1 // SoftEther VPN Source Code - Stable Edition Repository 2 // Cedar Communication Module 3 // 4 // SoftEther VPN Server, Client and Bridge are free software under the Apache License, Version 2.0. 5 // 6 // Copyright (c) Daiyuu Nobori. 7 // Copyright (c) SoftEther VPN Project, University of Tsukuba, Japan. 8 // Copyright (c) SoftEther Corporation. 9 // Copyright (c) all contributors on SoftEther VPN project in GitHub. 10 // 11 // All Rights Reserved. 12 // 13 // http://www.softether.org/ 14 // 15 // This stable branch is officially managed by Daiyuu Nobori, the owner of SoftEther VPN Project. 16 // Pull requests should be sent to the Developer Edition Master Repository on https://github.com/SoftEtherVPN/SoftEtherVPN 17 // 18 // License: The Apache License, Version 2.0 19 // https://www.apache.org/licenses/LICENSE-2.0 20 // 21 // DISCLAIMER 22 // ========== 23 // 24 // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 25 // IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 26 // FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 27 // AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 28 // LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 29 // OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 30 // SOFTWARE. 31 // 32 // THIS SOFTWARE IS DEVELOPED IN JAPAN, AND DISTRIBUTED FROM JAPAN, UNDER 33 // JAPANESE LAWS. YOU MUST AGREE IN ADVANCE TO USE, COPY, MODIFY, MERGE, PUBLISH, 34 // DISTRIBUTE, SUBLICENSE, AND/OR SELL COPIES OF THIS SOFTWARE, THAT ANY 35 // JURIDICAL DISPUTES WHICH ARE CONCERNED TO THIS SOFTWARE OR ITS CONTENTS, 36 // AGAINST US (SOFTETHER PROJECT, SOFTETHER CORPORATION, DAIYUU NOBORI OR OTHER 37 // SUPPLIERS), OR ANY JURIDICAL DISPUTES AGAINST US WHICH ARE CAUSED BY ANY KIND 38 // OF USING, COPYING, MODIFYING, MERGING, PUBLISHING, DISTRIBUTING, SUBLICENSING, 39 // AND/OR SELLING COPIES OF THIS SOFTWARE SHALL BE REGARDED AS BE CONSTRUED AND 40 // CONTROLLED BY JAPANESE LAWS, AND YOU MUST FURTHER CONSENT TO EXCLUSIVE 41 // JURISDICTION AND VENUE IN THE COURTS SITTING IN TOKYO, JAPAN. YOU MUST WAIVE 42 // ALL DEFENSES OF LACK OF PERSONAL JURISDICTION AND FORUM NON CONVENIENS. 43 // PROCESS MAY BE SERVED ON EITHER PARTY IN THE MANNER AUTHORIZED BY APPLICABLE 44 // LAW OR COURT RULE. 45 // 46 // USE ONLY IN JAPAN. DO NOT USE THIS SOFTWARE IN ANOTHER COUNTRY UNLESS YOU HAVE 47 // A CONFIRMATION THAT THIS SOFTWARE DOES NOT VIOLATE ANY CRIMINAL LAWS OR CIVIL 48 // RIGHTS IN THAT PARTICULAR COUNTRY. USING THIS SOFTWARE IN OTHER COUNTRIES IS 49 // COMPLETELY AT YOUR OWN RISK. THE SOFTETHER VPN PROJECT HAS DEVELOPED AND 50 // DISTRIBUTED THIS SOFTWARE TO COMPLY ONLY WITH THE JAPANESE LAWS AND EXISTING 51 // CIVIL RIGHTS INCLUDING PATENTS WHICH ARE SUBJECTS APPLY IN JAPAN. OTHER 52 // COUNTRIES' LAWS OR CIVIL RIGHTS ARE NONE OF OUR CONCERNS NOR RESPONSIBILITIES. 53 // WE HAVE NEVER INVESTIGATED ANY CRIMINAL REGULATIONS, CIVIL LAWS OR 54 // INTELLECTUAL PROPERTY RIGHTS INCLUDING PATENTS IN ANY OF OTHER 200+ COUNTRIES 55 // AND TERRITORIES. BY NATURE, THERE ARE 200+ REGIONS IN THE WORLD, WITH 56 // DIFFERENT LAWS. IT IS IMPOSSIBLE TO VERIFY EVERY COUNTRIES' LAWS, REGULATIONS 57 // AND CIVIL RIGHTS TO MAKE THE SOFTWARE COMPLY WITH ALL COUNTRIES' LAWS BY THE 58 // PROJECT. EVEN IF YOU WILL BE SUED BY A PRIVATE ENTITY OR BE DAMAGED BY A 59 // PUBLIC SERVANT IN YOUR COUNTRY, THE DEVELOPERS OF THIS SOFTWARE WILL NEVER BE 60 // LIABLE TO RECOVER OR COMPENSATE SUCH DAMAGES, CRIMINAL OR CIVIL 61 // RESPONSIBILITIES. NOTE THAT THIS LINE IS NOT LICENSE RESTRICTION BUT JUST A 62 // STATEMENT FOR WARNING AND DISCLAIMER. 63 // 64 // READ AND UNDERSTAND THE 'WARNING.TXT' FILE BEFORE USING THIS SOFTWARE. 