v4.37-9758-beta

SoftEtherVPN · Aug 15, 2021 · 005285b · 005285b
1 parent ddc99f0
commit 005285b
Show file tree

Hide file tree

Showing 19 changed files with 140 additions and 20 deletions.
diff --git a/src/BuildUtil/UnixBuildSoftwares.cs b/src/BuildUtil/UnixBuildSoftwares.cs
@@ -632,7 +632,7 @@ public virtual StringWriter GenerateMakeFileForRelease(string srcDir)
 			sr.WriteLine("# You have to read and agree the license agreement at the same directory");
 			sr.WriteLine("#  before using this software.");
 			sr.WriteLine();
-			sr.WriteLine("i_read_and_agree_the_license_agreement:");
+			sr.WriteLine("main:");
 
 			sr.WriteLine("\t@echo \"Preparing {0}...\"", BuildHelper.GetSoftwareTitle(this.Software));
 

diff --git a/src/Cedar/Cedar.h b/src/Cedar/Cedar.h
@@ -126,10 +126,10 @@
 
 
 // Version number
-#define	CEDAR_VER					436
+#define	CEDAR_VER					437
 
 // Build Number
-#define	CEDAR_BUILD					9754
+#define	CEDAR_BUILD					9758
 
 // Beta number
 //#define	BETA_NUMBER					3
@@ -149,11 +149,11 @@
 
 // Specifies the build date
 #define	BUILD_DATE_Y		2021
-#define	BUILD_DATE_M		6
-#define	BUILD_DATE_D		7
-#define	BUILD_DATE_HO		21
-#define	BUILD_DATE_MI		29
-#define	BUILD_DATE_SE		54
+#define	BUILD_DATE_M		8
+#define	BUILD_DATE_D		16
+#define	BUILD_DATE_HO		0
+#define	BUILD_DATE_MI		27
+#define	BUILD_DATE_SE		11
 
 // Tolerable time difference
 #define	ALLOW_TIMESTAMP_DIFF		(UINT64)(3 * 24 * 60 * 60 * 1000)

diff --git a/src/Cedar/CedarType.h b/src/Cedar/CedarType.h
@@ -616,6 +616,7 @@ typedef struct IKE_SA_TRANSFORM_SETTING IKE_SA_TRANSFORM_SETTING;
 typedef struct IKE_CLIENT IKE_CLIENT;
 typedef struct IPSECSA IPSECSA;
 typedef struct IKE_CAPS IKE_CAPS;
+typedef struct IKE_INFOMSG_QUOTA_ENTRY IKE_INFOMSG_QUOTA_ENTRY;
 
 // ==============================================================
 //  IPSec Packet

diff --git a/src/Cedar/Connection.c b/src/Cedar/Connection.c
@@ -3571,6 +3571,7 @@ CONNECTION *NewServerConnection(CEDAR *cedar, SOCK *s, THREAD *t)
 	{
 		AddRef(c->FirstSock->ref);
 		Copy(&c->ClientIp, &s->RemoteIP, sizeof(IP));
+		c->ClientPort = s->RemotePort;
 		StrCpy(c->ClientHostname, sizeof(c->ClientHostname), s->RemoteHostname);
 	}
 	c->Tcp = ZeroMalloc(sizeof(TCP));

diff --git a/src/Cedar/Connection.h b/src/Cedar/Connection.h
@@ -300,6 +300,7 @@ struct CONNECTION
 	char *CipherName;				// Encryption algorithm name
 	UINT64 ConnectedTick;			// Time it is connected
 	IP ClientIp;					// Client IP address
+	UINT ClientPort;				// Client Port number
 	char ClientHostname[MAX_HOST_NAME_LEN + 1];	// Client host name
 	UINT Type;						// Type
 	bool DontUseTls1;				// Do not use TLS 1.0

diff --git a/src/Cedar/IPsec.c b/src/Cedar/IPsec.c
@@ -381,6 +381,13 @@ void IPsecServerUdpPacketRecvProc(UDPLISTENER *u, LIST *packet_list)
 
 	ike->Now = now;
 
+	if (now >= ike->NextInfoMsgQuotaClearTick)
+	{
+		ike->NextInfoMsgQuotaClearTick = now + 1000ULL;
+
+		IkeInfoMsgQuotaDeleteAll(ike);
+	}
+
 	if (ipsec_disable == false)
 	{
 		{

diff --git a/src/Cedar/IPsec_IKE.c b/src/Cedar/IPsec_IKE.c
@@ -159,6 +159,55 @@ void ProcIKEPacketRecv(IKE_SERVER *ike, UDPPACKET *p)
 	}
 }
 
