mirror of
https://github.com/SoftEtherVPN/SoftEtherVPN.git
synced 2024-09-19 18:20:40 +03:00
ac865f04fc
* spelling: accepts * spelling: account * spelling: accept * spelling: accumulate * spelling: adapter * spelling: address * spelling: additional * spelling: aggressive * spelling: adhered * spelling: allowed * spelling: ambiguous * spelling: amount * spelling: anonymous * spelling: acquisition * spelling: assemble * spelling: associated * spelling: assigns * spelling: attach * spelling: attempt * spelling: attribute * spelling: authenticate * spelling: authentication * spelling: available * spelling: bridging * spelling: cascade * spelling: cancel * spelling: check * spelling: challenge * spelling: changing * spelling: characters * spelling: cloud * spelling: compare * spelling: communication * spelling: compatible * spelling: compatibility * spelling: completion * spelling: complete * spelling: computers * spelling: configure * spelling: configuration * spelling: conformant * spelling: connection * spelling: contains * spelling: continuously * spelling: continue * spelling: convert * spelling: counters * spelling: create * spelling: created * spelling: cumulate * spelling: currently * spelling: debugging * spelling: decryption * spelling: description * spelling: default * spelling: driver * spelling: delete * spelling: destination * spelling: disabled * spelling: different * spelling: dynamically * spelling: directory * spelling: disappeared * spelling: disable * spelling: doesn't * spelling: download * spelling: dropped * spelling: enable * spelling: established * spelling: ether * spelling: except * spelling: expired * spelling: field * spelling: following * spelling: forever * spelling: firewall * spelling: first * spelling: fragment * spelling: function * spelling: gateway * spelling: identifier * spelling: identify * spelling: incoming * spelling: information * spelling: initialize * spelling: injection * spelling: inner * spelling: instead * spelling: installation * spelling: inserted * spelling: integer * spelling: interrupt * spelling: intuitive * spelling: interval * spelling: january * spelling: keybytes * spelling: know * spelling: language * spelling: length * spelling: library * spelling: listener * spelling: maintain * spelling: modified * spelling: necessary * spelling: number * spelling: obsoleted * spelling: occurred * spelling: occurring * spelling: occur * spelling: original * spelling: omittable * spelling: omit * spelling: opening * spelling: operation * spelling: packet * spelling: parameters * spelling: pointed * spelling: popupmenuopen * spelling: privilege * spelling: product * spelling: protection * spelling: promiscuous * spelling: prompt * spelling: query * spelling: random * spelling: reconnection * spelling: revocation * spelling: received * spelling: red hat * spelling: registry * spelling: release * spelling: retrieve
650 lines
28 KiB
C
650 lines
28 KiB
C
// SoftEther VPN Source Code
|
|
// Cedar Communication Module
|
|
//
|
|
// SoftEther VPN Server, Client and Bridge are free software under GPLv2.
|
|
//
|
|
// Copyright (c) Daiyuu Nobori.
|
|
// Copyright (c) SoftEther VPN Project, University of Tsukuba, Japan.
|
|
// Copyright (c) SoftEther Corporation.
|
|
//
|
|
// All Rights Reserved.
|
|
//
|
|
// http://www.softether.org/
|
|
//
|
|
// Author: Daiyuu Nobori, Ph.D.
|
|
// Comments: Tetsuo Sugiyama, Ph.D.
|
|
//
|
|
// This program is free software; you can redistribute it and/or
|
|
// modify it under the terms of the GNU General Public License
|
|
// version 2 as published by the Free Software Foundation.
|
|
//
|
|
// This program is distributed in the hope that it will be useful,
|
|
// but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
// GNU General Public License for more details.
|
|
//
|
|
// You should have received a copy of the GNU General Public License version 2
|
|
// along with this program; if not, write to the Free Software
|
|
// Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
|
|
//
|
|
// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
|
|
// EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
|
|
// MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
|
|
// IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY
|
|
// CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT,
|
|
// TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
|
|
// SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
|
|
//
|
|
// THE LICENSE AGREEMENT IS ATTACHED ON THE SOURCE-CODE PACKAGE
|
|
// AS "LICENSE.TXT" FILE. READ THE TEXT FILE IN ADVANCE TO USE THE SOFTWARE.
|
|
//
|
|
//
|
|
// THIS SOFTWARE IS DEVELOPED IN JAPAN, AND DISTRIBUTED FROM JAPAN,
|
|
// UNDER JAPANESE LAWS. YOU MUST AGREE IN ADVANCE TO USE, COPY, MODIFY,
|
|
// MERGE, PUBLISH, DISTRIBUTE, SUBLICENSE, AND/OR SELL COPIES OF THIS
|
|
// SOFTWARE, THAT ANY JURIDICAL DISPUTES WHICH ARE CONCERNED TO THIS
|
|
// SOFTWARE OR ITS CONTENTS, AGAINST US (SOFTETHER PROJECT, SOFTETHER
|
|
// CORPORATION, DAIYUU NOBORI OR OTHER SUPPLIERS), OR ANY JURIDICAL
|
|
// DISPUTES AGAINST US WHICH ARE CAUSED BY ANY KIND OF USING, COPYING,
|
|
// MODIFYING, MERGING, PUBLISHING, DISTRIBUTING, SUBLICENSING, AND/OR
|
|
// SELLING COPIES OF THIS SOFTWARE SHALL BE REGARDED AS BE CONSTRUED AND
|
|
// CONTROLLED BY JAPANESE LAWS, AND YOU MUST FURTHER CONSENT TO
|
|
// EXCLUSIVE JURISDICTION AND VENUE IN THE COURTS SITTING IN TOKYO,
|
|
// JAPAN. YOU MUST WAIVE ALL DEFENSES OF LACK OF PERSONAL JURISDICTION
|
|
// AND FORUM NON CONVENIENS. PROCESS MAY BE SERVED ON EITHER PARTY IN
|
|
// THE MANNER AUTHORIZED BY APPLICABLE LAW OR COURT RULE.
