
github.com/SoftEtherVPN/SoftEtherVPN_Stable.git - Unnamed repository; edit this file 'description' to name the repository.
authordnobori <da.git@softether.co.jp>2016-11-27 11:43:14 +0300
committerdnobori <da.git@softether.co.jp>2016-11-27 11:43:14 +0300
commit4df2eb4f9c2a8cf50e0123496bc20470edc21dc4 (patch)
treec31ceaa1709f599be25917bd35ae67f489d13652 /src/Cedar
parent0978e1a016e8de556514e51ffe1d7aa553562f19 (diff)
v4.22-9634-betav4.22-9634-beta
Diffstat (limited to 'src/Cedar')
-rw-r--r--src/Cedar/Admin.c2
-rw-r--r--src/Cedar/Cedar.c13
-rw-r--r--src/Cedar/Cedar.h34
-rw-r--r--src/Cedar/Cedar.vcproj4
-rw-r--r--src/Cedar/Client.c8
-rw-r--r--src/Cedar/Command.c41
-rw-r--r--src/Cedar/Command.h2
-rw-r--r--src/Cedar/Connection.c3
-rw-r--r--src/Cedar/Connection.h2
-rw-r--r--src/Cedar/DDNS.c16
-rw-r--r--src/Cedar/DDNS.h9
-rw-r--r--src/Cedar/Hub.c2
-rw-r--r--src/Cedar/Hub.h2
-rw-r--r--src/Cedar/IPsec_IKE.c12
-rw-r--r--src/Cedar/IPsec_IPC.c3
-rw-r--r--src/Cedar/Interop_OpenVPN.c4
-rw-r--r--src/Cedar/Layer3.c6
-rw-r--r--src/Cedar/Logging.c28
-rw-r--r--src/Cedar/Protocol.c54
-rw-r--r--src/Cedar/Protocol.h2
-rw-r--r--src/Cedar/Radius.c28
-rw-r--r--src/Cedar/Radius.h7
-rw-r--r--src/Cedar/SM.c5
-rw-r--r--src/Cedar/Sam.c10
-rw-r--r--src/Cedar/Server.c92
-rw-r--r--src/Cedar/UdpAccel.c4
-rw-r--r--src/Cedar/Virtual.c12
-rw-r--r--src/Cedar/WebUI.c4
-rw-r--r--src/Cedar/WinUi.h2
-rw-r--r--src/Cedar/Wpc.c57
-rw-r--r--src/Cedar/Wpc.h9
31 files changed, 263 insertions, 214 deletions
diff --git a/src/Cedar/Admin.c b/src/Cedar/Admin.c
index 4dfe3ac1..f0908f47 100644
--- a/src/Cedar/Admin.c
+++ b/src/Cedar/Admin.c
@@ -1166,7 +1166,7 @@ UINT StMakeOpenVpnConfigFile(ADMIN *a, RPC_READ_LOG_FILE *t)
name = NewName(cn, cn, cn, L"US", NULL, NULL);
- dummy_x = NewRootX(dummy_public_k, dummy_private_k, name, MAX(GetDaysUntil2038(), SERVER_DEFAULT_CERT_DAYS), NULL);
+ dummy_x = NewRootX(dummy_public_k, dummy_private_k, name, GetDaysUntil2038Ex(), NULL);
FreeName(name);
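Review bot: The MAX(GetDaysUntil2038(), SERVER_DEFAULT_CERT_DAYS) floor is dropped here and in Server.c (L857) in favour of GetDaysUntil2038Ex(), whose contract is not visible on this page. If the Ex variant does not itself enforce a minimum validity, a certificate generated close to the 2038 cut-off would be issued with a very short lifetime, which is exactly the case the old MAX() guarded against. Once confirmed, a one-line comment at the call site such as `// GetDaysUntil2038Ex() already applies the SERVER_DEFAULT_CERT_DAYS floor` would record why the guard is no longer needed. The enclosing function starts and ends outside the hunk.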
diff --git a/src/Cedar/Cedar.c b/src/Cedar/Cedar.c
index 9abcea50..9763e613 100644
--- a/src/Cedar/Cedar.c
+++ b/src/Cedar/Cedar.c
@@ -274,6 +274,15 @@ bool IsSupportedWinVer(RPC_WINVER *v)
return true;
}
}
+ else
+ {
+ // Windows Server 2016
+ if (v->ServicePack <= 0)
+ {
+ // SP0 only
+ return true;
+ }
+ }
}
return false;
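Review bot: The new `else` branch at L66 is a catch-all rather than a Windows Server 2016 check: any version that falls through the preceding comparisons (which start outside the hunk) is now reported as supported when ServicePack is zero, including future releases nobody has validated. If the intent is to accept Server 2016 only, compare the version numbers explicitly the way the earlier branches appear to, and keep the fall-through returning false. If v->ServicePack is unsigned (its declaration is not on this page), `v->ServicePack <= 0` is just `v->ServicePack == 0` and reads clearer written that way. IsSupportedWinVer begins outside the hunk.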
@@ -1750,7 +1759,7 @@ CEDAR *NewCedar(X *server_x, K *server_k)
c->TrafficDiffList = NewList(NULL);
- SetCedarCipherList(c, "RC4-MD5");
+ SetCedarCipherList(c, SERVER_DEFAULT_CIPHER_NAME);
c->ClientId = _II("CLIENT_ID");
@@ -1803,8 +1812,6 @@ CEDAR *NewCedar(X *server_x, K *server_k)
c->BuildInfo = CopyStr(tmp);
- c->DisableSslVersions = SSL_OPT_DEFAULT;
-
return c;
}
diff --git a/src/Cedar/Cedar.h b/src/Cedar/Cedar.h
index 0f927dbb..a4f8c196 100644
--- a/src/Cedar/Cedar.h
+++ b/src/Cedar/Cedar.h
@@ -135,10 +135,10 @@
// Version number
-#define CEDAR_VER 421
+#define CEDAR_VER 422
// Build Number
-#define CEDAR_BUILD 9613
+#define CEDAR_BUILD 9634
// Beta number
//#define BETA_NUMBER 3
@@ -158,11 +158,11 @@
// Specifies the build date
#define BUILD_DATE_Y 2016
-#define BUILD_DATE_M 4
-#define BUILD_DATE_D 24
-#define BUILD_DATE_HO 15
-#define BUILD_DATE_MI 39
-#define BUILD_DATE_SE 17
+#define BUILD_DATE_M 11
+#define BUILD_DATE_D 27
+#define BUILD_DATE_HO 14
+#define BUILD_DATE_MI 33
+#define BUILD_DATE_SE 59
// Tolerable time difference
#define ALLOW_TIMESTAMP_DIFF (UINT64)(3 * 24 * 60 * 60 * 1000)
@@ -404,22 +404,7 @@
#define KEEP_ALIVE_MAGIC 0xffffffff
#define MAX_KEEPALIVE_SIZE 512
-// SSL/TLS Versions
-#define SSL_VERSION_SSL_V2 0x01 // SSLv2
-#define SSL_VERSION_SSL_V3 0x02 // SSLv3
-#define SSL_VERSION_TLS_V1_0 0x04 // TLS v1.0
-#define SSL_VERSION_TLS_V1_1 0x08 // TLS v1.1
-#define SSL_VERSION_TLS_V1_2 0x10 // TLS v1.2
-// SSL/TLS Version Names
-#define NAME_SSL_VERSION_SSL_V2 "SSL_V2" // SSLv2
-#define NAME_SSL_VERSION_SSL_V3 "SSL_V3" // SSLv3
-#define NAME_SSL_VERSION_TLS_V1_0 "TLS_V1_0" // TLS v1.0
-#define NAME_SSL_VERSION_TLS_V1_1 "TLS_V1_1" // TLS v1.1
-#define NAME_SSL_VERSION_TLS_V1_2 "TLS_V1_2" // TLS v1.2
-
-// OpenSSL SSL Context Option Flags default
-#define SSL_OPT_DEFAULT 0x0
//////////////////////////////////////////////////////////////////////
//
@@ -685,7 +670,7 @@
#define ARP_ENTRY_EXPIRES (30 * 1000) // ARP table expiration date
#define ARP_ENTRY_POLLING_TIME (1 * 1000) // ARP table cleaning timer
-#define ARP_REQUEST_TIMEOUT (200) // ARP request time-out period
+#define ARP_REQUEST_TIMEOUT (1000) // ARP request time-out period
#define ARP_REQUEST_GIVEUP (5 * 1000) // Time to give up sending the ARP request
#define IP_WAIT_FOR_ARP_TIMEOUT (5 * 1000) // Total time that an IP packet waiting for ARP table
#define IP_COMBINE_TIMEOUT (10 * 1000) // Time-out of IP packet combining
@@ -1067,8 +1052,7 @@ typedef struct CEDAR
UINT QueueBudget; // Queue budget
LOCK *FifoBudgetLock; // Fifo budget lock
UINT FifoBudget; // Fifo budget
- bool AcceptOnlyTls; // Accept only TLS (Disable SSL)
- UINT DisableSslVersions; // Bitmap of SSL Version to disable
+ SSL_ACCEPT_SETTINGS SslAcceptSettings; // SSL Accept Settings
char OpenVPNDefaultClientOption[MAX_SIZE]; // OpenVPN Default Client Option String
} CEDAR;
diff --git a/src/Cedar/Cedar.vcproj b/src/Cedar/Cedar.vcproj
index c84d7379..6a306a99 100644
--- a/src/Cedar/Cedar.vcproj
+++ b/src/Cedar/Cedar.vcproj
@@ -46,7 +46,7 @@
Name="VCCLCompilerTool"
Optimization="0"
AdditionalIncludeDirectories="$(SolutionDir)Mayaqua\win32_inc;.;$(SolutionDir);WinPcap"
- PreprocessorDefinitions="WIN32;_DEBUG;_LIB;_USE_32BIT_TIME_T"
+ PreprocessorDefinitions="WIN32;_DEBUG;_LIB"
MinimalRebuild="true"
ExceptionHandling="0"
BasicRuntimeChecks="3"
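Review bot: Removing _USE_32BIT_TIME_T changes the width of time_t for the 32-bit Windows build, which is an ABI change for every struct or on-disk format that embeds a time_t; the same edit is made to the release configuration at L170-L171. Only the Cedar project is visible here (the diffstat is limited to src/Cedar), so it cannot be confirmed from this page that the Mayaqua project and the executables linking against Cedar drop the define in the same commit — if any of them keep it, their view of shared structures will disagree at link time without a compiler diagnostic. The reason for the change is worth stating in the commit message, which currently only carries the version tag.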
@@ -188,7 +188,7 @@
EnableIntrinsicFunctions="false"
FavorSizeOrSpeed="0"
AdditionalIncludeDirectories="$(SolutionDir)Mayaqua\win32_inc;.;$(SolutionDir);WinPcap"
- PreprocessorDefinitions="WIN32;NDEBUG;_LIB;_USE_32BIT_TIME_T;VPN_SPEED"
+ PreprocessorDefinitions="WIN32;NDEBUG;_LIB;VPN_SPEED"
StringPooling="false"
ExceptionHandling="0"
RuntimeLibrary="0"
diff --git a/src/Cedar/Client.c b/src/Cedar/Client.c
index 00baa32b..ccfbe665 100644
--- a/src/Cedar/Client.c
+++ b/src/Cedar/Client.c
@@ -2182,12 +2182,13 @@ BUF *CiAccountToCfg(RPC_CLIENT_CREATE_ACCOUNT *t)
PACK *CiRpcDispatch(RPC *rpc, char *name, PACK *p)
{
PACK *ret;
+ CLIENT *c;
// Validate arguments
if (rpc == NULL || name == NULL || p == NULL)
{
return NULL;
}
- CLIENT *c = rpc->Param;
+ c = rpc->Param;
ret = NewPack();
@@ -6033,8 +6034,9 @@ L_TRY:
if (ret != NULL)
{
- ret->Rpc = rpc;
RPC_CLIENT_VERSION t;
+
+ ret->Rpc = rpc;
Zero(&t, sizeof(t));
CcGetClientVersion(ret, &t);
ret->OsType = t.OsType;
@@ -6487,7 +6489,7 @@ bool Win32CiSecureSign(SECURE_SIGN *sign)
// Success
ret = true;
sign->ClientCert = batch[0].OutputX;
- Copy(sign->Signature, batch[1].OutputSign, 128);
+ Copy(sign->Signature, batch[1].OutputSign, MIN(sizeof(sign->Signature),sizeof(batch[1].OutputSign)));
}
}
diff --git a/src/Cedar/Command.c b/src/Cedar/Command.c
index 41dbd289..365257cd 100644
--- a/src/Cedar/Command.c
+++ b/src/Cedar/Command.c
@@ -1245,6 +1245,7 @@ void TtsWorkerThread(THREAD *thread, void *param)
if (ret != 0 && ret != SOCK_LATER)
{
ts->State = 5;
+ ts->LastCommTime = now;
}
break;
@@ -1255,6 +1256,8 @@ void TtsWorkerThread(THREAD *thread, void *param)
{
UCHAR c;
+ ts->LastCommTime = now;
+
// Direction of the data is in the first byte that is received
c = recv_buf_data[0];
@@ -1276,6 +1279,8 @@ void TtsWorkerThread(THREAD *thread, void *param)
// Span
ts->Span = READ_UINT64(recv_buf_data + sizeof(UINT64) + 1);
+
+ ts->GiveupSpan = ts->Span * 3ULL + 180000ULL;
}
}
break;
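Review bot: `ts->Span` at L230 is read straight from the peer's payload, so `ts->GiveupSpan = ts->Span * 3ULL + 180000ULL` at L232 is derived from an untrusted 64-bit value with no range check. A large Span either wraps the multiplication (unsigned, so silently) or makes `ts->LastCommTime + ts->GiveupSpan` at L278 wrap, turning the new orphan-session timeout into an immediate disconnect, while a merely huge Span disables the timeout for that socket entirely — the case the timeout was added to handle. Clamp before the multiply, e.g. `ts->GiveupSpan = MIN(ts->Span, MAX_TEST_SPAN_MS /* placeholder: choose a bound */) * 3ULL + 180000ULL;`, and write the check at L278 as `if ((now - ts->LastCommTime) > ts->GiveupSpan)` so it cannot overflow (both values come from Tick64(), so the subtraction does not go negative). TtsWorkerThread starts and ends outside the hunks.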
@@ -1289,6 +1294,8 @@ void TtsWorkerThread(THREAD *thread, void *param)
// Checking the first byte of received
UCHAR c = recv_buf_data[0];
+ ts->LastCommTime = now;
+
if (ts->FirstRecvTick == 0)
{
// Record the time at which the data has been received for the first
@@ -1326,10 +1333,20 @@ void TtsWorkerThread(THREAD *thread, void *param)
if (ts->NoMoreSendData == false)
{
ret = Send(ts->Sock, send_buf_data, buf_size, false);
+
+ if (ret != 0 && ret != SOCK_LATER)
+ {
+ ts->LastCommTime = now;
+ }
}
else
{
ret = Recv(ts->Sock, recv_buf_data, buf_size, false);
+
+ if (ret != 0 && ret != SOCK_LATER)
+ {
+ ts->LastCommTime = now;
+ }
}
if (ts->FirstSendTick == 0)
@@ -1364,6 +1381,11 @@ void TtsWorkerThread(THREAD *thread, void *param)
{
ret = Send(ts->Sock, &tmp64, sizeof(tmp64), false);
+ if (ret != 0 && ret != SOCK_LATER)
+ {
+ ts->LastCommTime = now;
+ }
+
if (ret != SOCK_LATER)
{
UINT j;
@@ -1390,6 +1412,12 @@ void TtsWorkerThread(THREAD *thread, void *param)
break;
}
+ if (now > (ts->LastCommTime + ts->GiveupSpan))
+ {
+ // Timeout: disconnect orphan sessions
+ ret = 0;
+ }
+
if (ret == 0)
{
// Mark as deleting the socket because it is disconnected
@@ -1514,7 +1542,7 @@ void TtsAcceptProc(TTS *tts, SOCK *listen_socket)
else
{
// Connected from the client
- AcceptInit(s);
+ AcceptInitEx(s, true);
tts->NewSocketArrived = true;
LockList(tts->TtsSockList);
{
@@ -1523,6 +1551,9 @@ void TtsAcceptProc(TTS *tts, SOCK *listen_socket)
ts->Id = (++tts->IdSeed);
ts->Sock = s;
+ ts->GiveupSpan = (UINT64)(10 * 60 * 1000);
+ ts->LastCommTime = Tick64();
+
UniFormat(tmp, sizeof(tmp), _UU("TTS_ACCEPTED"), ts->Id,
s->RemoteHostname, s->RemotePort);
TtPrint(tts->Param, tts->Print, tmp);
@@ -8079,7 +8110,7 @@ UINT PsServerCipherGet(CONSOLE *c, char *cmd_name, wchar_t *str, void *param)
RPC_STR t;
TOKEN_LIST *ciphers;
UINT i;
- wchar_t tmp[MAX_SIZE];
+ wchar_t tmp[4096];
o = ParseCommandList(c, cmd_name, str, NULL, 0);
if (o == NULL)
@@ -10039,7 +10070,11 @@ UINT PsLogFileGet(CONSOLE *c, char *cmd_name, wchar_t *str, void *param)
return ERR_INVALID_PARAMETER;
}
- filename = GetParamStr(o, "SAVEPATH");
+ filename = GetParamStr(o, "SAVE");
+ if (IsEmptyStr(filename))
+ {
+ filename = GetParamStr(o, "SAVEPATH");
+ }
c->Write(c, _UU("CMD_LogFileGet_START"));
diff --git a/src/Cedar/Command.h b/src/Cedar/Command.h
index 2ce75b89..d573d940 100644
--- a/src/Cedar/Command.h
+++ b/src/Cedar/Command.h
@@ -204,6 +204,8 @@ struct TTS_SOCK
UINT64 FirstRecvTick; // Time which the data has been received last
UINT64 FirstSendTick; // Time which the data has been sent last
UINT64 Span; // Period
+ UINT64 GiveupSpan;
+ UINT64 LastCommTime;
};
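Review bot: The two new TTS_SOCK fields carry no trailing comment while every neighbouring field does. From their use in Command.c they mean `UINT64 GiveupSpan; // Idle period after which the socket is treated as orphaned and closed` and `UINT64 LastCommTime; // Tick64() of the last Send/Recv that moved data`. The struct header is outside the hunk.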
// Traffic test server
diff --git a/src/Cedar/Connection.c b/src/Cedar/Connection.c
index f4b08972..80097e1b 100644
--- a/src/Cedar/Connection.c
+++ b/src/Cedar/Connection.c
@@ -3137,8 +3137,7 @@ void ConnectionAccept(CONNECTION *c)
// Start the SSL communication
Debug("StartSSL()\n");
- s->DisableSslVersions = c->Cedar->DisableSslVersions;
-
+ Copy(&s->SslAcceptSettings, &c->Cedar->SslAcceptSettings, sizeof(SSL_ACCEPT_SETTINGS));
if (StartSSL(s, x, k) == false)
{
// Failed
diff --git a/src/Cedar/Connection.h b/src/Cedar/Connection.h
index 6861bbb8..98a7c1f2 100644
--- a/src/Cedar/Connection.h
+++ b/src/Cedar/Connection.h
@@ -144,7 +144,7 @@ struct SECURE_SIGN
char SecurePrivateKeyName[MAX_SECURE_DEVICE_FILE_LEN + 1]; // Secure device secret key name
X *ClientCert; // Client certificate
UCHAR Random[SHA1_SIZE]; // Random value for signature
- UCHAR Signature[128]; // Signed data
+ UCHAR Signature[4096 / 8]; // Signed data
UINT UseSecureDeviceId;
UINT BitmapId; // Bitmap ID
};
diff --git a/src/Cedar/DDNS.c b/src/Cedar/DDNS.c
index b6281ee7..85695bb3 100644
--- a/src/Cedar/DDNS.c
+++ b/src/Cedar/DDNS.c
@@ -670,9 +670,12 @@ UINT DCRegister(DDNS_CLIENT *c, bool ipv6, DDNS_REGISTER_PARAM *p, char *replace
if (ret == NULL)
{
Debug("WpcCall: %s\n", url3);
- ret = WpcCallEx(url3, &t, DDNS_CONNECT_TIMEOUT, DDNS_COMM_TIMEOUT, "register", req,
- NULL, NULL, ((cert_hash != NULL && cert_hash->Size == SHA1_SIZE) ? cert_hash->Buf : NULL), NULL, DDNS_RPC_MAX_RECV_SIZE,
- add_header_name, add_header_value);
+ ret = WpcCallEx2(url3, &t, DDNS_CONNECT_TIMEOUT, DDNS_COMM_TIMEOUT, "register", req,
+ NULL, NULL, ((cert_hash != NULL && ((cert_hash->Size % SHA1_SIZE) == 0)) ? cert_hash->Buf : NULL),
+ (cert_hash != NULL ? cert_hash->Size / SHA1_SIZE : 0),
+ NULL, DDNS_RPC_MAX_RECV_SIZE,
+ add_header_name, add_header_value,
+ DDNS_SNI_VER_STRING);
Debug("WpcCall Ret: %u\n", ret);
}
@@ -874,8 +877,11 @@ UINT DCGetMyIpMain(DDNS_CLIENT *c, bool ipv6, char *dst, UINT dst_size, bool use
}
- recv = HttpRequest(&data, (ipv6 ? NULL : &c->InternetSetting), DDNS_CONNECT_TIMEOUT, DDNS_COMM_TIMEOUT, &ret, false, NULL, NULL,
- NULL, ((cert_hash != NULL && cert_hash->Size == SHA1_SIZE) ? cert_hash->Buf : NULL));
+ StrCpy(data.SniString, sizeof(data.SniString), DDNS_SNI_VER_STRING);
+
+ recv = HttpRequestEx3(&data, (ipv6 ? NULL : &c->InternetSetting), DDNS_CONNECT_TIMEOUT, DDNS_COMM_TIMEOUT, &ret, false, NULL, NULL,
+ NULL, ((cert_hash != NULL && (cert_hash->Size % SHA1_SIZE) == 0) ? cert_hash->Buf : NULL),
+ (cert_hash != NULL ? cert_hash->Size / SHA1_SIZE : 0), NULL, 0, NULL, NULL);
FreeBuf(cert_hash);
diff --git a/src/Cedar/DDNS.h b/src/Cedar/DDNS.h
index fe0d9054..e9ef14b6 100644
--- a/src/Cedar/DDNS.h
+++ b/src/Cedar/DDNS.h
@@ -115,7 +115,14 @@
#define DDNS_H
// Certificate hash
-#define DDNS_CERT_HASH "EFAC5FA0CDD14E0F864EED58A73C35D7E33B62F3"
+#define DDNS_CERT_HASH "78BF0499A99396907C9F49DD13571C81FE26E6F5" \
+ "439BAFA75A6EE5671FC9F9A02D34FF29881761A0" \
+ "EFAC5FA0CDD14E0F864EED58A73C35D7E33B62F3" \
+ "74DF99D4B1B5F0488A388B50D347D26013DC67A5" \
+ "6EBB39AFCA8C900635CFC11218CF293A612457E4"
+
+#define DDNS_SNI_VER_STRING "DDNS"
+
// Destination URL
#define DDNS_URL_V4_GLOBAL "https://x%c.x%c.servers.ddns.softether-network.net/ddns/ddns.aspx"
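Review bot: The comment above DDNS_CERT_HASH still says "Certificate hash" in the singular, but the macro is now five concatenated SHA-1 fingerprints, and DDNS.c (L373-L374) splits it into SHA1_SIZE chunks and passes the count, so any listed certificate is accepted; suggest `// SHA-1 fingerprints of the accepted server certificates, concatenated; any one of them matches`. DDNS_SNI_VER_STRING has no comment either; DDNS.c L384 and Protocol.c L570 copy it into data.SniString, so `// Value sent in the TLS SNI extension to the DDNS and update servers` would document it. Since all five pins are SHA-1 digests, moving the pin list to SHA-256 fingerprints is worth considering as a follow-up.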
diff --git a/src/Cedar/Hub.c b/src/Cedar/Hub.c
index 4cfd7b2b..5aa36b5a 100644
--- a/src/Cedar/Hub.c
+++ b/src/Cedar/Hub.c
@@ -214,7 +214,7 @@ EAP_CLIENT *HubNewEapClient(CEDAR *cedar, char *hubname, char *client_ip_str, ch
if (GetIP(&ip, radius_servers_list->Token[i]))
{
eap = NewEapClient(&ip, radius_port, radius_secret, radius_retry_interval,
- RADIUS_INITIAL_EAP_TIMEOUT, client_ip_str, username);
+ RADIUS_INITIAL_EAP_TIMEOUT, client_ip_str, username, hubname);
if (eap != NULL)
{
diff --git a/src/Cedar/Hub.h b/src/Cedar/Hub.h
index c6bdd300..bb6acfbd 100644
--- a/src/Cedar/Hub.h
+++ b/src/Cedar/Hub.h
@@ -438,9 +438,9 @@ struct HUB
UINT RadiusRetryInterval; // Radius retry interval
BUF *RadiusSecret; // Radius shared key
char RadiusSuffixFilter[MAX_SIZE]; // Radius suffix filter
+ char RadiusRealm[MAX_SIZE]; // Radius realm (optional)
bool RadiusConvertAllMsChapv2AuthRequestToEap; // Convert all MS-CHAPv2 auth request to EAP
bool RadiusUsePeapInsteadOfEap; // Use PEAP instead of EAP
- char RadiusRealm[MAX_SIZE]; // Radius realm (optional)
volatile bool Halt; // Halting flag
bool Offline; // Offline
bool BeingOffline; // Be Doing Offline
diff --git a/src/Cedar/IPsec_IKE.c b/src/Cedar/IPsec_IKE.c
index aea01040..eff09b78 100644
--- a/src/Cedar/IPsec_IKE.c
+++ b/src/Cedar/IPsec_IKE.c
@@ -4723,11 +4723,13 @@ bool GetBestTransformSettingForIPsecSa(IKE_SERVER *ike, IKE_PACKET *pr, IPSEC_SA
if (transform_payload != NULL)
{
IKE_PACKET_TRANSFORM_PAYLOAD *transform = &transform_payload->Payload.Transform;
- IPSEC_SA_TRANSFORM_SETTING *set = NULL;
+ IPSEC_SA_TRANSFORM_SETTING set;
- if (TransformPayloadToTransformSettingForIPsecSa(ike, transform, set, server_ip))
+ Zero(&set, sizeof(set));
+
+ if (TransformPayloadToTransformSettingForIPsecSa(ike, transform, &set, server_ip))
{
- Copy(setting, set, sizeof(IPSEC_SA_TRANSFORM_SETTING));
+ Copy(setting, &set, sizeof(IPSEC_SA_TRANSFORM_SETTING));
setting->SpiServerToClient = READ_UINT(proposal->Spi->Buf);
@@ -4735,11 +4737,11 @@ bool GetBestTransformSettingForIPsecSa(IKE_SERVER *ike, IKE_PACKET *pr, IPSEC_SA
}
else
{
- if (set != NULL && set->OnlyCapsuleModeIsInvalid)
+ if (set.OnlyCapsuleModeIsInvalid)
{
if (ocmii_flag == false)
{
- Copy(setting, set, sizeof(IPSEC_SA_TRANSFORM_SETTING));
+ Copy(setting, &set, sizeof(IPSEC_SA_TRANSFORM_SETTING));
ocmii_flag = true;
}
}
diff --git a/src/Cedar/IPsec_IPC.c b/src/Cedar/IPsec_IPC.c
index ad90ae09..26d1163a 100644
--- a/src/Cedar/IPsec_IPC.c
+++ b/src/Cedar/IPsec_IPC.c
@@ -426,7 +426,6 @@ IPC *NewIPC(CEDAR *cedar, char *client_name, char *postfix, char *hubname, char
// Upload the authentication data
p = PackLoginWithPlainPassword(hubname, username, password);
- PackAddInt64(p, "timestamp", SystemTime64());
PackAddStr(p, "hello", client_name);
PackAddInt(p, "client_ver", cedar->Version);
PackAddInt(p, "client_build", cedar->Build);
@@ -690,7 +689,7 @@ void IPCDhcpSetConditionalUserClass(IPC *ipc, DHCP_OPTION_LIST *req)
return;
}
- if (hub->Option && hub->Option->UseHubNameAsDhcpUserClassOption == true)
+ if (hub->Option && hub->Option->UseHubNameAsDhcpUserClassOption)
{
StrCpy(req->UserClass, sizeof(req->UserClass), ipc->HubName);
}
diff --git a/src/Cedar/Interop_OpenVPN.c b/src/Cedar/Interop_OpenVPN.c
index 6b7260a5..801f48b9 100644
--- a/src/Cedar/Interop_OpenVPN.c
+++ b/src/Cedar/Interop_OpenVPN.c
@@ -2114,8 +2114,8 @@ void OvsRecvPacket(OPENVPN_SERVER *s, LIST *recv_packet_list, UINT protocol)
if (r->Exists)
{
Format(l3_options, sizeof(l3_options),
- ",route %r %r %r",
- &r->Network, &r->SubnetMask, &r->Gateway);
+ ",route %r %r vpn_gateway",
+ &r->Network, &r->SubnetMask);
StrCat(option_str, sizeof(option_str), l3_options);
}
diff --git a/src/Cedar/Layer3.c b/src/Cedar/Layer3.c
index ebae0b21..16f5032e 100644
--- a/src/Cedar/Layer3.c
+++ b/src/Cedar/Layer3.c
@@ -540,6 +540,12 @@ void L3KnownArp(L3IF *f, UINT ip, UCHAR *mac)
return;
}
+ if (!((f->IpAddress & f->SubnetMask) == (ip & f->SubnetMask)))
+ {
+ // Outside the subnet
+ return;
+ }
+
// Delete an ARP query entry to this IP address
Zero(&t, sizeof(t));
t.IpAddress = ip;
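Review bot: `if (!((f->IpAddress & f->SubnetMask) == (ip & f->SubnetMask)))` at L507 is a double negation; `if ((f->IpAddress & f->SubnetMask) != (ip & f->SubnetMask))` says the same and is easier to read. The comment could also say why the entry is dropped rather than restating the condition, e.g. `// Ignore ARP information for addresses outside this interface's subnet`. L3KnownArp starts and ends outside the hunk.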
diff --git a/src/Cedar/Logging.c b/src/Cedar/Logging.c
index e0fceaa6..69334b14 100644
--- a/src/Cedar/Logging.c
+++ b/src/Cedar/Logging.c
@@ -1396,22 +1396,38 @@ char *BuildHttpLogStr(HTTPLOG *h)
b = NewBuf();
- if (StartWith(h->Path, "http://"))
+ if (StartWith(h->Path, "http://") || StartWith(h->Path, "https://"))
{
StrCpy(url, sizeof(url), h->Path);
}
else
{
// URL generation
- if (h->Port == 80)
+ if (h->IsSsl == false)
{
- Format(url, sizeof(url), "http://%s%s",
- h->Hostname, h->Path);
+ if (h->Port == 80)
+ {
+ Format(url, sizeof(url), "http://%s%s",
+ h->Hostname, h->Path);
+ }
+ else
+ {
+ Format(url, sizeof(url), "http://%s:%u%s",
+ h->Hostname, h->Port, h->Path);
+ }
}
else
{
- Format(url, sizeof(url), "http://%s:%u%s",
- h->Hostname, h->Port, h->Path);
+ if (h->Port == 443)
+ {
+ Format(url, sizeof(url), "https://%s/",
+ h->Hostname);
+ }
+ else
+ {
+ Format(url, sizeof(url), "https://%s:%u/",
+ h->Hostname, h->Port);
+ }
}
}
diff --git a/src/Cedar/Protocol.c b/src/Cedar/Protocol.c
index f11d5957..90342c74 100644
--- a/src/Cedar/Protocol.c
+++ b/src/Cedar/Protocol.c
@@ -690,8 +690,11 @@ void UpdateClientThreadMain(UPDATE_CLIENT *c)
cert_hash = StrToBin(UPDATE_SERVER_CERT_HASH);
- recv = HttpRequestEx2(&data, NULL, UPDATE_CONNECT_TIMEOUT, UPDATE_COMM_TIMEOUT, &ret, false, NULL, NULL,
- NULL, ((cert_hash != NULL && cert_hash->Size == SHA1_SIZE) ? cert_hash->Buf : NULL),
+ StrCpy(data.SniString, sizeof(data.SniString), DDNS_SNI_VER_STRING);
+
+ recv = HttpRequestEx3(&data, NULL, UPDATE_CONNECT_TIMEOUT, UPDATE_COMM_TIMEOUT, &ret, false, NULL, NULL,
+ NULL, ((cert_hash != NULL && (cert_hash->Size % SHA1_SIZE) == 0) ? cert_hash->Buf : NULL),
+ (cert_hash != NULL ? (cert_hash->Size / SHA1_SIZE) : 0),
(bool *)&c->HaltFlag, 0, NULL, NULL);
FreeBuf(cert_hash);
@@ -1312,7 +1315,6 @@ bool ServerAccept(CONNECTION *c)
FARM_MEMBER *f = NULL;
SERVER *server = NULL;
POLICY ticketed_policy;
- UINT64 timestamp;
UCHAR unique[SHA1_SIZE], unique2[SHA1_SIZE];
CEDAR *cedar;
RPC_WINVER winver;
@@ -1450,31 +1452,6 @@ bool ServerAccept(CONNECTION *c)
}
}
- // Time inspection
- timestamp = PackGetInt64(p, "timestamp");
- if (timestamp != 0)
- {
- UINT64 now = SystemTime64();
- UINT64 abs;
- if (now >= timestamp)
- {
- abs = now - timestamp;
- }
- else
- {
- abs = timestamp - now;
- }
-
- if (abs > ALLOW_TIMESTAMP_DIFF)
- {
- // Time difference is too large
- FreePack(p);
- c->Err = ERR_BAD_CLOCK;
- error_detail = "ERR_BAD_CLOCK";
- goto CLEANUP;
- }
- }
-
// Get the client version
PackGetStr(p, "client_str", c->ClientStr, sizeof(c->ClientStr));
c->ClientVer = PackGetInt(p, "client_ver");
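Review bot: Deleting the time inspection removes the only check that bound a login PACK to the sender's clock (ERR_BAD_CLOCK), and the matching `timestamp` fields are dropped on the client side at L644-L646 and in IPsec_IPC.c at L474, so nothing replaces it. That is fine if the field was only a clock-sanity check, but if it was also relied on as a freshness bound against replayed logins, the server-issued Random that ClientSecureSign signs (L634) is now the sole session binding for certificate logins, and whether password logins have an equivalent is not visible on this page; worth confirming and stating in the commit message. ALLOW_TIMESTAMP_DIFF in Cedar.h (L115) is no longer used by anything visible here. ServerAccept starts and ends outside the hunks.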
@@ -1655,7 +1632,7 @@ bool ServerAccept(CONNECTION *c)
{
radius_login_opt.In_CheckVLanId = hub->Option->AssignVLanIdByRadiusAttribute;
radius_login_opt.In_DenyNoVlanId = hub->Option->DenyAllRadiusLoginWithNoVlanAssign;
- if (hub->Option->UseHubNameAsRadiusNasId == true)
+ if (hub->Option->UseHubNameAsRadiusNasId)
{
StrCpy(radius_login_opt.NasId, sizeof(radius_login_opt.NasId), hubname);
}
@@ -4578,7 +4555,7 @@ bool ClientSecureSign(CONNECTION *c, UCHAR *sign, UCHAR *random, X **x)
if (ret)
{
- Copy(sign, ss->Signature, 128);
+ Copy(sign, ss->Signature, sizeof(ss->Signature));
*x = ss->ClientCert;
}
@@ -5857,7 +5834,7 @@ bool ClientUploadAuth(CONNECTION *c)
// Authentication by secure device
if (ClientSecureSign(c, sign, c->Random, &x))
{
- p = PackLoginWithCert(o->HubName, a->Username, x, sign, 128);
+ p = PackLoginWithCert(o->HubName, a->Username, x, sign, x->bits / 8);
c->ClientX = CloneX(x);
FreeX(x);
}
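Review bot: `x->bits / 8` at L637 is passed as the signature length, but `sign` was filled at L629 with `sizeof(ss->Signature)`, which Connection.h (L357) fixes at 4096 / 8 = 512 bytes; for a client certificate with a key above 4096 bits PackLoginWithCert would read beyond the signed bytes, and beyond `sign` itself if that buffer (declared outside the hunk) is the same size. Either reject such keys up front or clamp, e.g. `UINT sign_size = x->bits / 8;` followed by `if (sign_size > 4096 / 8) { /* key too large for SECURE_SIGN.Signature */ }` before the call, and give the `4096 / 8` literal in Connection.h a named constant so the two sites cannot drift. ClientUploadAuth starts and ends outside the hunk.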
@@ -5880,9 +5857,6 @@ bool ClientUploadAuth(CONNECTION *c)
PackAddData(p, "ticket", c->Ticket, SHA1_SIZE);
}
- // Current time
- PackAddInt64(p, "timestamp", SystemTime64());
-
if (p == NULL)
{
// Error
@@ -6073,9 +6047,8 @@ bool ServerDownloadSignature(CONNECTION *c, char **error_detail_str)
SOCK *s;
UINT num = 0, max = 19;
SERVER *server;
- char hostname[64];
char *vpn_http_target = HTTP_VPN_TARGET2;
- bool check_hostname = true;
+ bool check_hostname = false;
// Validate arguments
if (c == NULL)
{
@@ -6083,7 +6056,7 @@ bool ServerDownloadSignature(CONNECTION *c, char **error_detail_str)
}
- strcpy(hostname, "");
+
server = c->Cedar->Server;
s = c->FirstSock;
@@ -6113,6 +6086,7 @@ bool ServerDownloadSignature(CONNECTION *c, char **error_detail_str)
if (check_hostname && (StrCmpi(h->Version, "HTTP/1.1") == 0 || StrCmpi(h->Version, "HTTP/1.2") == 0))
{
HTTP_VALUE *v;
+ char hostname[64];
Zero(hostname, sizeof(hostname));
@@ -6347,12 +6321,6 @@ bool ServerDownloadSignature(CONNECTION *c, char **error_detail_str)
}
}
- if ((b == false) && (StartWith(h->Target, "/wiki")))
- {
- HttpSendRedirect(s, h->Target, hostname);
- b = true;
- }
-
if (b == false)
{
// Not Found
diff --git a/src/Cedar/Protocol.h b/src/Cedar/Protocol.h
index 033c181d..e608c0ce 100644
--- a/src/Cedar/Protocol.h
+++ b/src/Cedar/Protocol.h
@@ -180,7 +180,7 @@ struct UPDATE_CLIENT
#define UPDATE_FAMILY_NAME _SS("PRODUCT_FAMILY_NAME")
// Software update server certificate hash
-#define UPDATE_SERVER_CERT_HASH "EFAC5FA0CDD14E0F864EED58A73C35D7E33B62F3"
+#define UPDATE_SERVER_CERT_HASH DDNS_CERT_HASH
// URL
#define UPDATE_SERVER_URL_GLOBAL "https://update-check.softether-network.net/update/update.aspx?family=%s&software=%s&mybuild=%u&lang=%s"
diff --git a/src/Cedar/Radius.c b/src/Cedar/Radius.c
index 5a7a6e9f..386a6955 100644
--- a/src/Cedar/Radius.c
+++ b/src/Cedar/Radius.c
@@ -686,6 +686,11 @@ void EapSetRadiusGeneralAttributes(RADIUS_PACKET *r, EAP_CLIENT *e)
ui = Endian32(5);
Add(r->AvpList, NewRadiusAvp(RADIUS_ATTRIBUTE_NAS_PORT_TYPE, 0, 0, &ui, sizeof(UINT)));
+ if (IsEmptyStr(e->CalledStationStr) == false)
+ {
+ Add(r->AvpList, NewRadiusAvp(RADIUS_ATTRIBUTE_CALLED_STATION_ID, 0, 0, e->CalledStationStr, StrLen(e->CalledStationStr)));
+ }
+
Add(r->AvpList, NewRadiusAvp(RADIUS_ATTRIBUTE_CALLING_STATION_ID, 0, 0, e->ClientIpStr, StrLen(e->ClientIpStr)));
Add(r->AvpList, NewRadiusAvp(RADIUS_ATTRIBUTE_TUNNEL_CLIENT_ENDPOINT, 0, 0, e->ClientIpStr, StrLen(e->ClientIpStr)));
@@ -1237,7 +1242,7 @@ bool EapSendPacket(EAP_CLIENT *e, RADIUS_PACKET *r)
}
// New EAP client
-EAP_CLIENT *NewEapClient(IP *server_ip, UINT server_port, char *shared_secret, UINT resend_timeout, UINT giveup_timeout, char *client_ip_str, char *username)
+EAP_CLIENT *NewEapClient(IP *server_ip, UINT server_port, char *shared_secret, UINT resend_timeout, UINT giveup_timeout, char *client_ip_str, char *username, char *hubname)
{
EAP_CLIENT *e;
if (server_ip == NULL)
@@ -1266,6 +1271,7 @@ EAP_CLIENT *NewEapClient(IP *server_ip, UINT server_port, char *shared_secret, U
e->GiveupTimeout = giveup_timeout;
StrCpy(e->SharedSecret, sizeof(e->SharedSecret), shared_secret);
+ StrCpy(e->CalledStationStr, sizeof(e->CalledStationStr), hubname);
StrCpy(e->ClientIpStr, sizeof(e->ClientIpStr), client_ip_str);
StrCpy(e->Username, sizeof(e->Username), username);
e->LastRecvEapId = 0;
@@ -1702,8 +1708,8 @@ LABEL_ERROR:
////////// Classical implementation
// Attempts Radius authentication (with specifying retry interval and multiple server)
-bool RadiusLogin(CONNECTION *c, char *hubname, char *server, UINT port, UCHAR *secret, UINT secret_size, wchar_t *username, char *password, UINT interval, UCHAR *mschap_v2_server_response_20,
- RADIUS_LOGIN_OPTION *opt)
+bool RadiusLogin(CONNECTION *c, char *server, UINT port, UCHAR *secret, UINT secret_size, wchar_t *username, char *password, UINT interval, UCHAR *mschap_v2_server_response_20,
+ RADIUS_LOGIN_OPTION *opt, char *hubname)
{
UCHAR random[MD5_SIZE];
UCHAR id;
@@ -1835,7 +1841,7 @@ bool RadiusLogin(CONNECTION *c, char *hubname, char *server, UINT port, UCHAR *s
BUF *user_password = (is_mschap ? NULL : RadiusCreateUserPassword(encrypted_password->Buf, encrypted_password->Size));
BUF *nas_id;
- if (IsEmptyStr(opt->NasId) == true)
+ if (IsEmptyStr(opt->NasId))
{
nas_id = RadiusCreateNasId(CEDAR_SERVER_STR);
}
@@ -1890,8 +1896,11 @@ bool RadiusLogin(CONNECTION *c, char *hubname, char *server, UINT port, UCHAR *s
ui = Endian32(1);
RadiusAddValue(p, 65, 0, 0, &ui, sizeof(ui));
- // Called-Station-Id
- RadiusAddValue(p, 30, 0, 0, hubname, StrLen(hubname));
+ // Called-Station-ID - VPN Hub Name
+ if (IsEmptyStr(hubname) == false)
+ {
+ RadiusAddValue(p, 30, 0, 0, hubname, StrLen(hubname));
+ }
// Calling-Station-Id
RadiusAddValue(p, 31, 0, 0, client_ip_str, StrLen(client_ip_str));
@@ -1943,8 +1952,11 @@ bool RadiusLogin(CONNECTION *c, char *hubname, char *server, UINT port, UCHAR *s
ui = Endian32(1);
RadiusAddValue(p, 65, 0, 0, &ui, sizeof(ui));
- // Called-Station-Id
- RadiusAddValue(p, 30, 0, 0, hubname, StrLen(hubname));
+ // Called-Station-ID - VPN Hub Name
+ if (IsEmptyStr(hubname) == false)
+ {
+ RadiusAddValue(p, 30, 0, 0, hubname, StrLen(hubname));
+ }
// Calling-Station-Id
RadiusAddValue(p, 31, 0, 0, client_ip_str, StrLen(client_ip_str));
diff --git a/src/Cedar/Radius.h b/src/Cedar/Radius.h
index 00583454..ba336486 100644
--- a/src/Cedar/Radius.h
+++ b/src/Cedar/Radius.h
@@ -311,6 +311,7 @@ struct EAP_CLIENT
UINT ServerPort;
char SharedSecret[MAX_SIZE];
char ClientIpStr[256];
+ char CalledStationStr[256];
char Username[MAX_USERNAME_LEN + 1];
UINT ResendTimeout;
UINT GiveupTimeout;
@@ -346,7 +347,7 @@ RADIUS_AVP *GetRadiusAvp(RADIUS_PACKET *p, UCHAR type);
void RadiusTest();
-EAP_CLIENT *NewEapClient(IP *server_ip, UINT server_port, char *shared_secret, UINT resend_timeout, UINT giveup_timeout, char *client_ip_str, char *username);
+EAP_CLIENT *NewEapClient(IP *server_ip, UINT server_port, char *shared_secret, UINT resend_timeout, UINT giveup_timeout, char *client_ip_str, char *username, char *hubname);
void ReleaseEapClient(EAP_CLIENT *e);
void CleanupEapClient(EAP_CLIENT *e);
bool EapClientSendMsChapv2AuthRequest(EAP_CLIENT *e);
@@ -376,8 +377,8 @@ struct RADIUS_LOGIN_OPTION
};
// Function prototype
-bool RadiusLogin(CONNECTION *c, char *hubname, char *server, UINT port, UCHAR *secret, UINT secret_size, wchar_t *username, char *password, UINT interval, UCHAR *mschap_v2_server_response_20,
- RADIUS_LOGIN_OPTION *opt);
+bool RadiusLogin(CONNECTION *c, char *server, UINT port, UCHAR *secret, UINT secret_size, wchar_t *username, char *password, UINT interval, UCHAR *mschap_v2_server_response_20,
+ RADIUS_LOGIN_OPTION *opt, char *hubname);
BUF *RadiusEncryptPassword(char *password, UCHAR *random, UCHAR *secret, UINT secret_size);
BUF *RadiusCreateUserName(wchar_t *username);
BUF *RadiusCreateUserPassword(void *data, UINT size);
diff --git a/src/Cedar/SM.c b/src/Cedar/SM.c
index 92471e24..3ee2c1d9 100644
--- a/src/Cedar/SM.c
+++ b/src/Cedar/SM.c
@@ -876,12 +876,14 @@ static UINT SmDdnsGetKey(char *key, SM_DDNS *d){
UINT err;
BUF *buf;
FOLDER *root, *ddnsfolder;
+ RPC *rpc;
// Validate arguments
if(d == NULL || d->s == NULL || key == NULL){
return ERR_INTERNAL_ERROR;
}
- RPC *rpc = d->s->Rpc;
+
+ rpc = d->s->Rpc;
Zero(&config, sizeof(config));
err = ScGetConfig(d->s->Rpc, &config);
@@ -17011,6 +17013,7 @@ void SmSslDlgInit(HWND hWnd, SM_SSL *s)
// Set the encryption algorithm list
cipher_list = GetCipherList();
+ SetFont(hWnd, C_CIPHER, GetFont("Tahoma", 8, false, false, false, false));
CbSetHeight(hWnd, C_CIPHER, 18);
for (i = 0;i < cipher_list->NumTokens;i++)
{
diff --git a/src/Cedar/Sam.c b/src/Cedar/Sam.c
index 8201110d..137cb61b 100644
--- a/src/Cedar/Sam.c
+++ b/src/Cedar/Sam.c
@@ -214,9 +214,9 @@ bool SamAuthUserByPlainPassword(CONNECTION *c, HUB *hub, char *username, char *p
if( IsEmptyStr(h->RadiusRealm) == false )
{
char name_and_realm[MAX_SIZE];
- StrCpy(name_and_realm, MAX_SIZE, username);
- StrCat(name_and_realm, (MAX_SIZE - StrLen(name_and_realm)), "@");
- StrCat(name_and_realm, (MAX_SIZE - StrLen(name_and_realm)), h->RadiusRealm);
+ StrCpy(name_and_realm, sizeof(name_and_realm), username);
+ StrCat(name_and_realm, sizeof(name_and_realm), "@");
+ StrCat(name_and_realm, sizeof(name_and_realm), h->RadiusRealm);
name = CopyStrToUni(name_and_realm);
}
else
@@ -276,9 +276,9 @@ bool SamAuthUserByPlainPassword(CONNECTION *c, HUB *hub, char *username, char *p
if (UniIsEmptyStr(suffix_filter_w) || UniEndWith(name, suffix_filter_w))
{
// Attempt to login
- b = RadiusLogin(c, hub->Name, radius_server_addr, radius_server_port,
+ b = RadiusLogin(c, radius_server_addr, radius_server_port,
radius_secret, StrLen(radius_secret),
- name, password, interval, mschap_v2_server_response_20, opt);
+ name, password, interval, mschap_v2_server_response_20, opt, hub->Name);
if (b)
{
diff --git a/src/Cedar/Server.c b/src/Cedar/Server.c
index 9a2a4aab..191fc147 100644
--- a/src/Cedar/Server.c
+++ b/src/Cedar/Server.c
@@ -2152,7 +2152,7 @@ void SiGenerateDefaultCertEx(X **server_x, K **server_k, char *common_name)
name = NewName(cn, cn, cn,
L"US", NULL, NULL);
- x = NewRootX(public_key, private_key, name, MAX(GetDaysUntil2038(), SERVER_DEFAULT_CERT_DAYS), NULL);
+ x = NewRootX(public_key, private_key, name, GetDaysUntil2038Ex(), NULL);
*server_x = x;
*server_k = private_key;
@@ -2578,7 +2578,7 @@ void SiLoadInitialConfiguration(SERVER *s)
}
// Default to TLS only; mitigates CVE-2016-0800
- s->Cedar->AcceptOnlyTls = true;
+ s->Cedar->SslAcceptSettings.AcceptOnlyTls = true;
// Auto saving interval related
s->AutoSaveConfigSpan = SERVER_FILE_SAVE_INTERVAL_DEFAULT;
@@ -2765,9 +2765,6 @@ void SiInitConfiguration(SERVER *s)
s->AutoSaveConfigSpan = SERVER_FILE_SAVE_INTERVAL_DEFAULT;
s->BackupConfigOnlyWhenModified = true;
- // Default to TLS only; mitigates CVE-2016-0800
- s->Cedar->AcceptOnlyTls = true;
-
// IPsec server
if (s->Cedar->Bridge == false)
{
@@ -5019,10 +5016,10 @@ void SiWriteHubCfg(FOLDER *f, HUB *h)
CfgAddInt(f, "RadiusServerPort", h->RadiusServerPort);
CfgAddInt(f, "RadiusRetryInterval", h->RadiusRetryInterval);
CfgAddStr(f, "RadiusSuffixFilter", h->RadiusSuffixFilter);
+ CfgAddStr(f, "RadiusRealm", h->RadiusRealm);
CfgAddBool(f, "RadiusConvertAllMsChapv2AuthRequestToEap", h->RadiusConvertAllMsChapv2AuthRequestToEap);
CfgAddBool(f, "RadiusUsePeapInsteadOfEap", h->RadiusUsePeapInsteadOfEap);
- CfgAddStr(f, "RadiusRealm", h->RadiusRealm);
}
Unlock(h->RadiusOptionLock);
@@ -6170,47 +6167,16 @@ void SiLoadServerCfg(SERVER *s, FOLDER *f)
// AcceptOnlyTls
if (CfgIsItem(f, "AcceptOnlyTls"))
{
- c->AcceptOnlyTls = CfgGetBool(f, "AcceptOnlyTls");
+ c->SslAcceptSettings.AcceptOnlyTls = CfgGetBool(f, "AcceptOnlyTls");
}
else
{
- c->AcceptOnlyTls = true;
- }
-
- if (c->AcceptOnlyTls) {
- c->DisableSslVersions |= SSL_VERSION_SSL_V2;
- c->DisableSslVersions |= SSL_VERSION_SSL_V3;
- }
-
- if (CfgGetStr(f, "DisableSslVersions", tmp, sizeof(tmp))) {
- TOKEN_LIST *sslVersions= ParseToken(tmp, ", ");
- UINT i;
- for (i = 0;i < sslVersions->NumTokens;i++)
- {
- char *sslVersion=sslVersions->Token[i];
- if (StrCmp(sslVersion, NAME_SSL_VERSION_SSL_V2)==0) {
- c->DisableSslVersions |= SSL_VERSION_SSL_V2;
- continue;
- }
- if (StrCmp(sslVersion, NAME_SSL_VERSION_SSL_V3)==0) {
- c->DisableSslVersions |= SSL_VERSION_SSL_V3;
- continue;
- }
- if (StrCmp(sslVersion, NAME_SSL_VERSION_TLS_V1_0)==0) {
- c->DisableSslVersions |= SSL_VERSION_TLS_V1_0;
- continue;
- }
- if (StrCmp(sslVersion, NAME_SSL_VERSION_TLS_V1_1)==0) {
- c->DisableSslVersions |= SSL_VERSION_TLS_V1_1;
- continue;
- }
- if (StrCmp(sslVersion, NAME_SSL_VERSION_TLS_V1_2)==0) {
- c->DisableSslVersions |= SSL_VERSION_TLS_V1_2;
- continue;
- }
- }
- FreeToken(sslVersions);
+ // Default to TLS only; mitigates CVE-2016-0800
+ c->SslAcceptSettings.AcceptOnlyTls = true;
}
+ c->SslAcceptSettings.Tls_Disable1_0 = CfgGetBool(f, "Tls_Disable1_0");
+ c->SslAcceptSettings.Tls_Disable1_1 = CfgGetBool(f, "Tls_Disable1_1");
+ c->SslAcceptSettings.Tls_Disable1_2 = CfgGetBool(f, "Tls_Disable1_2");
}
Unlock(c->lock);
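Review bot: The `DisableSslVersions` key that the removed lines parsed is no longer read anywhere in this hunk, and its replacements `Tls_Disable1_0/1_1/1_2` are read with `CfgGetBool`, which presumably yields false when the item is absent; an installation that had switched off TLS 1.0 or 1.1 through the old key therefore comes back after this upgrade with those versions enabled again and nothing logged about it. The old list should be migrated once at load time, which also keeps the existing `tmp` buffer and the NAME_SSL_VERSION_* names in use, provided Cedar.h still defines them after this commit. SiLoadServerCfg starts outside this hunk; the sketch below goes right after the three `CfgGetBool` lines.
```c
	c->SslAcceptSettings.Tls_Disable1_2 = CfgGetBool(f, "Tls_Disable1_2");

	// Migrate the pre-4.22 "DisableSslVersions" list so that upgrading does not
	// silently re-enable a TLS version the administrator had switched off.
	if (CfgGetStr(f, "DisableSslVersions", tmp, sizeof(tmp)))
	{
		TOKEN_LIST *old = ParseToken(tmp, ", ");
		UINT i;
		for (i = 0;i < old->NumTokens;i++)
		{
			if (StrCmp(old->Token[i], NAME_SSL_VERSION_TLS_V1_0) == 0)
			{
				c->SslAcceptSettings.Tls_Disable1_0 = true;
			}
			else if (StrCmp(old->Token[i], NAME_SSL_VERSION_TLS_V1_1) == 0)
			{
				c->SslAcceptSettings.Tls_Disable1_1 = true;
			}
			else if (StrCmp(old->Token[i], NAME_SSL_VERSION_TLS_V1_2) == 0)
			{
				c->SslAcceptSettings.Tls_Disable1_2 = true;
			}
		}
		FreeToken(old);
	}
```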
@@ -6519,42 +6485,10 @@ void SiWriteServerCfg(FOLDER *f, SERVER *s)
CfgAddBool(f, "DisableGetHostNameWhenAcceptTcp", s->DisableGetHostNameWhenAcceptTcp);
CfgAddBool(f, "DisableCoreDumpOnUnix", s->DisableCoreDumpOnUnix);
- CfgAddBool(f, "AcceptOnlyTls", c->AcceptOnlyTls);
-
- {
- char tmp[MAX_SIZE];
- tmp[0] = 0;
- if (c->DisableSslVersions & SSL_VERSION_SSL_V2) {
- StrCat(tmp, sizeof(tmp), NAME_SSL_VERSION_SSL_V2);
- StrCat(tmp, sizeof(tmp), ",");
- }
- if (c->DisableSslVersions & SSL_VERSION_SSL_V3) {
- StrCat(tmp, sizeof(tmp), NAME_SSL_VERSION_SSL_V3);
- StrCat(tmp, sizeof(tmp), ",");
- }
- if (c->DisableSslVersions & SSL_VERSION_TLS_V1_0) {
- StrCat(tmp, sizeof(tmp), NAME_SSL_VERSION_TLS_V1_0);
- StrCat(tmp, sizeof(tmp), ",");
- }
- if (c->DisableSslVersions & SSL_VERSION_TLS_V1_1) {
- StrCat(tmp, sizeof(tmp), NAME_SSL_VERSION_TLS_V1_1);
- StrCat(tmp, sizeof(tmp), ",");
- }
- if (c->DisableSslVersions & SSL_VERSION_TLS_V1_2) {
- StrCat(tmp, sizeof(tmp), NAME_SSL_VERSION_TLS_V1_2);
- StrCat(tmp, sizeof(tmp), ",");
- }
- if (StrLen(tmp) >= 1)
- {
- if (tmp[StrLen(tmp) - 1] == ',')
- {
- tmp[StrLen(tmp) - 1] = 0;
- }
- }
- CfgAddStr(f, "DisableSslVersions", tmp);
- }
-
-
+ CfgAddBool(f, "AcceptOnlyTls", c->SslAcceptSettings.AcceptOnlyTls);
+ CfgAddBool(f, "Tls_Disable1_0", c->SslAcceptSettings.Tls_Disable1_0);
+ CfgAddBool(f, "Tls_Disable1_1", c->SslAcceptSettings.Tls_Disable1_1);
+ CfgAddBool(f, "Tls_Disable1_2", c->SslAcceptSettings.Tls_Disable1_2);
// Disable session reconnect
CfgAddBool(f, "DisableSessionReconnect", GetGlobalServerFlag(GSF_DISABLE_SESSION_RECONNECT));
diff --git a/src/Cedar/UdpAccel.c b/src/Cedar/UdpAccel.c
index 58d1a621..842dc24b 100644
--- a/src/Cedar/UdpAccel.c
+++ b/src/Cedar/UdpAccel.c
@@ -118,12 +118,14 @@ void UdpAccelPoll(UDP_ACCEL *a)
{
IP nat_t_ip;
UINT num_ignore_errors = 0;
+ UCHAR *tmp;
// Validate arguments
if (a == NULL)
{
return;
}
- UCHAR *tmp = a->TmpBuf;
+
+ tmp = a->TmpBuf;
Lock(a->NatT_Lock);
{
diff --git a/src/Cedar/Virtual.c b/src/Cedar/Virtual.c
index a17892e0..16e45436 100644
--- a/src/Cedar/Virtual.c
+++ b/src/Cedar/Virtual.c
@@ -2393,12 +2393,14 @@ bool NnTestConnectivity(NATIVE_STACK *a, TUBE *halt_tube)
IP my_priv_ip;
UINT num_send_dns = 0;
IP using_dns;
+ UINT src_port = 0;
// Validate arguments
if (a == NULL)
{
return false;
}
- UINT src_port = NnGenSrcPort(a->IsIpRawMode);
+
+ src_port = NnGenSrcPort(a->IsIpRawMode);
Copy(&using_dns, &a->DnsServerIP, sizeof(IP));
@@ -3999,12 +4001,14 @@ bool NatTransactIcmp(VH *v, NAT_ENTRY *n)
BLOCK *block;
IP dest_ip;
UINT num_ignore_errors = 0;
+ UINT dest_port = 0;
// Validate arguments
if (v == NULL || n == NULL)
{
return true;
}
- UINT dest_port = n->DestPort;
+
+ dest_port = n->DestPort;
if (n->DisconnectNow)
{
@@ -4202,12 +4206,14 @@ bool NatTransactUdp(VH *v, NAT_ENTRY *n)
BLOCK *block;
IP dest_ip;
UINT num_ignore_errors;
+ UINT dest_port = 0;
// Validate arguments
if (v == NULL || n == NULL)
{
return true;
}
- UINT dest_port = n->DestPort;
+
+ dest_port = n->DestPort;
if (n->DisconnectNow)
{
diff --git a/src/Cedar/WebUI.c b/src/Cedar/WebUI.c
index f71c385f..d188911c 100644
--- a/src/Cedar/WebUI.c
+++ b/src/Cedar/WebUI.c
@@ -1725,12 +1725,14 @@ static wchar_t *WuUniReadFile(char *filename)
static void WuUniReplace(wchar_t **buf, wchar_t *from, wchar_t *to)
{
UINT dstsize;
+ wchar_t *oldbuf;
if(buf == NULL || from == NULL || to == NULL)
{
return;
}
- wchar_t *oldbuf = *buf;
+
+ oldbuf = *buf;
dstsize = (UniCalcReplaceStrEx(*buf, from, to, true) + 1) * sizeof(wchar_t);
*buf = (wchar_t*)Malloc(dstsize);
diff --git a/src/Cedar/WinUi.h b/src/Cedar/WinUi.h
index 630e514c..7225ee2d 100644
--- a/src/Cedar/WinUi.h
+++ b/src/Cedar/WinUi.h
@@ -204,7 +204,7 @@ typedef struct WINUI_SECURE_BATCH
X *OutputX; // Output certificate
K *InputK; // Input secret key
LIST *EnumList; // Enumerated list
- UCHAR OutputSign[128]; // Output signature
+ UCHAR OutputSign[4096 / 8]; // Output signature
bool Succeed; // Success flag
} WINUI_SECURE_BATCH;
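Review bot: The new size `4096 / 8` makes `OutputSign` large enough for a 4096-bit RSA signature but leaves the limit implicit; whichever code fills this buffer (not visible here) must still bound its write by `sizeof(OutputSign)`, because a signature produced with a longer key would overflow it. Name the assumption on the line so the next key-size bump does not miss it: `UCHAR OutputSign[4096 / 8]; // Output signature; sized for RSA keys up to 4096 bits, writers must check the key size against sizeof(OutputSign)`. The struct WINUI_SECURE_BATCH starts outside this hunk.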
diff --git a/src/Cedar/Wpc.c b/src/Cedar/Wpc.c
index 17a337b3..f10019dd 100644
--- a/src/Cedar/Wpc.c
+++ b/src/Cedar/Wpc.c
@@ -164,6 +164,14 @@ PACK *WpcCallEx(char *url, INTERNET_SETTING *setting, UINT timeout_connect, UINT
char *function_name, PACK *pack, X *cert, K *key, void *sha1_cert_hash, bool *cancel, UINT max_recv_size,
char *additional_header_name, char *additional_header_value)
{
+ return WpcCallEx2(url, setting, timeout_connect, timeout_comm, function_name, pack,
+ cert, key, sha1_cert_hash, (sha1_cert_hash == NULL ? 0 : 1),
+ cancel, max_recv_size, additional_header_name, additional_header_value, NULL);
+}
+PACK *WpcCallEx2(char *url, INTERNET_SETTING *setting, UINT timeout_connect, UINT timeout_comm,
+ char *function_name, PACK *pack, X *cert, K *key, void *sha1_cert_hash, UINT num_hashes, bool *cancel, UINT max_recv_size,
+ char *additional_header_name, char *additional_header_value, char *sni_string)
+{
URL_DATA data;
BUF *b, *recv;
UINT error;
@@ -197,8 +205,14 @@ PACK *WpcCallEx(char *url, INTERNET_SETTING *setting, UINT timeout_connect, UINT
StrCpy(data.AdditionalHeaderValue, sizeof(data.AdditionalHeaderValue), additional_header_value);
}
- recv = HttpRequestEx(&data, setting, timeout_connect, timeout_comm, &error,
- false, b->Buf, NULL, NULL, sha1_cert_hash, cancel, max_recv_size);
+ if (sni_string != NULL && IsEmptyStr(sni_string) == false)
+ {
+ StrCpy(data.SniString, sizeof(data.SniString), sni_string);
+ }
+
+ recv = HttpRequestEx3(&data, setting, timeout_connect, timeout_comm, &error,
+ false, b->Buf, NULL, NULL, sha1_cert_hash, num_hashes, cancel, max_recv_size,
+ NULL, NULL);
FreeBuf(b);
@@ -694,6 +708,16 @@ BUF *HttpRequestEx2(URL_DATA *data, INTERNET_SETTING *setting,
WPC_RECV_CALLBACK *recv_callback, void *recv_callback_param, void *sha1_cert_hash,
bool *cancel, UINT max_recv_size, char *header_name, char *header_value)
{
+ return HttpRequestEx3(data, setting, timeout_connect, timeout_comm, error_code, check_ssl_trust,
+ post_data, recv_callback, recv_callback_param, sha1_cert_hash, (sha1_cert_hash == NULL ? 0 : 1),
+ cancel, max_recv_size, header_name, header_value);
+}
+BUF *HttpRequestEx3(URL_DATA *data, INTERNET_SETTING *setting,
+ UINT timeout_connect, UINT timeout_comm,
+ UINT *error_code, bool check_ssl_trust, char *post_data,
+ WPC_RECV_CALLBACK *recv_callback, void *recv_callback_param, void *sha1_cert_hash, UINT num_hashes,
+ bool *cancel, UINT max_recv_size, char *header_name, char *header_value)
+{
WPC_CONNECT con;
SOCK *s;
HTTP_HEADER *h;
@@ -728,6 +752,14 @@ BUF *HttpRequestEx2(URL_DATA *data, INTERNET_SETTING *setting,
{
timeout_comm = WPC_TIMEOUT;
}
+ if (sha1_cert_hash == NULL)
+ {
+ num_hashes = 0;
+ }
+ if (num_hashes == 0)
+ {
+ sha1_cert_hash = NULL;
+ }
// Connection
Zero(&con, sizeof(con));
@@ -773,7 +805,7 @@ BUF *HttpRequestEx2(URL_DATA *data, INTERNET_SETTING *setting,
if (data->Secure)
{
// Start the SSL communication
- if (StartSSLEx(s, NULL, NULL, true, 0, NULL) == false)
+ if (StartSSLEx(s, NULL, NULL, true, 0, (IsEmptyStr(data->SniString) ? NULL : data->SniString)) == false)
{
// SSL connection failed
*error_code = ERR_PROTOCOL_ERROR;
@@ -782,13 +814,28 @@ BUF *HttpRequestEx2(URL_DATA *data, INTERNET_SETTING *setting,
return NULL;
}
- if (sha1_cert_hash != NULL)
+ if (sha1_cert_hash != NULL && num_hashes >= 1)
{
UCHAR hash[SHA1_SIZE];
+ UINT i;
+ bool ok = false;
+
Zero(hash, sizeof(hash));
GetXDigest(s->RemoteX, hash, true);
- if (Cmp(hash, sha1_cert_hash, SHA1_SIZE) != 0)
+ for (i = 0;i < num_hashes;i++)
+ {
+ UCHAR *a = (UCHAR *)sha1_cert_hash;
+ a += (SHA1_SIZE * i);
+
+ if (Cmp(hash, a, SHA1_SIZE) == 0)
+ {
+ ok = true;
+ break;
+ }
+ }
+
+ if (ok == false)
{
// Destination certificate hash mismatch
*error_code = ERR_CERT_NOT_TRUSTED;
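Review bot: The new loop treats `sha1_cert_hash` as `num_hashes` contiguous SHA1_SIZE-byte digests, but nothing in the hunk says so; a caller that passes a single 20-byte digest together with `num_hashes` greater than one makes `a += (SHA1_SIZE * i)` read past its buffer. State the layout where the loop begins: `// sha1_cert_hash holds num_hashes consecutive SHA1_SIZE-byte digests; the peer is accepted if its certificate matches any one of them`. Note also that this pins the SHA-1 digest of the whole peer certificate (`GetXDigest(..., true)`), not of its public key, so every certificate rotation on the server needs a fresh hash shipped to clients, and the weakening collision resistance of SHA-1 is worth tracking for something acting as a trust anchor. HttpRequestEx3 starts and ends outside this hunk.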
diff --git a/src/Cedar/Wpc.h b/src/Cedar/Wpc.h
index 98a2a4a5..5204057b 100644
--- a/src/Cedar/Wpc.h
+++ b/src/Cedar/Wpc.h
@@ -159,6 +159,7 @@ struct URL_DATA
char Referer[MAX_SIZE * 3]; // Referer
char AdditionalHeaderName[128]; // Additional header name
char AdditionalHeaderValue[MAX_SIZE]; // Additional header value
+ char SniString[MAX_SIZE]; // SNI String
};
// WPC entry
@@ -204,6 +205,11 @@ BUF *HttpRequestEx2(URL_DATA *data, INTERNET_SETTING *setting,
UINT *error_code, bool check_ssl_trust, char *post_data,
WPC_RECV_CALLBACK *recv_callback, void *recv_callback_param, void *sha1_cert_hash,
bool *cancel, UINT max_recv_size, char *header_name, char *header_value);
+BUF *HttpRequestEx3(URL_DATA *data, INTERNET_SETTING *setting,
+ UINT timeout_connect, UINT timeout_comm,
+ UINT *error_code, bool check_ssl_trust, char *post_data,
+ WPC_RECV_CALLBACK *recv_callback, void *recv_callback_param, void *sha1_cert_hash, UINT num_hashes,
+ bool *cancel, UINT max_recv_size, char *header_name, char *header_value);
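Review bot: The `HttpRequestEx3` prototype introduces `num_hashes` without documenting how it pairs with `sha1_cert_hash`, and the header is where callers will look. A short comment above the declaration would close that gap: it should say that `sha1_cert_hash` points to `num_hashes` consecutive SHA1_SIZE-byte certificate digests, that the peer certificate must match one of them, and that passing NULL or `num_hashes == 0` disables the pin check entirely (the implementation normalises either into the other before connecting). The same wording applies to the `WpcCallEx2` declaration further down, which forwards both arguments unchanged.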
SOCK *WpcSockConnect(WPC_CONNECT *param, UINT *error_code, UINT timeout);
SOCK *WpcSockConnectEx(WPC_CONNECT *param, UINT *error_code, UINT timeout, bool *cancel);
SOCK *WpcSockConnect2(char *hostname, UINT port, INTERNET_SETTING *t, UINT *error_code, UINT timeout);
@@ -223,6 +229,9 @@ PACK *WpcCall(char *url, INTERNET_SETTING *setting, UINT timeout_connect, UINT t
PACK *WpcCallEx(char *url, INTERNET_SETTING *setting, UINT timeout_connect, UINT timeout_comm,
char *function_name, PACK *pack, X *cert, K *key, void *sha1_cert_hash, bool *cancel, UINT max_recv_size,
char *additional_header_name, char *additional_header_value);
+PACK *WpcCallEx2(char *url, INTERNET_SETTING *setting, UINT timeout_connect, UINT timeout_comm,
+ char *function_name, PACK *pack, X *cert, K *key, void *sha1_cert_hash, UINT num_hashes, bool *cancel, UINT max_recv_size,
+ char *additional_header_name, char *additional_header_value, char *sni_string);
bool IsProxyPrivateIp(INTERNET_SETTING *s);
#endif // WPC_H