1
0
mirror of https://github.com/SoftEtherVPN/SoftEtherVPN.git synced 2024-11-06 09:40:41 +03:00
Commit Graph

1048 Commits

Author SHA1 Message Date
Yihong Wu
fb004345b4 Cedar/Proto_PPP: Fix IPC DHCP renewal 2021-11-23 19:48:46 +08:00
Ilya Shipitsin
4d594e00f8 add "data-ciphers" to generated OpenVPN configs 2021-10-02 15:00:20 +05:00
Yihong Wu
2990b5ae93 Fix memory overrun in policy copy 2021-09-30 19:36:36 +08:00
Yihong Wu
462ebfb960 Fix policy dialog 2021-09-30 16:59:22 +08:00
Yihong Wu
582a739179 Fix auto refreshing of client manager 2021-09-28 20:15:41 +08:00
Yihong Wu
3a2d588722
Merge pull request #1483 from domosekai/ecc
Support ECDSA certificates on server side and show parameters in dialog
2021-09-25 20:58:18 +08:00
Yihong Wu
9c2a573cf2 Display key algorithm and parameters in cert dialog 2021-09-24 17:12:51 +08:00
Tetsuo Sugiyama
c9508b7fb7
Password change from client increments config file revision
Fixed an issue where changing the password from the client did not increment the revision of the server config file and the changes were not saved
2021-09-21 18:28:17 +09:00
Yihong Wu
2853337b81 Allow ECDSA certificates on server side 2021-09-20 08:18:36 +00:00
Yihong Wu
03859eb515
Merge pull request #1443 from domosekai/win32
Add IPv6 route management for Windows client
2021-09-18 22:12:27 +08:00
Yihong Wu
82af38c482 Cedar/Protocol.c: Fix connection to server clusters 2021-09-18 08:06:10 +00:00
Ilya Shipitsin
fc9286b11b enable Control-flow Enforcement Technology (CET) Shadow Stack mitigation
for Windows binaries

found by BinSkim
2021-08-27 12:43:42 +05:00
Ilya Shipitsin
5adeeb75ea Enable Control flow guard and Qspectre protection for windows binaries
found by BinSkim
2021-08-26 23:09:13 +05:00
Steve Muskiewicz
472dde05de apply permission fix suggested by @hornos (for #1457) 2021-08-19 08:14:50 -04:00
Ilya Shipitsin
fbdd6f1f3c
Merge pull request #1453 from SoftEtherVPN/dependabot/npm_and_yarn/src/bin/hamcore/wwwroot/admin/default/path-parse-1.0.7
Merge PR #1453: Bump path-parse from 1.0.6 to 1.0.7 in /src/bin/hamcore/wwwroot/admin/default
2021-08-16 11:32:13 +05:00
dependabot[bot]
2d00ab7dcc
Bump path-parse in /src/bin/hamcore/wwwroot/admin/default
Bumps [path-parse](https://github.com/jbgutierrez/path-parse) from 1.0.6 to 1.0.7.
- [Release notes](https://github.com/jbgutierrez/path-parse/releases)
- [Commits](https://github.com/jbgutierrez/path-parse/commits/v1.0.7)

---
updated-dependencies:
- dependency-name: path-parse
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
2021-08-11 02:56:38 +00:00
Davide Beatrici
7f8e527883 CMake: Fix BLAKE2 build failure with MSVC due to it not defining __SSE2__ 2021-08-10 22:58:28 +02:00
Davide Beatrici
ffc095f95a CMake: Add build time check for EVP_PKEY_get_raw_public_key() availability
We need the function since 9dbbfcd388, but unfortunately it's not provided by LibreSSL.