|
|
//
|
|
// USE ONLY IN JAPAN. DO NOT USE THIS SOFTWARE IN ANOTHER COUNTRY UNLESS
|
|
// YOU HAVE A CONFIRMATION THAT THIS SOFTWARE DOES NOT VIOLATE ANY
|
|
// CRIMINAL LAWS OR CIVIL RIGHTS IN THAT PARTICULAR COUNTRY. USING THIS
|
|
// SOFTWARE IN OTHER COUNTRIES IS COMPLETELY AT YOUR OWN RISK. THE
|
|
// SOFTETHER VPN PROJECT HAS DEVELOPED AND DISTRIBUTED THIS SOFTWARE TO
|
|
// COMPLY ONLY WITH THE JAPANESE LAWS AND EXISTING CIVIL RIGHTS INCLUDING
|
|
// PATENTS WHICH ARE SUBJECTS APPLY IN JAPAN. OTHER COUNTRIES' LAWS OR
|
|
// CIVIL RIGHTS ARE NONE OF OUR CONCERNS NOR RESPONSIBILITIES. WE HAVE
|
|
// NEVER INVESTIGATED ANY CRIMINAL REGULATIONS, CIVIL LAWS OR
|
|
// INTELLECTUAL PROPERTY RIGHTS INCLUDING PATENTS IN ANY OF OTHER 200+
|
|
// COUNTRIES AND TERRITORIES. BY NATURE, THERE ARE 200+ REGIONS IN THE
|
|
// WORLD, WITH DIFFERENT LAWS. IT IS IMPOSSIBLE TO VERIFY EVERY
|
|
// COUNTRIES' LAWS, REGULATIONS AND CIVIL RIGHTS TO MAKE THE SOFTWARE
|
|
// COMPLY WITH ALL COUNTRIES' LAWS BY THE PROJECT. EVEN IF YOU WILL BE
|
|
// SUED BY A PRIVATE ENTITY OR BE DAMAGED BY A PUBLIC SERVANT IN YOUR
|
|
// COUNTRY, THE DEVELOPERS OF THIS SOFTWARE WILL NEVER BE LIABLE TO
|
|
// RECOVER OR COMPENSATE SUCH DAMAGES, CRIMINAL OR CIVIL
|
|
// RESPONSIBILITIES. NOTE THAT THIS LINE IS NOT LICENSE RESTRICTION BUT
|
|
// JUST A STATEMENT FOR WARNING AND DISCLAIMER.
|
|
//
|
|
//
|
|
// SOURCE CODE CONTRIBUTION
|
|
// ------------------------
|
|
//
|
|
// Your contribution to SoftEther VPN Project is much appreciated.
|
|
// Please send patches to us through GitHub.
|
|
// Read the SoftEther VPN Patch Acceptance Policy in advance:
|
|
// http://www.softether.org/5-download/src/9.patch
|
|
//
|
|
//
|
|
// DEAR SECURITY EXPERTS
|
|
// ---------------------
|
|
//
|
|
// If you find a bug or a security vulnerability please kindly inform us
|
|
// about the problem immediately so that we can fix the security problem
|
|
// to protect a lot of users around the world as soon as possible.
|
|
//
|
|
// Our e-mail address for security reports is:
|
|
// softether-vpn-security [at] softether.org
|
|
//
|
|
// Please note that the above e-mail address is not a technical support
|
|
// inquiry address. If you need technical assistance, please visit
|
|
// http://www.softether.org/ and ask your question on the users forum.
|
|
//
|
|
// Thank you for your cooperation.
|
|
//
|
|
//
|
|
// NO MEMORY OR RESOURCE LEAKS
|
|
// ---------------------------
|
|
//
|
|
// The memory-leaks and resource-leaks verification under the stress
|
|
// test has been passed before release this source code.
