AMajor/SoftEtherVPN
1
0
Fork 0
mirror of https://github.com/SoftEtherVPN/SoftEtherVPN.git synced 2026-04-20 05:49:26 +03:00
Code Releases Activity

v4.22-9634-beta

Browse Source
This commit is contained in:
dnobori
2016-11-27 17:43:14 +09:00
parent 0978e1a016
commit 4df2eb4f9c
122 changed files with 1265 additions and 562 deletions
Download Patch File Download Diff File Expand all files Collapse all files
src/Cedar/Admin.c
+1 -1
View File
@@ -1166,7 +1166,7 @@ UINT StMakeOpenVpnConfigFile(ADMIN *a, RPC_READ_LOG_FILE *t)
name = NewName(cn, cn, cn, L"US", NULL, NULL);
dummy_x = NewRootX(dummy_public_k, dummy_private_k, name, MAX(GetDaysUntil2038(), SERVER_DEFAULT_CERT_DAYS), NULL);
dummy_x = NewRootX(dummy_public_k, dummy_private_k, name, GetDaysUntil2038Ex(), NULL);
FreeName(name);
src/Cedar/Cedar.c
+10 -3
View File
@@ -274,6 +274,15 @@ bool IsSupportedWinVer(RPC_WINVER *v)
return true;
}
}
else
{
// Windows Server 2016
if (v->ServicePack <= 0)
{
// SP0 only
return true;
}
}
}
return false;
@@ -1750,7 +1759,7 @@ CEDAR *NewCedar(X *server_x, K *server_k)
c->TrafficDiffList = NewList(NULL);
SetCedarCipherList(c, "RC4-MD5");
SetCedarCipherList(c, SERVER_DEFAULT_CIPHER_NAME);
c->ClientId = _II("CLIENT_ID");
@@ -1803,8 +1812,6 @@ CEDAR *NewCedar(X *server_x, K *server_k)
c->BuildInfo = CopyStr(tmp);
c->DisableSslVersions = SSL_OPT_DEFAULT;
return c;
}
src/Cedar/Cedar.h
+9 -25
View File
@@ -135,10 +135,10 @@
// Version number
#define CEDAR_VER 421
#define CEDAR_VER 422
// Build Number
#define CEDAR_BUILD 9613
#define CEDAR_BUILD 9634
// Beta number
//#define BETA_NUMBER 3
@@ -158,11 +158,11 @@
// Specifies the build date
#define BUILD_DATE_Y 2016
#define BUILD_DATE_M 4
#define BUILD_DATE_D 24
#define BUILD_DATE_HO 15
#define BUILD_DATE_MI 39
#define BUILD_DATE_SE 17
#define BUILD_DATE_M 11
#define BUILD_DATE_D 27
#define BUILD_DATE_HO 14
#define BUILD_DATE_MI 33
#define BUILD_DATE_SE 59
// Tolerable time difference
#define ALLOW_TIMESTAMP_DIFF (UINT64)(3 * 24 * 60 * 60 * 1000)
@@ -404,22 +404,7 @@
#define KEEP_ALIVE_MAGIC 0xffffffff
#define MAX_KEEPALIVE_SIZE 512
// SSL/TLS Versions
#define SSL_VERSION_SSL_V2 0x01 // SSLv2
#define SSL_VERSION_SSL_V3 0x02 // SSLv3
#define SSL_VERSION_TLS_V1_0 0x04 // TLS v1.0
#define SSL_VERSION_TLS_V1_1 0x08 // TLS v1.1
#define SSL_VERSION_TLS_V1_2 0x10 // TLS v1.2
// SSL/TLS Version Names
#define NAME_SSL_VERSION_SSL_V2 "SSL_V2" // SSLv2
#define NAME_SSL_VERSION_SSL_V3 "SSL_V3" // SSLv3
#define NAME_SSL_VERSION_TLS_V1_0 "TLS_V1_0" // TLS v1.0
#define NAME_SSL_VERSION_TLS_V1_1 "TLS_V1_1" // TLS v1.1
#define NAME_SSL_VERSION_TLS_V1_2 "TLS_V1_2" // TLS v1.2
// OpenSSL SSL Context Option Flags default
#define SSL_OPT_DEFAULT 0x0
//////////////////////////////////////////////////////////////////////
//
@@ -685,7 +670,7 @@
#define ARP_ENTRY_EXPIRES (30 * 1000) // ARP table expiration date
#define ARP_ENTRY_POLLING_TIME (1 * 1000) // ARP table cleaning timer
#define ARP_REQUEST_TIMEOUT (200) // ARP request time-out period
#define ARP_REQUEST_TIMEOUT (1000) // ARP request time-out period
#define ARP_REQUEST_GIVEUP (5 * 1000) // Time to give up sending the ARP request
#define IP_WAIT_FOR_ARP_TIMEOUT (5 * 1000) // Total time that an IP packet waiting for ARP table
#define IP_COMBINE_TIMEOUT (10 * 1000) // Time-out of IP packet combining
@@ -1067,8 +1052,7 @@ typedef struct CEDAR
UINT QueueBudget; // Queue budget
LOCK *FifoBudgetLock; // Fifo budget lock
UINT FifoBudget; // Fifo budget
bool AcceptOnlyTls; // Accept only TLS (Disable SSL)
UINT DisableSslVersions; // Bitmap of SSL Version to disable
SSL_ACCEPT_SETTINGS SslAcceptSettings; // SSL Accept Settings
char OpenVPNDefaultClientOption[MAX_SIZE]; // OpenVPN Default Client Option String
} CEDAR;
src/Cedar/Cedar.vcproj
+2 -2
View File
@@ -46,7 +46,7 @@
Name="VCCLCompilerTool"
Optimization="0"
AdditionalIncludeDirectories="$(SolutionDir)Mayaqua\win32_inc;.;$(SolutionDir);WinPcap"
PreprocessorDefinitions="WIN32;_DEBUG;_LIB;_USE_32BIT_TIME_T"
PreprocessorDefinitions="WIN32;_DEBUG;_LIB"
MinimalRebuild="true"
ExceptionHandling="0"
BasicRuntimeChecks="3"
@@ -188,7 +188,7 @@
EnableIntrinsicFunctions="false"
FavorSizeOrSpeed="0"
AdditionalIncludeDirectories="$(SolutionDir)Mayaqua\win32_inc;.;$(SolutionDir);WinPcap"
PreprocessorDefinitions="WIN32;NDEBUG;_LIB;_USE_32BIT_TIME_T;VPN_SPEED"
PreprocessorDefinitions="WIN32;NDEBUG;_LIB;VPN_SPEED"
StringPooling="false"
ExceptionHandling="0"
RuntimeLibrary="0"
src/Cedar/Client.c
+5 -3
View File
@@ -2182,12 +2182,13 @@ BUF *CiAccountToCfg(RPC_CLIENT_CREATE_ACCOUNT *t)
PACK *CiRpcDispatch(RPC *rpc, char *name, PACK *p)
{
PACK *ret;
CLIENT *c;
// Validate arguments
if (rpc == NULL || name == NULL || p == NULL)
{
return NULL;
}
CLIENT *c = rpc->Param;
c = rpc->Param;
