1
0
mirror of https://github.com/SoftEtherVPN/SoftEtherVPN.git synced 2024-11-30 05:19:53 +03:00
Commit Graph

84 Commits

Author SHA1 Message Date
Yihong Wu
ca996ed89a
Merge pull request #1522 from domosekai/tls
Implement complete server certificate verification
2022-05-12 23:38:38 +08:00
Yihong Wu
d86cf181bf Fix UDP bulk v2 and protocol display 2022-03-20 16:48:15 +08:00
Yihong Wu
0a4455ac40 Add more TLS negotiation info in logging and UI 2021-12-29 17:41:29 +08:00
Yihong Wu
f94ac6351e Implement complete server certificate verification 2021-12-29 17:41:29 +08:00
Yihong Wu
68dc4e23d8 Improve NAT-T hint string handling 2021-12-26 12:11:51 +08:00
Yihong Wu
02ee7b45d7 Save the correct server IP for route management 2021-12-10 16:53:28 +08:00
Tetsuo Sugiyama
c9508b7fb7
Password change from client increments config file revision
Fixed an issue where changing the password from the client did not increment the revision of the server config file and the changes were not saved
2021-09-21 18:28:17 +09:00
Yihong Wu
82af38c482 Cedar/Protocol.c: Fix connection to server clusters 2021-09-18 08:06:10 +00:00
domosekai
bcba88ca73 Cedar/Protocol.c: Use real server IP in creating node info under direct mode 2021-07-05 12:17:57 +00:00
Davide Beatrici
4221579e95 Remove obsolete hardcoded build number checks
The open-source project began with version 1.00, build 9022.

With the exception of an informative message fallback for builds older than 9428 (2014), all checks were for closed-source builds.
2021-06-27 07:21:06 +02:00
Davide Beatrici
81c71d309a Read hamcore.se2 using libhamcore, set arbitrary path through HAMCORE_FILE_PATH 2021-05-26 07:44:45 +02:00
Davide Beatrici
0472f9c286 Rewrite DNS API from scratch into dedicated file(s)
From a functional point of view, the main improvement is that GetIP() now always prioritizes IPv6 over IPv4.
The previous implementation always returned an IPv4 address, unless not available: in such case it failed.
This means that now connections to hostnames should be established via IPv6 if available.

From a programmer point of view, getting rid of the insane wrappers is enough to justify a complete rewrite.

As an extra, several unrelated unused global variables are removed.
2021-04-18 01:46:59 +02:00
Davide Beatrici
d4d15b66d3 Cedar: Make use of IP address reported by NAT-T server for UDP acceleration
Before this commit, the IP address reported by the NAT-T server was immediately discarded.
That's because the peer should be accessible via the IP address used to establish the TCP connection.

User "domosekai" (https://www.domosekai.com) pointed out that the NAT-T IP address should be taken into account.
In his case it's required due to his broadband carrier's NAT causing TCP and UDP to have different external IPs.

Co-authored-by: domosekai <54519668+domosekai@users.noreply.github.com>
2021-04-14 19:49:30 +02:00
Davide Beatrici
1708998a11 Change IP structure so that IPv4 addresses are stored in RFC3493 format
In addition to saving 4 bytes for each instantiation, this change makes IP-related operations faster and clearer.

https://tools.ietf.org/html/rfc3493.html#section-3.7
2021-04-07 21:24:55 +02:00
Davide Beatrici
a6ba9b8788 Include headers properly 2021-04-05 04:48:25 +02:00
Davide Beatrici
dd1eebdbed Cedar: Implement support for WireGuard
Please note that the implementation is not 100% conformant to the protocol whitepaper (https://www.wireguard.com/papers/wireguard.pdf).
More specifically: all peers are expected to send a handshake initiation once the current keypair is about to expire or is expired.
I decided not to do that because our implementation is meant to act as a server only. A true WireGuard peer acts, instead, as both a client and a server.
Once the keypair is expired, we immediately delete the session.

The cookie mechanism can be implemented in future.

As for authentication: unfortunately using the already existing methods is not possible due to the protocol not providing a way to send strings to a peer.
That's because WireGuard doesn't have a concept of "users": it identifies a peer through the public key, which is determined using the source address.
As a solution, this commit adds a special authentication method: once we receive the handshake initiation message and decrypt the peer's public key, we check whether it's in the allowed key list.
If it is, we retrieve the associated Virtual Hub and user; if the hub exists and the user is in it, the authentication is successful.