By introducing a build time check we inform the user about the issue explicitly instead of just letting compilation fail.
2021-08-08 19:29:32 +02:00
Rosen Penev
ee3bf7f507 fix compilation without OpenSSL engines
Signed-off-by: Rosen Penev <rosenp@gmail.com>
2021-08-07 20:05:04 -07:00
domosekai
9b3077d955 Store interface metric separately as it mau change 2021-08-02 16:18:37 +08:00
domosekai
dd9c3546f7 Prevent IPv6 leak if only IPv4 default route is added 2021-08-02 16:18:37 +08:00
domosekai
4ddf39e760 Remove obsolete Win32 functions 2021-08-02 16:18:37 +08:00
domosekai
ce0591d924 Add IPv6 route management for Windows client 2021-08-02 16:18:36 +08:00
Ilya Shipitcin
37b5644291 src/Cedar/SW.c: treat "0" build as legitimate
installers built for PR have "0" build. let us treat them as legitimate
2021-08-01 12:26:51 +05:00
domosekai
9182a9b4e9 Mayaqua/Network.c: Fix race condition in TUBE operation 2021-07-22 11:59:15 +00:00
domosekai
8b87c9d4ef Cedar/Proto_PPP.c: Fix memory leak in EAP-MSCHAPv2
Fixes: #1420 (Implement EAP-MSCHAPv2)
2021-07-21 11:16:35 +00:00
domosekai
2761c1ca42 Support user-specified server trust chain 2021-07-21 07:02:42 +00:00
domosekai
1bb01e55e5 Mayaqua/TcpIp.c: Fix building DHCP static routes in new format
Fixes: 1708998 (Change IP structure so that IPv4 addresses are stored in RFC3493 format)
2021-07-14 08:11:05 +00:00
Koichiro IWAO
fce3592917
hamcore(ja,tw,cn): translate "Authentication"
appeared in "OpenSSL Engine Authorization"
2021-07-13 18:44:42 +09:00
Koichiro IWAO
410b7a959d
Fix case of OpenSSL 2021-07-13 18:41:41 +09:00
Koichiro IWAO
1590e6afb3
Fix typo s/has beens/has been/g 2021-07-13 18:15:09 +09:00
domosekai
7863ce8a8e Cedar/IPC.c: Add hub release in NewIPC() 2021-07-12 08:37:12 +00:00
domosekai
a1dff0f594 Mayaqua/Network.c: Create UDP listener for every interface if ListenIP is wildcard 2021-07-11 16:15:29 +00:00
Ilya Shipitsin
7881f8657a
Merge pull request #1420 from domosekai/eap
Implement EAP-MSCHAPv2
2021-07-10 23:27:10 +05:00
domosekai
dfb105c2d7 Fix use-after-free timeout issue for L2TP and SSTP 2021-07-10 16:07:09 +00:00
domosekai
66dc5ee581 Cedar/Radius.c: Fix EAP Message buffer overflow 2021-07-10 08:15:03 +00:00
domosekai
56bd9733d6 Cedar/Proto_PPP.c: Use unified format for negative condition 2021-07-10 05:30:06 +00:00
domosekai
eff784b624 Improve EAP behavior with RADIUS 2021-07-10 05:29:23 +00:00
domosekai
22a9231c33 Implement EAP-MSCHAPv2 2021-07-08 14:26:31 +00:00
domosekai
41b9973c24 Mayaqua/Network.c: Fix L2TP/IPsec over IPv6 when listening on :: 2021-07-07 17:37:06 +00:00
Ilya Shipitsin
60db1962f9
Merge pull request #1416 from domosekai/listener
Fix TCP and UDP listener behavior
2021-07-07 16:08:05 +05:00
domosekai
6e400c19af Fix TCP and UDP listener behavior 2021-07-07 10:50:23 +00:00
Ilya Shipitsin
f2466eb919
Merge pull request #1415 from davidebeatrici/vpncmd-wireguard-keys
Cedar/Command: Add GenX25519 and GetPublicX25519 commands
2021-07-07 13:04:13 +05:00
Davide Beatrici
c310163244 Cedar/Command: Add GenX25519 and GetPublicX25519 commands
GenX25519 command - Create new X25519 keypair
Help for command "GenX25519"

Purpose:
  Create new X25519 keypair

Description:
  Use this to create a new X25519 keypair, which can be used for WireGuard.
  Both the private and public key will be shown.
  The public key can be shared and is used to identify a peer.
  Also, it can always be retrieved from the private key using the GetPublicX25519 command.
  The private key should be kept in a secure place and never be shared.
  It cannot be recovered once lost.

Usage:
  GenX25519

==========================================================================================

GetPublicX25519 command - Retrieve public X25519 key from a private one
Help for command "GetPublicX25519"

Purpose:
  Retrieve public X25519 key from a private one

Description:
  Use this if you have a private X25519 key and want to get its corresponding public key.

Usage:
  GetPublicX25519 [private]

Parameters:
  private - The private X25519 key you want to get the corresponding public key of.
2021-07-07 08:43:41 +02:00
Davide Beatrici
9dbbfcd388 Mayaqua: Add new cryptographic functions for X25519/X448 keys management
The files are created in a new folder to keep the source tree tidier.

Please note that only X25519/X448 keys are supported due to an OpenSSL limitation:
https://www.openssl.org/docs/manmaster/man3/EVP_PKEY_new.html

We have functions that handle AES keys in Encrypt.c/.h.
Ideally we should move them into the new files.
2021-07-07 08:11:08 +02:00
Davide Beatrici
4328e6e5ab CMake: Link Cedar to Mayaqua directly
It's Cedar itself that depends on Mayaqua, not the executables.
2021-07-07 08:08:12 +02:00
domosekai
4efed994dc Mayaqua/Network.c: Use int as boolean flags for socket options 2021-07-07 03:07:06 +00:00
Davide Beatrici
513ad6e792
Merge PR #1410: Mayaqua/DNS.c: Fix DNS resolution in dual stack environment 2021-07-05 20:23:09 +02:00
domosekai
bcba88ca73 Cedar/Protocol.c: Use real server IP in creating node info under direct mode 2021-07-05 12:17:57 +00:00
domosekai
883d4d4cd7 Mayaqua/DNS.c: Fix DNS resolution in dual stack environment 2021-07-05 11:10:03 +00:00
domosekai
f6adcd6bfc Cedar/Connection.c: Fix buffer overflow when inserting NAT-T information 2021-07-04 05:53:24 +00:00
Davide Beatrici
233e28f38c Refactor Base64 functions, encode/decode using OpenSSL's EVP interface
Our own implementation works fine, however we should use OpenSSL's one since we already link to the library.

Base64Decode() and Base64Encode() return the required buffer size when "dst" is NULL.

This allows to efficiently allocate a buffer, without wasting memory or risking an overflow.

Base64FromBin() and Base64ToBin() perform all steps, returning a heap-allocated buffer with the data in it.
2021-07-02 09:24:41 +02:00
Davide Beatrici
46ca5f7b98 Use "%S" instead of "%s" for LA_SET_PORTS_UDP and LA_SET_PROTO_OPTIONS
Turns out %S refers to ANSI/UTF-8 and %s to UTF-16.

This commit fixes a buffer overflow reported by AddressSanitizer and removes an unnecessary conversion to UTF-16.
2021-06-27 21:08:26 +02:00
Davide Beatrici
4221579e95 Remove obsolete hardcoded build number checks
The open-source project began with version 1.00, build 9022.

