"ClientOption", as the name implies, is only used in a client context.
The issue was introduced in 235bd07e67. Before that, an unrelated check prevented UnixVLanSetState() from being called in a server context.
SoftEther VPN originally created the NIC in the UP state and never changed it, even when the the client was not connected.
The behavior was changed in 59e1483dbf, which also added the NicDownOnDisconnect option
The option was disabled by default for backwards compatibility with scripts that don't check whether the NIC is down, but it's not ideal.
This commit forces the correct behavior and removes the commands "TUNDownOnDisconnectEnable", "TUNDownOnDisconnectDisable" and "TUNDownOnDisconnectGet".
PortsUDPSet: This command can be used to specify a single or multiple UDP ports the server should listen on. "0" can be specified to disable the UDP listener.
Administrator privileges are required to execute the command.
PortsUDPGet: This command can be used to retrieve the UDP ports the server is listening on.
The two commands replace the functionality that was previously provided by OpenVpnEnable and OpenVpnGet, respectively.
Originally, StrToPortList() returned NULL when it encountered a number equal to 0 or higher than 65535.
This commit adds a new parameter to the function called "limit_range":
- When its value is true, the function retains the original behavior.
- When its value is false, the function doesn't check whether the number is in the network port number range (1-65535).
The change is required because the command to set the UDP ports will allow to remove all ports by specifying "0" as the port number.
Now that Proto supports UDP, the server can handle multiple protocols on each UDP port.
The UDP ports are specified by the "OpenVPN_UdpPortList" configuration setting, because:
- OpenVPN is currently the only UDP protocol supported by SoftEther VPN to allow a custom port number.
- Before Proto was introduced, a unified interface for the protocols didn't exist; each protocol implementation had to create its own listener.
In preparation for the upcoming WireGuard implementation, this commit renames "OpenVPN_UdpPortList" to "PortsUDP", which should clarify that the setting is global.
The change is reflected in the code. Also, the ports are now stored in a LIST rather than a string. The conversion between string and LIST only happens when loading/saving the configuration.
The default UDP ports are now the same as the TCP ones (443, 992, 1194, 5555).
*** CID 358434: Null pointer dereferences (REVERSE_INULL)
/src/Cedar/Proto.c: 451 in ProtoHandleDatagrams()
445 void ProtoHandleDatagrams(UDPLISTENER *listener, LIST *datagrams)
446 {
447 UINT i;
448 HASH_LIST *sessions;
449 PROTO *proto = listener->Param;
450
>>> CID 358434: Null pointer dereferences (REVERSE_INULL)
>>> Null-checking "listener" suggests that it may be null, but it has already been dereferenced on all paths leading to the check.
451 if (proto == NULL || listener == NULL || datagrams == NULL)
452 {
453 return;
454 }
455
456 sessions = proto->Sessions;
As a side effect, the DH parameter is now applied to the TCP server as well.
Previously, the default value was always used, ignoring the one from the configuration.
When a datagram is received, the matching session is looked up in a hash list; if it's not found, a new session is created.
This method allows to use a single UDP port for multiple protocols, as we do with TCP.
Also, each session has its own dedicated thread, used to process the received datagrams and generate the ones that are then sent through the UDP listener.
In addition to guaranteeing constant performance, separate threads also prevent a single one from blocking all sessions.
This allows to stop a UDP listener without deleting it.
It's especially useful when no datagrams should be received anymore, but there are other threads accessing the listener.
- An additional parameter is added to IsPacketForMe(), used to specify the protocol type (currently either TCP or UDP).
- SupportedModes() is dropped because it's now redundant.
- IsOk() and EstablishedSessions() are dropped because error checking should be handled by the implementation.
- ProtoImplDetect() now takes a buffer and its size rather than a SOCK, so that it can be used to detect UDP protocols.
- The OpenVPN toggle check is moved to ProtoImplDetect(), so that we don't have to duplicate it once UDP support is implemented.