65 // SOME SOFTWARE PROGRAMS FROM THIRD PARTIES ARE INCLUDED ON THIS SOFTWARE WITH 66 // LICENSE CONDITIONS WHICH ARE DESCRIBED ON THE 'THIRD_PARTY.TXT' FILE. 67 // 68 // 69 // SOURCE CODE CONTRIBUTION 70 // ------------------------ 71 // 72 // Your contribution to SoftEther VPN Project is much appreciated. 73 // Please send patches to us through GitHub. 74 // Read the SoftEther VPN Patch Acceptance Policy in advance: 75 // http://www.softether.org/5-download/src/9.patch 76 // 77 // 78 // DEAR SECURITY EXPERTS 79 // --------------------- 80 // 81 // If you find a bug or a security vulnerability please kindly inform us 82 // about the problem immediately so that we can fix the security problem 83 // to protect a lot of users around the world as soon as possible. 84 // 85 // Our e-mail address for security reports is: 86 // softether-vpn-security [at] softether.org 87 // 88 // Please note that the above e-mail address is not a technical support 89 // inquiry address. If you need technical assistance, please visit 90 // http://www.softether.org/ and ask your question on the users forum. 91 // 92 // Thank you for your cooperation. 93 // 94 // 95 // NO MEMORY OR RESOURCE LEAKS 96 // --------------------------- 97 // 98 // The memory-leaks and resource-leaks verification under the stress 99 // test has been passed before release this source code. 100 101 102 // Hub.h 103 // Header of Hub.c 104 105 #ifndef HUB_H 106 #define HUB_H 107 108 109 // Prefix in the access list for investigating whether the user name which is contained in a particular file 110 #define ACCESS_LIST_INCLUDED_PREFIX "include:" // Included 111 #define ACCESS_LIST_EXCLUDED_PREFIX "exclude:" // Not included 112 113 // The default value for the cache expiration of the user name reference file of the access list (in seconds) 114 #define ACCESS_LIST_INCLUDE_FILE_CACHE_LIFETIME 30 115 116 // The maximum length of the include file in the access list 117 #define ACCESS_LIST_INCLUDE_FILE_MAX_SIZE (1024 * 1024) 118 119 // <INFO> tags of the URL in the access list 120 #define ACCESS_LIST_URL_INFO_TAG "<INFO>" 121 122 // Old MAC address entry flush interval 123 #define OLD_MAC_ADDRESS_ENTRY_FLUSH_INTERVAL 1000 124 125 // Default flooding queue length 126 #define DEFAULT_FLOODING_QUEUE_LENGTH (32 * 1024 * 1024) 127 128 // SoftEther link control packet 129 struct SE_LINK 130 { 131 UCHAR DestMacAddress[6]; // Destination MAC address 132 UCHAR SrcMacAddress[6]; // Source MAC address 133 UCHAR SignatureS; // 'S' 134 UCHAR SignatureE; // 'E' 135 UCHAR Padding[2]; // Padding 136 UINT Type; // Type 137 UCHAR HubSignature[16]; // HUB signature 138 UINT TransactionId; // Transaction ID 139 UINT Data; // Data 140 UCHAR Dummy[20]; // Dummy 141 UCHAR Checksum[SHA1_SIZE]; // Checksum 142 }; 143 144 145 // Test packet reception record 146 struct TEST_HISTORY 147 { 148 SESSION *s1; 149 SESSION *s2; 150 }; 151 152 // State machine for link test 153 struct SE_TEST 154 { 155 LOCK *lock; // Lock 156 UINT64 LastTestPacketSentTime; // Time that sent the test packet at the last 157 UINT NextTestPacketSendInterval; // Next test packet transmission interval 158 bool CurrentTesting; // Test by sending a test packet currently 159 UINT TransactionId; // Transaction ID 160 LIST *TestHistory; // Reception history 161 }; 162 163 // Macro 164 #define NO_ACCOUNT_DB(h) ((h)->FarmMember) 165 166 // Database in the case of a stand-alone or a farm master HUB 167 struct HUBDB 168 { 169 LIST *UserList; // User List 170 LIST *GroupList; // Group List 171 LIST *RootCertList; // Certificate list to trust 172 LIST *CrlList; // CRL list 173 LIST *AcList; // AC List 174 }; 175 176 // Traffic limiter 177 struct TRAFFIC_LIMITER 178 { 179 UINT64 LastTime; // Time of last measured 180 UINT64 Value; // The current value 181 }; 182 183 // Record the number of broadcast of each endpoint 184 struct STORM 185 { 186 UCHAR MacAddress[6]; // MAC address 187 UCHAR Padding[2]; // Padding 188 IP SrcIp; // Source IP address 189 IP DestIp; // Destination IP address 190 UINT64 CheckStartTick; // Time that checking is started 191 UINT CurrentBroadcastNum; // The current number of broadcasts 192 UINT DiscardValue; // Ratio to discard the broadcast packet 193 bool StrictMode; // Strict mode 194 }; 195 196 // Packet adapter information structure for HUB 197 struct HUB_PA 198 { 199 CANCEL *Cancel; // Cancel object 200 QUEUE *PacketQueue; // Packet queue 201 bool MonitorPort; // Monitor port 202 UINT64 Now; // Current time 203 TRAFFIC_LIMITER UploadLimiter; // Upload bandwidth limit 204 TRAFFIC_LIMITER DownloadLimiter; // Download bandwidth limitation 205 SESSION *Session; // Session 206 LIST *StormList; // Broadcast storm recording list 207 UINT64 UsernameHash; // User name hash 208 UINT64 UsernameHashSimple; // User name hash (simple) 209 UINT64 GroupnameHash; // Group name hash 210 }; 211 212 // HUB options 213 struct HUB_OPTION 214 { 215 // Standard options 216 UINT MaxSession; // Maximum number of simultaneous connections 217 bool NoEnum; // Excluded from the enumeration 218 // Advanced options 219 bool NoArpPolling; // No ARP polling 220 bool NoIPv6AddrPolling; // No IPv6 address polling 221 bool NoIpTable; // Do not generate an IP address table 222 bool NoMacAddressLog; // Not to write the registration log of the MAC address 223 bool ManageOnlyPrivateIP; // Manage only private IP 224 bool ManageOnlyLocalUnicastIPv6; // Manage only local unicast IPv6 addresses 225 bool DisableIPParsing; // Disable the IP interpretation 226 bool YieldAfterStorePacket; // Yield after the packet is stored 227 bool NoSpinLockForPacketDelay; // Do not use the spin lock 228 UINT BroadcastStormDetectionThreshold; // Broadcast number limit threshold 229 bool FilterPPPoE; // Filtering the PPPoE (0x8863, 0x8864) 230 bool FilterOSPF; // Filtering the OSPF (ip_proto = 89) 231 bool FilterIPv4; // Filter IPv4 packets 232 bool FilterIPv6; // Filter IPv6 packets 233 bool FilterNonIP; // Filter all non-IP packets 234 bool FilterBPDU; // Filter the BPDU packets 235 UINT ClientMinimumRequiredBuild; // If the build number of the client is lower than a certain value, deny it 236 bool NoIPv6DefaultRouterInRAWhenIPv6; // Delete the default router specification from the IPv6 router advertisement (only in the case of IPv6 physical connection) 237 bool NoIPv4PacketLog; // Do not save the packet log for the IPv4 packet 238 bool NoIPv6PacketLog; // Do not save the packet log of IPv6 packets 239 bool NoLookBPDUBridgeId; // Don't look the BPDU bridge ID for switching 240 bool NoManageVlanId; // Don't manage the VLAN ID 241 UINT VlanTypeId; // Type ID of VLAN packets (usually 0x8100) 242 bool FixForDLinkBPDU; // Apply the fix for the BPDU of the strange behavior of the D-Link 243 UINT RequiredClientId; // Client ID 244 UINT AdjustTcpMssValue; // TCP MSS adjustment value 245 bool DisableAdjustTcpMss; // Completely disable the TCP MSS adjustment function 246 bool NoDhcpPacketLogOutsideHub; // Suppress DHCP unrelated log 247 bool DisableHttpParsing; // Prohibit the HTTP interpretation 248 bool DisableUdpAcceleration; // Prohibit the UDP acceleration function 249 bool DisableUdpFilterForLocalBridgeNic; // Not to perform filtering DHCP packets associated with local bridge NIC 250 bool ApplyIPv4AccessListOnArpPacket; // Apply an IPv4 