From d95d8ddefa88abf319abd308ded70a4b9be54808 Mon Sep 17 00:00:00 2001 From: Yihong Wu <54519668+domosekai@users.noreply.github.com> Date: Thu, 16 Dec 2021 01:56:29 +0800 Subject: [PATCH 1/7] Fix account name in wrong case after editing --- src/Cedar/Client.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/src/Cedar/Client.c b/src/Cedar/Client.c index 1c40787b..a45aff43 100644 --- a/src/Cedar/Client.c +++ b/src/Cedar/Client.c @@ -6597,6 +6597,9 @@ bool CtGetAccount(CLIENT *c, RPC_CLIENT_GET_ACCOUNT *a) Lock(r->lock); { + // Copy account name (restore the correct case) + UniStrCpy(a->AccountName, sizeof(a->AccountName), r->ClientOption->AccountName); + // Copy the client option if (a->ClientOption != NULL) { From a5565fce4b31891a8d4ffd71037f03286f47ed7a Mon Sep 17 00:00:00 2001 From: Yihong Wu <54519668+domosekai@users.noreply.github.com> Date: Thu, 16 Dec 2021 23:29:22 +0800 Subject: [PATCH 2/7] Fix cascade links may start before configuration is loaded --- src/Cedar/Server.c | 12 ++---------- 1 file changed, 2 insertions(+), 10 deletions(-) diff --git a/src/Cedar/Server.c b/src/Cedar/Server.c index 523cfc7f..6376afc3 100644 --- a/src/Cedar/Server.c +++ b/src/Cedar/Server.c @@ -3457,16 +3457,8 @@ void SiLoadHubLinkCfg(FOLDER *f, HUB *h) FreeBuf(b); } - if (online) - { - k->Offline = true; - SetLinkOnline(k); - } - else - { - k->Offline = false; - SetLinkOffline(k); - } + k->Offline = !online; + ReleaseLink(k); } From f6edb5e1652427e9068a5c486fd6ca78cf2e7872 Mon Sep 17 00:00:00 2001 From: Yihong Wu <54519668+domosekai@users.noreply.github.com> Date: Fri, 17 Dec 2021 01:05:29 +0800 Subject: [PATCH 3/7] Fix a typo that causes CascadeList to show blank hub name --- src/Cedar/Admin.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/src/Cedar/Admin.c b/src/Cedar/Admin.c index 4ce38745..bf6cef0c 100644 --- a/src/Cedar/Admin.c +++ b/src/Cedar/Admin.c 
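Review bot: The new tail of SiLoadHubLinkCfg calls `ReleaseLink(k)` where the old code called SetLinkOnline/SetLinkOffline, so a reference is dropped on a path that previously dropped none; that is only safe if the hub's link list keeps its own reference and whatever starts the link later re-acquires one, neither of which this hunk can show. `k->Offline = !online;` is also written without `k->lock`, which is fine only if the link is not yet reachable from other threads here. A one-line comment naming the function that now performs the deferred start, e.g. `// Do not start the link here; it is started once the whole configuration has been loaded (see <starter function>)`, would record why the online/offline calls were removed. SiLoadHubLinkCfg begins outside the hunk.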
@@ -13702,12 +13702,14 @@ void InRpcEnumLink(RPC_ENUM_LINK *t, PACK *p) PackGetUniStrEx(p, "AccountName", e->AccountName, sizeof(e->AccountName), i); PackGetStrEx(p, "Hostname", e->Hostname, sizeof(e->Hostname), i); - PackGetStrEx(p, "ConnectedHubName", e->HubName, sizeof(e->HubName), i); + if (PackGetStrEx(p, "ConnectedHubName", e->HubName, sizeof(e->HubName), i) == false) + { + PackGetStrEx(p, "TargetHubName", e->HubName, sizeof(e->HubName), i); + } e->Online = PackGetBoolEx(p, "Online", i); e->ConnectedTime = PackGetInt64Ex(p, "ConnectedTime", i); e->Connected = PackGetBoolEx(p, "Connected", i); e->LastError = PackGetIntEx(p, "LastError", i); - PackGetStrEx(p, "LinkHubName", e->HubName, sizeof(e->HubName), i); } } void OutRpcEnumLink(PACK *p, RPC_ENUM_LINK *t) From 68dc4e23d8b90a346cbd053c7cda37ba569725c8 Mon Sep 17 00:00:00 2001 From: Yihong Wu <54519668+domosekai@users.noreply.github.com> Date: Wed, 15 Dec 2021 00:54:40 +0800 Subject: [PATCH 4/7] Improve NAT-T hint string handling --- src/Cedar/CM.c | 14 +++++++++--- src/Cedar/Client.c | 50 ++++++++++++++++++++++++++++++++++++++++-- src/Cedar/Command.c | 36 +++++++++++++++++++++++++++--- src/Cedar/Connection.h | 1 + src/Cedar/Protocol.c | 18 ++++++++++----- src/Cedar/Protocol.h | 2 ++ src/Cedar/SM.c | 42 +++++++++++++++++++++++++++++++++-- src/Cedar/SMInner.h | 2 +- src/Cedar/WinUi.c | 7 +++++- src/Cedar/WinUi.h | 2 ++ src/Mayaqua/Network.c | 46 ++++++++++---------------------------- src/Mayaqua/Network.h | 2 +- 12 files changed, 170 insertions(+), 52 deletions(-) diff --git a/src/Cedar/CM.c b/src/Cedar/CM.c index 02df5267..4ca4cc37 100644 --- a/src/Cedar/CM.c +++ b/src/Cedar/CM.c @@ -6649,6 +6649,7 @@ void CmEditAccountDlgUpdate(HWND hWnd, CM_ACCOUNT *a) // Host name GetTxtA(hWnd, E_HOSTNAME, a->ClientOption->Hostname, sizeof(a->ClientOption->Hostname)); Trim(a->ClientOption->Hostname); + a->ClientOption->HintStr[0] = 0; if (InStr(a->ClientOption->Hostname, "/tcp")) { 
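Review bot: In CmEditAccountDlgUpdate the added `a->ClientOption->HintStr[0] = 0;` clears the hint while `a->ClientOption->Hostname` still holds the raw `host/hint` text read from E_HOSTNAME, so until the option is re-read through InRpcClientOption the struct is in a mixed state in which Hostname carries the hint and HintStr is empty; SmEditSettingDlgUpdate in SM.c splits in place instead. Splitting here the same way would keep the two dialogs consistent and let the `/tcp` test that follows inspect HintStr rather than Hostname. Any code that reads a->ClientOption->Hostname directly, without an RPC round-trip, would otherwise see the unsplit string. CmEditAccountDlgUpdate starts and ends outside the hunk.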
@@ -7091,10 +7092,17 @@ void CmEditAccountDlgInit(HWND hWnd, CM_ACCOUNT *a) SetText(hWnd, E_ACCOUNT_NAME, a->ClientOption->AccountName); // Host name - SetTextA(hWnd, E_HOSTNAME, a->ClientOption->Hostname); - StrCpy(a->old_server_name, sizeof(a->old_server_name), a->ClientOption->Hostname); + char hostname[MAX_SIZE]; + StrCpy(hostname, sizeof(hostname), a->ClientOption->Hostname); + if (IsEmptyStr(a->ClientOption->HintStr) == false) + { + StrCat(hostname, sizeof(hostname), "/"); + StrCat(hostname, sizeof(hostname), a->ClientOption->HintStr); + } + SetTextA(hWnd, E_HOSTNAME, hostname); + StrCpy(a->old_server_name, sizeof(a->old_server_name), hostname); - if (InStr(a->ClientOption->Hostname, "/tcp")) + if (InStr(hostname, "/tcp")) { Check(hWnd, R_DISABLE_NATT, true); } diff --git a/src/Cedar/Client.c b/src/Cedar/Client.c index a45aff43..0d893f31 100644 --- a/src/Cedar/Client.c +++ b/src/Cedar/Client.c @@ -4315,6 +4315,13 @@ void InRpcClientOption(CLIENT_OPTION *c, PACK *p) PackGetUniStr(p, "AccountName", c->AccountName, sizeof(c->AccountName)); PackGetStr(p, "Hostname", c->Hostname, sizeof(c->Hostname)); + // Extract hint string from hostname + UINT i = SearchStrEx(c->Hostname, "/", 0, false); + if (i != INFINITE) + { + StrCpy(c->HintStr, sizeof(c->HintStr), c->Hostname + i + 1); + c->Hostname[i] = 0; + } c->Port = PackGetInt(p, "Port"); c->PortUDP = PackGetInt(p, "PortUDP"); c->ProxyType = PackGetInt(p, "ProxyType"); 
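Review bot: The `host/hint` split added to InRpcClientOption is repeated verbatim in CiLoadClientOption, PsConnect, SmEditSettingDlgUpdate, SmLoadSettingList and SmParseCommandLine, and the inverse join into a `char hostname[MAX_SIZE]` in OutRpcClientOption, CtEnumAccount, CiWriteClientOption, PcAccountGet, PsCascadeGet, CmEditAccountDlgInit, SmEditSettingDlgInit and SmRefreshSettingEx; the copies already disagree, since only SmEditSettingDlgUpdate clears HintStr when no `/` is present. Two small helpers on CLIENT_OPTION would give the format one home and make the clearing uniform. Whether `c` is zeroed before this point, which would make the missing else branch harmless here, is outside the hunk.
```c
// Split "host/hint" held in o->Hostname into o->Hostname and o->HintStr.
// HintStr is cleared when no hint is present so the caller need not pre-zero it.
void SplitClientOptionHint(CLIENT_OPTION *o)
{
	UINT i = SearchStrEx(o->Hostname, "/", 0, false);
	if (i != INFINITE)
	{
		StrCpy(o->HintStr, sizeof(o->HintStr), o->Hostname + i + 1);
		o->Hostname[i] = 0;
	}
	else
	{
		o->HintStr[0] = 0;
	}
}

// Write "host" or "host/hint" into dst (size bytes).
void JoinClientOptionHint(char *dst, UINT size, CLIENT_OPTION *o)
{
	StrCpy(dst, size, o->Hostname);
	if (IsEmptyStr(o->HintStr) == false)
	{
		StrCat(dst, size, "/");
		StrCat(dst, size, o->HintStr);
	}
}

// … in InRpcClientOption, replacing the added block …
PackGetStr(p, "Hostname", c->Hostname, sizeof(c->Hostname));
SplitClientOptionHint(c);
```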
@@ -4352,7 +4359,20 @@ void OutRpcClientOption(PACK *p, CLIENT_OPTION *c) } PackAddUniStr(p, "AccountName", c->AccountName); - PackAddStr(p, "Hostname", c->Hostname); + // Append hint string to hostname + if (IsEmptyStr(c->HintStr)) + { + // No hint + PackAddStr(p, "Hostname", c->Hostname); + } + else + { + char hostname[MAX_SIZE]; + StrCpy(hostname, sizeof(hostname), c->Hostname); + StrCat(hostname, sizeof(hostname), "/"); + StrCat(hostname, sizeof(hostname), c->HintStr); + PackAddStr(p, "Hostname", hostname); + } PackAddStr(p, "ProxyName", c->ProxyName); PackAddStr(p, "ProxyUsername", c->ProxyUsername); PackAddStr(p, "ProxyPassword", c->ProxyPassword); @@ -7030,6 +7050,12 @@ bool CtEnumAccount(CLIENT *c, RPC_CLIENT_ENUM_ACCOUNT *e) // Server name StrCpy(item->ServerName, sizeof(item->ServerName), a->ClientOption->Hostname); + // Append hint string to hostname + if (IsEmptyStr(a->ClientOption->HintStr) == false) + { + StrCat(item->ServerName, sizeof(item->ServerName), "/"); + StrCat(item->ServerName, sizeof(item->ServerName), a->ClientOption->HintStr); + } // Proxy type item->ProxyType = a->ClientOption->ProxyType; @@ -9222,6 +9248,13 @@ CLIENT_OPTION *CiLoadClientOption(FOLDER *f) CfgGetUniStr(f, "AccountName", o->AccountName, sizeof(o->AccountName)); CfgGetStr(f, "Hostname", o->Hostname, sizeof(o->Hostname)); + // Extract hint string from hostname + UINT i = SearchStrEx(o->Hostname, "/", 0, false); + if (i != INFINITE) + { + StrCpy(o->HintStr, sizeof(o->HintStr), o->Hostname + i + 1); + o->Hostname[i] = 0; + } o->Port = CfgGetInt(f, "Port"); o->PortUDP = CfgGetInt(f, "PortUDP"); o->ProxyType = CfgGetInt(f, "ProxyType"); 
@@ -9764,7 +9797,20 @@ void CiWriteClientOption(FOLDER *f, CLIENT_OPTION *o) } CfgAddUniStr(f, "AccountName", o->AccountName); - CfgAddStr(f, "Hostname", o->Hostname); + // Append hint string to hostname + if (IsEmptyStr(o->HintStr)) + { + // No hint + CfgAddStr(f, "Hostname", o->Hostname); + } + else + { + char hostname[MAX_SIZE]; + StrCpy(hostname, sizeof(hostname), o->Hostname); + StrCat(hostname, sizeof(hostname), "/"); + StrCat(hostname, sizeof(hostname), o->HintStr); + CfgAddStr(f, "Hostname", hostname); + } CfgAddInt(f, "Port", o->Port); CfgAddInt(f, "PortUDP", o->PortUDP); CfgAddInt(f, "ProxyType", o->ProxyType); diff --git a/src/Cedar/Command.c b/src/Cedar/Command.c index df188b6f..d9f885e1 100644 --- a/src/Cedar/Command.c +++ b/src/Cedar/Command.c @@ -4333,6 +4333,7 @@ UINT PcAccountSet(CONSOLE *c, char *cmd_name, wchar_t *str, void *param) // Success t.ClientOption->Port = port; StrCpy(t.ClientOption->Hostname, sizeof(t.ClientOption->Hostname), host); + t.ClientOption->HintStr[0] = 0; StrCpy(t.ClientOption->HubName, sizeof(t.ClientOption->HubName), GetParamStr(o, "HUB")); Zero(&c, sizeof(c)); @@ -4400,7 +4401,18 @@ UINT PcAccountGet(CONSOLE *c, char *cmd_name, wchar_t *str, void *param) CtInsert(ct, _UU("CMD_ACCOUNT_COLUMN_NAME"), t.ClientOption->AccountName); // Host name of the destination VPN Server - StrToUni(tmp, sizeof(tmp), t.ClientOption->Hostname); + if (IsEmptyStr(t.ClientOption->HintStr)) + { + StrToUni(tmp, sizeof(tmp), t.ClientOption->Hostname); + } + else + { + char hostname[MAX_SIZE]; + StrCpy(hostname, sizeof(hostname), t.ClientOption->Hostname); + StrCat(hostname, sizeof(hostname), "/"); + StrCat(hostname, sizeof(hostname), t.ClientOption->HintStr); + StrToUni(tmp, sizeof(tmp), hostname); + } CtInsert(ct, _UU("CMD_ACCOUNT_COLUMN_HOSTNAME"), tmp); // The port number to connect to VPN Server 
@@ -13117,6 +13129,7 @@ UINT PsCascadeSet(CONSOLE *c, char *cmd_name, wchar_t *str, void *param) t.ClientOption->Port = port; StrCpy(t.ClientOption->Hostname, sizeof(t.ClientOption->Hostname), host); + t.ClientOption->HintStr[0] = 0; StrCpy(t.ClientOption->HubName, sizeof(t.ClientOption->HubName), GetParamStr(o, "HUB")); Free(host); @@ -13223,7 +13236,18 @@ UINT PsCascadeGet(CONSOLE *c, char *cmd_name, wchar_t *str, void *param) CtInsert(ct, _UU("CMD_ACCOUNT_COLUMN_NAME"), t.ClientOption->AccountName); // Host name of the destination VPN Server - StrToUni(tmp, sizeof(tmp), t.ClientOption->Hostname); + if (IsEmptyStr(t.ClientOption->HintStr)) + { + StrToUni(tmp, sizeof(tmp), t.ClientOption->Hostname); + } + else + { + char hostname[MAX_SIZE]; + StrCpy(hostname, sizeof(hostname), t.ClientOption->Hostname); + StrCat(hostname, sizeof(hostname), "/"); + StrCat(hostname, sizeof(hostname), t.ClientOption->HintStr); + StrToUni(tmp, sizeof(tmp), hostname); + } CtInsert(ct, _UU("CMD_ACCOUNT_COLUMN_HOSTNAME"), tmp); // The port number to connect to VPN Server @@ -24273,6 +24297,12 @@ UINT PsConnect(CONSOLE *c, char *host, UINT port, char *hub, char *adminhub, wch Zero(&o, sizeof(o)); UniStrCpy(o.AccountName, sizeof(o.AccountName), L"VPNCMD"); StrCpy(o.Hostname, sizeof(o.Hostname), host); + UINT i = SearchStrEx(o.Hostname, "/", 0, false); + if (i != INFINITE) + { + StrCpy(o.HintStr, sizeof(o.HintStr), o.Hostname + i + 1); + o.Hostname[i] = 0; + } o.Port = port; o.ProxyType = PROXY_DIRECT; @@ -24331,7 +24361,7 @@ UINT PsConnect(CONSOLE *c, char *host, UINT port, char *hub, char *adminhub, wch PS *ps; // Success - ps = NewPs(c, rpc, host, port, hub, adminhub, cmdline); + ps = NewPs(c, rpc, o.Hostname, port, hub, adminhub, cmdline); PsMain(ps); retcode = ps->LastError; FreePs(ps); diff --git a/src/Cedar/Connection.h b/src/Cedar/Connection.h index 9e82f98d..b7eff0a6 100644 --- a/src/Cedar/Connection.h +++ b/src/Cedar/Connection.h 
@@ -105,6 +105,7 @@ struct CLIENT_OPTION char pad12[3]; UCHAR HostUniqueKey[SHA1_SIZE]; // Host unique key char CustomHttpHeader[HTTP_CUSTOM_HEADER_MAX_SIZE]; // Custom HTTP proxy header + char HintStr[MAX_HOST_NAME_LEN + 1]; // Hint string for NAT-T }; // Client authentication data diff --git a/src/Cedar/Protocol.c b/src/Cedar/Protocol.c index 94f2a682..1d058caa 100644 --- a/src/Cedar/Protocol.c +++ b/src/Cedar/Protocol.c @@ -6306,9 +6306,9 @@ SOCK *ClientConnectGetSocket(CONNECTION *c, bool additional_connect) { // If additional_connect == false, enable trying to NAT-T connection // If additional_connect == true, follow the IsRUDPSession setting in this session - sock = TcpIpConnectEx(hostname, c->ServerPort, + sock = TcpIpConnectEx2(hostname, c->ServerPort, (bool *)cancel_flag, c->hWndForUI, &nat_t_err, (additional_connect ? (!sess->IsRUDPSession) : false), - true, &resolved_ip); + true, o->HintStr, &resolved_ip); } else { 
@@ -6444,23 +6444,31 @@ UINT ProxyCodeToCedar(UINT code) // TCP connection function SOCK *TcpConnectEx3(char *hostname, UINT port, UINT timeout, bool *cancel_flag, void *hWnd, bool no_nat_t, UINT *nat_t_error_code, bool try_start_ssl, IP *ret_ip) +{ + return TcpConnectEx4(hostname, port, timeout, cancel_flag, hWnd, no_nat_t, nat_t_error_code, try_start_ssl, NULL, ret_ip); +} +SOCK *TcpConnectEx4(char *hostname, UINT port, UINT timeout, bool *cancel_flag, void *hWnd, bool no_nat_t, UINT *nat_t_error_code, bool try_start_ssl, char *hint_str, IP *ret_ip) { #ifdef OS_WIN32 if (hWnd == NULL) { #endif // OS_WIN32 - return ConnectEx4(hostname, port, timeout, cancel_flag, (no_nat_t ? NULL : VPN_RUDP_SVC_NAME), nat_t_error_code, try_start_ssl, true, ret_ip); + return ConnectEx5(hostname, port, timeout, cancel_flag, (no_nat_t ? NULL : VPN_RUDP_SVC_NAME), nat_t_error_code, try_start_ssl, true, hint_str, ret_ip); #ifdef OS_WIN32 } else { - return WinConnectEx3((HWND)hWnd, hostname, port, timeout, 0, NULL, NULL, nat_t_error_code, (no_nat_t ? NULL : VPN_RUDP_SVC_NAME), try_start_ssl); + return WinConnectEx4((HWND)hWnd, hostname, port, timeout, 0, NULL, NULL, nat_t_error_code, (no_nat_t ? NULL : VPN_RUDP_SVC_NAME), try_start_ssl, hint_str); } #endif // OS_WIN32 } // Connect with TCP/IP SOCK *TcpIpConnectEx(char *hostname, UINT port, bool *cancel_flag, void *hWnd, UINT *nat_t_error_code, bool no_nat_t, bool try_start_ssl, IP *ret_ip) +{ + return TcpIpConnectEx2(hostname, port, cancel_flag, hWnd, nat_t_error_code, no_nat_t, try_start_ssl, NULL, ret_ip); +} +SOCK *TcpIpConnectEx2(char *hostname, UINT port, bool *cancel_flag, void *hWnd, UINT *nat_t_error_code, bool no_nat_t, bool try_start_ssl, char *hint_str, IP *ret_ip) { SOCK *s = NULL; UINT dummy_int = 0; 
@@ -6475,7 +6483,7 @@ SOCK *TcpIpConnectEx(char *hostname, UINT port, bool *cancel_flag, void *hWnd, U return NULL; } - s = TcpConnectEx3(hostname, port, 0, cancel_flag, hWnd, no_nat_t, nat_t_error_code, try_start_ssl, ret_ip); + s = TcpConnectEx4(hostname, port, 0, cancel_flag, hWnd, no_nat_t, nat_t_error_code, try_start_ssl, hint_str, ret_ip); if (s == NULL) { return NULL; diff --git a/src/Cedar/Protocol.h b/src/Cedar/Protocol.h index 8e3db267..7dd91721 100644 --- a/src/Cedar/Protocol.h +++ b/src/Cedar/Protocol.h @@ -114,6 +114,7 @@ bool ServerAccept(CONNECTION *c); bool ClientConnect(CONNECTION *c); SOCK *ClientConnectToServer(CONNECTION *c); SOCK *TcpIpConnectEx(char *hostname, UINT port, bool *cancel_flag, void *hWnd, UINT *nat_t_error_code, bool no_nat_t, bool try_start_ssl, IP *ret_ip); +SOCK *TcpIpConnectEx2(char *hostname, UINT port, bool *cancel_flag, void *hWnd, UINT *nat_t_error_code, bool no_nat_t, bool try_start_ssl, char *hint_str, IP *ret_ip); bool ClientUploadSignature(SOCK *s); bool ClientDownloadHello(CONNECTION *c, SOCK *s); bool ServerDownloadSignature(CONNECTION *c, char **error_detail_str); @@ -121,6 +122,7 @@ bool ServerUploadHello(CONNECTION *c); bool ClientUploadAuth(CONNECTION *c); SOCK *ClientConnectGetSocket(CONNECTION *c, bool additional_connect); SOCK *TcpConnectEx3(char *hostname, UINT port, UINT timeout, bool *cancel_flag, void *hWnd, bool no_nat_t, UINT *nat_t_error_code, bool try_start_ssl, IP *ret_ip); +SOCK *TcpConnectEx4(char *hostname, UINT port, UINT timeout, bool *cancel_flag, void *hWnd, bool no_nat_t, UINT *nat_t_error_code, bool try_start_ssl, char *hint_str, IP *ret_ip); UINT ProxyCodeToCedar(UINT code); diff --git a/src/Cedar/SM.c b/src/Cedar/SM.c index 917c60f3..5e505d4e 100644 --- a/src/Cedar/SM.c +++ b/src/Cedar/SM.c 
@@ -19360,7 +19360,14 @@ void SmEditSettingDlgInit(HWND hWnd, SM_EDIT_SETTING *p) SetText(hWnd, E_ACCOUNT_NAME, s->Title); // Host name - SetTextA(hWnd, E_HOSTNAME, s->ClientOption.Hostname); + char hostname[MAX_SIZE]; + StrCpy(hostname, sizeof(hostname), s->ClientOption.Hostname); + if (IsEmptyStr(s->ClientOption.HintStr) == false) + { + StrCat(hostname, sizeof(hostname), "/"); + StrCat(hostname, sizeof(hostname), s->ClientOption.HintStr); + } + SetTextA(hWnd, E_HOSTNAME, hostname); // Port number CbSetHeight(hWnd, C_PORT, 18); @@ -19450,6 +19457,16 @@ void SmEditSettingDlgUpdate(HWND hWnd, SM_EDIT_SETTING *p) GetTxtA(hWnd, E_HOSTNAME, tmp, sizeof(tmp)); Trim(tmp); + UINT i = SearchStrEx(tmp, "/", 0, false); + if (i != INFINITE) + { + StrCpy(s->ClientOption.HintStr, sizeof(s->ClientOption.HintStr), tmp + i + 1); + tmp[i] = 0; + } + else + { + s->ClientOption.HintStr[0] = 0; + } if (StrCmpi(tmp, s->ClientOption.Hostname) != 0) { @@ -20211,6 +20228,13 @@ void SmLoadSettingList() if (s != NULL) { + // Migrate from old settings that mixed hint string with hostname + UINT i = SearchStrEx(s->ClientOption.Hostname, "/", 0, false); + if (i != INFINITE) + { + StrCpy(s->ClientOption.HintStr, sizeof(s->ClientOption.HintStr), s->ClientOption.Hostname + i + 1); + s->ClientOption.Hostname[i] = 0; + } Add(sm->SettingList, s); } FreeBuf(b); @@ -20273,6 +20297,7 @@ void SmInitDefaultSettingList() Sha0(s->HashedPassword, "", 0); UniStrCpy(s->ClientOption.AccountName, sizeof(s->ClientOption.AccountName), s->Title); StrCpy(s->ClientOption.Hostname, sizeof(s->ClientOption.Hostname), "localhost"); + s->ClientOption.HintStr[0] = 0; s->ClientOption.Port = GC_DEFAULT_PORT; Add(sm->SettingList, s); 
@@ -20362,7 +20387,14 @@ void SmRefreshSettingEx(HWND hWnd, wchar_t *select_name) UniFormat(tmp, sizeof(tmp), _UU("SM_MODE_HUB"), s->HubName); } - StrToUni(tmp2, sizeof(tmp2), s->ClientOption.Hostname); + char hostname[MAX_SIZE]; + StrCpy(hostname, sizeof(hostname), s->ClientOption.Hostname); + if (IsEmptyStr(s->ClientOption.HintStr) == false) + { + StrCat(hostname, sizeof(hostname), "/"); + StrCat(hostname, sizeof(hostname), s->ClientOption.HintStr); + } + StrToUni(tmp2, sizeof(tmp2), hostname); LvInsertAdd(b, (s->ServerAdminMode ? ICO_SERVER_ONLINE : ICO_HUB), @@ -20781,6 +20813,12 @@ void SmParseCommandLine() UniStrCpy(o->AccountName, sizeof(o->AccountName), s->Title); StrCpy(o->Hostname, sizeof(o->Hostname), host); + UINT i = SearchStrEx(o->Hostname, "/", 0, false); + if (i != INFINITE) + { + StrCpy(o->HintStr, sizeof(o->HintStr), o->Hostname + i + 1); + o->Hostname[i] = 0; + } o->Port = port; o->ProxyType = PROXY_DIRECT; StrCpy(o->DeviceName, sizeof(o->DeviceName), "DUMMY"); diff --git a/src/Cedar/SMInner.h b/src/Cedar/SMInner.h index 26420ff4..2a9158ec 100644 --- a/src/Cedar/SMInner.h +++ b/src/Cedar/SMInner.h @@ -41,7 +41,7 @@ typedef struct SETTING char HubName[MAX_HUBNAME_LEN + 1]; // HUB name UCHAR HashedPassword[SHA1_SIZE]; // Password CLIENT_OPTION ClientOption; // Client Option - UCHAR Reserved[10240 - sizeof(UINT) * 8 - SHA1_SIZE - HTTP_CUSTOM_HEADER_MAX_SIZE]; // Reserved area + UCHAR Reserved[10240 - sizeof(UINT) * 8 - SHA1_SIZE - HTTP_CUSTOM_HEADER_MAX_SIZE - MAX_HOST_NAME_LEN - 1]; // Reserved area } SETTING; // Structure declaration diff --git a/src/Cedar/WinUi.c b/src/Cedar/WinUi.c index 9a4c3bbb..f0c4a1cc 100644 --- a/src/Cedar/WinUi.c +++ b/src/Cedar/WinUi.c 
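Review bot: The Reserved arithmetic in SETTING now encodes the size of the new CLIENT_OPTION::HintStr field by hand, and nothing in the header says why; a comment such as `// Keeps sizeof(SETTING) fixed: subtract the size of every field added to CLIENT_OPTION so saved setting blobs stay loadable` would stop the next added field from silently shifting the layout. It also means that in a setting saved by an older build HintStr is read from bytes that used to be Reserved; the migration in SmLoadSettingList only handles the `host/hint` case and otherwise relies on those bytes being zero, which the hunk cannot confirm. A C11 `_Static_assert(sizeof(SETTING) == 10240, "SETTING layout changed")`, where the project's compilers allow it, would pin the intent.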
@@ -1329,7 +1329,7 @@ void WinConnectDlgThread(THREAD *thread, void *param) nat_t_svc_name = d->nat_t_svc_name; } - s = ConnectEx3(d->hostname, d->port, d->timeout, &d->cancel, nat_t_svc_name, &nat_t_error_code, d->try_start_ssl, false); + s = ConnectEx5(d->hostname, d->port, d->timeout, &d->cancel, nat_t_svc_name, &nat_t_error_code, d->try_start_ssl, false, d->hint_str, NULL); d->ret_sock = s; d->nat_t_error_code = nat_t_error_code; @@ -1398,6 +1398,10 @@ UINT WinConnectDlgProc(HWND hWnd, UINT msg, WPARAM wParam, LPARAM lParam, void * // TCP connection with showing the UI SOCK *WinConnectEx3(HWND hWnd, char *server, UINT port, UINT timeout, UINT icon_id, wchar_t *caption, wchar_t *info, UINT *nat_t_error_code, char *nat_t_svc_name, bool try_start_ssl) +{ + return WinConnectEx4(hWnd, server, port, timeout, icon_id, caption, info, nat_t_error_code, nat_t_svc_name, try_start_ssl, NULL); +} +SOCK *WinConnectEx4(HWND hWnd, char *server, UINT port, UINT timeout, UINT icon_id, wchar_t *caption, wchar_t *info, UINT *nat_t_error_code, char *nat_t_svc_name, bool try_start_ssl, char *hint_str) { wchar_t tmp[MAX_SIZE]; wchar_t tmp2[MAX_SIZE]; @@ -1440,6 +1444,7 @@ SOCK *WinConnectEx3(HWND hWnd, char *server, UINT port, UINT timeout, UINT icon_ d.timeout = timeout; d.hostname = server; d.port = port; + d.hint_str = hint_str; StrCpy(d.nat_t_svc_name, sizeof(d.nat_t_svc_name), nat_t_svc_name); Dialog(hWnd, D_CONNECT, WinConnectDlgProc, &d); diff --git a/src/Cedar/WinUi.h b/src/Cedar/WinUi.h index 74cdd361..62d6c332 100644 --- a/src/Cedar/WinUi.h +++ b/src/Cedar/WinUi.h @@ -331,6 +331,7 @@ typedef struct WINCONNECT_DLG_DATA char nat_t_svc_name[MAX_SIZE]; UINT nat_t_error_code; bool try_start_ssl; + char *hint_str; } WINCONNECT_DLG_DATA; HBITMAP ResizeBitmap(HBITMAP hSrc, UINT src_x, UINT src_y, UINT dst_x, UINT dst_y); 
@@ -694,6 +695,7 @@ HFONT GetMeiryoFontEx(UINT font_size); HFONT GetMeiryoFontEx2(UINT font_size, bool bold); bool ShowWindowsNetworkConnectionDialog(); SOCK *WinConnectEx3(HWND hWnd, char *server, UINT port, UINT timeout, UINT icon_id, wchar_t *caption, wchar_t *info, UINT *nat_t_error_code, char *nat_t_svc_name, bool try_start_ssl); +SOCK *WinConnectEx4(HWND hWnd, char *server, UINT port, UINT timeout, UINT icon_id, wchar_t *caption, wchar_t *info, UINT *nat_t_error_code, char *nat_t_svc_name, bool try_start_ssl, char *hint_str); UINT WinConnectDlgProc(HWND hWnd, UINT msg, WPARAM wParam, LPARAM lParam, void *param); void WinConnectDlgThread(THREAD *thread, void *param); void NicInfo(UI_NICINFO *info); diff --git a/src/Mayaqua/Network.c b/src/Mayaqua/Network.c index ee97595d..6370f5e7 100644 --- a/src/Mayaqua/Network.c +++ b/src/Mayaqua/Network.c @@ -13979,7 +13979,7 @@ void ConnectThreadForIPv4(THREAD *thread, void *param) Zero(&p4, sizeof(p4)); // p1: TCP - StrCpy(p1.Hostname, sizeof(p1.Hostname), p->Hostname_Original); + StrCpy(p1.Hostname, sizeof(p1.Hostname), p->Hostname); Copy(&p1.Ip, ip, sizeof(IP)); p1.Port = p->Port; p1.Timeout = p->Timeout; @@ -13989,7 +13989,7 @@ void ConnectThreadForIPv4(THREAD *thread, void *param) p1.CancelLock = NewLock(); // p2: NAT-T - StrCpy(p2.Hostname, sizeof(p2.Hostname), p->Hostname_Original); + StrCpy(p2.Hostname, sizeof(p2.Hostname), p->Hostname); Copy(&p2.Ip, ip, sizeof(IP)); p2.Port = p->Port; p2.Timeout = p->Timeout; @@ -14002,7 +14002,7 @@ void ConnectThreadForIPv4(THREAD *thread, void *param) p2.Delay = 30; // Delay by 30ms // p3: over ICMP - StrCpy(p3.Hostname, sizeof(p3.Hostname), p->Hostname_Original); + StrCpy(p3.Hostname, sizeof(p3.Hostname), p->Hostname); Copy(&p3.Ip, ip, sizeof(IP)); p3.Port = p->Port; p3.Timeout = p->Timeout; 
@@ -14013,7 +14013,7 @@ void ConnectThreadForIPv4(THREAD *thread, void *param) p3.Delay = 200; // Delay by 200ms // p4: over DNS - StrCpy(p4.Hostname, sizeof(p4.Hostname), p->Hostname_Original); + StrCpy(p4.Hostname, sizeof(p4.Hostname), p->Hostname); Copy(&p4.Ip, ip, sizeof(IP)); p4.Port = p->Port; p4.Timeout = p->Timeout; @@ -14221,7 +14221,7 @@ void ConnectThreadForIPv4(THREAD *thread, void *param) if (s != INVALID_SOCKET) { - p->Sock = CreateTCPSock(s, false, ¤t_ip, p->No_Get_Hostname, p->Hostname_Original); + p->Sock = CreateTCPSock(s, false, ¤t_ip, p->No_Get_Hostname, p->Hostname); break; } } @@ -14308,7 +14308,7 @@ void ConnectThreadForIPv6(THREAD *thread, void *param) if (s != INVALID_SOCKET) { - p->Sock = CreateTCPSock(s, true, ¤t_ip, p->No_Get_Hostname, p->Hostname_Original); + p->Sock = CreateTCPSock(s, true, ¤t_ip, p->No_Get_Hostname, p->Hostname); break; } } @@ -14410,11 +14410,13 @@ SOCK *ConnectEx3(char *hostname, UINT port, UINT timeout, bool *cancel_flag, cha return ConnectEx4(hostname, port, timeout, cancel_flag, nat_t_svc_name, nat_t_error_code, try_start_ssl, no_get_hostname, NULL); } SOCK *ConnectEx4(char *hostname, UINT port, UINT timeout, bool *cancel_flag, char *nat_t_svc_name, UINT *nat_t_error_code, bool try_start_ssl, bool no_get_hostname, IP *ret_ip) +{ + return ConnectEx5(hostname, port, timeout, cancel_flag, nat_t_svc_name, nat_t_error_code, try_start_ssl, no_get_hostname, NULL, ret_ip); +} +SOCK *ConnectEx5(char *hostname, UINT port, UINT timeout, bool *cancel_flag, char *nat_t_svc_name, UINT *nat_t_error_code, bool try_start_ssl, bool no_get_hostname, char *hint_str, IP *ret_ip) { bool dummy = false; bool use_natt = false; - char hostname_original[MAX_SIZE]; - char hint_str[MAX_SIZE]; bool force_use_natt = false; UINT dummy_int = 0; IP dummy_ret_ip; 
@@ -14442,33 +14444,15 @@ SOCK *ConnectEx4(char *hostname, UINT port, UINT timeout, bool *cancel_flag, cha ret_ip = &dummy_ret_ip; } - Zero(hint_str, sizeof(hint_str)); - StrCpy(hostname_original, sizeof(hostname_original), hostname); - use_natt = (IsEmptyStr(nat_t_svc_name) ? false : true); if (use_natt) { - // In case of using NAT-T, split host name if the '/' is included in the host name - UINT i = SearchStrEx(hostname, "/", 0, false); - - if (i == INFINITE) + if (IsEmptyStr(hint_str) == false) { - // Not included - StrCpy(hostname_original, sizeof(hostname_original), hostname); - } - else - { - // Included - StrCpy(hostname_original, sizeof(hostname_original), hostname); - hostname_original[i] = 0; - // Force to use the NAT-T force_use_natt = true; - // Copy the hint string - StrCpy(hint_str, sizeof(hint_str), hostname + i + 1); - if (StrCmpi(hint_str, "tcp") == 0 || StrCmpi(hint_str, "disable") == 0 || StrCmpi(hint_str, "disabled") == 0 || StrCmpi(hint_str, "no") == 0 || StrCmpi(hint_str, "none") == 0) @@ -14479,10 +14463,6 @@ SOCK *ConnectEx4(char *hostname, UINT port, UINT timeout, bool *cancel_flag, cha } } } - else - { - StrCpy(hostname_original, sizeof(hostname_original), hostname); - } LIST *iplist_v6 = NULL; LIST *iplist_v4 = NULL; @@ -14506,7 +14486,7 @@ SOCK *ConnectEx4(char *hostname, UINT port, UINT timeout, bool *cancel_flag, cha else { // Forward resolution - if (DnsResolveEx(&iplist_v6, &iplist_v4, hostname_original, 0, cancel_flag) == false) + if (DnsResolveEx(&iplist_v6, &iplist_v4, hostname, 0, cancel_flag) == false) { return NULL; } @@ -14532,7 +14512,6 @@ SOCK *ConnectEx4(char *hostname, UINT port, UINT timeout, bool *cancel_flag, cha p6.Port = port; p6.Timeout = timeout; StrCpy(p6.Hostname, sizeof(p6.Hostname), hostname); - StrCpy(p6.Hostname_Original, sizeof(p6.Hostname_Original), hostname_original); p6.No_Get_Hostname = no_get_hostname; p6.CancelFlag = &cancel_flag2; p6.NoDelayFlag = &no_delay_flag; 
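Review bot: ConnectEx5 now resolves `hostname` as given and takes the hint only from `hint_str`, while ConnectEx3 and ConnectEx4 pass `NULL` for it; any remaining caller of those wrappers that still passes the old `host/hint` form (the series converts the callers it knows of, but this chunk cannot show the rest) will now hand `host/hint` to DnsResolveEx and silently lose the forced NAT-T path. A comment on ConnectEx4 stating that the hint must already be split out by the caller would make the contract visible, and a search for other ConnectEx3/ConnectEx4/TcpConnectEx3/TcpIpConnectEx/WinConnectEx3 call sites is the check I would want before merging. The `NULL` hint also reaches `IsEmptyStr(hint_str)` here and `StrCpy(p4.HintStr, sizeof(p4.HintStr), hint_str)` in the `@@ -14551` hunk, which is fine only because those helpers accept a NULL source — worth stating in that comment. ConnectEx5's body continues past both hunks.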
@@ -14551,7 +14530,6 @@ SOCK *ConnectEx4(char *hostname, UINT port, UINT timeout, bool *cancel_flag, cha p4.Port = port; p4.Timeout = timeout; StrCpy(p4.Hostname, sizeof(p4.Hostname), hostname); - StrCpy(p4.Hostname_Original, sizeof(p4.Hostname_Original), hostname_original); StrCpy(p4.HintStr, sizeof(p4.HintStr), hint_str); p4.No_Get_Hostname = no_get_hostname; p4.CancelFlag = &cancel_flag2; diff --git a/src/Mayaqua/Network.h b/src/Mayaqua/Network.h index 3475744b..d0b3be4a 100644 --- a/src/Mayaqua/Network.h +++ b/src/Mayaqua/Network.h @@ -802,7 +802,6 @@ struct CONNECT_SERIAL_PARAM UINT Port; UINT Timeout; char Hostname[MAX_SIZE]; - char Hostname_Original[MAX_SIZE]; char HintStr[MAX_SIZE]; bool No_Get_Hostname; bool *CancelFlag; @@ -1085,6 +1084,7 @@ SOCK *ConnectEx(char *hostname, UINT port, UINT timeout); SOCK *ConnectEx2(char *hostname, UINT port, UINT timeout, bool *cancel_flag); SOCK *ConnectEx3(char *hostname, UINT port, UINT timeout, bool *cancel_flag, char *nat_t_svc_name, UINT *nat_t_error_code, bool try_start_ssl, bool no_get_hostname); SOCK *ConnectEx4(char *hostname, UINT port, UINT timeout, bool *cancel_flag, char *nat_t_svc_name, UINT *nat_t_error_code, bool try_start_ssl, bool no_get_hostname, IP *ret_ip); +SOCK *ConnectEx5(char *hostname, UINT port, UINT timeout, bool *cancel_flag, char *nat_t_svc_name, UINT *nat_t_error_code, bool try_start_ssl, bool no_get_hostname, char *hint_str, IP *ret_ip); SOCKET ConnectTimeoutIPv4(IP *ip, UINT port, UINT timeout, bool *cancel_flag); bool SetSocketBufferSize(SOCKET s, bool send, UINT size); UINT SetSocketBufferSizeWithBestEffort(SOCKET s, bool send, UINT size); From 1c1560f6ca8b20f5b2d3465e6fd688c78d3c63d4 Mon Sep 17 00:00:00 2001 
From: Yihong Wu <54519668+domosekai@users.noreply.github.com> Date: Fri, 17 Dec 2021 19:06:55 +0800 Subject: [PATCH 5/7] Apply security level override in azure client mode --- src/Cedar/AzureClient.c | 2 ++ src/Mayaqua/Network.c | 14 +++++++------- 2 files changed, 9 insertions(+), 7 deletions(-) diff --git a/src/Cedar/AzureClient.c b/src/Cedar/AzureClient.c index ea6a966c..67d8b7bd 100644 --- a/src/Cedar/AzureClient.c +++ b/src/Cedar/AzureClient.c @@ -103,6 +103,8 @@ void AcWaitForRequest(AZURE_CLIENT *ac, SOCK *s, AZURE_PARAM *param) SetTimeout(ns, param->DataTimeout); + Copy(&ns->SslAcceptSettings, &ac->Cedar->SslAcceptSettings, sizeof(SSL_ACCEPT_SETTINGS)); + if (StartSSLEx(ns, NULL, NULL, 0, NULL)) { // Check certification diff --git a/src/Mayaqua/Network.c b/src/Mayaqua/Network.c index 6370f5e7..6351a869 100644 --- a/src/Mayaqua/Network.c +++ b/src/Mayaqua/Network.c @@ -11719,13 +11719,6 @@ bool StartSSLEx2(SOCK *sock, X *x, K *priv, LIST *chain, UINT ssl_timeout, char } #endif // SSL_OP_NO_TLSv1_3 -#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER) - if (sock->SslAcceptSettings.Override_Security_Level) - { - SSL_CTX_set_security_level(ssl_ctx, sock->SslAcceptSettings.Override_Security_Level_Value); - } -#endif - Unlock(openssl_lock); if (chain == NULL) { @@ -11748,6 +11741,13 @@ bool StartSSLEx2(SOCK *sock, X *x, K *priv, LIST *chain, UINT ssl_timeout, char Lock(openssl_lock); } +#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER) + if (sock->SslAcceptSettings.Override_Security_Level) + { + SSL_CTX_set_security_level(ssl_ctx, sock->SslAcceptSettings.Override_Security_Level_Value); + } +#endif + sock->ssl = SSL_new(ssl_ctx); SSL_set_fd(sock->ssl, (int)sock->socket); From f94ac6351efc02639e67696fba4f3b66a09a67a9 Mon Sep 17 00:00:00 2001 
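Review bot: Moving the `SSL_CTX_set_security_level` override from before the certificate/chain setup to after it changes what the override applies to: as far as I can tell OpenSSL also enforces the security level when a certificate is installed (`SSL_CTX_use_certificate` and the chain calls), so a certificate or key that only loaded because the level was lowered would now be rejected at load time, before the override runs. If the aim is to reach the client-mode path that the old position did not cover, applying the override in both places, or right after the context is created, would keep the old server-mode behaviour; the hunks do not show which branch the old position was in. The relocation deserves a comment such as `// Applied after the context is fully set up so it covers both server and client mode`. StartSSLEx2 starts and ends outside these hunks.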
From: Yihong Wu <54519668+domosekai@users.noreply.github.com> Date: Fri, 17 Dec 2021 17:57:23 +0800 Subject: [PATCH 6/7] Implement complete server certificate verification --- src/Cedar/Admin.c | 5 + src/Cedar/Admin.h | 1 + src/Cedar/CM.c | 16 + src/Cedar/CMInner.h | 1 + src/Cedar/Cedar.h | 1 + src/Cedar/Client.c | 17 +- src/Cedar/Client.h | 3 + src/Cedar/Command.c | 550 ++++++++++++++++------------- src/Cedar/Command.h | 5 + src/Cedar/Link.h | 1 + src/Cedar/Protocol.c | 191 ++++------ src/Cedar/Protocol.h | 4 +- src/Cedar/SM.c | 1 + src/Cedar/Server.c | 2 + src/Cedar/Session.c | 61 +++- src/Cedar/Session.h | 1 + src/Cedar/WinUi.c | 8 +- src/Cedar/WinUi.h | 4 +- src/Mayaqua/MayaType.h | 1 + src/Mayaqua/Network.c | 141 ++++++-- src/Mayaqua/Network.h | 17 +- src/PenCore/PenCore.rc | 15 +- src/PenCore/resource.h | 3 +- src/bin/hamcore/strtable_cn.stb | 35 +- src/bin/hamcore/strtable_en.stb | 32 ++ src/bin/hamcore/strtable_ja.stb | 33 +- src/bin/hamcore/strtable_ko.stb | 32 +- src/bin/hamcore/strtable_pt_br.stb | 31 ++ src/bin/hamcore/strtable_ru.stb | 32 ++ src/bin/hamcore/strtable_tw.stb | 35 +- 30 files changed, 868 insertions(+), 411 deletions(-) diff --git a/src/Cedar/Admin.c b/src/Cedar/Admin.c index bf6cef0c..2c7d62c1 100644 --- a/src/Cedar/Admin.c +++ b/src/Cedar/Admin.c @@ -7350,6 +7350,7 @@ UINT StGetLink(ADMIN *a, RPC_CREATE_LINK *t) Copy(&t->Policy, k->Policy, sizeof(POLICY)); t->CheckServerCert = k->CheckServerCert; + t->AddDefaultCA = k->AddDefaultCA; t->ServerCert = CloneX(k->ServerCert); } Unlock(k->lock); @@ -7465,6 +7466,7 @@ UINT StSetLink(ADMIN *a, RPC_CREATE_LINK *t) k->Option->RequireMonitorMode = false; // Disable monitor mode k->CheckServerCert = t->CheckServerCert; + k->AddDefaultCA = t->AddDefaultCA; k->ServerCert = CloneX(t->ServerCert); } Unlock(k->lock); 
@@ -7561,6 +7563,7 @@ UINT StCreateLink(ADMIN *a, RPC_CREATE_LINK *t) // setting of verifying server certification // k->CheckServerCert = t->CheckServerCert; + k->AddDefaultCA = t->AddDefaultCA; k->ServerCert = CloneX(t->ServerCert); // stay this off-line @@ -13635,6 +13638,7 @@ void InRpcCreateLink(RPC_CREATE_LINK *t, PACK *p) InRpcPolicy(&t->Policy, p); t->CheckServerCert = PackGetBool(p, "CheckServerCert"); + t->AddDefaultCA = PackGetBool(p, "AddDefaultCA"); b = PackGetBuf(p, "ServerCert"); if (b != NULL) { @@ -13657,6 +13661,7 @@ void OutRpcCreateLink(PACK *p, RPC_CREATE_LINK *t) OutRpcPolicy(p, &t->Policy); PackAddBool(p, "CheckServerCert", t->CheckServerCert); + PackAddBool(p, "AddDefaultCA", t->AddDefaultCA); if (t->ServerCert != NULL) { BUF *b; diff --git a/src/Cedar/Admin.h b/src/Cedar/Admin.h index 89f97e39..e6e5faaf 100644 --- a/src/Cedar/Admin.h +++ b/src/Cedar/Admin.h @@ -436,6 +436,7 @@ struct RPC_CREATE_LINK CLIENT_AUTH *ClientAuth; // Client authentication data POLICY Policy; // Policy bool CheckServerCert; // Validate the server certificate + bool AddDefaultCA; // Use default trust store X *ServerCert; // Server certificate }; diff --git a/src/Cedar/CM.c b/src/Cedar/CM.c index 4ca4cc37..71b4c433 100644 --- a/src/Cedar/CM.c +++ b/src/Cedar/CM.c @@ -6022,6 +6022,7 @@ void CmExportAccount(HWND hWnd, wchar_t *account_name) t.StartupAccount = a->Startup; t.CheckServerCert = a->CheckServerCert; t.RetryOnServerCert = a->RetryOnServerCert; + t.AddDefaultCA = a->AddDefaultCA; t.ServerCert = a->ServerCert; t.ClientOption->FromAdminPack = false; @@ -6161,6 +6162,7 @@ void CmImportAccountMainEx(HWND hWnd, wchar_t *filename, bool overwrite) t->StartupAccount = get.StartupAccount; t->CheckServerCert = get.CheckServerCert; t->RetryOnServerCert = get.RetryOnServerCert; + t->AddDefaultCA = get.AddDefaultCA; if (t->ServerCert != NULL) { FreeX(t->ServerCert); 
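Review bot: `t->AddDefaultCA = PackGetBool(p, "AddDefaultCA");` in InRpcCreateLink makes the flag false whenever the peer does not send it, so an older vpncmd or management tool editing a cascade through StSetLink (hunk on the previous line) will silently reset AddDefaultCA to false on every save; that is the fail-safe direction, less trust rather than more, but it deserves a comment such as `// Absent from packs sent by older tools; defaults to false (system trust store not used)`. If the reset is not intended, StSetLink would need to keep the stored value when the element is missing, which a bare PackGetBool cannot distinguish; whether the PACK API exposes presence is outside this hunk. InRpcCreateLink starts outside the hunk.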
@@ -6270,6 +6272,7 @@ void CmCopyAccount(HWND hWnd, wchar_t *account_name) } c.CheckServerCert = a->CheckServerCert; c.RetryOnServerCert = a->RetryOnServerCert; + c.AddDefaultCA = a->AddDefaultCA; c.StartupAccount = false; // Don't copy the startup attribute CALL(hWnd, CcCreateAccount(cm->Client, &c)); @@ -6686,9 +6689,13 @@ void CmEditAccountDlgUpdate(HWND hWnd, CM_ACCOUNT *a) // To validate the server certificate a->CheckServerCert = IsChecked(hWnd, R_CHECK_CERT); + // Trust default CA list + a->AddDefaultCA = IsChecked(hWnd, R_TRUST_DEFAULT); + if (a->NatMode) { Disable(hWnd, R_CHECK_CERT); + Disable(hWnd, R_TRUST_DEFAULT); Disable(hWnd, B_TRUST); } @@ -7031,6 +7038,7 @@ void CmEditAccountDlgUpdate(HWND hWnd, CM_ACCOUNT *a) SetEnable(hWnd, S_STATIC7, false); SetEnable(hWnd, S_STATIC11, false); SetEnable(hWnd, R_CHECK_CERT, false); + SetEnable(hWnd, R_TRUST_DEFAULT, false); SetEnable(hWnd, B_TRUST, false); SetEnable(hWnd, B_SERVER_CERT, false); SetEnable(hWnd, B_VIEW_SERVER_CERT, false); @@ -7132,6 +7140,9 @@ void CmEditAccountDlgInit(HWND hWnd, CM_ACCOUNT *a) // Verify the server certificate Check(hWnd, R_CHECK_CERT, a->CheckServerCert); + // Trust default CA list + Check(hWnd, R_TRUST_DEFAULT, a->AddDefaultCA); + // LAN card list if (a->NatMode == false && a->LinkMode == false) { @@ -7364,6 +7375,7 @@ UINT CmEditAccountDlgProc(HWND hWnd, UINT msg, WPARAM wParam, LPARAM lParam, voi case R_HTTPS: case R_SOCKS: case R_CHECK_CERT: + case R_TRUST_DEFAULT: case C_TYPE: case E_USERNAME: case E_PASSWORD: @@ -8770,6 +8782,7 @@ void CmEditAccountDlgOnOk(HWND hWnd, CM_ACCOUNT *a) Copy(c.ClientOption, a->ClientOption, sizeof(CLIENT_OPTION)); c.ClientAuth = CopyClientAuth(a->ClientAuth); c.CheckServerCert = a->CheckServerCert; + c.AddDefaultCA = a->AddDefaultCA; if (a->ServerCert != NULL) { c.ServerCert = CloneX(a->ServerCert); 
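Review bot: `a->AddDefaultCA = IsChecked(hWnd, R_TRUST_DEFAULT);` is read, and the new checkbox left enabled, independently of R_CHECK_CERT, although elsewhere in this patch (PsCascadeGet) the flag is only reported when CheckServerCert is set, which suggests it has no effect unless server-certificate checking is on. If that is the case, the edit dialog should grey the checkbox out when verification is off, e.g. `SetEnable(hWnd, R_TRUST_DEFAULT, IsChecked(hWnd, R_CHECK_CERT));` next to the existing Disable() calls, so a user cannot tick "trust default CA list" and believe certificates are being validated. CmEditAccountDlgUpdate starts and ends outside the hunk, so the existing enable/disable handling for B_TRUST may already be the right place for this.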
@@ -8823,6 +8836,7 @@ void CmEditAccountDlgOnOk(HWND hWnd, CM_ACCOUNT *a) Copy(t.ClientOption, a->ClientOption, sizeof(CLIENT_OPTION)); t.ClientAuth = CopyClientAuth(a->ClientAuth); t.CheckServerCert = a->CheckServerCert; + t.AddDefaultCA = a->AddDefaultCA; t.ServerCert = CloneX(a->ServerCert); // Save the settings for cascade connection @@ -9015,6 +9029,7 @@ CM_ACCOUNT *CmGetExistAccountObject(HWND hWnd, wchar_t *account_name) a->EditMode = true; a->CheckServerCert = c.CheckServerCert; a->RetryOnServerCert = c.RetryOnServerCert; + a->AddDefaultCA = c.AddDefaultCA; a->Startup = c.StartupAccount; if (c.ServerCert != NULL) { @@ -9045,6 +9060,7 @@ CM_ACCOUNT *CmCreateNewAccountObject(HWND hWnd) a->EditMode = false; a->CheckServerCert = false; a->RetryOnServerCert = false; + a->AddDefaultCA = false; a->Startup = false; a->ClientOption = ZeroMalloc(sizeof(CLIENT_OPTION)); diff --git a/src/Cedar/CMInner.h b/src/Cedar/CMInner.h index e9122b39..e27c3566 100644 --- a/src/Cedar/CMInner.h +++ b/src/Cedar/CMInner.h @@ -140,6 +140,7 @@ typedef struct CM_ACCOUNT bool Startup; // Startup account bool CheckServerCert; // Check the server certificate bool RetryOnServerCert; // Retry on invalid server certificate + bool AddDefaultCA; // Use default trust store X *ServerCert; // Server certificate char old_server_name[MAX_HOST_NAME_LEN + 1]; // Old server name bool Inited; // Initialization flag diff --git a/src/Cedar/Cedar.h b/src/Cedar/Cedar.h index bfbf5083..de9ce01d 100644 --- a/src/Cedar/Cedar.h +++ b/src/Cedar/Cedar.h @@ -869,6 +869,7 @@ #define ERR_VPNGATE_INCLIENT_CANT_STOP 146 // Can not be stopped if operating within VPN Client mode #define ERR_NOT_SUPPORTED_FUNCTION_ON_OPENSOURCE 147 // It is a feature that is not supported in the open source version #define ERR_SUSPENDING 148 // System is suspending +#define ERR_HOSTNAME_MISMATCH 149 // SSL hostname mismatch //////////////////////////// diff --git a/src/Cedar/Client.c b/src/Cedar/Client.c index 0d893f31..2f0c7cc4 100644 
--- a/src/Cedar/Client.c +++ b/src/Cedar/Client.c @@ -1957,6 +1957,7 @@ RPC_CLIENT_CREATE_ACCOUNT *CiCfgToAccount(BUF *b) t->StartupAccount = a->StartupAccount; t->CheckServerCert = a->CheckServerCert; t->RetryOnServerCert = a->RetryOnServerCert; + t->AddDefaultCA = a->AddDefaultCA; t->ServerCert = a->ServerCert; Free(a); @@ -1981,6 +1982,7 @@ BUF *CiAccountToCfg(RPC_CLIENT_CREATE_ACCOUNT *t) a.ClientAuth = t->ClientAuth; a.CheckServerCert = t->CheckServerCert; a.RetryOnServerCert = t->RetryOnServerCert; + a.AddDefaultCA = t->AddDefaultCA; a.ServerCert = t->ServerCert; a.StartupAccount = t->StartupAccount; @@ -4542,6 +4544,7 @@ void InRpcClientCreateAccount(RPC_CLIENT_CREATE_ACCOUNT *c, PACK *p) c->StartupAccount = PackGetInt(p, "StartupAccount") ? true : false; c->CheckServerCert = PackGetInt(p, "CheckServerCert") ? true : false; c->RetryOnServerCert = PackGetInt(p, "RetryOnServerCert") ? true : false; + c->AddDefaultCA = PackGetInt(p, "AddDefaultCA") ? true : false; b = PackGetBuf(p, "ServerCert"); if (b != NULL) { @@ -4565,6 +4568,7 @@ void OutRpcClientCreateAccount(PACK *p, RPC_CLIENT_CREATE_ACCOUNT *c) PackAddInt(p, "StartupAccount", c->StartupAccount); PackAddInt(p, "CheckServerCert", c->CheckServerCert); PackAddInt(p, "RetryOnServerCert", c->RetryOnServerCert); + PackAddInt(p, "AddDefaultCA", c->AddDefaultCA); if (c->ServerCert != NULL) { b = XToBuf(c->ServerCert, false); @@ -4715,6 +4719,7 @@ void InRpcClientGetAccount(RPC_CLIENT_GET_ACCOUNT *c, PACK *p) c->StartupAccount = PackGetInt(p, "StartupAccount") ? true : false; c->CheckServerCert = PackGetInt(p, "CheckServerCert") ? true : false; c->RetryOnServerCert = PackGetInt(p, "RetryOnServerCert") ? true : false; + c->AddDefaultCA = PackGetInt(p, "AddDefaultCA") ? true : false; b = PackGetBuf(p, "ServerCert"); if (b != NULL) { 
@@ -4744,6 +4749,7 @@ void OutRpcClientGetAccount(PACK *p, RPC_CLIENT_GET_ACCOUNT *c) PackAddInt(p, "StartupAccount", c->StartupAccount); PackAddInt(p, "CheckServerCert", c->CheckServerCert); PackAddInt(p, "RetryOnServerCert", c->RetryOnServerCert); + PackAddInt(p, "AddDefaultCA", c->AddDefaultCA); if (c->ServerCert != NULL) { @@ -6467,9 +6473,9 @@ bool CtConnect(CLIENT *c, RPC_CLIENT_CONNECT *connect) // Register a procedure for secure device authentication r->ClientAuth->SecureSignProc = CiSecureSignProc; } - else if (r->ClientAuth->AuthType == CLIENT_AUTHTYPE_OPENSSLENGINE) + else if (r->ClientAuth->AuthType == CLIENT_AUTHTYPE_OPENSSLENGINE) { - /* r->ClientAuth->ClientK = OpensslEngineToK("asdf"); */ + /* r->ClientAuth->ClientK = OpensslEngineToK("asdf"); */ r->ClientAuth->SecureSignProc = NULL; } else @@ -6639,6 +6645,7 @@ bool CtGetAccount(CLIENT *c, RPC_CLIENT_GET_ACCOUNT *a) a->CheckServerCert = r->CheckServerCert; a->RetryOnServerCert = r->RetryOnServerCert; + a->AddDefaultCA = r->AddDefaultCA; a->ServerCert = NULL; if (r->ServerCert != NULL) { @@ -7173,6 +7180,7 @@ bool CtSetAccount(CLIENT *c, RPC_CLIENT_CREATE_ACCOUNT *a, bool inner) ret->CheckServerCert = a->CheckServerCert; ret->RetryOnServerCert = a->RetryOnServerCert; + ret->AddDefaultCA = a->AddDefaultCA; if (a->ServerCert != NULL) { @@ -7272,6 +7280,7 @@ bool CtCreateAccount(CLIENT *c, RPC_CLIENT_CREATE_ACCOUNT *a, bool inner) new_account->CheckServerCert = a->CheckServerCert; new_account->RetryOnServerCert = a->RetryOnServerCert; + new_account->AddDefaultCA = a->AddDefaultCA; if (a->ServerCert != NULL) { new_account->ServerCert = CloneX(a->ServerCert); 
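Review bot: The @@ -6467 hunk in CtConnect changes only the leading whitespace of `else if (r->ClientAuth->AuthType == CLIENT_AUTHTYPE_OPENSSLENGINE)` and of the commented-out `OpensslEngineToK` line, which has nothing to do with server-certificate verification. Whitespace-only edits in unrelated functions make a security-relevant patch harder to audit and are best dropped or moved to a separate cleanup commit. If the lines are touched at all, the dead `/* r->ClientAuth->ClientK = OpensslEngineToK("asdf"); */` comment could simply be deleted rather than re-indented.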
@@ -9336,6 +9345,7 @@ ACCOUNT *CiLoadClientAccount(FOLDER *f) a->StartupAccount = CfgGetBool(f, "StartupAccount"); a->CheckServerCert = CfgGetBool(f, "CheckServerCert"); a->RetryOnServerCert = CfgGetBool(f, "RetryOnServerCert"); + a->AddDefaultCA = CfgGetBool(f, "AddDefaultCA"); a->CreateDateTime = CfgGetInt64(f, "CreateDateTime"); a->UpdateDateTime = CfgGetInt64(f, "UpdateDateTime"); a->LastConnectDateTime = CfgGetInt64(f, "LastConnectDateTime"); @@ -9974,6 +9984,9 @@ void CiWriteAccountData(FOLDER *f, ACCOUNT *a) // Retry on invalid server certificate flag CfgAddBool(f, "RetryOnServerCert", a->RetryOnServerCert); + // Add default SSL trust store + CfgAddBool(f, "AddDefaultCA", a->AddDefaultCA); + // Date and time CfgAddInt64(f, "CreateDateTime", a->CreateDateTime); CfgAddInt64(f, "UpdateDateTime", a->UpdateDateTime); diff --git a/src/Cedar/Client.h b/src/Cedar/Client.h index b7198ac5..533996d9 100644 --- a/src/Cedar/Client.h +++ b/src/Cedar/Client.h @@ -61,6 +61,7 @@ struct ACCOUNT CLIENT_AUTH *ClientAuth; // Client authentication data bool CheckServerCert; // Check the server certificate bool RetryOnServerCert; // Retry on invalid server certificate + bool AddDefaultCA; // Use default trust store X *ServerCert; // Server certificate bool StartupAccount; // Start-up account UCHAR ShortcutKey[SHA1_SIZE]; // Key @@ -239,6 +240,7 @@ struct RPC_CLIENT_CREATE_ACCOUNT bool StartupAccount; // Startup account bool CheckServerCert; // Checking of the server certificate bool RetryOnServerCert; // Retry on invalid server certificate + bool AddDefaultCA; // Use default trust store X *ServerCert; // Server certificate UCHAR ShortcutKey[SHA1_SIZE]; // Shortcut Key }; 
@@ -292,6 +294,7 @@ struct RPC_CLIENT_GET_ACCOUNT bool StartupAccount; // Startup account bool CheckServerCert; // Check the server certificate bool RetryOnServerCert; // Retry on invalid server certificate + bool AddDefaultCA; // Use default trust store X *ServerCert; // Server certificate UCHAR ShortcutKey[SHA1_SIZE]; // Shortcut Key UINT64 CreateDateTime; // Creation date and time (Ver 3.0 or later) diff --git a/src/Cedar/Command.c b/src/Cedar/Command.c index d9f885e1..ece3ba01 100644 --- a/src/Cedar/Command.c +++ b/src/Cedar/Command.c @@ -3109,6 +3109,8 @@ void PcMain(PC *pc) {"AccountServerCertDisable", PcAccountServerCertDisable}, {"AccountRetryOnServerCertEnable", PcAccountRetryOnServerCertEnable}, {"AccountRetryOnServerCertDisable", PcAccountRetryOnServerCertDisable}, + {"AccountDefaultCAEnable", PcAccountDefaultCAEnable}, + {"AccountDefaultCADisable", PcAccountDefaultCADisable}, {"AccountServerCertSet", PcAccountServerCertSet}, {"AccountServerCertDelete", PcAccountServerCertDelete}, {"AccountServerCertGet", PcAccountServerCertGet}, @@ -4293,6 +4295,26 @@ UINT PcAccountCreate(CONSOLE *c, char *cmd_name, wchar_t *str, void *param) return ret; } +// Setup a RPC_CLIENT_CREATE_ACCOUNT from a RPC_CLIENT_GET_ACCOUNT +void SetRpcClientCreateAccountFromGetAccount(RPC_CLIENT_CREATE_ACCOUNT *c, RPC_CLIENT_GET_ACCOUNT *t) +{ + if (c == NULL || t == NULL) + { + return; + } + + Zero(c, sizeof(RPC_CLIENT_CREATE_ACCOUNT)); + + // Copy reference + c->ClientAuth = t->ClientAuth; + c->ClientOption = t->ClientOption; + c->CheckServerCert = t->CheckServerCert; + c->RetryOnServerCert = t->RetryOnServerCert; + c->AddDefaultCA = t->AddDefaultCA; + c->ServerCert = t->ServerCert; + c->StartupAccount = t->StartupAccount; +} + // Set the destination of the connection settings UINT PcAccountSet(CONSOLE *c, char *cmd_name, wchar_t *str, void *param) { 
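Review bot: SetRpcClientCreateAccountFromGetAccount performs a shallow copy — after it runs, `c->ClientAuth`, `c->ClientOption` and `c->ServerCert` alias the buffers owned by `t` — but the header comment says only "Setup a RPC_CLIENT_CREATE_ACCOUNT from a RPC_CLIENT_GET_ACCOUNT", so a future caller could free both structs and double-free. The existing call sites release only `t` via CiFreeClientGetAccount, so that contract should be spelled out above the function: `// Shallow copy: c borrows t's ClientAuth/ClientOption/ServerCert. Release t with CiFreeClientGetAccount only; never free c's pointers separately.` Since the function is non-static and (per the diffstat) declared in Command.h, the same sentence belongs on its declaration.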
@@ -4336,14 +4358,7 @@ UINT PcAccountSet(CONSOLE *c, char *cmd_name, wchar_t *str, void *param) t.ClientOption->HintStr[0] = 0; StrCpy(t.ClientOption->HubName, sizeof(t.ClientOption->HubName), GetParamStr(o, "HUB")); - Zero(&c, sizeof(c)); - - c.ClientAuth = t.ClientAuth; - c.ClientOption = t.ClientOption; - c.CheckServerCert = t.CheckServerCert; - c.RetryOnServerCert = t.RetryOnServerCert; - c.ServerCert = t.ServerCert; - c.StartupAccount = t.StartupAccount; + SetRpcClientCreateAccountFromGetAccount(&c, &t); ret = CcSetAccount(pc->RemoteClient, &c); } @@ -4456,6 +4471,8 @@ UINT PcAccountGet(CONSOLE *c, char *cmd_name, wchar_t *str, void *param) { CtInsert(ct, _UU("CMD_ACCOUNT_COLUMN_RETRY_ON_SERVER_CERT"), t.RetryOnServerCert ? _UU("CMD_MSG_ENABLE") : _UU("CMD_MSG_DISABLE")); + CtInsert(ct, _UU("CMD_ACCOUNT_COLUMN_ADD_DEFAULT_CA"), + t.AddDefaultCA ? _UU("CMD_MSG_ENABLE") : _UU("CMD_MSG_DISABLE")); } // Device name to be used for the connection @@ -4630,13 +4647,7 @@ UINT PcAccountUsernameSet(CONSOLE *c, char *cmd_name, wchar_t *str, void *param) c->Write(c, _UU("CMD_AccountUsername_Notice")); } - Zero(&z, sizeof(z)); - z.CheckServerCert = t.CheckServerCert; - z.RetryOnServerCert = t.RetryOnServerCert; - z.ClientAuth = t.ClientAuth; - z.ClientOption = t.ClientOption; - z.ServerCert = t.ServerCert; - z.StartupAccount = t.StartupAccount; + SetRpcClientCreateAccountFromGetAccount(&z, &t); ret = CcSetAccount(pc->RemoteClient, &z); } @@ -4688,13 +4699,7 @@ UINT PcAccountAnonymousSet(CONSOLE *c, char *cmd_name, wchar_t *str, void *param // Change the settings t.ClientAuth->AuthType = CLIENT_AUTHTYPE_ANONYMOUS; - Zero(&z, sizeof(z)); - z.CheckServerCert = t.CheckServerCert; - z.RetryOnServerCert = t.RetryOnServerCert; - z.ClientAuth = t.ClientAuth; - z.ClientOption = t.ClientOption; - z.ServerCert = t.ServerCert; - z.StartupAccount = t.StartupAccount; + SetRpcClientCreateAccountFromGetAccount(&z, &t); ret = CcSetAccount(pc->RemoteClient, &z); } 
@@ -4770,13 +4775,7 @@ UINT PcAccountPasswordSet(CONSOLE *c, char *cmd_name, wchar_t *str, void *param) if (ret == ERR_NO_ERROR) { - Zero(&z, sizeof(z)); - z.CheckServerCert = t.CheckServerCert; - z.RetryOnServerCert = t.RetryOnServerCert; - z.ClientAuth = t.ClientAuth; - z.ClientOption = t.ClientOption; - z.ServerCert = t.ServerCert; - z.StartupAccount = t.StartupAccount; + SetRpcClientCreateAccountFromGetAccount(&z, &t); ret = CcSetAccount(pc->RemoteClient, &z); } @@ -4849,13 +4848,7 @@ UINT PcAccountCertSet(CONSOLE *c, char *cmd_name, wchar_t *str, void *param) t.ClientAuth->ClientX = CloneX(x); t.ClientAuth->ClientK = CloneK(k); - Zero(&z, sizeof(z)); - z.CheckServerCert = t.CheckServerCert; - z.RetryOnServerCert = t.RetryOnServerCert; - z.ClientAuth = t.ClientAuth; - z.ClientOption = t.ClientOption; - z.ServerCert = t.ServerCert; - z.StartupAccount = t.StartupAccount; + SetRpcClientCreateAccountFromGetAccount(&z, &t); ret = CcSetAccount(pc->RemoteClient, &z); } @@ -4970,13 +4963,7 @@ UINT PcAccountEncryptDisable(CONSOLE *c, char *cmd_name, wchar_t *str, void *par // Change the settings t.ClientOption->UseEncrypt = false; - Zero(&z, sizeof(z)); - z.CheckServerCert = t.CheckServerCert; - z.RetryOnServerCert = t.RetryOnServerCert; - z.ClientAuth = t.ClientAuth; - z.ClientOption = t.ClientOption; - z.ServerCert = t.ServerCert; - z.StartupAccount = t.StartupAccount; + SetRpcClientCreateAccountFromGetAccount(&z, &t); ret = CcSetAccount(pc->RemoteClient, &z); } @@ -5028,13 +5015,7 @@ UINT PcAccountEncryptEnable(CONSOLE *c, char *cmd_name, wchar_t *str, void *para // Change the settings t.ClientOption->UseEncrypt = true; - Zero(&z, sizeof(z)); - z.CheckServerCert = t.CheckServerCert; - z.RetryOnServerCert = t.RetryOnServerCert; - z.ClientAuth = t.ClientAuth; - z.ClientOption = t.ClientOption; - z.ServerCert = t.ServerCert; - z.StartupAccount = t.StartupAccount; + SetRpcClientCreateAccountFromGetAccount(&z, &t); ret = CcSetAccount(pc->RemoteClient, &z); } 
@@ -5086,13 +5067,7 @@ UINT PcAccountCompressEnable(CONSOLE *c, char *cmd_name, wchar_t *str, void *par // Change the settings t.ClientOption->UseCompress = true; - Zero(&z, sizeof(z)); - z.CheckServerCert = t.CheckServerCert; - z.RetryOnServerCert = t.RetryOnServerCert; - z.ClientAuth = t.ClientAuth; - z.ClientOption = t.ClientOption; - z.ServerCert = t.ServerCert; - z.StartupAccount = t.StartupAccount; + SetRpcClientCreateAccountFromGetAccount(&z, &t); ret = CcSetAccount(pc->RemoteClient, &z); } @@ -5144,13 +5119,7 @@ UINT PcAccountCompressDisable(CONSOLE *c, char *cmd_name, wchar_t *str, void *pa // Change the settings t.ClientOption->UseCompress = false; - Zero(&z, sizeof(z)); - z.CheckServerCert = t.CheckServerCert; - z.RetryOnServerCert = t.RetryOnServerCert; - z.ClientAuth = t.ClientAuth; - z.ClientOption = t.ClientOption; - z.ServerCert = t.ServerCert; - z.StartupAccount = t.StartupAccount; + SetRpcClientCreateAccountFromGetAccount(&z, &t); ret = CcSetAccount(pc->RemoteClient, &z); } @@ -5225,13 +5194,7 @@ UINT PcAccountHttpHeaderAdd(CONSOLE *c, char *cmd_name, wchar_t *str, void *para if ((StrLen(s) + StrLen(t.ClientOption->CustomHttpHeader)) < sizeof(t.ClientOption->CustomHttpHeader)) { StrCat(t.ClientOption->CustomHttpHeader, sizeof(s), s); - Zero(&z, sizeof(z)); - z.CheckServerCert = t.CheckServerCert; - z.RetryOnServerCert = t.RetryOnServerCert; - z.ClientAuth = t.ClientAuth; - z.ClientOption = t.ClientOption; - z.ServerCert = t.ServerCert; - z.StartupAccount = t.StartupAccount; + SetRpcClientCreateAccountFromGetAccount(&z, &t); ret = CcSetAccount(pc->RemoteClient, &z); } 
@@ -5296,13 +5259,7 @@ UINT PcAccountHttpHeaderDelete(CONSOLE *c, char *cmd_name, wchar_t *str, void *p RPC_CLIENT_CREATE_ACCOUNT z; char *value = GetParamStr(o, "NAME"); - Zero(&z, sizeof(z)); - z.CheckServerCert = t.CheckServerCert; - z.RetryOnServerCert = t.RetryOnServerCert; - z.ClientAuth = t.ClientAuth; - z.ClientOption = t.ClientOption; - z.ServerCert = t.ServerCert; - z.StartupAccount = t.StartupAccount; + SetRpcClientCreateAccountFromGetAccount(&z, &t); Zero(z.ClientOption->CustomHttpHeader, sizeof(z.ClientOption->CustomHttpHeader)); @@ -5422,13 +5379,7 @@ UINT PcAccountProxyNone(CONSOLE *c, char *cmd_name, wchar_t *str, void *param) // Change the settings t.ClientOption->ProxyType = PROXY_DIRECT; - Zero(&z, sizeof(z)); - z.CheckServerCert = t.CheckServerCert; - z.RetryOnServerCert = t.RetryOnServerCert; - z.ClientAuth = t.ClientAuth; - z.ClientOption = t.ClientOption; - z.ServerCert = t.ServerCert; - z.StartupAccount = t.StartupAccount; + SetRpcClientCreateAccountFromGetAccount(&z, &t); ret = CcSetAccount(pc->RemoteClient, &z); } @@ -5494,13 +5445,7 @@ UINT PcAccountProxyHttp(CONSOLE *c, char *cmd_name, wchar_t *str, void *param) Free(host); } - Zero(&z, sizeof(z)); - z.CheckServerCert = t.CheckServerCert; - z.RetryOnServerCert = t.RetryOnServerCert; - z.ClientAuth = t.ClientAuth; - z.ClientOption = t.ClientOption; - z.ServerCert = t.ServerCert; - z.StartupAccount = t.StartupAccount; + SetRpcClientCreateAccountFromGetAccount(&z, &t); ret = CcSetAccount(pc->RemoteClient, &z); } @@ -5566,13 +5511,7 @@ UINT PcAccountProxySocks(CONSOLE *c, char *cmd_name, wchar_t *str, void *param) Free(host); } - Zero(&z, sizeof(z)); - z.CheckServerCert = t.CheckServerCert; - z.RetryOnServerCert = t.RetryOnServerCert; - z.ClientAuth = t.ClientAuth; - z.ClientOption = t.ClientOption; - z.ServerCert = t.ServerCert; - z.StartupAccount = t.StartupAccount; + SetRpcClientCreateAccountFromGetAccount(&z, &t); ret = CcSetAccount(pc->RemoteClient, &z); } 
@@ -5638,13 +5577,7 @@ UINT PcAccountProxySocks5(CONSOLE *c, char *cmd_name, wchar_t *str, void *param) Free(host); } - Zero(&z, sizeof(z)); - z.CheckServerCert = t.CheckServerCert; - z.RetryOnServerCert = t.RetryOnServerCert; - z.ClientAuth = t.ClientAuth; - z.ClientOption = t.ClientOption; - z.ServerCert = t.ServerCert; - z.StartupAccount = t.StartupAccount; + SetRpcClientCreateAccountFromGetAccount(&z, &t); ret = CcSetAccount(pc->RemoteClient, &z); } @@ -5696,13 +5629,7 @@ UINT PcAccountServerCertEnable(CONSOLE *c, char *cmd_name, wchar_t *str, void *p // Change the settings t.CheckServerCert = true; - Zero(&z, sizeof(z)); - z.CheckServerCert = t.CheckServerCert; - z.RetryOnServerCert = t.RetryOnServerCert; - z.ClientAuth = t.ClientAuth; - z.ClientOption = t.ClientOption; - z.ServerCert = t.ServerCert; - z.StartupAccount = t.StartupAccount; + SetRpcClientCreateAccountFromGetAccount(&z, &t); ret = CcSetAccount(pc->RemoteClient, &z); } @@ -5754,13 +5681,7 @@ UINT PcAccountServerCertDisable(CONSOLE *c, char *cmd_name, wchar_t *str, void * // Change the settings t.CheckServerCert = false; - Zero(&z, sizeof(z)); - z.CheckServerCert = t.CheckServerCert; - z.RetryOnServerCert = t.RetryOnServerCert; - z.ClientAuth = t.ClientAuth; - z.ClientOption = t.ClientOption; - z.ServerCert = t.ServerCert; - z.StartupAccount = t.StartupAccount; + SetRpcClientCreateAccountFromGetAccount(&z, &t); ret = CcSetAccount(pc->RemoteClient, &z); } @@ -5812,13 +5733,7 @@ UINT PcAccountRetryOnServerCertEnable(CONSOLE *c, char *cmd_name, wchar_t *str, // Change the settings t.RetryOnServerCert = true; - Zero(&z, sizeof(z)); - z.CheckServerCert = t.CheckServerCert; - z.RetryOnServerCert = t.RetryOnServerCert; - z.ClientAuth = t.ClientAuth; - z.ClientOption = t.ClientOption; - z.ServerCert = t.ServerCert; - z.StartupAccount = t.StartupAccount; + SetRpcClientCreateAccountFromGetAccount(&z, &t); ret = CcSetAccount(pc->RemoteClient, &z); } 
@@ -5870,13 +5785,111 @@ UINT PcAccountRetryOnServerCertDisable(CONSOLE *c, char *cmd_name, wchar_t *str, // Change the settings t.RetryOnServerCert = false; - Zero(&z, sizeof(z)); - z.CheckServerCert = t.CheckServerCert; - z.RetryOnServerCert = t.RetryOnServerCert; - z.ClientAuth = t.ClientAuth; - z.ClientOption = t.ClientOption; - z.ServerCert = t.ServerCert; - z.StartupAccount = t.StartupAccount; + SetRpcClientCreateAccountFromGetAccount(&z, &t); + + ret = CcSetAccount(pc->RemoteClient, &z); + } + + if (ret != ERR_NO_ERROR) + { + // Error has occurred + CmdPrintError(c, ret); + } + + CiFreeClientGetAccount(&t); + + // Release of the parameter list + FreeParamValueList(o); + + return ret; +} + +// Enable trusting default CA list +UINT PcAccountDefaultCAEnable(CONSOLE *c, char *cmd_name, wchar_t *str, void *param) +{ + LIST *o; + PC *pc = (PC *)param; + UINT ret = ERR_NO_ERROR; + RPC_CLIENT_GET_ACCOUNT t; + // Parameter list that can be specified + PARAM args[] = + { + {"[name]", CmdPrompt, _UU("CMD_AccountCreate_Prompt_Name"), CmdEvalNotEmpty, NULL}, + }; + + // Get the parameter list + o = ParseCommandList(c, cmd_name, str, args, sizeof(args) / sizeof(args[0])); + if (o == NULL) + { + return ERR_INVALID_PARAMETER; + } + + // RPC call + Zero(&t, sizeof(t)); + + UniStrCpy(t.AccountName, sizeof(t.AccountName), GetParamUniStr(o, "[name]")); + + ret = CcGetAccount(pc->RemoteClient, &t); + + if (ret == ERR_NO_ERROR) + { + RPC_CLIENT_CREATE_ACCOUNT z; + // Change the settings + t.AddDefaultCA = true; + + SetRpcClientCreateAccountFromGetAccount(&z, &t); + + ret = CcSetAccount(pc->RemoteClient, &z); + } + + if (ret != ERR_NO_ERROR) + { + // Error has occurred + CmdPrintError(c, ret); + } + + CiFreeClientGetAccount(&t); + + // Release of the parameter list + FreeParamValueList(o); + + return ret; +} + +// Disable trusting default CA list +UINT PcAccountDefaultCADisable(CONSOLE *c, char *cmd_name, wchar_t *str, void *param) +{ + LIST *o; + PC *pc = (PC *)param; + UINT ret 
= ERR_NO_ERROR; + RPC_CLIENT_GET_ACCOUNT t; + // Parameter list that can be specified + PARAM args[] = + { + {"[name]", CmdPrompt, _UU("CMD_AccountCreate_Prompt_Name"), CmdEvalNotEmpty, NULL}, + }; + + // Get the parameter list + o = ParseCommandList(c, cmd_name, str, args, sizeof(args) / sizeof(args[0])); + if (o == NULL) + { + return ERR_INVALID_PARAMETER; + } + + // RPC call + Zero(&t, sizeof(t)); + + UniStrCpy(t.AccountName, sizeof(t.AccountName), GetParamUniStr(o, "[name]")); + + ret = CcGetAccount(pc->RemoteClient, &t); + + if (ret == ERR_NO_ERROR) + { + RPC_CLIENT_CREATE_ACCOUNT z; + // Change the settings + t.AddDefaultCA = false; + + SetRpcClientCreateAccountFromGetAccount(&z, &t); ret = CcSetAccount(pc->RemoteClient, &z); } @@ -5942,13 +5955,7 @@ UINT PcAccountServerCertSet(CONSOLE *c, char *cmd_name, wchar_t *str, void *para } t.ServerCert = CloneX(x); - Zero(&z, sizeof(z)); - z.CheckServerCert = t.CheckServerCert; - z.RetryOnServerCert = t.RetryOnServerCert; - z.ClientAuth = t.ClientAuth; - z.ClientOption = t.ClientOption; - z.ServerCert = t.ServerCert; - z.StartupAccount = t.StartupAccount; + SetRpcClientCreateAccountFromGetAccount(&z, &t); ret = CcSetAccount(pc->RemoteClient, &z); } @@ -6006,13 +6013,7 @@ UINT PcAccountServerCertDelete(CONSOLE *c, char *cmd_name, wchar_t *str, void *p } t.ServerCert = NULL; - Zero(&z, sizeof(z)); - z.CheckServerCert = t.CheckServerCert; - z.RetryOnServerCert = t.RetryOnServerCert; - z.ClientAuth = t.ClientAuth; - z.ClientOption = t.ClientOption; - z.ServerCert = t.ServerCert; - z.StartupAccount = t.StartupAccount; + SetRpcClientCreateAccountFromGetAccount(&z, &t); ret = CcSetAccount(pc->RemoteClient, &z); } 
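Review bot: PcAccountDefaultCAEnable and PcAccountDefaultCADisable are line-for-line identical apart from the literal assigned to `t.AddDefaultCA`, continuing the copy-paste pattern of the older Enable/Disable pairs; folding them into one static helper that takes the value keeps the get/modify/set RPC sequence and the cleanup in a single place. Neither command says anything when CheckServerCert is off for the account, and PsCascadeGet in this same patch only reports AddDefaultCA when CheckServerCert is set, which suggests the flag is inert without it — a short notice in that case (as PcAccountUsernameSet does with CMD_AccountUsername_Notice) would avoid a false sense of validation; whether the connect path already enforces this is not visible from the hunk.
```c
// Shared body of AccountDefaultCAEnable / AccountDefaultCADisable
static UINT PcAccountSetDefaultCA(CONSOLE *c, char *cmd_name, wchar_t *str, void *param, bool enable)
{
	// … unchanged: parameter parsing, Zero(&t), UniStrCpy of [name], CcGetAccount …
	if (ret == ERR_NO_ERROR)
	{
		RPC_CLIENT_CREATE_ACCOUNT z;
		t.AddDefaultCA = enable;
		SetRpcClientCreateAccountFromGetAccount(&z, &t);
		ret = CcSetAccount(pc->RemoteClient, &z);
	}
	// … unchanged: CmdPrintError, CiFreeClientGetAccount, FreeParamValueList, return …
}

UINT PcAccountDefaultCAEnable(CONSOLE *c, char *cmd_name, wchar_t *str, void *param)
{
	return PcAccountSetDefaultCA(c, cmd_name, str, param, true);
}

UINT PcAccountDefaultCADisable(CONSOLE *c, char *cmd_name, wchar_t *str, void *param)
{
	return PcAccountSetDefaultCA(c, cmd_name, str, param, false);
}
```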
@@ -6061,23 +6062,20 @@ UINT PcAccountServerCertGet(CONSOLE *c, char *cmd_name, wchar_t *str, void *para if (ret == ERR_NO_ERROR) { - RPC_CLIENT_CREATE_ACCOUNT z; - // Change the settings - if (t.ServerCert != NULL) + // Save the certificate + if (t.ServerCert == NULL) { - FreeX(t.ServerCert); + c->Write(c, _UU("CMD_CERT_NOT_EXISTS")); + ret = ERR_INTERNAL_ERROR; + } + else + { + if (XToFileW(t.ServerCert, GetParamUniStr(o, "SAVECERT"), true) == false) + { + c->Write(c, _UU("CMD_SAVECERT_FAILED")); + ret = ERR_INTERNAL_ERROR; + } } - t.ServerCert = NULL; - - Zero(&z, sizeof(z)); - z.CheckServerCert = t.CheckServerCert; - z.RetryOnServerCert = t.RetryOnServerCert; - z.ClientAuth = t.ClientAuth; - z.ClientOption = t.ClientOption; - z.ServerCert = t.ServerCert; - z.StartupAccount = t.StartupAccount; - - ret = CcSetAccount(pc->RemoteClient, &z); } if (ret != ERR_NO_ERROR) @@ -6152,12 +6150,7 @@ UINT PcAccountDetailSet(CONSOLE *c, char *cmd_name, wchar_t *str, void *param) t.ClientOption->DisableQoS = GetParamYes(o, "NOQOS"); t.ClientOption->NoUdpAcceleration = GetParamYes(o, "DISABLEUDP"); - Zero(&z, sizeof(z)); - z.CheckServerCert = t.CheckServerCert; - z.ClientAuth = t.ClientAuth; - z.ClientOption = t.ClientOption; - z.ServerCert = t.ServerCert; - z.StartupAccount = t.StartupAccount; + SetRpcClientCreateAccountFromGetAccount(&z, &t); ret = CcSetAccount(pc->RemoteClient, &z); } @@ -6400,14 +6393,7 @@ UINT PcAccountNicSet(CONSOLE *c, char *cmd_name, wchar_t *str, void *param) StrCpy(t.ClientOption->DeviceName, sizeof(t.ClientOption->DeviceName), GetParamStr(o, "NICNAME")); - Zero(&c, sizeof(c)); - - c.ClientAuth = t.ClientAuth; - c.ClientOption = t.ClientOption; - c.CheckServerCert = t.CheckServerCert; - c.RetryOnServerCert = t.RetryOnServerCert; - c.ServerCert = t.ServerCert; - c.StartupAccount = t.StartupAccount; + SetRpcClientCreateAccountFromGetAccount(&c, &t); ret = CcSetAccount(pc->RemoteClient, &c); } 
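Review bot: The new save path in PcAccountServerCertGet passes `GetParamUniStr(o, "SAVECERT")` straight into XToFileW, but this command's `args` table is outside the hunk; if it does not declare SAVECERT (the old body never used it), the parameter is NULL and every invocation ends in CMD_SAVECERT_FAILED. The `true` argument to XToFileW also deserves a comment naming the on-disk format it selects, e.g. `// text=true: write the stored server certificate as PEM` (assuming that is what the flag means — confirm against XToFileW), since that is the file an operator will pin or diff against. Reporting an absent certificate as ERR_INTERNAL_ERROR is also misleading for scripted use; a more specific code, if Cedar.h has one, would be preferable.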
@@ -6459,13 +6445,7 @@ UINT PcAccountStatusShow(CONSOLE *c, char *cmd_name, wchar_t *str, void *param) // Change the settings t.ClientOption->HideStatusWindow = false; - Zero(&z, sizeof(z)); - z.CheckServerCert = t.CheckServerCert; - z.RetryOnServerCert = t.RetryOnServerCert; - z.ClientAuth = t.ClientAuth; - z.ClientOption = t.ClientOption; - z.ServerCert = t.ServerCert; - z.StartupAccount = t.StartupAccount; + SetRpcClientCreateAccountFromGetAccount(&z, &t); ret = CcSetAccount(pc->RemoteClient, &z); } @@ -6517,13 +6497,7 @@ UINT PcAccountStatusHide(CONSOLE *c, char *cmd_name, wchar_t *str, void *param) // Change the settings t.ClientOption->HideStatusWindow = true; - Zero(&z, sizeof(z)); - z.CheckServerCert = t.CheckServerCert; - z.RetryOnServerCert = t.RetryOnServerCert; - z.ClientAuth = t.ClientAuth; - z.ClientOption = t.ClientOption; - z.ServerCert = t.ServerCert; - z.StartupAccount = t.StartupAccount; + SetRpcClientCreateAccountFromGetAccount(&z, &t); ret = CcSetAccount(pc->RemoteClient, &z); } @@ -6581,13 +6555,7 @@ UINT PcAccountSecureCertSet(CONSOLE *c, char *cmd_name, wchar_t *str, void *para StrCpy(t.ClientAuth->SecurePrivateKeyName, sizeof(t.ClientAuth->SecurePrivateKeyName), GetParamStr(o, "KEYNAME")); - Zero(&z, sizeof(z)); - z.CheckServerCert = t.CheckServerCert; - z.RetryOnServerCert = t.RetryOnServerCert; - z.ClientAuth = t.ClientAuth; - z.ClientOption = t.ClientOption; - z.ServerCert = t.ServerCert; - z.StartupAccount = t.StartupAccount; + SetRpcClientCreateAccountFromGetAccount(&z, &t); ret = CcSetAccount(pc->RemoteClient, &z); } 
@@ -6639,24 +6607,19 @@ UINT PcAccountOpensslEngineCertSet(CONSOLE *c, char *cmd_name, wchar_t *str, voi { RPC_CLIENT_CREATE_ACCOUNT z; t.ClientAuth->AuthType = CLIENT_AUTHTYPE_OPENSSLENGINE; - X *x; - x = FileToXW(GetParamUniStr(o, "LOADCERT")); - if (x == NULL) - { + X *x; + x = FileToXW(GetParamUniStr(o, "LOADCERT")); + if (x == NULL) + { c->Write(c, _UU("CMD_LOADCERT_FAILED")); - } + } StrCpy(t.ClientAuth->OpensslEnginePrivateKeyName, sizeof(t.ClientAuth->OpensslEnginePrivateKeyName), GetParamStr(o, "KEYNAME")); StrCpy(t.ClientAuth->OpensslEngineName, sizeof(t.ClientAuth->OpensslEngineName), GetParamStr(o, "ENGINENAME")); t.ClientAuth->ClientX = CloneX(x); - Zero(&z, sizeof(z)); - z.CheckServerCert = t.CheckServerCert; - z.RetryOnServerCert = t.RetryOnServerCert; - z.ClientAuth = t.ClientAuth; - z.ClientOption = t.ClientOption; - z.ServerCert = t.ServerCert; - z.StartupAccount = t.StartupAccount; + + SetRpcClientCreateAccountFromGetAccount(&z, &t); ret = CcSetAccount(pc->RemoteClient, &z); } @@ -6721,13 +6684,7 @@ UINT PcAccountRetrySet(CONSOLE *c, char *cmd_name, wchar_t *str, void *param) t.ClientOption->NumRetry = (num == 999) ? INFINITE : num; t.ClientOption->RetryInterval = interval; - Zero(&z, sizeof(z)); - z.CheckServerCert = t.CheckServerCert; - z.RetryOnServerCert = t.RetryOnServerCert; - z.ClientAuth = t.ClientAuth; - z.ClientOption = t.ClientOption; - z.ServerCert = t.ServerCert; - z.StartupAccount = t.StartupAccount; + SetRpcClientCreateAccountFromGetAccount(&z, &t); ret = CcSetAccount(pc->RemoteClient, &z); } 
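Review bot: When FileToXW fails, the re-indented block in PcAccountOpensslEngineCertSet only prints CMD_LOADCERT_FAILED and then falls through to `t.ClientAuth->ClientX = CloneX(x);` and CcSetAccount with a NULL certificate, so the account is rewritten with the OpenSSL-engine auth type and no client cert; the problem predates this commit, but the hunk touches exactly those lines. Set `ret = ERR_INTERNAL_ERROR;` after the write and wrap the StrCpy/CloneX/CcSetAccount sequence in an `else` so a failed load leaves the account untouched. If nothing later frees `x` (the function's tail is outside the hunk), add `FreeX(x);` after the CloneX; and `X *x;` declared after a statement is out of step with the top-of-block declarations used elsewhere in this file, so move it up.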
@@ -6780,13 +6737,7 @@ UINT PcAccountStartupSet(CONSOLE *c, char *cmd_name, wchar_t *str, void *param) // Change the settings t.StartupAccount = true; - Zero(&z, sizeof(z)); - z.CheckServerCert = t.CheckServerCert; - z.RetryOnServerCert = t.RetryOnServerCert; - z.ClientAuth = t.ClientAuth; - z.ClientOption = t.ClientOption; - z.ServerCert = t.ServerCert; - z.StartupAccount = t.StartupAccount; + SetRpcClientCreateAccountFromGetAccount(&z, &t); ret = CcSetAccount(pc->RemoteClient, &z); } @@ -6838,13 +6789,7 @@ UINT PcAccountStartupRemove(CONSOLE *c, char *cmd_name, wchar_t *str, void *para // Change the settings t.StartupAccount = false; - Zero(&z, sizeof(z)); - z.CheckServerCert = t.CheckServerCert; - z.RetryOnServerCert = t.RetryOnServerCert; - z.ClientAuth = t.ClientAuth; - z.ClientOption = t.ClientOption; - z.ServerCert = t.ServerCert; - z.StartupAccount = t.StartupAccount; + SetRpcClientCreateAccountFromGetAccount(&z, &t); ret = CcSetAccount(pc->RemoteClient, &z); } @@ -6901,12 +6846,7 @@ UINT PcAccountExport(CONSOLE *c, char *cmd_name, wchar_t *str, void *param) UINT buf_size; UCHAR bom[] = {0xef, 0xbb, 0xbf, }; - Zero(&z, sizeof(z)); - z.CheckServerCert = t.CheckServerCert; - z.ClientAuth = t.ClientAuth; - z.ClientOption = t.ClientOption; - z.ServerCert = t.ServerCert; - z.StartupAccount = t.StartupAccount; + SetRpcClientCreateAccountFromGetAccount(&z, &t); b = CiAccountToCfg(&z); @@ -7710,6 +7650,8 @@ void PsMain(PS *ps) {"CascadeProxySocks5", PsCascadeProxySocks5}, {"CascadeServerCertEnable", PsCascadeServerCertEnable}, {"CascadeServerCertDisable", PsCascadeServerCertDisable}, + {"CascadeDefaultCAEnable", PsCascadeDefaultCAEnable}, + {"CascadeDefaultCADisable", PsCascadeDefaultCADisable}, {"CascadeServerCertSet", PsCascadeServerCertSet}, {"CascadeServerCertDelete", PsCascadeServerCertDelete}, {"CascadeServerCertGet", PsCascadeServerCertGet}, 
@@ -13287,6 +13229,12 @@ UINT PsCascadeGet(CONSOLE *c, char *cmd_name, wchar_t *str, void *param) CtInsert(ct, _UU("CMD_ACCOUNT_COLUMN_SERVER_CERT_NAME"), tmp); } + if (t.CheckServerCert) + { + CtInsert(ct, _UU("CMD_ACCOUNT_COLUMN_ADD_DEFAULT_CA"), + t.AddDefaultCA ? _UU("CMD_MSG_ENABLE") : _UU("CMD_MSG_DISABLE")); + } + // Device name to be used for the connection StrToUni(tmp, sizeof(tmp), t.ClientOption->DeviceName); CtInsert(ct, _UU("CMD_ACCOUNT_COLUMN_DEVICE_NAME"), tmp); 
@@ -14705,6 +14653,134 @@ UINT PsCascadeServerCertDisable(CONSOLE *c, char *cmd_name, wchar_t *str, void * return 0; } +// Enable trusting default CA list for cascade connection +UINT PsCascadeDefaultCAEnable(CONSOLE *c, char *cmd_name, wchar_t *str, void *param) +{ + LIST *o; + PS *ps = (PS *)param; + UINT ret = 0; + RPC_CREATE_LINK t; + // Parameter list that can be specified + PARAM args[] = + { + // "name", prompt_proc, prompt_param, eval_proc, eval_param + {"[name]", CmdPrompt, _UU("CMD_CascadeCreate_Prompt_Name"), CmdEvalNotEmpty, NULL}, + }; + + // If virtual HUB is not selected, it's an error + if (ps->HubName == NULL) + { + c->Write(c, _UU("CMD_Hub_Not_Selected")); + return ERR_INVALID_PARAMETER; + } + + o = ParseCommandList(c, cmd_name, str, args, sizeof(args) / sizeof(args[0])); + if (o == NULL) + { + return ERR_INVALID_PARAMETER; + } + + Zero(&t, sizeof(t)); + StrCpy(t.HubName, sizeof(t.HubName), ps->HubName); + t.ClientOption = ZeroMalloc(sizeof(CLIENT_OPTION)); + UniStrCpy(t.ClientOption->AccountName, sizeof(t.ClientOption->AccountName), GetParamUniStr(o, "[name]")); + + // RPC call + ret = ScGetLink(ps->Rpc, &t); + + if (ret != ERR_NO_ERROR) + { + // An error has occured + CmdPrintError(c, ret); + FreeParamValueList(o); + return ret; + } + else + { + // Data change + t.AddDefaultCA = true; + + ret = ScSetLink(ps->Rpc, &t); + if (ret != ERR_NO_ERROR) + { + // An error has occured + CmdPrintError(c, ret); + FreeParamValueList(o); + return ret; + } + + FreeRpcCreateLink(&t); + } + + FreeParamValueList(o); + + return 0; +} + +// Disable trusting default CA list for cascade connection +UINT PsCascadeDefaultCADisable(CONSOLE *c, char *cmd_name, wchar_t *str, void *param) +{ + LIST *o; + PS *ps = (PS *)param; + UINT ret = 0; + RPC_CREATE_LINK t; + // Parameter list that can be specified + PARAM args[] = + { + // "name", prompt_proc, prompt_param, eval_proc, eval_param + {"[name]", CmdPrompt, _UU("CMD_CascadeCreate_Prompt_Name"), CmdEvalNotEmpty, NULL}, + }; 
+ + // If virtual HUB is not selected, it's an error + if (ps->HubName == NULL) + { + c->Write(c, _UU("CMD_Hub_Not_Selected")); + return ERR_INVALID_PARAMETER; + } + + o = ParseCommandList(c, cmd_name, str, args, sizeof(args) / sizeof(args[0])); + if (o == NULL) + { + return ERR_INVALID_PARAMETER; + } + + Zero(&t, sizeof(t)); + StrCpy(t.HubName, sizeof(t.HubName), ps->HubName); + t.ClientOption = ZeroMalloc(sizeof(CLIENT_OPTION)); + UniStrCpy(t.ClientOption->AccountName, sizeof(t.ClientOption->AccountName), GetParamUniStr(o, "[name]")); + + // RPC call + ret = ScGetLink(ps->Rpc, &t); + + if (ret != ERR_NO_ERROR) + { + // An error has occured + CmdPrintError(c, ret); + FreeParamValueList(o); + return ret; + } + else + { + // Data change + t.AddDefaultCA = false; + + ret = ScSetLink(ps->Rpc, &t); + if (ret != ERR_NO_ERROR) + { + // An error has occured + CmdPrintError(c, ret); + FreeParamValueList(o); + return ret; + } + + FreeRpcCreateLink(&t); + } + + FreeParamValueList(o); + + return 0; +} + // Server-specific certificate settings of cascade connection UINT PsCascadeServerCertSet(CONSOLE *c, char *cmd_name, wchar_t *str, void *param) { diff --git a/src/Cedar/Command.h b/src/Cedar/Command.h index 37846bb7..042ef8ea 100644 --- a/src/Cedar/Command.h +++ b/src/Cedar/Command.h @@ -342,6 +342,7 @@ UINT PcNicDisable(CONSOLE *c, char *cmd_name, wchar_t *str, void *param); UINT PcNicList(CONSOLE *c, char *cmd_name, wchar_t *str, void *param); UINT PcAccountList(CONSOLE *c, char *cmd_name, wchar_t *str, void *param); UINT PcAccountCreate(CONSOLE *c, char *cmd_name, wchar_t *str, void *param); +void SetRpcClientCreateAccountFromGetAccount(RPC_CLIENT_CREATE_ACCOUNT *c, RPC_CLIENT_GET_ACCOUNT *t); UINT PcAccountSet(CONSOLE *c, char *cmd_name, wchar_t *str, void *param); UINT PcAccountGet(CONSOLE *c, char *cmd_name, wchar_t *str, void *param); UINT PcAccountDelete(CONSOLE *c, char *cmd_name, wchar_t *str, void *param); 
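Review bot: In PsCascadeDefaultCAEnable the `t.ClientOption = ZeroMalloc(sizeof(CLIENT_OPTION));` allocation is released only on the success path; both error returns after `ScGetLink` and `ScSetLink` call `FreeParamValueList(o)` and `return ret;` without `FreeRpcCreateLink(&t);`, so the CLIENT_OPTION (and on the second path everything ScGetLink filled in) leaks, and PsCascadeDefaultCADisable repeats both paths. Adding `FreeRpcCreateLink(&t);` before each `return ret;` closes it, assuming FreeRpcCreateLink tolerates the partially filled struct the way the success path already relies on. The two functions differ only in `t.AddDefaultCA = true;` versus `false`; a static helper taking the bool would remove the duplication and keep any later fix in one place.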
@@ -365,6 +366,8 @@ UINT PcAccountServerCertEnable(CONSOLE *c, char *cmd_name, wchar_t *str, void *p UINT PcAccountServerCertDisable(CONSOLE *c, char *cmd_name, wchar_t *str, void *param); UINT PcAccountRetryOnServerCertEnable(CONSOLE *c, char *cmd_name, wchar_t *str, void *param); UINT PcAccountRetryOnServerCertDisable(CONSOLE *c, char *cmd_name, wchar_t *str, void *param); +UINT PcAccountDefaultCAEnable(CONSOLE *c, char *cmd_name, wchar_t *str, void *param); +UINT PcAccountDefaultCADisable(CONSOLE *c, char *cmd_name, wchar_t *str, void *param); UINT PcAccountServerCertSet(CONSOLE *c, char *cmd_name, wchar_t *str, void *param); UINT PcAccountServerCertDelete(CONSOLE *c, char *cmd_name, wchar_t *str, void *param); UINT PcAccountServerCertGet(CONSOLE *c, char *cmd_name, wchar_t *str, void *param); @@ -510,6 +513,8 @@ UINT PsCascadeProxySocks(CONSOLE *c, char *cmd_name, wchar_t *str, void *param); UINT PsCascadeProxySocks5(CONSOLE *c, char *cmd_name, wchar_t *str, void *param); UINT PsCascadeServerCertEnable(CONSOLE *c, char *cmd_name, wchar_t *str, void *param); UINT PsCascadeServerCertDisable(CONSOLE *c, char *cmd_name, wchar_t *str, void *param); +UINT PsCascadeDefaultCAEnable(CONSOLE *c, char *cmd_name, wchar_t *str, void *param); +UINT PsCascadeDefaultCADisable(CONSOLE *c, char *cmd_name, wchar_t *str, void *param); UINT PsCascadeServerCertSet(CONSOLE *c, char *cmd_name, wchar_t *str, void *param); UINT PsCascadeServerCertDelete(CONSOLE *c, char *cmd_name, wchar_t *str, void *param); UINT PsCascadeServerCertGet(CONSOLE *c, char *cmd_name, wchar_t *str, void *param); diff --git a/src/Cedar/Link.h b/src/Cedar/Link.h index 817d0bbb..c8812184 100644 --- a/src/Cedar/Link.h +++ b/src/Cedar/Link.h 
@@ -31,6 +31,7 @@ struct LINK UINT CurrentSendPacketQueueSize; // Current send packet queue size UINT LastError; // Last error bool CheckServerCert; // To check the server certificate + bool AddDefaultCA; // Use default trust store X *ServerCert; // Server certificate bool LockFlag; // Lock flag bool *StopAllLinkFlag; // Stop all link flag diff --git a/src/Cedar/Protocol.c b/src/Cedar/Protocol.c index 1d058caa..018ee2ef 100644 --- a/src/Cedar/Protocol.c +++ b/src/Cedar/Protocol.c @@ -4295,7 +4295,6 @@ bool ClientCheckServerCert(CONNECTION *c, bool *expired) X *x; CHECK_CERT_THREAD_PROC *p; THREAD *thread; - CEDAR *cedar; bool ret; UINT64 start; // Validate arguments @@ -4310,31 +4309,10 @@ bool ClientCheckServerCert(CONNECTION *c, bool *expired) } auth = c->Session->ClientAuth; - cedar = c->Cedar; - if (auth->CheckCertProc == NULL && c->Session->LinkModeClient == false) + if (auth->CheckCertProc == NULL) { - // No checking function - return true; - } - - if (c->Session->LinkModeClient && c->Session->Link->CheckServerCert == false) - { - // It's in cascade connection mode, but do not check the server certificate - return true; - } - - if (c->UseTicket) - { - // Check the certificate of the redirected VPN server - if (CompareX(c->FirstSock->RemoteX, c->ServerX) == false) - { - return false; - } - else - { - return true; - } + return false; } x = CloneX(c->FirstSock->RemoteX); 
@@ -4344,63 +4322,6 @@ bool ClientCheckServerCert(CONNECTION *c, bool *expired)
 return false;
 }
- if (CheckXDateNow(x))
- {
- // Check whether it is signed by the root certificate to trust
- if (c->Session->LinkModeClient == false)
- {
- // Normal VPN Client mode
- if (CheckSignatureByCa(cedar, x))
- {
- // This certificate can be trusted because it is signed
- FreeX(x);
- return true;
- }
- }
- else
- {
- // Cascade connection mode
- if (CheckSignatureByCaLinkMode(c->Session, x))
- {
- // This certificate can be trusted because it is signed
- FreeX(x);
- return true;
- }
- }
- }
-
- if (c->Session->LinkModeClient)
- {
- if (CheckXDateNow(x))
- {
- Lock(c->Session->Link->lock);
- {
- if (c->Session->Link->ServerCert != NULL)
- {
- if (CompareX(c->Session->Link->ServerCert, x))
- {
- Unlock(c->Session->Link->lock);
- // Exactly match the certificate that is registered in the cascade configuration
- FreeX(x);
- return true;
- }
- }
- }
- Unlock(c->Session->Link->lock);
- }
- else
- {
- if (expired != NULL)
- {
- *expired = true;
- }
- }
-
- // Verification failure at this point in the case of cascade connection mode
- FreeX(x);
- return false;
- }
-
 p = ZeroMalloc(sizeof(CHECK_CERT_THREAD_PROC));
 p->ServerX = x;
 p->CheckCertProc = auth->CheckCertProc;
@@ -4418,7 +4339,8 @@ bool ClientCheckServerCert(CONNECTION *c, bool *expired)
 {
 // Send a NOOP periodically for disconnection prevention
 start = Tick64();
- ClientUploadNoop(c);
+ // Do not send because we now ask for user permission before sending signature
+ //ClientUploadNoop(c);
 }
 if (p->UserSelected)
 {
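Review bot: The keep-alive in the wait loop is left as commented-out code (`//ClientUploadNoop(c);`) rather than removed; delete the line and keep the explanatory comment, otherwise the next reader will wonder whether it is meant to return. Because the prompt now precedes the signature upload, the server sees an idle TLS connection for as long as the user takes to decide; if the server's idle timeout fires first, the upload that follows (outside this hunk) fails on a dead socket, so the comment should say whether the caller retries in that case. With the `*expired = true` write deleted here, nothing visible in ClientCheckServerCert sets `*expired` any more; if CHECK_CERT_THREAD_PROC does not set it either, the out-parameter is dead. The function starts and ends outside these hunks.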
@@ -4477,10 +4399,43 @@ REDIRECTED:
 s = ClientConnectToServer(c);
 if (s == NULL)
 {
+ // Do not retry if untrusted or hostname mismatched
+ if (c->Session->LinkModeClient == false && (c->Err == ERR_CERT_NOT_TRUSTED || c->Err == ERR_HOSTNAME_MISMATCH)
+ && (c->Session->Account == NULL || ! c->Session->Account->RetryOnServerCert))
+ {
+ c->Session->ForceStopFlag = true;
+ }
 PrintStatus(sess, L"free");
 return false;
 }
+ PrintStatus(sess, _UU("STATUS_5"));
+
+ // Prompt user whether to continue on verification errors
+ if ((c->Err == ERR_CERT_NOT_TRUSTED || c->Err == ERR_HOSTNAME_MISMATCH || c->Err == ERR_SERVER_CERT_EXPIRES) && ClientCheckServerCert(c, &expired) == false)
+ {
+ if (expired)
+ {
+ c->Err = ERR_SERVER_CERT_EXPIRES;
+ }
+
+ // Do not retry if untrusted or hostname mismatched
+ if (c->Session->LinkModeClient == false && (c->Err == ERR_CERT_NOT_TRUSTED || c->Err == ERR_HOSTNAME_MISMATCH)
+ && (c->Session->Account == NULL || ! c->Session->Account->RetryOnServerCert))
+ {
+ c->Session->ForceStopFlag = true;
+ }
+
+ goto CLEANUP;
+ }
+
+ // Check the certificate of the redirected VPN server
+ if (c->UseTicket && CompareX(s->RemoteX, c->ServerX) == false)
+ {
+ c->Err = ERR_CERT_NOT_TRUSTED;
+ goto CLEANUP;
+ }
+
 Copy(&server_ip, &s->RemoteIP, sizeof(IP));
 if (c->Halt)
@@ -4532,8 +4487,6 @@ REDIRECTED:
 goto CLEANUP;
 }
- PrintStatus(sess, _UU("STATUS_5"));
-
 // Receive a Hello packet
 Debug("Downloading Hello...\n");
 if (ClientDownloadHello(c, s) == false)
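Review bot: The new gate `if ((c->Err == ERR_CERT_NOT_TRUSTED || c->Err == ERR_HOSTNAME_MISMATCH || c->Err == ERR_SERVER_CERT_EXPIRES) && ClientCheckServerCert(c, &expired) == false)` treats whatever `c->Err` holds as the outcome of this handshake, but ClientConnectToServer writes `c->Err` only when StartSSLEx3 reports a non-zero error and never clears it; unless `c->Err` is reset before each attempt (not visible here), a certificate error left over from an earlier retry would prompt the user or abort a connection whose certificate verified cleanly. Writing `c->Err = ERR_NO_ERROR;` before `s = ClientConnectToServer(c);`, or having StartSSLEx3 set `*ssl_err = 0` on success, removes the ambiguity. The `if (expired)` branch depends on ClientCheckServerCert still writing `*expired`, whose only visible write this commit removes, and StartSSLEx3 already maps X509_V_ERR_CERT_HAS_EXPIRED to ERR_SERVER_CERT_EXPIRES, so the branch may be dead. ClientConnect continues outside the hunk.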
@@ -4569,27 +4522,6 @@ REDIRECTED:
 // During user authentication
 c->Session->ClientStatus = CLIENT_STATUS_AUTH;
- // Verify the server certificate by the client
- if (ClientCheckServerCert(c, &expired) == false)
- {
- if (expired == false)
- {
- c->Err = ERR_CERT_NOT_TRUSTED;
- }
- else
- {
- c->Err = ERR_SERVER_CERT_EXPIRES;
- }
-
- if (c->Session->LinkModeClient == false && c->Err == ERR_CERT_NOT_TRUSTED
- && (c->Session->Account == NULL || ! c->Session->Account->RetryOnServerCert))
- {
- c->Session->ForceStopFlag = true;
- }
-
- goto CLEANUP;
- }
-
 PrintStatus(sess, _UU("STATUS_6"));
 // Send the authentication data
@@ -6218,16 +6150,29 @@ SOCK *ClientConnectToServer(CONNECTION *c)
 SetTimeout(s, CONNECTING_TIMEOUT);
 // Start the SSL communication
- if (StartSSLEx(s, x, k, 0, c->ServerName) == false)
+ UINT err = 0;
+ if (StartSSLEx3(s, x, k, NULL, 0, c->ServerName, c->Session->SslOption, &err) == false)
 {
 // SSL communication start failure
 Disconnect(s);
 ReleaseSock(s);
 c->FirstSock = NULL;
- c->Err = ERR_SERVER_IS_NOT_VPN;
+ if (err != 0)
+ {
+ c->Err = err;
+ }
+ else
+ {
+ c->Err = ERR_SERVER_IS_NOT_VPN;
+ }
 return NULL;
 }
+ if (err != 0)
+ {
+ c->Err = err;
+ }
+
 if (s->RemoteX == NULL)
 {
 // SSL communication start failure
@@ -6297,6 +6242,7 @@ SOCK *ClientConnectGetSocket(CONNECTION *c, bool additional_connect)
 if (o->ProxyType == PROXY_DIRECT)
 {
+ UINT ssl_err = 0;
 UINT nat_t_err = 0;
 wchar_t tmp[MAX_SIZE];
 UniFormat(tmp, sizeof(tmp), _UU("STATUS_4"), hostname);
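Review bot: `UINT err = 0;` is introduced mid-block, after `SetTimeout(s, CONNECTING_TIMEOUT);`, while the rest of ClientConnectToServer declares its locals at the top; the same mid-block declarations appear in NewClientSessionEx (`LIST *o`) and StartSSLEx3 (`X509_STORE* store`, `UINT i`, `X509_VERIFY_PARAM *vpm`, the first with the asterisk on the type rather than the name as elsewhere in the file). Moving them to the top of their blocks keeps the file's declaration layout consistent. `if (err != 0) { c->Err = err; }` is then repeated on the failure and success paths; assigning it once before the `== false` test and falling back to `ERR_SERVER_IS_NOT_VPN` only when `err == 0` would say the same thing once. ClientConnectToServer continues outside the hunk.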
@@ -6306,9 +6252,10 @@ SOCK *ClientConnectGetSocket(CONNECTION *c, bool additional_connect) { // If additional_connect == false, enable trying to NAT-T connection // If additional_connect == true, follow the IsRUDPSession setting in this session + // In additional connect or redirect we do not need ssl verification as the certificate is always compared with a saved one sock = TcpIpConnectEx2(hostname, c->ServerPort, (bool *)cancel_flag, c->hWndForUI, &nat_t_err, (additional_connect ? (!sess->IsRUDPSession) : false), - true, o->HintStr, &resolved_ip); + true, ((additional_connect || c->UseTicket) ? NULL : sess->SslOption), &ssl_err, o->HintStr, &resolved_ip); } else { @@ -6331,7 +6278,14 @@ SOCK *ClientConnectGetSocket(CONNECTION *c, bool additional_connect) // Connection failure if (nat_t_err != RUDP_ERROR_NAT_T_TWO_OR_MORE) { - c->Err = ERR_CONNECT_FAILED; + if (ssl_err != 0) + { + c->Err = ssl_err; + } + else + { + c->Err = ERR_CONNECT_FAILED; + } } else { @@ -6340,6 +6294,11 @@ SOCK *ClientConnectGetSocket(CONNECTION *c, bool additional_connect) return NULL; } + + if (ssl_err != 0) + { + c->Err = ssl_err; + } } else { 
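Review bot: The comment on the `TcpIpConnectEx2` call says verification is skipped for additional connects and redirects because the certificate is always compared with a saved one; the redirect case is visible in ClientConnect (`c->UseTicket && CompareX(s->RemoteX, c->ServerX)`), but the additional-connect comparison is not in this diff. If ClientAdditionalConnect does not compare `s->RemoteX` against `c->ServerX` after its handshake, passing `NULL` as `ssl_option` leaves those sessions with no certificate check at all, so the comment should name the function that performs the comparison. `if (ssl_err != 0) { c->Err = ssl_err; }` on the success path also accepts a non-zero `ssl_err` that ConnectEx5's losing connect thread may have written while the returned socket verified cleanly; it would be safer to take the error only from the thread whose socket is returned. ClientConnectGetSocket continues outside the hunk.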
@@ -6445,20 +6404,20 @@ UINT ProxyCodeToCedar(UINT code) // TCP connection function SOCK *TcpConnectEx3(char *hostname, UINT port, UINT timeout, bool *cancel_flag, void *hWnd, bool no_nat_t, UINT *nat_t_error_code, bool try_start_ssl, IP *ret_ip) { - return TcpConnectEx4(hostname, port, timeout, cancel_flag, hWnd, no_nat_t, nat_t_error_code, try_start_ssl, NULL, ret_ip); + return TcpConnectEx4(hostname, port, timeout, cancel_flag, hWnd, no_nat_t, nat_t_error_code, try_start_ssl, NULL, NULL, NULL, ret_ip); } -SOCK *TcpConnectEx4(char *hostname, UINT port, UINT timeout, bool *cancel_flag, void *hWnd, bool no_nat_t, UINT *nat_t_error_code, bool try_start_ssl, char *hint_str, IP *ret_ip) +SOCK *TcpConnectEx4(char *hostname, UINT port, UINT timeout, bool *cancel_flag, void *hWnd, bool no_nat_t, UINT *nat_t_error_code, bool try_start_ssl, SSL_VERIFY_OPTION *ssl_option, UINT *ssl_err, char *hint_str, IP *ret_ip) { #ifdef OS_WIN32 if (hWnd == NULL) { #endif // OS_WIN32 - return ConnectEx5(hostname, port, timeout, cancel_flag, (no_nat_t ? NULL : VPN_RUDP_SVC_NAME), nat_t_error_code, try_start_ssl, true, hint_str, ret_ip); + return ConnectEx5(hostname, port, timeout, cancel_flag, (no_nat_t ? NULL : VPN_RUDP_SVC_NAME), nat_t_error_code, try_start_ssl, true, ssl_option, ssl_err, hint_str, ret_ip); #ifdef OS_WIN32 } else { - return WinConnectEx4((HWND)hWnd, hostname, port, timeout, 0, NULL, NULL, nat_t_error_code, (no_nat_t ? NULL : VPN_RUDP_SVC_NAME), try_start_ssl, hint_str); + return WinConnectEx4((HWND)hWnd, hostname, port, timeout, 0, NULL, NULL, nat_t_error_code, (no_nat_t ? NULL : VPN_RUDP_SVC_NAME), try_start_ssl, ssl_option, ssl_err, hint_str); } #endif // OS_WIN32 } 
@@ -6466,9 +6425,9 @@ SOCK *TcpConnectEx4(char *hostname, UINT port, UINT timeout, bool *cancel_flag, // Connect with TCP/IP SOCK *TcpIpConnectEx(char *hostname, UINT port, bool *cancel_flag, void *hWnd, UINT *nat_t_error_code, bool no_nat_t, bool try_start_ssl, IP *ret_ip) { - return TcpIpConnectEx2(hostname, port, cancel_flag, hWnd, nat_t_error_code, no_nat_t, try_start_ssl, NULL, ret_ip); + return TcpIpConnectEx2(hostname, port, cancel_flag, hWnd, nat_t_error_code, no_nat_t, try_start_ssl, NULL, NULL, NULL, ret_ip); } -SOCK *TcpIpConnectEx2(char *hostname, UINT port, bool *cancel_flag, void *hWnd, UINT *nat_t_error_code, bool no_nat_t, bool try_start_ssl, char *hint_str, IP *ret_ip) +SOCK *TcpIpConnectEx2(char *hostname, UINT port, bool *cancel_flag, void *hWnd, UINT *nat_t_error_code, bool no_nat_t, bool try_start_ssl, SSL_VERIFY_OPTION *ssl_option, UINT *ssl_err, char *hint_str, IP *ret_ip) { SOCK *s = NULL; UINT dummy_int = 0; @@ -6483,7 +6442,7 @@ SOCK *TcpIpConnectEx2(char *hostname, UINT port, bool *cancel_flag, void *hWnd, return NULL; } - s = TcpConnectEx4(hostname, port, 0, cancel_flag, hWnd, no_nat_t, nat_t_error_code, try_start_ssl, hint_str, ret_ip); + s = TcpConnectEx4(hostname, port, 0, cancel_flag, hWnd, no_nat_t, nat_t_error_code, try_start_ssl, ssl_option, ssl_err, hint_str, ret_ip); if (s == NULL) { return NULL; diff --git a/src/Cedar/Protocol.h b/src/Cedar/Protocol.h index 7dd91721..ebcc1052 100644 --- a/src/Cedar/Protocol.h +++ b/src/Cedar/Protocol.h 
@@ -114,7 +114,7 @@ bool ServerAccept(CONNECTION *c); bool ClientConnect(CONNECTION *c); SOCK *ClientConnectToServer(CONNECTION *c); SOCK *TcpIpConnectEx(char *hostname, UINT port, bool *cancel_flag, void *hWnd, UINT *nat_t_error_code, bool no_nat_t, bool try_start_ssl, IP *ret_ip); -SOCK *TcpIpConnectEx2(char *hostname, UINT port, bool *cancel_flag, void *hWnd, UINT *nat_t_error_code, bool no_nat_t, bool try_start_ssl, char *hint_str, IP *ret_ip); +SOCK *TcpIpConnectEx2(char *hostname, UINT port, bool *cancel_flag, void *hWnd, UINT *nat_t_error_code, bool no_nat_t, bool try_start_ssl, SSL_VERIFY_OPTION *ssl_option, UINT *ssl_err, char *hint_str, IP *ret_ip); bool ClientUploadSignature(SOCK *s); bool ClientDownloadHello(CONNECTION *c, SOCK *s); bool ServerDownloadSignature(CONNECTION *c, char **error_detail_str); @@ -122,7 +122,7 @@ bool ServerUploadHello(CONNECTION *c); bool ClientUploadAuth(CONNECTION *c); SOCK *ClientConnectGetSocket(CONNECTION *c, bool additional_connect); SOCK *TcpConnectEx3(char *hostname, UINT port, UINT timeout, bool *cancel_flag, void *hWnd, bool no_nat_t, UINT *nat_t_error_code, bool try_start_ssl, IP *ret_ip); -SOCK *TcpConnectEx4(char *hostname, UINT port, UINT timeout, bool *cancel_flag, void *hWnd, bool no_nat_t, UINT *nat_t_error_code, bool try_start_ssl, char *hint_str, IP *ret_ip); +SOCK *TcpConnectEx4(char *hostname, UINT port, UINT timeout, bool *cancel_flag, void *hWnd, bool no_nat_t, UINT *nat_t_error_code, bool try_start_ssl, SSL_VERIFY_OPTION *ssl_option, UINT *ssl_err, char *hint_str, IP *ret_ip); UINT ProxyCodeToCedar(UINT code); diff --git a/src/Cedar/SM.c b/src/Cedar/SM.c index 5e505d4e..b0b5f2ae 100644 --- a/src/Cedar/SM.c +++ b/src/Cedar/SM.c 
@@ -10286,6 +10286,7 @@ bool SmLinkEdit(HWND hWnd, SM_HUB *s, wchar_t *name) a.ClientAuth = CopyClientAuth(t.ClientAuth); Copy(&a.Policy, &t.Policy, sizeof(POLICY)); a.CheckServerCert = t.CheckServerCert; + a.AddDefaultCA = t.AddDefaultCA; a.ServerCert = CloneX(t.ServerCert); a.HideTrustCert = GetCapsBool(s->p->CapsList, "b_support_config_hub"); FreeRpcCreateLink(&t); diff --git a/src/Cedar/Server.c b/src/Cedar/Server.c index 6376afc3..85312e0f 100644 --- a/src/Cedar/Server.c +++ b/src/Cedar/Server.c @@ -3400,6 +3400,7 @@ void SiWriteHubLinkCfg(FOLDER *f, LINK *k) } CfgAddBool(f, "CheckServerCert", k->CheckServerCert); + CfgAddBool(f, "AddDefaultCA", k->AddDefaultCA); if (k->ServerCert != NULL) { @@ -3450,6 +3451,7 @@ void SiLoadHubLinkCfg(FOLDER *f, HUB *h) { BUF *b; k->CheckServerCert = CfgGetBool(f, "CheckServerCert"); + k->AddDefaultCA = CfgGetBool(f, "AddDefaultCA"); b = CfgGetBuf(f, "ServerCert"); if (b != NULL) { diff --git a/src/Cedar/Session.c b/src/Cedar/Session.c index f91ec0f7..5f2cfed8 100644 --- a/src/Cedar/Session.c +++ b/src/Cedar/Session.c @@ -1270,6 +1270,13 @@ void CleanupSession(SESSION *s) Free(s->ClientAuth); } + if (s->SslOption != NULL) + { + FreeXList(s->SslOption->CaList); + FreeX(s->SslOption->SavedCert); + Free(s->SslOption); + } + FreeTraffic(s->Traffic); Free(s->Name); 
@@ -1949,23 +1956,55 @@ SESSION *NewClientSessionEx(CEDAR *cedar, CLIENT_OPTION *option, CLIENT_AUTH *au { s->ClientAuth->ClientX = CloneX(s->ClientAuth->ClientX); } - if (s->ClientAuth->ClientK != NULL) - { - if (s->ClientAuth->AuthType != CLIENT_AUTHTYPE_OPENSSLENGINE) - { - s->ClientAuth->ClientK = CloneK(s->ClientAuth->ClientK); - } - else - { - s->ClientAuth->ClientK = OpensslEngineToK(s->ClientAuth->OpensslEnginePrivateKeyName, s->ClientAuth->OpensslEngineName); - } - } + if (s->ClientAuth->ClientK != NULL) + { + if (s->ClientAuth->AuthType != CLIENT_AUTHTYPE_OPENSSLENGINE) + { + s->ClientAuth->ClientK = CloneK(s->ClientAuth->ClientK); + } + else + { + s->ClientAuth->ClientK = OpensslEngineToK(s->ClientAuth->OpensslEnginePrivateKeyName, s->ClientAuth->OpensslEngineName); + } + } if (StrCmpi(s->ClientOption->DeviceName, LINK_DEVICE_NAME) == 0) { // Link client mode s->LinkModeClient = true; s->Link = (LINK *)s->PacketAdapter->Param; + if (s->Link != NULL && s->Link->CheckServerCert && s->Link->Hub->HubDb != NULL) + { + // Enable SSL peer verification + s->SslOption = ZeroMalloc(sizeof(SSL_VERIFY_OPTION)); + s->SslOption->VerifyPeer = true; + s->SslOption->AddDefaultCA = s->Link->AddDefaultCA; + s->SslOption->VerifyHostname = true; + s->SslOption->SavedCert = CloneX(s->Link->ServerCert); + + // Copy trusted CA + LIST *o = s->Link->Hub->HubDb->RootCertList; + s->SslOption->CaList = CloneXList(o); + } + } + else + { + if (account != NULL && account->CheckServerCert) + { + // Enable SSL peer verification + s->SslOption = ZeroMalloc(sizeof(SSL_VERIFY_OPTION)); + s->SslOption->VerifyPeer = true; +#ifdef OS_WIN32 + s->SslOption->PromptOnVerifyFail = true; +#endif + s->SslOption->AddDefaultCA = account->AddDefaultCA; + s->SslOption->VerifyHostname = true; + s->SslOption->SavedCert = CloneX(account->ServerCert); + + // Copy trusted CA + LIST *o = cedar->CaList; + s->SslOption->CaList = CloneXList(o); + } } if (StrCmpi(s->ClientOption->DeviceName, SNAT_DEVICE_NAME) == 
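Review bot: For a cascade link the verification option is only built when `s->Link->Hub->HubDb != NULL`, so a link with `CheckServerCert` set whose hub has no HubDb gets `SslOption == NULL` and StartSSLEx3 then runs the handshake with no peer verification at all, silently overriding the operator's setting. If HubDb can be NULL here, fail closed: drop that clause from the condition and guard only the `CloneXList` with `if (s->Link->Hub->HubDb != NULL)`, so a pinned `SavedCert` still verifies and an empty CaList simply rejects unknown issuers. `RootCertList` is read and cloned without a visible lock; if admin RPCs can mutate that list while a link starts, confirm CloneXList or this caller holds the list lock. The Windows-only `PromptOnVerifyFail` deserves a comment saying that non-Windows clients always fail closed on a verification error. NewClientSessionEx continues outside the hunk.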
0) diff --git a/src/Cedar/Session.h b/src/Cedar/Session.h index a28485c7..992a56f4 100644 --- a/src/Cedar/Session.h +++ b/src/Cedar/Session.h @@ -91,6 +91,7 @@ struct SESSION char ClientIP[64]; // Client IP CLIENT_OPTION *ClientOption; // Client connection options CLIENT_AUTH *ClientAuth; // Client authentication data + SSL_VERIFY_OPTION *SslOption; // SSL verification option volatile bool Halt; // Halting flag volatile bool CancelConnect; // Cancel the connection EVENT *HaltEvent; // Halting event diff --git a/src/Cedar/WinUi.c b/src/Cedar/WinUi.c index f0c4a1cc..904db691 100644 --- a/src/Cedar/WinUi.c +++ b/src/Cedar/WinUi.c @@ -1329,7 +1329,7 @@ void WinConnectDlgThread(THREAD *thread, void *param) nat_t_svc_name = d->nat_t_svc_name; } - s = ConnectEx5(d->hostname, d->port, d->timeout, &d->cancel, nat_t_svc_name, &nat_t_error_code, d->try_start_ssl, false, d->hint_str, NULL); + s = ConnectEx5(d->hostname, d->port, d->timeout, &d->cancel, nat_t_svc_name, &nat_t_error_code, d->try_start_ssl, false, d->ssl_option, d->ssl_err, d->hint_str, NULL); d->ret_sock = s; d->nat_t_error_code = nat_t_error_code; 
@@ -1399,9 +1399,9 @@ UINT WinConnectDlgProc(HWND hWnd, UINT msg, WPARAM wParam, LPARAM lParam, void * // TCP connection with showing the UI SOCK *WinConnectEx3(HWND hWnd, char *server, UINT port, UINT timeout, UINT icon_id, wchar_t *caption, wchar_t *info, UINT *nat_t_error_code, char *nat_t_svc_name, bool try_start_ssl) { - return WinConnectEx4(hWnd, server, port, timeout, icon_id, caption, info, nat_t_error_code, nat_t_svc_name, try_start_ssl, NULL); + return WinConnectEx4(hWnd, server, port, timeout, icon_id, caption, info, nat_t_error_code, nat_t_svc_name, try_start_ssl, NULL, NULL, NULL); } -SOCK *WinConnectEx4(HWND hWnd, char *server, UINT port, UINT timeout, UINT icon_id, wchar_t *caption, wchar_t *info, UINT *nat_t_error_code, char *nat_t_svc_name, bool try_start_ssl, char *hint_str) +SOCK *WinConnectEx4(HWND hWnd, char *server, UINT port, UINT timeout, UINT icon_id, wchar_t *caption, wchar_t *info, UINT *nat_t_error_code, char *nat_t_svc_name, bool try_start_ssl, SSL_VERIFY_OPTION *ssl_option, UINT *ssl_err, char *hint_str) { wchar_t tmp[MAX_SIZE]; wchar_t tmp2[MAX_SIZE]; @@ -1444,6 +1444,8 @@ SOCK *WinConnectEx4(HWND hWnd, char *server, UINT port, UINT timeout, UINT icon_ d.timeout = timeout; d.hostname = server; d.port = port; + d.ssl_option = ssl_option; + d.ssl_err = ssl_err; d.hint_str = hint_str; StrCpy(d.nat_t_svc_name, sizeof(d.nat_t_svc_name), nat_t_svc_name); diff --git a/src/Cedar/WinUi.h b/src/Cedar/WinUi.h index 62d6c332..8b82754c 100644 --- a/src/Cedar/WinUi.h +++ b/src/Cedar/WinUi.h @@ -331,6 +331,8 @@ typedef struct WINCONNECT_DLG_DATA char nat_t_svc_name[MAX_SIZE]; UINT nat_t_error_code; bool try_start_ssl; + SSL_VERIFY_OPTION *ssl_option; + UINT *ssl_err; char *hint_str; } WINCONNECT_DLG_DATA; 
@@ -695,7 +697,7 @@ HFONT GetMeiryoFontEx(UINT font_size); HFONT GetMeiryoFontEx2(UINT font_size, bool bold); bool ShowWindowsNetworkConnectionDialog(); SOCK *WinConnectEx3(HWND hWnd, char *server, UINT port, UINT timeout, UINT icon_id, wchar_t *caption, wchar_t *info, UINT *nat_t_error_code, char *nat_t_svc_name, bool try_start_ssl); -SOCK *WinConnectEx4(HWND hWnd, char *server, UINT port, UINT timeout, UINT icon_id, wchar_t *caption, wchar_t *info, UINT *nat_t_error_code, char *nat_t_svc_name, bool try_start_ssl, char *hint_str); +SOCK *WinConnectEx4(HWND hWnd, char *server, UINT port, UINT timeout, UINT icon_id, wchar_t *caption, wchar_t *info, UINT *nat_t_error_code, char *nat_t_svc_name, bool try_start_ssl, SSL_VERIFY_OPTION *ssl_option, UINT *ssl_err, char *hint_str); UINT WinConnectDlgProc(HWND hWnd, UINT msg, WPARAM wParam, LPARAM lParam, void *param); void WinConnectDlgThread(THREAD *thread, void *param); void NicInfo(UI_NICINFO *info); diff --git a/src/Mayaqua/MayaType.h b/src/Mayaqua/MayaType.h index 4a3266eb..efdfaa59 100644 --- a/src/Mayaqua/MayaType.h +++ b/src/Mayaqua/MayaType.h @@ -382,6 +382,7 @@ typedef struct RUDP_SESSION RUDP_SESSION; typedef struct RUDP_SEGMENT RUDP_SEGMENT; typedef struct CONNECT_SERIAL_PARAM CONNECT_SERIAL_PARAM; typedef struct CONNECT_TCP_RUDP_PARAM CONNECT_TCP_RUDP_PARAM; +typedef struct SSL_VERIFY_OPTION SSL_VERIFY_OPTION; typedef struct TCP_PAIR_HEADER TCP_PAIR_HEADER; typedef struct NIC_ENTRY NIC_ENTRY; typedef struct HTTP_VALUE HTTP_VALUE; diff --git a/src/Mayaqua/Network.c b/src/Mayaqua/Network.c index 6351a869..66ab3b8a 100644 --- a/src/Mayaqua/Network.c +++ b/src/Mayaqua/Network.c @@ -54,7 +54,7 @@ #ifdef OS_WIN32 #include #include - +#include #include struct ROUTE_CHANGE_DATA 
@@ -11632,11 +11632,17 @@ bool StartSSLEx(SOCK *sock, X *x, K *priv, UINT ssl_timeout, char *sni_hostname) return StartSSLEx2(sock, x, priv, NULL, ssl_timeout, sni_hostname); } bool StartSSLEx2(SOCK *sock, X *x, K *priv, LIST *chain, UINT ssl_timeout, char *sni_hostname) +{ + return StartSSLEx3(sock, x, priv, chain, ssl_timeout, sni_hostname, NULL, NULL); +} +bool StartSSLEx3(SOCK *sock, X *x, K *priv, LIST *chain, UINT ssl_timeout, char *sni_hostname, SSL_VERIFY_OPTION *ssl_option, UINT *ssl_err) { X509 *x509; EVP_PKEY *key; UINT prev_timeout = 1024; SSL_CTX *ssl_ctx; + UINT dummy_err = 0; + long ssl_verify_err; #ifdef UNIX_SOLARIS SOCKET_TIMEOUT_PARAM *ttparam; @@ -11648,6 +11654,10 @@ bool StartSSLEx2(SOCK *sock, X *x, K *priv, LIST *chain, UINT ssl_timeout, char Debug("StartSSL Error: #0\n"); return false; } + if (ssl_err == NULL) + { + ssl_err = &dummy_err; + } if (sock->Connected && sock->Type == SOCK_INPROC && sock->ListenMode == false) { sock->SecureMode = true; 
@@ -11740,6 +11750,55 @@ bool StartSSLEx2(SOCK *sock, X *x, K *priv, LIST *chain, UINT ssl_timeout, char
 }
 Lock(openssl_lock);
 }
+ else
+ {
+ // Client mode
+ if (ssl_option != NULL && ssl_option->VerifyPeer)
+ {
+ // Add default trust store
+ X509_STORE* store = SSL_CTX_get_cert_store(ssl_ctx);
+ if (ssl_option->AddDefaultCA)
+ {
+#ifdef OS_WIN32
+ HCERTSTORE hStore = CertOpenSystemStore(0, "ROOT");
+ if (hStore != NULL)
+ {
+ PCCERT_CONTEXT pContext = NULL;
+ while ((pContext = CertEnumCertificatesInStore(hStore, pContext)))
+ {
+ X509 *x509 = d2i_X509(NULL, (const unsigned char**)&pContext->pbCertEncoded, pContext->cbCertEncoded);
+ if (x509 != NULL)
+ {
+ X509_STORE_add_cert(store, x509);
+ X509_free(x509);
+ }
+ }
+ CertCloseStore(hStore, 0);
+ }
+#else
+ SSL_CTX_set_default_verify_paths(ssl_ctx);
+#endif
+ }
+
+ // Add trust CA specified by user
+ UINT i;
+ for (i = 0; i < LIST_NUM(ssl_option->CaList); ++i)
+ {
+ X *ca = LIST_DATA(ssl_option->CaList, i);
+ X509_STORE_add_cert(store, ca->x509);
+ }
+
+ // Allow intermediate CA to be trusted
+ X509_VERIFY_PARAM *vpm = SSL_CTX_get0_param(ssl_ctx);
+ X509_VERIFY_PARAM_set_flags(vpm, X509_V_FLAG_PARTIAL_CHAIN);
+
+ // Enable hostname verification (by default CN is only checked if SAN is not available)
+ if (ssl_option->VerifyHostname && IsEmptyStr(sni_hostname) == false)
+ {
+ X509_VERIFY_PARAM_set1_host(vpm, sni_hostname, StrLen(sni_hostname));
+ }
+ }
+ }
 #if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
 if (sock->SslAcceptSettings.Override_Security_Level)
@@ -11880,7 +11939,7 @@ bool StartSSLEx2(SOCK *sock, X *x, K *priv, LIST *chain, UINT ssl_timeout, char
 Lock(openssl_lock);
 {
 x509 = SSL_get_peer_certificate(sock->ssl);
-
+ ssl_verify_err = SSL_get_verify_result(sock->ssl);
 sock->SslVersion = SSL_get_version(sock->ssl);
 }
 Unlock(openssl_lock);
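Review bot: `d2i_X509(NULL, (const unsigned char**)&pContext->pbCertEncoded, pContext->cbCertEncoded)` hands d2i the address of a field inside the CryptoAPI-owned CERT_CONTEXT; d2i_X509 advances the pointer it is given, so after the call `pContext->pbCertEncoded` no longer points at the encoded certificate, and it is only harmless because nothing reads that context before CertEnumCertificatesInStore releases it. `X509_VERIFY_PARAM_set1_host` performs DNS-name matching only; if `sni_hostname` can be an IP literal (clients connecting by address), the server certificate's iPAddress SAN will never match and every such connection is reported as ERR_HOSTNAME_MISMATCH, so an IP literal should go through `X509_VERIFY_PARAM_set1_ip_asc` instead. The return values of `X509_STORE_add_cert`, `SSL_CTX_set_default_verify_paths`, `X509_VERIFY_PARAM_set_flags` and `set1_host` are all ignored; a failed host setting in particular turns `VerifyHostname` into a silent no-op and should abort the handshake setup. StartSSLEx3 continues outside the hunk.
```c
// … unchanged: CertOpenSystemStore / enumeration loop …
const unsigned char *der = pContext->pbCertEncoded;   // d2i advances this copy, not the CryptoAPI field
X509 *x509 = d2i_X509(NULL, &der, pContext->cbCertEncoded);
// … unchanged: store insertion, user CA list, PARTIAL_CHAIN flag …
if (ssl_option->VerifyHostname && IsEmptyStr(sni_hostname) == false)
{
	// An IP literal is matched against the iPAddress SAN; a name against dNSName (or CN as fallback)
	if (X509_VERIFY_PARAM_set1_ip_asc(vpm, sni_hostname) != 1 &&
		X509_VERIFY_PARAM_set1_host(vpm, sni_hostname, StrLen(sni_hostname)) != 1)
	{
		// … abort the way the other StartSSL setup failures in this function do …
	}
}
```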
@@ -11896,6 +11955,49 @@ bool StartSSLEx2(SOCK *sock, X *x, K *priv, LIST *chain, UINT ssl_timeout, char
 sock->RemoteX = X509ToX(x509);
 }
+ // Check verification error
+ if (ssl_option != NULL && ssl_option->VerifyPeer)
+ {
+ if (ssl_verify_err != X509_V_OK)
+ {
+ // Clear any error if matching saved certificate and not expired
+ if (ssl_option->SavedCert != NULL && sock->RemoteX != NULL && CheckXDateNow(sock->RemoteX) && CompareX(ssl_option->SavedCert, sock->RemoteX))
+ {
+ ssl_verify_err = X509_V_OK;
+ }
+ else
+ {
+ Debug("StartSSL: SSL verification error %d\n", ssl_verify_err);
+ switch (ssl_verify_err)
+ {
+ case X509_V_ERR_CERT_HAS_EXPIRED:
+ *ssl_err = 106; // ERR_SERVER_CERT_EXPIRES
+ break;
+ case X509_V_ERR_HOSTNAME_MISMATCH:
+ *ssl_err = 149; // ERR_HOSTNAME_MISMATCH
+ break;
+ default:
+ *ssl_err = 85; // ERR_CERT_NOT_TRUSTED
+ }
+
+ if (ssl_option->PromptOnVerifyFail == false)
+ {
+ // SSL verify failure
+ Lock(openssl_lock);
+ {
+ SSL_free(sock->ssl);
+ sock->ssl = NULL;
+ }
+ Unlock(openssl_lock);
+
+ Unlock(sock->ssl_lock);
+ FreeSSLCtx(ssl_ctx);
+ return false;
+ }
+ }
+ }
+ }
+
 // Get the certificate of local host
 Lock(openssl_lock);
 {
@@ -13778,20 +13880,7 @@ void ConnectThreadForTcp(THREAD *thread, void *param)
 Unlock(p->CancelLock);
 // Start the SSL communication
- ssl_ret = StartSSLEx(sock, NULL, NULL, 0, p->Hostname);
-
- if (ssl_ret)
- {
- // Identify whether the HTTPS server to be connected is a SoftEther VPN
- SetTimeout(sock, (10 * 1000));
- ssl_ret = DetectIsServerSoftEtherVPN(sock);
- SetTimeout(sock, INFINITE);
-
- if (ssl_ret == false)
- {
- Debug("DetectIsServerSoftEtherVPN Error.\n");
- }
- }
+ ssl_ret = StartSSLEx3(sock, NULL, NULL, NULL, 0, p->Hostname, p->SslOption, p->SslErr);
 Lock(p->CancelLock);
 {
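Review bot: `Debug("StartSSL: SSL verification error %d\n", ssl_verify_err)` passes a `long` to `%d`; use `%ld` so the diagnostic is well-defined on LP64 builds. The literals `106`, `149` and `85` duplicate Cedar's ERR_SERVER_CERT_EXPIRES / ERR_HOSTNAME_MISMATCH / ERR_CERT_NOT_TRUSTED by value because Mayaqua cannot see Cedar's headers; if those values ever move, the mismatch is silent, so a `_Static_assert` on the Cedar side pinning each constant to the number used here, or a translation owned by Cedar, would be safer than bare numbers. On the fail-closed path `sock->RemoteX` stays populated after `sock->ssl` is freed; if that is deliberate so the caller can display the rejected certificate, say so in the `// SSL verify failure` comment, otherwise it is stale. When `PromptOnVerifyFail` is set the function returns true with an unverified peer and only `*ssl_err` records the failure, so every caller of StartSSLEx3 must check that out-parameter; the function's header comment should state this contract. StartSSLEx3 starts outside the hunk.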
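Review bot: `ssl_ret` now reflects only whether the TLS handshake (and, when an option is given, peer verification) succeeded; the `DetectIsServerSoftEtherVPN` probe that previously also had to pass is gone, so a TCP endpoint that speaks TLS but is not a VPN server now counts as a successful TCP connection. If the code after this hunk used that result to prefer NAT-T when the TCP side is not a SoftEther server, that preference is lost; if the removal is intentional, a one-line comment such as `// Server identity is checked by the caller after the handshake` would save the next reader the search. ConnectThreadForTcp continues outside the hunk.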
@@ -13986,6 +14075,8 @@ void ConnectThreadForIPv4(THREAD *thread, void *param) p1.CancelFlag = &cancel_flag2; p1.FinishEvent = finish_event; p1.Tcp_TryStartSsl = p->Tcp_TryStartSsl; + p1.SslOption = p->SslOption; + p1.SslErr = p->SslErr; p1.CancelLock = NewLock(); // p2: NAT-T @@ -14411,9 +14502,9 @@ SOCK *ConnectEx3(char *hostname, UINT port, UINT timeout, bool *cancel_flag, cha } SOCK *ConnectEx4(char *hostname, UINT port, UINT timeout, bool *cancel_flag, char *nat_t_svc_name, UINT *nat_t_error_code, bool try_start_ssl, bool no_get_hostname, IP *ret_ip) { - return ConnectEx5(hostname, port, timeout, cancel_flag, nat_t_svc_name, nat_t_error_code, try_start_ssl, no_get_hostname, NULL, ret_ip); + return ConnectEx5(hostname, port, timeout, cancel_flag, nat_t_svc_name, nat_t_error_code, try_start_ssl, no_get_hostname, NULL, NULL, NULL, ret_ip); } -SOCK *ConnectEx5(char *hostname, UINT port, UINT timeout, bool *cancel_flag, char *nat_t_svc_name, UINT *nat_t_error_code, bool try_start_ssl, bool no_get_hostname, char *hint_str, IP *ret_ip) +SOCK *ConnectEx5(char *hostname, UINT port, UINT timeout, bool *cancel_flag, char *nat_t_svc_name, UINT *nat_t_error_code, bool try_start_ssl, bool no_get_hostname, SSL_VERIFY_OPTION *ssl_option, UINT *ssl_err, char *hint_str, IP *ret_ip) { bool dummy = false; bool use_natt = false; @@ -14496,9 +14587,9 @@ SOCK *ConnectEx5(char *hostname, UINT port, UINT timeout, bool *cancel_flag, cha EVENT *finish_event; THREAD *t4 = NULL; THREAD *t6 = NULL; - UINT64 start_tick = Tick64(); bool cancel_flag2 = false; bool no_delay_flag = false; + IP ret_ip4, ret_ip6; finish_event = NewEvent(); 
@@ -14517,7 +14608,9 @@ SOCK *ConnectEx5(char *hostname, UINT port, UINT timeout, bool *cancel_flag, cha p6.NoDelayFlag = &no_delay_flag; p6.FinishEvent = finish_event; p6.Tcp_TryStartSsl = try_start_ssl; - p6.Ret_Ip = ret_ip; + p6.SslOption = ssl_option; + p6.SslErr = ssl_err; + p6.Ret_Ip = &ret_ip6; p6.RetryDelay = 250; p6.Delay = 0; t6 = NewThread(ConnectThreadForIPv6, &p6); @@ -14538,9 +14631,11 @@ SOCK *ConnectEx5(char *hostname, UINT port, UINT timeout, bool *cancel_flag, cha StrCpy(p4.NatT_SvcName, sizeof(p4.NatT_SvcName), nat_t_svc_name); p4.FinishEvent = finish_event; p4.Tcp_TryStartSsl = try_start_ssl; + p4.SslOption = ssl_option; + p4.SslErr = ssl_err; p4.Use_NatT = use_natt; p4.Force_NatT = force_use_natt; - p4.Ret_Ip = ret_ip; + p4.Ret_Ip = &ret_ip4; p4.RetryDelay = 250; p4.Delay = 250; // Delay by 250ms to prioritize IPv6 (RFC 6555 recommends 150-250ms, Chrome uses 300ms) t4 = NewThread(ConnectThreadForIPv4, &p4); @@ -14604,7 +14699,7 @@ SOCK *ConnectEx5(char *hostname, UINT port, UINT timeout, bool *cancel_flag, cha { Disconnect(p4.Sock); ReleaseSock(p4.Sock); - + Copy(ret_ip, &ret_ip6, sizeof(IP)); return p6.Sock; } @@ -14612,7 +14707,7 @@ SOCK *ConnectEx5(char *hostname, UINT port, UINT timeout, bool *cancel_flag, cha { Disconnect(p6.Sock); ReleaseSock(p6.Sock); - + Copy(ret_ip, &ret_ip4, sizeof(IP)); return p4.Sock; } diff --git a/src/Mayaqua/Network.h b/src/Mayaqua/Network.h index d0b3be4a..3eb3b0cf 100644 --- a/src/Mayaqua/Network.h +++ b/src/Mayaqua/Network.h @@ -816,6 +816,8 @@ struct CONNECT_SERIAL_PARAM UINT Delay; UINT RetryDelay; bool Tcp_TryStartSsl; + SSL_VERIFY_OPTION *SslOption; + UINT *SslErr; bool Use_NatT; bool Force_NatT; IP *Ret_Ip; 
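Review bot: `p6.SslErr = ssl_err;` and `p4.SslErr = ssl_err;` point both racing connect threads at the same caller-owned UINT — the same sharing this hunk just removed for `Ret_Ip` — and StartSSLEx3 writes `*ssl_err` only on a verification failure and never resets it, so if the losing family fails verification while the winning socket verifies cleanly, ConnectEx5 returns a good socket together with a non-zero `*ssl_err`, which ClientConnectGetSocket then copies into `c->Err`. Give each thread its own error slot next to `ret_ip4`/`ret_ip6` and publish only the winner's value where the `Copy(ret_ip, ...)` calls are. `ret_ip4` and `ret_ip6` (declared in the preceding hunk) are uninitialised and the final `Copy(ret_ip, &ret_ip6, sizeof(IP))` relies on `Copy` tolerating a NULL `ret_ip` (WinConnectDlgThread passes NULL); `Zero(&ret_ip4, sizeof(ret_ip4));` at declaration and a NULL check are cheap insurance. ConnectEx5 starts outside these hunks.
```c
IP ret_ip4, ret_ip6;
UINT ssl_err4 = 0, ssl_err6 = 0;   // one slot per connect thread; never shared
// … unchanged: finish_event / p6 setup …
p6.SslErr = &ssl_err6;
// … unchanged: p4 setup …
p4.SslErr = &ssl_err4;
// … unchanged: wait for the connect race …
if (ssl_err != NULL)
{
	*ssl_err = ssl_err6;   // only the winning socket's verification result is reported
}
Copy(ret_ip, &ret_ip6, sizeof(IP));
return p6.Sock;
// … and symmetrically ssl_err4 / ret_ip4 before `return p4.Sock;` …
```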
@@ -842,11 +844,23 @@ struct CONNECT_TCP_RUDP_PARAM UINT RUdpProtocol; UINT Delay; bool Tcp_TryStartSsl; + SSL_VERIFY_OPTION *SslOption; + UINT *SslErr; LOCK *CancelLock; SOCK *CancelDisconnectSock; bool Tcp_InNegotiation; }; +struct SSL_VERIFY_OPTION +{ + bool VerifyPeer; // Whether to verify SSL peer + bool PromptOnVerifyFail; // Prompt on verification failure (Windows) + bool AddDefaultCA; // Use default trust store + bool VerifyHostname; // Verify server hostname + LIST *CaList; // Trusted CA list + X *SavedCert; // Saved server certificate +}; + #define SSL_DEFAULT_CONNECT_TIMEOUT (15 * 1000) // SSL default timeout // Header for TCP Pair @@ -1084,7 +1098,7 @@ SOCK *ConnectEx(char *hostname, UINT port, UINT timeout); SOCK *ConnectEx2(char *hostname, UINT port, UINT timeout, bool *cancel_flag); SOCK *ConnectEx3(char *hostname, UINT port, UINT timeout, bool *cancel_flag, char *nat_t_svc_name, UINT *nat_t_error_code, bool try_start_ssl, bool no_get_hostname); SOCK *ConnectEx4(char *hostname, UINT port, UINT timeout, bool *cancel_flag, char *nat_t_svc_name, UINT *nat_t_error_code, bool try_start_ssl, bool no_get_hostname, IP *ret_ip); -SOCK *ConnectEx5(char *hostname, UINT port, UINT timeout, bool *cancel_flag, char *nat_t_svc_name, UINT *nat_t_error_code, bool try_start_ssl, bool no_get_hostname, char *hint_str, IP *ret_ip); +SOCK *ConnectEx5(char *hostname, UINT port, UINT timeout, bool *cancel_flag, char *nat_t_svc_name, UINT *nat_t_error_code, bool try_start_ssl, bool no_get_hostname, SSL_VERIFY_OPTION *ssl_option, UINT *ssl_err, char *hint_str, IP *ret_ip); SOCKET ConnectTimeoutIPv4(IP *ip, UINT port, UINT timeout, bool *cancel_flag); bool SetSocketBufferSize(SOCKET s, bool send, UINT size); UINT SetSocketBufferSizeWithBestEffort(SOCKET s, bool send, UINT size); 
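Review bot: `struct SSL_VERIFY_OPTION` carries two pointer members, `CaList` and `SavedCert`, with no statement of who owns them or how long they must remain valid, even though the option is passed to the connect worker threads through the new `SslOption` members and is therefore read on another thread while the connect is in flight. Propose above the two fields: `// CaList and SavedCert are borrowed from the caller and must outlive the connect call; the option does not free them` (or the reverse, matching what the implementation does). The interaction of `VerifyPeer` with the remaining flags is also undocumented; a line such as `// When VerifyPeer is false the other members are ignored`, if that is the behaviour, keeps callers from assuming `VerifyHostname` alone enforces anything. `CONNECT_TCP_RUDP_PARAM` above uses the type before this definition, so a forward `typedef` is needed earlier in the header; it is not visible in this hunk.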
@@ -1109,6 +1123,7 @@ UINT SecureRecv(SOCK *sock, void *data, UINT size); bool StartSSL(SOCK *sock, X *x, K *priv); bool StartSSLEx(SOCK *sock, X *x, K *priv, UINT ssl_timeout, char *sni_hostname); bool StartSSLEx2(SOCK *sock, X *x, K *priv, LIST *chain, UINT ssl_timeout, char *sni_hostname); +bool StartSSLEx3(SOCK *sock, X *x, K *priv, LIST *chain, UINT ssl_timeout, char *sni_hostname, SSL_VERIFY_OPTION *ssl_option, UINT *ssl_err); bool AddChainSslCert(struct ssl_ctx_st *ctx, X *x); void AddChainSslCertOnDirectory(struct ssl_ctx_st *ctx); bool SendAll(SOCK *sock, void *data, UINT size, bool secure); diff --git a/src/PenCore/PenCore.rc b/src/PenCore/PenCore.rc index 6023da7f..3d356d3c 100644 --- a/src/PenCore/PenCore.rc +++ b/src/PenCore/PenCore.rc @@ -1505,7 +1505,7 @@ BEGIN EDITTEXT S_DESCRIPTION,7,191,289,45,ES_MULTILINE | ES_AUTOVSCROLL | ES_READONLY | ES_WANTRETURN | WS_VSCROLL END -D_CM_ACCOUNT DIALOGEX 0, 0, 451, 333 +D_CM_ACCOUNT DIALOGEX 0, 0, 451, 346 STYLE DS_SETFONT | DS_MODALFRAME | DS_FIXEDSYS | WS_POPUP | WS_CAPTION | WS_SYSMENU CAPTION "@D_CM_ACCOUNT" FONT 9, "MS Shell Dlg", 400, 0, 0x80 
@@ -1535,14 +1535,15 @@ BEGIN
 CONTROL "@R_SOCKS",R_SOCKS,"Button",BS_AUTORADIOBUTTON,72,194,135,10
 CONTROL "@R_SOCKS5",R_SOCKS5,"Button",BS_AUTORADIOBUTTON,72,204,135,10
 PUSHBUTTON "@B_PROXY_CONFIG",B_PROXY_CONFIG,74,218,114,15
- GROUPBOX "@STATIC11",S_STATIC11,7,245,206,69
+ GROUPBOX "@STATIC11",S_STATIC11,7,245,206,82
 ICON ICO_CERT,IDC_STATIC,14,255,20,18
 CONTROL "@R_CHECK_CERT",R_CHECK_CERT,"Button",BS_AUTOCHECKBOX | WS_TABSTOP,41,259,133,9
- PUSHBUTTON "@B_TRUST",B_TRUST,41,273,157,15
- PUSHBUTTON "@B_SERVER_CERT",B_SERVER_CERT,41,291,77,15
- PUSHBUTTON "@B_VIEW_SERVER_CERT",B_VIEW_SERVER_CERT,123,291,75,15
- CONTROL "@R_HIDE",R_HIDE,"Button",BS_AUTOCHECKBOX | WS_TABSTOP,7,318,148,9
- CONTROL "@R_HIDE2",R_HIDE2,"Button",BS_AUTOCHECKBOX | WS_TABSTOP,158,318,132,9
+ CONTROL "@R_TRUST_DEFAULT",R_TRUST_DEFAULT,"Button",BS_AUTOCHECKBOX | WS_TABSTOP,41,273,133,9
+ PUSHBUTTON "@B_TRUST",B_TRUST,41,287,157,15
+ PUSHBUTTON "@B_SERVER_CERT",B_SERVER_CERT,41,305,77,15
+ PUSHBUTTON "@B_VIEW_SERVER_CERT",B_VIEW_SERVER_CERT,123,305,75,15
+ CONTROL "@R_HIDE",R_HIDE,"Button",BS_AUTOCHECKBOX | WS_TABSTOP,7,331,148,9
+ CONTROL "@R_HIDE2",R_HIDE2,"Button",BS_AUTOCHECKBOX | WS_TABSTOP,158,331,132,9
 CONTROL "",L_VLAN,"SysListView32",LVS_REPORT | LVS_SINGLESEL | LVS_SHOWSELALWAYS | LVS_SHAREIMAGELISTS | LVS_NOCOLUMNHEADER | LVS_NOSORTHEADER | WS_BORDER | WS_TABSTOP,233,17,200,66
 GROUPBOX "@S_VLAN_GROUP",S_VLAN_GROUP,224,5,220,88
 LTEXT "@S_POLICY_1",S_POLICY_1,258,17,163,24,NOT WS_VISIBLE
diff --git a/src/PenCore/resource.h b/src/PenCore/resource.h
index 2f50d0e6..384d3ff9 100644
--- a/src/PenCore/resource.h
+++ b/src/PenCore/resource.h
@@ -1028,6 +1028,7 @@
 #define L_VALUES_LIST 1519
 #define B_HTTP_HEADER 1520
 #define B_NEW 1521
+#define R_TRUST_DEFAULT 1521
 #define B_CLEAR 1522
 #define B_ONLINE 1655
 #define D_NM_CONNECT 1998
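Review bot: `#define R_TRUST_DEFAULT 1521` reuses the numeric value that the preceding line already assigns to `B_NEW`; two control identifiers sharing a value resolve to the same child window in `GetDlgItem`/`SendDlgItemMessage` if both ever appear in one dialog, and resource tooling flags the duplicate. The counter change in the next hunk (`_APS_NEXT_CONTROL_VALUE` 1521 → 1522) suggests 1521 was taken to be free, but `B_NEW` had already been given it without bumping the counter. Pick a value no other `#define` in this header carries (1522 is `B_CLEAR`) and set `_APS_NEXT_CONTROL_VALUE` to one past it.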
@@ -1212,7 +1213,7 @@ #define _APS_NO_MFC 1 #define _APS_NEXT_RESOURCE_VALUE 244 #define _APS_NEXT_COMMAND_VALUE 40111 -#define _APS_NEXT_CONTROL_VALUE 1521 +#define _APS_NEXT_CONTROL_VALUE 1522 #define _APS_NEXT_SYMED_VALUE 102 #endif #endif diff --git a/src/bin/hamcore/strtable_cn.stb b/src/bin/hamcore/strtable_cn.stb index 0f49f8df..2e6f5f12 100644 --- a/src/bin/hamcore/strtable_cn.stb +++ b/src/bin/hamcore/strtable_cn.stb @@ -214,6 +214,7 @@ ERR_145 不可接受的操作。使用 VPN Gate 实用工具修改 VPN Gate ERR_146 VPN Gate 服务运行在 VPN 客户端程序内。在此屏幕上,你不能停止 VPN Gate 服务。使用 VPN 客户端管理器来启用或禁用 VPN Gate 服务。 ERR_147 不支持此功能。它尚未在 SoftEther VPN 的开源版本上实施。 ERR_148 VPN 连接被中断,因为该系统被暂停。 +ERR_149 目标 VPN Server 的证书与指定的主机名不匹配。 #关于许可证 @@ -2340,6 +2341,7 @@ R_SOCKS5 通过 SOCKS5 代理服务器连接(&S) B_PROXY_CONFIG 代理服务器设置(&R) STATIC11 服务端证书验证选项(&F): R_CHECK_CERT 总是验证服务端证书(&C) +R_TRUST_DEFAULT 信任系统证书存储 B_TRUST 管理可信发证机关证书列表(&C) B_SERVER_CERT 指定特定证书(&S) B_VIEW_SERVER_CERT 查看特定证书(&V) @@ -4410,7 +4412,8 @@ CMD_ACCOUNT_COLUMN_PROXY_PORT 代理服务器的端口号 CMD_ACCOUNT_COLUMN_PROXY_USERNAME 代理服务器的用户名 CMD_ACCOUNT_COLUMN_SERVER_CERT_USE 验证服务器证书 CMD_ACCOUNT_COLUMN_SERVER_CERT_NAME 注册的服务器个人证书 -CMD_ACCOUNT_COLUMN_RETRY_ON_SERVER_CERT Retry on Untrusted Server Certificate +CMD_ACCOUNT_COLUMN_RETRY_ON_SERVER_CERT 遇到不信任的证书时重试 +CMD_ACCOUNT_COLUMN_ADD_DEFAULT_CA 信任系统证书存储 CMD_ACCOUNT_COLUMN_DEVICE_NAME 用于连接的设备名 CMD_ACCOUNT_COLUMN_AUTH_TYPE 验证类型 CMD_ACCOUNT_COLUMN_AUTH_USERNAME 用户名 @@ -4425,7 +4428,7 @@ CMD_ACCOUNT_COLUMN_BRIDGE_ROUTER 通过网桥 / 路由模式连接 CMD_ACCOUNT_COLUMN_MONITOR 通过监测模式连接 CMD_ACCOUNT_COLUMN_NO_TRACKING 不要调整路由表 CMD_ACCOUNT_COLUMN_QOS_DISABLE 不要使用 QoS 控制功能 -CMD_ACCOUNT_COLUMN_DISABLEUDP Disable UDP Acceleration +CMD_ACCOUNT_COLUMN_DISABLEUDP 禁用 UDP 加速功能 # Debugging Information Collecting Tool 
@@ -5513,6 +5516,20 @@ CMD_CascadeServerCertDisable_Args CascadeServerCertDisable [name] CMD_CascadeServerCertDisable_[name] 指定级联名称来改变设置。 +# CascadeDefaultCAEnable 命令 +CMD_CascadeDefaultCAEnable 启用信任系统证书存储选项 +CMD_CascadeDefaultCAEnable_Help 当启用服务器证书验证时,使用此选项来启用信任系统证书存储的证书。\n如果禁用服务器证书验证,则此选项不执行任何操作。 +CMD_CascadeDefaultCAEnable_Args CascadeDefaultCAEnable [name] +CMD_CascadeDefaultCAEnable_[name] 指定级联名称来改变设置。 + + +# CascadeDefaultCADisable 命令 +CMD_CascadeDefaultCADisable 禁用信任系统证书存储选项 +CMD_CascadeDefaultCADisable_Help 当启用服务器证书验证时,使用此选项来禁用信任系统证书存储的证书。\n如果禁用服务器证书验证,则此选项不执行任何操作。 +CMD_CascadeDefaultCADisable_Args CascadeDefaultCADisable [name] +CMD_CascadeDefaultCADisable_[name] 指定级联名称来改变设置。 + + # CascadeServerCertSet 命令 CMD_CascadeServerCertSet 设置级联连接的服务器特定证书 CMD_CascadeServerCertSet_Help 指定已经在当前虚拟 HUB 注册的级联连接,当此连接和 VPN Server 之间通信时,事先将连接方提供的 SSL 证书注册。\n如果启用此选项,需要将在目标服务器的证书事先通过指令设置到级联的连接设置中,或者在虚拟 HUB 的可信任证书列表中,运行 CAAdd 指令,将有服务器的 SSL 证书署名的路线证书添加进去。\n当启用服务器证书验证选项时,如果 VPN Server 提供的证书不可信,连接将断开,并重试。\n此命令在集群虚拟 HUB 中不能运行。 
@@ -6817,6 +6834,20 @@ CMD_AccountRetryOnServerCertDisable_Args AccountRetryOnServerCertDisable [name] CMD_AccountRetryOnServerCertDisable_[name] Specify the name of the VPN Connection Setting whose setting you want to change. +# AccountDefaultCAEnable 命令 +CMD_AccountDefaultCAEnable 启用信任系统证书存储选项 +CMD_AccountDefaultCAEnable_Help 当启用服务器证书验证时,使用此选项来启用信任系统证书存储的证书。\n如果禁用服务器证书验证,则此选项不执行任何操作。 +CMD_AccountDefaultCAEnable_Args AccountDefaultCAEnable [name] +CMD_AccountDefaultCAEnable_[name] 指定要更改设置的连接设置名。 + + +# AccountDefaultCADisable 命令 +CMD_AccountDefaultCADisable 禁用信任系统证书存储选项 +CMD_AccountDefaultCADisable_Help 当启用服务器证书验证时,使用此选项来禁用信任系统证书存储的证书。\n如果禁用服务器证书验证,则此选项不执行任何操作。 +CMD_AccountDefaultCADisable_Args AccountDefaultCADisable [name] +CMD_AccountDefaultCADisable_[name] 指定要更改设置的连接设置名。 + + # AccountServerCertSet 命令 CMD_AccountServerCertSet 设置连接设置的服务器固有证明书 CMD_AccountServerCertSet_Help 指定注册到 VPN Client 的连接设置,其连接设置连接到 VPN Server 时,预先注册与连接目标的 VPN Server 提交的 SSL 证书相同的证书。\n如果启动了连接设置的服务器证书验证选项,可以预先将连接目标服务器的 SSL 证书以此指令保存在连接设置的设置内,或需要将服务器的 SSL 证书签名了的根证书,以 CAAdd 指令注册到虚拟 HUB 信任的证明机构的证书列表中。\n验证连接设置的服务器证书的选项处于启动状态,连接了的 VPN Server 的证书不可信时,立即解除连接,反复重试。 diff --git a/src/bin/hamcore/strtable_en.stb b/src/bin/hamcore/strtable_en.stb index 60094a49..943cb4c3 100644 --- a/src/bin/hamcore/strtable_en.stb +++ b/src/bin/hamcore/strtable_en.stb @@ -212,6 +212,8 @@ ERR_145 Unacceptable operation. Use the VPN Gate Utility to modify the conne ERR_146 The VPN Gate Service is running inside the VPN Client program. You cannot stop the VPN Gate Service on this screen. Use the VPN Client Manager to enable or disable the VPN Gate Service. ERR_147 This feature is not supported. It hasn't been implemented yet on the open-source version of SoftEther VPN. ERR_148 The VPN connection was disconnected because the system is being suspended. +ERR_149 The destination VPN Server's certificate does not match the specified hostname. + # Concerning licenses LICENSE_INFO_URL https://selinks.org/?new_license 
@@ -2322,6 +2324,7 @@ R_SOCKS5 Connect via &SOCKS5 Proxy Server B_PROXY_CONFIG P&roxy Server Setting STATIC11 Server Certificate Veri&fication Option: R_CHECK_CERT Always Verify Server &Certificate +R_TRUST_DEFAULT Trust System Certificate Store B_TRUST Manage Trusted CA &Certificate List B_SERVER_CERT &Specify Individual Cert B_VIEW_SERVER_CERT Show Indi&vidual Cert @@ -4396,6 +4399,7 @@ CMD_ACCOUNT_COLUMN_PROXY_USERNAME Proxy Server User Name CMD_ACCOUNT_COLUMN_SERVER_CERT_USE Verify Server Certificate CMD_ACCOUNT_COLUMN_SERVER_CERT_NAME Registered Server Individual Certificate CMD_ACCOUNT_COLUMN_RETRY_ON_SERVER_CERT Retry on Untrusted Server Certificate +CMD_ACCOUNT_COLUMN_ADD_DEFAULT_CA Trust System Certificate Store CMD_ACCOUNT_COLUMN_DEVICE_NAME Device Name Used for Connection CMD_ACCOUNT_COLUMN_AUTH_TYPE Authentication Type CMD_ACCOUNT_COLUMN_AUTH_USERNAME User Name 
@@ -5496,6 +5500,20 @@ CMD_CascadeServerCertDisable_Args CascadeServerCertDisable [name] CMD_CascadeServerCertDisable_[name] Specify the name of the Cascade Connection whose setting you want to change. +# CascadeDefaultCAEnable command +CMD_CascadeDefaultCAEnable Enable Trust System Certificate Store Option +CMD_CascadeDefaultCAEnable_Help When server certificate verification is enabled, use this to enable trusting certificates from the system trust store. \nIf server certificate verification is disabled, this option does nothing. +CMD_CascadeDefaultCAEnable_Args CascadeDefaultCAEnable [name] +CMD_CascadeDefaultCAEnable_[name] Specify the name of the Cascade Connection whose setting you want to change. + + +# CascadeDefaultCADisable command +CMD_CascadeDefaultCADisable Disable Trust System Certificate Store Option +CMD_CascadeDefaultCADisable_Help When server certificate verification is enabled, use this to disable trusting certificates from the system trust store. \nIf server certificate verification is disabled, this option does nothing. +CMD_CascadeDefaultCADisable_Args CascadeDefaultCADisable [name] +CMD_CascadeDefaultCADisable_[name] Specify the name of the Cascade Connection whose setting you want to change. + + # CascadeServerCertSet command CMD_CascadeServerCertSet Set the Server Individual Certificate for Cascade Connection CMD_CascadeServerCertSet_Help When a Cascade Connection registered on the currently managed Virtual Hub is specified and that Cascade Connection connects to a VPN Server, use this to register beforehand the same certificate as the SSL certificate provided by the destination VPN Server. \nIf the option to verify server certificates for Cascade Connections is enabled, you must either use this command to save the connection destination server SSL certificate beforehand in the Cascade Connection Settings beforehand, or use the CAAdd command etc. 
to register a root certificate containing the signed server SSL certificate in the list of Virtual Hub trusted CA certificates. \nIf the certificate of the connected VPN Server cannot be trusted under the condition where the option to verify server certificates was enabled for the Cascade Connection, the connection will be promptly cancelled and continual reattempts at connection will be made. \nYou cannot execute this command for Virtual Hubs of VPN Servers operating as a cluster. 
@@ -6803,6 +6821,20 @@ CMD_AccountRetryOnServerCertDisable_Args AccountRetryOnServerCertDisable [name] CMD_AccountRetryOnServerCertDisable_[name] Specify the name of the VPN Connection Setting whose setting you want to change. +# AccountDefaultCAEnable command +CMD_AccountDefaultCAEnable Enable Trust System Certificate Store Option +CMD_AccountDefaultCAEnable_Help When server certificate verification is enabled, use this to enable trusting certificates from the system trust store. \nIf server certificate verification is disabled, this option does nothing. +CMD_AccountDefaultCAEnable_Args AccountDefaultCAEnable [name] +CMD_AccountDefaultCAEnable_[name] Specify the name of the VPN Connection Setting whose setting you want to change. + + +# AccountDefaultCADisable command +CMD_AccountDefaultCADisable Disable Trust System Certificate Store Option +CMD_AccountDefaultCADisable_Help When server certificate verification is enabled, use this to disable trusting certificates from the system trust store. \nIf server certificate verification is disabled, this option does nothing. +CMD_AccountDefaultCADisable_Args AccountDefaultCADisable [name] +CMD_AccountDefaultCADisable_[name] Specify the name of the VPN Connection Setting whose setting you want to change. + + # AccountServerCertSet command CMD_AccountServerCertSet Set Server Individual Certificate for VPN Connection Setting CMD_AccountServerCertSet_Help When a VPN Connection Setting registered on the VPN Client is specified and that VPN Connection Setting connects to a VPN Server, use this to register the same certificate as the SSL certificate provided by the destination VPN Server. \nIf the option to verify server certificates for VPN Connection Settings is enabled, you must either use this command to save the connection destination server SSL certificate beforehand in the VPN Connection Setting settings beforehand, or use the CAAdd command etc. 
to register a root certificate containing the signed server SSL certificate in the list of Virtual Hub trusted CA certificates. \nIf the certificate of the connected VPN Server cannot be trusted under the condition where the option to verify server certificates has been enabled for the VPN Connection Setting, the connection will be promptly cancelled and continual reattempts at connection will be made. diff --git a/src/bin/hamcore/strtable_ja.stb b/src/bin/hamcore/strtable_ja.stb index 29ba2f58..943e4b7c 100644 --- a/src/bin/hamcore/strtable_ja.stb +++ b/src/bin/hamcore/strtable_ja.stb @@ -214,7 +214,7 @@ ERR_145 この操作は実行できません。VPN Gate 公開 VPN 中継サ ERR_146 VPN Gate サービスが VPN Client 内で動作している場合は、この設定画面から VPN Gate サービスを停止することはできません。VPN Gate サービスを停止するには、VPN Client 接続マネージャの設定ツールを使用してください。 ERR_147 この機能はオープンソース版 SoftEther VPN にはまだ実装されていません。 ERR_148 Windows システムがサスペンド状態に移行中のため、VPN 通信が切断されました。 - +ERR_149 接続先サーバーの提示した証明書が指定したホスト名と一致しません。 # ライセンス関係 @@ -2328,6 +2328,7 @@ R_SOCKS5 SOCKS5 プロキシサーバー経由接続(&S) B_PROXY_CONFIG プロキシサーバーの接続設定(&2) STATIC11 サーバー証明書の検証オプション(&F): R_CHECK_CERT サーバー証明書を必ず検証する(&3) +R_TRUST_DEFAULT システム証明書ストアを信頼する B_TRUST 信頼する証明機関の証明書の管理(&4) B_SERVER_CERT 固有証明書の登録(&R) B_VIEW_SERVER_CERT 固有証明書の表示(&5) @@ -4401,6 +4402,7 @@ CMD_ACCOUNT_COLUMN_PROXY_USERNAME プロキシサーバーのユーザー名 CMD_ACCOUNT_COLUMN_SERVER_CERT_USE サーバー証明書の検証 CMD_ACCOUNT_COLUMN_SERVER_CERT_NAME 登録されているサーバー固有証明書 CMD_ACCOUNT_COLUMN_RETRY_ON_SERVER_CERT サーバー証明書が信頼できない場合に接続を再試行する +CMD_ACCOUNT_COLUMN_ADD_DEFAULT_CA システム証明書ストアを信頼する CMD_ACCOUNT_COLUMN_DEVICE_NAME 接続に使用するデバイス名 CMD_ACCOUNT_COLUMN_AUTH_TYPE 認証の種類 CMD_ACCOUNT_COLUMN_AUTH_USERNAME ユーザー名 
@@ -5500,6 +5502,20 @@ CMD_CascadeServerCertDisable_Args CascadeServerCertDisable [name] CMD_CascadeServerCertDisable_[name] 設定を変更するカスケード接続の名前を指定します。 +# CascadeDefaultCAEnable コマンド +CMD_CascadeDefaultCAEnable システム証明書ストアからの証明書の信頼を有効化 +CMD_CascadeDefaultCAEnable_Help サーバー証明書の検証が有効になっている場合、システム証明書ストアからの証明書の信頼を有効にします。\nサーバー証明書の検証が無効になっている場合、このオプションは何もしません。 +CMD_CascadeDefaultCAEnable_Args CascadeDefaultCAEnable [name] +CMD_CascadeDefaultCAEnable_[name] 設定を変更するカスケード接続の名前を指定します。 + + +# CascadeDefaultCADisable コマンド +CMD_CascadeDefaultCADisable システム証明書ストアからの証明書の信頼を無効化 +CMD_CascadeDefaultCADisable_Help サーバー証明書の検証が有効になっている場合、システム証明書ストアからの証明書の信頼を無効にします。\nサーバー証明書の検証が無効になっている場合、このオプションは何もしません。 +CMD_CascadeDefaultCADisable_Args CascadeDefaultCADisable [name] +CMD_CascadeDefaultCADisable_[name] 設定を変更するカスケード接続の名前を指定します。 + + # CascadeServerCertSet コマンド CMD_CascadeServerCertSet カスケード接続のサーバー固有証明書の設定 CMD_CascadeServerCertSet_Help 現在管理している仮想 HUB に登録されているカスケード接続を指定し、そのカスケード接続が VPN Server に対して接続する際に、接続先の VPN Server の提示する SSL 証明書と同じ証明書をあらかじめ登録します。\nカスケード接続の、サーバー証明書の検証オプションが有効になっている場合、接続先サーバーの SSL 証明書を、あらかじめこのコマンドでカスケード接続設定内に保存しておくか、または仮想 HUB の信頼する証明機関の証明書一覧に、サーバーの SSL 証明書を署名したルート証明書を CAAdd コマンドなどで登録しておく必要があります。\nカスケード接続の、サーバー証明書の検証オプションが有効になっている状態で接続した VPN Server の証明書が信頼できない場合、直ちに接続を解除して再試行を繰り返します。\nこのコマンドは、クラスタとして動作している VPN Server の仮想 HUB では実行できません。 @@ -6801,7 +6817,6 @@ CMD_AccountServerCertDisable_[name] 設定を変更する接続設定の名前 # AccountRetryOnServerCertEnable コマンド CMD_AccountRetryOnServerCertEnable 接続設定のサーバー証明書が信頼できない場合の接続再試行を有効化 CMD_AccountRetryOnServerCertEnable_Help 接続設定のサーバー証明書の検証プションが有効になっている状態で、 VPN Server の証明書が信頼できない場合、直ちに接続を解除して再試行を繰り返します。AccountRetryOnServerCertDisableコマンドを使用することにより再試行を行わないように設定することができますが、このコマンドを使用することにより、デフォルトの接続再試行を行う状態に戻すことができます。 - CMD_AccountRetryOnServerCertEnable_Args AccountRetryOnServerCertEnable [name] CMD_AccountRetryOnServerCertEnable_[name] 設定を変更する接続設定の名前を指定します。 
@@ -6813,6 +6828,20 @@ CMD_AccountRetryOnServerCertDisable_Args AccountRetryOnServerCertDisable [name] CMD_AccountRetryOnServerCertDisable_[name] 設定を変更する接続設定の名前を指定します。 +# AccountDefaultCAEnable コマンド +CMD_AccountDefaultCAEnable システム証明書ストアからの証明書の信頼を有効化 +CMD_AccountDefaultCAEnable_Help サーバー証明書の検証が有効になっている場合、システム証明書ストアからの証明書の信頼を有効にします。\nサーバー証明書の検証が無効になっている場合、このオプションは何もしません。 +CMD_AccountDefaultCAEnable_Args AccountDefaultCAEnable [name] +CMD_AccountDefaultCAEnable_[name] 設定を変更する接続設定の名前を指定します。 + + +# AccountDefaultCADisable コマンド +CMD_AccountDefaultCADisable システム証明書ストアからの証明書の信頼を無効化 +CMD_AccountDefaultCADisable_Help サーバー証明書の検証が有効になっている場合、システム証明書ストアからの証明書の信頼を無効にします。\nサーバー証明書の検証が無効になっている場合、このオプションは何もしません。 +CMD_AccountDefaultCADisable_Args AccountDefaultCADisable [name] +CMD_AccountDefaultCADisable_[name] 設定を変更する接続設定の名前を指定します。 + + # AccountServerCertSet コマンド CMD_AccountServerCertSet 接続設定のサーバー固有証明書の設定 CMD_AccountServerCertSet_Help VPN Client に登録されている接続設定を指定し、その接続設定が VPN Server に対して接続する際に、接続先の VPN Server の提示する SSL 証明書と同じ証明書をあらかじめ登録します。\n接続設定のサーバー証明書の検証オプションが有効になっている場合、接続先サーバーの SSL 証明書をあらかじめこのコマンドで接続設定設定内に保存しておくか、または仮想 HUB の信頼する証明機関の証明書一覧に、サーバーの SSL 証明書を署名したルート証明書を CAAdd コマンドなどで登録しておく必要があります。\n接続設定のサーバー証明書の検証オプションが有効になっている状態で、接続した VPN Server の証明書が信頼できない場合、直ちに接続を解除して再試行を繰り返します。 diff --git a/src/bin/hamcore/strtable_ko.stb b/src/bin/hamcore/strtable_ko.stb index 4186e8fd..5278e838 100644 --- a/src/bin/hamcore/strtable_ko.stb +++ b/src/bin/hamcore/strtable_ko.stb @@ -218,7 +218,7 @@ ERR_145 이 작업을 수행 할 수 없습니다. VPN Gate 공개 VPN 중계 ERR_146 VPN Gate 서비스가 VPN Client에서 실행중인 경우이 설정 화면에서 VPN Gate 서비스를 중지 할 수 없습니다. VPN Gate 서비스를 중지하려면 VPN Client 연결 관리자 설정 도구를 사용하십시오. ERR_147 이 기능은 오픈 소스 버전 SoftEther VPN은 아직 구현되어 있지 않습니다. ERR_148 Windows 시스템이 대기 상태로 전환 중이기 때문에 VPN 통신이 끊어졌습니다. - +ERR_149 대상 VPN 서버의 인증서가 지정된 호스트 이름과 일치하지 않습니다. # 라이센스 관계 
@@ -2306,6 +2306,7 @@ R_SOCKS5 SOCKS5 프록시 서버를 통해 연결 (&S) B_PROXY_CONFIG 프록시 서버 연결 설정 (&2) STATIC11 서버 인증서 검증 옵션 (&F): R_CHECK_CERT 서버 인증서를 반드시 확인한다 (&3) +R_TRUST_DEFAULT 시스템 인증서 저장소 신뢰 B_TRUST 신뢰하는 인증 기관의 인증서 관리 (&4) B_SERVER_CERT 고유 인증서 등록 (&R) B_VIEW_SERVER_CERT 고유 인증서보기 (&5) @@ -4379,6 +4380,7 @@ CMD_ACCOUNT_COLUMN_PROXY_USERNAME 프록시 서버의 사용자 이름 CMD_ACCOUNT_COLUMN_SERVER_CERT_USE 서버 인증서 확인 CMD_ACCOUNT_COLUMN_SERVER_CERT_NAME 등록 된 서버 별 인증서 CMD_ACCOUNT_COLUMN_RETRY_ON_SERVER_CERT Retry on Untrusted Server Certificate +CMD_ACCOUNT_COLUMN_ADD_DEFAULT_CA 시스템 인증서 저장소 신뢰 CMD_ACCOUNT_COLUMN_DEVICE_NAME 연결에 사용할 장치 이름 CMD_ACCOUNT_COLUMN_AUTH_TYPE 인증의 종류 CMD_ACCOUNT_COLUMN_AUTH_USERNAME 사용자 이름 
@@ -5477,6 +5479,20 @@ CMD_CascadeServerCertDisable_Args CascadeServerCertDisable [name] CMD_CascadeServerCertDisable_[name] 설정을 변경 계단식의 이름을 지정합니다. +# CascadeDefaultCAEnable command +CMD_CascadeDefaultCAEnable Enable Trust System Certificate Store Option +CMD_CascadeDefaultCAEnable_Help When server certificate verification is enabled, use this to enable trusting certificates from the system trust store. \nIf server certificate verification is disabled, this option does nothing. +CMD_CascadeDefaultCAEnable_Args CascadeDefaultCAEnable [name] +CMD_CascadeDefaultCAEnable_[name] Specify the name of the Cascade Connection whose setting you want to change. + + +# CascadeDefaultCADisable command +CMD_CascadeDefaultCADisable Disable Trust System Certificate Store Option +CMD_CascadeDefaultCADisable_Help When server certificate verification is enabled, use this to disable trusting certificates from the system trust store. \nIf server certificate verification is disabled, this option does nothing. +CMD_CascadeDefaultCADisable_Args CascadeDefaultCADisable [name] +CMD_CascadeDefaultCADisable_[name] Specify the name of the Cascade Connection whose setting you want to change. + + # CascadeServerCertSet 명령 CMD_CascadeServerCertSet 계단식 서버 별 인증서 설정 CMD_CascadeServerCertSet_Help 현재 관리하고있는 가상 HUB에 등록되어있는 계단식 지정하고 계단식가 VPN Server에 연결할 때 연결하려는 VPN Server가 제시하는 SSL 인증서와 동일한 인증서를 미리 등록합니다. \n 계단식 서버 인증서 검증 옵션이 활성화되어있는 경우 연결할 서버의 SSL 인증서를 미리이 명령에서 계단식 설정에 저장할하거나 가상 HUB의 신뢰 인증 기관의 인증서 목록에 서버의 SSL 인증서를 서명 한 루트 인증서를 CAAdd 명령 등으로 등록되어 있어야합니다. \n 계단식 서버 인증서 검증 옵션이 활성화되어있는 상태에서 연결 한 VPN Server의 인증서를 신뢰할 수없는 경우 즉시 연결을 해제하고 재 시도를 반복합니다. \n이 명령은 클러스터로 작동하는 VPN Server의 가상 HUB에서는 실행되지 않습니다. 
@@ -6787,6 +6803,20 @@ CMD_AccountRetryOnServerCertDisable_Args AccountRetryOnServerCertDisable [name] CMD_AccountRetryOnServerCertDisable_[name] Specify the name of the VPN Connection Setting whose setting you want to change. +# AccountDefaultCAEnable command +CMD_AccountDefaultCAEnable Enable Trust System Certificate Store Option +CMD_AccountDefaultCAEnable_Help When server certificate verification is enabled, use this to enable trusting certificates from the system trust store. \nIf server certificate verification is disabled, this option does nothing. +CMD_AccountDefaultCAEnable_Args AccountDefaultCAEnable [name] +CMD_AccountDefaultCAEnable_[name] Specify the name of the VPN Connection Setting whose setting you want to change. + + +# AccountDefaultCADisable command +CMD_AccountDefaultCADisable Disable Trust System Certificate Store Option +CMD_AccountDefaultCADisable_Help When server certificate verification is enabled, use this to disable trusting certificates from the system trust store. \nIf server certificate verification is disabled, this option does nothing. +CMD_AccountDefaultCADisable_Args AccountDefaultCADisable [name] +CMD_AccountDefaultCADisable_[name] Specify the name of the VPN Connection Setting whose setting you want to change. + + # AccountServerCertSet 명령 CMD_AccountServerCertSet 연결 설정 서버 별 인증서 설정 CMD_AccountServerCertSet_Help VPN Client에 등록되어있는 연결 설정을 지정하고 연결 설정 VPN Server에 연결할 때 연결하려는 VPN Server가 제시하는 SSL 인증서와 동일한 인증서를 미리 등록합니다. \n 연결 설정 서버 인증서 검증 옵션이 활성화되어있는 경우 연결할 서버의 SSL 인증서를 미리이 명령에서 연결 설정 설정에 저장할하거나 가상 HUB 신뢰하는 인증 기관 인증서 목록에 서버의 SSL 인증서를 서명 한 루트 인증서를 CAAdd 명령 등으로 등록되어 있어야합니다. \n 연결 설정 서버 인증서 검증 옵션이 활성화되어있는 상태에서 연결 한 VPN Server의 인증서를 신뢰할 수없는 경우 즉시 연결을 해제하고 재 시도를 반복합니다. diff --git a/src/bin/hamcore/strtable_pt_br.stb b/src/bin/hamcore/strtable_pt_br.stb index 75828b2d..593d296b 100644 --- a/src/bin/hamcore/strtable_pt_br.stb +++ b/src/bin/hamcore/strtable_pt_br.stb 
@@ -231,6 +231,7 @@ ERR_145 Unacceptable operation. Use the VPN Gate Utility to modify the connectio ERR_146 The VPN Gate Service is running inside the VPN Client program. You cannot stop the VPN Gate Service on this screen. Use the VPN Client Manager to enable or disable the VPN Gate Service. ERR_147 This feature is not supported. It hasn't been implemented yet on the open-source version of SoftEther VPN. ERR_148 The VPN connection was disconnected because the system is being suspended. +ERR_149 The destination VPN Server's certificate does not match the specified hostname. # Concerning licenses @@ -2299,6 +2300,7 @@ R_SOCKS5 Conectar via servidor proxy &SOCKS5 B_PROXY_CONFIG Configuração do servidor &proxy STATIC11 Opção de verificação do certificado do servidor: R_CHECK_CERT Sempre verificar o certificado do servidor +R_TRUST_DEFAULT Confie no armazenamento de certificados do sistema B_TRUST Gerenciar lista de &certificados CA confiáveis B_SERVER_CERT Certificado &individual B_VIEW_SERVER_CERT &Mostrar individual @@ -4112,6 +4114,7 @@ CMD_ACCOUNT_COLUMN_PROXY_USERNAME Proxy Server User Name CMD_ACCOUNT_COLUMN_SERVER_CERT_USE Verify Server Certificate CMD_ACCOUNT_COLUMN_SERVER_CERT_NAME Registered Server Individual Certificate CMD_ACCOUNT_COLUMN_RETRY_ON_SERVER_CERT Retry on Untrusted Server Certificate +CMD_ACCOUNT_COLUMN_ADD_DEFAULT_CA Trust System Certificate Store CMD_ACCOUNT_COLUMN_DEVICE_NAME Device Name Used for Connection CMD_ACCOUNT_COLUMN_AUTH_TYPE Authentication Type CMD_ACCOUNT_COLUMN_AUTH_USERNAME Nome de usuário 
@@ -5225,6 +5228,20 @@ CMD_CascadeServerCertDisable_Args CascadeServerCertDisable [name] CMD_CascadeServerCertDisable_[name] Specify the name of the Cascade Connection whose setting you want to change. +# CascadeDefaultCAEnable command +CMD_CascadeDefaultCAEnable Enable Trust System Certificate Store Option +CMD_CascadeDefaultCAEnable_Help When server certificate verification is enabled, use this to enable trusting certificates from the system trust store. \nIf server certificate verification is disabled, this option does nothing. +CMD_CascadeDefaultCAEnable_Args CascadeDefaultCAEnable [name] +CMD_CascadeDefaultCAEnable_[name] Specify the name of the Cascade Connection whose setting you want to change. + + +# CascadeDefaultCADisable command +CMD_CascadeDefaultCADisable Disable Trust System Certificate Store Option +CMD_CascadeDefaultCADisable_Help When server certificate verification is enabled, use this to disable trusting certificates from the system trust store. \nIf server certificate verification is disabled, this option does nothing. +CMD_CascadeDefaultCADisable_Args CascadeDefaultCADisable [name] +CMD_CascadeDefaultCADisable_[name] Specify the name of the Cascade Connection whose setting you want to change. + + # CascadeServerCertSet command CMD_CascadeServerCertSet Set the Server Individual Certificate for Cascade Connection CMD_CascadeServerCertSet_Help When a Cascade Connection registered on the currently managed Virtual Hub is specified and that Cascade Connection connects to a VPN Server, use this to register beforehand the same certificate as the SSL certificate provided by the destination VPN Server. \nIf the option to verify server certificates for Cascade Connections is enabled, you must either use this command to save the connection destination server SSL certificate beforehand in the Cascade Connection Settings beforehand, or use the CAAdd command etc. 
to register a root certificate containing the signed server SSL certificate in the list of Virtual Hub trusted CA certificates. \nIf the certificate of the connected VPN Server cannot be trusted under the condition where the option to verify server certificates was enabled for the Cascade Connection, the connection will be promptly cancelled and continual reattempts at connection will be made. \nYou cannot execute this command for Virtual Hubs of VPN Servers operating as a cluster. 
@@ -6539,6 +6556,20 @@ CMD_AccountRetryOnServerCertDisable_Args AccountRetryOnServerCertDisable [name] CMD_AccountRetryOnServerCertDisable_[name] Specify the name of the VPN Connection Setting whose setting you want to change. +# AccountDefaultCAEnable command +CMD_AccountDefaultCAEnable Enable Trust System Certificate Store Option +CMD_AccountDefaultCAEnable_Help When server certificate verification is enabled, use this to enable trusting certificates from the system trust store. \nIf server certificate verification is disabled, this option does nothing. +CMD_AccountDefaultCAEnable_Args AccountDefaultCAEnable [name] +CMD_AccountDefaultCAEnable_[name] Specify the name of the VPN Connection Setting whose setting you want to change. + + +# AccountDefaultCADisable command +CMD_AccountDefaultCADisable Disable Trust System Certificate Store Option +CMD_AccountDefaultCADisable_Help When server certificate verification is enabled, use this to disable trusting certificates from the system trust store. \nIf server certificate verification is disabled, this option does nothing. +CMD_AccountDefaultCADisable_Args AccountDefaultCADisable [name] +CMD_AccountDefaultCADisable_[name] Specify the name of the VPN Connection Setting whose setting you want to change. + + # AccountServerCertSet command CMD_AccountServerCertSet Set Server Individual Certificate for VPN Connection Setting CMD_AccountServerCertSet_Help When a VPN Connection Setting registered on the VPN Client is specified and that VPN Connection Setting connects to a VPN Server, use this to register the same certificate as the SSL certificate provided by the destination VPN Server. \nIf the option to verify server certificates for VPN Connection Settings is enabled, you must either use this command to save the connection destination server SSL certificate beforehand in the VPN Connection Setting settings beforehand, or use the CAAdd command etc. 
to register a root certificate containing the signed server SSL certificate in the list of Virtual Hub trusted CA certificates. \nIf the certificate of the connected VPN Server cannot be trusted under the condition where the option to verify server certificates has been enabled for the VPN Connection Setting, the connection will be promptly cancelled and continual reattempts at connection will be made. diff --git a/src/bin/hamcore/strtable_ru.stb b/src/bin/hamcore/strtable_ru.stb index b3ac6ecc..52aff0c3 100644 --- a/src/bin/hamcore/strtable_ru.stb +++ b/src/bin/hamcore/strtable_ru.stb @@ -212,6 +212,8 @@ ERR_145 Unacceptable operation. Use the VPN Gate Utility to modify the conne ERR_146 The VPN Gate Service is running inside the VPN Client program. You cannot stop the VPN Gate Service on this screen. Use the VPN Client Manager to enable or disable the VPN Gate Service. ERR_147 This feature is not supported. It hasn't been implemented yet on the open-source version of SoftEther VPN. ERR_148 The VPN connection was disconnected because the system is being suspended. +ERR_149 The destination VPN Server's certificate does not match the specified hostname. + # Concerning licenses LICENSE_INFO_URL https://selinks.org/?new_license @@ -2322,6 +2324,7 @@ R_SOCKS5 Connect via &SOCKS5 Proxy Server B_PROXY_CONFIG P&roxy Server Setting STATIC11 Server Certificate Veri&fication Option: R_CHECK_CERT Always Verify Server &Certificate +R_TRUST_DEFAULT Trust System Certificate Store B_TRUST Manage Trusted CA &Certificate List B_SERVER_CERT &Specify Individual Cert B_VIEW_SERVER_CERT Show Indi&vidual Cert 
@@ -4395,6 +4398,7 @@ CMD_ACCOUNT_COLUMN_PROXY_PORT Proxy Server Port Number CMD_ACCOUNT_COLUMN_PROXY_USERNAME Proxy Server User Name CMD_ACCOUNT_COLUMN_SERVER_CERT_USE Verify Server Certificate CMD_ACCOUNT_COLUMN_SERVER_CERT_NAME Registered Server Individual Certificate +CMD_ACCOUNT_COLUMN_ADD_DEFAULT_CA Trust System Certificate Store CMD_ACCOUNT_COLUMN_DEVICE_NAME Device Name Used for Connection CMD_ACCOUNT_COLUMN_AUTH_TYPE Authentication Type CMD_ACCOUNT_COLUMN_AUTH_USERNAME User Name 
@@ -5497,6 +5501,20 @@ CMD_CascadeServerCertDisable_Args CascadeServerCertDisable [name] CMD_CascadeServerCertDisable_[name] Specify the name of the Cascade Connection whose setting you want to change. +# CascadeDefaultCAEnable command +CMD_CascadeDefaultCAEnable Enable Trust System Certificate Store Option +CMD_CascadeDefaultCAEnable_Help When server certificate verification is enabled, use this to enable trusting certificates from the system trust store. \nIf server certificate verification is disabled, this option does nothing. +CMD_CascadeDefaultCAEnable_Args CascadeDefaultCAEnable [name] +CMD_CascadeDefaultCAEnable_[name] Specify the name of the Cascade Connection whose setting you want to change. + + +# CascadeDefaultCADisable command +CMD_CascadeDefaultCADisable Disable Trust System Certificate Store Option +CMD_CascadeDefaultCADisable_Help When server certificate verification is enabled, use this to disable trusting certificates from the system trust store. \nIf server certificate verification is disabled, this option does nothing. +CMD_CascadeDefaultCADisable_Args CascadeDefaultCADisable [name] +CMD_CascadeDefaultCADisable_[name] Specify the name of the Cascade Connection whose setting you want to change. + + # CascadeServerCertSet command CMD_CascadeServerCertSet Set the Server Individual Certificate for Cascade Connection CMD_CascadeServerCertSet_Help When a Cascade Connection registered on the currently managed Virtual Hub is specified and that Cascade Connection connects to a VPN Server, use this to register beforehand the same certificate as the SSL certificate provided by the destination VPN Server. \nIf the option to verify server certificates for Cascade Connections is enabled, you must either use this command to save the connection destination server SSL certificate beforehand in the Cascade Connection Settings beforehand, or use the CAAdd command etc. 
to register a root certificate containing the signed server SSL certificate in the list of Virtual Hub trusted CA certificates. \nIf the certificate of the connected VPN Server cannot be trusted under the condition where the option to verify server certificates was enabled for the Cascade Connection, the connection will be promptly cancelled and continual reattempts at connection will be made. \nYou cannot execute this command for Virtual Hubs of VPN Servers operating as a cluster. 
@@ -6790,6 +6808,20 @@ CMD_AccountServerCertDisable_Args AccountServerCertDisable [name] CMD_AccountServerCertDisable_[name] Specify the name of the VPN Connection Setting whose setting you want to change. +# AccountDefaultCAEnable command +CMD_AccountDefaultCAEnable Enable Trust System Certificate Store Option +CMD_AccountDefaultCAEnable_Help When server certificate verification is enabled, use this to enable trusting certificates from the system trust store. \nIf server certificate verification is disabled, this option does nothing. +CMD_AccountDefaultCAEnable_Args AccountDefaultCAEnable [name] +CMD_AccountDefaultCAEnable_[name] Specify the name of the VPN Connection Setting whose setting you want to change. + + +# AccountDefaultCADisable command +CMD_AccountDefaultCADisable Disable Trust System Certificate Store Option +CMD_AccountDefaultCADisable_Help When server certificate verification is enabled, use this to disable trusting certificates from the system trust store. \nIf server certificate verification is disabled, this option does nothing. +CMD_AccountDefaultCADisable_Args AccountDefaultCADisable [name] +CMD_AccountDefaultCADisable_[name] Specify the name of the VPN Connection Setting whose setting you want to change. + + # AccountServerCertSet command CMD_AccountServerCertSet Set Server Individual Certificate for VPN Connection Setting CMD_AccountServerCertSet_Help When a VPN Connection Setting registered on the VPN Client is specified and that VPN Connection Setting connects to a VPN Server, use this to register the same certificate as the SSL certificate provided by the destination VPN Server. \nIf the option to verify server certificates for VPN Connection Settings is enabled, you must either use this command to save the connection destination server SSL certificate beforehand in the VPN Connection Setting settings beforehand, or use the CAAdd command etc. 
to register a root certificate containing the signed server SSL certificate in the list of Virtual Hub trusted CA certificates. \nIf the certificate of the connected VPN Server cannot be trusted under the condition where the option to verify server certificates has been enabled for the VPN Connection Setting, the connection will be promptly cancelled and continual reattempts at connection will be made. diff --git a/src/bin/hamcore/strtable_tw.stb b/src/bin/hamcore/strtable_tw.stb index d4e767ed..1ca3a5bc 100644 --- a/src/bin/hamcore/strtable_tw.stb +++ b/src/bin/hamcore/strtable_tw.stb @@ -218,6 +218,7 @@ ERR_145 不可接受的操作。使用 VPN Gate 實用工具修改 VPN Gate ERR_146 VPN Gate 服務運行在 VPN 用戶端程式內。在此螢幕上,你不能停止 VPN Gate 服務。使用 VPN 用戶端管理器來啟用或禁用 VPN Gate 服務。 ERR_147 不支援此功能。它尚未在 SoftEther VPN 的開源版本上實施。 ERR_148 VPN 連接被中斷,因為該系統被暫停。 +ERR_149 目標 VPN Server 的證書與指定的主機名稱不匹配。 #關於許可證 @@ -2342,6 +2343,7 @@ R_SOCKS5 通過 SOCKS5 代理伺服器連接(&S) B_PROXY_CONFIG 代理伺服器設置(&R) STATIC11 服務端證書驗證選項(&F): R_CHECK_CERT 總是驗證服務端證書(&C) +R_TRUST_DEFAULT 信任系統憑證存放區 B_TRUST 管理可信發證機關證書列表(&C) B_SERVER_CERT 指定特定證書(&S) B_VIEW_SERVER_CERT 查看特定證書(&V) @@ -4411,7 +4413,8 @@ CMD_ACCOUNT_COLUMN_PROXY_PORT 代理伺服器的埠號 CMD_ACCOUNT_COLUMN_PROXY_USERNAME 代理伺服器的用戶名 CMD_ACCOUNT_COLUMN_SERVER_CERT_USE 驗證伺服器憑證 CMD_ACCOUNT_COLUMN_SERVER_CERT_NAME 註冊的伺服器個人證書 -CMD_ACCOUNT_COLUMN_RETRY_ON_SERVER_CERT Retry on Untrusted Server Certificate +CMD_ACCOUNT_COLUMN_RETRY_ON_SERVER_CERT 遇到不信任的證書時重試 +CMD_ACCOUNT_COLUMN_ADD_DEFAULT_CA 信任系統憑證存放區 CMD_ACCOUNT_COLUMN_DEVICE_NAME 用於連接的設備名 CMD_ACCOUNT_COLUMN_AUTH_TYPE 驗證類型 CMD_ACCOUNT_COLUMN_AUTH_USERNAME 用戶名 @@ -4426,7 +4429,7 @@ CMD_ACCOUNT_COLUMN_BRIDGE_ROUTER 通過橋接器 / 路由模式連接 CMD_ACCOUNT_COLUMN_MONITOR 通過監測模式連接 CMD_ACCOUNT_COLUMN_NO_TRACKING 不要調整路由表 CMD_ACCOUNT_COLUMN_QOS_DISABLE 不要使用 QoS 控制功能 -CMD_ACCOUNT_COLUMN_DISABLEUDP Disable UDP Acceleration +CMD_ACCOUNT_COLUMN_DISABLEUDP 禁用 UDP 加速功能 # Debugging Information Collecting Tool 
@@ -5514,6 +5517,20 @@ CMD_CascadeServerCertDisable_Args CascadeServerCertDisable [name] CMD_CascadeServerCertDisable_[name] 指定級聯名稱來改變設置。 +# CascadeDefaultCAEnable 命令 +CMD_CascadeDefaultCAEnable 啟用信任系統憑證存放區選項 +CMD_CascadeDefaultCAEnable_Help 當啟用服務器憑證驗證時,使用此選項來啟用信任系統憑證存放區的證書。\n如果禁用服務器憑證驗證,則此選項不執行任何操作。 +CMD_CascadeDefaultCAEnable_Args CascadeDefaultCAEnable [name] +CMD_CascadeDefaultCAEnable_[name] 指定級聯名稱來改變設置。 + + +# CascadeDefaultCADisable 命令 +CMD_CascadeDefaultCADisable 禁用信任系統憑證存放區選項 +CMD_CascadeDefaultCADisable_Help 當啟用服務器憑證驗證時,使用此選項來禁用信任系統憑證存放區的證書。\n如果禁用服務器憑證驗證,則此選項不執行任何操作。 +CMD_CascadeDefaultCADisable_Args CascadeDefaultCADisable [name] +CMD_CascadeDefaultCADisable_[name] 指定級聯名稱來改變設置。 + + # CascadeServerCertSet 命令 CMD_CascadeServerCertSet 設置級聯連接的伺服器特定證書 CMD_CascadeServerCertSet_Help 指定已經在當前虛擬 HUB 註冊的級聯連接,當此連接和 VPN Server 之間通信時,事先將連接方提供的 SSL 證書註冊。\n如果啟用此選項,需要將在目標伺服器的證書事先通過指令設置到級聯的連接設置中,或者在虛擬 HUB 的可信任證書清單中,運行 CAAdd 指令,將有伺服器的 SSL 證書署名的路線證書添加進去。\n當啟用伺服器憑證驗證選項時,如果 VPN Server 提供的證書不可信,連接將斷開,並重試。\n此命令在集群虛擬 HUB 中不能運行。 
@@ -6819,6 +6836,20 @@ CMD_AccountRetryOnServerCertDisable_Args AccountRetryOnServerCertDisable [name] CMD_AccountRetryOnServerCertDisable_[name] Specify the name of the VPN Connection Setting whose setting you want to change. +# AccountDefaultCAEnable 命令 +CMD_AccountDefaultCAEnable 啟用信任系統憑證存放區選項 +CMD_AccountDefaultCAEnable_Help 當啟用服務器憑證驗證時,使用此選項來啟用信任系統憑證存放區的證書。\n如果禁用服務器憑證驗證,則此選項不執行任何操作。 +CMD_AccountDefaultCAEnable_Args AccountDefaultCAEnable [name] +CMD_AccountDefaultCAEnable_[name] 指定要更改設置的連接設置名。 + + +# AccountDefaultCADisable 命令 +CMD_AccountDefaultCADisable 禁用信任系統憑證存放區選項 +CMD_AccountDefaultCADisable_Help 當啟用服務器憑證驗證時,使用此選項來禁用信任系統憑證存放區的證書。\n如果禁用服務器憑證驗證,則此選項不執行任何操作。 +CMD_AccountDefaultCADisable_Args AccountDefaultCADisable [name] +CMD_AccountDefaultCADisable_[name] 指定要更改設置的連接設置名。 + + # AccountServerCertSet 命令 CMD_AccountServerCertSet 設置連接設置的伺服器固有證明書 CMD_AccountServerCertSet_Help 指定註冊到 VPN Client 的連接設置,其連接設置連接到 VPN Server 時,預先註冊與連接目標的 VPN Server 提交的 SSL 證書相同的證書。\n如果啟動了連接設置的伺服器憑證驗證選項,可以預先將連接目標伺服器的 SSL 證書以此指令保存在連接設置的設置內,或需要將伺服器的 SSL 證書簽名了的根證書,以 CAAdd 指令註冊到虛擬 HUB 信任的證明機構的證書列表中。\n驗證連接設置的伺服器憑證的選項處於啟動狀態,連接了的 VPN Server 的證書不可信時,立即解除連接,反復重試。 From 0a4455ac40214182f4e9a9be1ab0ccefa79f2aec Mon Sep 17 00:00:00 2001 
From: Yihong Wu <54519668+domosekai@users.noreply.github.com>
Date: Sun, 26 Dec 2021 12:31:53 +0800
Subject: [PATCH 7/7] Add more TLS negotiation info in logging and UI
---
 src/Cedar/AzureClient.c | 15 ++++++++++-
 src/Cedar/CM.c | 6 ++++-
 src/Cedar/Cedar.h | 3 +++
 src/Cedar/Client.c | 3 +++
 src/Cedar/Command.c | 6 ++++-
 src/Cedar/Connection.c | 15 +++++++++--
 src/Cedar/Connection.h | 1 +
 src/Cedar/Protocol.c | 26 +++++++++++++++++++
 src/Mayaqua/Network.c | 40 ++++++++++++++++++++++++++++++
 src/bin/hamcore/strtable_cn.stb | 10 +++++++-
 src/bin/hamcore/strtable_en.stb | 10 +++++++-
 src/bin/hamcore/strtable_ja.stb | 10 +++++++-
 src/bin/hamcore/strtable_ko.stb | 10 +++++++-
 src/bin/hamcore/strtable_pt_br.stb | 10 +++++++-
 src/bin/hamcore/strtable_ru.stb | 10 +++++++-
 src/bin/hamcore/strtable_tw.stb | 10 +++++++-
 16 files changed, 173 insertions(+), 12 deletions(-)
diff --git a/src/Cedar/AzureClient.c b/src/Cedar/AzureClient.c
index 67d8b7bd..2b06c7cd 100644
--- a/src/Cedar/AzureClient.c
+++ b/src/Cedar/AzureClient.c
@@ -9,6 +9,7 @@
 #include "Cedar.h"
 #include "Command.h"
+#include "Logging.h"
 #include "Wpc.h"
 #include "Mayaqua/Encrypt.h"
@@ -19,6 +20,7 @@
 #include "Mayaqua/Object.h"
 #include "Mayaqua/Pack.h"
 #include "Mayaqua/Str.h"
+#include "Mayaqua/Table.h"
 #include "Mayaqua/Tick64.h"
 #include
@@ -80,6 +82,9 @@ void AcWaitForRequest(AZURE_CLIENT *ac, SOCK *s, AZURE_PARAM *param)
 {
 SOCK *ns;
 Debug("Connect Request from %r:%u\n", &client_ip, client_port);
+ char ipstr[128];
+ IPToStr(ipstr, sizeof(ipstr), &client_ip);
+ SLog(ac->Cedar, "LS_AZURE_START", ipstr, client_port);
 // Create new socket and connect VPN Azure Server
 if (ac->DDnsStatusCopy.InternetSetting.ProxyType == PROXY_DIRECT)
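Review bot: `char ipstr[128];` in the `@@ -80` hunk is declared after the `Debug(...)` statement, while the surrounding block declares first (`SOCK *ns;` at its top); the same mid-block placement of `UINT ssl_err = 0;` appears in the `@@ -103` hunk of this file and in ConnectionAccept in Connection.c. The buffer size is also a bare literal where the next hunk of the same function uses `MAX_SIZE` (`char server_cert_hash_str[MAX_SIZE]`); `char ipstr[MAX_SIZE];` declared next to `SOCK *ns;` would match the file. AcWaitForRequest continues outside the hunk.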
@@ -103,9 +108,10 @@ void AcWaitForRequest(AZURE_CLIENT *ac, SOCK *s, AZURE_PARAM *param)
 SetTimeout(ns, param->DataTimeout);
+ UINT ssl_err = 0;
 Copy(&ns->SslAcceptSettings, &ac->Cedar->SslAcceptSettings, sizeof(SSL_ACCEPT_SETTINGS));
- if (StartSSLEx(ns, NULL, NULL, 0, NULL))
+ if (StartSSLEx3(ns, NULL, NULL, NULL, 0, NULL, NULL, &ssl_err))
 {
 // Check certification
 char server_cert_hash_str[MAX_SIZE];
@@ -159,6 +165,13 @@ void AcWaitForRequest(AZURE_CLIENT *ac, SOCK *s, AZURE_PARAM *param)
 }
 }
 }
+ else
+ {
+ if (ssl_err != 0)
+ {
+ SLog(ac->Cedar, "LS_AZURE_SSL_ERROR", GetUniErrorStr(ssl_err), ssl_err);
+ }
+ }
 ReleaseSock(ns);
 }
diff --git a/src/Cedar/CM.c b/src/Cedar/CM.c
index 71b4c433..5f74a107 100644
--- a/src/Cedar/CM.c
+++ b/src/Cedar/CM.c
@@ -9576,7 +9576,11 @@ void CmPrintStatusToListViewEx(LVB *b, RPC_CLIENT_GET_CONNECTION_STATUS *s, bool
 }
 else
 {
- if (StrLen(s->CipherName) != 0)
+ if (StrLen(s->CipherName) != 0 && StrLen(s->ProtocolName) != 0)
+ {
+ UniFormat(tmp, sizeof(tmp), _UU("CM_ST_USE_ENCRYPT_TRUE3"), s->ProtocolName, s->CipherName);
+ }
+ else if (StrLen(s->CipherName) != 0)
 {
 UniFormat(tmp, sizeof(tmp), _UU("CM_ST_USE_ENCRYPT_TRUE"), s->CipherName);
 }
diff --git a/src/Cedar/Cedar.h b/src/Cedar/Cedar.h
index de9ce01d..2c9fafbf 100644
--- a/src/Cedar/Cedar.h
+++ b/src/Cedar/Cedar.h
@@ -870,6 +870,9 @@
 #define ERR_NOT_SUPPORTED_FUNCTION_ON_OPENSOURCE 147 // It is a feature that is not supported in the open source version
 #define ERR_SUSPENDING 148 // System is suspending
 #define ERR_HOSTNAME_MISMATCH 149 // SSL hostname mismatch
+#define ERR_SSL_PROTOCOL_VERSION 150 // SSL version not supported
+#define ERR_SSL_SHARED_CIPHER 151 // Can't find common cipher
+#define ERR_SSL_HANDSHAKE 152 // Other SSL handshake error
 ////////////////////////////
diff --git a/src/Cedar/Client.c b/src/Cedar/Client.c
index 2f0c7cc4..9f2cabab 100644
--- a/src/Cedar/Client.c
+++ b/src/Cedar/Client.c
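Review bot: The new `else` branch in the `@@ -159` hunk logs only when `ssl_err` is non-zero, so a handshake that StartSSLEx3 does not classify (its Network.c loops set `*ssl_err` only for `ERR_LIB_SSL` entries) leaves no trace in the server log; the `if (ssl_err != 0)` guard in ConnectionAccept in Connection.c has the same gap, and failed handshakes are exactly the events an operator wants to see when diagnosing a client that cannot connect. Falling back to the generic code before logging keeps the event visible: `if (ssl_err == 0) { ssl_err = ERR_SSL_HANDSHAKE; }` followed by the existing `SLog(ac->Cedar, "LS_AZURE_SSL_ERROR", GetUniErrorStr(ssl_err), ssl_err);` without the guard. If StartSSLEx3 can also fail before attempting a handshake, the ERR_152 text would be slightly inaccurate for that case, but silence is the worse outcome. AcWaitForRequest starts outside the hunk.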
@@ -4836,6 +4836,7 @@ void InRpcClientGetConnectionStatus(RPC_CLIENT_GET_CONNECTION_STATUS *s, PACK *p
 PackGetStr(p, "ServerName", s->ServerName, sizeof(s->ServerName));
 PackGetStr(p, "ServerProductName", s->ServerProductName, sizeof(s->ServerProductName));
+ PackGetStr(p, "ProtocolVersion", s->ProtocolName, sizeof(s->ProtocolName));
 PackGetStr(p, "CipherName", s->CipherName, sizeof(s->CipherName));
 PackGetStr(p, "SessionName", s->SessionName, sizeof(s->SessionName));
 PackGetStr(p, "ConnectionName", s->ConnectionName, sizeof(s->ConnectionName));
@@ -4911,6 +4912,7 @@ void OutRpcClientGetConnectionStatus(PACK *p, RPC_CLIENT_GET_CONNECTION_STATUS *
 PackAddStr(p, "ServerName", c->ServerName);
 PackAddStr(p, "ServerProductName", c->ServerProductName);
+ PackAddStr(p, "ProtocolVersion", c->ProtocolName);
 PackAddStr(p, "CipherName", c->CipherName);
 PackAddStr(p, "SessionName", c->SessionName);
 PackAddStr(p, "ConnectionName", c->ConnectionName);
@@ -5864,6 +5866,7 @@ void CiGetSessionStatus(RPC_CLIENT_GET_CONNECTION_STATUS *st, SESSION *s)
 if (st->UseEncrypt)
 {
 StrCpy(st->CipherName, sizeof(st->CipherName), s->Connection->CipherName);
+ StrCpy(st->ProtocolName, sizeof(st->ProtocolName), s->Connection->SslVersion);
 }
 // Use of compression
 st->UseCompress = s->UseCompress;
diff --git a/src/Cedar/Command.c b/src/Cedar/Command.c
index ece3ba01..8969ee7b 100644
--- a/src/Cedar/Command.c
+++ b/src/Cedar/Command.c
@@ -15534,7 +15534,11 @@ void CmdPrintStatusToListViewEx(CT *ct, RPC_CLIENT_GET_CONNECTION_STATUS *s, boo
 }
 else
 {
- if (StrLen(s->CipherName) != 0)
+ if (StrLen(s->CipherName) != 0 && StrLen(s->ProtocolName) != 0)
+ {
+ UniFormat(tmp, sizeof(tmp), _UU("CM_ST_USE_ENCRYPT_TRUE3"), s->ProtocolName, s->CipherName);
+ }
+ else if (StrLen(s->CipherName) != 0)
 {
 UniFormat(tmp, sizeof(tmp), _UU("CM_ST_USE_ENCRYPT_TRUE"), s->CipherName);
 }
diff --git a/src/Cedar/Connection.c b/src/Cedar/Connection.c
index 99522447..488c7e73 100644
--- a/src/Cedar/Connection.c
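Review bot: In the `@@ -5864` hunk `s->Connection->SslVersion` can be NULL — the Protocol.c hunks of this patch reset the field to NULL and re-populate it only conditionally — so the new `StrCpy(st->ProtocolName, ...)` is safe only if StrCpy tolerates a NULL source, which is presumably what the CipherName line above it already relies on. If that is not guaranteed, wrap the copy in `if (s->Connection->SslVersion != NULL)`; either way a short comment such as `// SslVersion may still be NULL for a connection that has not finished the handshake` would make the dependency explicit. CiGetSessionStatus starts and ends outside the hunk.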
+++ b/src/Cedar/Connection.c
@@ -28,6 +28,7 @@
 #include "Mayaqua/Object.h"
 #include "Mayaqua/Pack.h"
 #include "Mayaqua/Str.h"
+#include "Mayaqua/Table.h"
 #include "Mayaqua/Tick64.h"
 #include
@@ -3047,11 +3048,16 @@ void ConnectionAccept(CONNECTION *c)
 // Start the SSL communication
 Copy(&s->SslAcceptSettings, &c->Cedar->SslAcceptSettings, sizeof(SSL_ACCEPT_SETTINGS));
- if (StartSSLEx2(s, x, k, chain, 0, NULL) == false)
+ UINT ssl_err = 0;
+ if (StartSSLEx3(s, x, k, chain, 0, NULL, NULL, &ssl_err) == false)
 {
 // Failed
 AddNoSsl(c->Cedar, &s->RemoteIP);
 Debug("ConnectionAccept(): StartSSL() failed\n");
+ if (ssl_err != 0)
+ {
+ SLog(c->Cedar, "LS_SSL_START_ERROR", c->Name, GetUniErrorStr(ssl_err), ssl_err);
+ }
 FreeX(x);
 FreeK(k);
 FreeXList(chain);
@@ -3063,7 +3069,7 @@ void ConnectionAccept(CONNECTION *c)
 FreeK(k);
 FreeXList(chain);
- SLog(c->Cedar, "LS_SSL_START", c->Name, s->CipherName);
+ SLog(c->Cedar, "LS_SSL_START", c->Name, s->SslVersion, s->CipherName);
 Copy(c->CToken_Hash, ctoken_hash, SHA1_SIZE);
@@ -3399,6 +3405,11 @@ void CleanupConnection(CONNECTION *c)
 Free(c->CipherName);
 }
+ if (c->SslVersion != NULL)
+ {
+ Free(c->SslVersion);
+ }
+
 Free(c);
 }
diff --git a/src/Cedar/Connection.h b/src/Cedar/Connection.h
index b7eff0a6..16c44f4b 100644
--- a/src/Cedar/Connection.h
+++ b/src/Cedar/Connection.h
@@ -223,6 +223,7 @@ struct CONNECTION
 X *ServerX; // Server certificate
 X *ClientX; // Client certificate
 char *CipherName; // Encryption algorithm name
+ char *SslVersion; // SSL protocol version
 UINT64 ConnectedTick; // Time it is connected
 IP ClientIp; // Client IP address
 char ClientHostname[MAX_HOST_NAME_LEN + 1]; // Client host name
diff --git a/src/Cedar/Protocol.c b/src/Cedar/Protocol.c
index 018ee2ef..d26419d5 100644
--- a/src/Cedar/Protocol.c
+++ b/src/Cedar/Protocol.c
@@ -1573,6 +1573,12 @@ bool ServerAccept(CONNECTION *c)
 c->CipherName = NULL;
+ if (c->SslVersion != NULL)
+ {
+ Free(c->SslVersion);
+ }
+ c->SslVersion = NULL;
+
 if (IsEmptyStr(tmp) == false)
 {
 c->CipherName = CopyStr(tmp);
@@ -1592,11 +1598,22 @@ bool ServerAccept(CONNECTION *c)
 }
 c->CipherName = NULL;
+ if (c->SslVersion != NULL)
+ {
+ Free(c->SslVersion);
+ }
+ c->SslVersion = NULL;
+
 if (c->FirstSock != NULL && IsEmptyStr(c->FirstSock->CipherName) == false)
 {
 c->CipherName = CopyStr(c->FirstSock->CipherName);
 }
+ if (c->FirstSock != NULL && IsEmptyStr(c->FirstSock->SslVersion) == false)
+ {
+ c->SslVersion = CopyStr(c->FirstSock->SslVersion);
+ }
+
 Format(radius_login_opt.In_VpnProtocolState, sizeof(radius_login_opt.In_VpnProtocolState), "L%u:%s", IPC_LAYER_2, "SEVPN");
 }
@@ -4975,6 +4992,13 @@ REDIRECTED:
 }
 c->CipherName = CopyStr(c->FirstSock->CipherName);
+
+ if (c->SslVersion != NULL)
+ {
+ Free(c->SslVersion);
+ }
+
+ c->SslVersion = CopyStr(c->FirstSock->SslVersion);
 }
 Unlock(c->lock);
@@ -6183,6 +6207,8 @@ SOCK *ClientConnectToServer(CONNECTION *c)
 return NULL;
 }
+ CLog(c->Cedar->Client, "LC_SSL_CONNECTED", c->Session->ClientOption->AccountName, s->SslVersion, s->CipherName);
+
 return s;
 }
diff --git a/src/Mayaqua/Network.c b/src/Mayaqua/Network.c
index 66ab3b8a..4a61e147 100644
--- a/src/Mayaqua/Network.c
+++ b/src/Mayaqua/Network.c
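Review bot: The free-then-reassign sequence for `c->SslVersion` is now written out three times in this file (the two ServerAccept hunks and the `REDIRECTED:` hunk), each next to an identical copy for `c->CipherName`, and the three copies already disagree: the `@@ -1592` hunk guards the copy with `IsEmptyStr`, while the `@@ -4992` hunk copies unconditionally. A small static helper keeps the NULL/empty handling in one place; the one below does what the ServerAccept hunks do, and the `REDIRECTED:` site would call it as `SetConnectionSslVersion(c, c->FirstSock->SslVersion);` (differing from the current line only in that an empty source leaves the field NULL rather than holding a copy of ""). The enclosing functions start and end outside the hunks.
```c
// Replace c->SslVersion with a copy of version; NULL or empty clears it.
static void SetConnectionSslVersion(CONNECTION *c, char *version)
{
	if (c->SslVersion != NULL)
	{
		Free(c->SslVersion);
	}
	c->SslVersion = NULL;

	if (version != NULL && IsEmptyStr(version) == false)
	{
		c->SslVersion = CopyStr(version);
	}
}
```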
@@ -11875,6 +11875,27 @@ bool StartSSLEx3(SOCK *sock, X *x, K *priv, LIST *chain, UINT ssl_timeout, char
 // SSL-Accept failure
 Lock(openssl_lock);
 {
+ unsigned long err;
+ while (err = ERR_get_error())
+ {
+ Debug("SSL_accept error %X: %s\n", err, ERR_reason_error_string(err));
+ if (ERR_GET_LIB(err) == ERR_LIB_SSL)
+ {
+ switch (ERR_GET_REASON(err))
+ {
+ case SSL_R_UNSUPPORTED_PROTOCOL:
+ case SSL_R_VERSION_TOO_LOW:
+ case SSL_R_VERSION_TOO_HIGH:
+ *ssl_err = 150; // ERR_SSL_PROTOCOL_VERSION
+ break;
+ case SSL_R_NO_SHARED_CIPHER:
+ *ssl_err = 151; // ERR_SSL_SHARED_CIPHER
+ break;
+ default:
+ *ssl_err = 152; // ERR_SSL_HANDSHAKE
+ }
+ }
+ }
 SSL_free(sock->ssl);
 sock->ssl = NULL;
 }
@@ -11918,6 +11939,25 @@ bool StartSSLEx3(SOCK *sock, X *x, K *priv, LIST *chain, UINT ssl_timeout, char
 // SSL-connect failure
 Lock(openssl_lock);
 {
+ unsigned long err;
+ while (err = ERR_get_error())
+ {
+ Debug("SSL_connect error %X: %s\n", err, ERR_reason_error_string(err));
+ if (ERR_GET_LIB(err) == ERR_LIB_SSL)
+ {
+ switch (ERR_GET_REASON(err))
+ {
+ case SSL_R_UNSUPPORTED_PROTOCOL:
+ case SSL_R_VERSION_TOO_LOW:
+ case SSL_R_VERSION_TOO_HIGH:
+ case SSL_R_TLSV1_ALERT_PROTOCOL_VERSION:
+ *ssl_err = 150; // ERR_SSL_PROTOCOL_VERSION
+ break;
+ default:
+ *ssl_err = 152; // ERR_SSL_HANDSHAKE
+ }
+ }
+ }
 SSL_free(sock->ssl);
 sock->ssl = NULL;
 }
diff --git a/src/bin/hamcore/strtable_cn.stb b/src/bin/hamcore/strtable_cn.stb
index 2e6f5f12..9f6a1c6f 100644
--- a/src/bin/hamcore/strtable_cn.stb
+++ b/src/bin/hamcore/strtable_cn.stb
@@ -215,6 +215,9 @@ ERR_146 VPN Gate 服务运行在 VPN 客户端程序内。在此屏幕上
 ERR_147 不支持此功能。它尚未在 SoftEther VPN 的开源版本上实施。
 ERR_148 VPN 连接被中断,因为该系统被暂停。
 ERR_149 目标 VPN Server 的证书与指定的主机名不匹配。
+ERR_150 找不到连接双方都支持的 TLS 版本。这通常意味着一方可能正在使用已被另一方禁用的过时的 TLS 版本。
+ERR_151 找不到连接双方都支持的加密算法,或者指定的算法与服务器证书不兼容。
+ERR_152 TLS 握手失败。
 #关于许可证
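Review bot: In both new loops every queued `ERR_LIB_SSL` entry overwrites `*ssl_err`, so when OpenSSL has queued a specific reason (`SSL_R_NO_SHARED_CIPHER`, a version mismatch) followed by a generic one, the `default` branch downgrades it to 152 and the caller logs the less useful code; making the fallback non-sticky, `default: if (*ssl_err == 0) { *ssl_err = 152; }`, keeps the first specific reason while still draining the queue. `*ssl_err` is written without a NULL check, which is fine for the two callers in this patch but not if the older StartSSLEx/StartSSLEx2 wrappers forward a NULL here — worth a guard or a comment on the parameter. `err` is `unsigned long`, so `%X` in the Debug calls should be `%lX` if Debug forwards to a printf-style formatter, and `while ((err = ERR_get_error()) != 0)` makes the assignment-in-condition explicit. The literals 150/151/152 duplicate the ERR_SSL_* values added to Cedar.h in this patch; if Mayaqua must not include Cedar headers, a comment saying so next to them would explain why the macros are not used. If the error queue is not cleared before SSL_accept/SSL_connect (outside the hunk), a stale entry from an earlier OpenSSL call on this thread would be misclassified as belonging to this handshake.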
@@ -843,6 +846,7 @@ CM_ST_NO_VLAN - CM_ST_USE_ENCRYPT 加密 CM_ST_USE_ENCRYPT_TRUE 已启用 (算法: %S) CM_ST_USE_ENCRYPT_TRUE2 已启用 +CM_ST_USE_ENCRYPT_TRUE3 已启用 (%S 算法: %S) CM_ST_USE_ENCRYPT_FALSE 已禁用 (不加密) CM_ST_USE_COMPRESS 使用压缩 CM_ST_UDP_ACCEL_ENABLED 支持 UDP 加速 @@ -1781,8 +1785,9 @@ LS_HUB_STOP 虚拟 HUB "%S" 已关闭。 LS_HUB_MAC 虚拟 HUB "%S" 的 MAC 地址是 "%S"。 LS_NODE_INFO_TAG 客户端产品名:"%S",客户端版本:%u,客户端构建号:%u,服务端产品名:"%S",服务端版本:%u,服务端构建号:%u,客户端操作系统名:"%S",客户端操作系统版本:"%S",客户端产品 ID:"%S",客户端主机名:"%S",客户端 IP 地址:"%S",客户端端口号:%u,服务端主机名:"%S",服务端 IP 地址:"%S",服务端端口号:%u,代理主机名:"%S",代理 IP 地址:"%S",代理端口号:%u,虚拟 HUB 名:"%S",客户端唯一 ID: "%S" LS_CONNECTION_START_1 客户端 (IP 地址:%S,主机名:"%S",端口号:%u) 的连接 "%S" 已建立。 +LS_SSL_START_ERROR 无法启动连接 "%S" 的 SSL 通信。错误: %s (代码 %u) LS_CONNECTION_END_1 连接 "%S" 已结束。 -LS_SSL_START 连接 "%S" 的 SSL 通信已启动。加密算法名为 "%S"。 +LS_SSL_START 连接 "%S" 的 SSL 通信已启动。协议版本是 %S。加密算法名为 "%S"。 LS_CONNECTION_ERROR 连接 "%S"因原因 "%s" (代码 %u)已终止。 LS_FARMMEMBER_NOT_ADMIN 连接 "%S": 服务端是群集成员,但客户端在非管理员 (%S) 用户情况下,尝试直接与虚拟 HUB "%S" 连接。客户端用户名为 "%S"。访问被拒绝。 LS_HUB_NOT_FOUND 连接 "%S": 客户端正在尝试连接的虚拟 HUB "%S" 在服务端上不存在。 @@ -1810,6 +1815,8 @@ LS_LICENSE_VIOLATION_DETECTED 发现许可证违反错误,一个不同的 VPN LS_API_AUTH_OK HTTPS API client "%r:%u" (%S): Administration mode: "%S": The embedded HTTPS web server accepted the successful login. Username: "%S", Method: "%S", Path: "%S" LS_API_AUTH_ERROR HTTPS API client "%r:%u" (%S): The embedded HTTPS web server refused a login attempt. Username: "%S", Method: "%S", Path: "%S" LS_API_RPC_CALL HTTPS API client "%r:%u" (%S): The client called a JSON-API. Method: "%S", Returned error code: %u (0 = success), Returned error message: "%s" +LS_AZURE_START 收到来自客户端 (IP 地址:%S,端口号:%u) 的 VPN Azure 连接请求。 +LS_AZURE_SSL_ERROR 无法启动与 VPN Azure 中继服务器的 SSL 通信。错误: %s (代码 %u) # (Proto log) 
@@ -2105,6 +2112,7 @@ LC_DELETE_ACCOUNT 已删除 VPN 连接设置 "%s"。 LC_RENAME_ACCOUNT 已变更 VPN 连接设置名 "%s" 为 "%s"。 LC_CONNECT 已开始 VPN 连接设置 "%s" 的连接处理。 LC_CONNECT_1 VPN 连接设置 "%s": 第 %u 次连接操作开始。 +LC_SSL_CONNECTED VPN 连接设置 "%s": SSL 通信已启动。协议版本是 %S。加密算法名为 "%S"。 LC_CONNECT_2 VPN 连接设置 "%s": 连接完成。会话名: "%S"。 LC_CONNECT_ERROR VPN 连接设置 "%s": 连接断开或连接失败。原因: %s (代码 %u) LC_DISCONNECT VPN 连接设置 "%s" 断开中。 diff --git a/src/bin/hamcore/strtable_en.stb b/src/bin/hamcore/strtable_en.stb index 943cb4c3..72558e7d 100644 --- a/src/bin/hamcore/strtable_en.stb +++ b/src/bin/hamcore/strtable_en.stb @@ -213,6 +213,9 @@ ERR_146 The VPN Gate Service is running inside the VPN Client program. You c ERR_147 This feature is not supported. It hasn't been implemented yet on the open-source version of SoftEther VPN. ERR_148 The VPN connection was disconnected because the system is being suspended. ERR_149 The destination VPN Server's certificate does not match the specified hostname. +ERR_150 Failed to find the TLS version that is supported by both sides. This usually means that one side may be using an obsolete TLS version which is diabled by the other side. +ERR_151 Failed to find an available cipher that is supported by both sides, or the cipher specified is not compatible with the server certificate. +ERR_152 TLS handshake has failed. # Concerning licenses @@ -837,6 +840,7 @@ CM_ST_NO_VLAN - CM_ST_USE_ENCRYPT Encryption CM_ST_USE_ENCRYPT_TRUE Enabled (Algorithm: %S) CM_ST_USE_ENCRYPT_TRUE2 Enabled +CM_ST_USE_ENCRYPT_TRUE3 Enabled (%S Algorithm: %S) CM_ST_USE_ENCRYPT_FALSE Disabled (No Encryption) CM_ST_USE_COMPRESS Use of Compression CM_ST_UDP_ACCEL_ENABLED UDP Acceleration is Supported 
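Review bot: `ERR_150` in the strtable_en.stb hunk reads "diabled" for "disabled", and the same text is copied verbatim into strtable_pt_br.stb (its `@@ -232` hunk further down), so both need the fix: `ERR_150 Failed to find the TLS version that is supported by both sides. This usually means that one side may be using an obsolete TLS version which is disabled by the other side.` This string is user-facing error text, so the typo will show up in logs and UI until corrected.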
@@ -1766,8 +1770,9 @@ LS_HUB_STOP Virtual Hub "%S" has been stopped. LS_HUB_MAC The MAC address of Virtual Hub "%S" is "%S". LS_NODE_INFO_TAG Client product name: "%S", Client version: %u, Client build number: %u, Server product name: "%S", Server version: %u, Server build number: %u, Client OS name: "%S", Client OS version: "%S", Client product ID: "%S", Client host name: "%S", Client IP address: "%S", Client port number: %u, Server host name: "%S", Server IP address: "%S", Server port number: %u, Proxy host name: "%S", Proxy IP address: "%S", Proxy port number: %u, Virtual Hub name: "%S", Client unique ID: "%S" LS_CONNECTION_START_1 For the client (IP address: %S, host name: "%S", port number: %u), connection "%S" has been created. +LS_SSL_START_ERROR Failed to start SSL communication for connection "%S". Error: %s (code %u) LS_CONNECTION_END_1 Connection "%S" has been terminated. -LS_SSL_START SSL communication for connection "%S" has been started. The encryption algorithm name is "%S". +LS_SSL_START SSL communication for connection "%S" has been started. The protocol version is %S. The encryption algorithm name is "%S". LS_CONNECTION_ERROR Connection "%S" terminated by the cause "%s" (code %u). LS_FARMMEMBER_NOT_ADMIN Connection "%S": Although the server is a cluster member, the client attempted that to directly connect to the Virtual Hub "%S" while not being administrator user "%S". The user name provided by the client is "%S". Access is refused. LS_HUB_NOT_FOUND Connection "%S": Virtual Hub "%S" that the client is trying to connect to does not exist on the server. 
@@ -1795,6 +1800,8 @@ LS_LICENSE_VIOLATION_DETECTED A license violation has been detected. A different LS_API_AUTH_OK HTTPS API client "%r:%u" (%S): Administration mode: "%S": The embedded HTTPS web server accepted the successful login. Username: "%S", Method: "%S", Path: "%S" LS_API_AUTH_ERROR HTTPS API client "%r:%u" (%S): The embedded HTTPS web server refused a login attempt. Username: "%S", Method: "%S", Path: "%S" LS_API_RPC_CALL HTTPS API client "%r:%u" (%S): The client called a JSON-API. Method: "%S", Returned error code: %u (0 = success), Returned error message: "%s" +LS_AZURE_START Received VPN Azure connection request from the client (IP address: %S, port number: %u). +LS_AZURE_SSL_ERROR Failed to start SSL communication with VPN Azure relay server. Error: %s (code %u) # (Proto log) @@ -2088,6 +2095,7 @@ LC_DELETE_ACCOUNT The VPN Connection Setting "%s" has been deleted. LC_RENAME_ACCOUNT The name of VPN Connection Setting "%s" has been changed to "%s". LC_CONNECT Connection processing for VPN Connection Setting "%s" has started. LC_CONNECT_1 VPN Connection Setting "%s": Connection operation starting (this is now %u times). +LC_SSL_CONNECTED VPN Connection Setting "%s": SSL communication has been started. The protocol version is %S. The encryption algorithm name is "%S". LC_CONNECT_2 VPN Connection Setting "%s": Now connected. Session name: "%S" LC_CONNECT_ERROR VPN Connection Setting "%s": The connection has been either disconnected or it failed. Cause: %s (code %u) LC_DISCONNECT Disconnecting the VPN Connection Setting "%s". diff --git a/src/bin/hamcore/strtable_ja.stb b/src/bin/hamcore/strtable_ja.stb index 943e4b7c..85572c68 100644 --- a/src/bin/hamcore/strtable_ja.stb +++ b/src/bin/hamcore/strtable_ja.stb 
@@ -215,6 +215,9 @@ ERR_146 VPN Gate サービスが VPN Client 内で動作している場合 ERR_147 この機能はオープンソース版 SoftEther VPN にはまだ実装されていません。 ERR_148 Windows システムがサスペンド状態に移行中のため、VPN 通信が切断されました。 ERR_149 接続先サーバーの提示した証明書が指定したホスト名と一致しません。 +ERR_150 両側でサポートされている TLS バージョンが見つかりませんでした。どちらかが相手側で無効になっている古い TLS バージョンを使用している可能性があります。 +ERR_151 両側でサポートされている暗号化アルゴリズムが見つからなかったか、指定されたアルゴリズムがサーバー証明書と互換性がありません。 +ERR_152 TLS ハンドシェイクが失敗しました。 # ライセンス関係 @@ -839,6 +842,7 @@ CM_ST_NO_VLAN - CM_ST_USE_ENCRYPT 暗号化の使用 CM_ST_USE_ENCRYPT_TRUE はい (暗号化アルゴリズム: %S) CM_ST_USE_ENCRYPT_TRUE2 はい +CM_ST_USE_ENCRYPT_TRUE3 はい (%S 暗号化アルゴリズム: %S) CM_ST_USE_ENCRYPT_FALSE いいえ (暗号化なし) CM_ST_USE_COMPRESS 圧縮の使用 CM_ST_UDP_ACCEL_ENABLED UDP 高速化機能をサポート @@ -1769,8 +1773,9 @@ LS_HUB_STOP 仮想 HUB "%S" を停止しました。 LS_HUB_MAC 仮想 HUB "%S" の MAC アドレスは "%S" です。 LS_NODE_INFO_TAG クライアント製品名 "%S", クライアントバージョン %u, クライアントビルド番号 %u, サーバー製品名 "%S", サーバーバージョン %u, サーバービルド番号 %u, クライアント OS 名 "%S", クライアント OS バージョン "%S", クライアントプロダクト ID "%S", クライアントホスト名 "%S", クライアント IP アドレス "%S", クライアントポート番号 %u, サーバーホスト名 "%S", サーバー IP アドレス "%S", サーバーポート番号 %u, プロキシホスト名 "%S", プロキシ IP アドレス "%S", プロキシポート番号 %u, 仮想 HUB 名 "%S", クライアントユニーク ID "%S" LS_CONNECTION_START_1 クライアント (IP アドレス %S, ホスト名 "%S", ポート番号 %u) に対応するコネクション "%S" が作成されました。 +LS_SSL_START_ERROR コネクション "%S" に対する SSL 通信を開始できませんでした。エラー: %s (コード %u) LS_CONNECTION_END_1 コネクション "%S" が終了しました。 -LS_SSL_START コネクション "%S" に対する SSL 通信が開始されました。暗号化アルゴリズム名は "%S" です。 +LS_SSL_START コネクション "%S" に対する SSL 通信が開始されました。プロトコルバージョンは %S です。暗号化アルゴリズム名は "%S" です。 LS_CONNECTION_ERROR コネクション "%S" は理由 "%s" (コード %u) で終了しました。 LS_FARMMEMBER_NOT_ADMIN コネクション "%S": サーバーはクラスタメンバですが、クライアントは仮想 HUB "%S" に管理者ユーザー "%S" 以外で直接接続しようと試みました。クライアントが提示したユーザー名は "%S" です。アクセスは許可されません。 LS_HUB_NOT_FOUND コネクション "%S": クライアントが接続しようとした仮想 HUB "%S" はサーバー上に存在しません。 
@@ -1798,6 +1803,8 @@ LS_LICENSE_VIOLATION_DETECTED ライセンス違反を検出しました。別 LS_API_AUTH_OK HTTPS API クライアント "%r:%u" (%S): 管理モード: "%S" で組み込み HTTPS Web サーバーを用いてログインに成功しました。使用されたユーザー名: "%S", メソッド: "%S", パス: "%S" LS_API_AUTH_ERROR HTTPS API クライアント "%r:%u" (%S): 組み込み HTTPS Web サーバーを用いてログインに失敗しました。使用されたユーザー名: "%S", メソッド: "%S", パス: "%S" LS_API_RPC_CALL HTTPS API クライアント "%r:%u" (%S): JSON-API を呼び出しました。メソッド名: "%S", 結果エラーコード: %u (0 = 成功), 結果エラーメッセージ: "%s" +LS_AZURE_START クライアント (IP アドレス %S, ポート番号 %u) から VPN Azure 接続要求を受信しました。 +LS_AZURE_SSL_ERROR VPN Azure リレーサーバーとの SSL 通信を開始できませんでした。エラー: %s (コード %u) # (Proto ログ) @@ -2091,6 +2098,7 @@ LC_DELETE_ACCOUNT 接続設定 "%s" を削除しました。 LC_RENAME_ACCOUNT 接続設定 "%s" の名前を "%s" に変更しました。 LC_CONNECT 接続設定 "%s" への接続処理を開始しました。 LC_CONNECT_1 接続設定 "%s": %u 回目の接続動作を開始します。 +LC_SSL_CONNECTED 接続設定 "%s": SSL 通信が開始されました。プロトコルバージョンは %S です。暗号化アルゴリズム名は "%S" です。 LC_CONNECT_2 接続設定 "%s": 接続が完了しました。セッション名: "%S" LC_CONNECT_ERROR 接続設定 "%s": 接続が切断されたか、接続に失敗しました。理由: %s (コード %u) LC_DISCONNECT 接続設定 "%s" を切断します。 diff --git a/src/bin/hamcore/strtable_ko.stb b/src/bin/hamcore/strtable_ko.stb index 5278e838..d4e60185 100644 --- a/src/bin/hamcore/strtable_ko.stb +++ b/src/bin/hamcore/strtable_ko.stb @@ -219,6 +219,9 @@ ERR_146 VPN Gate 서비스가 VPN Client에서 실행중인 경우이 설정 화 ERR_147 이 기능은 오픈 소스 버전 SoftEther VPN은 아직 구현되어 있지 않습니다. ERR_148 Windows 시스템이 대기 상태로 전환 중이기 때문에 VPN 통신이 끊어졌습니다. ERR_149 대상 VPN 서버의 인증서가 지정된 호스트 이름과 일치하지 않습니다. +ERR_150 양쪽에서 지원되는 TLS 버전을 찾을 수 없습니다. 한 쪽은 다른 쪽에서 비활성화된 이전 TLS 버전을 사용하고 있을 수 있습니다. +ERR_151 양쪽에서 지원하는 사용 가능한 암호 알고리즘을 찾지 못했거나 지정된 알고리즘이 서버 인증서와 호환되지 않습니다. +ERR_152 TLS 핸드셰이크가 실패했습니다. # 라이센스 관계 @@ -840,6 +843,7 @@ CM_ST_NO_VLAN - CM_ST_USE_ENCRYPT 암호화 사용 CM_ST_USE_ENCRYPT_TRUE 예 (암호화 알고리즘:%S) CM_ST_USE_ENCRYPT_TRUE2 잔 +CM_ST_USE_ENCRYPT_TRUE3 예 (%S 암호화 알고리즘:%S) CM_ST_USE_ENCRYPT_FALSE 아니오 (암호화 없음) CM_ST_USE_COMPRESS 압축 사용 CM_ST_UDP_ACCEL_ENABLED UDP 가속화 기능을 지원 
@@ -1750,8 +1754,9 @@ LS_HUB_STOP 가상 HUB "%S"를 중지했습니다. LS_HUB_MAC 가상 HUB "%S"의 MAC 주소는 "%S"입니다. LS_NODE_INFO_TAG 클라이언트 제품 이름 "%S"클라이언트 버전 %u 클라이언트 빌드 번호 %u 서버 제품 이름 "%S"서버 버전 %u 서버 빌드 번호 %u 클라이언트 OS 이름 "%S"클라이언트 OS 버전 "%S"클라이언트 제품 ID "%S"클라이언트 호스트 이름 "%S"클라이언트 IP 주소 "%S"클라이언트 포트 번호 %u 서버 호스트 이름 "%S"서버 IP 주소 "%S" 서버 포트 번호 %u 프록시 호스트 이름 "%S"프록시 IP 주소 "%S"프록시 포트 번호 %u 가상 HUB 이름 "%S"클라이언트 고유 ID "%S" LS_CONNECTION_START_1 클라이언트 (IP 주소 %S 호스트 이름 "%S"포트 번호 %u)에 대응하는 연결 "%S"가 작성되었습니다. +LS_SSL_START_ERROR 연결 "%S"에 대한 SSL 통신을 시작하지 못했습니다. 오류:%s (코드 %u) LS_CONNECTION_END_1 연결 "%S"가 종료되었습니다. -LS_SSL_START 연결 "%S"에 대한 SSL 통신이 시작되었습니다. 암호화 알고리즘 명은 "%S"입니다. +LS_SSL_START 연결 "%S"에 대한 SSL 통신이 시작되었습니다. 프로토콜 버전은 %S입니다. 암호화 알고리즘 명은 "%S"입니다. LS_CONNECTION_ERROR 연결 "%S"는 이유로 "%s"(코드 %u)로 종료되었습니다. LS_FARMMEMBER_NOT_ADMIN 연결 "%S": 서버는 클러스터 멤버이지만, 클라이언트는 가상 HUB "%S"관리자 사용자 "%S"이외로 직접 연결하려고 시도했습니다. 클라이언트가 제공 한 사용자 이름은 "%S"입니다. 액세스는 허용되지 않습니다. LS_HUB_NOT_FOUND 연결 "%S": 클라이언트가 연결을 시도하는 가상 HUB "%S"는 서버에 존재하지 않습니다. @@ -1779,6 +1784,8 @@ LS_LICENSE_VIOLATION_DETECTED 라이센스 위반을 감지했습니다. 다른 LS_API_AUTH_OK HTTPS API client "%r:%u" (%S): Administration mode: "%S": The embedded HTTPS web server accepted the successful login. Username: "%S", Method: "%S", Path: "%S" LS_API_AUTH_ERROR HTTPS API client "%r:%u" (%S): The embedded HTTPS web server refused a login attempt. Username: "%S", Method: "%S", Path: "%S" LS_API_RPC_CALL HTTPS API client "%r:%u" (%S): The client called a JSON-API. Method: "%S", Returned error code: %u (0 = success), Returned error message: "%s" +LS_AZURE_START 클라이언트 (IP 주소 %S 포트 번호 %u)에서 VPN Azure 연결 요청을 받았습니다. +LS_AZURE_SSL_ERROR VPN Azure 릴레이 서버와 SSL 통신을 시작하지 못했습니다. 오류:%s (코드 %u) # (Proto 로그) 
@@ -2069,6 +2076,7 @@ LC_DELETE_ACCOUNT 연결 설정 "%s"를 삭제했습니다. LC_RENAME_ACCOUNT 연결 설정 "%s"의 이름을 "%s"로 변경했습니다. LC_CONNECT 연결 설정 "%s"연결 처리를 시작했습니다. LC_CONNECT_1 연결 설정 "%s": %u 번째 연결 동작을 시작합니다. +LC_SSL_CONNECTED 연결 설정 "%s": SSL 통신이 시작되었습니다. 프로토콜 버전은 %S입니다. 암호화 알고리즘 명은 "%S"입니다. LC_CONNECT_2 연결 설정 "%s": 연결이 완료되었습니다. 세션 이름:"%S" LC_CONNECT_ERROR 연결 설정 "%s": 연결이 끊어 졌는지 연결에 실패했습니다. 이유:%s (코드 %u) LC_DISCONNECT 연결 설정 "%s"를 끊습니다. diff --git a/src/bin/hamcore/strtable_pt_br.stb b/src/bin/hamcore/strtable_pt_br.stb index 593d296b..12263eac 100644 --- a/src/bin/hamcore/strtable_pt_br.stb +++ b/src/bin/hamcore/strtable_pt_br.stb @@ -232,6 +232,9 @@ ERR_146 The VPN Gate Service is running inside the VPN Client program. You canno ERR_147 This feature is not supported. It hasn't been implemented yet on the open-source version of SoftEther VPN. ERR_148 The VPN connection was disconnected because the system is being suspended. ERR_149 The destination VPN Server's certificate does not match the specified hostname. +ERR_150 Failed to find the TLS version that is supported by both sides. This usually means that one side may be using an obsolete TLS version which is diabled by the other side. +ERR_151 Failed to find an available cipher that is supported by both sides, or the cipher specified is not compatible with the server certificate. +ERR_152 TLS handshake has failed. # Concerning licenses @@ -857,6 +860,7 @@ CM_ST_NO_VLAN - CM_ST_USE_ENCRYPT Criptografia CM_ST_USE_ENCRYPT_TRUE Enabled (Algorithm: %S) CM_ST_USE_ENCRYPT_TRUE2 Ativado +CM_ST_USE_ENCRYPT_TRUE3 Enabled (%S Algorithm: %S) CM_ST_USE_ENCRYPT_FALSE Disabled (No Encryption) CM_ST_USE_COMPRESS Use of Compression CM_ST_UDP_ACCEL_ENABLED UDP Acceleration is Supported 
@@ -1766,8 +1770,9 @@ LS_HUB_STOP Virtual Hub "%S" has been stopped.
 LS_HUB_MAC The MAC address of Virtual Hub "%S" is "%S".
 LS_NODE_INFO_TAG Client product name: "%S", Client version: %u, Client build number: %u, Server product name: "%S", Server version: %u, Server build number: %u, Client OS name: "%S", Client OS version: "%S", Client product ID: "%S", Client host name: "%S", Client IP address: "%S", Client port number: %u, Server host name: "%S", Server IP address: "%S", Server port number: %u, Proxy host name: "%S", Proxy IP address: "%S", Proxy port number: %u, Virtual Hub name: "%S", Client unique ID: "%S"
 LS_CONNECTION_START_1 For the client (IP address: %S, host name: "%S", port number: %u), connection "%S" has been created.
+LS_SSL_START_ERROR Failed to start SSL communication for connection "%S". Error: %s (code %u)
 LS_CONNECTION_END_1 Connection "%S" has been terminated.
-LS_SSL_START SSL communication for connection "%S" has been started. The encryption algorithm name is "%S".
+LS_SSL_START SSL communication for connection "%S" has been started. The protocol version is %S. The encryption algorithm name is "%S".
 LS_CONNECTION_ERROR Connection "%S" terminated by the cause "%s" (code %u).
 LS_FARMMEMBER_NOT_ADMIN Connection "%S": Although the server is a cluster member, the client attempted that to directly connect to the Virtual Hub "%S" while not being administrator user "%S". The user name provided by the client is "%S". Access is refused.
 LS_HUB_NOT_FOUND Connection "%S": Virtual Hub "%S" that the client is trying to connect to does not exist on the server.
@@ -1795,6 +1800,8 @@ LS_LICENSE_VIOLATION_DETECTED A license violation has been detected. A different
 LS_API_AUTH_OK HTTPS API client "%r:%u" (%S): Administration mode: "%S": The embedded HTTPS web server accepted the successful login. Username: "%S", Method: "%S", Path: "%S"
 LS_API_AUTH_ERROR HTTPS API client "%r:%u" (%S): The embedded HTTPS web server refused a login attempt. Username: "%S", Method: "%S", Path: "%S"
 LS_API_RPC_CALL HTTPS API client "%r:%u" (%S): The client called a JSON-API. Method: "%S", Returned error code: %u (0 = success), Returned error message: "%s"
+LS_AZURE_START Received VPN Azure connection request from the client (IP address: %S, port number: %u).
+LS_AZURE_SSL_ERROR Failed to start SSL communication with VPN Azure relay server. Error: %s (code %u)
 
 # (Proto log)
 
@@ -2089,6 +2096,7 @@ LC_DELETE_ACCOUNT The VPN Connection Setting "%s" has been deleted.
 LC_RENAME_ACCOUNT The name of VPN Connection Setting "%s" has been changed to "%s".
 LC_CONNECT Connection processing for VPN Connection Setting "%s" has started.
 LC_CONNECT_1 VPN Connection Setting "%s": Connection operation starting (this is now %u times).
+LC_SSL_CONNECTED VPN Connection Setting "%s": SSL communication has been started. The protocol version is %S. The encryption algorithm name is "%S".
 LC_CONNECT_2 VPN Connection Setting "%s": Now connected. Session name: "%S"
 LC_CONNECT_ERROR VPN Connection Setting "%s": The connection has been either disconnected or it failed. Cause: %s (code %u)
 LC_DISCONNECT Disconnecting the VPN Connection Setting "%s".
diff --git a/src/bin/hamcore/strtable_ru.stb b/src/bin/hamcore/strtable_ru.stb
index 52aff0c3..6b15bbec 100644
--- a/src/bin/hamcore/strtable_ru.stb
+++ b/src/bin/hamcore/strtable_ru.stb
@@ -213,6 +213,9 @@ ERR_146 The VPN Gate Service is running inside the VPN Client program. You c
 ERR_147 This feature is not supported. It hasn't been implemented yet on the open-source version of SoftEther VPN.
 ERR_148 The VPN connection was disconnected because the system is being suspended.
 ERR_149 The destination VPN Server's certificate does not match the specified hostname.
+ERR_150 Failed to find the TLS version that is supported by both sides. This usually means that one side may be using an obsolete TLS version which is diabled by the other side.
+ERR_151 Failed to find an available cipher that is supported by both sides, or the cipher specified is not compatible with the server certificate.
+ERR_152 TLS handshake has failed.
 
 # Concerning licenses
 
@@ -837,6 +840,7 @@ CM_ST_NO_VLAN -
 CM_ST_USE_ENCRYPT Encryption
 CM_ST_USE_ENCRYPT_TRUE Enabled (Algorithm: %S)
 CM_ST_USE_ENCRYPT_TRUE2 Enabled
+CM_ST_USE_ENCRYPT_TRUE3 Enabled (%S Algorithm: %S)
 CM_ST_USE_ENCRYPT_FALSE Disabled (No Encryption)
 CM_ST_USE_COMPRESS Use of Compression
 CM_ST_UDP_ACCEL_ENABLED UDP Acceleration is Supported
@@ -1766,8 +1770,9 @@ LS_HUB_STOP Virtual Hub "%S" has been stopped.
 LS_HUB_MAC The MAC address of Virtual Hub "%S" is "%S".
 LS_NODE_INFO_TAG Client product name: "%S", Client version: %u, Client build number: %u, Server product name: "%S", Server version: %u, Server build number: %u, Client OS name: "%S", Client OS version: "%S", Client product ID: "%S", Client host name: "%S", Client IP address: "%S", Client port number: %u, Server host name: "%S", Server IP address: "%S", Server port number: %u, Proxy host name: "%S", Proxy IP address: "%S", Proxy port number: %u, Virtual Hub name: "%S", Client unique ID: "%S"
 LS_CONNECTION_START_1 For the client (IP address: %S, host name: "%S", port number: %u), connection "%S" has been created.
+LS_SSL_START_ERROR Failed to start SSL communication for connection "%S". Error: %s (code %u)
 LS_CONNECTION_END_1 Connection "%S" has been terminated.
-LS_SSL_START SSL communication for connection "%S" has been started. The encryption algorithm name is "%S".
+LS_SSL_START SSL communication for connection "%S" has been started. The protocol version is %S. The encryption algorithm name is "%S".
 LS_CONNECTION_ERROR Connection "%S" terminated by the cause "%s" (code %u).
 LS_FARMMEMBER_NOT_ADMIN Connection "%S": Although the server is a cluster member, the client attempted that to directly connect to the Virtual Hub "%S" while not being administrator user "%S". The user name provided by the client is "%S". Access is refused.
 LS_HUB_NOT_FOUND Connection "%S": Virtual Hub "%S" that the client is trying to connect to does not exist on the server.
@@ -1795,6 +1800,8 @@ LS_LICENSE_VIOLATION_DETECTED A license violation has been detected. A different
 LS_API_AUTH_OK HTTPS API client "%r:%u" (%S): Administration mode: "%S": The embedded HTTPS web server accepted the successful login. Username: "%S", Method: "%S", Path: "%S"
 LS_API_AUTH_ERROR HTTPS API client "%r:%u" (%S): The embedded HTTPS web server refused a login attempt. Username: "%S", Method: "%S", Path: "%S"
 LS_API_RPC_CALL HTTPS API client "%r:%u" (%S): The client called a JSON-API. Method: "%S", Returned error code: %u (0 = success), Returned error message: "%s"
+LS_AZURE_START Received VPN Azure connection request from the client (IP address: %S, port number: %u).
+LS_AZURE_SSL_ERROR Failed to start SSL communication with VPN Azure relay server. Error: %s (code %u)
 
 # (Proto log)
 
@@ -2088,6 +2095,7 @@ LC_DELETE_ACCOUNT The VPN Connection Setting "%s" has been deleted.
 LC_RENAME_ACCOUNT The name of VPN Connection Setting "%s" has been changed to "%s".
 LC_CONNECT Connection processing for VPN Connection Setting "%s" has started.
 LC_CONNECT_1 VPN Connection Setting "%s": Connection operation starting (this is now %u times).
+LC_SSL_CONNECTED VPN Connection Setting "%s": SSL communication has been started. The protocol version is %S. The encryption algorithm name is "%S".
 LC_CONNECT_2 VPN Connection Setting "%s": Now connected. Session name: "%S"
 LC_CONNECT_ERROR VPN Connection Setting "%s": The connection has been either disconnected or it failed. Cause: %s (code %u)
 LC_DISCONNECT Disconnecting the VPN Connection Setting "%s".
diff --git a/src/bin/hamcore/strtable_tw.stb b/src/bin/hamcore/strtable_tw.stb
index 1ca3a5bc..260a97ba 100644
--- a/src/bin/hamcore/strtable_tw.stb
+++ b/src/bin/hamcore/strtable_tw.stb
@@ -219,6 +219,9 @@ ERR_146 VPN Gate 服務運行在 VPN 用戶端程式內。在此螢幕上,
 ERR_147 不支援此功能。它尚未在 SoftEther VPN 的開源版本上實施。
 ERR_148 VPN 連接被中斷,因為該系統被暫停。
 ERR_149 目標 VPN Server 的證書與指定的主機名稱不匹配。
+ERR_150 找不到連接雙方都支持的 TLS 版本。這通常意味著一方可能正在使用已被另一方禁用的過時的 TLS 版本。
+ERR_151 找不到連接雙方都支持的加密演算法,或者指定的演算法與伺服器憑證不相容。
+ERR_152 TLS 握手失敗。
 
 #關於許可證
 
@@ -846,6 +849,7 @@ CM_ST_NO_VLAN -
 CM_ST_USE_ENCRYPT 加密
 CM_ST_USE_ENCRYPT_TRUE 已啟用 (演算法: %S)
 CM_ST_USE_ENCRYPT_TRUE2 已啟用
+CM_ST_USE_ENCRYPT_TRUE3 已啟用 (%S 演算法: %S)
 CM_ST_USE_ENCRYPT_FALSE 已禁用 (不加密)
 CM_ST_USE_COMPRESS 使用壓縮
 CM_ST_UDP_ACCEL_ENABLED 支援 UDP 加速
@@ -1784,8 +1788,9 @@ LS_HUB_STOP 虛擬 HUB "%S" 已關閉。
 LS_HUB_MAC 虛擬 HUB "%S" 的 MAC 位址是 "%S"。
 LS_NODE_INFO_TAG 用戶端產品名:"%S",用戶端版本:%u,用戶端構建號:%u,服務端產品名:"%S",服務端版本:%u,服務端構建號:%u,用戶端作業系統名:"%S",用戶端作業系統版本:"%S",用戶端產品 ID:"%S",用戶端主機名稱:"%S",用戶端 IP 地址:"%S",用戶端埠號:%u,服務端主機名稱:"%S",服務端 IP 位址:"%S",服務端埠號:%u,代理主機名稱:"%S",代理 IP 位址:"%S",代理埠號:%u,虛擬 HUB 名:"%S",用戶端唯一 ID: "%S"
 LS_CONNECTION_START_1 用戶端 (IP 地址:%S,主機名稱:"%S",埠號:%u) 的連接 "%S" 已建立。
+LS_SSL_START_ERROR 無法啟動連接 "%S" 的 SSL 通信。錯誤: %s (代碼 %u)
 LS_CONNECTION_END_1 連接 "%S" 已結束。
-LS_SSL_START 連接 "%S" 的 SSL 通信已啟動。加密演算法名為 "%S"。
+LS_SSL_START 連接 "%S" 的 SSL 通信已啟動。協議版本是 %S。加密演算法名為 "%S"。
 LS_CONNECTION_ERROR 連接 "%S"因原因 "%s" (代碼 %u)已終止。
 LS_FARMMEMBER_NOT_ADMIN 連接 "%S": 服務端是群集成員,但用戶端在非管理員 (%S) 使用者情況下,嘗試直接與虛擬 HUB "%S" 連接。用戶端用戶名為 "%S"。訪問被拒絕。
 LS_HUB_NOT_FOUND 連接 "%S": 客戶端正在嘗試連接的虛擬 HUB "%S" 在服務端上不存在。
@@ -1813,6 +1818,8 @@ LS_LICENSE_VIOLATION_DETECTED 發現許可證違反錯誤,一個不同的 VPN
 LS_API_AUTH_OK HTTPS API client "%r:%u" (%S): Administration mode: "%S": The embedded HTTPS web server accepted the successful login. Username: "%S", Method: "%S", Path: "%S"
 LS_API_AUTH_ERROR HTTPS API client "%r:%u" (%S): The embedded HTTPS web server refused a login attempt. Username: "%S", Method: "%S", Path: "%S"
 LS_API_RPC_CALL HTTPS API client "%r:%u" (%S): The client called a JSON-API. Method: "%S", Returned error code: %u (0 = success), Returned error message: "%s"
+LS_AZURE_START 收到來自客戶端 (IP 地址:%S,埠號:%u) 的 VPN Azure 連接請求。
+LS_AZURE_SSL_ERROR 無法啟動與 VPN Azure 中繼伺服器的 SSL 通信。錯誤: %s (代碼 %u)
 
 # (Proto 日誌)
 
@@ -2107,6 +2114,7 @@ LC_DELETE_ACCOUNT 已刪除 VPN 連接設置 "%s"。
 LC_RENAME_ACCOUNT 已變更 VPN 連接設置名 "%s" 為 "%s"。
 LC_CONNECT 已開始 VPN 連接設置 "%s" 的連接處理。
 LC_CONNECT_1 VPN 連接設置 "%s": 第 %u 次連接操作開始。
+LC_SSL_CONNECTED VPN 連接設置 "%s": SSL 通信已啟動。協議版本是 %S。加密演算法名為 "%S"。
 LC_CONNECT_2 VPN 連接設置 "%s": 連接完成。會話名: "%S"。
 LC_CONNECT_ERROR VPN 連接設置 "%s": 連接斷開或連接失敗。原因: %s (代碼 %u)
 LC_DISCONNECT VPN 連接設置 "%s" 斷開中。