With the exception of an informative message fallback for builds older than 9428 (2014), all checks were for closed-source builds.
2021-06-27 07:21:06 +02:00
domosekai
65bcbc8db3 Mayaqua/Network.c: Fix EAP-TLS chain certificate verification 2021-06-21 14:41:22 +00:00
domosekai
682052e0dc Cedar/Proto_PPP: Fix EAP-TLS fragmentation 2021-06-17 11:34:09 +00:00
Koichiro IWAO
28c90b190c hamcore(ja): just adding a missing ":" 2021-06-11 12:51:06 +09:00
Koichiro IWAO
b4817fd27a hamdore(ja): translate OpenVPN timeout and ping transmission interval 2021-06-06 23:35:46 +09:00
Koichiro IWAO
89ca29f259 hamcore(ja): translate WireGuard log messages 2021-06-06 23:35:46 +09:00
Koichiro IWAO
7a208d6114 hamcore(ja): translate SetStaticNetwork command 2021-06-06 23:35:45 +09:00
Koichiro IWAO
5b910322a7 hamcore(ja): translate Wgk* commands 2021-06-06 23:35:45 +09:00
Davide Beatrici
2923b5500a Mayaqua/FileIO: Fix typo causing segmentation fault on Hamcore cache expiration 2021-05-26 20:46:21 +02:00
domosekai
8c12e79448 Cedar/Proto_PPP: Fix EAP identifier duplication 2021-05-26 09:26:22 +00:00
Davide Beatrici
81c71d309a Read hamcore.se2 using libhamcore, set arbitrary path through HAMCORE_FILE_PATH 2021-05-26 07:44:45 +02:00
Davide Beatrici
e0182ca3d9 src: Update "libhamcore" submodule 2021-05-26 04:18:08 +02:00
sl077
f9a1d72ce7 Fix IPv6 Neighbor Discovery for PPP based protocols 2021-05-09 13:55:31 +02:00
Davide Beatrici
2f801f30de Fix compile errors on OpenBSD
- <pthread.h> included for the "pthread_t" type definition.
- <net/ethernet.h> include removed as the header doesn't exist.
- AI_ALL and AI_V4MAPPED defined to 0 as the options don't exist.
2021-05-03 19:58:12 +02:00
dependabot[bot]
515d823ef8
Bump ssri from 6.0.1 to 6.0.2 in /src/bin/hamcore/wwwroot/admin/default
Bumps [ssri](https://github.com/npm/ssri) from 6.0.1 to 6.0.2.
- [Release notes](https://github.com/npm/ssri/releases)
- [Changelog](https://github.com/npm/ssri/blob/v6.0.2/CHANGELOG.md)
- [Commits](https://github.com/npm/ssri/compare/v6.0.1...v6.0.2)

Signed-off-by: dependabot[bot] <support@github.com>
2021-04-29 19:34:47 +00:00
domosekai
c20bcb2e60 Mayaqua/Network: Skip IPv6 nameservers for SecureNAT 2021-04-27 07:30:38 +00:00
Ilya Shipitsin
cf318d7219 src/Mayaqua/TcpIp.c: remove redundant condition
src/Mayaqua/TcpIp.c	4236	warn	V560 A part of conditional expression is always true: o2 == NULL.
2021-04-24 12:47:29 +05:00
Davide Beatrici
285e322171
Merge PR #1337: Cedar/IPC: Fix MAC address for IPv4 multicast 2021-04-24 04:01:58 +02:00
domosekai
cca769e2e6 Cedar/IPC: Fix MAC address for IPv4 multicast 2021-04-24 01:46:31 +00:00
Ilya Shipitsin
92f41341d9 src/Mayaqua/TcpIp.c: remove redundant check
src/Mayaqua/TcpIp.c	1811	warn	V560 A part of conditional expression is always false: udp->Checksum == 0.
2021-04-23 15:39:11 +05:00
Davide Beatrici
3a595b4a46 Mayaqua/DNS.c: Fix memory leaks
52 bytes in 2 blocks are definitely lost in loss record 5 of 13
   at 0x483877F: malloc (vg_replace_malloc.c:307)
   by 0x4ABB1BB: UnixMemoryAlloc (Unix.c:2033)
   by 0x4A7FABF: InternalMalloc (Memory.c:3819)
   by 0x4A7B769: MallocEx (Memory.c:3650)
   by 0x4A7B769: Malloc (Memory.c:3641)
   by 0x4AA71A9: CopyStr (Str.c:1884)
   by 0x4A61A9C: DnsCacheReverseUpdate (DNS.c:257)
   by 0x4A62123: DnsResolveReverse (DNS.c:506)
   by 0x4A93EB3: GetHostName (Network.c:15023)
   by 0x4A93EB3: AcceptInitEx (Network.c:12589)
   by 0x4934659: TCPAcceptedThread (Listener.c:172)
   by 0x4A76469: ThreadPoolProc (Kernel.c:872)
   by 0x4ABD159: UnixDefaultThreadProc (Unix.c:1589)
   by 0x51C2EA6: start_thread (pthread_create.c:477)

2,280 (684 direct, 1,596 indirect) bytes in 9 blocks are definitely lost in loss record 11 of 13
   at 0x483877F: malloc (vg_replace_malloc.c:307)
   by 0x4C65AC5: gaih_inet.constprop.0 (getaddrinfo.c:1058)
   by 0x4C67224: getaddrinfo (getaddrinfo.c:2256)
   by 0x4A61E06: DnsResolver (DNS.c:404)
   by 0x4A76469: ThreadPoolProc (Kernel.c:872)
   by 0x4ABD159: UnixDefaultThreadProc (Unix.c:1589)
   by 0x51C2EA6: start_thread (pthread_create.c:477)
   by 0x4C7CDEE: clone (clone.S:95)
2021-04-21 22:35:45 +02:00
Davide Beatrici
2aaf9012a0 Cedar/Proto_OpenVPN: Make timeout and ping transmission interval configurable
Also, the default timeout value is set to 30000 (milliseconds) instead of 10000.

