v4.31-9727-beta

SoftEtherVPN · Nov 18, 2019 · 53f1f21 · 53f1f21
1 parent a81e4c2
commit 53f1f21
Show file tree

Hide file tree

Showing 152 changed files with 15,651 additions and 21,420 deletions.
diff --git a/src/BuildFiles/Library/OpenSSL_Build_ID.txt b/src/BuildFiles/Library/OpenSSL_Build_ID.txt
@@ -0,0 +1 @@
+crosslib_win32_191020_02
diff --git a/src/BuildFiles/Library/Win32_Debug/libeay32.lib b/src/BuildFiles/Library/Win32_Debug/libeay32.lib
diff --git a/src/BuildFiles/Library/Win32_Debug/libintelaes.lib b/src/BuildFiles/Library/Win32_Debug/libintelaes.lib
diff --git a/src/BuildFiles/Library/Win32_Debug/ssleay32.lib b/src/BuildFiles/Library/Win32_Debug/ssleay32.lib
diff --git a/src/BuildFiles/Library/Win32_Debug/zlib.lib b/src/BuildFiles/Library/Win32_Debug/zlib.lib
diff --git a/src/BuildFiles/Library/Win32_Release/libeay32.lib b/src/BuildFiles/Library/Win32_Release/libeay32.lib
diff --git a/src/BuildFiles/Library/Win32_Release/libintelaes.lib b/src/BuildFiles/Library/Win32_Release/libintelaes.lib
diff --git a/src/BuildFiles/Library/Win32_Release/ssleay32.lib b/src/BuildFiles/Library/Win32_Release/ssleay32.lib
diff --git a/src/BuildFiles/Library/Win32_Release/zlib.lib b/src/BuildFiles/Library/Win32_Release/zlib.lib
diff --git a/src/BuildFiles/Library/intel-aesni_Build_ID.txt b/src/BuildFiles/Library/intel-aesni_Build_ID.txt
@@ -0,0 +1 @@
+crosslib_win32_191020_02
diff --git a/src/BuildFiles/Library/x64_Debug/libeay32.lib b/src/BuildFiles/Library/x64_Debug/libeay32.lib
diff --git a/src/BuildFiles/Library/x64_Debug/libintelaes.lib b/src/BuildFiles/Library/x64_Debug/libintelaes.lib
diff --git a/src/BuildFiles/Library/x64_Debug/ssleay32.lib b/src/BuildFiles/Library/x64_Debug/ssleay32.lib
diff --git a/src/BuildFiles/Library/x64_Debug/zlib.lib b/src/BuildFiles/Library/x64_Debug/zlib.lib
diff --git a/src/BuildFiles/Library/x64_Release/libeay32.lib b/src/BuildFiles/Library/x64_Release/libeay32.lib
diff --git a/src/BuildFiles/Library/x64_Release/libintelaes.lib b/src/BuildFiles/Library/x64_Release/libintelaes.lib
diff --git a/src/BuildFiles/Library/x64_Release/ssleay32.lib b/src/BuildFiles/Library/x64_Release/ssleay32.lib
diff --git a/src/BuildFiles/Library/x64_Release/zlib.lib b/src/BuildFiles/Library/x64_Release/zlib.lib
diff --git a/src/BuildFiles/Library/zlib_Build_ID.txt b/src/BuildFiles/Library/zlib_Build_ID.txt
@@ -0,0 +1 @@
+crosslib_win32_191020_02
diff --git a/src/BuildUtil/UnixBuildSoftwares.cs b/src/BuildUtil/UnixBuildSoftwares.cs
@@ -600,13 +600,6 @@ public virtual StringWriter GenerateMakeFileForRelease(string srcDir)
 			string gccOptionForLink;
 			string gccOptionForCompile;
 
-			bool try_no_pie = false;
-
-			if (this.Os == OSList.Linux)
-			{
-				try_no_pie = true;
-			}
-
 			generateGccOptions(srcDir, false, false, out gccOptionForLink, out gccOptionForCompile);
 