access list to the ARP packet 251 bool RemoveDefGwOnDhcpForLocalhost; // Remove the designation of the DHCP server from the DHCP response packet addressed to localhost 252 UINT SecureNAT_MaxTcpSessionsPerIp; // Maximum number of TCP sessions per IP address 253 UINT SecureNAT_MaxTcpSynSentPerIp; // Maximum number of TCP sessions of SYN_SENT state per IP address 254 UINT SecureNAT_MaxUdpSessionsPerIp; // Maximum number of UDP sessions per IP address 255 UINT SecureNAT_MaxDnsSessionsPerIp; // Maximum number of DNS sessions per IP address 256 UINT SecureNAT_MaxIcmpSessionsPerIp; // Maximum number of ICMP sessions per IP address 257 UINT AccessListIncludeFileCacheLifetime; // Expiration of the access list external file (in seconds) 258 bool DisableKernelModeSecureNAT; // Disable the kernel mode NAT 259 bool DisableIpRawModeSecureNAT; // Disable the IP Raw Mode NAT 260 bool DisableUserModeSecureNAT; // Disable the user mode NAT 261 bool DisableCheckMacOnLocalBridge; // Disable the MAC address verification in local bridge 262 bool DisableCorrectIpOffloadChecksum; // Disable the correction of checksum that is IP-Offloaded 263 bool BroadcastLimiterStrictMode; // Strictly broadcast packets limiting mode 264 UINT MaxLoggedPacketsPerMinute; // Maximum number of logging target packets per minute 265 bool DoNotSaveHeavySecurityLogs; // Do not take heavy security log 266 bool DropBroadcastsInPrivacyFilterMode; // Drop broadcasting packets if the both source and destination session is PrivacyFilter mode 267 bool DropArpInPrivacyFilterMode; // Drop ARP packets if the both source and destination session is PrivacyFilter mode 268 bool SuppressClientUpdateNotification; // Suppress the update notification function on the VPN Client 269 UINT FloodingSendQueueBufferQuota; // The global quota of send queues of flooding packets 270 bool AssignVLanIdByRadiusAttribute; // Assign the VLAN ID for the VPN session, by the attribute value of RADIUS 271 bool DenyAllRadiusLoginWithNoVlanAssign; // Deny all RADIUS login with no VLAN ID assigned 272 bool SecureNAT_RandomizeAssignIp; // Randomize the assignment IP address for new DHCP client 273 UINT DetectDormantSessionInterval; // Interval (seconds) threshold to detect a dormant VPN session 274 bool NoPhysicalIPOnPacketLog; // Disable saving physical IP address on the packet log 275 bool UseHubNameAsDhcpUserClassOption; // Add HubName to DHCP request as User-Class option 276 bool UseHubNameAsRadiusNasId; // Add HubName to Radius request as NAS-Identifier attrioption 277 }; 278 279 // MAC table entry 280 struct MAC_TABLE_ENTRY 281 { 282 UCHAR MacAddress[6]; // MAC address 283 UCHAR Padding[2]; 284 UINT VlanId; // VLAN ID 285 SESSION *Session; // Session 286 HUB_PA *HubPa; // HUB packet adapter 287 UINT64 CreatedTime; // Creation date and time 288 UINT64 UpdatedTime; // Updating date 289 }; 290 291 // IP table entry 292 struct IP_TABLE_ENTRY 293 { 294 IP Ip; // IP address 295 SESSION *Session; // Session 296 bool DhcpAllocated; // Assigned by DHCP 297 UINT64 CreatedTime; // Creation date and time 298 UINT64 UpdatedTime; // Updating date 299 UCHAR MacAddress[6]; // MAC address 300 }; 301 302 // Loop List 303 struct LOOP_LIST 304 { 305 UINT NumSessions; 306 SESSION **Session; 307 }; 308 309 // Access list 310 struct ACCESS 311 { 312 // IPv4 313 UINT Id; // ID 314 wchar_t Note[MAX_ACCESSLIST_NOTE_LEN + 1]; // Note 315 316 // --- Please add items to the bottom of here for enhancements --- 317 bool Active; // Enable flag 318 UINT Priority; // Priority 319 bool Discard; // Discard flag 320 UINT SrcIpAddress; // Source IP address 321 UINT SrcSubnetMask; // Source subnet mask 322 UINT