The change is made because it was reported that some routers failed to connect in time.
2021-04-21 08:29:30 +02:00
Davide Beatrici
4b05de1a93 Cedar: Add support for 32 bit unsigned integer Proto options
This commit also fixes a bug which caused the server to initialize all boolean options to false.

It was caused by SiLoadProtoCfg() not checking whether the item exists in the configuration file.

CfgGetBool() always returns false if the item doesn't exist.
2021-04-21 08:12:45 +02:00
Davide Beatrici
0472f9c286 Rewrite DNS API from scratch into dedicated file(s)
From a functional point of view, the main improvement is that GetIP() now always prioritizes IPv6 over IPv4.
The previous implementation always returned an IPv4 address, unless not available: in such case it failed.
This means that now connections to hostnames should be established via IPv6 if available.

From a programmer point of view, getting rid of the insane wrappers is enough to justify a complete rewrite.

As an extra, several unrelated unused global variables are removed.
2021-04-18 01:46:59 +02:00
Davide Beatrici
d4d15b66d3 Cedar: Make use of IP address reported by NAT-T server for UDP acceleration
Before this commit, the IP address reported by the NAT-T server was immediately discarded.
That's because the peer should be accessible via the IP address used to establish the TCP connection.

User "domosekai" (https://www.domosekai.com) pointed out that the NAT-T IP address should be taken into account.
In his case it's required due to his broadband carrier's NAT causing TCP and UDP to have different external IPs.

Co-authored-by: domosekai <54519668+domosekai@users.noreply.github.com>
2021-04-14 19:49:30 +02:00
Davide Beatrici
1708998a11 Change IP structure so that IPv4 addresses are stored in RFC3493 format
In addition to saving 4 bytes for each instantiation, this change makes IP-related operations faster and clearer.

https://tools.ietf.org/html/rfc3493.html#section-3.7
2021-04-07 21:24:55 +02:00
Davide Beatrici
a6ba9b8788 Include headers properly 2021-04-05 04:48:25 +02:00
Ilya Shipitsin
46b54f00be
Merge pull request #1318 from davidebeatrici/minimum-version-windows-vista
Cedar, Mayaqua: Set minimum Windows version to Vista
2021-04-03 22:02:50 +05:00
Davide Beatrici
5cab279a8c Cedar, Mayaqua: Set minimum Windows version to Vista 2021-04-03 02:25:19 +02:00
Davide Beatrici
84588095d5 Mayaqua/Network.c: Always use fcntl() to toggle socket non-blocking mode (UNIX)
O_NONBLOCK is standardized by POSIX, as opposed to FIONBIO.

This commit also fixes a bug: fcntl() was only called to disable the mode.
2021-04-01 08:04:27 +02:00
dependabot[bot]
ed6013affc
Bump y18n from 4.0.0 to 4.0.1 in /src/bin/hamcore/wwwroot/admin/default
Bumps [y18n](https://github.com/yargs/y18n) from 4.0.0 to 4.0.1.
- [Release notes](https://github.com/yargs/y18n/releases)
- [Changelog](https://github.com/yargs/y18n/blob/master/CHANGELOG.md)
- [Commits](https://github.com/yargs/y18n/commits)

Signed-off-by: dependabot[bot] <support@github.com>
2021-03-30 18:00:59 +00:00
Davide Beatrici
4db6247b80 Merge Windows manifest files into a single one 2021-03-27 00:33:20 +01:00
domosekai
934e49fea0 Mayaqua/Network.c: Fix UDP send error when used with reverse proxy 2021-03-23 11:59:23 +00:00
David Refoua
808f081e3a
update install dependencies (libsodium) 2021-03-13 05:45:30 +03:30
Davide Beatrici
9d29d8813b New vpndrvinst implementation, independent from Cedar and Mayaqua
This greatly improves performance and reduces the binary's size (~0.2 MB vs ~5 MB).

All recent Windows versions are supported, starting with Vista.

No dialogs are created, aside from error/warning ones in case of failure.

The only dependency (aside from Windows libraries) is libhamcore.
2021-03-12 05:46:20 +01:00
Davide Beatrici
68367fa2fb hamcore: Restore warning_*.txt files
They were accidentally removed in 8e2616ef7d.
2021-03-11 20:15:20 +01:00
Davide Beatrici
68574e9af9 hamcorebuilder: Use libhamcore to build archive
https://github.com/SoftEtherVPN/libhamcore
2021-03-10 02:13:00 +01:00
dependabot[bot]
9e7f26395a
Bump elliptic in /src/bin/hamcore/wwwroot/admin/default
Bumps [elliptic](https://github.com/indutny/elliptic) from 6.5.3 to 6.5.4.
- [Release notes](https://github.com/indutny/elliptic/releases)
- [Commits](https://github.com/indutny/elliptic/compare/v6.5.3...v6.5.4)

Signed-off-by: dependabot[bot] <support@github.com>
2021-03-09 08:28:13 +00:00
Davide Beatrici
2d82d84fd5 CMake: Fix regular expression for BLAKE2 SSE2 source files selection
The comparison was being made against the variable's name instead of its value, causing the result to always be true.
For reference: https://cmake.org/cmake/help/v3.10/manual/cmake-generator-expressions.7.html#genex:BOOL