 			string codeDir = Path.Combine(srcDir, "code");
@@ -629,22 +622,8 @@ public virtual StringWriter GenerateMakeFileForRelease(string srcDir)
 			sr.WriteLine();
 			sr.WriteLine("CC={0}", this.Compiler);
 			sr.WriteLine();
-			if (try_no_pie)
-			{
-				sr.WriteLine("#For Ubuntu 18.04 or later we must add -no-pie option for gcc if supported");
-				sr.WriteLine("RET_NO_PIE_CHECK := $(shell $(CC) -no-pie 2>&1 | grep no-pie | wc -w)");
-				sr.WriteLine("ifeq ($(RET_NO_PIE_CHECK),0)");
-				sr.WriteLine("\tNO_PIE_OPTION=-no-pie");
-				sr.WriteLine("else");
-				sr.WriteLine("\tNO_PIE_OPTION=");
-				sr.WriteLine("endif");
-			}
-			else
-			{
-				sr.WriteLine("NO_PIE_OPTION=");
-			}
 			sr.WriteLine();
-			sr.WriteLine("OPTIONS=$(NO_PIE_OPTION) {0}", gccOptionForLink);
+			sr.WriteLine("OPTIONS={0}", gccOptionForLink);
 			sr.WriteLine();
 			sr.WriteLine("default:");
 			sr.WriteLine("\t@./.install.sh");
@@ -991,6 +970,9 @@ void generateGccOptions(string outDir, bool debugMode, bool crossCompile, out st
 			includes.Add("./Cedar/");
 			includes.Add("./Mayaqua/");
 
+			// Generate the PIE code by default
+			options.Add("-fPIE");
+
 			// Determine options
 			if (debugMode)
 			{
@@ -1069,11 +1051,11 @@ void generateGccOptions(string outDir, bool debugMode, bool crossCompile, out st
 				options.Add("-lrt");
 				options.Add("-lnsl");
 				options.Add("-lsocket");
-				options.Add("-ldl");
+				//options.Add("-ldl");
 			}
 			else if (this.Os == OSList.Linux)
 			{
-				options.Add("-ldl");
+				//options.Add("-ldl");
 				options.Add("-lrt");
 			}
 			else if (this.Os == OSList.MacOS)
@@ -1095,6 +1077,12 @@ void generateGccOptions(string outDir, bool debugMode, bool crossCompile, out st
 			options.Add("-lpthread");
 
 			gccOptionForLink = MakeGccOptions(new string[0], new string[0], options.ToArray(), libs.ToArray());
+
+			if (this.Os == OSList.Linux || this.Os == OSList.Solaris)
+			{
+				// Add the "-ldl" flag on the end of the command line
+				gccOptionForLink += " -ldl";
+			}
 		}
 
 		public static string MakeGccOptions(string[] macros, string[] includeDirs, string[] options, string[] libs)

diff --git a/src/BuildUtil/VpnBuilderConfig.cs b/src/BuildUtil/VpnBuilderConfig.cs
@@ -163,7 +163,7 @@ public static class BuildSoftwareList
 				null);
 		public static readonly BuildSoftware vpnserver_linux_armeabi_ja =
 			new BuildSoftwareUnix(Software.vpnserver, 0, 0, "", CpuList.armeabi, OSList.Linux,
-				"linux-armeabi-32bit", false, "linux-armeabi-32bit-4.3.2", true,
+				"linux-armeabi-32bit", false, "linux-armeabi-32bit-4.3.2", false,
 				null);
 		public static readonly BuildSoftware vpnserver_linux_mipsel_ja =
 			new BuildSoftwareUnix(Software.vpnserver, 0, 0, "", CpuList.mipsel, OSList.Linux,
@@ -193,7 +193,7 @@ public static class BuildSoftwareList
 				null);
 		public static readonly BuildSoftware vpnclient_linux_armeabi_ja =
 			new BuildSoftwareUnix(Software.vpnclient, 0, 0, "", CpuList.armeabi, OSList.Linux,
-				"linux-armeabi-32bit", false, "linux-armeabi-32bit-4.3.2", true,
+				"linux-armeabi-32bit", false, "linux-armeabi-32bit-4.3.2", false,
 				null);
 		public static readonly BuildSoftware vpnclient_linux_mipsel_ja =
 			new BuildSoftwareUnix(Software.vpnclient, 0, 0, "", CpuList.mipsel, OSList.Linux,
@@ -223,7 +223,7 @@ public static class BuildSoftwareList
 				null);
 		public static readonly BuildSoftware vpnbridge_linux_armeabi_ja =
 			new BuildSoftwareUnix(Software.vpnbridge, 0, 0, "", CpuList.armeabi, OSList.Linux,
-				"linux-armeabi-32bit", false, "linux-armeabi-32bit-4.3.2", true,
+				"linux-armeabi-32bit", false, "linux-armeabi-32bit-4.3.2", false,
 				null);
 		public static readonly BuildSoftware vpnbridge_linux_mipsel_ja =
 			new BuildSoftwareUnix(Software.vpnbridge, 0, 0, "", CpuList.mipsel, OSList.Linux,

diff --git a/src/Cedar/Account.c b/src/Cedar/Account.c
@@ -1439,3 +1439,50 @@ int CompareUserName(void *p1, void *p2)
 	return StrCmpi(u1->Name, u2->Name);
 }
 
