v4.32-9731-beta
dnobori committed Jan 1, 2020
1 parent 53f1f21 commit 12b0330
Showing 28 changed files with 204 additions and 68 deletions.
18 changes: 9 additions & 9 deletions WARNING.TXT
Expand Up @@ -20,7 +20,7 @@ Protocol (SE-VPN Protocol)" . SE-VPN protocol encapsulates any Ethernet
packets into a HTTPS (HTTP over SSL) connection. Therefore SE-VPN protocol can
communicate beyond firewalls even if the firewall is configured to block
traditional VPN packets by network administrator. SE-VPN protocol is designed
and implemented to comply TLS 1.0 (RFC 5246) and HTTPS (RFC 2818). However, it
and implemented to comply TLS (RFC 5246) and HTTPS (RFC 2818). However, it
sometimes have different behavior to RFCs. If you are a network administrator
and want to block SE-VPN protocols on the firewall, you can adopt a
"white-list" policy on the firewall to filter any TCP or UDP packets on the
Expand Down Expand Up @@ -375,10 +375,11 @@ Experiment Service Directory Server. The information includes the operator's
information which described in section 5.5, logging settings, uptime,
operating system version, type of protocol, port numbers, quality information,
statistical information, VPN Gate clients' log history data (includes dates,
IP addresses, version numbers and IDs) and the version of the software. These
information will be exposed on the directory. VPN Gate Service also receives a
key for encoding which is described on the chapter 5.9 from the directory
server.
IP addresses, version numbers and IDs), log records of destination IP
addresses and port numbers of VPN Gate communications, and the version of the
software. These information may be exposed on the directory. VPN Gate Service
also receives a key for encoding which is described on the chapter 5.9 from
the directory server.

5.3. Details of VPN Gate Service's Behavior
If you enable VPN Gate Service manually, which is disabled by default, the
Expand Down Expand Up @@ -490,6 +491,8 @@ of Tsukuba, Japan. You can find the contact address at
http://www.vpngate.net/. The administrator of VPN Gate Service will respond to
decode the packet logs if there is an appropriate and legal request from court
or other judicial authorities, according to laws.
The Packet Logs Automatic Archiving and Encoding Function may be disabled
according to technical or administrative reason.

5.10. Caution if You Operate VPN Gate Service in the Japan's Territories
When a user operates VPN Gate Service in the Japan's territories, such an act
Expand All @@ -499,10 +502,7 @@ a subject to the law. However, in such a circumstance, according to the
non- profitable operations of communications are not identified as a
"telecommunication business" . So usual operators of VPN Gate Service are not
subjects to "telecommunication business operators" , and not be mandated to
register to the government. Even so, legalities to protect the privacy of
communication still imposed. As a conclusion, if you operate VPN Gate Service
in the Japan's Territories, you must not leak the secrets of communications
which are transmitted via your operating VPN Gate Service.
register to the government.

5.11. VPN Gate Client
If SoftEther VPN Client contains the VPN Gate Client plug-in, you can use it
16 changes: 8 additions & 8 deletions src/Cedar/Cedar.h
Expand Up @@ -126,10 +126,10 @@


// Version number
#define CEDAR_VER 431
#define CEDAR_VER 432

// Build Number
#define CEDAR_BUILD 9727
#define CEDAR_BUILD 9731

// Beta number
//#define BETA_NUMBER 3
Expand All @@ -148,12 +148,12 @@
#endif // BUILD_PLACE

// Specifies the build date
#define BUILD_DATE_Y 2019
#define BUILD_DATE_M 11
#define BUILD_DATE_D 18
#define BUILD_DATE_HO 10
#define BUILD_DATE_MI 55
#define BUILD_DATE_SE 38
#define BUILD_DATE_Y 2020
#define BUILD_DATE_M 1
#define BUILD_DATE_D 1
#define BUILD_DATE_HO 17
#define BUILD_DATE_MI 54
#define BUILD_DATE_SE 10

// Tolerable time difference
#define ALLOW_TIMESTAMP_DIFF (UINT64)(3 * 24 * 60 * 60 * 1000)
110 changes: 108 additions & 2 deletions src/Cedar/Hub.c
Expand Up @@ -1660,13 +1660,15 @@ void HubWatchDogThread(THREAD *t, void *param)
o2 = NewListFast(NULL);

// Send an ARP packet
LockList(hub->IpTable);
LockHashList(hub->MacHashTable);
{
num = LIST_NUM(hub->IpTable);
for (i = 0;i < LIST_NUM(hub->IpTable);i++)
{
IP_TABLE_ENTRY *e = LIST_DATA(hub->IpTable, i);

if (e == NULL) continue;

if ((e->UpdatedTime + (UINT64)(IP_TABLE_EXPIRE_TIME)) > Tick64())
{
if (e->MacAddress[0] != 0xff || e->MacAddress[1] != 0xff || e->MacAddress[2] != 0xff ||
Expand Down Expand Up @@ -1742,7 +1744,7 @@ void HubWatchDogThread(THREAD *t, void *param)
}
}
}
UnlockList(hub->IpTable);
UnlockHashList(hub->MacHashTable);

if ((LIST_NUM(o) + LIST_NUM(o2)) != 0)
{
Expand Down Expand Up @@ -4120,6 +4122,17 @@ void StorePacket(HUB *hub, SESSION *s, PKT *packet)
}
}

if (s != NULL)
{
if (s->EnableLightRecvFilter)
{
if (IsValidUnicastMacAddress(packet->MacAddressSrc))
{
s->LightRecvFilterMac = READ_UINT(packet->MacAddressSrc + 2);
}
}
}

// Lock the entire MAC address table
LockHashList(hub->MacHashTable);
{
Expand Down Expand Up @@ -4789,6 +4802,18 @@ void StorePacket(HUB *hub, SESSION *s, PKT *packet)

Insert(hub->IpTable, e);

if (s->EnableLightRecvFilter)
{
if (s->LightRecvFilterIPv4_1 == 0)
{
s->LightRecvFilterIPv4_1 = uint_ip;
}
else
{
s->LightRecvFilterIPv4_2 = uint_ip;
}
}

if (0)
{
char ip_address[64];
Expand Down Expand Up @@ -5036,6 +5061,7 @@ void StorePacket(HUB *hub, SESSION *s, PKT *packet)
{
// Flooding as a broadcast packet
UINT current_tcp_queue_size = 0;
UINT bcast_mac_dst = READ_UINT(packet->MacAddressDest + 2);

// Take a packet log
if (s != NULL)
Expand All @@ -5061,9 +5087,60 @@ void StorePacket(HUB *hub, SESSION *s, PKT *packet)
{
bool delete_default_router_in_ra = false;

if (dest_session->Policy != NULL && dest_session->Policy->DHCPNoServer)
{
if (packet->TypeL3 == L3_IPV4 &&
packet->TypeL4 == L4_UDP &&
packet->TypeL7 == L7_DHCPV4 &&
(packet->DhcpOpCode == DHCP_DISCOVER || packet->DhcpOpCode == DHCP_REQUEST || packet->DhcpOpCode == DHCP_RELEASE || packet->DhcpOpCode == DHCP_INFORM))
{
discard = true;
goto L_SKIP_TO_DISCARD;
}
}

if (dest_session->EnableLightRecvFilter)
{
if (packet->BroadcastPacket == false &&
dest_session->LightRecvFilterMac != 0 &&
dest_session->LightRecvFilterMac != bcast_mac_dst)
{
discard = true;
goto L_SKIP_TO_DISCARD;
}

if (packet->BroadcastPacket &&
packet->TypeL3 == L3_ARPV4 &&
packet->L3.ARPv4Header->HardwareSize == 6 &&
Endian16(packet->L3.ARPv4Header->HardwareType) == ARP_HARDWARE_TYPE_ETHERNET &&
packet->L3.ARPv4Header->ProtocolSize == 4 &&
Endian16(packet->L3.ARPv4Header->ProtocolType) == MAC_PROTO_IPV4)
{
if (Endian16(packet->L3.ARPv4Header->Operation) == ARP_OPERATION_REQUEST)
{
bool ok = false;

if (dest_session->LightRecvFilterIPv4_1 != 0)
if (dest_session->LightRecvFilterIPv4_1 == packet->L3.ARPv4Header->TargetIP)
ok = true;

if (dest_session->LightRecvFilterIPv4_2 != 0)
if (dest_session->LightRecvFilterIPv4_2 == packet->L3.ARPv4Header->TargetIP)
ok = true;

if (ok == false)
{
discard = true;
goto L_SKIP_TO_DISCARD;
}
}
}
}

if (dest_session->IsMonitorMode)
{
discard = true;
goto L_SKIP_TO_DISCARD;
}

if (dest_session->NormalClient)
Expand All @@ -5075,6 +5152,7 @@ void StorePacket(HUB *hub, SESSION *s, PKT *packet)
{
// This is dormant session
discard = true;
goto L_SKIP_TO_DISCARD;
}
}
}
Expand All @@ -5090,13 +5168,15 @@ void StorePacket(HUB *hub, SESSION *s, PKT *packet)
dest_session->Connection->Protocol == CONNECTION_TCP)
{
discard = true;
goto L_SKIP_TO_DISCARD;
}

if (dest_session->LinkModeServer)
{
LINK *k = dest_session->Link;

discard = true;
goto L_SKIP_TO_DISCARD;
}
}
}
Expand All @@ -5105,6 +5185,7 @@ void StorePacket(HUB *hub, SESSION *s, PKT *packet)
packet->VlanId != dest_session->VLanId)
{
discard = true;
goto L_SKIP_TO_DISCARD;
}

if (dest_session->Policy->NoIPv6DefaultRouterInRA ||
Expand All @@ -5128,6 +5209,7 @@ void StorePacket(HUB *hub, SESSION *s, PKT *packet)
packet->ICMPv6HeaderPacketInfo.Type == ICMPV6_TYPE_ROUTER_ADVERTISEMENT))
{
discard = true;
goto L_SKIP_TO_DISCARD;
}
}

Expand All @@ -5138,6 +5220,7 @@ void StorePacket(HUB *hub, SESSION *s, PKT *packet)
packet->TypeL7 == L7_DHCPV4)
{
discard = true;
goto L_SKIP_TO_DISCARD;
}
}

Expand All @@ -5148,6 +5231,7 @@ void StorePacket(HUB *hub, SESSION *s, PKT *packet)
(Endian16(packet->L4.UDPHeader->DstPort) == 546 || Endian16(packet->L4.UDPHeader->DstPort) == 547))
{
discard = true;
goto L_SKIP_TO_DISCARD;
}
}

Expand Down Expand Up @@ -5191,20 +5275,23 @@ void StorePacket(HUB *hub, SESSION *s, PKT *packet)
if (packet->TypeL3 == L3_IPV4 || packet->TypeL3 == L3_ARPV4)
{
discard = true;
goto L_SKIP_TO_DISCARD;
}
}
if (dest_session->Policy->FilterIPv6)
{
if (packet->TypeL3 == L3_IPV6)
{
discard = true;
goto L_SKIP_TO_DISCARD;
}
}
if (dest_session->Policy->FilterNonIP)
{
if (packet->TypeL3 != L3_IPV4 && packet->TypeL3 != L3_ARPV4 && packet->TypeL3 != L3_IPV6)
{
discard = true;
goto L_SKIP_TO_DISCARD;
}
}

Expand All @@ -5218,6 +5305,7 @@ void StorePacket(HUB *hub, SESSION *s, PKT *packet)
if (drop_arp_packet_privacy || packet->TypeL3 != L3_ARPV4)
{
discard = true;
goto L_SKIP_TO_DISCARD;
}
}

Expand All @@ -5227,9 +5315,12 @@ void StorePacket(HUB *hub, SESSION *s, PKT *packet)
memcmp(packet->MacAddressDest, s->Hub->HubMacAddr, 6) == 0)
{
discard = true;
goto L_SKIP_TO_DISCARD;
}
}

L_SKIP_TO_DISCARD:

if (discard == false && dest_pa != NULL)
{
if (s == NULL ||
Expand Down Expand Up @@ -5899,6 +5990,21 @@ bool StorePacketFilterByPolicy(SESSION *s, PKT *p)
UINTToIP(&ip, ip_uint);
Copy(&t.Ip, &ip, sizeof(IP));

if (mac_table->Session != NULL)
{
if (mac_table->Session->EnableLightRecvFilter)
{
if (mac_table->Session->LightRecvFilterIPv4_1 == 0)
{
mac_table->Session->LightRecvFilterIPv4_1 = ip_uint;
}
else
{
mac_table->Session->LightRecvFilterIPv4_2 = ip_uint;
}
}
}

e = Search(hub->IpTable, &t);
if (e == NULL)
{
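Review bot: The IPv4 learning added after `Insert(hub->IpTable, e);` (and its copy in the last hunk after `Copy(&t.Ip, &ip, sizeof(IP));`) keeps only two slots — the first address ever seen in `LightRecvFilterIPv4_1` and the most recent in `LightRecvFilterIPv4_2` — and never clears them, so once a session has carried a third IPv4 address the ARP check in the flooding hunk (`if (ok == false) { discard = true; goto L_SKIP_TO_DISCARD; }`) silently drops broadcast ARP requests for the evicted address and the host behind it becomes unreachable through that session. If EnableLightRecvFilter is meant for single-host clients only, that limit should be stated where the slots are filled, e.g. `// Light filter tracks at most two IPv4 addresses; not suitable for bridged sessions`; otherwise the ARP check should consult hub->IpTable entries owned by dest_session instead of the two slots. The duplicated slot logic belongs in one helper, e.g. `static void LightRecvFilterLearnIPv4(SESSION *s, UINT ip)`, which would also give a single place for the `s != NULL` guard that the MAC-learning hunk (`if (s != NULL) { if (s->EnableLightRecvFilter) ...`) applies but the `Insert(hub->IpTable, e)` hunk does not — harmless only if that path can never run with a NULL session, which the hunk alone does not show. StorePacket starts and ends outside every hunk shown.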
12 changes: 12 additions & 0 deletions src/Cedar/IPsec_IPC.c
Expand Up @@ -179,6 +179,12 @@ IPC_ASYNC *NewIPCAsync(CEDAR *cedar, IPC_PARAM *param, SOCK_EVENT *sock_event)

Copy(&a->Param, param, sizeof(IPC_PARAM));

if (param->ClientCertificate != NULL)
{
// Client certificate must be copied for async processing
a->Param.ClientCertificate = CloneX(param->ClientCertificate);
}

if (sock_event != NULL)
{
a->SockEvent = sock_event;
Expand Down Expand Up @@ -297,6 +303,12 @@ void FreeIPCAsync(IPC_ASYNC *a)
ReleaseCedar(a->Cedar);

ReleaseTube(a->TubeForDisconnect);

if (a->Param.ClientCertificate != NULL)
{
FreeX(a->Param.ClientCertificate);
}

Free(a);
}

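Review bot: The clone in NewIPCAsync is unchecked — if `CloneX` returns NULL, `a->Param.ClientCertificate` silently becomes NULL and the asynchronous connection proceeds without the certificate the caller supplied, turning an allocation failure into a different authentication outcome rather than an error. Either treat a NULL clone as a construction failure (release what was allocated and return NULL, if NewIPCAsync's callers already handle that) or at least log it so the silent downgrade is visible. The ownership is also worth stating at the clone site, since the preceding `Copy(&a->Param, param, sizeof(IPC_PARAM));` leaves the caller's pointer in the struct until this assignment replaces it: `// a->Param owns this clone; released in FreeIPCAsync. The caller keeps and frees its own ClientCertificate.` Both NewIPCAsync and FreeIPCAsync begin outside the hunks shown.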
14 changes: 11 additions & 3 deletions src/Cedar/Logging.c
Expand Up @@ -1478,12 +1478,19 @@ void AddLogBufToStr(BUF *b, char *name, char *value)
void MakeSafeLogStr(char *str)
{
UINT i, len;
bool is_http = false;
// Validate arguments
if (str == NULL)
{
return;
}

if (str[0] == 'h' && str[1] == 't' && str[2] == 't' && str[3] == 'p' &&
((str[4] == 's' && str[5] == ':') || (str[4] == ':')))
{
is_http = true;
}

EnPrintableAsciiStr(str, '?');

len = StrLen(str);
Expand All @@ -1495,7 +1502,10 @@ void MakeSafeLogStr(char *str)
}
else if (str[i] == ' ')
{
str[i] = '_';
if (is_http == false)
{
str[i] = '_';
}
}
}
}
Expand Down Expand Up @@ -2242,8 +2252,6 @@ void ReplaceForCsv(char *str)
return;
}

// If there are blanks, trim it
Trim(str);
len = StrLen(str);

for (i = 0;i < len;i++)
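Review bot: The space exemption in MakeSafeLogStr applies to the whole string once it starts with `http:` or `https:`, so any space inside a logged URL — text that originates in the client's request — now reaches the log verbatim where it was previously rewritten to `_`; `EnPrintableAsciiStr(str, '?')` still runs first, so CR/LF cannot split log lines, but a space-delimited log consumer (the `_` substitution suggests the format is one) would read a URL such as `http://host/a b` (constructed example) as two fields. If that is acceptable it should be documented above the prefix test, e.g. `// URL fields keep their spaces for readability; the log consumer must tolerate spaces in this field`, otherwise the exemption should be narrowed to the URL part only. Separately, dropping `Trim(str)` in ReplaceForCsv means leading and trailing whitespace now survives into CSV fields; if intentional, a one-line comment saying so would replace the removed one that stated the opposite. MakeSafeLogStr ends outside its first hunk, and ReplaceForCsv begins outside its hunk.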