+IKE_INFOMSG_QUOTA_ENTRY *IkeInfoMsgQuotaGetEntry(IKE_SERVER *ike, IP *client_ip)
+{
+	UINT i;
+	IKE_INFOMSG_QUOTA_ENTRY *new_entry = NULL;
+	if (ike == NULL || client_ip == NULL)
+	{
+		return NULL;
+	}
+
+	for (i = 0;i < LIST_NUM(ike->InfoMsgQuotaList);i++)
+	{
+		IKE_INFOMSG_QUOTA_ENTRY *q = LIST_DATA(ike->InfoMsgQuotaList, i);
+
+		if (CmpIpAddr(&q->ClientIp, client_ip) == 0)
+		{
+			return q;
+		}
+	}
+
+	if (LIST_NUM(ike->InfoMsgQuotaList) >= IKE_QUOTA_MAX_INFOMSG_ENTRY_COUNT)
+	{
+		return NULL;
+	}
+
+	new_entry = ZeroMalloc(sizeof(IKE_INFOMSG_QUOTA_ENTRY));
+	CopyIP(&new_entry->ClientIp, client_ip);
+	Add(ike->InfoMsgQuotaList, new_entry);
+
+	return new_entry;
+}
+
+void IkeInfoMsgQuotaDeleteAll(IKE_SERVER *ike)
+{
+	UINT i;
+	if (ike == NULL)
+	{
+		return;
+	}
+
+	for (i = 0;i < LIST_NUM(ike->InfoMsgQuotaList);i++)
+	{
+		IKE_INFOMSG_QUOTA_ENTRY *q = LIST_DATA(ike->InfoMsgQuotaList, i);
+
+		Free(q);
+	}
+
+	DeleteAll(ike->InfoMsgQuotaList);
+}
+
 // Send a packet via IPsec
 void IPsecSendPacketByIPsecSa(IKE_SERVER *ike, IPSECSA *sa, UCHAR *data, UINT data_size, UCHAR protocol_id)
 {
@@ -1337,6 +1386,7 @@ void SendInformationalExchangePacketEx(IKE_SERVER *ike, IKE_CLIENT *c, IKE_PACKE
 	BUF *tmp_buf;
 	UCHAR hash[IKE_MAX_HASH_SIZE];
 	IKE_CRYPTO_PARAM cp;
+	IKE_INFOMSG_QUOTA_ENTRY *quota_entry;
 	bool plain = false;
 	// Validate arguments
 	if (ike == NULL || c == NULL || payload == NULL)
@@ -1345,6 +1395,20 @@ void SendInformationalExchangePacketEx(IKE_SERVER *ike, IKE_CLIENT *c, IKE_PACKE
 		return;
 	}
 
+	quota_entry = IkeInfoMsgQuotaGetEntry(ike, &c->ClientIP);
+	if (quota_entry == NULL)
+	{
+		IkeFreePayload(payload);
+		return;
+	}
+
+	quota_entry->Count++;
+	if (quota_entry->Count >= IKE_QUOTA_MAX_INFOMSG_SEND_PER_IP_PER_SEC)
+	{
+		IkeFreePayload(payload);
+		return;
+	}
+
 	sa = c->CurrentIkeSa;
 	if (sa == NULL)
 	{
@@ -5940,6 +6004,15 @@ void FreeIKEServer(IKE_SERVER *ike)
 
 	FreeIkeEngine(ike->Engine);
 
+	for (i = 0;i < LIST_NUM(ike->InfoMsgQuotaList);i++)
+	{
+		IKE_INFOMSG_QUOTA_ENTRY *q = LIST_DATA(ike->InfoMsgQuotaList, i);
+
+		Free(q);
+	}
+
+	ReleaseList(ike->InfoMsgQuotaList);
+
 	Debug("FreeThreadList()...\n");
 	FreeThreadList(ike->ThreadList);
 	Debug("FreeThreadList() Done.\n");
@@ -5974,6 +6047,8 @@ IKE_SERVER *NewIKEServer(CEDAR *cedar, IPSEC_SERVER *ipsec)
 
 	ike->ClientList = NewList(CmpIkeClient);
 
+	ike->InfoMsgQuotaList = NewList(NULL);
+
 	ike->Engine = NewIkeEngine();
 
 	ike->ThreadList = NewThreadList();

diff --git a/src/Cedar/IPsec_IKE.h b/src/Cedar/IPsec_IKE.h
@@ -148,6 +148,9 @@
 #define	IKE_QUOTA_MAX_NUM_CLIENTS			30000			// Limit number of IKE_CLIENT
 #define	IKE_QUOTA_MAX_SA_PER_CLIENT			100				// The limit number of SA for each IKE_CLIENT
 