In addition to that, this commit also fixes the source file name of the non-SSE2 code.
2021-03-01 23:24:34 +01:00
Davide Beatrici
65483499bf Cedar/WinUi.c: Remove reference to "vpncmd_x64.exe" and "vpncmd_ia64.exe"
It was missed in a3eb115b0a.
2021-03-01 04:27:43 +01:00
Davide Beatrici
3d69a71d9b
Merge PR #1200: Implement support for WireGuard 2021-03-01 03:59:35 +01:00
Davide Beatrici
b6b692046c Cedar/CMInner.h: Fix wrong signature for CmPolicyDlgPrintEx2() 2021-03-01 03:01:34 +01:00
Davide Beatrici
56a19d7651 Cedar/Win32Com.cpp: Fix wrong signature for SetupCopyOEMInfW() and SetupUninstallOEMInfW()
https://docs.microsoft.com/en-us/windows/win32/api/setupapi/nf-setupapi-setupcopyoeminfw
https://docs.microsoft.com/en-us/windows/win32/api/setupapi/nf-setupapi-setupuninstalloeminfw
2021-03-01 03:01:34 +01:00
Davide Beatrici
2078a069de Cedar/Hub: Properly set value for hub admin options
Same deal as with the previous commit: worked fine as long as bool was 4-bytes wide.
2021-03-01 03:01:34 +01:00
Davide Beatrici
562ffe8945 Mayaqua/Pack: Fix PackGetStrSize() and PackGetStrSizeEx()'s return data type
The bug caused ProtoOptionsGet and ProtoOptionsSet not to work anymore after c90617e0e86dedf78e0e3c8a71263a80eec29caa.

The functions were introduced in aa65327e73, but the issue went unnoticed because bool was the same as UINT.
2021-03-01 03:01:34 +01:00
Davide Beatrici
914bfe7d44 Use bool from stdbool.h, get rid of BOOL
BOOL was just an alias for bool, this commit replaces all instances of it for consistency.

For some reason bool was defined as a 4-byte integer instead of a 1-byte one, presumably to match WinAPI's definition: https://docs.microsoft.com/en-us/windows/win32/winprog/windows-data-types
Nothing should break now that bool is 1-byte, as no protocol code appears to be relying on the size of the data type.
PACK, for example, explicitly stores boolean values as 4-byte integers.

This commit can be seen as a follow-up to 61ccaed4f6.
2021-03-01 03:01:34 +01:00
Davide Beatrici
ef24ff74c8 Cedar/Admin.c: Restrict StGetProtoOptions() access to server administrators
This is in order to protect the WireGuard private key.
2021-03-01 02:49:59 +01:00
Davide Beatrici
a8580458c4 Cedar/Command: Add WgkAdd, WgkDelete and WgkEnum commands
WgkAdd command - Add a WireGuard key
Help for command "WgkAdd"

Purpose:
  Add a WireGuard key

Description:
  This command can be used to add a WireGuard key to the allowed key list.
  To execute this command, you must have VPN Server administrator privileges.

Usage:
  WgkAdd [key] [/HUB:hub] [/USER:user]

Parameters:
  key   - WireGuard key. Make sure it is the public one!
  /HUB  - Hub the key will be associated to.
  /USER - User the key will be associated to, in the specified hub.

================================================================================

WgkDelete command - Delete a WireGuard key
Help for command "WgkDelete"

Purpose:
  Delete a WireGuard key

Description:
  This command can be used to delete a WireGuard key from the allowed key list.
  To execute this command, you must have VPN Server administrator privileges.

Usage:
  WgkDelete [key]

Parameters:
  key - WireGuard key.

================================================================================

WgkEnum command - List the WireGuard keys
Help for command "WgkEnum"

Purpose:
  List the WireGuard keys

Description:
  This command retrieves the WireGuard keys that are allowed to connect to the server, along with the associated Virtual Hub and user.
  You can add a key with the WgkAdd command.
  You can delete a key with the WgkDelete command.
  To execute this command, you must have VPN Server administrator privileges.

Usage:
  WgkEnum
2021-03-01 02:49:59 +01:00
Davide Beatrici
6115f1c713 Cedar/Admin: Implement RPC methods to add/delete/list WireGuard keys 2021-03-01 02:49:59 +01:00
Davide Beatrici
dd1eebdbed Cedar: Implement support for WireGuard
Please note that the implementation is not 100% conformant to the protocol whitepaper (https://www.wireguard.com/papers/wireguard.pdf).
More specifically: all peers are expected to send a handshake initiation once the current keypair is about to expire or is expired.
I decided not to do that because our implementation is meant to act as a server only. A true WireGuard peer acts, instead, as both a client and a server.
Once the keypair is expired, we immediately delete the session.

The cookie mechanism can be implemented in future.

As for authentication: unfortunately using the already existing methods is not possible due to the protocol not providing a way to send strings to a peer.
That's because WireGuard doesn't have a concept of "users": it identifies a peer through the public key, which is determined using the source address.
As a solution, this commit adds a special authentication method: once we receive the handshake initiation message and decrypt the peer's public key, we check whether it's in the allowed key list.
If it is, we retrieve the associated Virtual Hub and user; if the hub exists and the user is in it, the authentication is successful.

The allowed key list is stored in the configuration file like this:

declare WireGuardKeyList
{
	declare 96oA7iMvjn7oXiG3ghBDPaSUytT75uXceLV+Fx3XMlM=
	{
		string Hub DEFAULT
		string User user
	}
}
2021-03-01 02:49:59 +01:00
Davide Beatrici
8495388933 Cedar/IPC: Remove unused "UserName" and "Password" variables and assignment code
This commit also removes "HubName"'s first assignment, because the value is retrieved from PACK later (identifier: "IpcHubName").
2021-03-01 02:49:59 +01:00
Davide Beatrici
afe576dcdc Cedar: Add "DefaultGateway" and "DefaultSubnet" virtual hub options
WireGuard does not provide any configuration messages, meaning that we cannot push the IP address we receive from the DHCP server to the client.

