OpenVPN sends the cipher name in uppercase, even if it's not standard, thus we have to convert it to lowercase for EVP_get_cipherbyname().
We also have to send the cipher name as it was received from the OpenVPN client, unless it's a different cipher, to prevent a message such as:
"WARNING: 'cipher' is used inconsistently, local='cipher AES-128-GCM', remote='cipher aes-128-gcm'"
It happens because OpenVPN uses "strcmp()" to compare the local and remote parameters: a6fd48ba36/src/openvpn/options.c (L3819-L3831)
See https://github.com/openssl/openssl/issues/6921 for EVP_get_cipherbyname().
/builds/SoftEther/SoftEtherVPN/src/Cedar/Console.c: In function 'PasswordPrompt':
/builds/SoftEther/SoftEtherVPN/src/Cedar/Console.c:2051:8: warning: implicit declaration of function 'getch'; did you mean 'getc'? [-Wimplicit-function-declaration]
c = getch();
^~~~~
getc
In file included from /builds/SoftEther/SoftEtherVPN/src/Cedar/Bridge.c:130:0:
/builds/SoftEther/SoftEtherVPN/src/Cedar/BridgeUnix.c: In function 'CloseEth':
/builds/SoftEther/SoftEtherVPN/src/Cedar/BridgeUnix.c:1568:3: warning: implicit declaration of function 'FreeTap'; did you mean 'FreeCaps'? [-Wimplicit-function-declaration]
FreeTap(e->Tap);
^~~~~~~
FreeCaps
[src/Cedar/WinUi.c:7240]: (style) The function 'CbInsertStr' is never used.
[src/Cedar/WinUi.c:9271]: (style) The function 'CheckTextLen' is never used.
[src/Cedar/WinUi.c:9252]: (style) The function 'CheckTextSize' is never used.
[src/Cedar/WinUi.c:8936]: (style) The function 'DialogCreateEx' is never used.
[src/Cedar/WinUi.c:2155]: (style) The function 'EndFreeInfoDlg' is never used.
[src/Cedar/WinUi.c:2171]: (style) The function 'ExecuteHamcoreExe' is never used.
[src/Cedar/WinUi.c:9885]: (style) The function 'FormatTextA' is never used.
[src/Cedar/WinUi.c:9323]: (style) The function 'GetFontSize' is never used.
[src/Cedar/WinUi.c:9841]: (style) The function 'GetMonitorSize' is never used.
[src/Cedar/WinUi.c:9759]: (style) The function 'GetWindowClientRect' is never used.
[src/Cedar/WinUi.c:1134]: (style) The function 'GetWizardPageIndex' is never used.
[src/Cedar/WinUi.c:3964]: (style) The function 'IpClear' is never used.
[src/Cedar/WinUi.c:6851]: (style) The function 'LbAddStr' is never used.
[src/Cedar/WinUi.c:6824]: (style) The function 'LbFindStr' is never used.
[src/Cedar/WinUi.c:7064]: (style) The function 'LbGetSelect' is never used.
[src/Cedar/WinUi.c:6812]: (style) The function 'LbGetStr' is never used.
[src/Cedar/WinUi.c:6900]: (style) The function 'LbInsertStr' is never used.
[src/Cedar/WinUi.c:7012]: (style) The function 'LbSetHeight' is never used.
[src/Cedar/WinUi.c:3652]: (style) The function 'LedDrawRect' is never used.
[src/Cedar/WinUi.c:6000]: (style) The function 'LvGetMaskedNum' is never used.
[src/Cedar/WinUi.c:6037]: (style) The function 'LvSearchStr_' is never used.
[src/Cedar/WinUi.c:5703]: (style) The function 'LvSetItemImage' is never used.
[src/Cedar/WinUi.c:5831]: (style) The function 'LvShow' is never used.
[src/Cedar/WinUi.c:10155]: (style) The function 'NoTop' is never used.
[src/Cedar/WinUi.c:10047]: (style) The function 'NoticeSettingChange' is never used.
[src/Cedar/WinUi.c:7854]: (style) The function 'PkcsUtil' is never used.
