1
0
mirror of https://github.com/SoftEtherVPN/SoftEtherVPN.git synced 2024-11-23 18:09:53 +03:00
Commit Graph

1942 Commits

Author SHA1 Message Date
Davide Beatrici
ef24ff74c8 Cedar/Admin.c: Restrict StGetProtoOptions() access to server administrators
This is in order to protect the WireGuard private key.
2021-03-01 02:49:59 +01:00
Davide Beatrici
a8580458c4 Cedar/Command: Add WgkAdd, WgkDelete and WgkEnum commands
WgkAdd command - Add a WireGuard key
Help for command "WgkAdd"

Purpose:
  Add a WireGuard key

Description:
  This command can be used to add a WireGuard key to the allowed key list.
  To execute this command, you must have VPN Server administrator privileges.

Usage:
  WgkAdd [key] [/HUB:hub] [/USER:user]

Parameters:
  key   - WireGuard key. Make sure it is the public one!
  /HUB  - Hub the key will be associated to.
  /USER - User the key will be associated to, in the specified hub.

================================================================================

WgkDelete command - Delete a WireGuard key
Help for command "WgkDelete"

Purpose:
  Delete a WireGuard key

Description:
  This command can be used to delete a WireGuard key from the allowed key list.
  To execute this command, you must have VPN Server administrator privileges.

Usage:
  WgkDelete [key]

Parameters:
  key - WireGuard key.

================================================================================

WgkEnum command - List the WireGuard keys
Help for command "WgkEnum"

Purpose:
  List the WireGuard keys

Description:
  This command retrieves the WireGuard keys that are allowed to connect to the server, along with the associated Virtual Hub and user.
  You can add a key with the WgkAdd command.
  You can delete a key with the WgkDelete command.
  To execute this command, you must have VPN Server administrator privileges.

Usage:
  WgkEnum
2021-03-01 02:49:59 +01:00
Davide Beatrici
6115f1c713 Cedar/Admin: Implement RPC methods to add/delete/list WireGuard keys 2021-03-01 02:49:59 +01:00
Davide Beatrici
dd1eebdbed Cedar: Implement support for WireGuard
Please note that the implementation is not 100% conformant to the protocol whitepaper (https://www.wireguard.com/papers/wireguard.pdf).
More specifically: all peers are expected to send a handshake initiation once the current keypair is about to expire or is expired.
I decided not to do that because our implementation is meant to act as a server only. A true WireGuard peer acts, instead, as both a client and a server.
Once the keypair is expired, we immediately delete the session.

The cookie mechanism can be implemented in future.

As for authentication: unfortunately using the already existing methods is not possible due to the protocol not providing a way to send strings to a peer.
That's because WireGuard doesn't have a concept of "users": it identifies a peer through the public key, which is determined using the source address.
As a solution, this commit adds a special authentication method: once we receive the handshake initiation message and decrypt the peer's public key, we check whether it's in the allowed key list.
If it is, we retrieve the associated Virtual Hub and user; if the hub exists and the user is in it, the authentication is successful.

The allowed key list is stored in the configuration file like this:

declare WireGuardKeyList
{
	declare 96oA7iMvjn7oXiG3ghBDPaSUytT75uXceLV+Fx3XMlM=
	{
		string Hub DEFAULT
		string User user
	}
}
2021-03-01 02:49:59 +01:00
Davide Beatrici
8495388933 Cedar/IPC: Remove unused "UserName" and "Password" variables and assignment code
This commit also removes "HubName"'s first assignment, because the value is retrieved from PACK later (identifier: "IpcHubName").
2021-03-01 02:49:59 +01:00
Davide Beatrici
afe576dcdc Cedar: Add "DefaultGateway" and "DefaultSubnet" virtual hub options
WireGuard does not provide any configuration messages, meaning that we cannot push the IP address we receive from the DHCP server to the client.

In order to overcome the limitation we don't perform any DHCP operations and instead just extract the source IP address from the first IPv4 packet we receive in the tunnel.

The gateway address and the subnet mask can be set using the new "SetStaticNetwork" command. The values can be retrieved using "OptionsGet".