DestIpAddress; // Destination IP address 323 UINT DestSubnetMask; // Destination subnet mask 324 UINT Protocol; // Protocol 325 UINT SrcPortStart; // Source port number starting point 326 UINT SrcPortEnd; // Source port number end point 327 UINT DestPortStart; // Destination port number starting point 328 UINT DestPortEnd; // Destination port number end point 329 UINT64 SrcUsernameHash; // Source user name hash 330 bool IsSrcUsernameIncludeOrExclude; // The source user name is formed as the "include:" or "exclude:" 331 char SrcUsername[MAX_USERNAME_LEN + 1]; 332 bool IsDestUsernameIncludeOrExclude; // The destination user name is formed as "include:" or "exclude:" 333 UINT64 DestUsernameHash; // Destination user name hash 334 char DestUsername[MAX_USERNAME_LEN + 1]; 335 bool CheckSrcMac; // Presence of a source MAC address setting 336 UCHAR SrcMacAddress[6]; // Source MAC address 337 UCHAR SrcMacMask[6]; // Source MAC address mask 338 bool CheckDstMac; // Whether the setting of the destination MAC address exists 339 UCHAR DstMacAddress[6]; // Destination MAC address 340 UCHAR DstMacMask[6]; // Destination MAC address mask 341 bool CheckTcpState; // The state of the TCP connection 342 bool Established; // Establieshed(TCP) 343 UINT Delay; // Delay 344 UINT Jitter; // Jitter 345 UINT Loss; // Packet loss 346 char RedirectUrl[MAX_REDIRECT_URL_LEN + 1]; // URL to redirect to 347 348 // IPv6 349 bool IsIPv6; // Whether it's an IPv6 350 IPV6_ADDR SrcIpAddress6; // The source IP address (IPv6) 351 IPV6_ADDR SrcSubnetMask6; // Source subnet mask (IPv6) 352 IPV6_ADDR DestIpAddress6; // Destination IP address (IPv6) 353 IPV6_ADDR DestSubnetMask6; // Destination subnet mask (IPv6) 354 355 // --- Please add items to the above of here for enhancements --- 356 357 // For management 358 UINT UniqueId; // Unique ID 359 }; 360 361 // Ticket 362 struct TICKET 363 { 364 UINT64 CreatedTick; // Creation date and time 365 UCHAR Ticket[SHA1_SIZE]; // Ticket 366 char Username[MAX_USERNAME_LEN + 1]; // User name 367 char UsernameReal[MAX_USERNAME_LEN + 1]; // Real user name 368 char GroupName[MAX_USERNAME_LEN + 1]; // Group name 369 char SessionName[MAX_SESSION_NAME_LEN + 1]; // Session name 370 POLICY Policy; // Policy 371 }; 372 373 // Traffic difference 374 struct TRAFFIC_DIFF 375 { 376 UINT Type; // Type 377 TRAFFIC Traffic; // Traffic 378 char *HubName; // HUB name 379 char *Name; // Name 380 }; 381 382 // Administration options 383 struct ADMIN_OPTION 384 { 385 char Name[MAX_ADMIN_OPTION_NAME_LEN + 1]; // Name 386 UINT Value; // Data 387 wchar_t Descrption[MAX_SIZE]; // Descrption 388 }; 389 390 // Certificate Revocation List entry 391 struct CRL 392 { 393 X_SERIAL *Serial; // Serial number 394 NAME *Name; // Name information 395 UCHAR DigestMD5[MD5_SIZE]; // MD5 hash 396 UCHAR DigestSHA1[SHA1_SIZE]; // SHA-1 hash 397 }; 398 399 // Access control 400 struct AC 401 { 402 UINT Id; // ID 403 UINT Priority; // Priority 404 bool Deny; // Deny access 405 bool Masked; // Is masked 406 IP IpAddress; // IP address 407 IP SubnetMask; // Subnet mask 408 }; 409 410 // User List 411 struct USERLIST 412 { 413 char Filename[MAX_PATH]; // File name 414 LIST *UserHashList; // Hash list of user names 415 }; 416 417 // HUB structure 418 struct HUB 419 { 420 LOCK *lock; // Lock 421 LOCK *lock_online; // Lock for Online 422 REF *ref; // Reference counter 423 CEDAR *Cedar; // Cedar 424 UINT Type; // Type 425 HUBDB *HubDb; // Database 426 char *Name; // The name of the HUB 427 LOCK *RadiusOptionLock; // Lock for Radius option 428 char *RadiusServerName; // Radius server name 429 UINT RadiusServerPort; // Radius server port number 430 UINT