[src/Cedar/WinUi.c:8968]: (style) The function 'SetBitmap' is never used.
[src/Cedar/WinUi.c:4539]: (style) The function 'SetMenuItemEnable' is never used.
[src/Cedar/WinUi.c:9918]: (style) The function 'SetTextEx' is never used.
[src/Cedar/WinUi.c:9940]: (style) The function 'SetTextExA' is never used.
[src/Cedar/WinUi.c:11272]: (style) The function 'SetWinUiTitle' is never used.
[src/Cedar/WinUi.c:2132]: (style) The function 'StartFreeInfoDlg' is never used.
[src/Cedar/WinUi.c:3920]: (style) The function 'UiTest' is never used.
[src/Cedar/WinUi.c:1558]: (style) The function 'WinConnectEx2' is never used.
[src/Cedar/WinUi.c:10803]: (style) The function 'WinUiDebug' is never used.
[src/Cedar/WinUi.c:6908]: (style) The function 'CbInsertStr9xA' is never used.
[src/Cedar/WinUi.c:2096]: (style) The function 'FreeInfoThread' is never used.
[src/Cedar/WinUi.c:9644]: (style) The function 'GetTextSize' is never used.
[src/Cedar/WinUi.c:2833]: (style) The function 'GetWindowAndControlSizeResizeScale' is never used.
[src/Cedar/WinUi.c:2001]: (style) The function 'IsRegistedToDontShowFreeEditionDialog' is never used.
[src/Cedar/WinUi.c:6606]: (style) The function 'LbAddStrA' is never used.
[src/Cedar/WinUi.c:6739]: (style) The function 'LbGetSelectIndex' is never used.
[src/Cedar/WinUi.c:6627]: (style) The function 'LbInsertStrA' is never used.
[src/Cedar/WinUi.c:7593]: (style) The function 'PkcsUtilProc' is never used.
[src/Cedar/WinUi.c:6598]: (style) The function 'LbSelect' is never used.
[src/Cedar/WinUi.c:7421]: (style) The function 'PkcsUtilErase' is never used.
[src/Cedar/WinUi.c:7349]: (style) The function 'PkcsUtilWrite' is never used.
[src/Cedar/WinUi.c:2059]: (style) The function 'ShowFreeInfoDialog' is never used.
[src/Cedar/WinUi.c:2013]: (style) The function 'FreeInfoDialogProc' is never used.
[src/Cedar/WinUi.c:6558]: (style) The function 'LbFindData' is never used.
[src/Cedar/WinUi.c:6534]: (style) The function 'LbSelectIndex' is never used.
[src/Cedar/WinUi.c:6488]: (style) The function 'LbGetData' is never used.
[src/Cedar/WinUi.c:6464]: (style) The function 'LbNum' is never used.
[src/Cedar/WinUi.c:2001]: (style) The function 'RegistToDontShowFreeEditionDialog' is never used.
With server certificate validation enabled, vpnclient unconditionally
stopped connection on untrusted server certificate. Added account
configuration parameter to retry connection if server certivicate failed
validation.
On startup client creates TUN interface in UP state and kept it UP even
if connection to the server was lost. Creating interface in DOWN state,
turning it UP on successful (re-)connection to server and DOWN on either
disconnect or connection loss would enable DHCP client (say dhclient5)
to detect necessity for lease renewal.
Added a client configuration parameter to create TUN interface in DOWN
state and commands to enable, disable, and query the configuration
parameter.
Enabling the parameter causes client to put all unused TUN interfaces
DOWN, create new TUN interfaces in DOWN state, and turn TUN interfaces
corresponding to active sessions DOWN on connection loss or
disconnecting from server.
Disabling the parameter forces client to turn all TUN interfaces UP and
create new TUN interfaces in UP state.
Default value is 'Disable'.
* use OPENSSL_ROOT_DIR
* add special .configure handling for osx
* move readline, curses to cedar
Signed-off-by: Andy Walsh <andy.walsh44+github@gmail.com>
Hubname has to be set after copy or it will be an empty string. To get the real hubname (correct casing) we use it directly from the hub instead of the given parameter
This allows a DHCP server to use the client ID as unique identifier, in order to correctly assign a static lease.