ret = NewPack();
@@ -6033,8 +6034,9 @@ L_TRY:
if (ret != NULL)
{
ret->Rpc = rpc;
RPC_CLIENT_VERSION t;
ret->Rpc = rpc;
Zero(&t, sizeof(t));
CcGetClientVersion(ret, &t);
ret->OsType = t.OsType;
@@ -6487,7 +6489,7 @@ bool Win32CiSecureSign(SECURE_SIGN *sign)
// Success
ret = true;
sign->ClientCert = batch[0].OutputX;
Copy(sign->Signature, batch[1].OutputSign, 128);
Copy(sign->Signature, batch[1].OutputSign, MIN(sizeof(sign->Signature),sizeof(batch[1].OutputSign)));
}
}
src/Cedar/Command.c
+38 -3
View File
@@ -1245,6 +1245,7 @@ void TtsWorkerThread(THREAD *thread, void *param)
if (ret != 0 && ret != SOCK_LATER)
{
ts->State = 5;
ts->LastCommTime = now;
}
break;
@@ -1255,6 +1256,8 @@ void TtsWorkerThread(THREAD *thread, void *param)
{
UCHAR c;
ts->LastCommTime = now;
// Direction of the data is in the first byte that is received
c = recv_buf_data[0];
@@ -1276,6 +1279,8 @@ void TtsWorkerThread(THREAD *thread, void *param)
// Span
ts->Span = READ_UINT64(recv_buf_data + sizeof(UINT64) + 1);
ts->GiveupSpan = ts->Span * 3ULL + 180000ULL;
}
}
break;
@@ -1289,6 +1294,8 @@ void TtsWorkerThread(THREAD *thread, void *param)
// Checking the first byte of received
UCHAR c = recv_buf_data[0];
ts->LastCommTime = now;
if (ts->FirstRecvTick == 0)
{
// Record the time at which the data has been received for the first
@@ -1326,10 +1333,20 @@ void TtsWorkerThread(THREAD *thread, void *param)
if (ts->NoMoreSendData == false)
{
ret = Send(ts->Sock, send_buf_data, buf_size, false);
if (ret != 0 && ret != SOCK_LATER)
{
ts->LastCommTime = now;
}
}
else
{
ret = Recv(ts->Sock, recv_buf_data, buf_size, false);
if (ret != 0 && ret != SOCK_LATER)
{
ts->LastCommTime = now;
}
}
if (ts->FirstSendTick == 0)
@@ -1364,6 +1381,11 @@ void TtsWorkerThread(THREAD *thread, void *param)
{
ret = Send(ts->Sock, &tmp64, sizeof(tmp64), false);
if (ret != 0 && ret != SOCK_LATER)
{
ts->LastCommTime = now;
}
if (ret != SOCK_LATER)
{
UINT j;
@@ -1390,6 +1412,12 @@ void TtsWorkerThread(THREAD *thread, void *param)
break;
}
if (now > (ts->LastCommTime + ts->GiveupSpan))
{
// Timeout: disconnect orphan sessions
ret = 0;
}
if (ret == 0)
{
// Mark as deleting the socket because it is disconnected
@@ -1514,7 +1542,7 @@ void TtsAcceptProc(TTS *tts, SOCK *listen_socket)
else
{
// Connected from the client
AcceptInit(s);
AcceptInitEx(s, true);
tts->NewSocketArrived = true;
LockList(tts->TtsSockList);
{
@@ -1523,6 +1551,9 @@ void TtsAcceptProc(TTS *tts, SOCK *listen_socket)
ts->Id = (++tts->IdSeed);
ts->Sock = s;
ts->GiveupSpan = (UINT64)(10 * 60 * 1000);
ts->LastCommTime = Tick64();
UniFormat(tmp, sizeof(tmp), _UU("TTS_ACCEPTED"), ts->Id,
s->RemoteHostname, s->RemotePort);
TtPrint(tts->Param, tts->Print, tmp);
@@ -8079,7 +8110,7 @@ UINT PsServerCipherGet(CONSOLE *c, char *cmd_name, wchar_t *str, void *param)
RPC_STR t;
TOKEN_LIST *ciphers;
UINT i;
wchar_t tmp[MAX_SIZE];
wchar_t tmp[4096];
o = ParseCommandList(c, cmd_name, str, NULL, 0);
if (o == NULL)
@@ -10039,7 +10070,11 @@ UINT PsLogFileGet(CONSOLE *c, char *cmd_name, wchar_t *str, void *param)
return ERR_INVALID_PARAMETER;
}
filename = GetParamStr(o, "SAVEPATH");
filename = GetParamStr(o, "SAVE");
if (IsEmptyStr(filename))
{
filename = GetParamStr(o, "SAVEPATH");
}
c->Write(c, _UU("CMD_LogFileGet_START"));
src/Cedar/Command.h
+2
View File
@@ -204,6 +204,8 @@ struct TTS_SOCK
UINT64 FirstRecvTick; // Time which the data has been received last
UINT64 FirstSendTick; // Time which the data has been sent last
UINT64 Span; // Period
UINT64 GiveupSpan;
UINT64 LastCommTime;
};
// Traffic test server
src/Cedar/Connection.c
+1 -2
View File
@@ -3137,8 +3137,7 @@ void ConnectionAccept(CONNECTION *c)
// Start the SSL communication
Debug("StartSSL()\n");
s->DisableSslVersions = c->Cedar->DisableSslVersions;
Copy(&s->SslAcceptSettings, &c->Cedar->SslAcceptSettings, sizeof(SSL_ACCEPT_SETTINGS));
if (StartSSL(s, x, k) == false)
{
// Failed
src/Cedar/Connection.h
+1 -1
View File
@@ -144,7 +144,7 @@ struct SECURE_SIGN
char SecurePrivateKeyName[MAX_SECURE_DEVICE_FILE_LEN + 1]; // Secure device secret key name
X *ClientCert; // Client certificate
UCHAR Random[SHA1_SIZE]; // Random value for signature
UCHAR Signature[128]; // Signed data
UCHAR Signature[4096 / 8]; // Signed data
UINT UseSecureDeviceId;
UINT BitmapId; // Bitmap ID
};
src/Cedar/DDNS.c
+11 -5
View File
@@ -670,9 +670,12 @@ UINT DCRegister(DDNS_CLIENT *c, bool ipv6, DDNS_REGISTER_PARAM *p, char *replace
if (ret == NULL)
{
Debug("WpcCall: %s\n", url3);
ret = WpcCallEx(url3, &t, DDNS_CONNECT_TIMEOUT, DDNS_COMM_TIMEOUT, "register", req,
NULL, NULL, ((cert_hash != NULL && cert_hash->Size == SHA1_SIZE) ? cert_hash->Buf : NULL), NULL, DDNS_RPC_MAX_RECV_SIZE,
add_header_name, add_header_value);
ret = WpcCallEx2(url3, &t, DDNS_CONNECT_TIMEOUT, DDNS_COMM_TIMEOUT, "register", req,