In future we will add a "allowed source IP addresses" function, similar to what the original WireGuard implementation provides.

================================================================================

SetStaticNetwork command - Set Virtual Hub static IPv4 network parameters
Help for command "SetStaticNetwork"

Purpose:
  Set Virtual Hub static IPv4 network parameters

Description:
  Set the static IPv4 network parameters for the Virtual Hub. They are used when DHCP is not available (e.g. WireGuard sessions).
  You can get the current settings by using the OptionsGet command.

Usage:
  SetStaticNetwork [/GATEWAY:gateway] [/SUBNET:subnet]

Parameters:
  /GATEWAY - Specify the IP address of the gateway that will be used for internet communication.
  /SUBNET  - Specify the subnet mask, required to determine the size of the local VPN network.
2021-03-01 02:49:59 +01:00
Davide Beatrici
decfcecc97 Cedar: Add ProtoOptionString() in PROTO_IMPL, to generate default option values
The WireGuard implementation will have two options that should not have a fixed default value, because they represent two keys (one is preshared, the other is private).

Instead of handling these two options differently in ProtoNewContainer(), this commit adds a new function to PROTO_IMPL: ProtoOptionString().

ProtoOptionString() takes the option's name as argument and returns a heap-allocated string that will be used as value. The function returns NULL when the option doesn't need a randomized value.
2021-03-01 02:49:59 +01:00
Davide Beatrici
d8aa470192 Cedar: Improve IsPacketForMe()'s "data" argumment in PROTO_IMPL
This allows a protocol implementation to implicitly cast the variable to the type it prefers.
2021-03-01 02:49:59 +01:00
Davide Beatrici
b339104f4f Cedar: Add "BLAKE2" submodule
OpenSSL provides BLAKE2s, but it only supports an output of 32 bytes. For WireGuard we need a 16 bytes output as well.

The minimum CMake version is bumped to 3.10 because it adds HAS_SSE2 to cmake_host_system_information(): https://cmake.org/cmake/help/v3.10/command/cmake_host_system_information.html
2021-03-01 02:49:57 +01:00
Davide Beatrici
8a37f5ce11 Mayaqua/Network.c: Fix several warnings related to Windows data type mismatches
Also, reported unused variables are removed.
2021-03-01 02:48:38 +01:00
Davide Beatrici
e7bf97583d Mayaqua/Microsoft: Fix several warnings related to Windows data type mismatches
Also, reported unused variables are removed.
2021-03-01 02:30:45 +01:00
Davide Beatrici
a39905c288
Merge PR #1283: Link to Windows libraries in CMake project, remove related #pragma directives 2021-02-28 21:09:05 +01:00
Davide Beatrici
dbd4dd5ae7 Link to Windows libraries in CMake project, remove related #pragma directives
In addition to making the code cleaner, this also prevents potential issues due to #pragma directives being in headers.
2021-02-28 20:35:25 +01:00
Davide Beatrici
ec201f340a
Merge PR #1281: CMake: Build hamcore.se2 only when related files change 2021-02-27 21:20:13 +01:00
Davide Beatrici
0a924aea4d CMake: Build hamcore.se2 only when related files change
Previously, the file was rebuilt even if no changes were made to the source files.
2021-02-27 20:52:44 +01:00
Davide Beatrici
d161b75a7d
Merge PR #1280: hamcorebuilder: Fix possible resource leak found by Coverity 2021-02-27 04:37:57 +01:00
Davide Beatrici
621fb087f8 hamcorebuilder: Fix possible resource leak found by Coverity
FileClose() was not called if FileRead() failed.
2021-02-27 04:18:18 +01:00
Davide Beatrici
809f891f0c
Merge PR #1279: CMake: Explicitly set C standard to 99 2021-02-27 01:25:05 +01:00
Davide Beatrici
82f2c73ce9 CMake: Explicitly set C standard to 99
This change fixes our Ubuntu Trusty and Precise builds on GitLab, which currently fail because they use C89/90 by default.
2021-02-27 00:35:58 +01:00
Davide Beatrici
5cddafbb3b
Merge PR #1278: move coverity scan to github actions, cleanup travis-ci 2021-02-27 00:24:44 +01:00
Ilya Shipitsin
dd6e79d526 remove travis-ci badge 2021-02-27 01:13:29 +05:00
Ilya Shipitsin
5792aa7c41 remove coverity scan from travis 2021-02-27 01:12:59 +05:00
Ilya Shipitsin
0325c13c40 move coverity scan to github actions 2021-02-27 01:12:07 +05:00
Ilya Shipitsin
25e2854725
Merge pull request #1277 from davidebeatrici/hamcorebuilder-revamp
New hamcorebuilder implementation, independent from Cedar and Mayaqua
2021-02-27 00:20:17 +05:00
Davide Beatrici
cf2585c079 Hamcore: Remove unused functions 2021-02-26 07:06:29 +01:00
Davide Beatrici
1301dc93c6 New hamcorebuilder implementation, independent from Cedar and Mayaqua
This new implementation can be easily compiled and executed without the need for other components to be present.

