Merge branch 'master' into add-sha2

.github/PULL_REQUEST_TEMPLATE.md

@@ -0,0 +1,14 @@
+Changes proposed in this pull request:
+ - 
+ - 
+ - 
+
+Your great patch is much appreciated. We are considering to apply your patch into the SoftEther VPN main tree.
+
+SoftEther VPN Patch Acceptance Policy:
+http://www.softether.org/5-download/src/9.patch
+
+You have two options which are described on the above policy.
+Could you please choose either option 1 or 2, and specify it clearly on the reply?
+
+-

debian/softether-vpnserver.init

@@ -1,4 +1,3 @@
-
 #! /bin/sh
 
 ### BEGIN INIT INFO

src/Cedar/Client.c

@@ -6663,7 +6663,7 @@ bool CtConnect(CLIENT *c, RPC_CLIENT_CONNECT *connect)
 				CiSetError(c, ERR_ACCOUNT_ACTIVE);
 			}
 			else if (r->ClientAuth->AuthType == CLIENT_AUTHTYPE_SECURE &&
-				client->UseSecureDeviceId == 0)
+				c->UseSecureDeviceId == 0)
 			{
 				// Secure device is not specified
 				CiSetError(c, ERR_NO_SECURE_DEVICE_SPECIFIED);

src/Cedar/IPsec_IkePacket.c

@@ -2560,6 +2560,8 @@ IKE_ENGINE *NewIkeEngine()
 	IKE_CRYPTO *des, *des3, *aes;
 	IKE_HASH *sha1, *md5, *sha2_256, *sha2_384, *sha2_512;
 	IKE_DH *dh1, *dh2, *dh5;
+	IKE_HASH *sha1, *md5;
+	IKE_DH *dh1, *dh2, *dh5, *dh2048, *dh3072, *dh4096;
 	UINT des_key_sizes[] =
 	{
 		8,
@@ -2609,6 +2611,9 @@ IKE_ENGINE *NewIkeEngine()
 	dh1 = NewIkeDh(e, IKE_DH_1_ID, IKE_DH_1_STRING, 96);
 	dh2 = NewIkeDh(e, IKE_DH_2_ID, IKE_DH_2_STRING, 128);
 	dh5 = NewIkeDh(e, IKE_DH_5_ID, IKE_DH_5_STRING, 192);
+	dh2048 = NewIkeDh(e, IKE_DH_2048_ID, IKE_DH_2048_STRING, 256);
+	dh3072 = NewIkeDh(e, IKE_DH_3072_ID, IKE_DH_3072_STRING, 384);
+	dh4096 = NewIkeDh(e, IKE_DH_4096_ID, IKE_DH_4096_STRING, 512);
 
 	// Define the IKE algorithm
 	e->IkeCryptos[IKE_P1_CRYPTO_DES_CBC] = des;
@@ -2632,6 +2637,9 @@ IKE_ENGINE *NewIkeEngine()
 	e->IkeDhs[IKE_P1_DH_GROUP_768_MODP] = e->EspDhs[IKE_P2_DH_GROUP_768_MODP] = dh1;
 	e->IkeDhs[IKE_P1_DH_GROUP_1024_MODP] = e->EspDhs[IKE_P2_DH_GROUP_1024_MODP] = dh2;
 	e->IkeDhs[IKE_P1_DH_GROUP_1536_MODP] = e->EspDhs[IKE_P2_DH_GROUP_1536_MODP] = dh5;
+	e->IkeDhs[IKE_P1_DH_GROUP_2048_MODP] = e->EspDhs[IKE_P2_DH_GROUP_2048_MODP] = dh2048;
+	e->IkeDhs[IKE_P1_DH_GROUP_3072_MODP] = e->EspDhs[IKE_P2_DH_GROUP_3072_MODP] = dh3072;
+	e->IkeDhs[IKE_P1_DH_GROUP_4096_MODP] = e->EspDhs[IKE_P2_DH_GROUP_4096_MODP] = dh4096;
 
 	return e;
 }
@@ -3183,6 +3191,15 @@ DH_CTX *IkeDhNewCtx(IKE_DH *d)
 
 	case IKE_DH_5_ID:
 		return DhNewGroup5();
+
+	case IKE_DH_2048_ID:
+		return DhNew2048();
+
+	case IKE_DH_3072_ID:
+		return DhNew3072();
+
+	case IKE_DH_4096_ID:
+		return DhNew4096();
 	}
 