NULL, NULL, ((cert_hash != NULL && ((cert_hash->Size % SHA1_SIZE) == 0)) ? cert_hash->Buf : NULL),
(cert_hash != NULL ? cert_hash->Size / SHA1_SIZE : 0),
NULL, DDNS_RPC_MAX_RECV_SIZE,
add_header_name, add_header_value,
DDNS_SNI_VER_STRING);
Debug("WpcCall Ret: %u\n", ret);
}
@@ -874,8 +877,11 @@ UINT DCGetMyIpMain(DDNS_CLIENT *c, bool ipv6, char *dst, UINT dst_size, bool use
}
recv = HttpRequest(&data, (ipv6 ? NULL : &c->InternetSetting), DDNS_CONNECT_TIMEOUT, DDNS_COMM_TIMEOUT, &ret, false, NULL, NULL,
NULL, ((cert_hash != NULL && cert_hash->Size == SHA1_SIZE) ? cert_hash->Buf : NULL));
StrCpy(data.SniString, sizeof(data.SniString), DDNS_SNI_VER_STRING);
recv = HttpRequestEx3(&data, (ipv6 ? NULL : &c->InternetSetting), DDNS_CONNECT_TIMEOUT, DDNS_COMM_TIMEOUT, &ret, false, NULL, NULL,
NULL, ((cert_hash != NULL && (cert_hash->Size % SHA1_SIZE) == 0) ? cert_hash->Buf : NULL),
(cert_hash != NULL ? cert_hash->Size / SHA1_SIZE : 0), NULL, 0, NULL, NULL);
FreeBuf(cert_hash);
src/Cedar/DDNS.h
+8 -1
View File
@@ -115,7 +115,14 @@
#define DDNS_H
// Certificate hash
#define DDNS_CERT_HASH "EFAC5FA0CDD14E0F864EED58A73C35D7E33B62F3"
#define DDNS_CERT_HASH "78BF0499A99396907C9F49DD13571C81FE26E6F5" \
"439BAFA75A6EE5671FC9F9A02D34FF29881761A0" \
"EFAC5FA0CDD14E0F864EED58A73C35D7E33B62F3" \
"74DF99D4B1B5F0488A388B50D347D26013DC67A5" \
"6EBB39AFCA8C900635CFC11218CF293A612457E4"
#define DDNS_SNI_VER_STRING "DDNS"
// Destination URL
#define DDNS_URL_V4_GLOBAL "https://x%c.x%c.servers.ddns.softether-network.net/ddns/ddns.aspx"
src/Cedar/Hub.c
+1 -1
View File
@@ -214,7 +214,7 @@ EAP_CLIENT *HubNewEapClient(CEDAR *cedar, char *hubname, char *client_ip_str, ch
if (GetIP(&ip, radius_servers_list->Token[i]))
{
eap = NewEapClient(&ip, radius_port, radius_secret, radius_retry_interval,
RADIUS_INITIAL_EAP_TIMEOUT, client_ip_str, username);
RADIUS_INITIAL_EAP_TIMEOUT, client_ip_str, username, hubname);
if (eap != NULL)
{
src/Cedar/Hub.h
+1 -1
View File
@@ -438,9 +438,9 @@ struct HUB
UINT RadiusRetryInterval; // Radius retry interval
BUF *RadiusSecret; // Radius shared key
char RadiusSuffixFilter[MAX_SIZE]; // Radius suffix filter
char RadiusRealm[MAX_SIZE]; // Radius realm (optional)
bool RadiusConvertAllMsChapv2AuthRequestToEap; // Convert all MS-CHAPv2 auth request to EAP
bool RadiusUsePeapInsteadOfEap; // Use PEAP instead of EAP
char RadiusRealm[MAX_SIZE]; // Radius realm (optional)
volatile bool Halt; // Halting flag
bool Offline; // Offline
bool BeingOffline; // Be Doing Offline
src/Cedar/IPsec_IKE.c
+7 -5
View File
@@ -4723,11 +4723,13 @@ bool GetBestTransformSettingForIPsecSa(IKE_SERVER *ike, IKE_PACKET *pr, IPSEC_SA
if (transform_payload != NULL)
{
IKE_PACKET_TRANSFORM_PAYLOAD *transform = &transform_payload->Payload.Transform;
IPSEC_SA_TRANSFORM_SETTING *set = NULL;
IPSEC_SA_TRANSFORM_SETTING set;
if (TransformPayloadToTransformSettingForIPsecSa(ike, transform, set, server_ip))
Zero(&set, sizeof(set));
if (TransformPayloadToTransformSettingForIPsecSa(ike, transform, &set, server_ip))
{
Copy(setting, set, sizeof(IPSEC_SA_TRANSFORM_SETTING));
Copy(setting, &set, sizeof(IPSEC_SA_TRANSFORM_SETTING));
setting->SpiServerToClient = READ_UINT(proposal->Spi->Buf);
@@ -4735,11 +4737,11 @@ bool GetBestTransformSettingForIPsecSa(IKE_SERVER *ike, IKE_PACKET *pr, IPSEC_SA
}
else
{
if (set != NULL && set->OnlyCapsuleModeIsInvalid)
if (set.OnlyCapsuleModeIsInvalid)
{
if (ocmii_flag == false)
{
Copy(setting, set, sizeof(IPSEC_SA_TRANSFORM_SETTING));
Copy(setting, &set, sizeof(IPSEC_SA_TRANSFORM_SETTING));
ocmii_flag = true;
}
}
src/Cedar/IPsec_IPC.c
+1 -2
View File
@@ -426,7 +426,6 @@ IPC *NewIPC(CEDAR *cedar, char *client_name, char *postfix, char *hubname, char
// Upload the authentication data
p = PackLoginWithPlainPassword(hubname, username, password);
PackAddInt64(p, "timestamp", SystemTime64());
PackAddStr(p, "hello", client_name);
PackAddInt(p, "client_ver", cedar->Version);
PackAddInt(p, "client_build", cedar->Build);
@@ -690,7 +689,7 @@ void IPCDhcpSetConditionalUserClass(IPC *ipc, DHCP_OPTION_LIST *req)
return;
}
if (hub->Option && hub->Option->UseHubNameAsDhcpUserClassOption == true)
if (hub->Option && hub->Option->UseHubNameAsDhcpUserClassOption)
{
StrCpy(req->UserClass, sizeof(req->UserClass), ipc->HubName);
}
src/Cedar/Interop_OpenVPN.c
+2 -2
View File
@@ -2114,8 +2114,8 @@ void OvsRecvPacket(OPENVPN_SERVER *s, LIST *recv_packet_list, UINT protocol)
if (r->Exists)
{
Format(l3_options, sizeof(l3_options),
",route %r %r %r",
&r->Network, &r->SubnetMask, &r->Gateway);
",route %r %r vpn_gateway",
&r->Network, &r->SubnetMask);
StrCat(option_str, sizeof(option_str), l3_options);
}
src/Cedar/Layer3.c
+6
View File
@@ -540,6 +540,12 @@ void L3KnownArp(L3IF *f, UINT ip, UCHAR *mac)