+#define IKE_QUOTA_MAX_INFOMSG_SEND_PER_IP_PER_SEC	20
+#define IKE_QUOTA_MAX_INFOMSG_ENTRY_COUNT	100
+
 // Time-out
 #define	IKE_TIMEOUT_FOR_IKE_CLIENT			150000			// IKE_CLIENT non-communication disconnect time
 #define	IKE_TIMEOUT_FOR_IKE_CLIENT_FOR_NOT_ESTABLISHED		10000 // IKE_CLIENT non-communication disconnect time (connection incomplete)
@@ -346,6 +349,12 @@ struct IPSECSA
 	IKE_HASH *SKEYID_Hash;
 };
 
+struct IKE_INFOMSG_QUOTA_ENTRY
+{
+	IP ClientIp;
+	UINT Count;
+};
+
 // IKE server
 struct IKE_SERVER
 {
@@ -360,6 +369,8 @@ struct IKE_SERVER
 	LIST *IkeSaList;							// SA list
 	LIST *IPsecSaList;							// IPsec SA list
 	LIST *ThreadList;							// L2TP thread list
+	LIST *InfoMsgQuotaList;						// Information Message Quota List
+	UINT64 NextInfoMsgQuotaClearTick;
 	bool StateHasChanged;						// Flag whether the state has changed
 	UINT CurrentIkeSaId, CurrentIPsecSaId, CurrentIkeClientId, CurrentEtherId;	// Serial number ID
 
@@ -463,5 +474,8 @@ void ProcL2TPv3PacketRecv(IKE_SERVER *ike, IKE_CLIENT *c, UCHAR *data, UINT data
 
 IKE_SA *SearchIkeSaByCookie(IKE_SERVER *ike, UINT64 init_cookie, UINT64 resp_cookie);
 
+IKE_INFOMSG_QUOTA_ENTRY *IkeInfoMsgQuotaGetEntry(IKE_SERVER *ike, IP *client_ip);
+void IkeInfoMsgQuotaDeleteAll(IKE_SERVER *ike);
+
 #endif	// IPSEC_IKE_H
 
diff --git a/src/Cedar/Logging.c b/src/Cedar/Logging.c
@@ -1147,11 +1147,23 @@ bool PacketLog(HUB *hub, SESSION *src_session, SESSION *dest_session, PKT *packe
 		if (src_session != NULL && src_session->NormalClient)
 		{
 			StrCpy(pl->SrcPhysicalIP, sizeof(pl->SrcPhysicalIP), src_session->ClientIP);
+			if (src_session->ClientPort != 0)
+			{
+				char tmp[32] = {0};
+				Format(tmp, sizeof(tmp), "(port=%u)", src_session->ClientPort);
+				StrCat(pl->SrcPhysicalIP, sizeof(pl->SrcPhysicalIP), tmp);
+			}
 		}
 
 		if (dest_session != NULL && dest_session->NormalClient)
 		{
 			StrCpy(pl->DestPhysicalIP, sizeof(pl->DestPhysicalIP), dest_session->ClientIP);
+			if (dest_session->ClientPort != 0)
+			{
+				char tmp[32] = {0};
+				Format(tmp, sizeof(tmp), "(port=%u)", dest_session->ClientPort);
+				StrCat(pl->DestPhysicalIP, sizeof(pl->DestPhysicalIP), tmp);
+			}
 		}
 
 		pl->WritePhysicalIP = true;

diff --git a/src/Cedar/Protocol.c b/src/Cedar/Protocol.c
@@ -3736,6 +3736,7 @@ bool ServerAccept(CONNECTION *c)
 			s->NormalClient = true;
 
 			IPToStr(s->ClientIP, sizeof(s->ClientIP), &c->ClientIp);
+			s->ClientPort = c->ClientPort;
 
 			if (c->FirstSock->IsRUDPSocket)
 			{
@@ -7783,7 +7784,10 @@ SOCK *SocksConnectEx2(CONNECTION *c, char *proxy_host_name, UINT proxy_port,
 	if (c == NULL || proxy_host_name == NULL || proxy_port == 0 || server_host_name == NULL
 		|| server_port == 0)
 	{
-		c->Err = ERR_PROXY_CONNECT_FAILED;
+		if (c != NULL)
+		{
+			c->Err = ERR_PROXY_CONNECT_FAILED;
+		}
 		return NULL;
 	}
 
