From 4df2eb4f9c2a8cf50e0123496bc20470edc21dc4 Mon Sep 17 00:00:00 2001 From: dnobori Date: Sun, 27 Nov 2016 17:43:14 +0900 Subject: v4.22-9634-beta --- src/Cedar/Admin.c | 2 +- src/Cedar/Cedar.c | 13 +++++-- src/Cedar/Cedar.h | 34 +++++------------ src/Cedar/Cedar.vcproj | 4 +- src/Cedar/Client.c | 8 ++-- src/Cedar/Command.c | 41 ++++++++++++++++++-- src/Cedar/Command.h | 2 + src/Cedar/Connection.c | 3 +- src/Cedar/Connection.h | 2 +- src/Cedar/DDNS.c | 16 +++++--- src/Cedar/DDNS.h | 9 ++++- src/Cedar/Hub.c | 2 +- src/Cedar/Hub.h | 2 +- src/Cedar/IPsec_IKE.c | 12 +++--- src/Cedar/IPsec_IPC.c | 3 +- src/Cedar/Interop_OpenVPN.c | 4 +- src/Cedar/Layer3.c | 6 +++ src/Cedar/Logging.c | 28 +++++++++++--- src/Cedar/Protocol.c | 54 ++++++-------------------- src/Cedar/Protocol.h | 2 +- src/Cedar/Radius.c | 28 ++++++++++---- src/Cedar/Radius.h | 7 ++-- src/Cedar/SM.c | 5 ++- src/Cedar/Sam.c | 10 ++--- src/Cedar/Server.c | 92 +++++++-------------------------------------- src/Cedar/UdpAccel.c | 4 +- src/Cedar/Virtual.c | 12 ++++-- src/Cedar/WebUI.c | 4 +- src/Cedar/WinUi.h | 2 +- src/Cedar/Wpc.c | 57 +++++++++++++++++++++++++--- src/Cedar/Wpc.h | 9 +++++ 31 files changed, 263 insertions(+), 214 deletions(-) (limited to 'src/Cedar') diff --git a/src/Cedar/Admin.c b/src/Cedar/Admin.c index 4dfe3ac1..f0908f47 100644 --- a/src/Cedar/Admin.c +++ b/src/Cedar/Admin.c @@ -1166,7 +1166,7 @@ UINT StMakeOpenVpnConfigFile(ADMIN *a, RPC_READ_LOG_FILE *t) name = NewName(cn, cn, cn, L"US", NULL, NULL); - dummy_x = NewRootX(dummy_public_k, dummy_private_k, name, MAX(GetDaysUntil2038(), SERVER_DEFAULT_CERT_DAYS), NULL); + dummy_x = NewRootX(dummy_public_k, dummy_private_k, name, GetDaysUntil2038Ex(), NULL); FreeName(name); diff --git a/src/Cedar/Cedar.c b/src/Cedar/Cedar.c index 9abcea50..9763e613 100644 --- a/src/Cedar/Cedar.c +++ b/src/Cedar/Cedar.c 
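Review bot: Replacing `MAX(GetDaysUntil2038(), SERVER_DEFAULT_CERT_DAYS)` with `GetDaysUntil2038Ex()` removes the visible lower bound on the dummy certificate's lifetime, and whether the new helper applies a floor itself is not in this diff. If it does not, certificates generated close to 2038 shrink toward zero validity; if it does, a one-line comment at the call site saying that the helper enforces the minimum would stop a reader from re-adding the MAX. The same substitution appears in Server.c SiGenerateDefaultCertEx later in this commit.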
@@ -274,6 +274,15 @@ bool IsSupportedWinVer(RPC_WINVER *v) return true; } } + else + { + // Windows Server 2016 + if (v->ServicePack <= 0) + { + // SP0 only + return true; + } + } } return false; @@ -1750,7 +1759,7 @@ CEDAR *NewCedar(X *server_x, K *server_k) c->TrafficDiffList = NewList(NULL); - SetCedarCipherList(c, "RC4-MD5"); + SetCedarCipherList(c, SERVER_DEFAULT_CIPHER_NAME); c->ClientId = _II("CLIENT_ID"); @@ -1803,8 +1812,6 @@ CEDAR *NewCedar(X *server_x, K *server_k) c->BuildInfo = CopyStr(tmp); - c->DisableSslVersions = SSL_OPT_DEFAULT; - return c; } diff --git a/src/Cedar/Cedar.h b/src/Cedar/Cedar.h index 0f927dbb..a4f8c196 100644 --- a/src/Cedar/Cedar.h +++ b/src/Cedar/Cedar.h @@ -135,10 +135,10 @@ // Version number -#define CEDAR_VER 421 +#define CEDAR_VER 422 // Build Number -#define CEDAR_BUILD 9613 +#define CEDAR_BUILD 9634 // Beta number //#define BETA_NUMBER 3 @@ -158,11 +158,11 @@ // Specifies the build date #define BUILD_DATE_Y 2016 -#define BUILD_DATE_M 4 -#define BUILD_DATE_D 24 -#define BUILD_DATE_HO 15 -#define BUILD_DATE_MI 39 -#define BUILD_DATE_SE 17 +#define BUILD_DATE_M 11 +#define BUILD_DATE_D 27 +#define BUILD_DATE_HO 14 +#define BUILD_DATE_MI 33 +#define BUILD_DATE_SE 59 // Tolerable time difference #define ALLOW_TIMESTAMP_DIFF (UINT64)(3 * 24 * 60 * 60 * 1000) 
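Review bot: The new else-branch in IsSupportedWinVer accepts only when `v->ServicePack <= 0`; if ServicePack is unsigned (its declaration is not in the hunk) that is just `== 0` and the `<=` reads as a sign check, so `if (v->ServicePack == 0)` says what is meant. The branch is labelled "Windows Server 2016", but the version comparison that selects it is the enclosing `if`, outside the hunk; naming that condition in the comment (`// else: <version condition> — Windows Server 2016, SP0 only`) would keep the label honest. Switching the default cipher list from a hard-coded "RC4-MD5" to `SERVER_DEFAULT_CIPHER_NAME` is the right direction.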
@@ -404,22 +404,7 @@ #define KEEP_ALIVE_MAGIC 0xffffffff #define MAX_KEEPALIVE_SIZE 512 -// SSL/TLS Versions -#define SSL_VERSION_SSL_V2 0x01 // SSLv2 -#define SSL_VERSION_SSL_V3 0x02 // SSLv3 -#define SSL_VERSION_TLS_V1_0 0x04 // TLS v1.0 -#define SSL_VERSION_TLS_V1_1 0x08 // TLS v1.1 -#define SSL_VERSION_TLS_V1_2 0x10 // TLS v1.2 -// SSL/TLS Version Names -#define NAME_SSL_VERSION_SSL_V2 "SSL_V2" // SSLv2 -#define NAME_SSL_VERSION_SSL_V3 "SSL_V3" // SSLv3 -#define NAME_SSL_VERSION_TLS_V1_0 "TLS_V1_0" // TLS v1.0 -#define NAME_SSL_VERSION_TLS_V1_1 "TLS_V1_1" // TLS v1.1 -#define NAME_SSL_VERSION_TLS_V1_2 "TLS_V1_2" // TLS v1.2 - -// OpenSSL SSL Context Option Flags default -#define SSL_OPT_DEFAULT 0x0 ////////////////////////////////////////////////////////////////////// // @@ -685,7 +670,7 @@ #define ARP_ENTRY_EXPIRES (30 * 1000) // ARP table expiration date #define ARP_ENTRY_POLLING_TIME (1 * 1000) // ARP table cleaning timer -#define ARP_REQUEST_TIMEOUT (200) // ARP request time-out period +#define ARP_REQUEST_TIMEOUT (1000) // ARP request time-out period #define ARP_REQUEST_GIVEUP (5 * 1000) // Time to give up sending the ARP request #define IP_WAIT_FOR_ARP_TIMEOUT (5 * 1000) // Total time that an IP packet waiting for ARP table #define IP_COMBINE_TIMEOUT (10 * 1000) // Time-out of IP packet combining @@ -1067,8 +1052,7 @@ typedef struct CEDAR UINT QueueBudget; // Queue budget LOCK *FifoBudgetLock; // Fifo budget lock UINT FifoBudget; // Fifo budget - bool AcceptOnlyTls; // Accept only TLS (Disable SSL) - UINT DisableSslVersions; // Bitmap of SSL Version to disable + SSL_ACCEPT_SETTINGS SslAcceptSettings; // SSL Accept Settings char OpenVPNDefaultClientOption[MAX_SIZE]; // OpenVPN Default Client Option String } CEDAR; diff --git a/src/Cedar/Cedar.vcproj b/src/Cedar/Cedar.vcproj index c84d7379..6a306a99 100644 --- a/src/Cedar/Cedar.vcproj +++ b/src/Cedar/Cedar.vcproj 
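Review bot: Deleting the `NAME_SSL_VERSION_*` tokens also deletes the vocabulary of the `DisableSslVersions` config item, and the matching parser in Server.c SiLoadServerCfg (later in this commit) goes with it without any migration, so a vpn_server.config that disabled TLS 1.0/1.1 through `DisableSslVersions` silently re-enables them on the first start after upgrade, because the new `Tls_Disable1_0/1_1/1_2` items default to false when absent. Either translate the old item on load or at least log when it is present and ignored. The new CEDAR member comment `// SSL Accept Settings` could also say where SSL_ACCEPT_SETTINGS is declared, since it is not defined in this header.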
@@ -46,7 +46,7 @@ Name="VCCLCompilerTool" Optimization="0" AdditionalIncludeDirectories="$(SolutionDir)Mayaqua\win32_inc;.;$(SolutionDir);WinPcap" - PreprocessorDefinitions="WIN32;_DEBUG;_LIB;_USE_32BIT_TIME_T" + PreprocessorDefinitions="WIN32;_DEBUG;_LIB" MinimalRebuild="true" ExceptionHandling="0" BasicRuntimeChecks="3" @@ -188,7 +188,7 @@ EnableIntrinsicFunctions="false" FavorSizeOrSpeed="0" AdditionalIncludeDirectories="$(SolutionDir)Mayaqua\win32_inc;.;$(SolutionDir);WinPcap" - PreprocessorDefinitions="WIN32;NDEBUG;_LIB;_USE_32BIT_TIME_T;VPN_SPEED" + PreprocessorDefinitions="WIN32;NDEBUG;_LIB;VPN_SPEED" StringPooling="false" ExceptionHandling="0" RuntimeLibrary="0" diff --git a/src/Cedar/Client.c b/src/Cedar/Client.c index 00baa32b..ccfbe665 100644 --- a/src/Cedar/Client.c +++ b/src/Cedar/Client.c @@ -2182,12 +2182,13 @@ BUF *CiAccountToCfg(RPC_CLIENT_CREATE_ACCOUNT *t) PACK *CiRpcDispatch(RPC *rpc, char *name, PACK *p) { PACK *ret; + CLIENT *c; // Validate arguments if (rpc == NULL || name == NULL || p == NULL) { return NULL; } - CLIENT *c = rpc->Param; + c = rpc->Param; ret = NewPack(); @@ -6033,8 +6034,9 @@ L_TRY: if (ret != NULL) { - ret->Rpc = rpc; RPC_CLIENT_VERSION t; + + ret->Rpc = rpc; Zero(&t, sizeof(t)); CcGetClientVersion(ret, &t); ret->OsType = t.OsType; @@ -6487,7 +6489,7 @@ bool Win32CiSecureSign(SECURE_SIGN *sign) // Success ret = true; sign->ClientCert = batch[0].OutputX; - Copy(sign->Signature, batch[1].OutputSign, 128); + Copy(sign->Signature, batch[1].OutputSign, MIN(sizeof(sign->Signature),sizeof(batch[1].OutputSign))); } } diff --git a/src/Cedar/Command.c b/src/Cedar/Command.c index 41dbd289..365257cd 100644 --- a/src/Cedar/Command.c +++ b/src/Cedar/Command.c @@ -1245,6 +1245,7 @@ void TtsWorkerThread(THREAD *thread, void *param) if (ret != 0 && ret != SOCK_LATER) { ts->State = 5; + ts->LastCommTime = now; } break; 
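Review bot: In Win32CiSecureSign, `Copy(sign->Signature, batch[1].OutputSign, MIN(sizeof(sign->Signature),sizeof(batch[1].OutputSign)))` copies the whole buffer regardless of the real signature length, and nothing in the hunk records that length; the consumers in Protocol.c (ClientSecureSign / ClientUploadAuth) derive it from the key size instead. If OutputSign is not fully written for keys shorter than the buffer, the tail of `sign->Signature` is whatever the batch struct held, so zeroing `sign->Signature` before the copy or storing the actual length alongside it is worth considering. Win32CiSecureSign's body continues outside the hunk.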
@@ -1255,6 +1256,8 @@ void TtsWorkerThread(THREAD *thread, void *param) { UCHAR c; + ts->LastCommTime = now; + // Direction of the data is in the first byte that is received c = recv_buf_data[0]; @@ -1276,6 +1279,8 @@ void TtsWorkerThread(THREAD *thread, void *param) // Span ts->Span = READ_UINT64(recv_buf_data + sizeof(UINT64) + 1); + + ts->GiveupSpan = ts->Span * 3ULL + 180000ULL; } } break; @@ -1289,6 +1294,8 @@ void TtsWorkerThread(THREAD *thread, void *param) // Checking the first byte of received UCHAR c = recv_buf_data[0]; + ts->LastCommTime = now; + if (ts->FirstRecvTick == 0) { // Record the time at which the data has been received for the first @@ -1326,10 +1333,20 @@ void TtsWorkerThread(THREAD *thread, void *param) if (ts->NoMoreSendData == false) { ret = Send(ts->Sock, send_buf_data, buf_size, false); + + if (ret != 0 && ret != SOCK_LATER) + { + ts->LastCommTime = now; + } } else { ret = Recv(ts->Sock, recv_buf_data, buf_size, false); + + if (ret != 0 && ret != SOCK_LATER) + { + ts->LastCommTime = now; + } } if (ts->FirstSendTick == 0) @@ -1364,6 +1381,11 @@ void TtsWorkerThread(THREAD *thread, void *param) { ret = Send(ts->Sock, &tmp64, sizeof(tmp64), false); + if (ret != 0 && ret != SOCK_LATER) + { + ts->LastCommTime = now; + } + if (ret != SOCK_LATER) { UINT j; @@ -1390,6 +1412,12 @@ void TtsWorkerThread(THREAD *thread, void *param) break; } + if (now > (ts->LastCommTime + ts->GiveupSpan)) + { + // Timeout: disconnect orphan sessions + ret = 0; + } + if (ret == 0) { // Mark as deleting the socket because it is disconnected @@ -1514,7 +1542,7 @@ void TtsAcceptProc(TTS *tts, SOCK *listen_socket) else { // Connected from the client - AcceptInit(s); + AcceptInitEx(s, true); tts->NewSocketArrived = true; LockList(tts->TtsSockList); { 
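Review bot: `ts->GiveupSpan = ts->Span * 3ULL + 180000ULL` is derived from `ts->Span`, which the peer supplies in its request header (`READ_UINT64(recv_buf_data + …)` just above), so the orphan-session cutoff added at `if (now > (ts->LastCommTime + ts->GiveupSpan))` is only as strong as the client allows: a huge span keeps the socket open indefinitely, and a span near UINT64 max wraps both the multiplication and the later addition. Clamp before deriving the timeout, e.g. `ts->GiveupSpan = MIN(ts->Span, <MAX_TTS_SPAN placeholder>) * 3ULL + 180000ULL;`. TtsWorkerThread begins and ends outside the hunk.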
@@ -1523,6 +1551,9 @@ void TtsAcceptProc(TTS *tts, SOCK *listen_socket) ts->Id = (++tts->IdSeed); ts->Sock = s; + ts->GiveupSpan = (UINT64)(10 * 60 * 1000); + ts->LastCommTime = Tick64(); + UniFormat(tmp, sizeof(tmp), _UU("TTS_ACCEPTED"), ts->Id, s->RemoteHostname, s->RemotePort); TtPrint(tts->Param, tts->Print, tmp); @@ -8079,7 +8110,7 @@ UINT PsServerCipherGet(CONSOLE *c, char *cmd_name, wchar_t *str, void *param) RPC_STR t; TOKEN_LIST *ciphers; UINT i; - wchar_t tmp[MAX_SIZE]; + wchar_t tmp[4096]; o = ParseCommandList(c, cmd_name, str, NULL, 0); if (o == NULL) @@ -10039,7 +10070,11 @@ UINT PsLogFileGet(CONSOLE *c, char *cmd_name, wchar_t *str, void *param) return ERR_INVALID_PARAMETER; } - filename = GetParamStr(o, "SAVEPATH"); + filename = GetParamStr(o, "SAVE"); + if (IsEmptyStr(filename)) + { + filename = GetParamStr(o, "SAVEPATH"); + } c->Write(c, _UU("CMD_LogFileGet_START")); diff --git a/src/Cedar/Command.h b/src/Cedar/Command.h index 2ce75b89..d573d940 100644 --- a/src/Cedar/Command.h +++ b/src/Cedar/Command.h @@ -204,6 +204,8 @@ struct TTS_SOCK UINT64 FirstRecvTick; // Time which the data has been received last UINT64 FirstSendTick; // Time which the data has been sent last UINT64 Span; // Period + UINT64 GiveupSpan; + UINT64 LastCommTime; }; // Traffic test server diff --git a/src/Cedar/Connection.c b/src/Cedar/Connection.c index f4b08972..80097e1b 100644 --- a/src/Cedar/Connection.c +++ b/src/Cedar/Connection.c @@ -3137,8 +3137,7 @@ void ConnectionAccept(CONNECTION *c) // Start the SSL communication Debug("StartSSL()\n"); - s->DisableSslVersions = c->Cedar->DisableSslVersions; - + Copy(&s->SslAcceptSettings, &c->Cedar->SslAcceptSettings, sizeof(SSL_ACCEPT_SETTINGS)); if (StartSSL(s, x, k) == false) { // Failed diff --git a/src/Cedar/Connection.h b/src/Cedar/Connection.h index 6861bbb8..98a7c1f2 100644 --- a/src/Cedar/Connection.h +++ b/src/Cedar/Connection.h 
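Review bot: The two new TTS_SOCK members in Command.h lack the trailing comment every other member of the struct carries; from their use in Command.c, `UINT64 GiveupSpan; // Idle time after which the session is treated as orphaned and dropped` and `UINT64 LastCommTime; // Tick of the last successful Send/Recv`. In PsServerCipherGet, `wchar_t tmp[4096]` replaces a named size with a magic number; if the cipher list can exceed MAX_SIZE, a named constant would say why.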
@@ -144,7 +144,7 @@ struct SECURE_SIGN
 char SecurePrivateKeyName[MAX_SECURE_DEVICE_FILE_LEN + 1]; // Secure device secret key name
 X *ClientCert; // Client certificate
 UCHAR Random[SHA1_SIZE]; // Random value for signature
- UCHAR Signature[128]; // Signed data
+ UCHAR Signature[4096 / 8]; // Signed data
 UINT UseSecureDeviceId;
 UINT BitmapId; // Bitmap ID
 };
diff --git a/src/Cedar/DDNS.c b/src/Cedar/DDNS.c
index b6281ee7..85695bb3 100644
--- a/src/Cedar/DDNS.c
+++ b/src/Cedar/DDNS.c
@@ -670,9 +670,12 @@ UINT DCRegister(DDNS_CLIENT *c, bool ipv6, DDNS_REGISTER_PARAM *p, char *replace
 if (ret == NULL)
 {
 Debug("WpcCall: %s\n", url3);
- ret = WpcCallEx(url3, &t, DDNS_CONNECT_TIMEOUT, DDNS_COMM_TIMEOUT, "register", req,
- NULL, NULL, ((cert_hash != NULL && cert_hash->Size == SHA1_SIZE) ? cert_hash->Buf : NULL), NULL, DDNS_RPC_MAX_RECV_SIZE,
- add_header_name, add_header_value);
+ ret = WpcCallEx2(url3, &t, DDNS_CONNECT_TIMEOUT, DDNS_COMM_TIMEOUT, "register", req,
+ NULL, NULL, ((cert_hash != NULL && ((cert_hash->Size % SHA1_SIZE) == 0)) ? cert_hash->Buf : NULL),
+ (cert_hash != NULL ? cert_hash->Size / SHA1_SIZE : 0),
+ NULL, DDNS_RPC_MAX_RECV_SIZE,
+ add_header_name, add_header_value,
+ DDNS_SNI_VER_STRING);
 Debug("WpcCall Ret: %u\n", ret);
 }
@@ -874,8 +877,11 @@ UINT DCGetMyIpMain(DDNS_CLIENT *c, bool ipv6, char *dst, UINT dst_size, bool use
 }
- recv = HttpRequest(&data, (ipv6 ? NULL : &c->InternetSetting), DDNS_CONNECT_TIMEOUT, DDNS_COMM_TIMEOUT, &ret, false, NULL, NULL,
- NULL, ((cert_hash != NULL && cert_hash->Size == SHA1_SIZE) ? cert_hash->Buf : NULL));
+ StrCpy(data.SniString, sizeof(data.SniString), DDNS_SNI_VER_STRING);
+
+ recv = HttpRequestEx3(&data, (ipv6 ? NULL : &c->InternetSetting), DDNS_CONNECT_TIMEOUT, DDNS_COMM_TIMEOUT, &ret, false, NULL, NULL,
+ NULL, ((cert_hash != NULL && (cert_hash->Size % SHA1_SIZE) == 0) ? cert_hash->Buf : NULL),
+ (cert_hash != NULL ? cert_hash->Size / SHA1_SIZE : 0), NULL, 0, NULL, NULL);
 FreeBuf(cert_hash);
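Review bot: `(cert_hash->Size % SHA1_SIZE) == 0` is also true for `Size == 0`, so when StrToBin yields an empty buffer (an empty or malformed DDNS_CERT_HASH) a non-NULL `Buf` is handed to WpcCallEx2 / HttpRequestEx3 with a count of 0; how those callees treat zero entries is not visible here, and if zero means "no pinning", a bad constant switches certificate pinning off silently instead of failing the request. Tighten the condition at both DDNS call sites to `cert_hash->Size >= SHA1_SIZE && (cert_hash->Size % SHA1_SIZE) == 0`; the identical expression appears in UpdateClientThreadMain in Protocol.c. Both DCRegister and DCGetMyIpMain continue outside their hunks.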
diff --git a/src/Cedar/DDNS.h b/src/Cedar/DDNS.h index fe0d9054..e9ef14b6 100644 --- a/src/Cedar/DDNS.h +++ b/src/Cedar/DDNS.h @@ -115,7 +115,14 @@ #define DDNS_H // Certificate hash -#define DDNS_CERT_HASH "EFAC5FA0CDD14E0F864EED58A73C35D7E33B62F3" +#define DDNS_CERT_HASH "78BF0499A99396907C9F49DD13571C81FE26E6F5" \ + "439BAFA75A6EE5671FC9F9A02D34FF29881761A0" \ + "EFAC5FA0CDD14E0F864EED58A73C35D7E33B62F3" \ + "74DF99D4B1B5F0488A388B50D347D26013DC67A5" \ + "6EBB39AFCA8C900635CFC11218CF293A612457E4" + +#define DDNS_SNI_VER_STRING "DDNS" + // Destination URL #define DDNS_URL_V4_GLOBAL "https://x%c.x%c.servers.ddns.softether-network.net/ddns/ddns.aspx" diff --git a/src/Cedar/Hub.c b/src/Cedar/Hub.c index 4cfd7b2b..5aa36b5a 100644 --- a/src/Cedar/Hub.c +++ b/src/Cedar/Hub.c @@ -214,7 +214,7 @@ EAP_CLIENT *HubNewEapClient(CEDAR *cedar, char *hubname, char *client_ip_str, ch if (GetIP(&ip, radius_servers_list->Token[i])) { eap = NewEapClient(&ip, radius_port, radius_secret, radius_retry_interval, - RADIUS_INITIAL_EAP_TIMEOUT, client_ip_str, username); + RADIUS_INITIAL_EAP_TIMEOUT, client_ip_str, username, hubname); if (eap != NULL) { diff --git a/src/Cedar/Hub.h b/src/Cedar/Hub.h index c6bdd300..bb6acfbd 100644 --- a/src/Cedar/Hub.h +++ b/src/Cedar/Hub.h @@ -438,9 +438,9 @@ struct HUB UINT RadiusRetryInterval; // Radius retry interval BUF *RadiusSecret; // Radius shared key char RadiusSuffixFilter[MAX_SIZE]; // Radius suffix filter + char RadiusRealm[MAX_SIZE]; // Radius realm (optional) bool RadiusConvertAllMsChapv2AuthRequestToEap; // Convert all MS-CHAPv2 auth request to EAP bool RadiusUsePeapInsteadOfEap; // Use PEAP instead of EAP - char RadiusRealm[MAX_SIZE]; // Radius realm (optional) volatile bool Halt; // Halting flag bool Offline; // Offline bool BeingOffline; // Be Doing Offline diff --git a/src/Cedar/IPsec_IKE.c b/src/Cedar/IPsec_IKE.c index aea01040..eff09b78 100644 --- a/src/Cedar/IPsec_IKE.c +++ b/src/Cedar/IPsec_IKE.c 
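Review bot: `DDNS_CERT_HASH` is now five concatenated 40-hex-digit SHA-1 fingerprints and the callers (DCRegister, DCGetMyIpMain, UpdateClientThreadMain) recover the count with `Size / SHA1_SIZE`, but nothing in the header says so, and a reader will take it for one broken hash. Add above the define something like `// Concatenated SHA-1 fingerprints of the accepted server certificates, 40 hex chars each; split by SHA1_SIZE at the call sites`, and note that any fingerprint added here also widens the update-check pin set, since Protocol.h now aliases this macro. `DDNS_SNI_VER_STRING` would likewise benefit from a line saying it is sent as the TLS SNI value.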
@@ -4723,11 +4723,13 @@ bool GetBestTransformSettingForIPsecSa(IKE_SERVER *ike, IKE_PACKET *pr, IPSEC_SA
 if (transform_payload != NULL)
 {
 IKE_PACKET_TRANSFORM_PAYLOAD *transform = &transform_payload->Payload.Transform;
- IPSEC_SA_TRANSFORM_SETTING *set = NULL;
+ IPSEC_SA_TRANSFORM_SETTING set;
- if (TransformPayloadToTransformSettingForIPsecSa(ike, transform, set, server_ip))
+ Zero(&set, sizeof(set));
+
+ if (TransformPayloadToTransformSettingForIPsecSa(ike, transform, &set, server_ip))
 {
- Copy(setting, set, sizeof(IPSEC_SA_TRANSFORM_SETTING));
+ Copy(setting, &set, sizeof(IPSEC_SA_TRANSFORM_SETTING));
 setting->SpiServerToClient = READ_UINT(proposal->Spi->Buf);
@@ -4735,11 +4737,11 @@ bool GetBestTransformSettingForIPsecSa(IKE_SERVER *ike, IKE_PACKET *pr, IPSEC_SA
 }
 else
 {
- if (set != NULL && set->OnlyCapsuleModeIsInvalid)
+ if (set.OnlyCapsuleModeIsInvalid)
 {
 if (ocmii_flag == false)
 {
- Copy(setting, set, sizeof(IPSEC_SA_TRANSFORM_SETTING));
+ Copy(setting, &set, sizeof(IPSEC_SA_TRANSFORM_SETTING));
 ocmii_flag = true;
 }
 }
diff --git a/src/Cedar/IPsec_IPC.c b/src/Cedar/IPsec_IPC.c
index ad90ae09..26d1163a 100644
--- a/src/Cedar/IPsec_IPC.c
+++ b/src/Cedar/IPsec_IPC.c
@@ -426,7 +426,6 @@ IPC *NewIPC(CEDAR *cedar, char *client_name, char *postfix, char *hubname, char
 // Upload the authentication data
 p = PackLoginWithPlainPassword(hubname, username, password);
- PackAddInt64(p, "timestamp", SystemTime64());
 PackAddStr(p, "hello", client_name);
 PackAddInt(p, "client_ver", cedar->Version);
 PackAddInt(p, "client_build", cedar->Build);
@@ -690,7 +689,7 @@ void IPCDhcpSetConditionalUserClass(IPC *ipc, DHCP_OPTION_LIST *req)
 return;
 }
- if (hub->Option && hub->Option->UseHubNameAsDhcpUserClassOption == true)
+ if (hub->Option && hub->Option->UseHubNameAsDhcpUserClassOption)
 {
 StrCpy(req->UserClass, sizeof(req->UserClass), ipc->HubName);
 }
diff --git a/src/Cedar/Interop_OpenVPN.c b/src/Cedar/Interop_OpenVPN.c
index 6b7260a5..801f48b9 100644
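Review bot: The `Zero(&set, sizeof(set))` is load-bearing, not cosmetic: the else-branch reads `set.OnlyCapsuleModeIsInvalid` even when TransformPayloadToTransformSettingForIPsecSa returned false, so the flag must be defined on that path, and whether the callee writes it before failing is not visible here. A one-line comment, `// zeroed so OnlyCapsuleModeIsInvalid is defined even when the conversion fails`, would keep a later cleanup from dropping it. The previous code passed a NULL `set` into the callee and then copied from it, so this hunk also removes a NULL dereference on the accepted path; that is worth a sentence in the commit description. GetBestTransformSettingForIPsecSa continues outside both hunks.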
--- a/src/Cedar/Interop_OpenVPN.c +++ b/src/Cedar/Interop_OpenVPN.c @@ -2114,8 +2114,8 @@ void OvsRecvPacket(OPENVPN_SERVER *s, LIST *recv_packet_list, UINT protocol) if (r->Exists) { Format(l3_options, sizeof(l3_options), - ",route %r %r %r", - &r->Network, &r->SubnetMask, &r->Gateway); + ",route %r %r vpn_gateway", + &r->Network, &r->SubnetMask); StrCat(option_str, sizeof(option_str), l3_options); } diff --git a/src/Cedar/Layer3.c b/src/Cedar/Layer3.c index ebae0b21..16f5032e 100644 --- a/src/Cedar/Layer3.c +++ b/src/Cedar/Layer3.c @@ -540,6 +540,12 @@ void L3KnownArp(L3IF *f, UINT ip, UCHAR *mac) return; } + if (!((f->IpAddress & f->SubnetMask) == (ip & f->SubnetMask))) + { + // Outside the subnet + return; + } + // Delete an ARP query entry to this IP address Zero(&t, sizeof(t)); t.IpAddress = ip; diff --git a/src/Cedar/Logging.c b/src/Cedar/Logging.c index e0fceaa6..69334b14 100644 --- a/src/Cedar/Logging.c +++ b/src/Cedar/Logging.c @@ -1396,22 +1396,38 @@ char *BuildHttpLogStr(HTTPLOG *h) b = NewBuf(); - if (StartWith(h->Path, "http://")) + if (StartWith(h->Path, "http://") || StartWith(h->Path, "https://")) { StrCpy(url, sizeof(url), h->Path); } else { // URL generation - if (h->Port == 80) + if (h->IsSsl == false) { - Format(url, sizeof(url), "http://%s%s", - h->Hostname, h->Path); + if (h->Port == 80) + { + Format(url, sizeof(url), "http://%s%s", + h->Hostname, h->Path); + } + else + { + Format(url, sizeof(url), "http://%s:%u%s", + h->Hostname, h->Port, h->Path); + } } else { - Format(url, sizeof(url), "http://%s:%u%s", - h->Hostname, h->Port, h->Path); + if (h->Port == 443) + { + Format(url, sizeof(url), "https://%s/", + h->Hostname); + } + else + { + Format(url, sizeof(url), "https://%s:%u/", + h->Hostname, h->Port); + } } } diff --git a/src/Cedar/Protocol.c b/src/Cedar/Protocol.c index f11d5957..90342c74 100644 --- a/src/Cedar/Protocol.c +++ b/src/Cedar/Protocol.c 
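Review bot: In the new `IsSsl` branch of BuildHttpLogStr the URL is formatted as `https://%s/` or `https://%s:%u/` from the hostname alone, dropping `h->Path`, while the plain-HTTP branch and the `StartWith(h->Path, "https://")` shortcut above keep the path; if that is deliberate (for TLS traffic only the host is observable, not the path), a comment saying so would stop the next reader from "fixing" the log to include a path that does not exist. BuildHttpLogStr begins and ends outside the hunk. In Layer3.c, `if (!((f->IpAddress & f->SubnetMask) == (ip & f->SubnetMask)))` reads more directly as `if ((f->IpAddress & f->SubnetMask) != (ip & f->SubnetMask))`.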
@@ -690,8 +690,11 @@ void UpdateClientThreadMain(UPDATE_CLIENT *c) cert_hash = StrToBin(UPDATE_SERVER_CERT_HASH); - recv = HttpRequestEx2(&data, NULL, UPDATE_CONNECT_TIMEOUT, UPDATE_COMM_TIMEOUT, &ret, false, NULL, NULL, - NULL, ((cert_hash != NULL && cert_hash->Size == SHA1_SIZE) ? cert_hash->Buf : NULL), + StrCpy(data.SniString, sizeof(data.SniString), DDNS_SNI_VER_STRING); + + recv = HttpRequestEx3(&data, NULL, UPDATE_CONNECT_TIMEOUT, UPDATE_COMM_TIMEOUT, &ret, false, NULL, NULL, + NULL, ((cert_hash != NULL && (cert_hash->Size % SHA1_SIZE) == 0) ? cert_hash->Buf : NULL), + (cert_hash != NULL ? (cert_hash->Size / SHA1_SIZE) : 0), (bool *)&c->HaltFlag, 0, NULL, NULL); FreeBuf(cert_hash); @@ -1312,7 +1315,6 @@ bool ServerAccept(CONNECTION *c) FARM_MEMBER *f = NULL; SERVER *server = NULL; POLICY ticketed_policy; - UINT64 timestamp; UCHAR unique[SHA1_SIZE], unique2[SHA1_SIZE]; CEDAR *cedar; RPC_WINVER winver; @@ -1450,31 +1452,6 @@ bool ServerAccept(CONNECTION *c) } } - // Time inspection - timestamp = PackGetInt64(p, "timestamp"); - if (timestamp != 0) - { - UINT64 now = SystemTime64(); - UINT64 abs; - if (now >= timestamp) - { - abs = now - timestamp; - } - else - { - abs = timestamp - now; - } - - if (abs > ALLOW_TIMESTAMP_DIFF) - { - // Time difference is too large - FreePack(p); - c->Err = ERR_BAD_CLOCK; - error_detail = "ERR_BAD_CLOCK"; - goto CLEANUP; - } - } - // Get the client version PackGetStr(p, "client_str", c->ClientStr, sizeof(c->ClientStr)); c->ClientVer = PackGetInt(p, "client_ver"); @@ -1655,7 +1632,7 @@ bool ServerAccept(CONNECTION *c) { radius_login_opt.In_CheckVLanId = hub->Option->AssignVLanIdByRadiusAttribute; radius_login_opt.In_DenyNoVlanId = hub->Option->DenyAllRadiusLoginWithNoVlanAssign; - if (hub->Option->UseHubNameAsRadiusNasId == true) + if (hub->Option->UseHubNameAsRadiusNasId) { StrCpy(radius_login_opt.NasId, sizeof(radius_login_opt.NasId), hubname); } 
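Review bot: The server-side clock check in ServerAccept (`PackGetInt64(p, "timestamp")` compared against `ALLOW_TIMESTAMP_DIFF`, failing with `ERR_BAD_CLOCK`) is removed together with the client-side `PackAddInt64(p, "timestamp", …)` in ClientUploadAuth and NewIPC, but the commit message gives no rationale and `ALLOW_TIMESTAMP_DIFF` stays defined in Cedar.h (visible as context in that file's hunk) with, as far as this diff shows, no remaining user. If the intent is to stop rejecting clients whose clocks are wrong, say so in a short comment where the block used to be and drop or mark the orphaned define, so nobody assumes the freshness check still exists. The first hunk also reuses `DDNS_SNI_VER_STRING` ("DDNS") as the SNI sent to the update-check server; if that is intentional, a comment prevents it being "corrected" later. ServerAccept begins and ends outside the hunks.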
@@ -4578,7 +4555,7 @@ bool ClientSecureSign(CONNECTION *c, UCHAR *sign, UCHAR *random, X **x) if (ret) { - Copy(sign, ss->Signature, 128); + Copy(sign, ss->Signature, sizeof(ss->Signature)); *x = ss->ClientCert; } @@ -5857,7 +5834,7 @@ bool ClientUploadAuth(CONNECTION *c) // Authentication by secure device if (ClientSecureSign(c, sign, c->Random, &x)) { - p = PackLoginWithCert(o->HubName, a->Username, x, sign, 128); + p = PackLoginWithCert(o->HubName, a->Username, x, sign, x->bits / 8); c->ClientX = CloneX(x); FreeX(x); } @@ -5880,9 +5857,6 @@ bool ClientUploadAuth(CONNECTION *c) PackAddData(p, "ticket", c->Ticket, SHA1_SIZE); } - // Current time - PackAddInt64(p, "timestamp", SystemTime64()); - if (p == NULL) { // Error @@ -6073,9 +6047,8 @@ bool ServerDownloadSignature(CONNECTION *c, char **error_detail_str) SOCK *s; UINT num = 0, max = 19; SERVER *server; - char hostname[64]; char *vpn_http_target = HTTP_VPN_TARGET2; - bool check_hostname = true; + bool check_hostname = false; // Validate arguments if (c == NULL) { @@ -6083,7 +6056,7 @@ bool ServerDownloadSignature(CONNECTION *c, char **error_detail_str) } - strcpy(hostname, ""); + server = c->Cedar->Server; s = c->FirstSock; @@ -6113,6 +6086,7 @@ bool ServerDownloadSignature(CONNECTION *c, char **error_detail_str) if (check_hostname && (StrCmpi(h->Version, "HTTP/1.1") == 0 || StrCmpi(h->Version, "HTTP/1.2") == 0)) { HTTP_VALUE *v; + char hostname[64]; Zero(hostname, sizeof(hostname)); @@ -6347,12 +6321,6 @@ bool ServerDownloadSignature(CONNECTION *c, char **error_detail_str) } } - if ((b == false) && (StartWith(h->Target, "/wiki"))) - { - HttpSendRedirect(s, h->Target, hostname); - b = true; - } - if (b == false) { // Not Found diff --git a/src/Cedar/Protocol.h b/src/Cedar/Protocol.h index 033c181d..e608c0ce 100644 --- a/src/Cedar/Protocol.h +++ b/src/Cedar/Protocol.h 
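Review bot: `Copy(sign, ss->Signature, sizeof(ss->Signature))` now writes 512 bytes (SECURE_SIGN.Signature is `4096 / 8` after this commit) into the caller-supplied `sign`, but the caller's buffer size is not visible: in ClientUploadAuth `sign` is declared outside the hunk and was previously consumed with a fixed 128. If that local is still `UCHAR sign[128]`, this is a stack buffer overflow; confirm every caller was enlarged, or pass the destination size into ClientSecureSign. In ServerDownloadSignature, `check_hostname = false` makes the `if (check_hostname && …)` block and the `hostname` array it now declares dead code; delete both or comment why they are kept. `x->bits / 8` also truncates for key sizes that are not a multiple of 8, unlikely in practice but worth a note.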
@@ -180,7 +180,7 @@ struct UPDATE_CLIENT
 #define UPDATE_FAMILY_NAME _SS("PRODUCT_FAMILY_NAME")
 // Software update server certificate hash
-#define UPDATE_SERVER_CERT_HASH "EFAC5FA0CDD14E0F864EED58A73C35D7E33B62F3"
+#define UPDATE_SERVER_CERT_HASH DDNS_CERT_HASH
 // URL
 #define UPDATE_SERVER_URL_GLOBAL "https://update-check.softether-network.net/update/update.aspx?family=%s&software=%s&mybuild=%u&lang=%s"
diff --git a/src/Cedar/Radius.c b/src/Cedar/Radius.c
index 5a7a6e9f..386a6955 100644
--- a/src/Cedar/Radius.c
+++ b/src/Cedar/Radius.c
@@ -686,6 +686,11 @@ void EapSetRadiusGeneralAttributes(RADIUS_PACKET *r, EAP_CLIENT *e)
 ui = Endian32(5);
 Add(r->AvpList, NewRadiusAvp(RADIUS_ATTRIBUTE_NAS_PORT_TYPE, 0, 0, &ui, sizeof(UINT)));
+ if (IsEmptyStr(e->CalledStationStr) == false)
+ {
+ Add(r->AvpList, NewRadiusAvp(RADIUS_ATTRIBUTE_CALLED_STATION_ID, 0, 0, e->CalledStationStr, StrLen(e->CalledStationStr)));
+ }
+
 Add(r->AvpList, NewRadiusAvp(RADIUS_ATTRIBUTE_CALLING_STATION_ID, 0, 0, e->ClientIpStr, StrLen(e->ClientIpStr)));
 Add(r->AvpList, NewRadiusAvp(RADIUS_ATTRIBUTE_TUNNEL_CLIENT_ENDPOINT, 0, 0, e->ClientIpStr, StrLen(e->ClientIpStr)));
@@ -1237,7 +1242,7 @@ bool EapSendPacket(EAP_CLIENT *e, RADIUS_PACKET *r)
 }
 // New EAP client
-EAP_CLIENT *NewEapClient(IP *server_ip, UINT server_port, char *shared_secret, UINT resend_timeout, UINT giveup_timeout, char *client_ip_str, char *username)
+EAP_CLIENT *NewEapClient(IP *server_ip, UINT server_port, char *shared_secret, UINT resend_timeout, UINT giveup_timeout, char *client_ip_str, char *username, char *hubname)
 {
 EAP_CLIENT *e;
 if (server_ip == NULL)
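Review bot: The Called-Station-Id AVP is built from `e->CalledStationStr` with `StrLen(e->CalledStationStr)`, and that field is 256 bytes (Radius.h in this commit), whereas a RADIUS attribute value cannot exceed 253 bytes given the one-octet length field; unless NewRadiusAvp truncates — not visible here — an unusually long hub name produces a malformed AVP. Cap the length at the call site or document the limit on the field. In Protocol.h, `#define UPDATE_SERVER_CERT_HASH DDNS_CERT_HASH` ties update-check pinning to the DDNS certificate set and to DDNS.h being included first; a comment such as `// shares the DDNS server certificate set (see DDNS.h)` records the dependency.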
@@ -1266,6 +1271,7 @@ EAP_CLIENT *NewEapClient(IP *server_ip, UINT server_port, char *shared_secret, U e->GiveupTimeout = giveup_timeout; StrCpy(e->SharedSecret, sizeof(e->SharedSecret), shared_secret); + StrCpy(e->CalledStationStr, sizeof(e->CalledStationStr), hubname); StrCpy(e->ClientIpStr, sizeof(e->ClientIpStr), client_ip_str); StrCpy(e->Username, sizeof(e->Username), username); e->LastRecvEapId = 0; @@ -1702,8 +1708,8 @@ LABEL_ERROR: ////////// Classical implementation // Attempts Radius authentication (with specifying retry interval and multiple server) -bool RadiusLogin(CONNECTION *c, char *hubname, char *server, UINT port, UCHAR *secret, UINT secret_size, wchar_t *username, char *password, UINT interval, UCHAR *mschap_v2_server_response_20, - RADIUS_LOGIN_OPTION *opt) +bool RadiusLogin(CONNECTION *c, char *server, UINT port, UCHAR *secret, UINT secret_size, wchar_t *username, char *password, UINT interval, UCHAR *mschap_v2_server_response_20, + RADIUS_LOGIN_OPTION *opt, char *hubname) { UCHAR random[MD5_SIZE]; UCHAR id; @@ -1835,7 +1841,7 @@ bool RadiusLogin(CONNECTION *c, char *hubname, char *server, UINT port, UCHAR *s BUF *user_password = (is_mschap ? NULL : RadiusCreateUserPassword(encrypted_password->Buf, encrypted_password->Size)); BUF *nas_id; - if (IsEmptyStr(opt->NasId) == true) + if (IsEmptyStr(opt->NasId)) { nas_id = RadiusCreateNasId(CEDAR_SERVER_STR); } @@ -1890,8 +1896,11 @@ bool RadiusLogin(CONNECTION *c, char *hubname, char *server, UINT port, UCHAR *s ui = Endian32(1); RadiusAddValue(p, 65, 0, 0, &ui, sizeof(ui)); - // Called-Station-Id - RadiusAddValue(p, 30, 0, 0, hubname, StrLen(hubname)); + // Called-Station-ID - VPN Hub Name + if (IsEmptyStr(hubname) == false) + { + RadiusAddValue(p, 30, 0, 0, hubname, StrLen(hubname)); + } // Calling-Station-Id RadiusAddValue(p, 31, 0, 0, client_ip_str, StrLen(client_ip_str)); 
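Review bot: NewEapClient copies the new `hubname` argument with `StrCpy(e->CalledStationStr, sizeof(e->CalledStationStr), hubname)`, but the visible validation checks only `server_ip == NULL`; if StrCpy does not tolerate a NULL source (its behaviour is not in the diff), a caller passing NULL crashes here. Add `hubname` to the guard or pass `hubname != NULL ? hubname : ""`. The conditional Called-Station-ID block added to RadiusLogin in this hunk is repeated verbatim in the next one; a small static helper would keep the two copies in step. RadiusLogin's body extends beyond the hunk.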
@@ -1943,8 +1952,11 @@ bool RadiusLogin(CONNECTION *c, char *hubname, char *server, UINT port, UCHAR *s ui = Endian32(1); RadiusAddValue(p, 65, 0, 0, &ui, sizeof(ui)); - // Called-Station-Id - RadiusAddValue(p, 30, 0, 0, hubname, StrLen(hubname)); + // Called-Station-ID - VPN Hub Name + if (IsEmptyStr(hubname) == false) + { + RadiusAddValue(p, 30, 0, 0, hubname, StrLen(hubname)); + } // Calling-Station-Id RadiusAddValue(p, 31, 0, 0, client_ip_str, StrLen(client_ip_str)); diff --git a/src/Cedar/Radius.h b/src/Cedar/Radius.h index 00583454..ba336486 100644 --- a/src/Cedar/Radius.h +++ b/src/Cedar/Radius.h @@ -311,6 +311,7 @@ struct EAP_CLIENT UINT ServerPort; char SharedSecret[MAX_SIZE]; char ClientIpStr[256]; + char CalledStationStr[256]; char Username[MAX_USERNAME_LEN + 1]; UINT ResendTimeout; UINT GiveupTimeout; @@ -346,7 +347,7 @@ RADIUS_AVP *GetRadiusAvp(RADIUS_PACKET *p, UCHAR type); void RadiusTest(); -EAP_CLIENT *NewEapClient(IP *server_ip, UINT server_port, char *shared_secret, UINT resend_timeout, UINT giveup_timeout, char *client_ip_str, char *username); +EAP_CLIENT *NewEapClient(IP *server_ip, UINT server_port, char *shared_secret, UINT resend_timeout, UINT giveup_timeout, char *client_ip_str, char *username, char *hubname); void ReleaseEapClient(EAP_CLIENT *e); void CleanupEapClient(EAP_CLIENT *e); bool EapClientSendMsChapv2AuthRequest(EAP_CLIENT *e); 
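Review bot: The new EAP_CLIENT member `CalledStationStr` has no comment; from its use in Radius.c, `char CalledStationStr[256]; // Called-Station-Id (VPN Hub name); omitted from the request when empty`. Its size mirrors ClientIpStr rather than the RADIUS per-attribute limit, so the comment is also the natural place to record any truncation rule the sender relies on.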
@@ -376,8 +377,8 @@ struct RADIUS_LOGIN_OPTION }; // Function prototype -bool RadiusLogin(CONNECTION *c, char *hubname, char *server, UINT port, UCHAR *secret, UINT secret_size, wchar_t *username, char *password, UINT interval, UCHAR *mschap_v2_server_response_20, - RADIUS_LOGIN_OPTION *opt); +bool RadiusLogin(CONNECTION *c, char *server, UINT port, UCHAR *secret, UINT secret_size, wchar_t *username, char *password, UINT interval, UCHAR *mschap_v2_server_response_20, + RADIUS_LOGIN_OPTION *opt, char *hubname); BUF *RadiusEncryptPassword(char *password, UCHAR *random, UCHAR *secret, UINT secret_size); BUF *RadiusCreateUserName(wchar_t *username); BUF *RadiusCreateUserPassword(void *data, UINT size); diff --git a/src/Cedar/SM.c b/src/Cedar/SM.c index 92471e24..3ee2c1d9 100644 --- a/src/Cedar/SM.c +++ b/src/Cedar/SM.c @@ -876,12 +876,14 @@ static UINT SmDdnsGetKey(char *key, SM_DDNS *d){ UINT err; BUF *buf; FOLDER *root, *ddnsfolder; + RPC *rpc; // Validate arguments if(d == NULL || d->s == NULL || key == NULL){ return ERR_INTERNAL_ERROR; } - RPC *rpc = d->s->Rpc; + + rpc = d->s->Rpc; Zero(&config, sizeof(config)); err = ScGetConfig(d->s->Rpc, &config); @@ -17011,6 +17013,7 @@ void SmSslDlgInit(HWND hWnd, SM_SSL *s) // Set the encryption algorithm list cipher_list = GetCipherList(); + SetFont(hWnd, C_CIPHER, GetFont("Tahoma", 8, false, false, false, false)); CbSetHeight(hWnd, C_CIPHER, 18); for (i = 0;i < cipher_list->NumTokens;i++) { diff --git a/src/Cedar/Sam.c b/src/Cedar/Sam.c index 8201110d..137cb61b 100644 --- a/src/Cedar/Sam.c +++ b/src/Cedar/Sam.c 
@@ -214,9 +214,9 @@ bool SamAuthUserByPlainPassword(CONNECTION *c, HUB *hub, char *username, char *p if( IsEmptyStr(h->RadiusRealm) == false ) { char name_and_realm[MAX_SIZE]; - StrCpy(name_and_realm, MAX_SIZE, username); - StrCat(name_and_realm, (MAX_SIZE - StrLen(name_and_realm)), "@"); - StrCat(name_and_realm, (MAX_SIZE - StrLen(name_and_realm)), h->RadiusRealm); + StrCpy(name_and_realm, sizeof(name_and_realm), username); + StrCat(name_and_realm, sizeof(name_and_realm), "@"); + StrCat(name_and_realm, sizeof(name_and_realm), h->RadiusRealm); name = CopyStrToUni(name_and_realm); } else @@ -276,9 +276,9 @@ bool SamAuthUserByPlainPassword(CONNECTION *c, HUB *hub, char *username, char *p if (UniIsEmptyStr(suffix_filter_w) || UniEndWith(name, suffix_filter_w)) { // Attempt to login - b = RadiusLogin(c, hub->Name, radius_server_addr, radius_server_port, + b = RadiusLogin(c, radius_server_addr, radius_server_port, radius_secret, StrLen(radius_secret), - name, password, interval, mschap_v2_server_response_20, opt); + name, password, interval, mschap_v2_server_response_20, opt, hub->Name); if (b) { diff --git a/src/Cedar/Server.c b/src/Cedar/Server.c index 9a2a4aab..191fc147 100644 --- a/src/Cedar/Server.c +++ b/src/Cedar/Server.c @@ -2152,7 +2152,7 @@ void SiGenerateDefaultCertEx(X **server_x, K **server_k, char *common_name) name = NewName(cn, cn, cn, L"US", NULL, NULL); - x = NewRootX(public_key, private_key, name, MAX(GetDaysUntil2038(), SERVER_DEFAULT_CERT_DAYS), NULL); + x = NewRootX(public_key, private_key, name, GetDaysUntil2038Ex(), NULL); *server_x = x; *server_k = private_key; @@ -2578,7 +2578,7 @@ void SiLoadInitialConfiguration(SERVER *s) } // Default to TLS only; mitigates CVE-2016-0800 - s->Cedar->AcceptOnlyTls = true; + s->Cedar->SslAcceptSettings.AcceptOnlyTls = true; // Auto saving interval related s->AutoSaveConfigSpan = SERVER_FILE_SAVE_INTERVAL_DEFAULT; 
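Review bot: `name_and_realm` is unconditionally `username@RadiusRealm` whenever a realm is configured, so a username that already carries a realm (`user@example`) is sent as `user@example@realm`, which a RADIUS server will most likely reject. Skip the append when `username` already contains `@`, or document that the realm is applied unconditionally. The `sizeof(name_and_realm)` bounds are the right replacement for the earlier `MAX_SIZE - StrLen()` arithmetic. SamAuthUserByPlainPassword continues beyond both hunks.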
@@ -2765,9 +2765,6 @@ void SiInitConfiguration(SERVER *s) s->AutoSaveConfigSpan = SERVER_FILE_SAVE_INTERVAL_DEFAULT; s->BackupConfigOnlyWhenModified = true; - // Default to TLS only; mitigates CVE-2016-0800 - s->Cedar->AcceptOnlyTls = true; - // IPsec server if (s->Cedar->Bridge == false) { @@ -5019,10 +5016,10 @@ void SiWriteHubCfg(FOLDER *f, HUB *h) CfgAddInt(f, "RadiusServerPort", h->RadiusServerPort); CfgAddInt(f, "RadiusRetryInterval", h->RadiusRetryInterval); CfgAddStr(f, "RadiusSuffixFilter", h->RadiusSuffixFilter); + CfgAddStr(f, "RadiusRealm", h->RadiusRealm); CfgAddBool(f, "RadiusConvertAllMsChapv2AuthRequestToEap", h->RadiusConvertAllMsChapv2AuthRequestToEap); CfgAddBool(f, "RadiusUsePeapInsteadOfEap", h->RadiusUsePeapInsteadOfEap); - CfgAddStr(f, "RadiusRealm", h->RadiusRealm); } Unlock(h->RadiusOptionLock); 
@@ -6170,47 +6167,16 @@ void SiLoadServerCfg(SERVER *s, FOLDER *f)
 // AcceptOnlyTls
 if (CfgIsItem(f, "AcceptOnlyTls"))
 {
- c->AcceptOnlyTls = CfgGetBool(f, "AcceptOnlyTls");
+ c->SslAcceptSettings.AcceptOnlyTls = CfgGetBool(f, "AcceptOnlyTls");
 }
 else
 {
- c->AcceptOnlyTls = true;
- }
-
- if (c->AcceptOnlyTls) {
- c->DisableSslVersions |= SSL_VERSION_SSL_V2;
- c->DisableSslVersions |= SSL_VERSION_SSL_V3;
- }
-
- if (CfgGetStr(f, "DisableSslVersions", tmp, sizeof(tmp))) {
- TOKEN_LIST *sslVersions= ParseToken(tmp, ", ");
- UINT i;
- for (i = 0;i < sslVersions->NumTokens;i++)
- {
- char *sslVersion=sslVersions->Token[i];
- if (StrCmp(sslVersion, NAME_SSL_VERSION_SSL_V2)==0) {
- c->DisableSslVersions |= SSL_VERSION_SSL_V2;
- continue;
- }
- if (StrCmp(sslVersion, NAME_SSL_VERSION_SSL_V3)==0) {
- c->DisableSslVersions |= SSL_VERSION_SSL_V3;
- continue;
- }
- if (StrCmp(sslVersion, NAME_SSL_VERSION_TLS_V1_0)==0) {
- c->DisableSslVersions |= SSL_VERSION_TLS_V1_0;
- continue;
- }
- if (StrCmp(sslVersion, NAME_SSL_VERSION_TLS_V1_1)==0) {
- c->DisableSslVersions |= SSL_VERSION_TLS_V1_1;
- continue;
- }
- if (StrCmp(sslVersion, NAME_SSL_VERSION_TLS_V1_2)==0) {
- c->DisableSslVersions |= SSL_VERSION_TLS_V1_2;
- continue;
- }
- }
- FreeToken(sslVersions);
+ // Default to TLS only; mitigates CVE-2016-0800
+ c->SslAcceptSettings.AcceptOnlyTls = true;
 }
+ c->SslAcceptSettings.Tls_Disable1_0 = CfgGetBool(f, "Tls_Disable1_0");
+ c->SslAcceptSettings.Tls_Disable1_1 = CfgGetBool(f, "Tls_Disable1_1");
+ c->SslAcceptSettings.Tls_Disable1_2 = CfgGetBool(f, "Tls_Disable1_2");
 }
 Unlock(c->lock);
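Review bot: Nothing prevents `Tls_Disable1_0`, `Tls_Disable1_1` and `Tls_Disable1_2` from all being true, which together with `AcceptOnlyTls` leaves no protocol version the listener can negotiate, so every connection fails with no hint in the log; reject that combination here, or at least log it. The three flags also read as false when the items are absent, so TLS 1.0 and 1.1 stay enabled on both upgraded and fresh installs, and a config that used the removed `DisableSslVersions` item loses its setting silently. With the `CfgGetStr(f, "DisableSslVersions", tmp, …)` branch gone, `tmp` may now be unused in this function; check for the warning. SiLoadServerCfg continues outside the hunk.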
@@ -6519,42 +6485,10 @@ void SiWriteServerCfg(FOLDER *f, SERVER *s)
 	CfgAddBool(f, "DisableGetHostNameWhenAcceptTcp", s->DisableGetHostNameWhenAcceptTcp);
 	CfgAddBool(f, "DisableCoreDumpOnUnix", s->DisableCoreDumpOnUnix);
 
-	CfgAddBool(f, "AcceptOnlyTls", c->AcceptOnlyTls);
-
-	{
-		char tmp[MAX_SIZE];
-		tmp[0] = 0;
-		if (c->DisableSslVersions & SSL_VERSION_SSL_V2) {
-			StrCat(tmp, sizeof(tmp), NAME_SSL_VERSION_SSL_V2);
-			StrCat(tmp, sizeof(tmp), ",");
-		}
-		if (c->DisableSslVersions & SSL_VERSION_SSL_V3) {
-			StrCat(tmp, sizeof(tmp), NAME_SSL_VERSION_SSL_V3);
-			StrCat(tmp, sizeof(tmp), ",");
-		}
-		if (c->DisableSslVersions & SSL_VERSION_TLS_V1_0) {
-			StrCat(tmp, sizeof(tmp), NAME_SSL_VERSION_TLS_V1_0);
-			StrCat(tmp, sizeof(tmp), ",");
-		}
-		if (c->DisableSslVersions & SSL_VERSION_TLS_V1_1) {
-			StrCat(tmp, sizeof(tmp), NAME_SSL_VERSION_TLS_V1_1);
-			StrCat(tmp, sizeof(tmp), ",");
-		}
-		if (c->DisableSslVersions & SSL_VERSION_TLS_V1_2) {
-			StrCat(tmp, sizeof(tmp), NAME_SSL_VERSION_TLS_V1_2);
-			StrCat(tmp, sizeof(tmp), ",");
-		}
-		if (StrLen(tmp) >= 1)
-		{
-			if (tmp[StrLen(tmp) - 1] == ',')
-			{
-				tmp[StrLen(tmp) - 1] = 0;
-			}
-		}
-		CfgAddStr(f, "DisableSslVersions", tmp);
-	}
-
-
+	CfgAddBool(f, "AcceptOnlyTls", c->SslAcceptSettings.AcceptOnlyTls);
+	CfgAddBool(f, "Tls_Disable1_0", c->SslAcceptSettings.Tls_Disable1_0);
+	CfgAddBool(f, "Tls_Disable1_1", c->SslAcceptSettings.Tls_Disable1_1);
+	CfgAddBool(f, "Tls_Disable1_2", c->SslAcceptSettings.Tls_Disable1_2);
 
 	// Disable session reconnect
 	CfgAddBool(f, "DisableSessionReconnect", GetGlobalServerFlag(GSF_DISABLE_SESSION_RECONNECT));
diff --git a/src/Cedar/UdpAccel.c b/src/Cedar/UdpAccel.c
index 58d1a621..842dc24b 100644
--- a/src/Cedar/UdpAccel.c
+++ b/src/Cedar/UdpAccel.c
@@ -118,12 +118,14 @@ void UdpAccelPoll(UDP_ACCEL *a)
 {
 	IP nat_t_ip;
 	UINT num_ignore_errors = 0;
+	UCHAR *tmp;
 	// Validate arguments
 	if (a == NULL)
 	{
 		return;
 	}
-	UCHAR *tmp = a->TmpBuf;
+
+	tmp = a->TmpBuf;
 
 	Lock(a->NatT_Lock);
 	{
diff --git a/src/Cedar/Virtual.c b/src/Cedar/Virtual.c
index a17892e0..16e45436 100644
--- a/src/Cedar/Virtual.c
+++ b/src/Cedar/Virtual.c
@@ -2393,12 +2393,14 @@ bool NnTestConnectivity(NATIVE_STACK *a, TUBE *halt_tube)
 	IP my_priv_ip;
 	UINT num_send_dns = 0;
 	IP using_dns;
+	UINT src_port = 0;
 	// Validate arguments
 	if (a == NULL)
 	{
 		return false;
 	}
-	UINT src_port = NnGenSrcPort(a->IsIpRawMode);
+
+	src_port = NnGenSrcPort(a->IsIpRawMode);
 
 	Copy(&using_dns, &a->DnsServerIP, sizeof(IP));
 
@@ -3999,12 +4001,14 @@ bool NatTransactIcmp(VH *v, NAT_ENTRY *n)
 	BLOCK *block;
 	IP dest_ip;
 	UINT num_ignore_errors = 0;
+	UINT dest_port = 0;
 	// Validate arguments
 	if (v == NULL || n == NULL)
 	{
 		return true;
 	}
-	UINT dest_port = n->DestPort;
+
+	dest_port = n->DestPort;
 
 	if (n->DisconnectNow)
 	{
@@ -4202,12 +4206,14 @@ bool NatTransactUdp(VH *v, NAT_ENTRY *n)
 	BLOCK *block;
 	IP dest_ip;
 	UINT num_ignore_errors;
+	UINT dest_port = 0;
 	// Validate arguments
 	if (v == NULL || n == NULL)
 	{
 		return true;
 	}
-	UINT dest_port = n->DestPort;
+
+	dest_port = n->DestPort;
 
 	if (n->DisconnectNow)
 	{
diff --git a/src/Cedar/WebUI.c b/src/Cedar/WebUI.c
index f71c385f..d188911c 100644
--- a/src/Cedar/WebUI.c
+++ b/src/Cedar/WebUI.c
@@ -1725,12 +1725,14 @@ static wchar_t *WuUniReadFile(char *filename)
 static void WuUniReplace(wchar_t **buf, wchar_t *from, wchar_t *to)
 {
 	UINT dstsize;
+	wchar_t *oldbuf;
 
 	if(buf == NULL || from == NULL || to == NULL)
 	{
 		return;
 	}
-	wchar_t *oldbuf = *buf;
+
+	oldbuf = *buf;
 
 	dstsize = (UniCalcReplaceStrEx(*buf, from, to, true) + 1) * sizeof(wchar_t);
 	*buf = (wchar_t*)Malloc(dstsize);
diff --git a/src/Cedar/WinUi.h b/src/Cedar/WinUi.h
index 630e514c..7225ee2d 100644
--- a/src/Cedar/WinUi.h
+++ b/src/Cedar/WinUi.h
@@ -204,7 +204,7 @@ typedef struct WINUI_SECURE_BATCH
 	X *OutputX;	// Output certificate
 	K *InputK;	// Input secret key
 	LIST *EnumList;	// Enumerated list
-	UCHAR OutputSign[128];	// Output signature
+	UCHAR OutputSign[4096 / 8];	// Output signature
 	bool Succeed;	// Success flag
 } WINUI_SECURE_BATCH;
 
diff --git a/src/Cedar/Wpc.c b/src/Cedar/Wpc.c
index 17a337b3..f10019dd 100644
--- a/src/Cedar/Wpc.c
+++ b/src/Cedar/Wpc.c
@@ -163,6 +163,14 @@ PACK *WpcCall(char *url, INTERNET_SETTING *setting, UINT timeout_connect, UINT t
 PACK *WpcCallEx(char *url, INTERNET_SETTING *setting, UINT timeout_connect, UINT timeout_comm,
 				char *function_name, PACK *pack, X *cert, K *key, void *sha1_cert_hash, bool *cancel, UINT max_recv_size,
 				char *additional_header_name, char *additional_header_value)
+{
+	return WpcCallEx2(url, setting, timeout_connect, timeout_comm, function_name, pack,
+		cert, key, sha1_cert_hash, (sha1_cert_hash == NULL ? 0 : 1),
+		cancel, max_recv_size, additional_header_name, additional_header_value, NULL);
+}
+PACK *WpcCallEx2(char *url, INTERNET_SETTING *setting, UINT timeout_connect, UINT timeout_comm,
+				char *function_name, PACK *pack, X *cert, K *key, void *sha1_cert_hash, UINT num_hashes, bool *cancel, UINT max_recv_size,
+				char *additional_header_name, char *additional_header_value, char *sni_string)
 {
 	URL_DATA data;
 	BUF *b, *recv;
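Review bot: `UCHAR OutputSign[4096 / 8]` encodes the maximum RSA modulus size as a bare arithmetic literal, and the code that writes the signature into OutputSign is outside this hunk, so nothing visible ties the buffer to the key size the signing code accepts; a key larger than 4096 bits would overflow it unless the writer bounds the copy by `sizeof(batch->OutputSign)`. A named constant for the maximum supported key bits, shared by the signing code and this declaration, plus a comment stating the limit — `UCHAR OutputSign[4096 / 8];	// Output signature; sized for the largest supported RSA key (4096 bits)` — would make the dependency explicit. Please confirm the writer checks the produced signature length against sizeof rather than assuming it fits.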
@@ -197,8 +205,14 @@ PACK *WpcCallEx(char *url, INTERNET_SETTING *setting, UINT timeout_connect, UINT
 		StrCpy(data.AdditionalHeaderValue, sizeof(data.AdditionalHeaderValue), additional_header_value);
 	}
 
-	recv = HttpRequestEx(&data, setting, timeout_connect, timeout_comm, &error,
-		false, b->Buf, NULL, NULL, sha1_cert_hash, cancel, max_recv_size);
+	if (sni_string != NULL && IsEmptyStr(sni_string) == false)
+	{
+		StrCpy(data.SniString, sizeof(data.SniString), sni_string);
+	}
+
+	recv = HttpRequestEx3(&data, setting, timeout_connect, timeout_comm, &error,
+		false, b->Buf, NULL, NULL, sha1_cert_hash, num_hashes, cancel, max_recv_size,
+		NULL, NULL);
 
 	FreeBuf(b);
 
@@ -693,6 +707,16 @@ BUF *HttpRequestEx2(URL_DATA *data, INTERNET_SETTING *setting,
 				   UINT *error_code, bool check_ssl_trust, char *post_data,
 				   WPC_RECV_CALLBACK *recv_callback, void *recv_callback_param, void *sha1_cert_hash,
 				   bool *cancel, UINT max_recv_size, char *header_name, char *header_value)
+{
+	return HttpRequestEx3(data, setting, timeout_connect, timeout_comm, error_code, check_ssl_trust,
+		post_data, recv_callback, recv_callback_param, sha1_cert_hash, (sha1_cert_hash == NULL ? 0 : 1),
+		cancel, max_recv_size, header_name, header_value);
+}
+BUF *HttpRequestEx3(URL_DATA *data, INTERNET_SETTING *setting,
+				   UINT timeout_connect, UINT timeout_comm,
+				   UINT *error_code, bool check_ssl_trust, char *post_data,
+				   WPC_RECV_CALLBACK *recv_callback, void *recv_callback_param, void *sha1_cert_hash, UINT num_hashes,
+				   bool *cancel, UINT max_recv_size, char *header_name, char *header_value)
 {
 	WPC_CONNECT con;
 	SOCK *s;
@@ -728,6 +752,14 @@ BUF *HttpRequestEx2(URL_DATA *data, INTERNET_SETTING *setting,
 	{
 		timeout_comm = WPC_TIMEOUT;
 	}
+	if (sha1_cert_hash == NULL)
+	{
+		num_hashes = 0;
+	}
+	if (num_hashes == 0)
+	{
+		sha1_cert_hash = NULL;
+	}
 
 	// Connection
 	Zero(&con, sizeof(con));
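Review bot: `data.SniString` is written only when sni_string is non-empty, while HttpRequestEx3 (hunk at -773) reads it unconditionally through IsEmptyStr, so this relies on the stack variable `URL_DATA data;` having been cleared before this point; that initialisation is outside the hunk — please confirm it is zeroed (by Zero or the URL parser) so the new field is never read uninitialised on the common sni_string == NULL path. A comment on the copy, `// SniString is read by HttpRequestEx3; data must be zeroed before this point`, would record the assumption for the next person who adds a field. WpcCallEx2's body continues outside the hunk.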
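Review bot: The normalisation `if (num_hashes == 0) { sha1_cert_hash = NULL; }` in the hunk at -728 turns a caller mistake into a silently unpinned connection: a direct caller of HttpRequestEx3 that supplies a digest buffer but passes num_hashes == 0 gets no certificate check and no error. Since the Ex2 wrappers already map a non-NULL hash to num_hashes 1, the combination `sha1_cert_hash != NULL && num_hashes == 0` can only be a usage error and would be safer reported through error_code and a NULL return than quietly downgraded; at minimum it deserves a log line. HttpRequestEx3's body continues outside the hunk.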
@@ -773,7 +805,7 @@ BUF *HttpRequestEx2(URL_DATA *data, INTERNET_SETTING *setting,
 	if (data->Secure)
 	{
 		// Start the SSL communication
-		if (StartSSLEx(s, NULL, NULL, true, 0, NULL) == false)
+		if (StartSSLEx(s, NULL, NULL, true, 0, (IsEmptyStr(data->SniString) ? NULL : data->SniString)) == false)
 		{
 			// SSL connection failed
 			*error_code = ERR_PROTOCOL_ERROR;
@@ -782,13 +814,28 @@ BUF *HttpRequestEx2(URL_DATA *data, INTERNET_SETTING *setting,
 			return NULL;
 		}
 
-		if (sha1_cert_hash != NULL)
+		if (sha1_cert_hash != NULL && num_hashes >= 1)
 		{
 			UCHAR hash[SHA1_SIZE];
+			UINT i;
+			bool ok = false;
+
 			Zero(hash, sizeof(hash));
 			GetXDigest(s->RemoteX, hash, true);
 
-			if (Cmp(hash, sha1_cert_hash, SHA1_SIZE) != 0)
+			for (i = 0;i < num_hashes;i++)
+			{
+				UCHAR *a = (UCHAR *)sha1_cert_hash;
+				a += (SHA1_SIZE * i);
+
+				if (Cmp(hash, a, SHA1_SIZE) == 0)
+				{
+					ok = true;
+					break;
+				}
+			}
+
+			if (ok == false)
 			{
 				// Destination certificate hash mismatch
 				*error_code = ERR_CERT_NOT_TRUSTED;
diff --git a/src/Cedar/Wpc.h b/src/Cedar/Wpc.h
index 98a2a4a5..5204057b 100644
--- a/src/Cedar/Wpc.h
+++ b/src/Cedar/Wpc.h
@@ -159,6 +159,7 @@ struct URL_DATA
 	char Referer[MAX_SIZE * 3];	// Referer
 	char AdditionalHeaderName[128];	// Additional header name
 	char AdditionalHeaderValue[MAX_SIZE];	// Additional header value
+	char SniString[MAX_SIZE];	// SNI String
 };
 
 // WPC entry
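Review bot: In the matching loop of the hunk at -782, `UCHAR *a` is an uninformative name for the candidate digest and the two-statement pointer arithmetic reads better as one expression: `UCHAR *candidate = (UCHAR *)sha1_cert_hash + (SHA1_SIZE * i);`. The loop also fixes a contract that is stated nowhere — sha1_cert_hash points to `num_hashes` consecutive SHA1_SIZE-byte digests with no separate length — so a caller passing too large a count has the loop read past its buffer; the layout should be documented at the point of use, e.g. `// sha1_cert_hash holds num_hashes digests of SHA1_SIZE bytes each; any single match pins the connection`. Cmp is fine here since the compared value is a public certificate digest, not a secret. The enclosing function continues outside the hunk.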
@@ -204,6 +205,11 @@ BUF *HttpRequestEx2(URL_DATA *data, INTERNET_SETTING *setting,
 				   UINT *error_code, bool check_ssl_trust, char *post_data,
 				   WPC_RECV_CALLBACK *recv_callback, void *recv_callback_param, void *sha1_cert_hash,
 				   bool *cancel, UINT max_recv_size, char *header_name, char *header_value);
+BUF *HttpRequestEx3(URL_DATA *data, INTERNET_SETTING *setting,
+				   UINT timeout_connect, UINT timeout_comm,
+				   UINT *error_code, bool check_ssl_trust, char *post_data,
+				   WPC_RECV_CALLBACK *recv_callback, void *recv_callback_param, void *sha1_cert_hash, UINT num_hashes,
+				   bool *cancel, UINT max_recv_size, char *header_name, char *header_value);
 SOCK *WpcSockConnect(WPC_CONNECT *param, UINT *error_code, UINT timeout);
 SOCK *WpcSockConnectEx(WPC_CONNECT *param, UINT *error_code, UINT timeout, bool *cancel);
 SOCK *WpcSockConnect2(char *hostname, UINT port, INTERNET_SETTING *t, UINT *error_code, UINT timeout);
@@ -223,6 +229,9 @@ PACK *WpcCall(char *url, INTERNET_SETTING *setting, UINT timeout_connect, UINT t
 PACK *WpcCallEx(char *url, INTERNET_SETTING *setting, UINT timeout_connect, UINT timeout_comm,
 				char *function_name, PACK *pack, X *cert, K *key, void *sha1_cert_hash, bool *cancel, UINT max_recv_size,
 				char *additional_header_name, char *additional_header_value);
+PACK *WpcCallEx2(char *url, INTERNET_SETTING *setting, UINT timeout_connect, UINT timeout_comm,
+				char *function_name, PACK *pack, X *cert, K *key, void *sha1_cert_hash, UINT num_hashes, bool *cancel, UINT max_recv_size,
+				char *additional_header_name, char *additional_header_value, char *sni_string);
 bool IsProxyPrivateIp(INTERNET_SETTING *s);
 
 #endif	// WPC_H
-- 
cgit v1.2.3
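Review bot: The new prototypes for HttpRequestEx3 and WpcCallEx2 add `num_hashes` and `sni_string` with no header comment, and `sha1_cert_hash` has silently changed meaning from one digest to an array; a reader of Wpc.h cannot tell that the buffer must hold num_hashes × SHA1_SIZE bytes, that num_hashes == 0 disables certificate pinning entirely, or that sni_string may be NULL or empty to send no SNI. A short comment block above each prototype stating the digest-array layout, the zero-count behaviour, and that sni_string is copied (bounded) into URL_DATA.SniString would close that gap. The existing HttpRequestEx2 and WpcCallEx prototypes could likewise be marked as thin wrappers that pass num_hashes = 1 when a hash is supplied, so callers know which entry point carries the full contract.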