RadiusRetryInterval; // Radius retry interval 431 BUF *RadiusSecret; // Radius shared key 432 char RadiusSuffixFilter[MAX_SIZE]; // Radius suffix filter 433 char RadiusRealm[MAX_SIZE]; // Radius realm (optional) 434 bool RadiusConvertAllMsChapv2AuthRequestToEap; // Convert all MS-CHAPv2 auth request to EAP 435 bool RadiusUsePeapInsteadOfEap; // Use PEAP instead of EAP 436 volatile bool Halt; // Halting flag 437 bool Offline; // Offline 438 bool BeingOffline; // Be Doing Offline 439 LIST *SessionList; // Session list 440 COUNTER *SessionCounter; // Session number generation counter 441 TRAFFIC *Traffic; // Traffic information 442 TRAFFIC *OldTraffic; // Old traffic information 443 LOCK *TrafficLock; // Traffic lock 444 COUNTER *NumSessions; // The current number of sessions 445 COUNTER *NumSessionsClient; // The current number of sessions (client) 446 COUNTER *NumSessionsBridge; // The current number of sessions (bridge) 447 HUB_OPTION *Option; // HUB options 448 HASH_LIST *MacHashTable; // MAC address hash table 449 LIST *IpTable; // IP address table 450 LIST *MonitorList; // Monitor port session list 451 LIST *LinkList; // Linked list 452 UCHAR HubSignature[16]; // HUB signature 453 UCHAR HubMacAddr[6]; // MAC address of the HUB 454 IP HubIp; // IP address of the HUB (IPv4) 455 IPV6_ADDR HubIpV6; // IP address of the HUB (IPv6) 456 UINT HubIP6Id; // IPv6 packet ID of the HUB 457 UCHAR Padding[2]; // Padding 458 LOCK *LoopListLock; // Lock for the loop list 459 UINT NumLoopList; // Number of loop lists 460 LOOP_LIST **LoopLists; // Loop List 461 LIST *AccessList; // Access list 462 HUB_LOG LogSetting; // Log Settings 463 LOG *PacketLogger; // Packet logger 464 LOG *SecurityLogger; // Security logger 465 UCHAR HashedPassword[SHA1_SIZE]; // Password 466 UCHAR SecurePassword[SHA1_SIZE]; // Secure password 467 LIST *TicketList; // Ticket list 468 bool FarmMember; // Farm member 469 UINT64 LastIncrementTraffic; // Traffic reporting time 470 UINT64 LastSendArpTick; // ARP transmission time of the last 471 SNAT *SecureNAT; // SecureNAT 472 bool EnableSecureNAT; // SecureNAT enable / disable flag 473 VH_OPTION *SecureNATOption; // SecureNAT Option 474 THREAD *WatchDogThread; // Watchdog thread 475 EVENT *WatchDogEvent; // Watchdog event 476 bool WatchDogStarted; // Whether the watchdog thread is used 477 volatile bool HaltWatchDog; // Stop the watchdog thread 478 LIST *AdminOptionList; // Administration options list 479 UINT64 CreatedTime; // Creation date and time 480 UINT64 LastCommTime; // Last communication date and time 481 UINT64 LastLoginTime; // Last login date and time 482 UINT NumLogin; // Number of logins 483 bool HubIsOnlineButHalting; // Virtual HUB is really online, but it is in offline state to stop 484 UINT FarmMember_MaxSessionClient; // Maximum client connection sessions for cluster members 485 UINT FarmMember_MaxSessionBridge; // Maximum bridge connection sessions for cluster members 486 bool FarmMember_MaxSessionClientBridgeApply; // Apply the FarmMember_MaxSession* 487 UINT CurrentVersion; // The current version 488 UINT LastVersion; // Version of when the update notification is issued at the last 489 wchar_t *Msg; // Message to be displayed when the client is connected 490 LIST *UserList; // Cache of the user list file 491 bool IsVgsHub; // Whether it's a VGS Virtual HUB 492 bool IsVgsSuperRelayHub; // Whether it's a VGS Super Relay Virtual HUB 493 UINT64 LastFlushTick; // Last tick to flush the MAC address table 494 bool StopAllLinkFlag; // Stop all link flag 495 bool ForceDisableComm; // Disable the communication function 496 }; 497 498 499 // Global variable 500 extern ADMIN_OPTION