authordnobori <da.git@softether.co.jp>2019-11-18 06:27:21 +0300
committerdnobori <da.git@softether.co.jp>2019-11-18 06:27:21 +0300
commit53f1f2193835e6af51917e5b4753cca620e1a539 (patch)
tree519953d7ebc0b38b8660bde44bf2b6d08b592764 /src/Cedar
parenta81e4c2eb89896d3d12fd477bab90922eb79d843 (diff)
v4.31-9727-betav4.31-9727-beta
Diffstat (limited to 'src/Cedar')
-rw-r--r--src/Cedar/Account.c47
-rw-r--r--src/Cedar/Account.h3
-rw-r--r--src/Cedar/Cedar.h18
-rw-r--r--src/Cedar/IPsec_IKE.c5
-rw-r--r--src/Cedar/Interop_OpenVPN.c29
-rw-r--r--src/Cedar/Interop_OpenVPN.h3
-rw-r--r--src/Cedar/Protocol.c25
-rw-r--r--src/Cedar/Server.c5
-rw-r--r--src/Cedar/Server.h1
9 files changed, 116 insertions, 20 deletions
diff --git a/src/Cedar/Account.c b/src/Cedar/Account.c
index 192048df..7d3a17cd 100644
--- a/src/Cedar/Account.c
+++ b/src/Cedar/Account.c
@@ -1439,3 +1439,50 @@ int CompareUserName(void *p1, void *p2)
return StrCmpi(u1->Name, u2->Name);
}
+// Get the MAC address from the user's note string
+bool GetUserMacAddressFromUserNote(UCHAR *mac, wchar_t *note)
+{
+ bool ret = false;
+ UINT i;
+
+ Zero(mac, 6);
+ if (mac == NULL || note == NULL)
+ {
+ return false;
+ }
+
+ i = UniSearchStrEx(note, USER_MAC_STR_PREFIX, 0, false);
+ if (i != INFINITE)
+ {
+ wchar_t *macstr_start = &note[i + UniStrLen(USER_MAC_STR_PREFIX)];
+ wchar_t macstr2[MAX_SIZE];
+ UNI_TOKEN_LIST *tokens;
+
+ UniStrCpy(macstr2, sizeof(macstr2), macstr_start);
+
+ UniTrim(macstr2);
+
+ tokens = UniParseToken(macstr2, L" ,/()[].");
+ if (tokens != NULL)
+ {
+ if (tokens->NumTokens >= 1)
+ {
+ wchar_t *macstr = tokens->Token[0];
+
+ if (UniIsEmptyStr(macstr) == false)
+ {
+ char macstr_a[MAX_SIZE];
+
+ UniToStr(macstr_a, sizeof(macstr_a), macstr);
+
+ ret = StrToMac(mac, macstr_a);
+ }
+ }
+
+ UniFreeToken(tokens);
+ }
+ }
+
+ return ret;
+}
+
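Review bot: `Zero(mac, 6)` runs before the `mac == NULL` guard on the following line, so unless `Zero` itself tolerates NULL (not visible here) a NULL `mac` is written through before the check meant to reject it; swap the order: `if (mac == NULL || note == NULL) { return false; } Zero(mac, 6);`. The rest of the parsing is bounded (`UniStrCpy` into a `MAX_SIZE` buffer, a fixed delimiter set, first token only), but `StrToMac` accepts any six octets, so the function also returns true for all-zero, broadcast and multicast addresses. That is worth stating in the header comment, e.g. `// Returns true if a "MAC:" prefix followed by a parseable 6-octet address is present; the address is not validated as unicast`, so callers know to add their own check. Whether the `false` passed to `UniSearchStrEx` makes the `MAC:` prefix match case-sensitively isn't visible in this hunk.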
diff --git a/src/Cedar/Account.h b/src/Cedar/Account.h
index 929f19ab..713524e1 100644
--- a/src/Cedar/Account.h
+++ b/src/Cedar/Account.h
@@ -105,6 +105,8 @@
#ifndef ACCOUNT_H
#define ACCOUNT_H
+#define USER_MAC_STR_PREFIX L"MAC:"
+
// Policy item
struct POLICY_ITEM
{
@@ -303,6 +305,7 @@ POLICY_ITEM *GetPolicyItem(UINT id);
void GetPolicyValueRangeStr(wchar_t *str, UINT size, UINT id);
void FormatPolicyValue(wchar_t *str, UINT size, UINT id, UINT value);
char *NormalizePolicyName(char *name);
+bool GetUserMacAddressFromUserNote(UCHAR *mac, wchar_t *note);
#endif // ACCOUNT_H
diff --git a/src/Cedar/Cedar.h b/src/Cedar/Cedar.h
index cc32fc28..c3892d16 100644
--- a/src/Cedar/Cedar.h
+++ b/src/Cedar/Cedar.h
@@ -126,10 +126,10 @@
// Version number
-#define CEDAR_VER 430
+#define CEDAR_VER 431
// Build Number
-#define CEDAR_BUILD 9700
+#define CEDAR_BUILD 9727
// Beta number
//#define BETA_NUMBER 3
@@ -139,21 +139,21 @@
// Specify the name of the person in charge building
#ifndef BUILDER_NAME
-#define BUILDER_NAME "yagi"
+#define BUILDER_NAME "buildsan"
#endif // BUILDER_NAME
// Specify the location to build
#ifndef BUILD_PLACE
-#define BUILD_PLACE "pc33"
+#define BUILD_PLACE "crosswin"
#endif // BUILD_PLACE
// Specifies the build date
#define BUILD_DATE_Y 2019
-#define BUILD_DATE_M 7
-#define BUILD_DATE_D 13
-#define BUILD_DATE_HO 21
-#define BUILD_DATE_MI 37
-#define BUILD_DATE_SE 51
+#define BUILD_DATE_M 11
+#define BUILD_DATE_D 18
+#define BUILD_DATE_HO 10
+#define BUILD_DATE_MI 55
+#define BUILD_DATE_SE 38
// Tolerable time difference
#define ALLOW_TIMESTAMP_DIFF (UINT64)(3 * 24 * 60 * 60 * 1000)
diff --git a/src/Cedar/IPsec_IKE.c b/src/Cedar/IPsec_IKE.c
index 4f4f9a89..902678a6 100644
--- a/src/Cedar/IPsec_IKE.c
+++ b/src/Cedar/IPsec_IKE.c
@@ -135,7 +135,10 @@ void ProcIKEPacketRecv(IKE_SERVER *ike, UDPPACKET *p)
break;
case IKE_EXCHANGE_TYPE_AGGRESSIVE: // Aggressive mode
- ProcIkeAggressiveModePacketRecv(ike, p, header);
+ if (ike->Cedar->Server->DisableIPsecAggressiveMode == false)
+ {
+ ProcIkeAggressiveModePacketRecv(ike, p, header);
+ }
break;
case IKE_EXCHANGE_TYPE_QUICK: // Quick mode
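Review bot: When `DisableIPsecAggressiveMode` is set, an aggressive-mode packet is dropped silently; nothing records that a peer attempted the disabled exchange, which is exactly the event an operator who turned the knob on would want to see. An `else` branch with a debug-level log of the exchange type and source would make the drop observable without changing behaviour. The `switch` and `ProcIKEPacketRecv` begin before this hunk, and whether `ike->Cedar->Server` can be NULL at this point isn't visible here.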
diff --git a/src/Cedar/Interop_OpenVPN.c b/src/Cedar/Interop_OpenVPN.c
index dbb203e9..a2eaa8ad 100644
--- a/src/Cedar/Interop_OpenVPN.c
+++ b/src/Cedar/Interop_OpenVPN.c
@@ -482,7 +482,7 @@ void OvsProcessRecvControlPacket(OPENVPN_SERVER *s, OPENVPN_SESSION *se, OPENVPN
case OPENVPN_P_CONTROL_HARD_RESET_CLIENT_V2:
// New connection (hard reset)
- OvsSendControlPacket(c, OPENVPN_P_CONTROL_HARD_RESET_SERVER_V2, NULL, 0);
+ OvsSendControlPacketEx(c, OPENVPN_P_CONTROL_HARD_RESET_SERVER_V2, NULL, 0, true);
c->Status = OPENVPN_CHANNEL_STATUS_TLS_WAIT_CLIENT_KEY;
break;
@@ -1268,6 +1268,10 @@ void OvsSendControlPacketWithAutoSplit(OPENVPN_CHANNEL *c, UCHAR opcode, UCHAR *
// Send the control packet
void OvsSendControlPacket(OPENVPN_CHANNEL *c, UCHAR opcode, UCHAR *data, UINT data_size)
{
+ OvsSendControlPacketEx(c, opcode, data, data_size, false);
+}
+void OvsSendControlPacketEx(OPENVPN_CHANNEL *c, UCHAR opcode, UCHAR *data, UINT data_size, bool no_resend)
+{
OPENVPN_CONTROL_PACKET *p;
// Validate arguments
if (c == NULL || (data_size != 0 && data == NULL))
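Review bot: `OvsSendControlPacketEx` has no header comment, and `no_resend` is the parameter that changes the retransmission contract, so its meaning is only discoverable by reading `OvsRecvPacket`. Suggest `// Send the control packet; no_resend: transmit at most once, never retransmit (used for the HARD_RESET_SERVER_V2 reply to a client whose source address has not been confirmed)` above the definition, and the same meaning on the `NoResend` field in Interop_OpenVPN.h, e.g. `// Send at most once; set for replies to unverified peers to limit UDP reflection amplification`. The body of `OvsSendControlPacketEx` continues past this hunk.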
@@ -1277,6 +1281,8 @@ void OvsSendControlPacket(OPENVPN_CHANNEL *c, UCHAR opcode, UCHAR *data, UINT da
p = ZeroMalloc(sizeof(OPENVPN_CONTROL_PACKET));
+ p->NoResend = no_resend;
+
p->OpCode = opcode;
p->PacketId = c->NextSendPacketId++;
@@ -2258,20 +2264,25 @@ void OvsRecvPacket(OPENVPN_SERVER *s, LIST *recv_packet_list, UINT protocol)
if (cp->NextSendTime <= s->Now)
{
- OPENVPN_PACKET *p;
+ if (cp->NoResend == false || cp->NumSent == 0) // To address the UDP reflection amplification attack: https://github.com/SoftEtherVPN/SoftEtherVPN/issues/1001
+ {
+ OPENVPN_PACKET *p;
+
+ cp->NumSent++;
- num = OvsGetAckReplyList(c, acks);
+ num = OvsGetAckReplyList(c, acks);
- p = OvsNewControlPacket(cp->OpCode, j, se->ServerSessionId, num, acks,
- se->ClientSessionId, cp->PacketId, cp->DataSize, cp->Data);
+ p = OvsNewControlPacket(cp->OpCode, j, se->ServerSessionId, num, acks,
+ se->ClientSessionId, cp->PacketId, cp->DataSize, cp->Data);
- OvsSendPacketNow(s, se, p);
+ OvsSendPacketNow(s, se, p);
- OvsFreePacket(p);
+ OvsFreePacket(p);
- cp->NextSendTime = s->Now + (UINT64)OPENVPN_CONTROL_PACKET_RESEND_INTERVAL;
+ cp->NextSendTime = s->Now + (UINT64)OPENVPN_CONTROL_PACKET_RESEND_INTERVAL;
- AddInterrupt(s->Interrupt, cp->NextSendTime);
+ AddInterrupt(s->Interrupt, cp->NextSendTime);
+ }
}
}
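Review bot: Once a `NoResend` packet has been sent once, this branch no longer advances `cp->NextSendTime` or removes the entry, so it stays in the channel's sending list with an expired send time until it is acknowledged (the `OvsDeleteFromSendingControlPacketList` path is outside this hunk) or the session is torn down; for a spoofed source that never ACKs that is one small entry per session, bounded by session lifetime, but it looks like an oversight to a reader and deserves a comment so it isn't "fixed" back into retransmitting. Suggest extending the comment at the new `if`: `// NoResend packets are queued until acked or the session expires; they are never retransmitted`. It is also worth stating there that the mitigation still sends one reply per spoofed request, so the reflection ratio is capped at one reply, not eliminated — presumably the intended trade-off. The enclosing loop and `OvsRecvPacket` start before this hunk.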
diff --git a/src/Cedar/Interop_OpenVPN.h b/src/Cedar/Interop_OpenVPN.h
index b23eca5e..59a03b30 100644
--- a/src/Cedar/Interop_OpenVPN.h
+++ b/src/Cedar/Interop_OpenVPN.h
@@ -204,6 +204,8 @@ struct OPENVPN_CONTROL_PACKET
UINT DataSize; // Data size
UCHAR *Data; // Data body
UINT64 NextSendTime; // Scheduled next transmission time
+ bool NoResend; // Disable re-sending
+ UINT NumSent; // How many times we have sent this packet
};
// OpenVPN packet
@@ -343,6 +345,7 @@ void OvsSendPacketRawNow(OPENVPN_SERVER *s, OPENVPN_SESSION *se, void *data, UIN
void OvsProcessRecvControlPacket(OPENVPN_SERVER *s, OPENVPN_SESSION *se, OPENVPN_CHANNEL *c, OPENVPN_PACKET *p);
void OvsSendControlPacket(OPENVPN_CHANNEL *c, UCHAR opcode, UCHAR *data, UINT data_size);
+void OvsSendControlPacketEx(OPENVPN_CHANNEL *c, UCHAR opcode, UCHAR *data, UINT data_size, bool no_resend);
void OvsSendControlPacketWithAutoSplit(OPENVPN_CHANNEL *c, UCHAR opcode, UCHAR *data, UINT data_size);
void OvsFreeControlPacket(OPENVPN_CONTROL_PACKET *p);
void OvsDeleteFromSendingControlPacketList(OPENVPN_CHANNEL *c, UINT num_acks, UINT *acks);
diff --git a/src/Cedar/Protocol.c b/src/Cedar/Protocol.c
index 5fd8c12c..ff48382b 100644
--- a/src/Cedar/Protocol.c
+++ b/src/Cedar/Protocol.c
@@ -3021,6 +3021,8 @@ bool ServerAccept(CONNECTION *c)
// Get the policy
if (farm_member == false)
{
+ bool is_asterisk_user = false;
+
// In the case of not a farm member
user = AcGetUser(hub, username);
if (user == NULL)
@@ -3035,12 +3037,28 @@ bool ServerAccept(CONNECTION *c)
error_detail = "AcGetUser";
goto CLEANUP;
}
+
+ is_asterisk_user = true;
}
policy = NULL;
Lock(user->lock);
{
+ if (is_asterisk_user == false)
+ {
+ UCHAR associated_mac_address[6];
+
+ // Get the associated virtual MAC address
+ if (GetUserMacAddressFromUserNote(associated_mac_address, user->Note))
+ {
+ if (IsZero(assigned_ipc_mac_address, 6))
+ {
+ Copy(assigned_ipc_mac_address, associated_mac_address, 6);
+ }
+ }
+ }
+
// Get the expiration date
user_expires = user->ExpireTime;
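Review bot: The MAC parsed from `user->Note` is copied into `assigned_ipc_mac_address` without any validity check on the address itself: `StrToMac` accepts any six octets, so a note such as `MAC: ff:ff:ff:ff:ff:ff` or a multicast address would become the client's virtual MAC. A guard like `if (GetUserMacAddressFromUserNote(associated_mac_address, user->Note) && (associated_mac_address[0] & 1) == 0 && IsZero(associated_mac_address, 6) == false)` keeps broadcast/multicast and all-zero addresses out. The note field is presumably administrator-set, so this is a misconfiguration defence rather than an untrusted-input one. Where `assigned_ipc_mac_address` is declared and later consumed is outside this hunk, as is the rest of `ServerAccept`.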
@@ -7302,7 +7320,12 @@ bool ServerDownloadSignature(CONNECTION *c, char **error_detail_str)
*error_detail_str = "HTTP_ROOT";
{
- BUF *b = ReadDump("|wwwroot\\index.html");
+ BUF *b = NULL;
+
+ if (disable_json_api == false)
+ {
+ b = ReadDump("|wwwroot\\index.html");
+ }
if (b != NULL)
{
diff --git a/src/Cedar/Server.c b/src/Cedar/Server.c
index 31f4cb67..85ed1eb4 100644
--- a/src/Cedar/Server.c
+++ b/src/Cedar/Server.c
@@ -6003,6 +6003,9 @@ void SiLoadServerCfg(SERVER *s, FOLDER *f)
// Disable the NAT-traversal feature
s->DisableNatTraversal = CfgGetBool(f, "DisableNatTraversal");
+ // Disable IPsec Aggressive Mode
+ s->DisableIPsecAggressiveMode = CfgGetBool(f, "DisableIPsecAggressiveMode");
+
// Intel AES
s->DisableIntelAesAcceleration = CfgGetBool(f, "DisableIntelAesAcceleration");
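Review bot: The comment on the new `DisableIPsecAggressiveMode` load doesn't say what happens when the key is absent from an existing configuration; if `CfgGetBool` yields false for a missing key (as the neighbouring `DisableNatTraversal` line suggests, but not visible here), aggressive mode stays enabled on every upgraded install until an operator sets the key. Suggest `// Disable IPsec Aggressive Mode (opt-in; an absent key keeps aggressive mode enabled)` here and the same wording at the `CfgAddBool` in `SiWriteServerCfg` in the next hunk. Both `SiLoadServerCfg` and `SiWriteServerCfg` extend beyond these hunks.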
@@ -6410,6 +6413,8 @@ void SiWriteServerCfg(FOLDER *f, SERVER *s)
}
}
+ CfgAddBool(f, "DisableIPsecAggressiveMode", s->DisableIPsecAggressiveMode);
+
CfgAddStr(f, "OpenVPNDefaultClientOption", c->OpenVPNDefaultClientOption);
if (c->Bridge == false)
diff --git a/src/Cedar/Server.h b/src/Cedar/Server.h
index 4618eee5..338aa6a4 100644
--- a/src/Cedar/Server.h
+++ b/src/Cedar/Server.h
@@ -288,6 +288,7 @@ struct SERVER
bool NoMoreSave; // Do not save any more
bool EnableConditionalAccept; // Apply the Conditional Accept the Listener
bool EnableLegacySSL; // Enable Legacy SSL
+ bool DisableIPsecAggressiveMode; // Disable IPsec Aggressive Mode
volatile bool Halt; // Halting flag
LOCK *lock; // Lock