Merge a366bdbf02 into f6c185f279

Merge pull request #1963 from hiura2023/master
Change bridge function: Make the NIC appear in the "Local Bridge Settings" list
2024-11-23 01:49:53 +03:00 · 2024-03-11 14:02:12 -07:00 · 2024-03-11 20:52:35 +01:00 · 2024-03-11 02:27:36 +09:00 · 2024-03-11 00:16:22 +09:00 · 2024-03-06 11:33:56 +09:00
10 changed files with 100 additions and 16 deletions
--- a/developer_tools/vpnserver-jsonrpc-clients/README.html
+++ b/developer_tools/vpnserver-jsonrpc-clients/README.html
@ -30,6 +30,7 @@
 <ul>
 <li>Older versions of SoftEther VPN before June 2019 don't support JSON-RPC APIs.</li>
 <li>If you want to completely disable the JSON-RPC on your VPN Server, set the <code>DisableJsonRpcWebApi</code> variable to <code>true</code> on the <code>vpn_server.config</code>.</li>
+<li>You may also restrict access to JSON-RPC API to a specific subnet, e.g. your internal network, by setting the <code>JsonRpcWebApiAllowedSubnet</code> variable to, for example, <code>192.168.0.0/16</code>.</li>
 </ul>
 <h3 id="json-rpc-specification">JSON-RPC specification</h3>
 <p>You must use HTTPS 1.1 <code>POST</code> method to call each of JSON-RPC APIs.<br />
--- a/developer_tools/vpnserver-jsonrpc-clients/README.md
+++ b/developer_tools/vpnserver-jsonrpc-clients/README.md
@ -25,6 +25,7 @@ https://<vpn_server_hostname>:<port>/api/

  - Older versions of SoftEther VPN before June 2019 don't support JSON-RPC APIs.
  - If you want to completely disable the JSON-RPC on your VPN Server, set the `DisableJsonRpcWebApi` variable to `true` on the `vpn_server.config`.
+  - You may also restrict access to JSON-RPC API to a specific subnet, e.g. your internal network, by setting the `JsonRpcWebApiAllowedSubnet` variable to, for example, `192.168.0.0/16`.


 ### JSON-RPC specification
--- a/developer_tools/vpnserver-jsonrpc-codegen/Templates/doc.txt
+++ b/developer_tools/vpnserver-jsonrpc-codegen/Templates/doc.txt
@ -25,6 +25,7 @@ https://<vpn_server_hostname>:<port>/api/

  - Older versions of SoftEther VPN before June 2019 don't support JSON-RPC APIs.
  - If you want to completely disable the JSON-RPC on your VPN Server, set the `DisableJsonRpcWebApi` variable to `true` on the `vpn_server.config`.
+  - You may also restrict access to JSON-RPC API to a specific subnet, e.g. your internal network, by setting the `JsonRpcWebApiAllowedSubnet` variable to, for example, `192.168.0.0/16`.


 ### JSON-RPC specification
--- a/src/Cedar/BridgeWin32.c
+++ b/src/Cedar/BridgeWin32.c
@ -1161,7 +1161,8 @@ void Win32EthMakeCombinedName(char *dst, UINT dst_size, char *nicname, char *gui

 	if (IsEmptyStr(guid) == false)
 	{
-		Format(dst, dst_size, "%s (ID=%010u)", nicname, Win32EthGenIdFromGuid(guid));
+		// Allow to combine "FriendlyName" consisting of a NULL character and ID.
+		Format(dst, dst_size, "%s(ID=%010u)", nicname, Win32EthGenIdFromGuid(guid));
 	}
 	else
 	{
@ -1185,18 +1186,19 @@ UINT Win32EthGetNameAndIdFromCombinedName(char *name, UINT name_size, char *str)

 	len = StrLen(str);

-	if (len >= 16)
+	// Allow to combine "FriendlyName" consisting of a NULL character and ID beginning with "(ID=".
+	if (len >= 15)
 	{
-		StrCpy(id_str, sizeof(id_str), str + len - 16);
+		StrCpy(id_str, sizeof(id_str), str + len - 15);

-		if (StartWith(id_str, " (ID="))
+		if (StartWith(id_str, "(ID="))
 		{
 			if (EndWith(id_str, ")"))
 			{
 				char num[MAX_SIZE];

 				Zero(num, sizeof(num));
-				StrCpy(num, sizeof(num), id_str + 5);
+				StrCpy(num, sizeof(num), id_str + 4);

 				num[StrLen(num) - 1] = 0;