It relies on standard C functions, aside from stat() which is part of POSIX but available on Windows as well.

There's only one third-party dependency, which is tinydir: a single-file header-only library for traversing directories.
2021-02-26 07:06:26 +01:00
Davide Beatrici
5ed11a0270
Merge PR #1276: fix several issues found by Coverity 2021-02-23 21:18:42 +01:00
Ilya Shipitsin
5c346ef96e remove dead code found by Coverity
2575        // Address
    at_least: At condition size < 1U, the value of size must be at least 1.
    cannot_single: At condition size < 1U, the value of size cannot be equal to 0.
    dead_error_condition: The condition size < 1U cannot be true.
2576        if (size < 1)
2577        {
    CID 287533 (#1 of 1): Logically dead code (DEADCODE)dead_error_line: Execution cannot reach this statement: goto LABEL_ERROR;.
2578                goto LABEL_ERROR;
2579        }
2021-02-24 00:35:17 +05:00
Ilya Shipitsin
2715d80e18 fix potential null pointer dereference found by Coverity
CID 355460 (#1 of 1): Dereference before null check (REVERSE_INULL)check_after_deref: Null-checking p suggests that it may be null, but it has already been dereferenced on all paths leading to the check.
737                if (p == NULL)
738                {
739                        return false;
740                }
2021-02-24 00:26:44 +05:00
Ilya Shipitsin
a08857150b cleanup redundant check found by Coverity
CID 287561 (#1 of 1): Array compared against 0 (NO_EFFECT)array_null: Comparing an array to null is not useful: src == NULL, since the test will always evaluate as true.
    Was src formerly declared as a pointer?
3748        if (cedar == NULL || src == NULL || dst == NULL)
3749        {
3750                return false;
3751        }
2021-02-24 00:04:52 +05:00
Ilya Shipitsin
e5cfa347da
Merge pull request #1274 from davidebeatrici/src-bin-hamcore-cleanup
hamcore: Remove files that are not referenced in the code
2021-02-22 13:36:56 +05:00
Ilya Shipitsin
a6239a4ae3
Merge pull request #1238 from metalefty/translate-LH_AUTH_NG
Japanese: translate LH_AUTH_NG again
2021-02-22 12:06:26 +05:00
Davide Beatrici
8e2616ef7d hamcore: Remove files that are not referenced in the code 2021-02-22 00:44:35 +01:00
Davide Beatrici
ea2c8f9861
Merge PR #1273: fix null pointer dereference found by ErrorSanitizer 2021-02-21 14:10:08 +01:00
Ilya Shipitsin
e5e86abc0e fix null pointer dereference found by ErrorSanitizer
(gdb) bt
0  0x00007f43857a5e14 in __GI___pthread_mutex_init (mutex=0x0, mutexattr=0x0) at pthread_mutex_init.c:89
1  0x00007f4385eaaf1b in UnixNewLock () at SoftEtherVPN/src/Mayaqua/Unix.c:1845
2  0x00007f4385e92331 in NewLockMain () at SoftEtherVPN/src/Mayaqua/Object.c:89
3  0x00007f4385e92359 in NewLock () at SoftEtherVPN/src/Mayaqua/Object.c:101