In order to overcome the limitation we don't perform any DHCP operations and instead just extract the source IP address from the first IPv4 packet we receive in the tunnel.

The gateway address and the subnet mask can be set using the new "SetStaticNetwork" command. The values can be retrieved using "OptionsGet".

In future we will add a "allowed source IP addresses" function, similar to what the original WireGuard implementation provides.

================================================================================

SetStaticNetwork command - Set Virtual Hub static IPv4 network parameters
Help for command "SetStaticNetwork"

Purpose:
  Set Virtual Hub static IPv4 network parameters

Description:
  Set the static IPv4 network parameters for the Virtual Hub. They are used when DHCP is not available (e.g. WireGuard sessions).
  You can get the current settings by using the OptionsGet command.

Usage:
  SetStaticNetwork [/GATEWAY:gateway] [/SUBNET:subnet]

Parameters:
  /GATEWAY - Specify the IP address of the gateway that will be used for internet communication.
  /SUBNET  - Specify the subnet mask, required to determine the size of the local VPN network.
2021-03-01 02:49:59 +01:00
Davide Beatrici
decfcecc97 Cedar: Add ProtoOptionString() in PROTO_IMPL, to generate default option values
The WireGuard implementation will have two options that should not have a fixed default value, because they represent two keys (one is preshared, the other is private).

Instead of handling these two options differently in ProtoNewContainer(), this commit adds a new function to PROTO_IMPL: ProtoOptionString().

ProtoOptionString() takes the option's name as argument and returns a heap-allocated string that will be used as value. The function returns NULL when the option doesn't need a randomized value.
2021-03-01 02:49:59 +01:00
Davide Beatrici
d8aa470192 Cedar: Improve IsPacketForMe()'s "data" argumment in PROTO_IMPL
This allows a protocol implementation to implicitly cast the variable to the type it prefers.
2021-03-01 02:49:59 +01:00
Davide Beatrici
b339104f4f Cedar: Add "BLAKE2" submodule
OpenSSL provides BLAKE2s, but it only supports an output of 32 bytes. For WireGuard we need a 16 bytes output as well.

The minimum CMake version is bumped to 3.10 because it adds HAS_SSE2 to cmake_host_system_information(): https://cmake.org/cmake/help/v3.10/command/cmake_host_system_information.html
2021-03-01 02:49:57 +01:00
Davide Beatrici
8a37f5ce11 Mayaqua/Network.c: Fix several warnings related to Windows data type mismatches
Also, reported unused variables are removed.
2021-03-01 02:48:38 +01:00
Davide Beatrici
e7bf97583d Mayaqua/Microsoft: Fix several warnings related to Windows data type mismatches
Also, reported unused variables are removed.
2021-03-01 02:30:45 +01:00
Davide Beatrici
dbd4dd5ae7 Link to Windows libraries in CMake project, remove related #pragma directives
In addition to making the code cleaner, this also prevents potential issues due to #pragma directives being in headers.
2021-02-28 20:35:25 +01:00
Davide Beatrici
0a924aea4d CMake: Build hamcore.se2 only when related files change
Previously, the file was rebuilt even if no changes were made to the source files.
2021-02-27 20:52:44 +01:00
Davide Beatrici
621fb087f8 hamcorebuilder: Fix possible resource leak found by Coverity
FileClose() was not called if FileRead() failed.
2021-02-27 04:18:18 +01:00
Davide Beatrici
cf2585c079 Hamcore: Remove unused functions 2021-02-26 07:06:29 +01:00
Davide Beatrici
1301dc93c6 New hamcorebuilder implementation, independent from Cedar and Mayaqua
This new implementation can be easily compiled and executed without the need for other components to be present.

It relies on standard C functions, aside from stat() which is part of POSIX but available on Windows as well.