return;
}
if (!((f->IpAddress & f->SubnetMask) == (ip & f->SubnetMask)))
{
// Outside the subnet
return;
}
// Delete an ARP query entry to this IP address
Zero(&t, sizeof(t));
t.IpAddress = ip;
src/Cedar/Logging.c
+22 -6
View File
@@ -1396,22 +1396,38 @@ char *BuildHttpLogStr(HTTPLOG *h)
b = NewBuf();
if (StartWith(h->Path, "http://"))
if (StartWith(h->Path, "http://") || StartWith(h->Path, "https://"))
{
StrCpy(url, sizeof(url), h->Path);
}
else
{
// URL generation
if (h->Port == 80)
if (h->IsSsl == false)
{
Format(url, sizeof(url), "http://%s%s",
h->Hostname, h->Path);
if (h->Port == 80)
{
Format(url, sizeof(url), "http://%s%s",
h->Hostname, h->Path);
}
else
{
Format(url, sizeof(url), "http://%s:%u%s",
h->Hostname, h->Port, h->Path);
}
}
else
{
Format(url, sizeof(url), "http://%s:%u%s",
h->Hostname, h->Port, h->Path);
if (h->Port == 443)
{
Format(url, sizeof(url), "https://%s/",
h->Hostname);
}
else
{
Format(url, sizeof(url), "https://%s:%u/",
h->Hostname, h->Port);
}
}
}
src/Cedar/Protocol.c
+11 -43
View File
@@ -690,8 +690,11 @@ void UpdateClientThreadMain(UPDATE_CLIENT *c)
cert_hash = StrToBin(UPDATE_SERVER_CERT_HASH);
recv = HttpRequestEx2(&data, NULL, UPDATE_CONNECT_TIMEOUT, UPDATE_COMM_TIMEOUT, &ret, false, NULL, NULL,
NULL, ((cert_hash != NULL && cert_hash->Size == SHA1_SIZE) ? cert_hash->Buf : NULL),
StrCpy(data.SniString, sizeof(data.SniString), DDNS_SNI_VER_STRING);
recv = HttpRequestEx3(&data, NULL, UPDATE_CONNECT_TIMEOUT, UPDATE_COMM_TIMEOUT, &ret, false, NULL, NULL,
NULL, ((cert_hash != NULL && (cert_hash->Size % SHA1_SIZE) == 0) ? cert_hash->Buf : NULL),
(cert_hash != NULL ? (cert_hash->Size / SHA1_SIZE) : 0),
(bool *)&c->HaltFlag, 0, NULL, NULL);
FreeBuf(cert_hash);
@@ -1312,7 +1315,6 @@ bool ServerAccept(CONNECTION *c)
FARM_MEMBER *f = NULL;
SERVER *server = NULL;
POLICY ticketed_policy;
UINT64 timestamp;
UCHAR unique[SHA1_SIZE], unique2[SHA1_SIZE];
CEDAR *cedar;
RPC_WINVER winver;
@@ -1450,31 +1452,6 @@ bool ServerAccept(CONNECTION *c)
}
}
// Time inspection
timestamp = PackGetInt64(p, "timestamp");
if (timestamp != 0)
{
UINT64 now = SystemTime64();
UINT64 abs;
if (now >= timestamp)
{
abs = now - timestamp;
}
else
{
abs = timestamp - now;
}
if (abs > ALLOW_TIMESTAMP_DIFF)
{
// Time difference is too large
FreePack(p);
c->Err = ERR_BAD_CLOCK;
error_detail = "ERR_BAD_CLOCK";
goto CLEANUP;
}
}
// Get the client version
PackGetStr(p, "client_str", c->ClientStr, sizeof(c->ClientStr));
c->ClientVer = PackGetInt(p, "client_ver");
@@ -1655,7 +1632,7 @@ bool ServerAccept(CONNECTION *c)
{
radius_login_opt.In_CheckVLanId = hub->Option->AssignVLanIdByRadiusAttribute;
radius_login_opt.In_DenyNoVlanId = hub->Option->DenyAllRadiusLoginWithNoVlanAssign;
if (hub->Option->UseHubNameAsRadiusNasId == true)
if (hub->Option->UseHubNameAsRadiusNasId)
{
StrCpy(radius_login_opt.NasId, sizeof(radius_login_opt.NasId), hubname);
}
@@ -4578,7 +4555,7 @@ bool ClientSecureSign(CONNECTION *c, UCHAR *sign, UCHAR *random, X **x)
if (ret)
{
Copy(sign, ss->Signature, 128);
Copy(sign, ss->Signature, sizeof(ss->Signature));
*x = ss->ClientCert;
}
@@ -5857,7 +5834,7 @@ bool ClientUploadAuth(CONNECTION *c)
// Authentication by secure device
if (ClientSecureSign(c, sign, c->Random, &x))
{
p = PackLoginWithCert(o->HubName, a->Username, x, sign, 128);
p = PackLoginWithCert(o->HubName, a->Username, x, sign, x->bits / 8);
c->ClientX = CloneX(x);
FreeX(x);
}
@@ -5880,9 +5857,6 @@ bool ClientUploadAuth(CONNECTION *c)
PackAddData(p, "ticket", c->Ticket, SHA1_SIZE);
}
// Current time
PackAddInt64(p, "timestamp", SystemTime64());
if (p == NULL)
{
// Error
@@ -6073,9 +6047,8 @@ bool ServerDownloadSignature(CONNECTION *c, char **error_detail_str)
SOCK *s;
UINT num = 0, max = 19;
SERVER *server;
char hostname[64];
char *vpn_http_target = HTTP_VPN_TARGET2;
bool check_hostname = true;
bool check_hostname = false;
// Validate arguments
if (c == NULL)
{
@@ -6083,7 +6056,7 @@ bool ServerDownloadSignature(CONNECTION *c, char **error_detail_str)
}
strcpy(hostname, "");
server = c->Cedar->Server;
s = c->FirstSock;
@@ -6113,6 +6086,7 @@ bool ServerDownloadSignature(CONNECTION *c, char **error_detail_str)
if (check_hostname && (StrCmpi(h->Version, "HTTP/1.1") == 0 || StrCmpi(h->Version, "HTTP/1.2") == 0))
{
HTTP_VALUE *v;
char hostname[64];
Zero(hostname, sizeof(hostname));
@@ -6347,12 +6321,6 @@ bool ServerDownloadSignature(CONNECTION *c, char **error_detail_str)
}
}
if ((b == false) && (StartWith(h->Target, "/wiki")))
{
HttpSendRedirect(s, h->Target, hostname);
b = true;
}
if (b == false)
{
// Not Found
src/Cedar/Protocol.h
+1 -1
View File
@@ -180,7 +180,7 @@ struct UPDATE_CLIENT
#define UPDATE_FAMILY_NAME _SS("PRODUCT_FAMILY_NAME")
// Software update server certificate hash