+// Get the MAC address from the user's note string
+bool GetUserMacAddressFromUserNote(UCHAR *mac, wchar_t *note)
+{
+	bool ret = false;
+	UINT i;
+
+	Zero(mac, 6);
+	if (mac == NULL || note == NULL)
+	{
+		return false;
+	}
+
+	i = UniSearchStrEx(note, USER_MAC_STR_PREFIX, 0, false);
+	if (i != INFINITE)
+	{
+		wchar_t *macstr_start = &note[i + UniStrLen(USER_MAC_STR_PREFIX)];
+		wchar_t macstr2[MAX_SIZE];
+		UNI_TOKEN_LIST *tokens;
+
+		UniStrCpy(macstr2, sizeof(macstr2), macstr_start);
+
+		UniTrim(macstr2);
+
+		tokens = UniParseToken(macstr2, L" ,/()[].");
+		if (tokens != NULL)
+		{
+			if (tokens->NumTokens >= 1)
+			{
+				wchar_t *macstr = tokens->Token[0];
+
+				if (UniIsEmptyStr(macstr) == false)
+				{
+					char macstr_a[MAX_SIZE];
+
+					UniToStr(macstr_a, sizeof(macstr_a), macstr);
+
+					ret = StrToMac(mac, macstr_a);
+				}
+			}
+
+			UniFreeToken(tokens);
+		}
+	}
+
+	return ret;
+}
+
diff --git a/src/Cedar/Account.h b/src/Cedar/Account.h
@@ -105,6 +105,8 @@
 #ifndef	ACCOUNT_H
 #define	ACCOUNT_H
 
+#define	USER_MAC_STR_PREFIX		L"MAC:"
+
 // Policy item
 struct POLICY_ITEM
 {
@@ -303,6 +305,7 @@ POLICY_ITEM *GetPolicyItem(UINT id);
 void GetPolicyValueRangeStr(wchar_t *str, UINT size, UINT id);
 void FormatPolicyValue(wchar_t *str, UINT size, UINT id, UINT value);
 char *NormalizePolicyName(char *name);
+bool GetUserMacAddressFromUserNote(UCHAR *mac, wchar_t *note);
 
 
 #endif	// ACCOUNT_H

diff --git a/src/Cedar/Cedar.h b/src/Cedar/Cedar.h
@@ -126,10 +126,10 @@
 
 
 // Version number
-#define	CEDAR_VER					430
+#define	CEDAR_VER					431
 
 // Build Number
-#define	CEDAR_BUILD					9700
+#define	CEDAR_BUILD					9727
 
 // Beta number
 //#define	BETA_NUMBER					3
@@ -139,21 +139,21 @@
 
 // Specify the name of the person in charge building
 #ifndef	BUILDER_NAME
-#define	BUILDER_NAME		"yagi"
+#define	BUILDER_NAME		"buildsan"
 #endif	// BUILDER_NAME
 
 // Specify the location to build
 #ifndef	BUILD_PLACE
-#define	BUILD_PLACE			"pc33"
+#define	BUILD_PLACE			"crosswin"
 #endif	// BUILD_PLACE
 
 // Specifies the build date
 #define	BUILD_DATE_Y		2019
-#define	BUILD_DATE_M		7
-#define	BUILD_DATE_D		13
-#define	BUILD_DATE_HO		21
-#define	BUILD_DATE_MI		37
-#define	BUILD_DATE_SE		51
+#define	BUILD_DATE_M		11
+#define	BUILD_DATE_D		18
+#define	BUILD_DATE_HO		10
+#define	BUILD_DATE_MI		55
+#define	BUILD_DATE_SE		38
 