Previously this wasn't possible, as the client identifier was set to its MAC address, which is randomly generated.
OpenVPN sends the default gateway's MAC address, if the option --push-peer-info is enabled.
It also sends the client's environment variables whose names start with "UV_".
This commit adds some lines of code in OvsBeginIPCAsyncConnectionIfEmpty(), in order to set the hostname to "UV_HOSTNAME"'s value, which is defined by the user on their device.
In case "UV_HOSTNAME" is not available, "IV_HWADDR"'s value (the default gateway's MAC address) is used instead.
OvsParseOptions() has been adapted into a new function called OvsParsePeerInfo(), in order to parse the peer info string.
* Improvements on the behavior of the reinstall command of Windows Virtual Network Adapters.
When reinstalling the device driver of the Virtual Network Driver card, we changed the behavior as to cleanup the older driver before installing the newer driver.
* Improvement of the senetence. Add the same sentence to the Taiwan language file.
* Delete the old MsUpgradeVLanWithoutLock_old() function.
[src/Cedar/Connection.c:1090] -> [src/Cedar/Connection.c:1086]:
(warning) Either the condition 's!=NULL' is redundant or there is possible null pointer dereference: s.
macros IS_SEND_TCP_SOCK expands into "s" dereferencing, so check for NULL should go before that macros
[src/Cedar/Protocol.c:2951] -> [src/Cedar/Protocol.c:2892]:
(warning) Either the condition 'policy!=NULL' is redundant or there is possible null pointer dereference: policy.
[src/Cedar/Protocol.c:2951] -> [src/Cedar/Protocol.c:2901]:
(warning) Either the condition 'policy!=NULL' is redundant or there is possible null pointer dereference: policy.
[src/Cedar/Protocol.c:3151] -> [src/Cedar/Protocol.c:3082]:
(warning) Either the condition 'policy!=NULL' is redundant or there is possible null pointer dereference: policy.
[src/Cedar/Protocol.c:3151] -> [src/Cedar/Protocol.c:3083]:
(warning) Either the condition 'policy!=NULL' is redundant or there is possible null pointer dereference: policy.
as we already have a check
if (policy == NULL)
{
// Use the default policy
policy = ClonePolicy(GetDefaultPolicy());
}
no need to compare policy with NULL anymore
* Peer info optional in OvsParseKeyMethod2()
Some OpenVPN clients (MikroTik router for example) do not send the peer info along with the key exchange. This patch makes the peer info string optional on the SoftEtherVPN side.
* Fixed indentation
Added Linux NT Authentication functionality to SoftEther through samba ntlm_auth.
Pre requirements
+ samba-winbind -> Domain Member
+ winbind-seperator \ -> used for group check in ntlm_auth
username from client: fqdn domain\username
username in SoftEther: username
timeout: from security policy
optional: set groupname in servermanager
When installing a new device driver of the Virtual Network Driver card, we changed the initial random MAC address from 00-AC-xx-xx-xx-xx to 5E-xx-xx-xx-xx-xx. This realizes the compliance with the local address bit of the MAC address rule.
[src/Cedar/Admin.c:13452] -> [src/Cedar/Admin.c:13492]: (warning) Either the condition 'cedar!=NULL' is redundant or there is possible null pointer dereference: cedar.
[src/Cedar/SM.c:18455] -> [src/Cedar/SM.c:18379]: (warning) Either the condition 'p!=NULL' is redundant or there is possible null pointer dereference: p.
[src/Cedar/SM.c:18455] -> [src/Cedar/SM.c:18491]: (warning) Either the condition 'p!=NULL' is redundant or there is possible null pointer dereference: p.
[src/Cedar/SM.c:18455] -> [src/Cedar/SM.c:18506]: (warning) Either the condition 'p!=NULL' is redundant or there is possible null pointer dereference: p.
[src/Cedar/Protocol.c:5190] -> [src/Cedar/Protocol.c:5115]: (warning) Either the condition 's!=NULL' is redundant or there is possible null pointer dereference: s.