#define UPDATE_SERVER_CERT_HASH "EFAC5FA0CDD14E0F864EED58A73C35D7E33B62F3"
#define UPDATE_SERVER_CERT_HASH DDNS_CERT_HASH
// URL
#define UPDATE_SERVER_URL_GLOBAL "https://update-check.softether-network.net/update/update.aspx?family=%s&software=%s&mybuild=%u&lang=%s"
src/Cedar/Radius.c
+20 -8
View File
@@ -686,6 +686,11 @@ void EapSetRadiusGeneralAttributes(RADIUS_PACKET *r, EAP_CLIENT *e)
ui = Endian32(5);
Add(r->AvpList, NewRadiusAvp(RADIUS_ATTRIBUTE_NAS_PORT_TYPE, 0, 0, &ui, sizeof(UINT)));
if (IsEmptyStr(e->CalledStationStr) == false)
{
Add(r->AvpList, NewRadiusAvp(RADIUS_ATTRIBUTE_CALLED_STATION_ID, 0, 0, e->CalledStationStr, StrLen(e->CalledStationStr)));
}
Add(r->AvpList, NewRadiusAvp(RADIUS_ATTRIBUTE_CALLING_STATION_ID, 0, 0, e->ClientIpStr, StrLen(e->ClientIpStr)));
Add(r->AvpList, NewRadiusAvp(RADIUS_ATTRIBUTE_TUNNEL_CLIENT_ENDPOINT, 0, 0, e->ClientIpStr, StrLen(e->ClientIpStr)));
@@ -1237,7 +1242,7 @@ bool EapSendPacket(EAP_CLIENT *e, RADIUS_PACKET *r)
}
// New EAP client
EAP_CLIENT *NewEapClient(IP *server_ip, UINT server_port, char *shared_secret, UINT resend_timeout, UINT giveup_timeout, char *client_ip_str, char *username)
EAP_CLIENT *NewEapClient(IP *server_ip, UINT server_port, char *shared_secret, UINT resend_timeout, UINT giveup_timeout, char *client_ip_str, char *username, char *hubname)
{
EAP_CLIENT *e;
if (server_ip == NULL)
@@ -1266,6 +1271,7 @@ EAP_CLIENT *NewEapClient(IP *server_ip, UINT server_port, char *shared_secret, U
e->GiveupTimeout = giveup_timeout;
StrCpy(e->SharedSecret, sizeof(e->SharedSecret), shared_secret);
StrCpy(e->CalledStationStr, sizeof(e->CalledStationStr), hubname);
StrCpy(e->ClientIpStr, sizeof(e->ClientIpStr), client_ip_str);
StrCpy(e->Username, sizeof(e->Username), username);
e->LastRecvEapId = 0;
@@ -1702,8 +1708,8 @@ LABEL_ERROR:
////////// Classical implementation
// Attempts Radius authentication (with specifying retry interval and multiple server)
bool RadiusLogin(CONNECTION *c, char *hubname, char *server, UINT port, UCHAR *secret, UINT secret_size, wchar_t *username, char *password, UINT interval, UCHAR *mschap_v2_server_response_20,
RADIUS_LOGIN_OPTION *opt)
bool RadiusLogin(CONNECTION *c, char *server, UINT port, UCHAR *secret, UINT secret_size, wchar_t *username, char *password, UINT interval, UCHAR *mschap_v2_server_response_20,
RADIUS_LOGIN_OPTION *opt, char *hubname)
{
UCHAR random[MD5_SIZE];
UCHAR id;
@@ -1835,7 +1841,7 @@ bool RadiusLogin(CONNECTION *c, char *hubname, char *server, UINT port, UCHAR *s
BUF *user_password = (is_mschap ? NULL : RadiusCreateUserPassword(encrypted_password->Buf, encrypted_password->Size));
BUF *nas_id;
if (IsEmptyStr(opt->NasId) == true)
if (IsEmptyStr(opt->NasId))
{
nas_id = RadiusCreateNasId(CEDAR_SERVER_STR);
}
@@ -1890,8 +1896,11 @@ bool RadiusLogin(CONNECTION *c, char *hubname, char *server, UINT port, UCHAR *s
ui = Endian32(1);
RadiusAddValue(p, 65, 0, 0, &ui, sizeof(ui));
// Called-Station-Id
RadiusAddValue(p, 30, 0, 0, hubname, StrLen(hubname));
// Called-Station-ID - VPN Hub Name
if (IsEmptyStr(hubname) == false)
{
RadiusAddValue(p, 30, 0, 0, hubname, StrLen(hubname));
}
// Calling-Station-Id
RadiusAddValue(p, 31, 0, 0, client_ip_str, StrLen(client_ip_str));
@@ -1943,8 +1952,11 @@ bool RadiusLogin(CONNECTION *c, char *hubname, char *server, UINT port, UCHAR *s
ui = Endian32(1);
RadiusAddValue(p, 65, 0, 0, &ui, sizeof(ui));
// Called-Station-Id
RadiusAddValue(p, 30, 0, 0, hubname, StrLen(hubname));
// Called-Station-ID - VPN Hub Name
if (IsEmptyStr(hubname) == false)
{
RadiusAddValue(p, 30, 0, 0, hubname, StrLen(hubname));
}
// Calling-Station-Id
RadiusAddValue(p, 31, 0, 0, client_ip_str, StrLen(client_ip_str));
src/Cedar/Radius.h
+4 -3
View File
@@ -311,6 +311,7 @@ struct EAP_CLIENT
UINT ServerPort;
char SharedSecret[MAX_SIZE];
char ClientIpStr[256];
char CalledStationStr[256];
char Username[MAX_USERNAME_LEN + 1];
UINT ResendTimeout;
UINT GiveupTimeout;
@@ -346,7 +347,7 @@ RADIUS_AVP *GetRadiusAvp(RADIUS_PACKET *p, UCHAR type);
void RadiusTest();
EAP_CLIENT *NewEapClient(IP *server_ip, UINT server_port, char *shared_secret, UINT resend_timeout, UINT giveup_timeout, char *client_ip_str, char *username);
EAP_CLIENT *NewEapClient(IP *server_ip, UINT server_port, char *shared_secret, UINT resend_timeout, UINT giveup_timeout, char *client_ip_str, char *username, char *hubname);
void ReleaseEapClient(EAP_CLIENT *e);
void CleanupEapClient(EAP_CLIENT *e);
bool EapClientSendMsChapv2AuthRequest(EAP_CLIENT *e);
@@ -376,8 +377,8 @@ struct RADIUS_LOGIN_OPTION
};
// Function prototype
bool RadiusLogin(CONNECTION *c, char *hubname, char *server, UINT port, UCHAR *secret, UINT secret_size, wchar_t *username, char *password, UINT interval, UCHAR *mschap_v2_server_response_20,
RADIUS_LOGIN_OPTION *opt);
