diff --git a/src/BuildUtil/UnixBuildSoftwares.cs b/src/BuildUtil/UnixBuildSoftwares.cs
index fb663fe0..8416dc9e 100644
--- a/src/BuildUtil/UnixBuildSoftwares.cs
+++ b/src/BuildUtil/UnixBuildSoftwares.cs
@@ -632,7 +632,7 @@ namespace BuildUtil
 sr.WriteLine("# You have to read and agree the license agreement at the same directory");
 sr.WriteLine("# before using this software.");
 sr.WriteLine();
-sr.WriteLine("i_read_and_agree_the_license_agreement:");
+sr.WriteLine("main:");
 sr.WriteLine("\t@echo \"Preparing {0}...\"", BuildHelper.GetSoftwareTitle(this.Software));
diff --git a/src/Cedar/Cedar.h b/src/Cedar/Cedar.h
index 5dfeabe2..e2add369 100644
--- a/src/Cedar/Cedar.h
+++ b/src/Cedar/Cedar.h
@@ -126,10 +126,10 @@
 // Version number
-#define CEDAR_VER 436
+#define CEDAR_VER 437
 // Build Number
-#define CEDAR_BUILD 9754
+#define CEDAR_BUILD 9758
 // Beta number
 //#define BETA_NUMBER 3
@@ -149,11 +149,11 @@
 // Specifies the build date
 #define BUILD_DATE_Y 2021
-#define BUILD_DATE_M 6
-#define BUILD_DATE_D 7
-#define BUILD_DATE_HO 21
-#define BUILD_DATE_MI 29
-#define BUILD_DATE_SE 54
+#define BUILD_DATE_M 8
+#define BUILD_DATE_D 16
+#define BUILD_DATE_HO 0
+#define BUILD_DATE_MI 27
+#define BUILD_DATE_SE 11
 // Tolerable time difference
 #define ALLOW_TIMESTAMP_DIFF (UINT64)(3 * 24 * 60 * 60 * 1000)
diff --git a/src/Cedar/CedarType.h b/src/Cedar/CedarType.h
index 040790f0..5ae3ac26 100644
--- a/src/Cedar/CedarType.h
+++ b/src/Cedar/CedarType.h
@@ -616,6 +616,7 @@ typedef struct IKE_SA_TRANSFORM_SETTING IKE_SA_TRANSFORM_SETTING;
 typedef struct IKE_CLIENT IKE_CLIENT;
 typedef struct IPSECSA IPSECSA;
 typedef struct IKE_CAPS IKE_CAPS;
+typedef struct IKE_INFOMSG_QUOTA_ENTRY IKE_INFOMSG_QUOTA_ENTRY;
 // ==============================================================
 // IPSec Packet
diff --git a/src/Cedar/Connection.c b/src/Cedar/Connection.c
index e7298ddd..c5c5ca3a 100644
--- a/src/Cedar/Connection.c
+++ b/src/Cedar/Connection.c
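Review bot: The generated Makefile's header comment, written by the first two `sr.WriteLine` context lines, still tells the user to read and agree to the license before using the software, but the renamed target `main` no longer expresses that acknowledgement, so the comment and the target it introduces are now out of step. Either adjust the comment text emitted by those calls to match the new default-style target, or state in the commit description why the explicit agreement target was dropped. The enclosing method starts and ends outside the hunk.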
@@ -3571,6 +3571,7 @@ CONNECTION *NewServerConnection(CEDAR *cedar, SOCK *s, THREAD *t)
 {
 AddRef(c->FirstSock->ref);
 Copy(&c->ClientIp, &s->RemoteIP, sizeof(IP));
+c->ClientPort = s->RemotePort;
 StrCpy(c->ClientHostname, sizeof(c->ClientHostname), s->RemoteHostname);
 }
 c->Tcp = ZeroMalloc(sizeof(TCP));
diff --git a/src/Cedar/Connection.h b/src/Cedar/Connection.h
index 2b1f8091..f1fde638 100644
--- a/src/Cedar/Connection.h
+++ b/src/Cedar/Connection.h
@@ -300,6 +300,7 @@ struct CONNECTION
 char *CipherName; // Encryption algorithm name
 UINT64 ConnectedTick; // Time it is connected
 IP ClientIp; // Client IP address
+UINT ClientPort; // Client Port number
 char ClientHostname[MAX_HOST_NAME_LEN + 1]; // Client host name
 UINT Type; // Type
 bool DontUseTls1; // Do not use TLS 1.0
diff --git a/src/Cedar/IPsec.c b/src/Cedar/IPsec.c
index c9f708a0..92a8ccbf 100644
--- a/src/Cedar/IPsec.c
+++ b/src/Cedar/IPsec.c
@@ -381,6 +381,13 @@ void IPsecServerUdpPacketRecvProc(UDPLISTENER *u, LIST *packet_list)
 ike->Now = now;
+if (now >= ike->NextInfoMsgQuotaClearTick)
+{
+ike->NextInfoMsgQuotaClearTick = now + 1000ULL;
+
+IkeInfoMsgQuotaDeleteAll(ike);
+}
+
 if (ipsec_disable == false)
 {
 {
diff --git a/src/Cedar/IPsec_IKE.c b/src/Cedar/IPsec_IKE.c
index 902678a6..b458aa48 100644
--- a/src/Cedar/IPsec_IKE.c
+++ b/src/Cedar/IPsec_IKE.c
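Review bot: The reset interval in `ike->NextInfoMsgQuotaClearTick = now + 1000ULL;` is a bare literal in IPsec.c while the limits it gives meaning to (IKE_QUOTA_MAX_INFOMSG_SEND_PER_IP_PER_SEC, IKE_QUOTA_MAX_INFOMSG_ENTRY_COUNT) are named macros in IPsec_IKE.h, so the "per second" in the macro name is defined, unnamed, in a different file. A named constant beside those macros (a constructed name such as `IKE_QUOTA_INFOMSG_CLEAR_INTERVAL`) and a comment on the block, `// Reset the per-IP informational-message counters once per second`, would tie the two together. Whether NextInfoMsgQuotaClearTick starts at zero depends on how IKE_SERVER is allocated in NewIKEServer, which is outside this hunk; if it is not zeroed, the first reset would be delayed. IPsecServerUdpPacketRecvProc starts and ends outside the hunk.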
@@ -159,6 +159,55 @@ void ProcIKEPacketRecv(IKE_SERVER *ike, UDPPACKET *p)
 }
 }
+IKE_INFOMSG_QUOTA_ENTRY *IkeInfoMsgQuotaGetEntry(IKE_SERVER *ike, IP *client_ip)
+{
+UINT i;
+IKE_INFOMSG_QUOTA_ENTRY *new_entry = NULL;
+if (ike == NULL || client_ip == NULL)
+{
+return NULL;
+}
+
+for (i = 0;i < LIST_NUM(ike->InfoMsgQuotaList);i++)
+{
+IKE_INFOMSG_QUOTA_ENTRY *q = LIST_DATA(ike->InfoMsgQuotaList, i);
+
+if (CmpIpAddr(&q->ClientIp, client_ip) == 0)
+{
+return q;
+}
+}
+
+if (LIST_NUM(ike->InfoMsgQuotaList) >= IKE_QUOTA_MAX_INFOMSG_ENTRY_COUNT)
+{
+return NULL;
+}
+
+new_entry = ZeroMalloc(sizeof(IKE_INFOMSG_QUOTA_ENTRY));
+CopyIP(&new_entry->ClientIp, client_ip);
+Add(ike->InfoMsgQuotaList, new_entry);
+
+return new_entry;
+}
+
+void IkeInfoMsgQuotaDeleteAll(IKE_SERVER *ike)
+{
+UINT i;
+if (ike == NULL)
+{
+return;
+}
+
+for (i = 0;i < LIST_NUM(ike->InfoMsgQuotaList);i++)
+{
+IKE_INFOMSG_QUOTA_ENTRY *q = LIST_DATA(ike->InfoMsgQuotaList, i);
+
+Free(q);
+}
+
+DeleteAll(ike->InfoMsgQuotaList);
+}
+
 // Send a packet via IPsec
 void IPsecSendPacketByIPsecSa(IKE_SERVER *ike, IPSECSA *sa, UCHAR *data, UINT data_size, UCHAR protocol_id)
 {
@@ -1337,6 +1386,7 @@ void SendInformationalExchangePacketEx(IKE_SERVER *ike, IKE_CLIENT *c, IKE_PACKE
 BUF *tmp_buf;
 UCHAR hash[IKE_MAX_HASH_SIZE];
 IKE_CRYPTO_PARAM cp;
+IKE_INFOMSG_QUOTA_ENTRY *quota_entry;
 bool plain = false;
 // Validate arguments
 if (ike == NULL || c == NULL || payload == NULL)
@@ -1345,6 +1395,20 @@ void SendInformationalExchangePacketEx(IKE_SERVER *ike, IKE_CLIENT *c, IKE_PACKE
 return;
 }
+quota_entry = IkeInfoMsgQuotaGetEntry(ike, &c->ClientIP);
+if (quota_entry == NULL)
+{
+IkeFreePayload(payload);
+return;
+}
+
+quota_entry->Count++;
+if (quota_entry->Count >= IKE_QUOTA_MAX_INFOMSG_SEND_PER_IP_PER_SEC)
+{
+IkeFreePayload(payload);
+return;
+}
+
 sa = c->CurrentIkeSa;
 if (sa == NULL)
 {
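Review bot: IkeInfoMsgQuotaGetEntry returns NULL not only for bad arguments but also when the table already holds IKE_QUOTA_MAX_INFOMSG_ENTRY_COUNT addresses, and its caller in SendInformationalExchangePacketEx treats that NULL as "drop the message", so once 100 distinct client addresses have been seen since the last reset every further peer is silenced until the next one; neither function says so. That is a defensible choice for a quota that limits outbound informational traffic per source address, but it belongs on the function: `// Returns the per-IP quota entry, creating one if needed; returns NULL (caller must drop the message) when arguments are invalid or the table is full`. A counter or debug log on the table-full branch would also let operators see when the cap is being reached rather than only seeing missing notifications. The linear scan is bounded by the same cap, so its cost is acceptable.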
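Review bot: The check `if (quota_entry->Count >= IKE_QUOTA_MAX_INFOMSG_SEND_PER_IP_PER_SEC)` runs after `quota_entry->Count++`, so the 20th message in a window is dropped and the effective limit is 19 per client IP per reset interval, one fewer than the macro name suggests. Use `>` if 20 sends should be allowed, or keep `>=` and document the intent: `// At most (IKE_QUOTA_MAX_INFOMSG_SEND_PER_IP_PER_SEC - 1) informational messages per client IP per interval; the rest are silently dropped`. Both new drop paths call IkeFreePayload, which suggests this function owns the payload; a one-line comment saying so would help, since the earlier argument-validation return is outside the hunk and the reader cannot see whether it frees the payload too. SendInformationalExchangePacketEx continues outside the hunk.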
@@ -5940,6 +6004,15 @@ void FreeIKEServer(IKE_SERVER *ike)
 FreeIkeEngine(ike->Engine);
+for (i = 0;i < LIST_NUM(ike->InfoMsgQuotaList);i++)
+{
+IKE_INFOMSG_QUOTA_ENTRY *q = LIST_DATA(ike->InfoMsgQuotaList, i);
+
+Free(q);
+}
+
+ReleaseList(ike->InfoMsgQuotaList);
+
 Debug("FreeThreadList()...\n");
 FreeThreadList(ike->ThreadList);
 Debug("FreeThreadList() Done.\n");
@@ -5974,6 +6047,8 @@ IKE_SERVER *NewIKEServer(CEDAR *cedar, IPSEC_SERVER *ipsec)
 ike->ClientList = NewList(CmpIkeClient);
+ike->InfoMsgQuotaList = NewList(NULL);
+
 ike->Engine = NewIkeEngine();
 ike->ThreadList = NewThreadList();
diff --git a/src/Cedar/IPsec_IKE.h b/src/Cedar/IPsec_IKE.h
index 91408c79..82904676 100644
--- a/src/Cedar/IPsec_IKE.h
+++ b/src/Cedar/IPsec_IKE.h
@@ -148,6 +148,9 @@
 #define IKE_QUOTA_MAX_NUM_CLIENTS 30000 // Limit number of IKE_CLIENT
 #define IKE_QUOTA_MAX_SA_PER_CLIENT 100 // The limit number of SA for each IKE_CLIENT
+#define IKE_QUOTA_MAX_INFOMSG_SEND_PER_IP_PER_SEC 20
+#define IKE_QUOTA_MAX_INFOMSG_ENTRY_COUNT 100
+
 // Time-out
 #define IKE_TIMEOUT_FOR_IKE_CLIENT 150000 // IKE_CLIENT non-communication disconnect time
 #define IKE_TIMEOUT_FOR_IKE_CLIENT_FOR_NOT_ESTABLISHED 10000 // IKE_CLIENT non-communication disconnect time (connection incomplete)
@@ -346,6 +349,12 @@ struct IPSECSA
 IKE_HASH *SKEYID_Hash;
 };
+struct IKE_INFOMSG_QUOTA_ENTRY
+{
+IP ClientIp;
+UINT Count;
+};
+
 // IKE server
 struct IKE_SERVER
 {
@@ -360,6 +369,8 @@ struct IKE_SERVER
 LIST *IkeSaList; // SA list
 LIST *IPsecSaList; // IPsec SA list
 LIST *ThreadList; // L2TP thread list
+LIST *InfoMsgQuotaList; // Information Message Quota List
+UINT64 NextInfoMsgQuotaClearTick;
 bool StateHasChanged; // Flag whether the state has changed
 UINT CurrentIkeSaId, CurrentIPsecSaId, CurrentIkeClientId, CurrentEtherId; // Serial number ID
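Review bot: The cleanup loop added to FreeIKEServer duplicates the body of IkeInfoMsgQuotaDeleteAll introduced in the same commit; calling the helper keeps a single place responsible for the entry lifetime, so the block can shrink to `IkeInfoMsgQuotaDeleteAll(ike);` followed by `ReleaseList(ike->InfoMsgQuotaList);`. The loop also reuses `i`, whose declaration is outside the hunk. FreeIKEServer starts and ends outside the hunk.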
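Review bot: The two new macros in IPsec_IKE.h are the only IKE_QUOTA_* entries without a trailing comment, and the new `NextInfoMsgQuotaClearTick` member lacks the per-field comment that every neighbouring field carries; `#define IKE_QUOTA_MAX_INFOMSG_SEND_PER_IP_PER_SEC 20 // Max informational messages sent to one client IP between quota resets` and `#define IKE_QUOTA_MAX_INFOMSG_ENTRY_COUNT 100 // Max distinct client IPs tracked between quota resets` and `UINT64 NextInfoMsgQuotaClearTick; // Tick at which InfoMsgQuotaList is next cleared` would bring them in line. The new IKE_INFOMSG_QUOTA_ENTRY struct would likewise benefit from a one-line note that Count is discarded with the list at each reset.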
@@ -463,5 +474,8 @@ void ProcL2TPv3PacketRecv(IKE_SERVER *ike, IKE_CLIENT *c, UCHAR *data, UINT data
 IKE_SA *SearchIkeSaByCookie(IKE_SERVER *ike, UINT64 init_cookie, UINT64 resp_cookie);
+IKE_INFOMSG_QUOTA_ENTRY *IkeInfoMsgQuotaGetEntry(IKE_SERVER *ike, IP *client_ip);
+void IkeInfoMsgQuotaDeleteAll(IKE_SERVER *ike);
+
 #endif // IPSEC_IKE_H
diff --git a/src/Cedar/Logging.c b/src/Cedar/Logging.c
index 9ec6a5a0..34060308 100644
--- a/src/Cedar/Logging.c
+++ b/src/Cedar/Logging.c
@@ -1147,11 +1147,23 @@ bool PacketLog(HUB *hub, SESSION *src_session, SESSION *dest_session, PKT *packe
 if (src_session != NULL && src_session->NormalClient)
 {
 StrCpy(pl->SrcPhysicalIP, sizeof(pl->SrcPhysicalIP), src_session->ClientIP);
+if (src_session->ClientPort != 0)
+{
+char tmp[32] = {0};
+Format(tmp, sizeof(tmp), "(port=%u)", src_session->ClientPort);
+StrCat(pl->SrcPhysicalIP, sizeof(pl->SrcPhysicalIP), tmp);
+}
 }
 if (dest_session != NULL && dest_session->NormalClient)
 {
 StrCpy(pl->DestPhysicalIP, sizeof(pl->DestPhysicalIP), dest_session->ClientIP);
+if (dest_session->ClientPort != 0)
+{
+char tmp[32] = {0};
+Format(tmp, sizeof(tmp), "(port=%u)", dest_session->ClientPort);
+StrCat(pl->DestPhysicalIP, sizeof(pl->DestPhysicalIP), tmp);
+}
 }
 pl->WritePhysicalIP = true;
diff --git a/src/Cedar/Protocol.c b/src/Cedar/Protocol.c
index 2fc3c22b..def224bb 100644
--- a/src/Cedar/Protocol.c
+++ b/src/Cedar/Protocol.c
@@ -3736,6 +3736,7 @@ bool ServerAccept(CONNECTION *c)
 s->NormalClient = true;
 IPToStr(s->ClientIP, sizeof(s->ClientIP), &c->ClientIp);
+s->ClientPort = c->ClientPort;
 if (c->FirstSock->IsRUDPSocket)
 {
@@ -7783,7 +7784,10 @@ SOCK *SocksConnectEx2(CONNECTION *c, char *proxy_host_name, UINT proxy_port,
 if (c == NULL || proxy_host_name == NULL || proxy_port == 0 || server_host_name == NULL || server_port == 0)
 {
-c->Err = ERR_PROXY_CONNECT_FAILED;
+if (c != NULL)
+{
+c->Err = ERR_PROXY_CONNECT_FAILED;
+}
 return NULL;
 }
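Review bot: Appending `(port=N)` to pl->SrcPhysicalIP and pl->DestPhysicalIP changes the content of a field that until now held a bare address string, so any log consumer (SIEM parser, address-based search) that reads the physical-IP column as an IP address will stop matching for every session whose ClientPort is non-zero. If the new format is intended, it should be described wherever the packet-log columns are documented and mentioned in the commit message; otherwise a separate port field would keep the address parseable. StrCat is passed the destination's sizeof, so a long address plus suffix is presumably truncated rather than overflowed, which is safe but produces yet another shape for parsers to handle. PacketLog starts and ends outside the hunk.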
@@ -7977,7 +7981,10 @@ SOCK *ProxyConnectEx2(CONNECTION *c, char *proxy_host_name, UINT proxy_port,
 if (c == NULL || proxy_host_name == NULL || proxy_port == 0 || server_host_name == NULL || server_port == 0)
 {
-c->Err = ERR_PROXY_CONNECT_FAILED;
+if (c != NULL)
+{
+c->Err = ERR_PROXY_CONNECT_FAILED;
+}
 return NULL;
 }
 if (username != NULL && password != NULL &&
@@ -8977,7 +8984,7 @@ UINT WsRecvSync(WS *w, void *data, UINT size)
 return sz;
 }
 r = Recv(w->Sock, w->TmpBuf, sizeof(w->TmpBuf), w->Sock->SecureMode);
-if (r == 0)
+if (r == 0 || r == SOCK_LATER)
 {
 break;
 }
@@ -9589,9 +9596,9 @@ UINT MvpnDoAccept(CONNECTION *c, WS *w)
 StrCpy(ipc_param.HubName, sizeof(ipc_param.HubName), client_hub_name);
 StrCpy(ipc_param.UserName, sizeof(ipc_param.UserName), auth_username);
 CopyIP(&ipc_param.ClientIp, &w->Sock->RemoteIP);
-ipc_param.ClientPort, w->Sock->RemotePort;
+ipc_param.ClientPort = w->Sock->RemotePort;
 CopyIP(&ipc_param.ServerIp, &w->Sock->LocalIP);
-ipc_param.ServerPort, w->Sock->LocalPort;
+ipc_param.ServerPort = w->Sock->LocalPort;
 StrCpy(ipc_param.ClientHostname, sizeof(ipc_param.ClientHostname), w->Sock->RemoteHostname);
 StrCpy(ipc_param.CryptName, sizeof(ipc_param.CryptName), w->Sock->CipherName);
 ipc_param.Layer = IPC_LAYER_3; // TODO
diff --git a/src/Cedar/Session.h b/src/Cedar/Session.h
index 5fca38ee..d12fede5 100644
--- a/src/Cedar/Session.h
+++ b/src/Cedar/Session.h
@@ -185,6 +185,7 @@ struct SESSION
 THREAD *Thread; // Management thread
 CONNECTION *Connection; // Connection
 char ClientIP[64]; // Client IP
+UINT ClientPort; // Client Port
 CLIENT_OPTION *ClientOption; // Client connection options
 CLIENT_AUTH *ClientAuth; // Client authentication data
 volatile bool Halt; // Halting flag
diff --git a/src/CurrentBuild.txt b/src/CurrentBuild.txt
index 0fecf2a1..a783815e 100644
--- a/src/CurrentBuild.txt
+++ b/src/CurrentBuild.txt
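Review bot: Treating `r == SOCK_LATER` the same as `r == 0` makes a would-block or timeout result from Recv leave the loop exactly like a closed socket, and whether the caller can tell the two apart depends on what WsRecvSync returns after the loop, which is outside the hunk. If the socket can legitimately report SOCK_LATER here, a comment stating the intent would help the next reader: `// SOCK_LATER (no data available yet) ends this synchronous read like EOF`. WsRecvSync starts and ends outside the hunk.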
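Review bot: The removed lines `ipc_param.ClientPort, w->Sock->RemotePort;` and `ipc_param.ServerPort, w->Sock->LocalPort;` were comma expressions with no effect, so until this fix the client and server ports in ipc_param were never set on this path; the new assignments are correct. Compilers report this pattern as an unused-value warning, so enabling that warning (and failing CI on it) would catch the next occurrence before it ships. MvpnDoAccept starts and ends outside the hunk.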
@@ -1,4 +1,4 @@
-BUILD_NUMBER 9754
-VERSION 436
+BUILD_NUMBER 9758
+VERSION 437
 BUILD_NAME beta
-BUILD_DATE 20210607_212954
+BUILD_DATE 20210816_002711
diff --git a/src/Mayaqua/Encrypt.c b/src/Mayaqua/Encrypt.c
index d93ef7d5..0757b090 100644
--- a/src/Mayaqua/Encrypt.c
+++ b/src/Mayaqua/Encrypt.c
@@ -2642,6 +2642,7 @@ bool RsaPrivateDecrypt(void *dst, void *src, UINT size, K *k)
 Unlock(openssl_lock);
 if (ret <= 0)
 {
+Free(tmp);
 return false;
 }
diff --git a/src/Mayaqua/Kernel.c b/src/Mayaqua/Kernel.c
index 28dd4b6e..2edc142e 100644
--- a/src/Mayaqua/Kernel.c
+++ b/src/Mayaqua/Kernel.c
@@ -566,7 +566,7 @@ void GetHomeDir(char *path, UINT size)
 if (GetEnv("HOMEDRIVE", drive, sizeof(drive)) && GetEnv("HOMEPATH", hpath, sizeof(hpath)))
 {
-Format(path, sizeof(path), "%s%s", drive, hpath);
+Format(path, size, "%s%s", drive, hpath);
 }
 else
 {
diff --git a/src/bin/vpnweb.cab b/src/bin/vpnweb.cab
index 04347ec9..8e8f66ba 100644
Binary files a/src/bin/vpnweb.cab and b/src/bin/vpnweb.cab differ
diff --git a/src/bin/vpnweb.ocx b/src/bin/vpnweb.ocx
index fb9d6390..9a097ab0 100644
Binary files a/src/bin/vpnweb.ocx and b/src/bin/vpnweb.ocx differ
diff --git a/src/vpnweb/vpnweb.h b/src/vpnweb/vpnweb.h
index 126fb191..9ca211b4 100644
--- a/src/vpnweb/vpnweb.h
+++ b/src/vpnweb/vpnweb.h
@@ -4,7 +4,7 @@
 /* File created by MIDL compiler version 7.00.0500 */
-/* at Mon Jun 07 21:30:12 2021
+/* at Mon Aug 16 00:27:28 2021
 */
 /* Compiler settings for .\vpnweb.idl:
 Oicf, W1, Zp8, env=Win32 (32b run)
diff --git a/src/vpnweb/vpnweb_i.c b/src/vpnweb/vpnweb_i.c
index c3d46155..a0b1f9ff 100644
--- a/src/vpnweb/vpnweb_i.c
+++ b/src/vpnweb/vpnweb_i.c
@@ -6,7 +6,7 @@
 /* File created by MIDL compiler version 7.00.0500 */
-/* at Mon Jun 07 21:30:12 2021
+/* at Mon Aug 16 00:27:28 2021
 */
 /* Compiler settings for .\vpnweb.idl:
 Oicf, W1, Zp8, env=Win32 (32b run)
diff --git a/src/vpnweb/vpnweb_p.c b/src/vpnweb/vpnweb_p.c
index f21d0dbe..6bd00159 100644
--- a/src/vpnweb/vpnweb_p.c
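Review bot: Adding `Free(tmp);` before `return false;` closes the leak on the decrypt-failure path, but the allocation of tmp and any other early returns in RsaPrivateDecrypt are outside the hunk, so every exit after the allocation should be checked for the same omission. A comment on the added line, `// tmp is allocated above; release it on this failure path as well`, would make the pairing visible to the next reader. RsaPrivateDecrypt starts and ends outside the hunk.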
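Review bot: Replacing `sizeof(path)` with `size` in GetHomeDir is the right fix: path is a `char *` parameter, so the old expression was the size of a pointer and presumably limited Format to a few characters of the home path. The `else` branch that starts at the end of the hunk continues outside it and should be checked for the same mistake. GetHomeDir starts and ends outside the hunk.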
+++ b/src/vpnweb/vpnweb_p.c
@@ -4,7 +4,7 @@
 /* File created by MIDL compiler version 7.00.0500 */
-/* at Mon Jun 07 21:30:12 2021
+/* at Mon Aug 16 00:27:28 2021
 */
 /* Compiler settings for .\vpnweb.idl:
 Oicf, W1, Zp8, env=Win32 (32b run)