There's only one third-party dependency, which is tinydir: a single-file header-only library for traversing directories.
2021-02-26 07:06:26 +01:00
Ilya Shipitsin
5c346ef96e remove dead code found by Coverity
2575        // Address
    at_least: At condition size < 1U, the value of size must be at least 1.
    cannot_single: At condition size < 1U, the value of size cannot be equal to 0.
    dead_error_condition: The condition size < 1U cannot be true.
2576        if (size < 1)
2577        {
    CID 287533 (#1 of 1): Logically dead code (DEADCODE)dead_error_line: Execution cannot reach this statement: goto LABEL_ERROR;.
2578                goto LABEL_ERROR;
2579        }
2021-02-24 00:35:17 +05:00
Ilya Shipitsin
2715d80e18 fix potential null pointer dereference found by Coverity
CID 355460 (#1 of 1): Dereference before null check (REVERSE_INULL)check_after_deref: Null-checking p suggests that it may be null, but it has already been dereferenced on all paths leading to the check.
737                if (p == NULL)
738                {
739                        return false;
740                }
2021-02-24 00:26:44 +05:00
Ilya Shipitsin
a08857150b cleanup redundant check found by Coverity
CID 287561 (#1 of 1): Array compared against 0 (NO_EFFECT)array_null: Comparing an array to null is not useful: src == NULL, since the test will always evaluate as true.
    Was src formerly declared as a pointer?
3748        if (cedar == NULL || src == NULL || dst == NULL)
3749        {
3750                return false;
3751        }
2021-02-24 00:04:52 +05:00
Ilya Shipitsin
e5cfa347da
Merge pull request #1274 from davidebeatrici/src-bin-hamcore-cleanup
hamcore: Remove files that are not referenced in the code
2021-02-22 13:36:56 +05:00
Ilya Shipitsin
a6239a4ae3
Merge pull request #1238 from metalefty/translate-LH_AUTH_NG
Japanese: translate LH_AUTH_NG again
2021-02-22 12:06:26 +05:00
Davide Beatrici
8e2616ef7d hamcore: Remove files that are not referenced in the code 2021-02-22 00:44:35 +01:00
Davide Beatrici
ea2c8f9861
Merge PR #1273: fix null pointer dereference found by ErrorSanitizer 2021-02-21 14:10:08 +01:00
Ilya Shipitsin
e5e86abc0e fix null pointer dereference found by ErrorSanitizer
(gdb) bt
0  0x00007f43857a5e14 in __GI___pthread_mutex_init (mutex=0x0, mutexattr=0x0) at pthread_mutex_init.c:89
1  0x00007f4385eaaf1b in UnixNewLock () at SoftEtherVPN/src/Mayaqua/Unix.c:1845
2  0x00007f4385e92331 in NewLockMain () at SoftEtherVPN/src/Mayaqua/Object.c:89
3  0x00007f4385e92359 in NewLock () at SoftEtherVPN/src/Mayaqua/Object.c:101
4  0x00007f4385e92765 in NewCounter () at SoftEtherVPN/src/Mayaqua/Object.c:171
5  0x00007f4385e92e76 in NewRef () at SoftEtherVPN/src/Mayaqua/Object.c:339
6  0x00007f4385e76939 in NewSkEx (no_compact=0) at SoftEtherVPN/src/Mayaqua/Memory.c:863
7  0x00007f4385e68c95 in NormalizePathW (
    dst=0x7ffe65932940 L"\xd6ff2ffb\xfbf14ce5\xad8669ca\x41998a9c\x5107d62d\x8d2ab3f2\x37ceaad2\xffc947ec\xad8ed8d8\x33e9f2f7\xc05723a9\x843263e3\x5516beb3\x12571e2a\xd81405f3\xf92194fe\xd807aa98\x12835b01\x243185be\x550c7dc3\xfd74170d\x12835b01\x553185be\x550c7dc3\x72be5d74\x80deb1fe\x9bdc06a7\xc19bf1f4\x72be5d74\x80deb1fe\x9bdc06a7\xc19bf174\x894d4018\xc54302b8\x145dc92\x143b3917\x62aa4fb8\x915764b1\xd5e11bef\x9d5fbc5\xb956c25b\x59f111f1\x923f82a4\xab1c5ed5\x3956c25b\x59f111f1\x923f82a4\xab1c5ed5\xbaeb40", size=2048, src=<optimized out>)
    at SoftEtherVPN/src/Mayaqua/FileIO.c:1960
8  0x00007f4385e69188 in ConbinePathW (
    dst=0x7ffe65932940 L"\xd6ff2ffb\xfbf14ce5\xad8669ca\x41998a9c\x5107d62d\x8d2ab3f2\x37ceaad2\xffc947ec\xad8ed8d8\x33e9f2f7\xc05723a9\x843263e3\x5516beb3\x12571e2a\xd81405f3\xf92194fe\xd807aa98\x12835b01\x243185be\x550c7dc3\xfd74170d\x12835b01\x553185be\x550c7dc3\x72be5d74\x80deb1fe\x9bdc06a7\xc19bf1f4\x72be5d74\x80deb1fe\x9bdc06a7\xc19bf174\x894d4018\xc54302b8\x145dc92\x143b3917\x62aa4fb8\x915764b1\xd5e11bef\x9d5fbc5\xb956c25b\x59f111f1\x923f82a4\xab1c5ed5\x3956c25b\x59f111f1\x923f82a4\xab1c5ed5\xbaeb40", size=2048,
    dirname=0xbace10 L"/root/.local/bin", filename=0x7ffe65932100 L"SoftEtherVPN/build/vpntest") at SoftEtherVPN/src/Mayaqua/FileIO.c:1686
9  0x00007f4385e6af48 in UnixGetExeNameW (name=0x7f4385ede820 <exe_file_name_w> L"/tmp/a.out", size=2048, arg=0xbb5050 L"./vpntest") at SoftEtherVPN/src/Mayaqua/FileIO.c:1401
10 0x00007f4385e6b04b in InitGetExeName (arg=<optimized out>) at SoftEtherVPN/src/Mayaqua/FileIO.c:1367
11 0x00007f4385e7470a in InitMayaqua (memcheck=memcheck@entry=0, debug=debug@entry=1, argc=argc@entry=3, argv=argv@entry=0x7ffe659340e8)
    at SoftEtherVPN/src/Mayaqua/Mayaqua.c:456
12 0x0000000000401282 in main (argc=3, argv=0x7ffe659340e8) at SoftEtherVPN/src/vpntest/vpntest.c:259
2021-02-21 16:13:36 +05:00
Davide Beatrici
78f06569b3
Merge PR #1270: Update strtable_en.stb 2021-02-20 17:15:40 +01:00
Ilya Shipitsin
586c27d43b
Merge pull request #1269 from chipitsine/openssl_version_agnostic
use SSL_SECOP_VERSION macro instead of OPENSSL_VERSION
2021-02-20 20:56:26 +05:00
djony
2db9f15ea7
Update strtable_en.stb
"2050 LA_DEL_CRL" - this entry appear in logfile when you delete cert from Certificate Revocation List. Thats why need to change it. 
"2051 LA_SET_CRL" - this entry must appear in logfile when you edit cert in Certificate Revocation List, but it doesn't happen (perhaps it's a bug)
2021-02-20 17:56:33 +03:00
Ilya Shipitsin
ebd1d281dd use SSL_SECOP_VERSION macro instead of OPENSSL_VERSION
OPENSSL_VERSION is fragile in LibreSSL, BoringSSL.
security level manipulation is openssl specific defined in
b362ccab5c
2021-02-20 17:48:26 +05:00
Davide Beatrici
d53f80bfa6 Remove BuildUtil and all MSBuild projects, except the ones not in CMake yet
Since 35200a29ea we build complete installers using CMake, meaning that there's no need for BuildUtil anymore.

