Diffstat (limited to 'src')
-rw-r--r--src/Cedar/Admin.c8
-rw-r--r--src/Cedar/Cedar.c2
-rw-r--r--src/Cedar/Cedar.h18
-rw-r--r--src/Cedar/Client.c4
-rw-r--r--src/Cedar/Connection.c10
-rw-r--r--src/Cedar/SM.c2
-rw-r--r--src/Cedar/Server.c85
-rw-r--r--src/Cedar/UdpAccel.c2
-rw-r--r--src/Cedar/Virtual.c24
-rw-r--r--src/Cedar/WebUI.c2
-rw-r--r--src/Mayaqua/FileIO.c2
-rw-r--r--src/Mayaqua/Network.c24
-rw-r--r--src/Mayaqua/Network.h1
-rw-r--r--src/Mayaqua/TcpIp.c4
14 files changed, 152 insertions, 36 deletions
diff --git a/src/Cedar/Admin.c b/src/Cedar/Admin.c
index 5e2ea80a..4dfe3ac1 100644
--- a/src/Cedar/Admin.c
+++ b/src/Cedar/Admin.c
@@ -11840,12 +11840,12 @@ void InRpcHubEnumCa(RPC_HUB_ENUM_CA *t, PACK *p)
void OutRpcHubEnumCa(PACK *p, RPC_HUB_ENUM_CA *t)
{
UINT i;
- PackAddStr(p, "HubName", t->HubName);
// Validate arguments
if (t == NULL || p == NULL)
{
return;
}
+ PackAddStr(p, "HubName", t->HubName);
for (i = 0;i < t->NumCa;i++)
{
@@ -12313,12 +12313,12 @@ void InRpcEnumAccessList(RPC_ENUM_ACCESS_LIST *a, PACK *p)
void OutRpcEnumAccessList(PACK *p, RPC_ENUM_ACCESS_LIST *a)
{
UINT i;
- PackAddStr(p, "HubName", a->HubName);
// Validate arguments
if (a == NULL || p == NULL)
{
return;
}
+ PackAddStr(p, "HubName", a->HubName);
for (i = 0;i < a->NumAccess;i++)
{
@@ -12573,12 +12573,12 @@ void InRpcEnumUser(RPC_ENUM_USER *t, PACK *p)
void OutRpcEnumUser(PACK *p, RPC_ENUM_USER *t)
{
UINT i;
- PackAddStr(p, "HubName", t->HubName);
// Validate arguments
if (t == NULL || p == NULL)
{
return;
}
+ PackAddStr(p, "HubName", t->HubName);
for (i = 0;i < t->NumUser;i++)
{
@@ -12787,12 +12787,12 @@ void InRpcEnumSession(RPC_ENUM_SESSION *t, PACK *p)
void OutRpcEnumSession(PACK *p, RPC_ENUM_SESSION *t)
{
UINT i;
- PackAddStr(p, "HubName", t->HubName);
// Validate arguments
if (t == NULL || p == NULL)
{
return;
}
+ PackAddStr(p, "HubName", t->HubName);
for (i = 0;i < t->NumSession;i++)
{
diff --git a/src/Cedar/Cedar.c b/src/Cedar/Cedar.c
index 790e8018..9abcea50 100644
--- a/src/Cedar/Cedar.c
+++ b/src/Cedar/Cedar.c
@@ -1803,6 +1803,8 @@ CEDAR *NewCedar(X *server_x, K *server_k)
c->BuildInfo = CopyStr(tmp);
+ c->DisableSslVersions = SSL_OPT_DEFAULT;
+
return c;
}
diff --git a/src/Cedar/Cedar.h b/src/Cedar/Cedar.h
index 23a94ffd..0f927dbb 100644
--- a/src/Cedar/Cedar.h
+++ b/src/Cedar/Cedar.h
@@ -404,7 +404,22 @@
#define KEEP_ALIVE_MAGIC 0xffffffff
#define MAX_KEEPALIVE_SIZE 512
-
+// SSL/TLS Versions
+#define SSL_VERSION_SSL_V2 0x01 // SSLv2
+#define SSL_VERSION_SSL_V3 0x02 // SSLv3
+#define SSL_VERSION_TLS_V1_0 0x04 // TLS v1.0
+#define SSL_VERSION_TLS_V1_1 0x08 // TLS v1.1
+#define SSL_VERSION_TLS_V1_2 0x10 // TLS v1.2
+
+// SSL/TLS Version Names
+#define NAME_SSL_VERSION_SSL_V2 "SSL_V2" // SSLv2
+#define NAME_SSL_VERSION_SSL_V3 "SSL_V3" // SSLv3
+#define NAME_SSL_VERSION_TLS_V1_0 "TLS_V1_0" // TLS v1.0
+#define NAME_SSL_VERSION_TLS_V1_1 "TLS_V1_1" // TLS v1.1
+#define NAME_SSL_VERSION_TLS_V1_2 "TLS_V1_2" // TLS v1.2
+
+// OpenSSL SSL Context Option Flags default
+#define SSL_OPT_DEFAULT 0x0
//////////////////////////////////////////////////////////////////////
//
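Review bot: `SSL_OPT_DEFAULT` is commented as an OpenSSL context option default, but it is used (in NewCedar) to initialize `DisableSslVersions`, which holds the `SSL_VERSION_*` bits defined just above it, not `SSL_OP_*` flags; the name and comment invite confusing the two bitmaps. Suggest `// Default bitmap of disabled SSL/TLS versions (none disabled)` and a name such as `SSL_VERSION_DISABLE_DEFAULT`, or simply initializing the field with 0. A one-line comment on the `SSL_VERSION_*` group saying that the same bits are stored in `CEDAR.DisableSslVersions` and `SOCK.DisableSslVersions` would also help the next reader find the consumers.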
@@ -1053,6 +1068,7 @@ typedef struct CEDAR
LOCK *FifoBudgetLock; // Fifo budget lock
UINT FifoBudget; // Fifo budget
bool AcceptOnlyTls; // Accept only TLS (Disable SSL)
+ UINT DisableSslVersions; // Bitmap of SSL Version to disable
char OpenVPNDefaultClientOption[MAX_SIZE]; // OpenVPN Default Client Option String
} CEDAR;
diff --git a/src/Cedar/Client.c b/src/Cedar/Client.c
index d4dd39be..00baa32b 100644
--- a/src/Cedar/Client.c
+++ b/src/Cedar/Client.c
@@ -2181,13 +2181,13 @@ BUF *CiAccountToCfg(RPC_CLIENT_CREATE_ACCOUNT *t)
// RPC dispatch routine
PACK *CiRpcDispatch(RPC *rpc, char *name, PACK *p)
{
- CLIENT *c = rpc->Param;
PACK *ret;
// Validate arguments
if (rpc == NULL || name == NULL || p == NULL)
{
return NULL;
}
+ CLIENT *c = rpc->Param;
ret = NewPack();
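Review bot: The moved `CLIENT *c = rpc->Param;` is now a declaration after a statement, which this file otherwise avoids (every other local is declared at the top and assigned after the argument check, e.g. `ret = NewPack();`); if any supported toolchain still compiles the project as C89, this is a hard error rather than a style nit. The same pattern is introduced in the second Client.c hunk (`ret->Rpc = rpc;` placed ahead of `RPC_CLIENT_VERSION t;`), in SM.c, UdpAccel.c, the three Virtual.c hunks that move `src_port`/`dest_port`, WebUI.c, FileIO.c, and `long ssl_opt_flags` in Network.c. Keeping the project's shape needs only `CLIENT *c;` in the declaration block and `c = rpc->Param;` after the check.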
@@ -6029,11 +6029,11 @@ L_TRY:
ReleaseSock(s);
ret = ZeroMalloc(sizeof(REMOTE_CLIENT));
- ret->Rpc = rpc;
rpc->Param = ret;
if (ret != NULL)
{
+ ret->Rpc = rpc;
RPC_CLIENT_VERSION t;
Zero(&t, sizeof(t));
CcGetClientVersion(ret, &t);
diff --git a/src/Cedar/Connection.c b/src/Cedar/Connection.c
index ada6ecc2..f4b08972 100644
--- a/src/Cedar/Connection.c
+++ b/src/Cedar/Connection.c
@@ -1030,7 +1030,7 @@ void ConnectionSend(CONNECTION *c, UINT64 now)
UINT size;
SESSION *s;
HUB *hub = NULL;
- bool use_qos;
+ bool use_qos = false;
// Validate arguments
if (c == NULL)
{
@@ -1038,11 +1038,11 @@ void ConnectionSend(CONNECTION *c, UINT64 now)
}
s = c->Session;
- use_qos = s->QoS;
if (s != NULL)
{
hub = s->Hub;
+ use_qos = s->QoS;
}
// Protocol
@@ -3137,10 +3137,8 @@ void ConnectionAccept(CONNECTION *c)
// Start the SSL communication
Debug("StartSSL()\n");
- if (c->Cedar->AcceptOnlyTls)
- {
- s->AcceptOnlyTls = true;
- }
+ s->DisableSslVersions = c->Cedar->DisableSslVersions;
+
if (StartSSL(s, x, k) == false)
{
// Failed
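Review bot: The socket now takes only `c->Cedar->DisableSslVersions`, so `AcceptOnlyTls` no longer reaches StartSSL from here; any path that sets `AcceptOnlyTls` without going through SiLoadServerCfg — the new defaults in the Server.c hunks for SiLoadInitialConfiguration and SiInitConfiguration set only that flag — leaves the bitmap at `SSL_OPT_DEFAULT` and SSLv2/SSLv3 enabled, unless SiLoadServerCfg is guaranteed to run afterwards on those paths. Folding the flag in here preserves the old guarantee regardless of which path was taken: `s->DisableSslVersions = c->Cedar->DisableSslVersions;` followed by `if (c->Cedar->AcceptOnlyTls) { s->DisableSslVersions |= SSL_VERSION_SSL_V2 | SSL_VERSION_SSL_V3; }`. ConnectionAccept starts and ends outside this hunk.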
diff --git a/src/Cedar/SM.c b/src/Cedar/SM.c
index a45213b4..92471e24 100644
--- a/src/Cedar/SM.c
+++ b/src/Cedar/SM.c
@@ -872,7 +872,6 @@ UINT SmDDnsDlg(HWND hWnd, UINT msg, WPARAM wParam, LPARAM lParam, void *param)
// Get the ddns key from the server configuration file
static UINT SmDdnsGetKey(char *key, SM_DDNS *d){
- RPC *rpc = d->s->Rpc;
RPC_CONFIG config;
UINT err;
BUF *buf;
@@ -882,6 +881,7 @@ static UINT SmDdnsGetKey(char *key, SM_DDNS *d){
if(d == NULL || d->s == NULL || key == NULL){
return ERR_INTERNAL_ERROR;
}
+ RPC *rpc = d->s->Rpc;
Zero(&config, sizeof(config));
err = ScGetConfig(d->s->Rpc, &config);
diff --git a/src/Cedar/Server.c b/src/Cedar/Server.c
index dcac885b..c0d5af72 100644
--- a/src/Cedar/Server.c
+++ b/src/Cedar/Server.c
@@ -2577,6 +2577,9 @@ void SiLoadInitialConfiguration(SERVER *s)
return;
}
+ // Default to TLS only; mitigates CVE-2016-0800
+ s->Cedar->AcceptOnlyTls = true;
+
// Auto saving interval related
s->AutoSaveConfigSpan = SERVER_FILE_SAVE_INTERVAL_DEFAULT;
s->BackupConfigOnlyWhenModified = true;
@@ -2762,6 +2765,9 @@ void SiInitConfiguration(SERVER *s)
s->AutoSaveConfigSpan = SERVER_FILE_SAVE_INTERVAL_DEFAULT;
s->BackupConfigOnlyWhenModified = true;
+ // Default to TLS only; mitigates CVE-2016-0800
+ s->Cedar->AcceptOnlyTls = true;
+
// IPsec server
if (s->Cedar->Bridge == false)
{
@@ -6156,7 +6162,49 @@ void SiLoadServerCfg(SERVER *s, FOLDER *f)
SetGlobalServerFlag(GSF_DISABLE_SESSION_RECONNECT, CfgGetBool(f, "DisableSessionReconnect"));
// AcceptOnlyTls
- c->AcceptOnlyTls = CfgGetBool(f, "AcceptOnlyTls");
+ if (CfgIsItem(f, "AcceptOnlyTls"))
+ {
+ c->AcceptOnlyTls = CfgGetBool(f, "AcceptOnlyTls");
+ }
+ else
+ {
+ c->AcceptOnlyTls = true;
+ }
+
+ if (c->AcceptOnlyTls) {
+ c->DisableSslVersions |= SSL_VERSION_SSL_V2;
+ c->DisableSslVersions |= SSL_VERSION_SSL_V3;
+ }
+
+ if (CfgGetStr(f, "DisableSslVersions", tmp, sizeof(tmp))) {
+ TOKEN_LIST *sslVersions= ParseToken(tmp, ", ");
+ UINT i;
+ for (i = 0;i < sslVersions->NumTokens;i++)
+ {
+ char *sslVersion=sslVersions->Token[i];
+ if (StrCmp(sslVersion, NAME_SSL_VERSION_SSL_V2)==0) {
+ c->DisableSslVersions |= SSL_VERSION_SSL_V2;
+ continue;
+ }
+ if (StrCmp(sslVersion, NAME_SSL_VERSION_SSL_V3)==0) {
+ c->DisableSslVersions |= SSL_VERSION_SSL_V3;
+ continue;
+ }
+ if (StrCmp(sslVersion, NAME_SSL_VERSION_TLS_V1_0)==0) {
+ c->DisableSslVersions |= SSL_VERSION_TLS_V1_0;
+ continue;
+ }
+ if (StrCmp(sslVersion, NAME_SSL_VERSION_TLS_V1_1)==0) {
+ c->DisableSslVersions |= SSL_VERSION_TLS_V1_1;
+ continue;
+ }
+ if (StrCmp(sslVersion, NAME_SSL_VERSION_TLS_V1_2)==0) {
+ c->DisableSslVersions |= SSL_VERSION_TLS_V1_2;
+ continue;
+ }
+ }
+ FreeToken(sslVersions);
+ }
}
Unlock(c->lock);
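Review bot: A token in `DisableSslVersions` that matches none of the five names is dropped silently, so a misspelt entry leaves that protocol version enabled with no trace in the log; after the last `if`, a `Debug("SiLoadServerCfg: unknown DisableSslVersions token '%s'\n", sslVersion);` (or the server-log equivalent) makes the mistake visible. The five if/continue blocks duplicate a name-to-bit mapping that SiWriteServerCfg and StartSSLEx repeat; a single static table of `{name, bit}` pairs shared by all three would keep them from drifting. The bits are only ever OR-ed into `c->DisableSslVersions`, so if this function can run on a configuration reload, a version removed from the list stays disabled until restart — confirm whether that is intended. The `if (...) {` brace placement and `sslVersions= ParseToken` spacing differ from the surrounding Allman style, and `tmp` is assumed to be an existing local of SiLoadServerCfg, which begins and ends outside this hunk.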
@@ -6467,6 +6515,41 @@ void SiWriteServerCfg(FOLDER *f, SERVER *s)
CfgAddBool(f, "AcceptOnlyTls", c->AcceptOnlyTls);
+ {
+ char tmp[MAX_SIZE];
+ tmp[0] = 0;
+ if (c->DisableSslVersions & SSL_VERSION_SSL_V2) {
+ StrCat(tmp, sizeof(tmp), NAME_SSL_VERSION_SSL_V2);
+ StrCat(tmp, sizeof(tmp), ",");
+ }
+ if (c->DisableSslVersions & SSL_VERSION_SSL_V3) {
+ StrCat(tmp, sizeof(tmp), NAME_SSL_VERSION_SSL_V3);
+ StrCat(tmp, sizeof(tmp), ",");
+ }
+ if (c->DisableSslVersions & SSL_VERSION_TLS_V1_0) {
+ StrCat(tmp, sizeof(tmp), NAME_SSL_VERSION_TLS_V1_0);
+ StrCat(tmp, sizeof(tmp), ",");
+ }
+ if (c->DisableSslVersions & SSL_VERSION_TLS_V1_1) {
+ StrCat(tmp, sizeof(tmp), NAME_SSL_VERSION_TLS_V1_1);
+ StrCat(tmp, sizeof(tmp), ",");
+ }
+ if (c->DisableSslVersions & SSL_VERSION_TLS_V1_2) {
+ StrCat(tmp, sizeof(tmp), NAME_SSL_VERSION_TLS_V1_2);
+ StrCat(tmp, sizeof(tmp), ",");
+ }
+ if (StrLen(tmp) >= 1)
+ {
+ if (tmp[StrLen(tmp) - 1] == ',')
+ {
+ tmp[StrLen(tmp) - 1] = 0;
+ }
+ }
+ CfgAddStr(f, "DisableSslVersions", tmp);
+ }
+
+
+
// Disable session reconnect
CfgAddBool(f, "DisableSessionReconnect", GetGlobalServerFlag(GSF_DISABLE_SESSION_RECONNECT));
}
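Review bot: The trailing-comma fixup calls `StrLen(tmp)` three times to undo what the five `StrCat(tmp, sizeof(tmp), ",")` calls added; emitting the separator before each name only when `tmp[0] != 0` removes the fixup and the repeated length scans. The nested block declares its own `char tmp[MAX_SIZE]`, which shadows any `tmp` SiWriteServerCfg already has in the outer scope — harmless here, but a distinct name such as `disabled_versions` avoids the trap. The three blank lines after the block are leftover whitespace. SiWriteServerCfg starts outside this hunk.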
diff --git a/src/Cedar/UdpAccel.c b/src/Cedar/UdpAccel.c
index 8b5b595f..58d1a621 100644
--- a/src/Cedar/UdpAccel.c
+++ b/src/Cedar/UdpAccel.c
@@ -116,7 +116,6 @@
// Polling process
void UdpAccelPoll(UDP_ACCEL *a)
{
- UCHAR *tmp = a->TmpBuf;
IP nat_t_ip;
UINT num_ignore_errors = 0;
// Validate arguments
@@ -124,6 +123,7 @@ void UdpAccelPoll(UDP_ACCEL *a)
{
return;
}
+ UCHAR *tmp = a->TmpBuf;
Lock(a->NatT_Lock);
{
diff --git a/src/Cedar/Virtual.c b/src/Cedar/Virtual.c
index 2ce41b02..a17892e0 100644
--- a/src/Cedar/Virtual.c
+++ b/src/Cedar/Virtual.c
@@ -2386,7 +2386,6 @@ bool NnTestConnectivity(NATIVE_STACK *a, TUBE *halt_tube)
UINT64 next_send_tick = 0;
UINT64 giveup_time;
IPC *ipc;
- UINT src_port = NnGenSrcPort(a->IsIpRawMode);
INTERRUPT_MANAGER *interrupt;
TUBE *tubes[3];
UINT num_tubes = 0;
@@ -2399,6 +2398,7 @@ bool NnTestConnectivity(NATIVE_STACK *a, TUBE *halt_tube)
{
return false;
}
+ UINT src_port = NnGenSrcPort(a->IsIpRawMode);
Copy(&using_dns, &a->DnsServerIP, sizeof(IP));
@@ -3997,7 +3997,6 @@ bool NatTransactIcmp(VH *v, NAT_ENTRY *n)
void *buf;
UINT recv_size;
BLOCK *block;
- UINT dest_port = n->DestPort;
IP dest_ip;
UINT num_ignore_errors = 0;
// Validate arguments
@@ -4005,6 +4004,7 @@ bool NatTransactIcmp(VH *v, NAT_ENTRY *n)
{
return true;
}
+ UINT dest_port = n->DestPort;
if (n->DisconnectNow)
{
@@ -4200,7 +4200,6 @@ bool NatTransactUdp(VH *v, NAT_ENTRY *n)
void *buf;
UINT recv_size;
BLOCK *block;
- UINT dest_port = n->DestPort;
IP dest_ip;
UINT num_ignore_errors;
// Validate arguments
@@ -4208,6 +4207,7 @@ bool NatTransactUdp(VH *v, NAT_ENTRY *n)
{
return true;
}
+ UINT dest_port = n->DestPort;
if (n->DisconnectNow)
{
@@ -5429,7 +5429,7 @@ SCAN_FIRST:
void ParseTcpOption(TCP_OPTION *o, void *data, UINT size)
{
UCHAR *buf = (UCHAR *)data;
- UINT i;
+ UINT i = 0;
UINT value_size = 0;
UINT value_id = 0;
UCHAR value[128];
@@ -5441,13 +5441,18 @@ void ParseTcpOption(TCP_OPTION *o, void *data, UINT size)
Zero(o, sizeof(TCP_OPTION));
- for (i = 0;i < size;i++)
+ while(i < size)
{
if (buf[i] == 0)
{
return;
}
- if (buf[i] != 1)
+ else if (buf[i] == 1)
+ {
+ i++;
+ continue;
+ }
+ else
{
value_id = buf[i];
i++;
@@ -5466,12 +5471,14 @@ void ParseTcpOption(TCP_OPTION *o, void *data, UINT size)
return;
}
value_size -= 2;
+
Copy(value, &buf[i], value_size);
i += value_size;
- if (i >= size)
+ if (i > size)
{
return;
}
+
switch (value_id)
{
case 2: // MSS
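Review bot: `Copy(value, &buf[i], value_size)` runs before the bound check that follows `i += value_size`, so an option whose declared length exceeds the bytes remaining is read past the end of `buf` before the function returns; relaxing the check to `if (i > size)` cannot help because the read has already happened. Move the check ahead of the copy: `if (i + value_size > size) { return; }` immediately before `Copy(value, &buf[i], value_size);`, after which the check after the increment is redundant. Whether `value_size` is also limited to `sizeof(value)` is decided by lines above this hunk and should be confirmed. ParseTcpOption begins outside this hunk.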
@@ -5486,14 +5493,13 @@ void ParseTcpOption(TCP_OPTION *o, void *data, UINT size)
if (value_size == 1)
{
UCHAR *wss = (UCHAR *)value;
- o->WindowScaling = Endian16(*wss);
+ o->WindowScaling = *wss;
}
break;
}
}
}
-
}
// Create a new NAT TCP session
diff --git a/src/Cedar/WebUI.c b/src/Cedar/WebUI.c
index e488835f..f71c385f 100644
--- a/src/Cedar/WebUI.c
+++ b/src/Cedar/WebUI.c
@@ -1725,12 +1725,12 @@ static wchar_t *WuUniReadFile(char *filename)
static void WuUniReplace(wchar_t **buf, wchar_t *from, wchar_t *to)
{
UINT dstsize;
- wchar_t *oldbuf = *buf;
if(buf == NULL || from == NULL || to == NULL)
{
return;
}
+ wchar_t *oldbuf = *buf;
dstsize = (UniCalcReplaceStrEx(*buf, from, to, true) + 1) * sizeof(wchar_t);
*buf = (wchar_t*)Malloc(dstsize);
diff --git a/src/Mayaqua/FileIO.c b/src/Mayaqua/FileIO.c
index 49fbec95..02abafb0 100644
--- a/src/Mayaqua/FileIO.c
+++ b/src/Mayaqua/FileIO.c
@@ -380,13 +380,13 @@ void ZipAddFileStart(ZIP_PACKER *p, char *name, UINT size, UINT64 dt, UINT attri
// Add data to the file
UINT ZipAddFileData(ZIP_PACKER *p, void *data, UINT pos, UINT len)
{
- UINT total_size = p->CurrentFile->CurrentSize + len;
UINT ret;
// Validate arguments
if (p == NULL)
{
return 0;
}
+ UINT total_size = p->CurrentFile->CurrentSize + len;
if (total_size > p->CurrentFile->Size)
{
return 0;
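Review bot: `total_size = p->CurrentFile->CurrentSize + len` can wrap in UINT when `len` is large, after which `total_size > p->CurrentFile->Size` is false and the size check is bypassed; assuming `CurrentSize` never exceeds `Size`, `if (len > p->CurrentFile->Size - p->CurrentFile->CurrentSize) { return 0; }` rejects the same inputs without the addition. The moved line still dereferences `p->CurrentFile` without a check, so the argument check just above protects only `p` — add `p->CurrentFile == NULL` to it if a NULL current file is reachable. ZipAddFileData continues outside this hunk.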
diff --git a/src/Mayaqua/Network.c b/src/Mayaqua/Network.c
index 609540fd..0737dd9c 100644
--- a/src/Mayaqua/Network.c
+++ b/src/Mayaqua/Network.c
@@ -155,6 +155,7 @@
#ifdef UNIX_MACOS
#include <sys/event.h>
#endif // UNIX_MACOS
+#include <Cedar/Cedar.h>
#ifdef OS_WIN32
NETWORK_WIN32_FUNCTIONS *w32net;
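Review bot: `#include <Cedar/Cedar.h>` from Mayaqua/Network.c inverts the layering visible in this tree: Cedar builds on Mayaqua, and Mayaqua's own Network.h now declares `SOCK.DisableSslVersions` without knowing the bit values it holds. Defining the `SSL_VERSION_*` bits in Mayaqua/Network.h, next to the field that stores them, and letting Cedar.h pick them up from there removes the circular dependency. If the include has to stay, a comment such as `// for SSL_VERSION_* bits used by StartSSLEx` should state why.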
@@ -12968,15 +12969,24 @@ bool StartSSLEx(SOCK *sock, X *x, K *priv, bool client_tls, UINT ssl_timeout, ch
{
if (sock->ServerMode)
{
- if (sock->AcceptOnlyTls == false)
- {
- SSL_CTX_set_ssl_version(ssl_ctx, SSLv23_method());
+ SSL_CTX_set_ssl_version(ssl_ctx, SSLv23_method());
+ long ssl_opt_flags=0x0L;
+ if (sock->DisableSslVersions & SSL_VERSION_SSL_V2) {
+ ssl_opt_flags |= SSL_OP_NO_SSLv2;
}
- else
- {
- SSL_CTX_set_ssl_version(ssl_ctx, TLSv1_method());
+ if (sock->DisableSslVersions & SSL_VERSION_SSL_V3) {
+ ssl_opt_flags |= SSL_OP_NO_SSLv3;
}
-
+ if (sock->DisableSslVersions & SSL_VERSION_TLS_V1_0) {
+ ssl_opt_flags |= SSL_OP_NO_TLSv1;
+ }
+ if (sock->DisableSslVersions & SSL_VERSION_TLS_V1_1) {
+ ssl_opt_flags |= SSL_OP_NO_TLSv1_1;
+ }
+ if (sock->DisableSslVersions & SSL_VERSION_TLS_V1_2) {
+ ssl_opt_flags |= SSL_OP_NO_TLSv1_2;
+ }
+ SSL_CTX_set_options(ssl_ctx, ssl_opt_flags);
Unlock(openssl_lock);
AddChainSslCertOnDirectory(ssl_ctx);
Lock(openssl_lock);
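Review bot: Every `SSL_OP_NO_*` flag is applied without checking that at least one version remains enabled, so a configuration listing all five names yields a server that fails every handshake with nothing in the log; a `Debug(...)` line when `ssl_opt_flags` carries all five bits, or a check in SiLoadServerCfg, would make that misconfiguration visible. `SSL_OP_NO_TLSv1_1` and `SSL_OP_NO_TLSv1_2` exist only in OpenSSL releases that implement those versions — if an older OpenSSL is still a supported build target, guard those two with `#ifdef`. `long ssl_opt_flags=0x0L;` is a declaration after a statement, and its spacing and the `if (...) {` brace placement differ from the surrounding code. StartSSLEx starts and ends outside this hunk.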
diff --git a/src/Mayaqua/Network.h b/src/Mayaqua/Network.h
index 6d579f8e..fd4c5d52 100644
--- a/src/Mayaqua/Network.h
+++ b/src/Mayaqua/Network.h
@@ -313,6 +313,7 @@ struct SOCK
UINT Reverse_MyServerPort; // Self port number when using the reverse socket
UCHAR Ssl_Init_Async_SendAlert[2]; // Initial state of SSL send_alert
bool AcceptOnlyTls; // Accept only TLS (disable SSLv3)
+ UINT DisableSslVersions; // Bitmap of SSL Version to disable
bool RawIP_HeaderIncludeFlag;
#ifdef ENABLE_SSL_LOGGING
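Review bot: The new field comment `Bitmap of SSL Version to disable` does not say which bits it holds; `// Bitmap of SSL_VERSION_* bits (Cedar.h): protocol versions StartSSLEx refuses in server mode` ties it to both the definitions and the consumer. The `AcceptOnlyTls` comment just above reads as if the field still drives the handshake, but the visible Network.c hunk removes the only check of it shown; if it is now kept for the configuration file alone, say so there.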
diff --git a/src/Mayaqua/TcpIp.c b/src/Mayaqua/TcpIp.c
index 39c43c09..5bed26a7 100644
--- a/src/Mayaqua/TcpIp.c
+++ b/src/Mayaqua/TcpIp.c
@@ -1834,9 +1834,9 @@ PKT *ParsePacketEx4(UCHAR *buf, UINT size, bool no_l3, UINT vlan_type_id, bool b
if ((p->TypeL3 == L3_IPV4 || p->TypeL3 == L3_IPV6) && p->TypeL4 == L4_TCP)
{
TCP_HEADER *tcp = p->L4.TCPHeader;
- if (tcp->DstPort == port_raw || tcp->DstPort == port_raw2)
+ if (tcp != NULL && (!((tcp->Flag & TCP_SYN) || (tcp->Flag & TCP_RST) || (tcp->Flag & TCP_FIN))))
{
- if (tcp != NULL && (!((tcp->Flag & TCP_SYN) || (tcp->Flag & TCP_RST) || (tcp->Flag & TCP_FIN))))
+ if (tcp->DstPort == port_raw || tcp->DstPort == port_raw2)
{
if (p->PayloadSize >= 1)
{