diff --git a/src/Cedar/Cedar.c b/src/Cedar/Cedar.c
index 04d0556b..c00e0c58 100644
--- a/src/Cedar/Cedar.c
+++ b/src/Cedar/Cedar.c
@@ -1765,6 +1765,8 @@ CEDAR *NewCedar(X *server_x, K *server_k)
 c->UdpPortList = NewIntList(false);
+ c->DhParamBits = DH_PARAM_BITS_DEFAULT;
+
 InitNetSvcList(c);
 InitLocalBridgeList(c);
diff --git a/src/Cedar/Cedar.h b/src/Cedar/Cedar.h
index bc15b32f..39570cd9 100644
--- a/src/Cedar/Cedar.h
+++ b/src/Cedar/Cedar.h
@@ -308,6 +308,7 @@
 #define FARM_BASE_POINT 100000 // Reference value of the cluster score
 #define FARM_DEFAULT_WEIGHT 100 // Standard performance ratio
+#define DH_PARAM_BITS_DEFAULT 2048 // Bits of Diffie-Hellman Parameters
 #define SE_UDP_SIGN "SE2P" // Not used (only old UDP mode)
@@ -1053,6 +1054,7 @@ typedef struct CEDAR
 LOCK *FifoBudgetLock; // Fifo budget lock
 UINT FifoBudget; // Fifo budget
 SSL_ACCEPT_SETTINGS SslAcceptSettings; // SSL Accept Settings
+ UINT DhParamBits; // Bits of Diffie-Hellman parameters
 char OpenVPNDefaultClientOption[MAX_SIZE]; // OpenVPN Default Client Option String
 } CEDAR;
diff --git a/src/Cedar/Interop_OpenVPN.c b/src/Cedar/Interop_OpenVPN.c
index aecac52e..5d3f379d 100644
--- a/src/Cedar/Interop_OpenVPN.c
+++ b/src/Cedar/Interop_OpenVPN.c
@@ -2595,7 +2595,7 @@ OPENVPN_SERVER *NewOpenVpnServer(CEDAR *cedar, INTERRUPT_MANAGER *interrupt, SOC
 OvsLog(s, NULL, NULL, "LO_START");
- s->Dh = DhNewGroup2();
+ s->Dh = DhNewFromBits(DH_PARAM_BITS_DEFAULT);
 return s;
 }
@@ -2703,6 +2703,21 @@ OPENVPN_SERVER_UDP *NewOpenVpnServerUdp(CEDAR *cedar)
 return u;
 }
+void OpenVpnServerUdpSetDhParam(OPENVPN_SERVER_UDP *u, DH_CTX *dh)
+{
+ // Validate arguments
+ if (u == NULL) {
+ return;
+ }
+
+ if (u->OpenVpnServer->Dh)
+ {
+ DhFree(u->OpenVpnServer->Dh);
+ }
+
+ u->OpenVpnServer->Dh = dh;
+}
+
 // Apply the port list to the OpenVPN server
 void OvsApplyUdpPortList(OPENVPN_SERVER_UDP *u, char *port_list, IP *listen_ip)
 {
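Review bot: The replaced line in NewOpenVpnServer still hard-codes `DH_PARAM_BITS_DEFAULT` even though `cedar` is a parameter of this function and the Cedar.c hunk now initialises `cedar->DhParamBits` (which SiLoadServerCfg later overwrites from the configuration), so an OpenVPN server created after the configuration is loaded ignores the configured size. `s->Dh = DhNewFromBits(cedar->DhParamBits);` would apply the setting; I assume `cedar` is validated at the top of the function, which lies outside the hunk. NewOpenVpnServer's body starts before this hunk.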
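Review bot: OpenVpnServerUdpSetDhParam frees `u->OpenVpnServer->Dh` and swaps in the new context without anything in the hunk showing that OpenVPN sessions are stopped or excluded; if a session's SSL object still references the old DH_CTX when this runs (the `if (s->OpenVpnServerUdp)` guard in SiLoadServerCfg suggests the UDP server may already exist), the old context is used after free, so please confirm the call happens before sessions exist or defer the release. The function also takes ownership of `dh` without saying so and does not check `u->OpenVpnServer`; a header comment such as `// Replace the DH parameters of the OpenVPN server; takes ownership of dh and frees the previous parameters` would make the contract explicit. Style: `if (u == NULL) {` puts the brace on the same line while the second `if` in the same function, and the rest of the file, put it on its own line.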
diff --git a/src/Cedar/Interop_OpenVPN.h b/src/Cedar/Interop_OpenVPN.h
index f4320104..a7cd6c1a 100644
--- a/src/Cedar/Interop_OpenVPN.h
+++ b/src/Cedar/Interop_OpenVPN.h
@@ -384,6 +384,8 @@ bool OvsGetNoOpenVpnTcp();
 void OvsSetNoOpenVpnUdp(bool b);
+void OpenVpnServerUdpSetDhParam(OPENVPN_SERVER_UDP *u, DH_CTX *dh);
+
 #endif // INTEROP_OPENVPN_H
diff --git a/src/Cedar/Server.c b/src/Cedar/Server.c
index 5ac3e3e7..e3e6921e 100644
--- a/src/Cedar/Server.c
+++ b/src/Cedar/Server.c
@@ -6186,6 +6186,18 @@ void SiLoadServerCfg(SERVER *s, FOLDER *f)
 c->SslAcceptSettings.Tls_Disable1_2 = CfgGetBool(f, "Tls_Disable1_2");
 s->StrictSyslogDatetimeFormat = CfgGetBool(f, "StrictSyslogDatetimeFormat");
+ // Bits of Diffie-Hellman parameters
+ c->DhParamBits = CfgGetInt(f, "DhParamBits");
+ if (c->DhParamBits == 0)
+ {
+ c->DhParamBits = DH_PARAM_BITS_DEFAULT;
+ }
+
+ SetDhParam(DhNewFromBits(c->DhParamBits));
+ if (s->OpenVpnServerUdp)
+ {
+ OpenVpnServerUdpSetDhParam(s->OpenVpnServerUdp, DhNewFromBits(c->DhParamBits));
+ }
 }
 Unlock(c->lock);
@@ -6289,6 +6301,7 @@ void SiWriteServerCfg(FOLDER *f, SERVER *s)
 CfgAddBool(f, "BackupConfigOnlyWhenModified", s->BackupConfigOnlyWhenModified);
 CfgAddIp(f, "ListenIP", &s->ListenIP);
+
 if (s->Logger != NULL)
 {
 CfgAddInt(f, "ServerLogSwitchType", s->Logger->SwitchType);
@@ -6499,6 +6512,7 @@ void SiWriteServerCfg(FOLDER *f, SERVER *s)
 CfgAddBool(f, "Tls_Disable1_0", c->SslAcceptSettings.Tls_Disable1_0);
 CfgAddBool(f, "Tls_Disable1_1", c->SslAcceptSettings.Tls_Disable1_1);
 CfgAddBool(f, "Tls_Disable1_2", c->SslAcceptSettings.Tls_Disable1_2);
+ CfgAddInt(f, "DhParamBits", c->DhParamBits);
 // Disable session reconnect
 CfgAddBool(f, "DisableSessionReconnect", GetGlobalServerFlag(GSF_DISABLE_SESSION_RECONNECT));
diff --git a/src/Mayaqua/Encrypt.c b/src/Mayaqua/Encrypt.c
index e403189f..389267b0 100644
--- a/src/Mayaqua/Encrypt.c
+++ b/src/Mayaqua/Encrypt.c
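Review bot: The only check on the new `DhParamBits` value in SiLoadServerCfg is `== 0`, so the configuration can select the 160-, 768- or 1024-bit groups that DhNewFromBits accepts, all well below current guidance for TLS key exchange, and any other unsupported value is silently turned into 2048 inside DhNewFromBits while `c->DhParamBits` keeps the unsupported number, which SiWriteServerCfg then writes back. Widening the existing condition to `if (c->DhParamBits == 0 || c->DhParamBits < DH_PARAM_BITS_DEFAULT)` gives the knob a floor and keeps the stored value equal to what is actually in use; if larger unsupported values should also be normalised, do it here rather than relying on the fallback in DhNewFromBits. The two DhNewFromBits calls create separate contexts for the network layer and the OpenVPN server, which is fine as long as each owner frees its own. SiLoadServerCfg starts before this hunk.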
@@ -4895,12 +4895,36 @@ DH_CTX *DhNewGroup5()
 return DhNew(DH_GROUP5_PRIME_1536, 2);
 }
+
 // Creating a DH SIMPLE 160bits
 DH_CTX *DhNewSimple160()
 {
 return DhNew(DH_SIMPLE_160, 2);
 }
+DH_CTX *DhNewFromBits(UINT bits)
+{
+ switch (bits)
+ {
+ case 160:
+ return DhNewSimple160();
+ case 768:
+ return DhNewGroup1();
+ case 1024:
+ return DhNewGroup2();
+ case 1536:
+ return DhNewGroup5();
+ case 2048:
+ return DhNew2048();
+ case 3072:
+ return DhNew3072();
+ case 4096:
+ return DhNew4096();
+ default:
+ return DhNew2048();
+ }
+}
+
 // Convert the DH parameters to file
 BUF *DhToBuf(DH_CTX *dh)
 {
diff --git a/src/Mayaqua/Encrypt.h b/src/Mayaqua/Encrypt.h
index 8bd25818..117e9263 100644
--- a/src/Mayaqua/Encrypt.h
+++ b/src/Mayaqua/Encrypt.h
@@ -150,8 +150,8 @@ void RAND_Free_For_SoftEther();
 // HMAC block size
 #define HMAC_BLOCK_SIZE 64
 // The block size for sha-384 and sha-512 as defined by rfc4868
-#define HMAC_BLOCK_SIZE_1024 128
-#define HMAC_BLOCK_SIZE_MAX 512
+#define HMAC_BLOCK_SIZE_1024 128
+#define HMAC_BLOCK_SIZE_MAX 512
 #define DH_GROUP1_PRIME_768 \
 "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1" \
@@ -540,6 +540,7 @@ DH_CTX *DhNewSimple160();
 DH_CTX *DhNew2048();
 DH_CTX *DhNew3072();
 DH_CTX *DhNew4096();
+DH_CTX *DhNewFromBits(UINT bits);
 DH_CTX *DhNew(char *prime, UINT g);
 void DhFree(DH_CTX *dh);
 BUF *DhToBuf(DH_CTX *dh);
diff --git a/src/Mayaqua/Network.c b/src/Mayaqua/Network.c
index a1d5c83c..f3d130fb 100644
--- a/src/Mayaqua/Network.c
+++ b/src/Mayaqua/Network.c
@@ -250,7 +250,7 @@ static UINT rand_port_numbers[256] = {0};
 static bool g_use_privateip_file = false;
 static bool g_source_ip_validation_force_disable = false;
-static DH_CTX *dh_2048 = NULL;
+static DH_CTX *dh_param = NULL;
 typedef struct PRIVATE_IP_SUBNET
 {
@@ -17810,9 +17810,9 @@ DH *TmpDhCallback(SSL *ssl, int is_export, int keylength)
 {
 DH *ret = NULL;
- if (dh_2048 != NULL)
+ if (dh_param != NULL)
 {
- ret = dh_2048->dh;
+ ret = dh_param->dh;
 }
 return ret;
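Review bot: The `default:` branch of DhNewFromBits returns the 2048-bit group for every unsupported `bits` value, so a caller that passes a configured size has no way to learn that its request was not honoured, and the function lacks the one-line header comment its neighbours (DhNewSimple160, DhToBuf) carry. Add `// Create DH parameters from the well-known group of the given bit size; unsupported sizes fall back to the 2048-bit group` above the definition so callers know to validate `bits` themselves, since the table also exposes the 160-, 768- and 1024-bit groups that should not be reachable from a TLS configuration without an explicit decision. If silent fallback is not intended, returning NULL from `default:` and letting callers handle it would surface misconfiguration instead of hiding it.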
@@ -17932,9 +17932,6 @@ void InitNetwork()
 disable_cache = false;
-
- dh_2048 = DhNew2048();
-
 Zero(rand_port_numbers, sizeof(rand_port_numbers));
 SetGetIpThreadMaxNum(DEFAULT_GETIP_THREAD_MAX_NUM);
@@ -18367,10 +18364,10 @@ void SetCurrentGlobalIP(IP *ip, bool ipv6)
 void FreeNetwork()
 {
- if (dh_2048 != NULL)
+ if (dh_param != NULL)
 {
- DhFree(dh_2048);
- dh_2048 = NULL;
+ DhFree(dh_param);
+ dh_param = NULL;
 }
 // Release of thread-related
@@ -20282,6 +20279,8 @@ LABEL_RESTART:
 if (u->PollMyIpAndPort)
 {
+ // Create a thread to get a NAT-T IP address if necessary
+ if (u->GetNatTIpThread == NULL)
 {
 // Create a thread to get a NAT-T IP address if necessary
 if (u->GetNatTIpThread == NULL)
diff --git a/src/Mayaqua/Network.h b/src/Mayaqua/Network.h
index ffc96d07..870ef40f 100644
--- a/src/Mayaqua/Network.h
+++ b/src/Mayaqua/Network.h
@@ -1020,6 +1020,8 @@ int GetCurrentTimezone();
 bool GetSniNameFromSslPacket(UCHAR *packet_buf, UINT packet_size, char *sni, UINT sni_size);
 bool GetSniNameFromPreSslConnection(SOCK *s, char *sni, UINT sni_size);
+void SetDhParam(DH_CTX *dh);
+
 bool IsUseDnsProxy();
 bool IsUseAlternativeHostname();
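Review bot: Removing `dh_2048 = DhNew2048();` from InitNetwork leaves `dh_param` NULL until SetDhParam is called, and TmpDhCallback (earlier hunk in this file) then returns NULL, so any TLS server socket created before SiLoadServerCfg runs, or in a process that never loads a server configuration, has no DH parameters for DHE cipher suites where it previously had the 2048-bit group. Keeping a default here, `dh_param = DhNew2048();`, preserves that behaviour until the configured size replaces it. The definition of SetDhParam is not in the diff I can see; wherever it lives it needs to free the previous `dh_param` before storing the new one, otherwise each configuration load leaks a context, and replacing it while an in-progress handshake may hold the `DH *` returned by TmpDhCallback needs the same care. InitNetwork's body continues outside the hunk.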
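Review bot: The two lines added in the `LABEL_RESTART:` hunk duplicate the comment and the `if (u->GetNatTIpThread == NULL)` check that immediately follow them as context, producing two nested identical conditions; this is unrelated to the DH parameter change and looks like a merge artefact rather than an intended edit. Unless the rest of the function, which lies outside the hunk, relies on the extra `if` for its brace structure, both added lines should be dropped. The enclosing function starts and ends outside this hunk.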