bool RadiusLogin(CONNECTION *c, char *server, UINT port, UCHAR *secret, UINT secret_size, wchar_t *username, char *password, UINT interval, UCHAR *mschap_v2_server_response_20,
RADIUS_LOGIN_OPTION *opt, char *hubname);
BUF *RadiusEncryptPassword(char *password, UCHAR *random, UCHAR *secret, UINT secret_size);
BUF *RadiusCreateUserName(wchar_t *username);
BUF *RadiusCreateUserPassword(void *data, UINT size);
src/Cedar/SM.c
+4 -1
View File
@@ -876,12 +876,14 @@ static UINT SmDdnsGetKey(char *key, SM_DDNS *d){
UINT err;
BUF *buf;
FOLDER *root, *ddnsfolder;
RPC *rpc;
// Validate arguments
if(d == NULL || d->s == NULL || key == NULL){
return ERR_INTERNAL_ERROR;
}
RPC *rpc = d->s->Rpc;
rpc = d->s->Rpc;
Zero(&config, sizeof(config));
err = ScGetConfig(d->s->Rpc, &config);
@@ -17011,6 +17013,7 @@ void SmSslDlgInit(HWND hWnd, SM_SSL *s)
// Set the encryption algorithm list
cipher_list = GetCipherList();
SetFont(hWnd, C_CIPHER, GetFont("Tahoma", 8, false, false, false, false));
CbSetHeight(hWnd, C_CIPHER, 18);
for (i = 0;i < cipher_list->NumTokens;i++)
{
src/Cedar/Sam.c
+5 -5
View File
@@ -214,9 +214,9 @@ bool SamAuthUserByPlainPassword(CONNECTION *c, HUB *hub, char *username, char *p
if( IsEmptyStr(h->RadiusRealm) == false )
{
char name_and_realm[MAX_SIZE];
StrCpy(name_and_realm, MAX_SIZE, username);
StrCat(name_and_realm, (MAX_SIZE - StrLen(name_and_realm)), "@");
StrCat(name_and_realm, (MAX_SIZE - StrLen(name_and_realm)), h->RadiusRealm);
StrCpy(name_and_realm, sizeof(name_and_realm), username);
StrCat(name_and_realm, sizeof(name_and_realm), "@");
StrCat(name_and_realm, sizeof(name_and_realm), h->RadiusRealm);
name = CopyStrToUni(name_and_realm);
}
else
@@ -276,9 +276,9 @@ bool SamAuthUserByPlainPassword(CONNECTION *c, HUB *hub, char *username, char *p
if (UniIsEmptyStr(suffix_filter_w) || UniEndWith(name, suffix_filter_w))
{
// Attempt to login
b = RadiusLogin(c, hub->Name, radius_server_addr, radius_server_port,
b = RadiusLogin(c, radius_server_addr, radius_server_port,
radius_secret, StrLen(radius_secret),
name, password, interval, mschap_v2_server_response_20, opt);
name, password, interval, mschap_v2_server_response_20, opt, hub->Name);
if (b)
{
src/Cedar/Server.c
+13 -79
View File
@@ -2152,7 +2152,7 @@ void SiGenerateDefaultCertEx(X **server_x, K **server_k, char *common_name)
name = NewName(cn, cn, cn,
L"US", NULL, NULL);
x = NewRootX(public_key, private_key, name, MAX(GetDaysUntil2038(), SERVER_DEFAULT_CERT_DAYS), NULL);
x = NewRootX(public_key, private_key, name, GetDaysUntil2038Ex(), NULL);
*server_x = x;
*server_k = private_key;
@@ -2578,7 +2578,7 @@ void SiLoadInitialConfiguration(SERVER *s)
}
// Default to TLS only; mitigates CVE-2016-0800
s->Cedar->AcceptOnlyTls = true;
s->Cedar->SslAcceptSettings.AcceptOnlyTls = true;
// Auto saving interval related
s->AutoSaveConfigSpan = SERVER_FILE_SAVE_INTERVAL_DEFAULT;
@@ -2765,9 +2765,6 @@ void SiInitConfiguration(SERVER *s)
s->AutoSaveConfigSpan = SERVER_FILE_SAVE_INTERVAL_DEFAULT;
s->BackupConfigOnlyWhenModified = true;
// Default to TLS only; mitigates CVE-2016-0800
s->Cedar->AcceptOnlyTls = true;
// IPsec server
if (s->Cedar->Bridge == false)
{
@@ -5019,10 +5016,10 @@ void SiWriteHubCfg(FOLDER *f, HUB *h)
CfgAddInt(f, "RadiusServerPort", h->RadiusServerPort);
CfgAddInt(f, "RadiusRetryInterval", h->RadiusRetryInterval);
CfgAddStr(f, "RadiusSuffixFilter", h->RadiusSuffixFilter);
CfgAddStr(f, "RadiusRealm", h->RadiusRealm);
CfgAddBool(f, "RadiusConvertAllMsChapv2AuthRequestToEap", h->RadiusConvertAllMsChapv2AuthRequestToEap);
CfgAddBool(f, "RadiusUsePeapInsteadOfEap", h->RadiusUsePeapInsteadOfEap);
CfgAddStr(f, "RadiusRealm", h->RadiusRealm);
}
Unlock(h->RadiusOptionLock);
@@ -6170,47 +6167,16 @@ void SiLoadServerCfg(SERVER *s, FOLDER *f)
// AcceptOnlyTls
if (CfgIsItem(f, "AcceptOnlyTls"))
{
c->AcceptOnlyTls = CfgGetBool(f, "AcceptOnlyTls");
c->SslAcceptSettings.AcceptOnlyTls = CfgGetBool(f, "AcceptOnlyTls");
}
else
{
c->AcceptOnlyTls = true;
}
if (c->AcceptOnlyTls) {
c->DisableSslVersions |= SSL_VERSION_SSL_V2;
c->DisableSslVersions |= SSL_VERSION_SSL_V3;
}
if (CfgGetStr(f, "DisableSslVersions", tmp, sizeof(tmp))) {
TOKEN_LIST *sslVersions= ParseToken(tmp, ", ");
UINT i;
for (i = 0;i < sslVersions->NumTokens;i++)
{
char *sslVersion=sslVersions->Token[i];
if (StrCmp(sslVersion, NAME_SSL_VERSION_SSL_V2)==0) {
c->DisableSslVersions |= SSL_VERSION_SSL_V2;
continue;
}
if (StrCmp(sslVersion, NAME_SSL_VERSION_SSL_V3)==0) {
c->DisableSslVersions |= SSL_VERSION_SSL_V3;
continue;
}
if (StrCmp(sslVersion, NAME_SSL_VERSION_TLS_V1_0)==0) {
c->DisableSslVersions |= SSL_VERSION_TLS_V1_0;
continue;
}
if (StrCmp(sslVersion, NAME_SSL_VERSION_TLS_V1_1)==0) {
c->DisableSslVersions |= SSL_VERSION_TLS_V1_1;
continue;
}