|
|
|
|
|
|
// Hub.h
|
|
// Header of Hub.c
|
|
|
|
#ifndef HUB_H
|
|
#define HUB_H
|
|
|
|
|
|
// Prefix in the access list for investigating whether the user name which is contained in a particular file
|
|
#define ACCESS_LIST_INCLUDED_PREFIX "include:" // Included
|
|
#define ACCESS_LIST_EXCLUDED_PREFIX "exclude:" // Not included
|
|
|
|
// The default value for the cache expiration of the user name reference file of the access list (in seconds)
|
|
#define ACCESS_LIST_INCLUDE_FILE_CACHE_LIFETIME 30
|
|
|
|
// The maximum length of the include file in the access list
|
|
#define ACCESS_LIST_INCLUDE_FILE_MAX_SIZE (1024 * 1024)
|
|
|
|
// <INFO> tags of the URL in the access list
|
|
#define ACCESS_LIST_URL_INFO_TAG "<INFO>"
|
|
|
|
// Old MAC address entry flush interval
|
|
#define OLD_MAC_ADDRESS_ENTRY_FLUSH_INTERVAL 1000
|
|
|
|
// Default flooding queue length
|
|
#define DEFAULT_FLOODING_QUEUE_LENGTH (32 * 1024 * 1024)
|
|
|
|
// SoftEther link control packet
|
|
struct SE_LINK
|
|
{
|
|
UCHAR DestMacAddress[6]; // Destination MAC address
|
|
UCHAR SrcMacAddress[6]; // Source MAC address
|
|
UCHAR SignatureS; // 'S'
|
|
UCHAR SignatureE; // 'E'
|
|
UCHAR Padding[2]; // Padding
|
|
UINT Type; // Type
|
|
UCHAR HubSignature[16]; // HUB signature
|
|
UINT TransactionId; // Transaction ID
|
|
UINT Data; // Data
|
|
UCHAR Dummy[20]; // Dummy
|
|
UCHAR Checksum[SHA1_SIZE]; // Checksum
|
|
};
|
|
|
|
|
|
// Test packet reception record
|
|
struct TEST_HISTORY
|
|
{
|
|
SESSION *s1;
|
|
SESSION *s2;
|
|
};
|
|
|
|
// State machine for link test
|
|
struct SE_TEST
|
|
{
|
|
LOCK *lock; // Lock
|
|
UINT64 LastTestPacketSentTime; // Time that sent the test packet at the last
|
|
UINT NextTestPacketSendInterval; // Next test packet transmission interval
|
|
bool CurrentTesting; // Test by sending a test packet currently
|
|
UINT TransactionId; // Transaction ID
|
|
LIST *TestHistory; // Reception history
|
|
};
|
|
|
|
// Macro
|
|
#define NO_ACCOUNT_DB(h) ((h)->FarmMember)
|
|
|
|
// Database in the case of a stand-alone or a farm master HUB
|
|
struct HUBDB
|
|
{
|
|
LIST *UserList; // User List
|
|
LIST *GroupList; // Group List
|
|
LIST *RootCertList; // Certificate list to trust
|
|
LIST *CrlList; // CRL list
|
|
LIST *AcList; // AC List
|
|
};
|
|
|
|
// Traffic limiter
|
|
struct TRAFFIC_LIMITER
|
|
{
|
|
UINT64 LastTime; // Time of last measured
|
|
UINT64 Value; // The current value
|
|
};
|
|
|
|
// Record the number of broadcast of each endpoint
|
|
struct STORM
|
|
{
|
|
UCHAR MacAddress[6]; // MAC address
|
|
UCHAR Padding[2]; // Padding
|
|
IP SrcIp; // Source IP address
|
|
IP DestIp; // Destination IP address
|
|
UINT64 CheckStartTick; // Time that checking is started
|
|
UINT CurrentBroadcastNum; // The current number of broadcasts
|
|
UINT DiscardValue; // Ratio to discard the broadcast packet
|
|
bool StrictMode; // Strict mode
|
|
};
|
|
|
|
// Packet adapter information structure for HUB
|
|
struct HUB_PA
|
|
{
|
|
CANCEL *Cancel; // Cancel object
|
|
QUEUE *PacketQueue; // Packet queue
|
|
bool MonitorPort; // Monitor port
|
|
UINT64 Now; // Current time
|
|
TRAFFIC_LIMITER UploadLimiter; // Upload bandwidth limit
|
|
TRAFFIC_LIMITER DownloadLimiter; // Download bandwidth limitation
|
|
SESSION *Session; // Session
|
|
LIST *StormList; // Broadcast storm recording list
|
|
UINT64 UsernameHash; // User name hash
|
|
UINT64 UsernameHashSimple; // User name hash (simple)
|
|
UINT64 GroupnameHash; // Group name hash
|
|
};
|
|
|
|
// HUB options
|
|
struct HUB_OPTION
|
|
{
|
|
// Standard options
|
|
UINT MaxSession; // Maximum number of simultaneous connections
|
|
bool NoEnum; // Excluded from the enumeration
|
|
// Advanced options
|
|
bool NoArpPolling; // No ARP polling
|
|
bool NoIPv6AddrPolling; // No IPv6 address polling
|
|
bool NoIpTable; // Do not generate an IP address table
|
|
bool NoMacAddressLog; // Not to write the registration log of the MAC address
|
|
bool ManageOnlyPrivateIP; // Manage only private IP
|
|