MSBuild projects that are not migrated to CMake yet are kept for reference.

This commit also updates BUILD_WINDOWS.md so that it mentions Visual Studio 2019 instead of 2017.
2021-02-19 21:17:01 +01:00
dependabot[bot]
394354ff8a
Bump ini from 1.3.5 to 1.3.7 in /src/bin/hamcore/wwwroot/admin/default
Bumps [ini](https://github.com/isaacs/ini) from 1.3.5 to 1.3.7.
- [Release notes](https://github.com/isaacs/ini/releases)
- [Commits](https://github.com/isaacs/ini/compare/v1.3.5...v1.3.7)

Signed-off-by: dependabot[bot] <support@github.com>
2020-12-11 09:21:51 +00:00
sl077
5611156ca8 Cedar/Proto.c: fix crash in ProtoHandleConnection()
The bug was introduced in 8685fe0da1.
2020-12-09 01:17:59 +01:00
Allen Cui
501fe217ff
Bug fix: Proxy button not enabled for SOCKS5
https://github.com/SoftEtherVPN/SoftEtherVPN/issues/1247
2020-12-08 14:12:21 +08:00
Daiyuu Nobori
a207260e38 Found the bad remove for lock files. 2020-11-30 18:15:37 +09:00
Kensei Sakai
3fa24c6731
update Install requirements on macOS
Ruby-based Homebrew installer is deprecated by original authors, and replaced Bash-based Installer.
(ref1: https://github.com/Homebrew/install/blob/master/README.md )
(ref2: 2680637777 (diff-b335630551682c19a781afebcf4d07bf978fb1f8ac04c6bf87428ed5106870f5) )

note: /Homebrew/install/master/install also runs Bash-based installer now.
2020-11-23 21:22:29 +09:00
Tetsuo Sugiyama
5f6306d5e5
Fixed setting change trigger of keepalive function
To solve the problem that the escape condition of the loop that tries name resolution in UDP mode was reversed in the keep-alive function of the Internet connection, so the name resolution retry is set to 250 msec interval instead of the normal 60 second interval.
2020-11-17 12:23:14 +09:00
Koichiro IWAO
023250df9a
hamcore(ja): translate LH_AUTH_NG
Regressed to English in #1122.
2020-11-10 13:30:08 +09:00
Davide Beatrici
fffed52f3b
Merge PR #1235: Manage security level 2020-10-31 22:12:08 +01:00
Takuho NAKANO
c029b34b80 Run SSL_CTX_set_ssl_version earlier
SSL_CTX_set_ssl_version may change security level.
2020-10-31 20:19:32 +01:00
Takuho NAKANO
7fdacec2a6 Manage OpenSSL security level
Add SslAcceptSettings option Override_Security_Level and Override_Security_Level_Value
to allow user to choose.
2020-10-31 20:19:23 +01:00
Takuho NAKANO
190672bd84 Set RSA bits considering OpenSSL security Level 2020-10-31 20:11:11 +01:00
Takuho NAKANO
5ca62bdd8a Refact: manage SSL_OP_NO_SSLv3 in NewSSLCtx 2020-10-31 20:11:11 +01:00
Takuho NAKANO
d0b3cde485 Refact: move SSL_CTX_set_ssl_version to NewSSLCtx 2020-10-31 20:11:11 +01:00
Ilya Shipitsin
bb2e2ff997 Cedar/Session.c: fix "use after free" in CleanupSession()
Fixes #1226.
2020-10-31 20:03:22 +01:00
Ilya Shipitsin
a2d15615f3
Merge pull request #1115 from takotakot/import_v4_change
Add Tls_Disable1_3 (Import v4 change)
2020-10-31 20:04:20 +03:00
Davide Beatrici
3c140dde8d
Merge PR #1218: Cedar: DHCP server now assigns static IPv4 address, if present in user note 2020-10-12 05:18:41 +02:00
PeTeeR
b890c7d813 Cedar: DHCP server now assigns static IPv4 address, if present in user note
This works for all VPN protocols.

In SessionMain(): for DHCPDISCOVER and DHCPREQUEST frames, write the static IP address (which is retrieved from the user notes) in the SIADDR field of DHCPHEADER.

In VirtualDhcpServer(): for DHCPDISCOVER and DHCPREQUEST frames, read the static IP address from the SIADDR field of DHCPHEADER and assign it to the client.
2020-10-12 04:56:33 +02:00
Ilya Shipitsin
2c9ac51c84 fix build documentation 2020-10-10 17:20:56 +05:00
Ilya Shipitsin
3cf23e58a3
Merge pull request #1210 from nokia/openssl_engine_auth
Openssl engine certificate authentication
2020-10-09 12:31:18 +03:00
mcallist
f52ccc6493 Add translation for pw_type5 for the non-english languages 2020-10-09 11:03:55 +02:00
mcallist
2e0c24f6c8 Add english translation to each language for openssl engine auth 2020-10-09 10:22:23 +02:00
mcallist
d1ad4196bb Change from unix only implementation to all os and skip ENGINE_load_dynamic if oss is 1.1.0 or later 2020-10-09 09:58:34 +02:00