The allowed key list is stored in the configuration file like this:

declare WireGuardKeyList
{
	declare 96oA7iMvjn7oXiG3ghBDPaSUytT75uXceLV+Fx3XMlM=
	{
		string Hub DEFAULT
		string User user
	}
}
2021-03-01 02:49:59 +01:00
mcallist
ff3910eb86 Openssl engine certificate authentication
TODO cert get, call finish engine, call init engine in another step, handle authentication, internatiolazion (help is needed)
2020-10-09 02:56:51 +02:00
Davide Beatrici
b853140626 Cedar: use Proto API for protocol options 2020-07-28 00:57:36 +02:00
Davide Beatrici
869496be3e Cedar: handle SSTP through Proto 2020-07-17 02:00:30 +02:00
Davide Beatrici
235bd07e67 Cedar: remove "NicDownOnDisconnect" option
SoftEther VPN originally created the NIC in the UP state and never changed it, even when the the client was not connected.

The behavior was changed in 59e1483dbf, which also added the NicDownOnDisconnect option

The option was disabled by default for backwards compatibility with scripts that don't check whether the NIC is down, but it's not ideal.

This commit forces the correct behavior and removes the commands "TUNDownOnDisconnectEnable", "TUNDownOnDisconnectDisable" and "TUNDownOnDisconnectGet".
2020-06-27 22:47:04 +02:00
Ben RUBSON
3f16a7e704
Log client IP in failed accesses
to be able to feed tools such as Fail2Ban
2020-05-11 23:09:26 +02:00
Georgy Komarov
1416a693e7
protocol: fix uninitialized variable
Value of server_cert is undefined if `b = PackGetBuf(p, "Cert");` was
failed.
2020-03-27 07:25:45 +03:00
Koichiro IWAO
b1aae5080d
put chain_certs in dbdir 2019-12-04 23:59:13 +09:00
dnobori
1d2a58b172 Cedar: handle UDP acceleration and R-UDP versions 2019-11-23 04:38:27 +01:00
dnobori
82a81a3ce6 Cedar: serve new web management interface 2019-11-23 04:23:56 +01:00
dnobori
9aaa9a7f15 Cedar: implement detailed protocol info 2019-11-23 04:23:56 +01:00
Davide Beatrici
63caa4b07f Protocol.c: adapt ClientConnectGetSocket() for new proxy functions
The function has been greatly improved, here are some of the changes:

- The required SESSION (c->Session) parameter is checked correctly: the function returns immediately in case it's NULL. Previously, the function didn't return in case the parameter was NULL; multiple checks were in place, but not in all instances where the parameter was dereferenced.
- The resolved IP address is cached with all proxy types.
- The "RestoreServerNameAndPort" variable is documented.
- The Debug() messages have been improved.
2019-10-30 01:39:11 +01:00
Davide Beatrici
59dc26aa21 Protocol: add ProxyCodeToCedar()
This new function translates a proxy error code to a Cedar error code.
2019-10-30 01:39:11 +01:00
Davide Beatrici
b8f58a2f94 Move generic proxy stuff from Cedar to Mayaqua
This commit moves the generic (not related to our protocol) proxy stuff from Cedar to Mayaqua, in dedicated files.

The functions are refactored so that they all have the same arguments and follow the same logic.

Dedicated error codes are added, in order to indicate clearly why the function(s) failed.
2019-10-30 01:39:04 +01:00
Davide Beatrici
12cc242529 Protocol.c: fix bug in ClientConnectGetSocket() causing custom HTTP header not to work
The bug was caused by a typo in the StrCpy() call: the source buffer was the same as the destination one, meaning that the function didn't do anything.
2019-10-21 20:26:56 +02:00
Davide Beatrici
c3d6ffc533 Move GetMimeTypeFromFileName() and related structure to Mayaqua
The structure (containing all mimetypes) occupies almost 700 lines, which are a lot.

This is just the beginning of the refactor plan.
2019-10-20 04:15:12 +02:00
Daiyuu Nobori
f0357d4000 - Fixed the problem occurs when RPC messages between Cluster Members exceed 64Kbytes.
- Fixed the RADIUS PEAP client to use the standard TLS versioning.
- Implementation of a function to fix the MAC address of L3 VPN protocol by entering e.g. "MAC: 112233445566" in the "Notes" field of the user information.
- Implementation of a function to fix the virtual MAC address to be assigned to the L3 VPN client as a string attribute from RADIUS server when authentication.
2019-10-19 17:34:12 +09:00
Davide Beatrici
7d58e6bf60 Add interface for easy protocol implementation
This commit adds a protocol interface to the server, its purpose is to manage TCP connections and the various third-party protocols.

More specifically, ProtoHandleConnection() takes care of exchanging the packets between the local and remote endpoint; the protocol implementation only has to parse them and act accordingly.