bool ManageOnlyLocalUnicastIPv6; // Manage only local unicast IPv6 addresses
|
|
bool DisableIPParsing; // Disable the IP interpretation
|
|
bool YieldAfterStorePacket; // Yield after the packet is stored
|
|
bool NoSpinLockForPacketDelay; // Do not use the spin lock
|
|
UINT BroadcastStormDetectionThreshold; // Broadcast number limit threshold
|
|
bool FilterPPPoE; // Filtering the PPPoE (0x8863, 0x8864)
|
|
bool FilterOSPF; // Filtering the OSPF (ip_proto = 89)
|
|
bool FilterIPv4; // Filter IPv4 packets
|
|
bool FilterIPv6; // Filter IPv6 packets
|
|
bool FilterNonIP; // Filter all non-IP packets
|
|
bool FilterBPDU; // Filter the BPDU packets
|
|
UINT ClientMinimumRequiredBuild; // If the build number of the client is lower than a certain value, deny it
|
|
bool NoIPv6DefaultRouterInRAWhenIPv6; // Delete the default router specification from the IPv6 router advertisement (only in the case of IPv6 physical connection)
|
|
bool NoIPv4PacketLog; // Do not save the packet log for the IPv4 packet
|
|
bool NoIPv6PacketLog; // Do not save the packet log of IPv6 packets
|
|
bool NoLookBPDUBridgeId; // Don't look the BPDU bridge ID for switching
|
|
bool NoManageVlanId; // Don't manage the VLAN ID
|
|
UINT VlanTypeId; // Type ID of VLAN packets (usually 0x8100)
|
|
bool FixForDLinkBPDU; // Apply the fix for the BPDU of the strange behavior of the D-Link
|
|
UINT RequiredClientId; // Client ID
|
|
UINT AdjustTcpMssValue; // TCP MSS adjustment value
|
|
bool DisableAdjustTcpMss; // Completely disable the TCP MSS adjustment function
|
|
bool NoDhcpPacketLogOutsideHub; // Suppress DHCP unrelated log
|
|
bool DisableHttpParsing; // Prohibit the HTTP interpretation
|
|
bool DisableUdpAcceleration; // Prohibit the UDP acceleration function
|
|
bool DisableUdpFilterForLocalBridgeNic; // Not to perform filtering DHCP packets associated with local bridge NIC
|
|
bool ApplyIPv4AccessListOnArpPacket; // Apply an IPv4 access list to the ARP packet
|
|
bool RemoveDefGwOnDhcpForLocalhost; // Remove the designation of the DHCP server from the DHCP response packet addressed to localhost
|
|
UINT SecureNAT_MaxTcpSessionsPerIp; // Maximum number of TCP sessions per IP address
|
|
UINT SecureNAT_MaxTcpSynSentPerIp; // Maximum number of TCP sessions of SYN_SENT state per IP address
|
|
UINT SecureNAT_MaxUdpSessionsPerIp; // Maximum number of UDP sessions per IP address
|
|
UINT SecureNAT_MaxDnsSessionsPerIp; // Maximum number of DNS sessions per IP address
|
|
UINT SecureNAT_MaxIcmpSessionsPerIp; // Maximum number of ICMP sessions per IP address
|
|
UINT AccessListIncludeFileCacheLifetime; // Expiration of the access list external file (in seconds)
|
|
bool DisableKernelModeSecureNAT; // Disable the kernel mode NAT
|
|
bool DisableIpRawModeSecureNAT; // Disable the IP Raw Mode NAT
|
|
bool DisableUserModeSecureNAT; // Disable the user mode NAT
|
|
bool DisableCheckMacOnLocalBridge; // Disable the MAC address verification in local bridge
|
|
bool DisableCorrectIpOffloadChecksum; // Disable the correction of checksum that is IP-Offloaded
|
|
bool BroadcastLimiterStrictMode; // Strictly broadcast packets limiting mode
|
|
UINT MaxLoggedPacketsPerMinute; // Maximum number of logging target packets per minute
|
|
bool DoNotSaveHeavySecurityLogs; // Do not take heavy security log
|
|
bool DropBroadcastsInPrivacyFilterMode; // Drop broadcasting packets if the both source and destination session is PrivacyFilter mode
|
|
bool DropArpInPrivacyFilterMode; // Drop ARP packets if the both source and destination session is PrivacyFilter mode
|
|
bool SuppressClientUpdateNotification; // Suppress the update notification function on the VPN Client
|
|
UINT FloodingSendQueueBufferQuota; // The global quota of send queues of flooding packets
|
|
bool AssignVLanIdByRadiusAttribute; // Assign the VLAN ID for the VPN session, by the attribute value of RADIUS
|
|
bool DenyAllRadiusLoginWithNoVlanAssign; // Deny all RADIUS login with no VLAN ID assigned
|
|