@ -1204,7 +1206,7 @@ UINT Win32EthGetNameAndIdFromCombinedName(char *name, UINT name_size, char *str)

 				if (ret != 0)
 				{
-					name[len - 16] = 0;
+					name[len - 15] = 0;
 				}
 			}
 		}
@ -1346,6 +1348,8 @@ TOKEN_LIST *GetEthListEx(UINT *total_num_including_hidden, bool enum_normal, boo

 			Debug("%s - %s\n", a->Guid, a->Title);
 		}
+		// Make sure that "FriendlyName" does not cosist a NULL character.
+		Debug("%s,- s=%d, t=%s, %s,\n", a->Guid, show, tmp, a->Title[0] == 0 ? "check=NG FriendlyName(Title) is NULL !" : "check=OK");
 	}

 	*total_num_including_hidden = ret->NumTokens;
@ -1405,7 +1409,7 @@ LIST *GetEthAdapterListInternal()
 	UINT size;
 	char *buf;
 	UINT i, j;
-	char *qos_tag = " (Microsoft's Packet Scheduler)";
+	char *qos_tag = "(Microsoft's Packet Scheduler)";	// Allow to combine "FriendlyName" consisting of a NULL character and QOS tag.
 	SU *su = NULL;
 	LIST *su_adapter_list = NULL;

@ -1660,7 +1664,8 @@ ANSI_STR:
 				}
 				else
 				{
-					Format(tmp, sizeof(tmp), "%s (%u)", a->Title, k + 1);
+					// Allow to combine "FriendlyName" consisting of a NULL character and SEQ number.
+					Format(tmp, sizeof(tmp), "%s(%u)", a->Title, k + 1);
 				}

 				ok = true;
--- a/src/Cedar/Protocol.c
+++ b/src/Cedar/Protocol.c
@ -5740,6 +5740,7 @@ bool ServerDownloadSignature(CONNECTION *c, char **error_detail_str)
 	UINT num = 0, max = 19;
 	SERVER *server;
 	char *vpn_http_target = HTTP_VPN_TARGET2;
+	bool disableJsonRpcWebApi;
 	// Validate arguments
 	if (c == NULL)
 	{
@ -5750,6 +5751,15 @@ bool ServerDownloadSignature(CONNECTION *c, char **error_detail_str)

 	s = c->FirstSock;

+	disableJsonRpcWebApi = server->DisableJsonRpcWebApi;
+	if (!disableJsonRpcWebApi && !IsZeroIP(&server->JsonRpcWebApiAllowedSubnetAddr)
+				&& !IsZeroIP(&server->JsonRpcWebApiAllowedSubnetMask)) {
+		// restrict JSON-RPC Web API to specified subnet only
+		if (!IsInSameNetwork(&s->RemoteIP, &server->JsonRpcWebApiAllowedSubnetAddr, &server->JsonRpcWebApiAllowedSubnetMask)) {
+			disableJsonRpcWebApi = true;
+		}
+	}
+
 	while (true)
 	{
 		bool not_found_error = false;
@ -5782,7 +5792,7 @@ bool ServerDownloadSignature(CONNECTION *c, char **error_detail_str)
 			// Receive the data since it's POST
 			data_size = GetContentLength(h);

-			if (server->DisableJsonRpcWebApi == false)
+			if (disableJsonRpcWebApi == false)
 			{
 				if (StrCmpi(h->Target, "/api") == 0 || StrCmpi(h->Target, "/api/") == 0)
 				{
@ -5868,7 +5878,7 @@ bool ServerDownloadSignature(CONNECTION *c, char **error_detail_str)
 		}
 		else if (StrCmpi(h->Method, "OPTIONS") == 0)
 		{
-			if (server->DisableJsonRpcWebApi == false)
+			if (disableJsonRpcWebApi == false)
 			{
 				if (StrCmpi(h->Target, "/api") == 0 || StrCmpi(h->Target, "/api/") == 0 || StartWith(h->Target, "/admin"))
 				{
@ -5939,7 +5949,7 @@ bool ServerDownloadSignature(CONNECTION *c, char **error_detail_str)
 					BUF *b = NULL;
 					*error_detail_str = "HTTP_ROOT";