The PROTO structure is now used to identify the system as a whole, rather than a single protocol. It's stored and initialized in Server.
ProtoCompare(), ProtoAdd() and ProtoDetected() are renamed to make the difference between PROTO and PROTO_IMPL more clear.
ProtoGet() and ProtoNum() are removed because the related list can now be accessed directly by Server.
From https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage:
--block-outside-dns
Block DNS servers on other network adapters to prevent DNS leaks.
This option prevents any application from accessing TCP or UDP port 53 except one inside the tunnel.
It uses Windows Filtering Platform (WFP) and works on Windows Vista or later.
This option is considered unknown on non-Windows platforms and unsupported on Windows XP, resulting in fatal error.
You may want to use --setenv opt or --ignore-unknown-option (not suitable for Windows XP) to ignore said error.
Note that pushing unknown options from server does not trigger fatal errors.
On uClibc, the ifaddrs.h support is optional. While the default
Buildroot uClibc configuration has it enabled, some external
toolchains may not. Therefore this patch detects that and adjusts
softether usage of ifaddrs accordingly.
Based on an initial patch from Bernd Kuhls.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
[Retrieved from:
https://git.buildroot.net/buildroot/tree/package/softether/0009-uclibc-ai-addrconfig.patch]
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Formerly, SKIP_CPU_FEATURES is automatically detected by system
processor. However, "^(armv7l|aarch64|s390x)$" does not cover all
processors that cpu_features should be skipped.
"armv6", "armv7", "mips", "mips64" on FreeBSD are examples [1]
that cpu_features is not correctly skipped.
This change intends to build SoftEther without any modifications on
CMakeLists.txt on such processors.
cmake . -DSKIP_CPU_FEATURES=1
[1] https://www.freebsd.org/platforms/
DbDir : directory to store files such as vpn_server.config and backups etc
LogDir : directory to write logs (sub directories is created in this dir)
PidDir : directory to put PID files such as .ctl-* .pid-* .VPN-*
Currently the systemd service unit files are installed
into /lib/systemd/system if that directory exists. This
might not be optimal for every user, e.g. when the build
system is not the target system or when building as an
unprivileged user using CMAKE_INSTALL_PREFIX.
Make this configurable by adding a cached cmake variable
CMAKE_INSTALL_SYSTEMD_UNITDIR. Usage:
- install unit files into /lib/systemd/system if it exists (old
behavior)
cmake
- don't install unit files
cmake -D CMAKE_INSTALL_SYSTEMD_UNITDIR=
- install into absolute path
cmake -D CMAKE_INSTALL_SYSTEMD_UNITDIR=/path
- install into path relative to ${CMAKE_INSTALL_PREFIX}
cmake -D CMAKE_INSTALL_SYSTEMD_UNITDIR=path
The function has been greatly improved, here are some of the changes:
- The required SESSION (c->Session) parameter is checked correctly: the function returns immediately in case it's NULL. Previously, the function didn't return in case the parameter was NULL; multiple checks were in place, but not in all instances where the parameter was dereferenced.
- The resolved IP address is cached with all proxy types.
- The "RestoreServerNameAndPort" variable is documented.
- The Debug() messages have been improved.
This commit moves the generic (not related to our protocol) proxy stuff from Cedar to Mayaqua, in dedicated files.
The functions are refactored so that they all have the same arguments and follow the same logic.
Dedicated error codes are added, in order to indicate clearly why the function(s) failed.
Coverity Scan detected an out-of-bounds access issue: OvsProcessData() checked whether the payload size was bigger than the size of the buffer, instead of checking whether the entire packet size (payload size + 2 bytes) was, resulting in an out-of-bounds access in case the payload size is bigger than 1998.
This commit also improves the variable names, the comments and adds two Debug() lines.
OvsDecrypt() returns 0 when it fails, resulting in "size" rolling over with an end result of 4294967292.