bool SecureNAT_RandomizeAssignIp; // Randomize the assignment IP address for new DHCP client
|
|
UINT DetectDormantSessionInterval; // Interval (seconds) threshold to detect a dormant VPN session
|
|
bool NoPhysicalIPOnPacketLog; // Disable saving physical IP address on the packet log
|
|
bool UseHubNameAsDhcpUserClassOption; // Add HubName to DHCP request as User-Class option
|
|
bool UseHubNameAsRadiusNasId; // Add HubName to Radius request as NAS-Identifier attrioption
|
|
};
|
|
|
|
// MAC table entry
|
|
struct MAC_TABLE_ENTRY
|
|
{
|
|
UCHAR MacAddress[6]; // MAC address
|
|
UCHAR Padding[2];
|
|
UINT VlanId; // VLAN ID
|
|
SESSION *Session; // Session
|
|
HUB_PA *HubPa; // HUB packet adapter
|
|
UINT64 CreatedTime; // Creation date and time
|
|
UINT64 UpdatedTime; // Updating date
|
|
};
|
|
|
|
// IP table entry
|
|
struct IP_TABLE_ENTRY
|
|
{
|
|
IP Ip; // IP address
|
|
SESSION *Session; // Session
|
|
bool DhcpAllocated; // Assigned by DHCP
|
|
UINT64 CreatedTime; // Creation date and time
|
|
UINT64 UpdatedTime; // Updating date
|
|
UCHAR MacAddress[6]; // MAC address
|
|
};
|
|
|
|
// Loop List
|
|
struct LOOP_LIST
|
|
{
|
|
UINT NumSessions;
|
|
SESSION **Session;
|
|
};
|
|
|
|
// Access list
|
|
struct ACCESS
|
|
{
|
|
// IPv4
|
|
UINT Id; // ID
|
|
wchar_t Note[MAX_ACCESSLIST_NOTE_LEN + 1]; // Note
|
|
|
|
// --- Please add items to the bottom of here for enhancements ---
|
|
bool Active; // Enable flag
|
|
UINT Priority; // Priority
|
|
bool Discard; // Discard flag
|
|
UINT SrcIpAddress; // Source IP address
|
|
UINT SrcSubnetMask; // Source subnet mask
|
|
UINT DestIpAddress; // Destination IP address
|
|
UINT DestSubnetMask; // Destination subnet mask
|
|
UINT Protocol; // Protocol
|
|
UINT SrcPortStart; // Source port number starting point
|
|
UINT SrcPortEnd; // Source port number end point
|
|
UINT DestPortStart; // Destination port number starting point
|
|
UINT DestPortEnd; // Destination port number end point
|
|
UINT64 SrcUsernameHash; // Source user name hash
|
|
bool IsSrcUsernameIncludeOrExclude; // The source user name is formed as the "include:" or "exclude:"
|
|
char SrcUsername[MAX_USERNAME_LEN + 1];
|
|
bool IsDestUsernameIncludeOrExclude; // The destination user name is formed as "include:" or "exclude:"
|
|
UINT64 DestUsernameHash; // Destination user name hash
|
|
char DestUsername[MAX_USERNAME_LEN + 1];
|
|
bool CheckSrcMac; // Presence of a source MAC address setting
|
|
UCHAR SrcMacAddress[6]; // Source MAC address
|
|
UCHAR SrcMacMask[6]; // Source MAC address mask
|
|
bool CheckDstMac; // Whether the setting of the destination MAC address exists
|
|
UCHAR DstMacAddress[6]; // Destination MAC address
|
|
UCHAR DstMacMask[6]; // Destination MAC address mask
|
|
bool CheckTcpState; // The state of the TCP connection
|
|
bool Established; // Established(TCP)
|
|
UINT Delay; // Delay
|
|
UINT Jitter; // Jitter
|
|
UINT Loss; // Packet loss
|
|
char RedirectUrl[MAX_REDIRECT_URL_LEN + 1]; // URL to redirect to
|
|
|
|
// IPv6
|
|
bool IsIPv6; // Whether it's an IPv6
|
|
IPV6_ADDR SrcIpAddress6; // The source IP address (IPv6)
|
|
IPV6_ADDR SrcSubnetMask6; // Source subnet mask (IPv6)
|
|
IPV6_ADDR DestIpAddress6; // Destination IP address (IPv6)
|
|
IPV6_ADDR DestSubnetMask6; // Destination subnet mask (IPv6)
|
|
|
|
// --- Please add items to the above of here for enhancements ---
|
|
|
|
// For management
|
|
UINT UniqueId; // Unique ID
|
|
};
|
|
|
|
// Ticket
|
|
struct TICKET
|
|
{
|
|
UINT64 CreatedTick; // Creation date and time
|
|
UCHAR Ticket[SHA1_SIZE]; // Ticket
|
|
char Username[MAX_USERNAME_LEN + 1]; // User name
|
|
char UsernameReal[MAX_USERNAME_LEN + 1]; // Real user name
|
|
char GroupName[MAX_USERNAME_LEN + 1]; // Group name
|
|
char SessionName[MAX_SESSION_NAME_LEN + 1]; // Session name
|
|
POLICY Policy; // Policy
|
|
};
|
|
|
|
// Traffic difference
|
|
struct TRAFFIC_DIFF
|
|
{
|
|
UINT Type; // Type
|
|
TRAFFIC Traffic; // Traffic
|
|
char *HubName; // HUB name
|
|
char *Name; // Name
|
|
};
|
|
|
|
// Administration options