4  0x00007f4385e92765 in NewCounter () at SoftEtherVPN/src/Mayaqua/Object.c:171
5  0x00007f4385e92e76 in NewRef () at SoftEtherVPN/src/Mayaqua/Object.c:339
6  0x00007f4385e76939 in NewSkEx (no_compact=0) at SoftEtherVPN/src/Mayaqua/Memory.c:863
7  0x00007f4385e68c95 in NormalizePathW (
    dst=0x7ffe65932940 L"\xd6ff2ffb\xfbf14ce5\xad8669ca\x41998a9c\x5107d62d\x8d2ab3f2\x37ceaad2\xffc947ec\xad8ed8d8\x33e9f2f7\xc05723a9\x843263e3\x5516beb3\x12571e2a\xd81405f3\xf92194fe\xd807aa98\x12835b01\x243185be\x550c7dc3\xfd74170d\x12835b01\x553185be\x550c7dc3\x72be5d74\x80deb1fe\x9bdc06a7\xc19bf1f4\x72be5d74\x80deb1fe\x9bdc06a7\xc19bf174\x894d4018\xc54302b8\x145dc92\x143b3917\x62aa4fb8\x915764b1\xd5e11bef\x9d5fbc5\xb956c25b\x59f111f1\x923f82a4\xab1c5ed5\x3956c25b\x59f111f1\x923f82a4\xab1c5ed5\xbaeb40", size=2048, src=<optimized out>)
    at SoftEtherVPN/src/Mayaqua/FileIO.c:1960
8  0x00007f4385e69188 in ConbinePathW (
    dst=0x7ffe65932940 L"\xd6ff2ffb\xfbf14ce5\xad8669ca\x41998a9c\x5107d62d\x8d2ab3f2\x37ceaad2\xffc947ec\xad8ed8d8\x33e9f2f7\xc05723a9\x843263e3\x5516beb3\x12571e2a\xd81405f3\xf92194fe\xd807aa98\x12835b01\x243185be\x550c7dc3\xfd74170d\x12835b01\x553185be\x550c7dc3\x72be5d74\x80deb1fe\x9bdc06a7\xc19bf1f4\x72be5d74\x80deb1fe\x9bdc06a7\xc19bf174\x894d4018\xc54302b8\x145dc92\x143b3917\x62aa4fb8\x915764b1\xd5e11bef\x9d5fbc5\xb956c25b\x59f111f1\x923f82a4\xab1c5ed5\x3956c25b\x59f111f1\x923f82a4\xab1c5ed5\xbaeb40", size=2048,
    dirname=0xbace10 L"/root/.local/bin", filename=0x7ffe65932100 L"SoftEtherVPN/build/vpntest") at SoftEtherVPN/src/Mayaqua/FileIO.c:1686
9  0x00007f4385e6af48 in UnixGetExeNameW (name=0x7f4385ede820 <exe_file_name_w> L"/tmp/a.out", size=2048, arg=0xbb5050 L"./vpntest") at SoftEtherVPN/src/Mayaqua/FileIO.c:1401
10 0x00007f4385e6b04b in InitGetExeName (arg=<optimized out>) at SoftEtherVPN/src/Mayaqua/FileIO.c:1367
11 0x00007f4385e7470a in InitMayaqua (memcheck=memcheck@entry=0, debug=debug@entry=1, argc=argc@entry=3, argv=argv@entry=0x7ffe659340e8)
    at SoftEtherVPN/src/Mayaqua/Mayaqua.c:456
12 0x0000000000401282 in main (argc=3, argv=0x7ffe659340e8) at SoftEtherVPN/src/vpntest/vpntest.c:259
2021-02-21 16:13:36 +05:00
Ilya Shipitsin
992410c3d4
Merge pull request #1257 from chipitsine/master
add basic OpenSUSE workflow
2021-02-21 09:29:56 +05:00
Davide Beatrici
cd889f78dc
Merge PR #1272: Azure Pipelines: Use "python3" instead of "python" on macOS, restore inline if statement in version.py 2021-02-20 17:53:20 +01:00
Davide Beatrici
cabcba1ef9 Revert "version.py: Fix CI failure on macOS by avoiding inline if statement"
This reverts commit 63b841efc0.
2021-02-20 17:27:02 +01:00
Davide Beatrici
2969237e04 Azure Pipelines: Use "python3" instead of "python" on macOS
63b841efc0 was not the solution, the error is the print statement itself.