This commit fixes the issue by checking whether "size" is greater than sizeof(UINT) before performing the subtraction.
The bug was caused by a typo in the StrCpy() call: the source buffer was the same as the destination one, meaning that the function didn't do anything.
- Fixed the RADIUS PEAP client to use the standard TLS versioning.
- Implementation of a function to fix the MAC address of L3 VPN protocol by entering e.g. "MAC: 112233445566" in the "Notes" field of the user information.
- Implementation of a function to fix the virtual MAC address to be assigned to the L3 VPN client as a string attribute from RADIUS server when authentication.
Hardcoded paths are used in log file enumeration such as LogFileList
command or GenerateEraseFileList function to delete old log files when
disk free space is lacking.
Fixes: SoftEtherVPN/SoftEtherVPN#972
If SecureNAT is enabled and the hostname of the server
is longer than 16characters, every NETBIOS name resolution
query triggers the buffer overflow. If the server was built
with stack protection, the process will be killed.
This commit adds a protocol interface to the server, its purpose is to manage TCP connections and the various third-party protocols.
More specifically, ProtoHandleConnection() takes care of exchanging the packets between the local and remote endpoint; the protocol implementation only has to parse them and act accordingly.
The interface knows which protocol is the connection for by calling IsPacketForMe(), a function implemented for each protocol.
My previous patch used a wrong if directive, which disabled removed
(de)initialization and threading for LibreSSL. This most likely causes
issues at runtime.
A race condition in the DHCP server caused it to offer the same IP address to multiple clients when they connected at the same time, because an offered IP address was considered free until the final step (DHCP_ACK).
This commit introduces a list to keep track of the pending leases created during DHCP_OFFER, so that an IP address is guaranteed to be offered to a single client.
StrCat() appends a string to an already existing string. In order to know where the existing string ends, it uses StrLen() which in turn uses strlen(), a function considered unsafe because it doesn't stop until it finds the null character.
Since the string was allocated but not initialized, StrCat() was either:
- Working correctly.
- Copying only a part of the string.
- Making the program crash via strlen().
The fix consists in using StrCpy(), which starts writing at the beginning of the string.
SSL_free() also frees the associated context.
d6c3c1896c/ssl/ssl_lib.c (L1209)
From https://www.openssl.org/docs/man1.1.1/man3/SSL_free.html:
"SSL_free() also calls the free()ing procedures for indirectly affected items, if applicable: the buffering BIO, the read and write BIOs, cipher lists specially created for this ssl, the SSL_SESSION. Do not explicitly free these indirectly freed up items before or after calling SSL_free(), as trying to free things twice may lead to program failure."
found by cppcheck
[src/Cedar/DDNS.c:656]: (style) Condition 'ret==NULL' is always true
[src/Cedar/DDNS.c:515] -> [src/Cedar/DDNS.c:640]: (style) The expression 'use_https == false' is always true because 'use_https' and 'false' represent the same value.
[src/Cedar/DDNS.c:516] -> [src/Cedar/DDNS.c:648]: (style) The expression 'no_cert_verify == false' is always true because 'no_cert_verify' and 'false' represent the same value.
[src/Cedar/DDNS.c:816] -> [src/Cedar/DDNS.c:860]: (style) The expression 'no_cert_verify == false' is always true because 'no_cert_verify' and 'false' represent the same value.
[src/Cedar/DDNS.c:530]: (style) Variable 'use_vgs' is assigned a value that is never used.
[src/Cedar/DDNS.c:497]: (style) The function 'DCUpdateNow' is never used.
found by cppcheck
[src/Cedar/Account.c:523]: (style) The function 'GetUserPolicy' is never used.
[src/Cedar/Account.c:163]: (style) The function 'NormalizePolicyName' is never used.
found by cppcheck
[src/Cedar/Command.c:23220] -> [src/Cedar/Command.c:23232]: (style) Variable 'len' is reassigned a value before the old one has been used.
found by cppcheck
[src/Cedar/CM.c:4509]: (style) Variable 'easy' is assigned a value that is never used.