[src/Cedar/Protocol.c:5190] -> [src/Cedar/Protocol.c:5145]: (warning) Either the condition 's!=NULL' is redundant or there is possible null pointer dereference: s.
[src/Cedar/Hub.c:5517] -> [src/Cedar/Hub.c:5553]: (warning) Either the condition 'dest!=NULL' is redundant or there is possible null pointer dereference: dest.
[src/Cedar/Hub.c:5517] -> [src/Cedar/Hub.c:5556]: (warning) Either the condition 'dest!=NULL' is redundant or there is possible null pointer dereference: dest.
[src/Cedar/Account.c:854]: (style) The function 'AddGroupTraffic' is never used.
[src/Mayaqua/Secure.c:1455]: (style) The function 'AddSecObjToEnumCache' is never used.
[src/Mayaqua/Network.c:18445]: (style) The function 'AddSockList' is never used.
[src/Cedar/Account.c:870]: (style) The function 'AddUserTraffic' is never used.
[src/Cedar/Server.c:1045]: (style) The function 'AdjoinEnumLogFile' is never used.
[src/Cedar/Admin.c:13780]: (style) The function 'AdminConnect' is never used.
[src/Mayaqua/Encrypt.c:855]: (style) The function 'BigNumToStr' is never used.
[src/Mayaqua/Str.c:2113]: (style) The function 'Bit128ToStr' is never used.
[src/Mayaqua/Encrypt.c:898]: (style) The function 'BufToBigNum' is never used.
[src/Mayaqua/Internat.c:1874]: (style) The function 'CalcStrToUtf8' is never used.
[src/Cedar/Hub.c:6689]: (style) The function 'CalcTrafficDiff' is never used.
[src/Mayaqua/Internat.c:1819]: (style) The function 'CalcUtf8ToStr' is never used.
[src/Mayaqua/Network.c:6495]: (style) The function 'CanGetTcpProcessId' is never used.
[src/Cedar/WinUi.c:7226]: (style) The function 'CbInsertStrA' is never used.
[src/Cedar/Client.c:3035]: (style) The function 'CcEnumObjectInSecure' is never used.
[src/Cedar/Client.c:2826]: (style) The function 'CcGetCommonProxySetting' is never used.
[src/Cedar/Client.c:2857]: (style) The function 'CcSetCommonProxySetting' is never used.
[src/Cedar/Cedar.c:575]: (style) The function 'CedarLog' is never used.
[src/Cedar/WinUi.c:9841]: (style) The function 'Center2' is never used.
[src/Mayaqua/Encrypt.c:814]: (style) The function 'CertTest' is never used.
[src/Mayaqua/Encrypt.c:809]: (style) The function 'CertTest2' is never used.
[src/Mayaqua/Encrypt.c:819]: (style) The function 'CertTest_' is never used.
[src/Mayaqua/Cfg.c:1705]: (style) The function 'CfgIsFolder' is never used.
* Allow specifying cipher suites instead of single ciphers.
CipherName now specifies all cipher suites instead of the
preferred cipher. This allows insecure ciphers like RC4 to
be permanently disabled, instead of being the default fallback
when the preferred cipher is unsupported.
CipherName is now left for OpenSSL to verify. Should it be
invalid, a secure default is used. The default CipherName setting
for new servers is one such invalid string: "~DEFAULT~". This
allows for future updates to change the default and the servers
can stay secure.
* Remove unused temporary variable.
Buffer overread in ParseL2TPPacket()
Memory corruption in IcmpParseResult
Missing bounds check in ParseUDP() can lead to invalid memory access
Out-of-bounds read in IPsec_PPP.c (unterminated string buffer)
Overlapping parameters to memcpy() via StrToIp6()
PACK ReadValue() crash vulnerability
Potential use of uninitialized memory via IPToInAddr6()
4 memory leaks. While the amount of leakage is very small per time, these bugs can finally cause process crash by out of memory. So these bugs must be fixed.