|
|
struct ADMIN_OPTION
|
|
{
|
|
char Name[MAX_ADMIN_OPTION_NAME_LEN + 1]; // Name
|
|
UINT Value; // Data
|
|
};
|
|
|
|
// Certificate Revocation List entry
|
|
struct CRL
|
|
{
|
|
X_SERIAL *Serial; // Serial number
|
|
NAME *Name; // Name information
|
|
UCHAR DigestMD5[MD5_SIZE]; // MD5 hash
|
|
UCHAR DigestSHA1[SHA1_SIZE]; // SHA-1 hash
|
|
};
|
|
|
|
// Access control
|
|
struct AC
|
|
{
|
|
UINT Id; // ID
|
|
UINT Priority; // Priority
|
|
bool Deny; // Deny access
|
|
bool Masked; // Is masked
|
|
IP IpAddress; // IP address
|
|
IP SubnetMask; // Subnet mask
|
|
};
|
|
|
|
// User List
|
|
struct USERLIST
|
|
{
|
|
char Filename[MAX_PATH]; // File name
|
|
LIST *UserHashList; // Hash list of user names
|
|
};
|
|
|
|
// HUB structure
|
|
struct HUB
|
|
{
|
|
LOCK *lock; // Lock
|
|
LOCK *lock_online; // Lock for Online
|
|
REF *ref; // Reference counter
|
|
CEDAR *Cedar; // Cedar
|
|
UINT Type; // Type
|
|
HUBDB *HubDb; // Database
|
|
char *Name; // The name of the HUB
|
|
LOCK *RadiusOptionLock; // Lock for Radius option
|
|
char *RadiusServerName; // Radius server name
|
|
UINT RadiusServerPort; // Radius server port number
|
|
UINT RadiusRetryInterval; // Radius retry interval
|
|
BUF *RadiusSecret; // Radius shared key
|
|
char RadiusSuffixFilter[MAX_SIZE]; // Radius suffix filter
|
|
char RadiusRealm[MAX_SIZE]; // Radius realm (optional)
|
|
bool RadiusConvertAllMsChapv2AuthRequestToEap; // Convert all MS-CHAPv2 auth request to EAP
|
|
bool RadiusUsePeapInsteadOfEap; // Use PEAP instead of EAP
|
|
volatile bool Halt; // Halting flag
|
|
bool Offline; // Offline
|
|
bool BeingOffline; // Be Doing Offline
|
|
LIST *SessionList; // Session list
|
|
COUNTER *SessionCounter; // Session number generation counter
|
|
TRAFFIC *Traffic; // Traffic information
|
|
TRAFFIC *OldTraffic; // Old traffic information
|
|
LOCK *TrafficLock; // Traffic lock
|
|
COUNTER *NumSessions; // The current number of sessions
|
|
COUNTER *NumSessionsClient; // The current number of sessions (client)
|
|
COUNTER *NumSessionsBridge; // The current number of sessions (bridge)
|
|
HUB_OPTION *Option; // HUB options
|
|
HASH_LIST *MacHashTable; // MAC address hash table
|
|
LIST *IpTable; // IP address table
|
|
LIST *MonitorList; // Monitor port session list
|
|
LIST *LinkList; // Linked list
|
|
UCHAR HubSignature[16]; // HUB signature
|
|
UCHAR HubMacAddr[6]; // MAC address of the HUB
|
|
IP HubIp; // IP address of the HUB (IPv4)
|
|
IPV6_ADDR HubIpV6; // IP address of the HUB (IPv6)
|
|
UINT HubIP6Id; // IPv6 packet ID of the HUB
|
|
UCHAR Padding[2]; // Padding
|
|
LOCK *LoopListLock; // Lock for the loop list
|
|
UINT NumLoopList; // Number of loop lists
|
|
LOOP_LIST **LoopLists; // Loop List
|
|
LIST *AccessList; // Access list
|
|
HUB_LOG LogSetting; // Log Settings
|
|
LOG *PacketLogger; // Packet logger
|
|
LOG *SecurityLogger; // Security logger
|
|
UCHAR HashedPassword[SHA1_SIZE]; // Password
|
|
UCHAR SecurePassword[SHA1_SIZE]; // Secure password
|
|
LIST *TicketList; // Ticket list
|
|
bool FarmMember; // Farm member
|
|
UINT64 LastIncrementTraffic; // Traffic reporting time
|
|
UINT64 LastSendArpTick; // ARP transmission time of the last
|
|
SNAT *SecureNAT; // SecureNAT
|
|
bool EnableSecureNAT; // SecureNAT enable / disable flag
|
|
VH_OPTION *SecureNATOption; // SecureNAT Option
|
|
THREAD *WatchDogThread; // Watchdog thread
|
|
EVENT *WatchDogEvent; // Watchdog event
|
|
bool WatchDogStarted; // Whether the watchdog thread is used
|
|
volatile bool HaltWatchDog; // Stop the watchdog thread
|
|
LIST *AdminOptionList; // Administration options list
|
|
UINT64 CreatedTime; // Creation date and time
|
|
UINT64 LastCommTime; // Last communication date and time
|
|
UINT64 LastLoginTime; // Last login date and time
|
|
UINT NumLogin; // Number of logins
|
|
bool HubIsOnlineButHalting; // Virtual HUB is really online, but it is in offline state to stop
|
|
UINT FarmMember_MaxSessionClient; // Maximum client connection sessions for cluster members
|