admin_options[]; 501 extern UINT num_admin_options; 502 503 504 // Function prototype 505 HUBDB *NewHubDb(); 506 void DeleteHubDb(HUBDB *d); 507 HUB *NewHub(CEDAR *cedar, char *HubName, HUB_OPTION *option); 508 void SetHubMsg(HUB *h, wchar_t *msg); 509 wchar_t *GetHubMsg(HUB *h); 510 void GenHubMacAddress(UCHAR *mac, char *name); 511 void GenHubIpAddress(IP *ip, char *name); 512 bool IsHubIpAddress(IP *ip); 513 bool IsHubIpAddress32(UINT ip32); 514 bool IsHubIpAddress64(IPV6_ADDR *addr); 515 bool IsHubMacAddress(UCHAR *mac); 516 void ReleaseHub(HUB *h); 517 void CleanupHub(HUB *h); 518 int CompareHub(void *p1, void *p2); 519 void LockHubList(CEDAR *cedar); 520 void UnlockHubList(CEDAR *cedar); 521 HUB *GetHub(CEDAR *cedar, char *name); 522 bool IsHub(CEDAR *cedar, char *name); 523 void StopHub(HUB *h); 524 void AddSession(HUB *h, SESSION *s); 525 void DelSession(HUB *h, SESSION *s); 526 SESSION *SearchSessionByUniqueId(HUB *h, UINT id); 527 UINT GetNewUniqueId(HUB *h); 528 void StopAllSession(HUB *h); 529 bool HubPaInit(SESSION *s); 530 void HubPaFree(SESSION *s); 531 CANCEL *HubPaGetCancel(SESSION *s); 532 UINT HubPaGetNextPacket(SESSION *s, void **data); 533 bool HubPaPutPacket(SESSION *s, void *data, UINT size); 534 PACKET_ADAPTER *GetHubPacketAdapter(); 535 int CompareMacTable(void *p1, void *p2); 536 UINT GetHashOfMacTable(void *p); 537 void StorePacket(HUB *hub, SESSION *s, PKT *packet); 538 bool StorePacketFilter(SESSION *s, PKT *packet); 539 void StorePacketToHubPa(HUB_PA *dest, SESSION *src, void *data, UINT size, PKT *packet, bool is_flooding, bool no_check_acl); 540 void SetHubOnline(HUB *h); 541 void SetHubOffline(HUB *h); 542 SESSION *GetSessionByPtr(HUB *hub, void *ptr); 543 SESSION *GetSessionByName(HUB *hub, char *name); 544 int CompareIpTable(void *p1, void *p2); 545 bool StorePacketFilterByPolicy(SESSION *s, PKT *p); 546 bool DeleteIPv6DefaultRouterInRA(PKT *p); 547 bool StorePacketFilterByTrafficLimiter(SESSION *s, PKT *p); 548 void IntoTrafficLimiter(TRAFFIC_LIMITER *tr, PKT *p); 549 bool IsMostHighestPriorityPacket(SESSION *s, PKT *p); 550 bool IsPriorityPacketForQoS(PKT *p); 551 int CompareStormList(void *p1, void *p2); 552 STORM *SearchStormList(HUB_PA *pa, UCHAR *mac_address, IP *src_ip, IP *dest_ip, bool strict); 553 STORM *AddStormList(HUB_PA *pa, UCHAR *mac_address, IP *src_ip, IP *dest_ip, bool strict); 554 bool CheckBroadcastStorm(HUB *hub, SESSION *s, PKT *p); 555 void AddRootCert(HUB *hub, X *x); 556 int CmpAccessList(void *p1, void *p2); 557 void InitAccessList(HUB *hub); 558 void FreeAccessList(HUB *hub); 559 void AddAccessList(HUB *hub, ACCESS *a); 560 void AddAccessListEx(HUB *hub, ACCESS *a, bool no_sort, bool no_reassign_id); 561 bool SetSessionFirstRedirectHttpUrl(SESSION *s, char *url); 562 bool IsTcpPacketNcsiHttpAccess(PKT *p); 563 UINT64 UsernameToInt64(char *name); 564 void MakeSimpleUsernameRemoveNtDomain(char *dst, UINT dst_size, char *src); 565 bool ApplyAccessListToStoredPacket(HUB *hub, SESSION *s, PKT *p); 566 void ForceRedirectToUrl(HUB *hub, SESSION *src_session, PKT *p, char *redirect_url); 567 BUF *BuildRedirectToUrlPayload(HUB *hub, SESSION *s, char *redirect_url); 568 bool ApplyAccessListToForwardPacket(HUB *hub, SESSION *src_session, SESSION *dest_session, PKT *p); 569 bool IsPacketMaskedByAccessList(SESSION *s, PKT *p, ACCESS *a, UINT64 dest_username, UINT64 dest_groupname, SESSION *dest_session); 570 void GetAccessListStr(char *str, UINT size, ACCESS *a); 571 void DeleteOldIpTableEntry(LIST *o); 572 void SetRadiusServer(HUB *hub, char *name, UINT port, char *secret); 573 void SetRadiusServerEx(HUB *hub, char *name, UINT port, char *secret, UINT