[src/Cedar/CM.c:4547]: (style) Variable 'hub_name' is assigned a value that is never used.
[src/Cedar/CM.c:4609]: (style) Variable 'is_account' is assigned a value that is never used.
[src/Cedar/CM.c:8545]: (style) The function 'CmLoadK' is never used.
To fix the bug of OpenVPN 2.4.6 and particular version of kernel mode TAP driver on Linux, the TAP device must be up after the OpenVPN client is connected. However there is no direct push instruction to do so to OpenVPN client. Therefore we push the dummy IPv4 address (RFC7600) to the OpenVPN client to enforce the TAP driver UP state.
found by cppcheck
[src/Mayaqua/Mayaqua.c:753]: (style) Consecutive return, break, continue, goto or throw statements are unnecessary.
[src/Mayaqua/Mayaqua.c:484]: (style) The function 'IsUnicode' is never used.
[src/Mayaqua/Mayaqua.c:438]: (style) The function 'MayaquaDotNetMode' is never used.
[src/Mayaqua/Mayaqua.c:774]: (style) The function 'PrintOsInfo' is never used.
found by cppcheck
[src/Mayaqua/Cfg.c:669]: (style) Variable 'invalid_file' is assigned a value that is never used.
[src/Mayaqua/Cfg.c:2111]: (style) Variable 'v' is assigned a value that is never used.
[src/Mayaqua/Cfg.c:1114]: (style) The function 'CfgFolderToBufText' is never used.
[src/Mayaqua/Cfg.c:539]: (style) The function 'CfgRead' is never used.
[src/Mayaqua/Cfg.c:418]: (style) The function 'CfgSave' is never used.
[src/Mayaqua/Cfg.c:1425]: (style) The function 'CfgStrToType' is never used.
[src/Mayaqua/Cfg.c:708]: (style) The function 'CfgTest' is never used.
[src/Mayaqua/Cfg.c:704]: (style) The function 'CfgTest2' is never used.
[src/Mayaqua/Cfg.c:247]: (style) The function 'NewCfgRwW' is never used.
This allows an OpenVPN client to bypass a firewall which is aware of the protocol and is able to block it.
The XOR mask set on the server has to be the same on the client, otherwise it will not be able to connect with certain obfuscation modes.
A special OpenVPN client built with the "XOR patch" is required in order to use this function, because it has never been merged in the official OpenVPN repository.
Two parameters are added to the server configuration: "OpenVPNObfuscationMethod" and "OpenVPNObfuscationMask".
Their value can be retrieved with "OpenVpnObfuscationGet" and set with "OpenVpnObfuscationEnable" in the VPN Command Line Management Utility.
resolve possible null pointer dereference
found by cppcheck
[src/Cedar/Protocol.c:3138] -> [src/Cedar/Protocol.c:3071]: (warning) Either the condition 's!=NULL' is redundant or there is possible null pointer dereference: s.
[src/Cedar/Protocol.c:916]: (style) Variable 'save' is assigned a value that is never used.
[src/Cedar/Protocol.c:6242]: (style) Variable 'size' is assigned a value that is never used.
[src/Cedar/Protocol.c:778]: (style) Variable 'old_disable' is assigned a value that is never used.
[src/Cedar/Protocol.c:1021]: (style) Variable 'save' is assigned a value that is never used.
[src/Cedar/Protocol.c:3708]: (style) Variable 'is_vgc' is assigned a value that is never used.
[src/Cedar/Protocol.c:5785]: (style) Variable 's' is assigned a value that is never used.
[src/Cedar/Protocol.c:6164]: (style) The function 'SocksConnectEx' is never used.
[src/Cedar/Protocol.c:907]: (style) The function 'CompareNodeInfo' is never used.