|
UINT FarmMember_MaxSessionBridge; // Maximum bridge connection sessions for cluster members
|
|
bool FarmMember_MaxSessionClientBridgeApply; // Apply the FarmMember_MaxSession*
|
|
UINT CurrentVersion; // The current version
|
|
UINT LastVersion; // Version of when the update notification is issued at the last
|
|
wchar_t *Msg; // Message to be displayed when the client is connected
|
|
LIST *UserList; // Cache of the user list file
|
|
bool IsVgsHub; // Whether it's a VGS Virtual HUB
|
|
bool IsVgsSuperRelayHub; // Whether it's a VGS Super Relay Virtual HUB
|
|
UINT64 LastFlushTick; // Last tick to flush the MAC address table
|
|
bool StopAllLinkFlag; // Stop all link flag
|
|
bool ForceDisableComm; // Disable the communication function
|
|
};
|
|
|
|
|
|
// Global variable
|
|
extern ADMIN_OPTION admin_options[];
|
|
extern UINT num_admin_options;
|
|
|
|
|
|
// Function prototype
|
|
HUBDB *NewHubDb();
|
|
void DeleteHubDb(HUBDB *d);
|
|
HUB *NewHub(CEDAR *cedar, char *HubName, HUB_OPTION *option);
|
|
void SetHubMsg(HUB *h, wchar_t *msg);
|
|
wchar_t *GetHubMsg(HUB *h);
|
|
void GenHubMacAddress(UCHAR *mac, char *name);
|
|
void GenHubIpAddress(IP *ip, char *name);
|
|
bool IsHubIpAddress(IP *ip);
|
|
bool IsHubIpAddress32(UINT ip32);
|
|
bool IsHubIpAddress64(IPV6_ADDR *addr);
|
|
bool IsHubMacAddress(UCHAR *mac);
|
|
void ReleaseHub(HUB *h);
|
|
void CleanupHub(HUB *h);
|
|
int CompareHub(void *p1, void *p2);
|
|
void LockHubList(CEDAR *cedar);
|
|
void UnlockHubList(CEDAR *cedar);
|
|
HUB *GetHub(CEDAR *cedar, char *name);
|
|
bool IsHub(CEDAR *cedar, char *name);
|
|
void StopHub(HUB *h);
|
|
void AddSession(HUB *h, SESSION *s);
|
|
void DelSession(HUB *h, SESSION *s);
|
|
SESSION *SearchSessionByUniqueId(HUB *h, UINT id);
|
|
UINT GetNewUniqueId(HUB *h);
|
|
void StopAllSession(HUB *h);
|
|
bool HubPaInit(SESSION *s);
|
|
void HubPaFree(SESSION *s);
|
|
CANCEL *HubPaGetCancel(SESSION *s);
|
|
UINT HubPaGetNextPacket(SESSION *s, void **data);
|
|
bool HubPaPutPacket(SESSION *s, void *data, UINT size);
|
|
PACKET_ADAPTER *GetHubPacketAdapter();
|
|
int CompareMacTable(void *p1, void *p2);
|
|
UINT GetHashOfMacTable(void *p);
|
|
void StorePacket(HUB *hub, SESSION *s, PKT *packet);
|
|
bool StorePacketFilter(SESSION *s, PKT *packet);
|
|
void StorePacketToHubPa(HUB_PA *dest, SESSION *src, void *data, UINT size, PKT *packet, bool is_flooding, bool no_check_acl);
|
|
void SetHubOnline(HUB *h);
|
|
void SetHubOffline(HUB *h);
|
|
SESSION *GetSessionByPtr(HUB *hub, void *ptr);
|
|
SESSION *GetSessionByName(HUB *hub, char *name);
|
|
int CompareIpTable(void *p1, void *p2);
|
|
bool StorePacketFilterByPolicy(SESSION *s, PKT *p);
|
|
bool DeleteIPv6DefaultRouterInRA(PKT *p);
|
|
bool StorePacketFilterByTrafficLimiter(SESSION *s, PKT *p);
|
|
void IntoTrafficLimiter(TRAFFIC_LIMITER *tr, PKT *p);
|
|
bool IsMostHighestPriorityPacket(SESSION *s, PKT *p);
|
|
bool IsPriorityPacketForQoS(PKT *p);
|
|
int CompareStormList(void *p1, void *p2);
|
|
STORM *SearchStormList(HUB_PA *pa, UCHAR *mac_address, IP *src_ip, IP *dest_ip, bool strict);
|
|
STORM *AddStormList(HUB_PA *pa, UCHAR *mac_address, IP *src_ip, IP *dest_ip, bool strict);
|
|
bool CheckBroadcastStorm(HUB *hub, SESSION *s, PKT *p);
|
|
void AddRootCert(HUB *hub, X *x);
|
|
int CmpAccessList(void *p1, void *p2);
|
|
void InitAccessList(HUB *hub);
|
|
void FreeAccessList(HUB *hub);
|
|
void AddAccessList(HUB *hub, ACCESS *a);
|
|
void AddAccessListEx(HUB *hub, ACCESS *a, bool no_sort, bool no_reassign_id);
|
|
bool SetSessionFirstRedirectHttpUrl(SESSION *s, char *url);
|
|
bool IsTcpPacketNcsiHttpAccess(PKT *p);
|
|
UINT64 UsernameToInt64(char *name);
|
|
void MakeSimpleUsernameRemoveNtDomain(char *dst, UINT dst_size, char *src);
|
|
bool ApplyAccessListToStoredPacket(HUB *hub, SESSION *s, PKT *p);
|
|
void ForceRedirectToUrl(HUB *hub, SESSION *src_session, PKT *p, char *redirect_url);
|
|
BUF *BuildRedirectToUrlPayload(HUB *hub, SESSION *s, char *redirect_url);
|
|