if (StrCmp(sslVersion, NAME_SSL_VERSION_TLS_V1_2)==0) {
c->DisableSslVersions |= SSL_VERSION_TLS_V1_2;
continue;
}
}
FreeToken(sslVersions);
// Default to TLS only; mitigates CVE-2016-0800
c->SslAcceptSettings.AcceptOnlyTls = true;
}
c->SslAcceptSettings.Tls_Disable1_0 = CfgGetBool(f, "Tls_Disable1_0");
c->SslAcceptSettings.Tls_Disable1_1 = CfgGetBool(f, "Tls_Disable1_1");
c->SslAcceptSettings.Tls_Disable1_2 = CfgGetBool(f, "Tls_Disable1_2");
}
Unlock(c->lock);
@@ -6519,42 +6485,10 @@ void SiWriteServerCfg(FOLDER *f, SERVER *s)
CfgAddBool(f, "DisableGetHostNameWhenAcceptTcp", s->DisableGetHostNameWhenAcceptTcp);
CfgAddBool(f, "DisableCoreDumpOnUnix", s->DisableCoreDumpOnUnix);
CfgAddBool(f, "AcceptOnlyTls", c->AcceptOnlyTls);
{
char tmp[MAX_SIZE];
tmp[0] = 0;
if (c->DisableSslVersions & SSL_VERSION_SSL_V2) {
StrCat(tmp, sizeof(tmp), NAME_SSL_VERSION_SSL_V2);
StrCat(tmp, sizeof(tmp), ",");
}
if (c->DisableSslVersions & SSL_VERSION_SSL_V3) {
StrCat(tmp, sizeof(tmp), NAME_SSL_VERSION_SSL_V3);
StrCat(tmp, sizeof(tmp), ",");
}
if (c->DisableSslVersions & SSL_VERSION_TLS_V1_0) {
StrCat(tmp, sizeof(tmp), NAME_SSL_VERSION_TLS_V1_0);
StrCat(tmp, sizeof(tmp), ",");
}
if (c->DisableSslVersions & SSL_VERSION_TLS_V1_1) {
StrCat(tmp, sizeof(tmp), NAME_SSL_VERSION_TLS_V1_1);
StrCat(tmp, sizeof(tmp), ",");
}
if (c->DisableSslVersions & SSL_VERSION_TLS_V1_2) {
StrCat(tmp, sizeof(tmp), NAME_SSL_VERSION_TLS_V1_2);
StrCat(tmp, sizeof(tmp), ",");
}
if (StrLen(tmp) >= 1)
{
if (tmp[StrLen(tmp) - 1] == ',')
{
tmp[StrLen(tmp) - 1] = 0;
}
}
CfgAddStr(f, "DisableSslVersions", tmp);
}
CfgAddBool(f, "AcceptOnlyTls", c->SslAcceptSettings.AcceptOnlyTls);
CfgAddBool(f, "Tls_Disable1_0", c->SslAcceptSettings.Tls_Disable1_0);
CfgAddBool(f, "Tls_Disable1_1", c->SslAcceptSettings.Tls_Disable1_1);
CfgAddBool(f, "Tls_Disable1_2", c->SslAcceptSettings.Tls_Disable1_2);
// Disable session reconnect
CfgAddBool(f, "DisableSessionReconnect", GetGlobalServerFlag(GSF_DISABLE_SESSION_RECONNECT));
src/Cedar/UdpAccel.c
+3 -1
View File
@@ -118,12 +118,14 @@ void UdpAccelPoll(UDP_ACCEL *a)
{
IP nat_t_ip;
UINT num_ignore_errors = 0;
UCHAR *tmp;
// Validate arguments
if (a == NULL)
{
return;
}
UCHAR *tmp = a->TmpBuf;
tmp = a->TmpBuf;
Lock(a->NatT_Lock);
{
src/Cedar/Virtual.c
+9 -3
View File
@@ -2393,12 +2393,14 @@ bool NnTestConnectivity(NATIVE_STACK *a, TUBE *halt_tube)
IP my_priv_ip;
UINT num_send_dns = 0;
IP using_dns;
UINT src_port = 0;
// Validate arguments
if (a == NULL)
{
return false;
}
UINT src_port = NnGenSrcPort(a->IsIpRawMode);
src_port = NnGenSrcPort(a->IsIpRawMode);
Copy(&using_dns, &a->DnsServerIP, sizeof(IP));
@@ -3999,12 +4001,14 @@ bool NatTransactIcmp(VH *v, NAT_ENTRY *n)
BLOCK *block;
IP dest_ip;
UINT num_ignore_errors = 0;
UINT dest_port = 0;
// Validate arguments
if (v == NULL || n == NULL)
{
return true;
}
UINT dest_port = n->DestPort;
dest_port = n->DestPort;
if (n->DisconnectNow)
{
@@ -4202,12 +4206,14 @@ bool NatTransactUdp(VH *v, NAT_ENTRY *n)
BLOCK *block;
IP dest_ip;
UINT num_ignore_errors;
UINT dest_port = 0;
// Validate arguments
if (v == NULL || n == NULL)
{
return true;
}
UINT dest_port = n->DestPort;
dest_port = n->DestPort;
if (n->DisconnectNow)
{
src/Cedar/WebUI.c
+3 -1
View File
@@ -1725,12 +1725,14 @@ static wchar_t *WuUniReadFile(char *filename)
static void WuUniReplace(wchar_t **buf, wchar_t *from, wchar_t *to)
{
UINT dstsize;
wchar_t *oldbuf;
if(buf == NULL || from == NULL || to == NULL)
{
return;
}
wchar_t *oldbuf = *buf;
oldbuf = *buf;
dstsize = (UniCalcReplaceStrEx(*buf, from, to, true) + 1) * sizeof(wchar_t);
*buf = (wchar_t*)Malloc(dstsize);
src/Cedar/WinUi.h
+1 -1
View File
@@ -204,7 +204,7 @@ typedef struct WINUI_SECURE_BATCH
X *OutputX; // Output certificate
K *InputK; // Input secret key
LIST *EnumList; // Enumerated list
UCHAR OutputSign[128]; // Output signature
UCHAR OutputSign[4096 / 8]; // Output signature
bool Succeed; // Success flag
} WINUI_SECURE_BATCH;
src/Cedar/Wpc.c
+52 -5
View File
@@ -163,6 +163,14 @@ PACK *WpcCall(char *url, INTERNET_SETTING *setting, UINT timeout_connect, UINT t
PACK *WpcCallEx(char *url, INTERNET_SETTING *setting, UINT timeout_connect, UINT timeout_comm,
char *function_name, PACK *pack, X *cert, K *key, void *sha1_cert_hash, bool *cancel, UINT max_recv_size,
char *additional_header_name, char *additional_header_value)
{
return WpcCallEx2(url, setting, timeout_connect, timeout_comm, function_name, pack,
cert, key, sha1_cert_hash, (sha1_cert_hash == NULL ? 0 : 1),
cancel, max_recv_size, additional_header_name, additional_header_value, NULL);
}
PACK *WpcCallEx2(char *url, INTERNET_SETTING *setting, UINT timeout_connect, UINT timeout_comm,
char *function_name, PACK *pack, X *cert, K *key, void *sha1_cert_hash, UINT num_hashes, bool *cancel, UINT max_recv_size,