The interface knows which protocol is the connection for by calling IsPacketForMe(), a function implemented for each protocol.
2019-07-26 08:36:54 +02:00
Daiyuu Nobori
98b08c2ad1 Implementation of the JSON-RPC API and the Web Admin interface. (dnobori's internal note: 7579 - 7682) 2019-05-28 12:51:51 +09:00
Daiyuu Nobori
63c01ba736
Merge pull request #832 from dnobori/181202_switch_to_apache_license
Switching license from GPLv2 to Apache License 2.0.
2019-01-21 09:36:19 +09:00
Daiyuu Nobori
881f34ac56 Compacting headers, updating trivial texts to fit to the license change from GPLv2 to Apache License 2.0. 2019-01-14 12:25:53 +09:00
Ilya Shipitsin
162a181b04 src/Cedar/Protocol: remove unused function
found by cppcheck

[src/Cedar/Protocol.c:6643]: (style) The function 'ProxyConnectEx' is never used.
2019-01-06 23:22:08 +05:00
Davide Beatrici
ef77e95f87 Cedar/IPC.c: fix memory leak occurring when both the username and common name are not present (OpenVPN) 2018-12-21 21:24:22 +01:00
Davide Beatrici
aefbd2e903 Add custom HTTP header feature for HTTP proxy
A custom HTTP header can be used to bypass certain restrictions imposed on the network or to avoid speed limitations applied by the QoS.
2018-11-29 20:32:21 +01:00
Ilya Shipitsin
304893c139 src/Cedar/Protocol, src/Cedar/Session: cleanup, remove unused functions, variables,
resolve possible null pointer dereference

found by cppcheck

[src/Cedar/Protocol.c:3138] -> [src/Cedar/Protocol.c:3071]: (warning) Either the condition 's!=NULL' is redundant or there is possible null pointer dereference: s.
[src/Cedar/Protocol.c:916]: (style) Variable 'save' is assigned a value that is never used.
[src/Cedar/Protocol.c:6242]: (style) Variable 'size' is assigned a value that is never used.
[src/Cedar/Protocol.c:778]: (style) Variable 'old_disable' is assigned a value that is never used.
[src/Cedar/Protocol.c:1021]: (style) Variable 'save' is assigned a value that is never used.
[src/Cedar/Protocol.c:3708]: (style) Variable 'is_vgc' is assigned a value that is never used.
[src/Cedar/Protocol.c:5785]: (style) Variable 's' is assigned a value that is never used.
[src/Cedar/Protocol.c:6164]: (style) The function 'SocksConnectEx' is never used.
[src/Cedar/Protocol.c:907]: (style) The function 'CompareNodeInfo' is never used.
[src/Cedar/Protocol.c:6968]: (style) The function 'ProxyConnect' is never used.
[src/Cedar/Protocol.c:3986]: (style) The function 'SecureDelete' is never used.
[src/Cedar/Protocol.c:4042]: (style) The function 'SecureEnum' is never used.
[src/Cedar/Protocol.c:4127]: (style) The function 'SecureWrite' is never used.
[src/Cedar/Protocol.c:6463]: (style) The function 'SocksConnect' is never used.
[src/Cedar/Protocol.c:7185]: (style) The function 'TcpConnectEx2' is never used.
[src/Cedar/Protocol.c:7206]: (style) The function 'TcpIpConnect' is never used.
2018-11-10 14:18:18 +05:00
Davide Beatrici
53e0a2e5e2 Add support for SOCKS5 proxy protocol 2018-10-30 15:11:16 +01:00
Davide Beatrici
f061557aad Protocol.c: fix crash with OpenVPN when the certificate's common name is empty 2018-10-18 21:21:37 +02:00
Daiyuu Nobori
ee9990317b Fix bugs reported by Coverity Scan. 2018-09-28 22:39:38 +09:00
Davide Beatrici
3f5f716357 Revamp digest functions
- Hash() has been removed because it was ambiguous, Md5() and Sha0() are proper replacements.
- HMacMd5() and HMacSha1() now share a common implementation handled by the new Internal_HMac() function.
- NewMd() and MdProcess() now support plain hashing (without the key).
- NewMd(), SetMdKey() and MdProcess() now check the OpenSSL functions' return value and in case of failure a debug message is printed along with the error string, if available.
- SetMdKey()'s return value has been changed from void to bool, so that it's possible to know whether the function succeeded or not.
- MdProcess()' return value has been changed from void to UINT (unsigned int) and the function now returns the number of bytes written by HMAC_Final() or EVP_DigestFinal_ex().
2018-09-22 06:36:09 +02:00
Davide Beatrici
c21f427fc6 Divide version in multiple macros and set default values 2018-08-27 05:44:32 +02:00
Ilya Shipitsin
99cdd9fe92 src/Cedar/Protocol: remove dead code, silence coverity 2018-08-21 11:55:37 +05:00
Davide Beatrici
daed1ad8b3
Merge PR #594: Remove SSLv3 support 2018-08-18 07:38:05 +02:00
Ilya Shipitsin
981e8d0e77 src/Cedar/Protocol.c: remove logically dead code
found by coverity
2018-08-12 16:15:53 +05:00
Davide Beatrici
eb03d1c54b Protocol: remove RC4 related stuff 2018-08-12 04:07:39 +02:00
Davide Beatrici
02db806181 Remove SSLv3 support 2018-08-09 00:25:40 +02:00