Memory leak in NnReadDnsRecord
Memory leak in RadiusLogin()
Memory leak via ParsePacketIPv4WithDummyMacHeader
Remote memory leak in OpenVPN server code
1 coding improvement. This is not a bug, however, I fixed the code to avoid furture misunderstanding.
RecvAll can return success on failure (leading to use of uninitialized memory)
Contributors for this bugfix:
- Max Planck Institute for Molecular Genetics
- Guido Vranken
Using the global client variable might lead to strange behavoir if multiple clients are allocated and to crashes in the case the client was not initialized with CtStartClient()
Suppose there is a TCP SYN or SYN-ACK packet taking options as:
02 04 05 b4 01 01 04 02 01 03 03 04
which is
Options: (12 bytes)
>Maximum segment size: 1460 bytes
>No-Operation (NOP)
>No-Operation (NOP)
>TCP SACK Permitted Option: True
>No-Operation (NOP)
>Window scale: 4 (multiply by 16)
Then the original parse function only returns MSS 1460 while WSS is 0.
[src/Cedar/Client.c:2184] -> [src/Cedar/Client.c:2187]: (warning) Either the condition 'rpc==0' is redundant or there is possible null pointer dereference: rpc.
[src/Cedar/Client.c:6032] -> [src/Cedar/Client.c:6035]: (warning) Either the condition 'ret!=0' is redundant or there is possible null pointer dereference: ret.
[src/Cedar/Connection.c:1041] -> [src/Cedar/Connection.c:1043]: (warning) Either the condition 's!=0' is redundant or there is possible null pointer dereference: s.
[src/Cedar/SM.c:875] -> [src/Cedar/SM.c:882]: (warning) Either the condition 'd==0' is redundant or there is possible null pointer dereference: d.
[src/Cedar/UdpAccel.c:119] -> [src/Cedar/UdpAccel.c:123]: (warning) Either the condition 'a==0' is redundant or there is possible null pointer dereference: a.
[src/Cedar/Virtual.c:2389] -> [src/Cedar/Virtual.c:2398]: (warning) Either the condition 'a==0' is redundant or there is possible null pointer dereference: a.
[src/Cedar/Virtual.c:4000] -> [src/Cedar/Virtual.c:4004]: (warning) Either the condition 'n==0' is redundant or there is possible null pointer dereference: n.
[src/Cedar/Virtual.c:4203] -> [src/Cedar/Virtual.c:4207]: (warning) Either the condition 'n==0' is redundant or there is possible null pointer dereference: n.
[src/Cedar/WebUI.c:1728] -> [src/Cedar/WebUI.c:1730]: (warning) Either the condition 'buf==0' is redundant or there is possible null pointer dereference: buf.
[src/Mayaqua/FileIO.c:383] -> [src/Mayaqua/FileIO.c:386]: (warning) Either the condition 'p==0' is redundant or there is possible null pointer dereference: p.
[src/Mayaqua/TcpIp.c:1837] -> [src/Mayaqua/TcpIp.c:1839]: (warning) Either the condition 'tcp!=0' is redundant or there is possible null pointer dereference: tcp.
[src/Cedar/Admin.c:11843] -> [src/Cedar/Admin.c:11845]: (warning) Either the condition 't==0' is redundant or there is possible null pointer dereference: t.
[src/Cedar/Admin.c:12316] -> [src/Cedar/Admin.c:12318]: (warning) Either the condition 'a==0' is redundant or there is possible null pointer dereference: a.
[src/Cedar/Admin.c:12576] -> [src/Cedar/Admin.c:12578]: (warning) Either the condition 't==0' is redundant or there is possible null pointer dereference: t.
[src/Cedar/Admin.c:12790] -> [src/Cedar/Admin.c:12792]: (warning) Either the condition 't==0' is redundant or there is possible null pointer dereference: t.
Due to DROWN (CVE-2016-0800), SSLv2 must be disabled by default. This is the most straight-forward way to ensure new installations are not vulnerable. The upgrade use case is not addressed by this PR, though I posted information to the forum: http://www.vpnusers.com/viewtopic.php?f=7&t=5596
This patch is made available under Contribution Option 1, to allow PacketiX to be fixed the same way.