char *additional_header_name, char *additional_header_value, char *sni_string)
{
URL_DATA data;
BUF *b, *recv;
@@ -197,8 +205,14 @@ PACK *WpcCallEx(char *url, INTERNET_SETTING *setting, UINT timeout_connect, UINT
StrCpy(data.AdditionalHeaderValue, sizeof(data.AdditionalHeaderValue), additional_header_value);
}
recv = HttpRequestEx(&data, setting, timeout_connect, timeout_comm, &error,
false, b->Buf, NULL, NULL, sha1_cert_hash, cancel, max_recv_size);
if (sni_string != NULL && IsEmptyStr(sni_string) == false)
{
StrCpy(data.SniString, sizeof(data.SniString), sni_string);
}
recv = HttpRequestEx3(&data, setting, timeout_connect, timeout_comm, &error,
false, b->Buf, NULL, NULL, sha1_cert_hash, num_hashes, cancel, max_recv_size,
NULL, NULL);
FreeBuf(b);
@@ -693,6 +707,16 @@ BUF *HttpRequestEx2(URL_DATA *data, INTERNET_SETTING *setting,
UINT *error_code, bool check_ssl_trust, char *post_data,
WPC_RECV_CALLBACK *recv_callback, void *recv_callback_param, void *sha1_cert_hash,
bool *cancel, UINT max_recv_size, char *header_name, char *header_value)
{
return HttpRequestEx3(data, setting, timeout_connect, timeout_comm, error_code, check_ssl_trust,
post_data, recv_callback, recv_callback_param, sha1_cert_hash, (sha1_cert_hash == NULL ? 0 : 1),
cancel, max_recv_size, header_name, header_value);
}
BUF *HttpRequestEx3(URL_DATA *data, INTERNET_SETTING *setting,
UINT timeout_connect, UINT timeout_comm,
UINT *error_code, bool check_ssl_trust, char *post_data,
WPC_RECV_CALLBACK *recv_callback, void *recv_callback_param, void *sha1_cert_hash, UINT num_hashes,
bool *cancel, UINT max_recv_size, char *header_name, char *header_value)
{
WPC_CONNECT con;
SOCK *s;
@@ -728,6 +752,14 @@ BUF *HttpRequestEx2(URL_DATA *data, INTERNET_SETTING *setting,
{
timeout_comm = WPC_TIMEOUT;
}
if (sha1_cert_hash == NULL)
{
num_hashes = 0;
}
if (num_hashes == 0)
{
sha1_cert_hash = NULL;
}
// Connection
Zero(&con, sizeof(con));
@@ -773,7 +805,7 @@ BUF *HttpRequestEx2(URL_DATA *data, INTERNET_SETTING *setting,
if (data->Secure)
{
// Start the SSL communication
if (StartSSLEx(s, NULL, NULL, true, 0, NULL) == false)
if (StartSSLEx(s, NULL, NULL, true, 0, (IsEmptyStr(data->SniString) ? NULL : data->SniString)) == false)
{
// SSL connection failed
*error_code = ERR_PROTOCOL_ERROR;
@@ -782,13 +814,28 @@ BUF *HttpRequestEx2(URL_DATA *data, INTERNET_SETTING *setting,
return NULL;
}
if (sha1_cert_hash != NULL)
if (sha1_cert_hash != NULL && num_hashes >= 1)
{
UCHAR hash[SHA1_SIZE];
UINT i;
bool ok = false;
Zero(hash, sizeof(hash));
GetXDigest(s->RemoteX, hash, true);
if (Cmp(hash, sha1_cert_hash, SHA1_SIZE) != 0)
for (i = 0;i < num_hashes;i++)
{
UCHAR *a = (UCHAR *)sha1_cert_hash;
a += (SHA1_SIZE * i);
if (Cmp(hash, a, SHA1_SIZE) == 0)
{
ok = true;
break;
}
}
if (ok == false)
{
// Destination certificate hash mismatch
*error_code = ERR_CERT_NOT_TRUSTED;
src/Cedar/Wpc.h
+9
View File
@@ -159,6 +159,7 @@ struct URL_DATA
char Referer[MAX_SIZE * 3]; // Referer
char AdditionalHeaderName[128]; // Additional header name
char AdditionalHeaderValue[MAX_SIZE]; // Additional header value
char SniString[MAX_SIZE]; // SNI String
};
// WPC entry
@@ -204,6 +205,11 @@ BUF *HttpRequestEx2(URL_DATA *data, INTERNET_SETTING *setting,
UINT *error_code, bool check_ssl_trust, char *post_data,
WPC_RECV_CALLBACK *recv_callback, void *recv_callback_param, void *sha1_cert_hash,
bool *cancel, UINT max_recv_size, char *header_name, char *header_value);
BUF *HttpRequestEx3(URL_DATA *data, INTERNET_SETTING *setting,
UINT timeout_connect, UINT timeout_comm,
UINT *error_code, bool check_ssl_trust, char *post_data,
WPC_RECV_CALLBACK *recv_callback, void *recv_callback_param, void *sha1_cert_hash, UINT num_hashes,
bool *cancel, UINT max_recv_size, char *header_name, char *header_value);
SOCK *WpcSockConnect(WPC_CONNECT *param, UINT *error_code, UINT timeout);
SOCK *WpcSockConnectEx(WPC_CONNECT *param, UINT *error_code, UINT timeout, bool *cancel);
SOCK *WpcSockConnect2(char *hostname, UINT port, INTERNET_SETTING *t, UINT *error_code, UINT timeout);
@@ -223,6 +229,9 @@ PACK *WpcCall(char *url, INTERNET_SETTING *setting, UINT timeout_connect, UINT t
PACK *WpcCallEx(char *url, INTERNET_SETTING *setting, UINT timeout_connect, UINT timeout_comm,
char *function_name, PACK *pack, X *cert, K *key, void *sha1_cert_hash, bool *cancel, UINT max_recv_size,
char *additional_header_name, char *additional_header_value);
PACK *WpcCallEx2(char *url, INTERNET_SETTING *setting, UINT timeout_connect, UINT timeout_comm,
char *function_name, PACK *pack, X *cert, K *key, void *sha1_cert_hash, UINT num_hashes, bool *cancel, UINT max_recv_size,
char *additional_header_name, char *additional_header_value, char *sni_string);
bool IsProxyPrivateIp(INTERNET_SETTING *s);
#endif // WPC_H