-					if (server->DisableJsonRpcWebApi == false)
+					if (disableJsonRpcWebApi == false)
 					{
 						b = ReadDump("|wwwroot/index.html");
 					}
@ -6019,7 +6029,7 @@ bool ServerDownloadSignature(CONNECTION *c, char **error_detail_str)

 					if (b == false)
 					{
-						if (server->DisableJsonRpcWebApi == false)
+						if (disableJsonRpcWebApi == false)
 						{
 							if (StartWith(h->Target, "/api?") || StartWith(h->Target, "/api/") || StrCmpi(h->Target, "/api") == 0)
 							{
--- a/src/Cedar/SeLowUser.c
+++ b/src/Cedar/SeLowUser.c
@ -753,11 +753,45 @@ LIST *SuGetAdapterList(SU *u)
 	for (i = 0;i < u->AdapterInfoList.NumAdapters;i++)
 	{
 		SL_ADAPTER_INFO *info = &u->AdapterInfoList.Adapters[i];
-		SU_ADAPTER_LIST *a = SuAdapterInfoToAdapterList(info);

-		if (a != NULL)
+		if (IsEmptyStr(info->FriendlyName))
 		{
-			Add(ret, a);
+			// Some NetAdapterCx drivers doesn't report the FriendlyName in the kernel mode.
+			// So we attempt to obtain the DriverDesc string from NetCfg registry key alternatively.
+			char regkey[MAX_PATH] = {0};
+			char tmp[MAX_PATH] = {0};
+			char adapter_guid[MAX_PATH] = {0};
+
+			UniToStr(adapter_guid, sizeof(adapter_guid), info->AdapterId + StrLen(SL_ADAPTER_ID_PREFIX));
+
+			if (GetClassRegKeyWin32(regkey, sizeof(regkey), tmp, sizeof(tmp), adapter_guid))
+			{
+				char *driver_desc = MsRegReadStrEx2(REG_LOCAL_MACHINE, regkey, "DriverDesc", false, true);
+
+				if (driver_desc != NULL)
+				{
+					StrCpy(info->FriendlyName, sizeof(info->FriendlyName), driver_desc);
+					Free(driver_desc);
+				}
+			}
+		}
+
+		{
+			SU_ADAPTER_LIST *a = SuAdapterInfoToAdapterList(info);
+
+			char macstr[128] = {0};
+			BinToStr(macstr, sizeof(macstr), info->MacAddress, sizeof(info->MacAddress));
+
+			if (a != NULL)
+			{
+				// Debug("SU: Adapter %u (OK): ID=%S, MAC=%s, FriendlyName=%s\n", i, info->AdapterId, macstr, info->FriendlyName);
+
+				Add(ret, a);
+			}
+			else
+			{
+				// Debug("SU: Adapter %u (NG): ID=%S, MAC=%s, FriendlyName=%s\n", i, info->AdapterId, macstr, info->FriendlyName);
+			}
 		}
 	}

@ -827,7 +861,8 @@ SU_ADAPTER_LIST *SuAdapterInfoToAdapterList(SL_ADAPTER_INFO *info)
 	Copy(&t.Info, info, sizeof(SL_ADAPTER_INFO));

 	UniToStr(tmp, sizeof(tmp), info->AdapterId);
-	if (IsEmptyStr(tmp) || IsEmptyStr(info->FriendlyName) || StartWith(tmp, SL_ADAPTER_ID_PREFIX) == false)
+	// Make the NIC appear in the "Local Bridge Settings" list regardless of a NULL character consisted in "FriendlyName".
+	if (IsEmptyStr(tmp) || /* IsEmptyStr(info->FriendlyName) || */ StartWith(tmp, SL_ADAPTER_ID_PREFIX) == false)
 	{
 		// Name is invalid
 		return NULL;
--- a/src/Cedar/Server.c
+++ b/src/Cedar/Server.c
@ -30,6 +30,7 @@
 #include "Mayaqua/Internat.h"
 #include "Mayaqua/Memory.h"
 #include "Mayaqua/Microsoft.h"
+#include "Mayaqua/Network.h"
 #include "Mayaqua/Object.h"
 #include "Mayaqua/OS.h"
 #include "Mayaqua/Pack.h"
@ -6032,6 +6033,15 @@ void SiLoadServerCfg(SERVER *s, FOLDER *f)
 		// Disable JSON-RPC Web API
 		s->DisableJsonRpcWebApi = CfgGetBool(f, "DisableJsonRpcWebApi");