 // Tolerable time difference
 #define	ALLOW_TIMESTAMP_DIFF		(UINT64)(3 * 24 * 60 * 60 * 1000)

diff --git a/src/Cedar/IPsec_IKE.c b/src/Cedar/IPsec_IKE.c
@@ -135,7 +135,10 @@ void ProcIKEPacketRecv(IKE_SERVER *ike, UDPPACKET *p)
 			break;
 
 		case IKE_EXCHANGE_TYPE_AGGRESSIVE:	// Aggressive mode
-			ProcIkeAggressiveModePacketRecv(ike, p, header);
+			if (ike->Cedar->Server->DisableIPsecAggressiveMode == false)
+			{
+				ProcIkeAggressiveModePacketRecv(ike, p, header);
+			}
 			break;
 
 		case IKE_EXCHANGE_TYPE_QUICK:	// Quick mode

diff --git a/src/Cedar/Interop_OpenVPN.c b/src/Cedar/Interop_OpenVPN.c
@@ -482,7 +482,7 @@ void OvsProcessRecvControlPacket(OPENVPN_SERVER *s, OPENVPN_SESSION *se, OPENVPN
 
 		case OPENVPN_P_CONTROL_HARD_RESET_CLIENT_V2:
 			// New connection (hard reset)
-			OvsSendControlPacket(c, OPENVPN_P_CONTROL_HARD_RESET_SERVER_V2, NULL, 0);
+			OvsSendControlPacketEx(c, OPENVPN_P_CONTROL_HARD_RESET_SERVER_V2, NULL, 0, true);
 
 			c->Status = OPENVPN_CHANNEL_STATUS_TLS_WAIT_CLIENT_KEY;
 			break;
@@ -1267,6 +1267,10 @@ void OvsSendControlPacketWithAutoSplit(OPENVPN_CHANNEL *c, UCHAR opcode, UCHAR *
 
 // Send the control packet
 void OvsSendControlPacket(OPENVPN_CHANNEL *c, UCHAR opcode, UCHAR *data, UINT data_size)
+{
+	OvsSendControlPacketEx(c, opcode, data, data_size, false);
+}
+void OvsSendControlPacketEx(OPENVPN_CHANNEL *c, UCHAR opcode, UCHAR *data, UINT data_size, bool no_resend)
 {
 	OPENVPN_CONTROL_PACKET *p;
 	// Validate arguments
@@ -1277,6 +1281,8 @@ void OvsSendControlPacket(OPENVPN_CHANNEL *c, UCHAR opcode, UCHAR *data, UINT da
 
 	p = ZeroMalloc(sizeof(OPENVPN_CONTROL_PACKET));
 
+	p->NoResend = no_resend;
+
 	p->OpCode = opcode;
 	p->PacketId = c->NextSendPacketId++;
 
@@ -2258,20 +2264,25 @@ void OvsRecvPacket(OPENVPN_SERVER *s, LIST *recv_packet_list, UINT protocol)
 
 					if (cp->NextSendTime <= s->Now)
 					{
-						OPENVPN_PACKET *p;
+						if (cp->NoResend == false || cp->NumSent == 0) // To address the UDP reflection amplification attack: https://github.com/SoftEtherVPN/SoftEtherVPN/issues/1001
+						{
+							OPENVPN_PACKET *p;
+
+							cp->NumSent++;
 
-						num = OvsGetAckReplyList(c, acks);
+							num = OvsGetAckReplyList(c, acks);
 
-						p = OvsNewControlPacket(cp->OpCode, j, se->ServerSessionId, num, acks,
-							se->ClientSessionId, cp->PacketId, cp->DataSize, cp->Data);
+							p = OvsNewControlPacket(cp->OpCode, j, se->ServerSessionId, num, acks,
+								se->ClientSessionId, cp->PacketId, cp->DataSize, cp->Data);
 
-						OvsSendPacketNow(s, se, p);
+							OvsSendPacketNow(s, se, p);
 
-						OvsFreePacket(p);
+							OvsFreePacket(p);
 
-						cp->NextSendTime = s->Now + (UINT64)OPENVPN_CONTROL_PACKET_RESEND_INTERVAL;
+							cp->NextSendTime = s->Now + (UINT64)OPENVPN_CONTROL_PACKET_RESEND_INTERVAL;
 
-						AddInterrupt(s->Interrupt, cp->NextSendTime);
+							AddInterrupt(s->Interrupt, cp->NextSendTime);
+						}
 					}
 				}
 

diff --git a/src/Cedar/Interop_OpenVPN.h b/src/Cedar/Interop_OpenVPN.h
@@ -204,6 +204,8 @@ struct OPENVPN_CONTROL_PACKET
 	UINT DataSize;										// Data size
 	UCHAR *Data;										// Data body
 	UINT64 NextSendTime;								// Scheduled next transmission time
+	bool NoResend;										// Disable re-sending
+	UINT NumSent;										// How many times we have sent this packet
 };
 
