mirror of https://github.com/SoftEtherVPN/SoftEtherVPN.git synced 2024-09-13 07:13:00 +03:00

Hiding the EAP-TLS match user by certificate behind an admin option, disabled by default

This commit is contained in:
Evengard 2023-01-24 11:31:10 +03:00
parent 149096e13c
commit 0a60cdf141
9 changed files with 9 additions and 1 deletions


@ -45,6 +45,7 @@ static bool g_vgs_emb_tag = false;
ADMIN_OPTION admin_options[] =
{
{"allow_hub_admin_change_option", 0},
{"allow_eap_tls_match_user_by_cert", 0},
{"max_users", 0},
{"max_multilogins_per_user", 0},
{"max_groups", 0},
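Review bot: the new entry defaults to 0, which is the correct fail-closed choice, but nothing in the hunk or the commit message records that this is a behaviour change for existing hubs: any deployment that relied on EAP identities being resolved against certificate CNs will stop authenticating those users until an administrator sets `allow_eap_tls_match_user_by_cert` to 1. Worth a line in the commit message or release notes, together with the point that, per the string-table description of `allow_hub_admin_change_option`, a Virtual Hub administrator can only change this value where that special option is enabled; otherwise it is the server's global administrator who decides.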


@ -1295,7 +1295,7 @@ bool PPPProcessEAPResponsePacket(PPP_SESSION *p, PPP_PACKET *pp, PPP_PACKET *req
AcLock(hub);
{
USER *user = AcGetUser(hub, p->Eap_Identity.UserName);
if (user == NULL)
if (user == NULL && GetHubAdminOption(hub, "allow_eap_tls_match_user_by_cert") == true)
{
user = AcGetUserByCert(hub, p->Eap_Identity.UserName);
if (user != NULL)
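Review bot: `GetHubAdminOption(hub, "allow_eap_tls_match_user_by_cert") == true` only accepts the value 1, whereas the other admin options are documented in the string tables as taking effect on any non-zero value; if `GetHubAdminOption` returns the raw option value, a hub configured with 2 would silently keep certificate matching disabled. Prefer `GetHubAdminOption(hub, "allow_eap_tls_match_user_by_cert") != 0` to keep the semantics consistent. The option name is also a bare string literal duplicated between Admin.c and this file, so a typo in either copy would compile cleanly and simply never match; a shared `#define` for the name would close that gap. The gate itself is placed correctly: with the option off, an EAP identity that matches no registered username is no longer resolved through `AcGetUserByCert`, so the CN-based fallback cannot be reached unless an administrator has opted in.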


@ -469,6 +469,7 @@ NATT_MSG ** 使用 NAT 穿透 (UDP 打洞) - 它可能是不稳定的 **\r\n
HUB_AO_CLICK 选择一个项目,查看这里的描述。
HUB_AO_UNKNOWN 该项目的描述没有被发现。请参阅文件,或从该项目的名称推测项目的意思和目的。
HUB_AO_allow_hub_admin_change_option 这是一个特殊项目。如果你启用(设置为1)这个选项,那么不但 VPN Server 的全球管理员,而且虚拟 HUB 的管理员,都将被他自己准予修改虚拟 HUB 管理选项。
HUB_AO_allow_eap_tls_match_user_by_cert If you enable (set to 1) this option, the Virtual Hub will attempt to match the EAP Identity not only with usernames, but also with user certificate CNs during the PPP EAP authentication flow.
HUB_AO_deny_hub_admin_change_ext_option 如果你启用(设置为1)这个选项,虚拟 HUB 的管理员将被禁止修改在虚拟 HUB 扩展选项上的任何值,那么只有 VPN Server 的全球管理员可以对其进行修改。
HUB_AO_no_delay_jitter_packet_loss 如果您将此选项设置为非零值,在访问列表条目中的延迟、时基误差和数据包丢失的所有参数将被忽略,即使这些参数是在管理员添加新的访问列表条目时设置的。因此,延迟、时基误差和数据包丢失的生成函数实际中将被禁用。由于延迟生成函数有时会让 CPU 和 RAM 产生高负载量,由多个用户共享的一个虚拟 HUB 上应该启用此选项。
HUB_AO_max_users 如果您将此选项设置为非零值,在虚拟 HUB 上用户对象注册的最大数量将被限制在这个值,那么用户对象的数量如果大于这个值则不能被添加。
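Review bot: the new HUB_AO_allow_eap_tls_match_user_by_cert description is inserted in English into the Simplified Chinese table, while every neighbouring HUB_AO_ entry is localized; the same applies to the Japanese, Korean and Traditional Chinese hunks further down. If a translation cannot be supplied in this change, a note in the commit message that these strings are pending localization would help whoever maintains the tables spot them later.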


@ -465,6 +465,7 @@ NATT_MSG ** Connected with NAT traversal - might be unstable **\r\n\r\nThis V
HUB_AO_CLICK Select an item to view the description here.
HUB_AO_UNKNOWN The description of the item was not found. Refer to the documents, or speculate the meaning and purpose of the item from the name of the item.
HUB_AO_allow_hub_admin_change_option This is a special item. If you are enable (set to 1) this option, then not only the VPN Server's global administrator but also the Virtual Hub's administrator will be granted to modify the Virtual Hub Admin Options by himself.
HUB_AO_allow_eap_tls_match_user_by_cert If you enable (set to 1) this option, the Virtual Hub will attempt to match the EAP Identity not only with usernames, but also with user certificate CNs during the PPP EAP authentication flow.
HUB_AO_deny_hub_admin_change_ext_option If you are enable (set to 1) this option, the Virtual Hub's administrator will be forbidden to modify any values on the Virtual Hub Extended Options, then only the VPN Server's global administrator can modify them.
HUB_AO_no_delay_jitter_packet_loss If you set this option to non-zero value, then all parameters of delay, jitter and packet-loss on the access-list entry will be ignored even if these parameters are set when the administrator adds a new access list entry. Therefore, delay, jitter and packet-loss generating function will be virtually disabled. Because of the delay generating function sometimes make a high volume of load on the CPU and RAM, a Virtual Hub which is shared by several users should have this option enabled.
HUB_AO_max_users If you set this option to non-zero value, the maximum number of user objects registered on the Virtual Hub will be limited to this value, then greater number of user objects than this value cannot be added.
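Review bot: the description should state the default and the security consequence of turning the option on: it is disabled by default (per the Admin.c hunk), and when enabled a client whose EAP identity matches no registered username is instead looked up by the CN of its user certificate, so the CN becomes an identity that selects a user account. Saying "set to a non-zero value" rather than "set to 1" would also match the phrasing of the neighbouring entries such as HUB_AO_no_delay_jitter_packet_loss and HUB_AO_max_users.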


@ -487,6 +487,7 @@ NATT_MSG ** NAT Traversal 接続 - 安定性低下の可能性があります
HUB_AO_CLICK 項目名を 1 つ選択すると、その項目名に関する説明文が表示されます。
HUB_AO_UNKNOWN この項目に関する説明文が見つかりませんでした。ドキュメント等を参照するか、項目名をもとに意味・内容を推測して利用してください。
HUB_AO_allow_hub_admin_change_option この項目は特殊です。この項目が 1 (有効) の場合は、VPN Server 全体の管理者だけでなく仮想 HUB の管理者も自ら仮想 HUB 管理オプションを変更することができるようになります。
HUB_AO_allow_eap_tls_match_user_by_cert If you enable (set to 1) this option, the Virtual Hub will attempt to match the EAP Identity not only with usernames, but also with user certificate CNs during the PPP EAP authentication flow.
HUB_AO_deny_hub_admin_change_ext_option この項目が 1 (有効) の場合は、仮想 HUB の管理者は仮想 HUB の拡張オプションの設定を変更することができなくなり、VPN Server 全体の管理者のみが仮想 HUB の拡張オプションの設定を変更することができるようになります。
HUB_AO_no_delay_jitter_packet_loss この項目が 1 以上に設定されている場合は、仮想 HUB のアクセスリストを追加する際に遅延・ジッタ・パケットロスを生成させるためのパラメータが設定されている場合であっても、それらの値をすべて削除します。これにより、遅延・パケットロス生成機能が実質的に無効になります。遅延・パケットロス生成機能は VPN Server の CPU およびメモリ使用率を高くする可能性があるため、多くのユーザーで共有する仮想 HUB の場合は、高負荷を避けるためにこのオプションを使用してください。
HUB_AO_max_users この項目が 1 以上に設定されている場合は、仮想 HUB に登録できるユーザーの最大数がこの項目の指定数に制限され、それ以上のユーザーオブジェクトを登録することはできなくなります。


@ -491,6 +491,7 @@ NATT_MSG ** NAT Traversal 연결 - 안정성 저하 가능성이 있습니다 **
HUB_AO_CLICK 항목 이름을 선택하면 해당 항목 이름에 대한 설명이 표시됩니다.
HUB_AO_UNKNOWN 이 항목에 대한 설명을 찾을 수 없습니다. 문서 등을 참조하거나 항목 이름을 바탕으로 의미·내용을 추측하여 사용하십시오.
HUB_AO_allow_hub_admin_change_option 이 항목은 특별하다. 이 항목을 1 (유효)의 경우 VPN Server 전체 관리자뿐만 아니라 가상 HUB 관리자도 스스로 가상 HUB 관리 옵션을 변경 할 수 있습니다.
HUB_AO_allow_eap_tls_match_user_by_cert If you enable (set to 1) this option, the Virtual Hub will attempt to match the EAP Identity not only with usernames, but also with user certificate CNs during the PPP EAP authentication flow.
HUB_AO_deny_hub_admin_change_ext_option 이 항목을 1 (유효)의 경우 가상 HUB 관리자는 가상 HUB의 고급 옵션 설정을 변경할 수 없으며 VPN Server 전체 관리자 만 가상 HUB의 고급 옵션 설정을 변경 할 수 있습니다.
HUB_AO_no_delay_jitter_packet_loss 이 항목이 1 이상으로 설정되어있는 경우 가상 HUB 액세스 목록을 추가 할 때 지연 지터 패킷 손실을 생성시키기위한 매개 변수가 설정되어있는 경우에도 그 값 를 모두 삭제합니다. 이로 인해 지연 패킷 로스 생성 기능이 실질적으로 해제됩니다. 지연 패킷 로스 생성 기능은 VPN Server의 CPU 및 메모리 사용률이 높을 수 있기 때문에 많은 사용자가 공유하는 가상 HUB의 경우 높은 부하를 피하기 위해이 옵션을 사용하십시오.
HUB_AO_max_users 이 항목이 1 이상으로 설정되어있는 경우 가상 HUB에 등록 할 수있는 최대 사용자 수이 항목의 지정된 수에 제한되며, 그 이상의 사용자 개체를 등록 할 수 없습니다.


@ -480,6 +480,7 @@ NATT_MSG ** Connected with NAT traversal - might be unstable **\r\n\r\nThis VPN
HUB_AO_CLICK Select an item to view the description here.
HUB_AO_UNKNOWN The description of the item was not found. Refer to the documents, or speculate the meaning and purpose of the item from the name of the item.
HUB_AO_allow_hub_admin_change_option This is a special item. If you are enable (set to 1) this option, then not only the VPN Server's global administrator but also the Virtual Hub's administrator will be granted to modify the Virtual Hub Admin Options by himself.
HUB_AO_allow_eap_tls_match_user_by_cert If you enable (set to 1) this option, the Virtual Hub will attempt to match the EAP Identity not only with usernames, but also with user certificate CNs during the PPP EAP authentication flow.
HUB_AO_deny_hub_admin_change_ext_option If you are enable (set to 1) this option, the Virtual Hub's administrator will be forbidden to modify any values on the Virtual Hub Extended Options, then only the VPN Server's global administrator can modify them.
HUB_AO_no_delay_jitter_packet_loss If you set this option to non-zero value, then all parameters of delay, jitter and packet-loss on the access-list entry will be ignored even if these parameters are set when the administrator adds a new access list entry. Therefore, delay, jitter and packet-loss generating function will be virtually disabled. Because of the delay generating function sometimes make a high volume of load on the CPU and RAM, a Virtual Hub which is shared by several users should have this option enabled.
HUB_AO_max_users If you set this option to non-zero value, the maximum number of user objects registered on the Virtual Hub will be limited to this value, then greater number of user objects than this value cannot be added.


@ -465,6 +465,7 @@ NATT_MSG ** Connected with NAT traversal - might be unstable **\r\n\r\nThis V
HUB_AO_CLICK Select an item to view the description here.
HUB_AO_UNKNOWN The description of the item was not found. Refer to the documents, or speculate the meaning and purpose of the item from the name of the item.
HUB_AO_allow_hub_admin_change_option This is a special item. If you are enable (set to 1) this option, then not only the VPN Server's global administrator but also the Virtual Hub's administrator will be granted to modify the Virtual Hub Admin Options by himself.
HUB_AO_allow_eap_tls_match_user_by_cert If you enable (set to 1) this option, the Virtual Hub will attempt to match the EAP Identity not only with usernames, but also with user certificate CNs during the PPP EAP authentication flow.
HUB_AO_deny_hub_admin_change_ext_option If you are enable (set to 1) this option, the Virtual Hub's administrator will be forbidden to modify any values on the Virtual Hub Extended Options, then only the VPN Server's global administrator can modify them.
HUB_AO_no_delay_jitter_packet_loss If you set this option to non-zero value, then all parameters of delay, jitter and packet-loss on the access-list entry will be ignored even if these parameters are set when the administrator adds a new access list entry. Therefore, delay, jitter and packet-loss generating function will be virtually disabled. Because of the delay generating function sometimes make a high volume of load on the CPU and RAM, a Virtual Hub which is shared by several users should have this option enabled.
HUB_AO_max_users If you set this option to non-zero value, the maximum number of user objects registered on the Virtual Hub will be limited to this value, then greater number of user objects than this value cannot be added.


@ -473,6 +473,7 @@ NATT_MSG ** 使用 NAT 穿透 (UDP 打洞) - 它可能是不穩定的 **\r\n\
HUB_AO_CLICK 選擇一個項目,查看這裡的描述。
HUB_AO_UNKNOWN 該項目的描述沒有被發現。請參閱檔案,或從該專案的名稱推測專案的意思和目的。
HUB_AO_allow_hub_admin_change_option 這是一個特殊項目。如果你啟用(設置為1)這個選項,那麼不但 VPN Server 的全球管理員,而且虛擬 HUB 的管理員,都將被他自己准予修改虛擬 HUB 管理選項。
HUB_AO_allow_eap_tls_match_user_by_cert If you enable (set to 1) this option, the Virtual Hub will attempt to match the EAP Identity not only with usernames, but also with user certificate CNs during the PPP EAP authentication flow.
HUB_AO_deny_hub_admin_change_ext_option 如果你啟用(設置為1)這個選項,虛擬 HUB 的管理員將被禁止修改在虛擬 HUB 擴展選項上的任何值,那麼只有 VPN Server 的全球管理員可以對其進行修改。
HUB_AO_no_delay_jitter_packet_loss 如果您將此選項設置為非零值,在訪問列表條目中的延遲、抖動和封包丟失的所有參數將被忽略,即使這些參數是在管理員添加新的訪問列表條目時設置的。因此,延遲、抖動和封包丟失的生成函數實際中將被禁用。由於延遲生成函數有時會讓 CPU 和 RAM 產生高負載量,由多個使用者共用的一個虛擬 HUB 上應該啟用此選項。
HUB_AO_max_users 如果您將此選項設置為非零值,在虛擬 HUB 上使用者物件註冊的最大數量將被限制在這個值,那麼使用者物件的數量如果大於這個值則不能被添加。