+		char tmpaddr[MAX_PATH];
+		if (CfgGetStr(f, "JsonRpcWebApiAllowedSubnet", tmpaddr, sizeof(tmpaddr))) {
+			IP _subnet, _mask;
+			if (ParseIpAndMask46(tmpaddr, &_subnet, &_mask)) {
+				s->JsonRpcWebApiAllowedSubnetAddr = _subnet;
+				s->JsonRpcWebApiAllowedSubnetMask = _mask;
+			}
+		}
+
 		// Bits of Diffie-Hellman parameters
 		c->DhParamBits = CfgGetInt(f, "DhParamBits");
 		if (c->DhParamBits == 0)
@ -6365,6 +6375,11 @@ void SiWriteServerCfg(FOLDER *f, SERVER *s)

 		// Disable JSON-RPC Web API
 		CfgAddBool(f, "DisableJsonRpcWebApi", s->DisableJsonRpcWebApi);
+
+		char tmpaddr[MAX_PATH];
+		IPAndMaskToStr(tmpaddr, sizeof(tmpaddr),
+			&s->JsonRpcWebApiAllowedSubnetAddr, &s->JsonRpcWebApiAllowedSubnetMask);
+		CfgAddStr(f, "JsonRpcWebApiAllowedSubnet", tmpaddr);
 	}
 	Unlock(c->lock);
 }
--- a/src/Cedar/Server.h
+++ b/src/Cedar/Server.h
@ -276,6 +276,9 @@ struct SERVER
 	IP ListenIP;						// Listen IP
 	bool StrictSyslogDatetimeFormat;	// Make syslog datetime format strict RFC3164
 	bool DisableJsonRpcWebApi;					// Disable JSON-RPC Web API
+
+	IP JsonRpcWebApiAllowedSubnetAddr;  // If set, allow access to JSON-RPC Web API from
+	IP JsonRpcWebApiAllowedSubnetMask;  //   this subnet only
 };


--- a/src/Mayaqua/Network.c
+++ b/src/Mayaqua/Network.c
@ -6986,6 +6986,18 @@ void IPToStr6Inner(char *str, IP *ip)
 	}
 }

+// Format IP and subnet mask as "<ip>/<masksize>"
+void IPAndMaskToStr(char *str, UINT size, IP *ip, IP *subnet)
+{
+	int iplen;
+	UINT masksize;
+
+	IPToStr(str, size, ip);
+	iplen = StrLen(str);
+	masksize = SubnetMaskToInt(subnet);
+	Format(str + iplen, size - iplen, "/%d", masksize);
+}
+
 // Convert the string to an IP address
 bool StrToIP6(IP *ip, char *str)
 {
--- a/src/Mayaqua/Network.h
+++ b/src/Mayaqua/Network.h
@ -1289,6 +1289,7 @@ void IPToStr6(char *str, UINT size, IP *ip);
 void IP6AddrToStr(char *str, UINT size, IPV6_ADDR *addr);
 void IPToStr6Array(char *str, UINT size, UCHAR *bytes);
 void IPToStr6Inner(char *str, IP *ip);
+void IPAndMaskToStr(char *str, UINT size, IP *ip, IP *subnet);
 void IntToSubnetMask6(IP *ip, UINT i);
 void IPAnd6(IP *dst, IP *a, IP *b);
 void GetAllRouterMulticastAddress6(IP *ip);
Author	SHA1	Message	Date
Alexey Kryuchkov	e9321eae71	Merge `a366bdbf02` into `f6c185f279`	2024-03-11 14:02:12 -07:00
Ilya Shipitsin	f6c185f279	Merge pull request #1963 from hiura2023/master Change bridge function: Make the NIC appear in the "Local Bridge Settings" list	2024-03-11 20:52:35 +01:00
hiura2023	44821c7130	Merge branch 'SoftEtherVPN:master' into master	2024-03-11 02:27:36 +09:00
hiura	64cb8e1eff	Change bridge function: Make the NIC appear in the 'Local Bridge Settings' list No.2	2024-03-11 00:16:22 +09:00
hiura	645d5ebb55	Change bridge function: Make the NIC appear in the 'Local Bridge Settings' list regardless of a NULL character consisted in 'FriendlyName'	2024-03-06 11:33:56 +09:00
Alexey Kryuchkov	a366bdbf02	Add server option 'JsonRpcWebApiAllowedSubnet' to restrict access to JSON-RPC API based on client IP address	2023-06-02 00:00:43 +03:00