 	return NULL;

src/Cedar/IPsec_IkePacket.h

@@ -262,6 +262,9 @@ struct IKE_TRANSFORM_VALUE
 #define IKE_P1_DH_GROUP_768_MODP			1
 #define IKE_P1_DH_GROUP_1024_MODP			2
 #define IKE_P1_DH_GROUP_1536_MODP			5
+#define IKE_P1_DH_GROUP_2048_MODP			14
+#define IKE_P1_DH_GROUP_3072_MODP			15
+#define IKE_P1_DH_GROUP_4096_MODP			16
 
 // Phase 1: The expiration date type in IKE transform value
 #define IKE_P1_LIFE_TYPE_SECONDS			1
@@ -275,6 +278,9 @@ struct IKE_TRANSFORM_VALUE
 #define IKE_P2_DH_GROUP_768_MODP			1
 #define IKE_P2_DH_GROUP_1024_MODP			2
 #define IKE_P2_DH_GROUP_1536_MODP			5
+#define IKE_P2_DH_GROUP_2048_MODP			14
+#define IKE_P2_DH_GROUP_3072_MODP			15
+#define IKE_P2_DH_GROUP_4096_MODP			16
 
 // Phase 2: The encapsulation mode in IPsec transform value
 #define IKE_P2_CAPSULE_TUNNEL				1
@@ -552,6 +558,15 @@ struct IKE_P1_KEYSET
 #define	IKE_DH_5_ID								2
 #define	IKE_DH_5_STRING							"MODP 1536 (Group 5)"
 
+#define IKE_DH_2048_ID							14
+#define IKE_DH_2048_STRING						"MODP 2048 (Group 14)"
+
+#define IKE_DH_3072_ID							15
+#define IKE_DH_3072_STRING						"MODP 3072 (Group 15)"
+
+#define IKE_DH_4096_ID							16
+#define IKE_DH_4096_STRING						"MODP 4096 (Group 16)"
+
 
 // Encryption algorithm for IKE
 struct IKE_CRYPTO

src/Cedar/IPsec_PPP.c

@@ -1749,8 +1749,12 @@ PPP_PACKET *PPPRecvResponsePacket(PPP_SESSION *p, PPP_PACKET *req, USHORT expect
 
 			if (pp->IsControl && PPP_CODE_IS_REQUEST(pp->Protocol, pp->Lcp->Code))
 			{
+				// Record current resend because next steps may take a while
+				UINT64 currentresend = next_resend - now;
 				// Process when the received packet is a request packet
 				response = PPPProcessRequestPacket(p, pp);
+				// Increase next resend because this may have taken a while
+				next_resend = Tick64() + currentresend;
 				FreePPPPacket(pp);
 
 				if (response == NULL)

src/Cedar/Interop_OpenVPN.c

@@ -1151,14 +1151,17 @@ UINT OvsParseKeyMethod2(OPENVPN_KEY_METHOD_2 *ret, UCHAR *data, UINT size, bool
 					// Random2
 					if (ReadBuf(b, ret->Random2, sizeof(ret->Random2)) == sizeof(ret->Random2))
 					{
-						// String
+                        // String
-						if (OvsReadStringFromBuf(b, ret->OptionString, sizeof(ret->OptionString)) &&
+                        if (OvsReadStringFromBuf(b, ret->OptionString, sizeof(ret->OptionString)) &&
-							OvsReadStringFromBuf(b, ret->Username, sizeof(ret->Username)) &&
+                            OvsReadStringFromBuf(b, ret->Username, sizeof(ret->Username)) &&
-							OvsReadStringFromBuf(b, ret->Password, sizeof(ret->Password)) &&
+                            OvsReadStringFromBuf(b, ret->Password, sizeof(ret->Password)))
-							OvsReadStringFromBuf(b, ret->PeerInfo, sizeof(ret->PeerInfo)))
+                        {
-						{
+                            if (!OvsReadStringFromBuf(b, ret->PeerInfo, sizeof(ret->PeerInfo)))
-							read_size = b->Current;
+                            {
-						}
+                                Zero(ret->PeerInfo, sizeof(ret->PeerInfo));
+                            }
+                            read_size = b->Current;
+                        }
 					}
 				}
 			}