interval); 574 bool GetRadiusServer(HUB *hub, char *name, UINT size, UINT *port, char *secret, UINT secret_size); 575 bool GetRadiusServerEx(HUB *hub, char *name, UINT size, UINT *port, char *secret, UINT secret_size, UINT *interval); 576 bool GetRadiusServerEx2(HUB *hub, char *name, UINT size, UINT *port, char *secret, UINT secret_size, UINT *interval, char *suffix_filter, UINT suffix_filter_size); 577 int CompareCert(void *p1, void *p2); 578 void GetHubLogSetting(HUB *h, HUB_LOG *setting); 579 void SetHubLogSetting(HUB *h, HUB_LOG *setting); 580 void SetHubLogSettingEx(HUB *h, HUB_LOG *setting, bool no_change_switch_type); 581 void DeleteExpiredIpTableEntry(LIST *o); 582 void DeleteExpiredMacTableEntry(HASH_LIST *h); 583 void AddTrafficDiff(HUB *h, char *name, UINT type, TRAFFIC *traffic); 584 void IncrementHubTraffic(HUB *h); 585 void EnableSecureNAT(HUB *h, bool enable); 586 void EnableSecureNATEx(HUB *h, bool enable, bool no_change); 587 void StartHubWatchDog(HUB *h); 588 void StopHubWatchDog(HUB *h); 589 void HubWatchDogThread(THREAD *t, void *param); 590 int CompareAdminOption(void *p1, void *p2); 591 UINT GetHubAdminOptionEx(HUB *h, char *name, UINT default_value); 592 UINT GetHubAdminOption(HUB *h, char *name); 593 void DeleteAllHubAdminOption(HUB *h, bool lock); 594 void AddHubAdminOptionsDefaults(HUB *h, bool lock); 595 bool IsCertMatchCrl(X *x, CRL *crl); 596 bool IsCertMatchCrlList(X *x, LIST *o); 597 wchar_t *GenerateCrlStr(CRL *crl); 598 bool IsValidCertInHub(HUB *h, X *x); 599 void FreeCrl(CRL *crl); 600 CRL *CopyCrl(CRL *crl); 601 int CmpAc(void *p1, void *p2); 602 LIST *NewAcList(); 603 void AddAc(LIST *o, AC *ac); 604 bool DelAc(LIST *o, UINT id); 605 AC *GetAc(LIST *o, UINT id); 606 void SetAc(LIST *o, UINT id, AC *ac); 607 void DelAllAc(LIST *o); 608 void SetAcList(LIST *o, LIST *src); 609 void NormalizeAcList(LIST *o); 610 bool IsIpMaskedByAc(IP *ip, AC *ac); 611 bool IsIpDeniedByAcList(IP *ip, LIST *o); 612 char *GenerateAcStr(AC *ac); 613 void FreeAcList(LIST *o); 614 LIST *CloneAcList(LIST *o); 615 bool IsIPManagementTargetForHUB(IP *ip, HUB *hub); 616 wchar_t *GetHubAdminOptionHelpString(char *name); 617 void HubOptionStructToData(RPC_ADMIN_OPTION *ao, HUB_OPTION *o, char *hub_name); 618 ADMIN_OPTION *NewAdminOption(char *name, UINT value); 619 void DataToHubOptionStruct(HUB_OPTION *o, RPC_ADMIN_OPTION *ao); 620 UINT GetHubAdminOptionData(RPC_ADMIN_OPTION *ao, char *name); 621 void GetHubAdminOptionDataAndSet(RPC_ADMIN_OPTION *ao, char *name, UINT *dest); 622 bool IsURLMsg(wchar_t *str, char *url, UINT url_size); 623 LIST *NewUserList(); 624 void DeleteAllUserListCache(LIST *o); 625 void FreeUserList(LIST *o); 626 void FreeUserListEntry(USERLIST *u); 627 int CompareUserList(void *p1, void *p2); 628 USERLIST *LoadUserList(LIST *o, char *filename); 629 USERLIST *FindUserList(LIST *o, char *filename); 630 bool IsUserMatchInUserList(LIST *o, char *filename, UINT64 user_hash); 631 bool IsUserMatchInUserListWithCacheExpires(LIST *o, char *filename, UINT64 user_hash, UINT64 lifetime); 632 bool IsUserMatchInUserListWithCacheExpiresAcl(LIST *o, char *name_in_acl, UINT64 user_hash, UINT64 lifetime); 633 void CalcTrafficEntryDiff(TRAFFIC_ENTRY *diff, TRAFFIC_ENTRY *old, TRAFFIC_ENTRY *current); 634 void CalcTrafficDiff(TRAFFIC *diff, TRAFFIC *old, TRAFFIC *current); 635 bool CheckMaxLoggedPacketsPerMinute(SESSION *s, UINT max_packets, UINT64 now); 636 void VgsSetUserAgentValue(char *str); 637 void VgsSetEmbTag(bool b); 638 EAP_CLIENT *HubNewEapClient(CEDAR *cedar, char *hubname, char *client_ip_str, char *username, char *vpn_protocol_state_str); 639 640 641 #endif // HUB_H 642 643 644