@@ -7977,7 +7981,10 @@ SOCK *ProxyConnectEx2(CONNECTION *c, char *proxy_host_name, UINT proxy_port,
 	if (c == NULL || proxy_host_name == NULL || proxy_port == 0 || server_host_name == NULL ||
 		server_port == 0)
 	{
-		c->Err = ERR_PROXY_CONNECT_FAILED;
+		if (c != NULL)
+		{
+			c->Err = ERR_PROXY_CONNECT_FAILED;
+		}
 		return NULL;
 	}
 	if (username != NULL && password != NULL &&
@@ -8977,7 +8984,7 @@ UINT WsRecvSync(WS *w, void *data, UINT size)
 			return sz;
 		}
 		r = Recv(w->Sock, w->TmpBuf, sizeof(w->TmpBuf), w->Sock->SecureMode);
-		if (r == 0)
+		if (r == 0 || r == SOCK_LATER)
 		{
 			break;
 		}
@@ -9589,9 +9596,9 @@ UINT MvpnDoAccept(CONNECTION *c, WS *w)
 		StrCpy(ipc_param.HubName, sizeof(ipc_param.HubName), client_hub_name);
 		StrCpy(ipc_param.UserName, sizeof(ipc_param.UserName), auth_username);
 		CopyIP(&ipc_param.ClientIp, &w->Sock->RemoteIP);
-		ipc_param.ClientPort, w->Sock->RemotePort;
+		ipc_param.ClientPort = w->Sock->RemotePort;
 		CopyIP(&ipc_param.ServerIp, &w->Sock->LocalIP);
-		ipc_param.ServerPort, w->Sock->LocalPort;
+		ipc_param.ServerPort = w->Sock->LocalPort;
 		StrCpy(ipc_param.ClientHostname, sizeof(ipc_param.ClientHostname), w->Sock->RemoteHostname);
 		StrCpy(ipc_param.CryptName, sizeof(ipc_param.CryptName), w->Sock->CipherName);
 		ipc_param.Layer = IPC_LAYER_3; // TODO

diff --git a/src/Cedar/Session.h b/src/Cedar/Session.h
@@ -185,6 +185,7 @@ struct SESSION
 	THREAD *Thread;					// Management thread
 	CONNECTION *Connection;			// Connection
 	char ClientIP[64];				// Client IP
+	UINT ClientPort;				// Client Port
 	CLIENT_OPTION *ClientOption;	// Client connection options
 	CLIENT_AUTH *ClientAuth;		// Client authentication data
 	volatile bool Halt;				// Halting flag

diff --git a/src/CurrentBuild.txt b/src/CurrentBuild.txt
@@ -1,4 +1,4 @@
-BUILD_NUMBER 9754
-VERSION 436
+BUILD_NUMBER 9758
+VERSION 437
 BUILD_NAME beta
-BUILD_DATE 20210607_212954
+BUILD_DATE 20210816_002711
diff --git a/src/Mayaqua/Encrypt.c b/src/Mayaqua/Encrypt.c
@@ -2642,6 +2642,7 @@ bool RsaPrivateDecrypt(void *dst, void *src, UINT size, K *k)
 	Unlock(openssl_lock);
 	if (ret <= 0)
 	{
+		Free(tmp);
 		return false;
 	}
 

diff --git a/src/Mayaqua/Kernel.c b/src/Mayaqua/Kernel.c
@@ -566,7 +566,7 @@ void GetHomeDir(char *path, UINT size)
 		if (GetEnv("HOMEDRIVE", drive, sizeof(drive)) &&
 			GetEnv("HOMEPATH", hpath, sizeof(hpath)))
 		{
-			Format(path, sizeof(path), "%s%s", drive, hpath);
+			Format(path, size, "%s%s", drive, hpath);
 		}
 		else
 		{

diff --git a/src/bin/vpnweb.cab b/src/bin/vpnweb.cab
diff --git a/src/bin/vpnweb.ocx b/src/bin/vpnweb.ocx
diff --git a/src/vpnweb/vpnweb.h b/src/vpnweb/vpnweb.h
@@ -4,7 +4,7 @@
 
 
  /* File created by MIDL compiler version 7.00.0500 */
-/* at Mon Jun 07 21:30:12 2021
+/* at Mon Aug 16 00:27:28 2021
  */
 /* Compiler settings for .\vpnweb.idl:
     Oicf, W1, Zp8, env=Win32 (32b run)

diff --git a/src/vpnweb/vpnweb_i.c b/src/vpnweb/vpnweb_i.c
@@ -6,7 +6,7 @@
 
 
  /* File created by MIDL compiler version 7.00.0500 */
-/* at Mon Jun 07 21:30:12 2021
+/* at Mon Aug 16 00:27:28 2021
  */
 /* Compiler settings for .\vpnweb.idl:
     Oicf, W1, Zp8, env=Win32 (32b run)

diff --git a/src/vpnweb/vpnweb_p.c b/src/vpnweb/vpnweb_p.c
@@ -4,7 +4,7 @@
 
 
  /* File created by MIDL compiler version 7.00.0500 */
-/* at Mon Jun 07 21:30:12 2021
+/* at Mon Aug 16 00:27:28 2021
  */
 /* Compiler settings for .\vpnweb.idl:
     Oicf, W1, Zp8, env=Win32 (32b run)