[src/Cedar/Protocol.c:6968]: (style) The function 'ProxyConnect' is never used.
[src/Cedar/Protocol.c:3986]: (style) The function 'SecureDelete' is never used.
[src/Cedar/Protocol.c:4042]: (style) The function 'SecureEnum' is never used.
[src/Cedar/Protocol.c:4127]: (style) The function 'SecureWrite' is never used.
[src/Cedar/Protocol.c:6463]: (style) The function 'SocksConnect' is never used.
[src/Cedar/Protocol.c:7185]: (style) The function 'TcpConnectEx2' is never used.
[src/Cedar/Protocol.c:7206]: (style) The function 'TcpIpConnect' is never used.
1.0.0.1 is a real IP address, owned by CloudFlare and used for their DNS service.
This commit changes the IP address we push to 192.0.0.8, which is defined in RFC7600 as dummy IPv4 address.
found by PVS analyzer
src/Mayaqua/Network.c 18715 err V571 Recurring check. The 'if (u->GetNatTIpThread == NULL)' condition was already verified in line 18712.
found by cppcheck
[src/Mayaqua/OS.c:493]: (style) The function 'OSDec32' is never used.
[src/Mayaqua/OS.c:373]: (style) The function 'OSDeleteDir' is never used.
[src/Mayaqua/OS.c:393]: (style) The function 'OSFileCreate' is never used.
[src/Mayaqua/OS.c:353]: (style) The function 'OSFileDelete' is never used.
[src/Mayaqua/OS.c:383]: (style) The function 'OSFileOpen' is never used.
[src/Mayaqua/OS.c:331]: (style) The function 'OSFileRename' is never used.
[src/Mayaqua/OS.c:487]: (style) The function 'OSInc32' is never used.
[src/Mayaqua/OS.c:363]: (style) The function 'OSMakeDir' is never used.
[src/Mayaqua/OS.c:541]: (style) The function 'OSResetEvent' is never used.
found by cppcheck
[src/Cedar/Proto_IkePacket.c:958]: (style) The function 'IkeNewCertPayload' is never used.
[src/Cedar/Proto_IkePacket.c:942]: (style) The function 'IkeNewCertRequestPayload' is never used.
[src/Cedar/Proto_IkePacket.c:875]: (style) The function 'IkeNewNoticeErrorInvalidExchangeTypePayload' is never used.
[src/Cedar/Proto_IkePacket.c:2542]: (style) The function 'IkeNewSpi' is never used.
[src/Cedar/Proto_IkePacket.c:142]: (style) The function 'IkePhase1CryptIdToKeySize' is never used.
[src/Cedar/Proto_IkePacket.c:157]: (style) The function 'IkePhase2CryptIdToKeySize' is never used.
[src/Cedar/Proto_IkePacket.c:172]: (style) The function 'IkeStrToPhase1CryptId' is never used.
[src/Cedar/Proto_IkePacket.c:187]: (style) The function 'IkeStrToPhase1HashId' is never used.
[src/Cedar/Proto_IkePacket.c:196]: (style) The function 'IkeStrToPhase2CryptId' is never used.
[src/Cedar/Proto_IkePacket.c:211]: (style) The function 'IkeStrToPhase2HashId' is never used.
[src/Cedar/Proto_IkePacket.c:2168]: (style) Condition 'b==NULL' is always true
This commit fixes the "TrackDeleteObj: 0x12345678 is not Object!!" (where 0x12345678 is the actual address) errors with memcheck enabled.
It also fixes the following related warnings:
warning: cast from pointer to integer of different size [-Wpointer-to-int-cast]
TrackChangeObjSize((DWORD)addr, size, (DWORD)new_addr);
^
warning: cast from pointer to integer of different size [-Wpointer-to-int-cast]
TrackChangeObjSize((DWORD)addr, size, (DWORD)new_addr);
^