Python 2 is probably used by default and thus "python" is an alias to it.
2021-02-20 17:23:53 +01:00
Davide Beatrici
78f06569b3
Merge PR #1270: Update strtable_en.stb 2021-02-20 17:15:40 +01:00
Davide Beatrici
1fa6c14e4e
Merge PR #1271: version.py: Fix CI failure on macOS by avoiding inline if statement 2021-02-20 17:11:32 +01:00
Ilya Shipitsin
586c27d43b
Merge pull request #1269 from chipitsine/openssl_version_agnostic
use SSL_SECOP_VERSION macro instead of OPENSSL_VERSION
2021-02-20 20:56:26 +05:00
Davide Beatrici
63b841efc0 version.py: Fix CI failure on macOS by avoiding inline if statement
File "version.py", line 25
    print(version, end = end)
                       ^
SyntaxError: invalid syntax
2021-02-20 16:55:43 +01:00
Davide Beatrici
2981a44de3
Merge PR #1267: Improve versioning by setting the version in a single place and automatically increasing the build number 2021-02-20 16:44:21 +01:00
djony
2db9f15ea7
Update strtable_en.stb
"2050 LA_DEL_CRL" - this entry appear in logfile when you delete cert from Certificate Revocation List. Thats why need to change it. 
"2051 LA_SET_CRL" - this entry must appear in logfile when you edit cert in Certificate Revocation List, but it doesn't happen (perhaps it's a bug)
2021-02-20 17:56:33 +03:00
Ilya Shipitsin
ebd1d281dd use SSL_SECOP_VERSION macro instead of OPENSSL_VERSION
OPENSSL_VERSION is fragile in LibreSSL, BoringSSL.
security level manipulation is openssl specific defined in
b362ccab5c
2021-02-20 17:48:26 +05:00
Davide Beatrici
9620dcbcd0 Azure Pipelines: Retrieve build number from server, pass it to CMake
The script on our server bumps the build number for every new version + commit combination.
Each combination is associated to a unique build number and vice versa.
There's a separate counter for each version.

The reason why we cannot just use "git describe --tags --dirty" is because it relies on the last tag's name and generates a string like "5.01.9674-212-g54280853".
What we want, instead, is the last part of the version to be increased for every build.
Then, once we consider the branch stable enough, we create a tag like "5.01" and bump the version immediately after the new release.

Please note that for pull requests the build number will always be 0, because the secret token is only available in the Nightly pipeline.
2021-02-19 21:22:48 +01:00
Davide Beatrici
943ddadd3d Move Azure Pipelines configurations into dedicated directory 2021-02-19 21:17:05 +01:00
Davide Beatrici
272ec5a8ef Add BUILD_NUMBER option to CMake and version.py script
The BUILD_NUMBER option controls the last part of the version, allowing us to increase it for each build.

This commit also adds version.py, which simply prints the version (e.g. "5.01") specified in CMakeLists.txt.

The script will be used to determine the build number.
2021-02-19 21:17:05 +01:00
Davide Beatrici
d53f80bfa6 Remove BuildUtil and all MSBuild projects, except the ones not in CMake yet
Since 35200a29ea we build complete installers using CMake, meaning that there's no need for BuildUtil anymore.

MSBuild projects that are not migrated to CMake yet are kept for reference.

This commit also updates BUILD_WINDOWS.md so that it mentions Visual Studio 2019 instead of 2017.
2021-02-19 21:17:01 +01:00