 // OpenVPN packet
@@ -343,6 +345,7 @@ void OvsSendPacketRawNow(OPENVPN_SERVER *s, OPENVPN_SESSION *se, void *data, UIN
 
 void OvsProcessRecvControlPacket(OPENVPN_SERVER *s, OPENVPN_SESSION *se, OPENVPN_CHANNEL *c, OPENVPN_PACKET *p);
 void OvsSendControlPacket(OPENVPN_CHANNEL *c, UCHAR opcode, UCHAR *data, UINT data_size);
+void OvsSendControlPacketEx(OPENVPN_CHANNEL *c, UCHAR opcode, UCHAR *data, UINT data_size, bool no_resend);
 void OvsSendControlPacketWithAutoSplit(OPENVPN_CHANNEL *c, UCHAR opcode, UCHAR *data, UINT data_size);
 void OvsFreeControlPacket(OPENVPN_CONTROL_PACKET *p);
 void OvsDeleteFromSendingControlPacketList(OPENVPN_CHANNEL *c, UINT num_acks, UINT *acks);

diff --git a/src/Cedar/Protocol.c b/src/Cedar/Protocol.c
@@ -3021,6 +3021,8 @@ bool ServerAccept(CONNECTION *c)
 				// Get the policy
 				if (farm_member == false)
 				{
+					bool is_asterisk_user = false;
+
 					// In the case of not a farm member
 					user = AcGetUser(hub, username);
 					if (user == NULL)
@@ -3035,12 +3037,28 @@ bool ServerAccept(CONNECTION *c)
 							error_detail = "AcGetUser";
 							goto CLEANUP;
 						}
+
+						is_asterisk_user = true;
 					}
 
 					policy = NULL;
 
 					Lock(user->lock);
 					{
+						if (is_asterisk_user == false)
+						{
+							UCHAR associated_mac_address[6];
+
+							// Get the associated virtual MAC address
+							if (GetUserMacAddressFromUserNote(associated_mac_address, user->Note))
+							{
+								if (IsZero(assigned_ipc_mac_address, 6))
+								{
+									Copy(assigned_ipc_mac_address, associated_mac_address, 6);
+								}
+							}
+						}
+
 						// Get the expiration date
 						user_expires = user->ExpireTime;
 
@@ -7302,7 +7320,12 @@ bool ServerDownloadSignature(CONNECTION *c, char **error_detail_str)
 					*error_detail_str = "HTTP_ROOT";
 
 					{
-						BUF *b = ReadDump("|wwwroot\\index.html");
+						BUF *b = NULL;
+
+						if (disable_json_api == false)
+						{
+							b = ReadDump("|wwwroot\\index.html");
+						}
 
 						if (b != NULL)
 						{

diff --git a/src/Cedar/Server.c b/src/Cedar/Server.c
@@ -6003,6 +6003,9 @@ void SiLoadServerCfg(SERVER *s, FOLDER *f)
 		// Disable the NAT-traversal feature
 		s->DisableNatTraversal = CfgGetBool(f, "DisableNatTraversal");
 
+		// Disable IPsec Aggressive Mode
+		s->DisableIPsecAggressiveMode = CfgGetBool(f, "DisableIPsecAggressiveMode");
+
 		// Intel AES
 		s->DisableIntelAesAcceleration = CfgGetBool(f, "DisableIntelAesAcceleration");
 
@@ -6410,6 +6413,8 @@ void SiWriteServerCfg(FOLDER *f, SERVER *s)
 			}
 		}
 
+		CfgAddBool(f, "DisableIPsecAggressiveMode", s->DisableIPsecAggressiveMode);
+
 		CfgAddStr(f, "OpenVPNDefaultClientOption", c->OpenVPNDefaultClientOption);
 
 		if (c->Bridge == false)

diff --git a/src/Cedar/Server.h b/src/Cedar/Server.h
@@ -288,6 +288,7 @@ struct SERVER
 	bool NoMoreSave;					// Do not save any more
 	bool EnableConditionalAccept;		// Apply the Conditional Accept the Listener
 	bool EnableLegacySSL;				// Enable Legacy SSL
+	bool DisableIPsecAggressiveMode;	// Disable IPsec Aggressive Mode
 
 	volatile bool Halt;					// Halting flag
 	LOCK *lock;							// Lock

diff --git a/src/CurrentBuild.txt b/src/CurrentBuild.txt
@@ -1,4 +1,4 @@
-BUILD_NUMBER 9700
-VERSION 430
+BUILD_NUMBER 9727
+VERSION 431
 BUILD_NAME beta
-BUILD_DATE 20190713_213751
+BUILD_DATE 20191118_105538