bool ApplyAccessListToForwardPacket(HUB *hub, SESSION *src_session, SESSION *dest_session, PKT *p);
|
|
bool IsPacketMaskedByAccessList(SESSION *s, PKT *p, ACCESS *a, UINT64 dest_username, UINT64 dest_groupname, SESSION *dest_session);
|
|
void GetAccessListStr(char *str, UINT size, ACCESS *a);
|
|
void DeleteOldIpTableEntry(LIST *o);
|
|
void SetRadiusServer(HUB *hub, char *name, UINT port, char *secret);
|
|
void SetRadiusServerEx(HUB *hub, char *name, UINT port, char *secret, UINT interval);
|
|
bool GetRadiusServer(HUB *hub, char *name, UINT size, UINT *port, char *secret, UINT secret_size);
|
|
bool GetRadiusServerEx(HUB *hub, char *name, UINT size, UINT *port, char *secret, UINT secret_size, UINT *interval);
|
|
bool GetRadiusServerEx2(HUB *hub, char *name, UINT size, UINT *port, char *secret, UINT secret_size, UINT *interval, char *suffix_filter, UINT suffix_filter_size);
|
|
int CompareCert(void *p1, void *p2);
|
|
void GetHubLogSetting(HUB *h, HUB_LOG *setting);
|
|
void SetHubLogSetting(HUB *h, HUB_LOG *setting);
|
|
void SetHubLogSettingEx(HUB *h, HUB_LOG *setting, bool no_change_switch_type);
|
|
void DeleteExpiredIpTableEntry(LIST *o);
|
|
void DeleteExpiredMacTableEntry(HASH_LIST *h);
|
|
void AddTrafficDiff(HUB *h, char *name, UINT type, TRAFFIC *traffic);
|
|
void IncrementHubTraffic(HUB *h);
|
|
void EnableSecureNAT(HUB *h, bool enable);
|
|
void EnableSecureNATEx(HUB *h, bool enable, bool no_change);
|
|
void StartHubWatchDog(HUB *h);
|
|
void StopHubWatchDog(HUB *h);
|
|
void HubWatchDogThread(THREAD *t, void *param);
|
|
int CompareAdminOption(void *p1, void *p2);
|
|
UINT GetHubAdminOptionEx(HUB *h, char *name, UINT default_value);
|
|
UINT GetHubAdminOption(HUB *h, char *name);
|
|
void DeleteAllHubAdminOption(HUB *h, bool lock);
|
|
void AddHubAdminOptionsDefaults(HUB *h, bool lock);
|
|
bool IsCertMatchCrl(X *x, CRL *crl);
|
|
bool IsCertMatchCrlList(X *x, LIST *o);
|
|
wchar_t *GenerateCrlStr(CRL *crl);
|
|
bool IsValidCertInHub(HUB *h, X *x);
|
|
void FreeCrl(CRL *crl);
|
|
CRL *CopyCrl(CRL *crl);
|
|
int CmpAc(void *p1, void *p2);
|
|
LIST *NewAcList();
|
|
void AddAc(LIST *o, AC *ac);
|
|
bool DelAc(LIST *o, UINT id);
|
|
AC *GetAc(LIST *o, UINT id);
|
|
void SetAc(LIST *o, UINT id, AC *ac);
|
|
void DelAllAc(LIST *o);
|
|
void SetAcList(LIST *o, LIST *src);
|
|
void NormalizeAcList(LIST *o);
|
|
bool IsIpMaskedByAc(IP *ip, AC *ac);
|
|
bool IsIpDeniedByAcList(IP *ip, LIST *o);
|
|
char *GenerateAcStr(AC *ac);
|
|
void FreeAcList(LIST *o);
|
|
LIST *CloneAcList(LIST *o);
|
|
bool IsIPManagementTargetForHUB(IP *ip, HUB *hub);
|
|
wchar_t *GetHubAdminOptionHelpString(char *name);
|
|
void HubOptionStructToData(RPC_ADMIN_OPTION *ao, HUB_OPTION *o, char *hub_name);
|
|
ADMIN_OPTION *NewAdminOption(char *name, UINT value);
|
|
void DataToHubOptionStruct(HUB_OPTION *o, RPC_ADMIN_OPTION *ao);
|
|
UINT GetHubAdminOptionData(RPC_ADMIN_OPTION *ao, char *name);
|
|
void GetHubAdminOptionDataAndSet(RPC_ADMIN_OPTION *ao, char *name, UINT *dest);
|
|
bool IsURLMsg(wchar_t *str, char *url, UINT url_size);
|
|
LIST *NewUserList();
|
|
void DeleteAllUserListCache(LIST *o);
|
|
void FreeUserList(LIST *o);
|
|
void FreeUserListEntry(USERLIST *u);
|
|
int CompareUserList(void *p1, void *p2);
|
|
USERLIST *LoadUserList(LIST *o, char *filename);
|
|
USERLIST *FindUserList(LIST *o, char *filename);
|
|
bool IsUserMatchInUserList(LIST *o, char *filename, UINT64 user_hash);
|
|
bool IsUserMatchInUserListWithCacheExpires(LIST *o, char *filename, UINT64 user_hash, UINT64 lifetime);
|
|
bool IsUserMatchInUserListWithCacheExpiresAcl(LIST *o, char *name_in_acl, UINT64 user_hash, UINT64 lifetime);
|
|
void CalcTrafficEntryDiff(TRAFFIC_ENTRY *diff, TRAFFIC_ENTRY *old, TRAFFIC_ENTRY *current);
|
|
bool CheckMaxLoggedPacketsPerMinute(SESSION *s, UINT max_packets, UINT64 now);
|
|
void VgsSetUserAgentValue(char *str);
|
|
void VgsSetEmbTag(bool b);
|
|
EAP_CLIENT *HubNewEapClient(CEDAR *cedar, char *hubname, char *client_ip_str, char *username);
|
|
|
|
#endif // HUB_H
|
|
|
|
|