Support adding custom VPN Azure service #1739

wants to merge 4 commits into from
14 changes: 11 additions & 3 deletions src/Cedar/Account.c
Expand Up @@ -553,7 +553,7 @@ void *NewUserCertAuthData(X *x)
}

// Hash the password
void HashPassword(void *dst, char *username, char *password)
void HashPassword(void *dst, char *username, char *password, bool sha1)
{
BUF *b;
char *username_upper;
Expand All @@ -568,7 +568,15 @@ void HashPassword(void *dst, char *username, char *password)
StrUpper(username_upper);
WriteBuf(b, password, StrLen(password));
WriteBuf(b, username_upper, StrLen(username_upper));
Sha0(dst, b->Buf, b->Size);

if (sha1)
{
Sha1(dst, b->Buf, b->Size);
}
else
{
Sha0(dst, b->Buf, b->Size);
}

FreeBuf(b);
Free(username_upper);
Expand All @@ -585,7 +593,7 @@ void *NewPasswordAuthData(char *username, char *password)
}

pw = ZeroMalloc(sizeof(AUTHPASSWORD));
HashPassword(pw->HashedKey, username, password);
HashPassword(pw->HashedKey, username, password, false);
GenerateNtPasswordHash(pw->NtLmSecureHash, password);

return pw;
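Review bot: The new `sha1` parameter on HashPassword is undocumented — the comment above the definition still reads `// Hash the password` and says nothing about which digest each value selects or why every caller updated in this PR passes `false`. Suggest `// Hash the password. sha1 selects SHA-1; false keeps the legacy SHA-0 digest (presumably required so existing stored hashes still match)`, and the same sentence on the prototype in Account.h. Both branches write into the same `dst`, so it would also help to state the buffer size the caller must provide, which I cannot confirm from the hunk alone. Part of HashPassword's body lies between the two hunks and is outside the view.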
2 changes: 1 addition & 1 deletion src/Cedar/Account.h
Expand Up @@ -192,7 +192,7 @@ void *NewUserCertAuthData(X *x);
void *NewRootCertAuthData(X_SERIAL *serial, wchar_t *common_name);
void *NewRadiusAuthData(wchar_t *username);
void *NewNTAuthData(wchar_t *username);
void HashPassword(void *dst, char *username, char *password);
void HashPassword(void *dst, char *username, char *password, bool sha1);
POLICY *GetDefaultPolicy();
POLICY *ClonePolicy(POLICY *policy);
void SetUserPolicy(USER *u, POLICY *policy);
159 changes: 154 additions & 5 deletions src/Cedar/Admin.c
Expand Up @@ -1644,6 +1644,8 @@ PACK *AdminDispatch(RPC *rpc, char *name, PACK *p)
DECLARE_RPC("GetSpecialListener", RPC_SPECIAL_LISTENER, StGetSpecialListener, InRpcSpecialListener, OutRpcSpecialListener)
DECLARE_RPC("GetAzureStatus", RPC_AZURE_STATUS, StGetAzureStatus, InRpcAzureStatus, OutRpcAzureStatus)
DECLARE_RPC("SetAzureStatus", RPC_AZURE_STATUS, StSetAzureStatus, InRpcAzureStatus, OutRpcAzureStatus)
DECLARE_RPC_EX("SetAzureCustom", RPC_AZURE_CUSTOM, StSetAzureCustom, InRpcAzureCustom, OutRpcAzureCustom, FreeRpcAzureCustom)
DECLARE_RPC_EX("GetAzureCustom", RPC_AZURE_CUSTOM, StGetAzureCustom, InRpcAzureCustom, OutRpcAzureCustom, FreeRpcAzureCustom)
DECLARE_RPC("GetDDnsInternetSettng", INTERNET_SETTING, StGetDDnsInternetSetting, InRpcInternetSetting, OutRpcInternetSetting)
DECLARE_RPC("SetDDnsInternetSettng", INTERNET_SETTING, StSetDDnsInternetSetting, InRpcInternetSetting, OutRpcInternetSetting)
// RPC function declaration: till here
Expand Down Expand Up @@ -1831,6 +1833,8 @@ DECLARE_SC("SetSpecialListener", RPC_SPECIAL_LISTENER, ScSetSpecialListener, InR
DECLARE_SC("GetSpecialListener", RPC_SPECIAL_LISTENER, ScGetSpecialListener, InRpcSpecialListener, OutRpcSpecialListener)
DECLARE_SC("GetAzureStatus", RPC_AZURE_STATUS, ScGetAzureStatus, InRpcAzureStatus, OutRpcAzureStatus)
DECLARE_SC("SetAzureStatus", RPC_AZURE_STATUS, ScSetAzureStatus, InRpcAzureStatus, OutRpcAzureStatus)
DECLARE_SC_EX("GetAzureCustom", RPC_AZURE_CUSTOM, ScGetAzureCustom, InRpcAzureCustom, OutRpcAzureCustom, FreeRpcAzureCustom)
DECLARE_SC_EX("SetAzureCustom", RPC_AZURE_CUSTOM, ScSetAzureCustom, InRpcAzureCustom, OutRpcAzureCustom, FreeRpcAzureCustom)
DECLARE_SC("GetDDnsInternetSettng", INTERNET_SETTING, ScGetDDnsInternetSetting, InRpcInternetSetting, OutRpcInternetSetting)
DECLARE_SC("SetDDnsInternetSettng", INTERNET_SETTING, ScSetDDnsInternetSetting, InRpcInternetSetting, OutRpcInternetSetting)
// RPC call function declaration: till here
Expand Down Expand Up @@ -1919,6 +1923,12 @@ UINT StGetAzureStatus(ADMIN *a, RPC_AZURE_STATUS *t)
{
t->IsConnected = ac->IsConnected;
t->IsEnabled = ac->IsEnabled;
t->UseCustom = ac->UseCustom;

if (ac->UseCustom && ac->CustomConfig != NULL)
{
StrCpy(t->CurrentHostname, sizeof(t->CurrentHostname), ac->CustomConfig->Hostname);
}
}
Unlock(ac->Lock);

Expand All @@ -1940,7 +1950,90 @@ UINT StSetAzureStatus(ADMIN *a, RPC_AZURE_STATUS *t)
return ERR_NOT_SUPPORTED;
}

SiSetAzureEnable(s, t->IsEnabled);
SiSetAzureEnable(s, t->IsEnabled, t->UseCustom);

IncrementServerConfigRevision(s);

return ERR_NO_ERROR;
}

// Get Azure custom config
UINT StGetAzureCustom(ADMIN *a, RPC_AZURE_CUSTOM *t)
{
SERVER *s = a->Server;
CEDAR *c = s->Cedar;
UINT ret = ERR_NO_ERROR;
AZURE_CLIENT *ac;

SERVER_ADMIN_ONLY;
NO_SUPPORT_FOR_BRIDGE;

if (SiIsAzureSupported(s) == false)
{
return ERR_NOT_SUPPORTED;
}

ac = s->AzureClient;
if (ac == NULL)
{
return ERR_NOT_SUPPORTED;
}

Zero(t, sizeof(RPC_AZURE_CUSTOM));

Lock(ac->Lock);
{
if (ac->CustomConfig != NULL)
{
StrCpy(t->ServerName, sizeof(t->ServerName), ac->CustomConfig->ServerName);
t->ServerPort = ac->CustomConfig->ServerPort;
StrCpy(t->Hostname, sizeof(t->Hostname), ac->CustomConfig->Hostname);
Copy(t->HashedPassword, ac->CustomConfig->HashedPassword, SHA1_SIZE);
t->ClientX = CloneX(ac->CustomConfig->ClientX);
t->ClientK = CloneK(ac->CustomConfig->ClientK);
t->ServerCert = CloneX(ac->CustomConfig->ServerCert);
t->VerifyServer = ac->CustomConfig->VerifyServer;
t->AddDefaultCA = ac->CustomConfig->AddDefaultCA;
}
}
Unlock(ac->Lock);

return ERR_NO_ERROR;
}

// Set Azure custom config
UINT StSetAzureCustom(ADMIN *a, RPC_AZURE_CUSTOM *t)
{
SERVER *s = a->Server;
CEDAR *c = s->Cedar;
UINT ret = ERR_NO_ERROR;

SERVER_ADMIN_ONLY;
NO_SUPPORT_FOR_BRIDGE;

if (SiIsAzureSupported(s) == false)
{
return ERR_NOT_SUPPORTED;
}

AZURE_CUSTOM_CONFIG *config = ZeroMalloc(sizeof(AZURE_CUSTOM_CONFIG));

if (t->ClientX != NULL && t->ClientK != NULL && CheckXandK(t->ClientX, t->ClientK) == false)
{
return ERR_PROTOCOL_ERROR;
}

StrCpy(config->ServerName, sizeof(config->ServerName), t->ServerName);
config->ServerPort = t->ServerPort;
StrCpy(config->Hostname, sizeof(config->Hostname), t->Hostname);
Copy(config->HashedPassword, t->HashedPassword, SHA1_SIZE);
config->ClientX = CloneX(t->ClientX);
config->ClientK = CloneK(t->ClientK);
config->ServerCert = CloneX(t->ServerCert);
config->VerifyServer = t->VerifyServer;
config->AddDefaultCA = t->AddDefaultCA;

SiApplyAzureConfig(s, NULL, config);

IncrementServerConfigRevision(s);

Expand Down Expand Up @@ -9107,7 +9200,7 @@ UINT StSetHub(ADMIN *a, RPC_CREATE_HUB *t)
if (StrLen(t->AdminPasswordPlainText) != 0)
{
Sha0(t->HashedPassword, t->AdminPasswordPlainText, StrLen(t->AdminPasswordPlainText));
HashPassword(t->SecurePassword, ADMINISTRATOR_USERNAME, t->AdminPasswordPlainText);
HashPassword(t->SecurePassword, ADMINISTRATOR_USERNAME, t->AdminPasswordPlainText, false);
}

if (IsZero(t->HashedPassword, sizeof(t->HashedPassword)) == false &&
Expand All @@ -9123,7 +9216,7 @@ UINT StSetHub(ADMIN *a, RPC_CREATE_HUB *t)
// Is the password to be set blank
{
UCHAR hash1[SHA1_SIZE], hash2[SHA1_SIZE];
HashPassword(hash1, ADMINISTRATOR_USERNAME, "");
HashPassword(hash1, ADMINISTRATOR_USERNAME, "", false);
Sha0(hash2, "", 0);

if (Cmp(t->HashedPassword, hash2, SHA1_SIZE) == 0 || Cmp(t->SecurePassword, hash1, SHA1_SIZE) == 0)
Expand Down Expand Up @@ -9290,7 +9383,7 @@ UINT StCreateHub(ADMIN *a, RPC_CREATE_HUB *t)
StrLen(t->AdminPasswordPlainText) != 0)
{
Sha0(t->HashedPassword, t->AdminPasswordPlainText, StrLen(t->AdminPasswordPlainText));
HashPassword(t->SecurePassword, ADMINISTRATOR_USERNAME, t->AdminPasswordPlainText);
HashPassword(t->SecurePassword, ADMINISTRATOR_USERNAME, t->AdminPasswordPlainText, false);
}

h = NewHub(c, t->HubName, &o);
Expand Down Expand Up @@ -10545,6 +10638,8 @@ void InRpcAzureStatus(RPC_AZURE_STATUS *t, PACK *p)

t->IsConnected = PackGetBool(p, "IsConnected");
t->IsEnabled = PackGetBool(p, "IsEnabled");
t->UseCustom = PackGetBool(p, "UseCustom");
PackGetStr(p, "CurrentHostname", t->CurrentHostname, sizeof(t->CurrentHostname));
}
void OutRpcAzureStatus(PACK *p, RPC_AZURE_STATUS *t)
{
Expand All @@ -10556,6 +10651,60 @@ void OutRpcAzureStatus(PACK *p, RPC_AZURE_STATUS *t)

PackAddBool(p, "IsConnected", t->IsConnected);
PackAddBool(p, "IsEnabled", t->IsEnabled);
PackAddBool(p, "UseCustom", t->UseCustom);
PackAddStr(p, "CurrentHostname", t->CurrentHostname);
}

// RPC_AZURE_CUSTOM
void InRpcAzureCustom(RPC_AZURE_CUSTOM *t, PACK *p)
{
// Validate arguments
if (t == NULL || p == NULL)
{
return;
}

Zero(t, sizeof(RPC_AZURE_CUSTOM));

PackGetStr(p, "ServerName", t->ServerName, sizeof(t->ServerName));
t->ServerPort = PackGetInt(p, "ServerPort");
PackGetStr(p, "Hostname", t->Hostname, sizeof(t->Hostname));
PackGetData2(p, "HashedPassword", t->HashedPassword, sizeof(t->HashedPassword));
t->ClientX = PackGetX(p, "ClientCert");
t->ClientK = PackGetK(p, "ClientKey");
t->ServerCert = PackGetX(p, "ServerCert");
t->VerifyServer = PackGetBool(p, "VerifyServer");
t->AddDefaultCA = PackGetBool(p, "AddDefaultCA");
}
void OutRpcAzureCustom(PACK *p, RPC_AZURE_CUSTOM *t)
{
// Validate arguments
if (t == NULL || p == NULL)
{
return;
}

PackAddStr(p, "ServerName", t->ServerName);
PackAddInt(p, "ServerPort", t->ServerPort);
PackAddStr(p, "Hostname", t->Hostname);
PackAddData(p, "HashedPassword", t->HashedPassword, sizeof(t->HashedPassword));
PackAddX(p, "ClientCert", t->ClientX);
PackAddK(p, "ClientKey", t->ClientK);
PackAddX(p, "ServerCert", t->ServerCert);
PackAddBool(p, "VerifyServer", t->VerifyServer);
PackAddBool(p, "AddDefaultCA", t->AddDefaultCA);
}
void FreeRpcAzureCustom(RPC_AZURE_CUSTOM *t)
{
// Validate arguments
if (t == NULL)
{
return;
}

FreeX(t->ServerCert);
FreeX(t->ClientX);
FreeK(t->ClientK);
}

// RPC_SPECIAL_LISTENER
Expand Down Expand Up @@ -14070,7 +14219,7 @@ void *InRpcAuthData(PACK *p, UINT *authtype, char *username)
{
if (IsZero(pw->HashedKey, sizeof(pw->HashedKey)))
{
HashPassword(pw->HashedKey, username, plain_pw);
HashPassword(pw->HashedKey, username, plain_pw, false);
GenerateNtPasswordHash(pw->NtLmSecureHash, plain_pw);
}
}
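Review bot: StSetAzureCustom leaks `config` when the certificate/key check fails: `AZURE_CUSTOM_CONFIG *config = ZeroMalloc(...)` runs before `CheckXandK(t->ClientX, t->ClientK) == false` returns ERR_PROTOCOL_ERROR, so move the `if (t->ClientX != NULL && t->ClientK != NULL && CheckXandK(...) == false) { return ERR_PROTOCOL_ERROR; }` block above the allocation (or `Free(config);` before that return). Unlike StGetAzureCustom, the setter never checks `s->AzureClient` for NULL before handing the config to SiApplyAzureConfig; whether that helper tolerates it is not visible here, so it is worth confirming. Both new St* functions also declare `CEDAR *c` and `UINT ret` that are never used, and the mid-block declaration of `config` breaks with the declarations-first style of the surrounding functions. StSetAzureCustom continues past the end of the hunk, so I cannot see what is returned after IncrementServerConfigRevision.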
23 changes: 23 additions & 0 deletions src/Cedar/Admin.h
Expand Up @@ -933,6 +933,22 @@ struct RPC_AZURE_STATUS
{
bool IsEnabled; // Whether enabled
bool IsConnected; // Whether it's connected
bool UseCustom; // Whether using custom service
char CurrentHostname[MAX_HOST_NAME_LEN + 1];
};

// Get / Set the custom Azure config
struct RPC_AZURE_CUSTOM
{
char ServerName[MAX_HOST_NAME_LEN + 1]; // VPN Azure server name
UINT ServerPort; // VPN Azure port number
char Hostname[MAX_HOST_NAME_LEN + 1]; // VPN Azure client hostname
UCHAR HashedPassword[SHA1_SIZE]; // Hashed passwords
X *ClientX; // VPN Azure client certificate
K *ClientK; // VPN Azure client private key
X *ServerCert; // VPN Azure server certificate
bool VerifyServer; // Verify server certificate
bool AddDefaultCA; // Use default trust store to verify server
};

// Constants
Expand Down Expand Up @@ -1130,6 +1146,8 @@ UINT StSetSpecialListener(ADMIN *a, RPC_SPECIAL_LISTENER *t);
UINT StGetSpecialListener(ADMIN *a, RPC_SPECIAL_LISTENER *t);
UINT StGetAzureStatus(ADMIN *a, RPC_AZURE_STATUS *t);
UINT StSetAzureStatus(ADMIN *a, RPC_AZURE_STATUS *t);
UINT StGetAzureCustom(ADMIN *a, RPC_AZURE_CUSTOM *t);
UINT StSetAzureCustom(ADMIN *a, RPC_AZURE_CUSTOM *t);
UINT StGetDDnsInternetSetting(ADMIN *a, INTERNET_SETTING *t);
UINT StSetDDnsInternetSetting(ADMIN *a, INTERNET_SETTING *t);
UINT StSetVgsConfig(ADMIN *a, VGS_CONFIG *t);
Expand Down Expand Up @@ -1281,6 +1299,8 @@ UINT ScSetSpecialListener(RPC *r, RPC_SPECIAL_LISTENER *t);
UINT ScGetSpecialListener(RPC *r, RPC_SPECIAL_LISTENER *t);
UINT ScGetAzureStatus(RPC *r, RPC_AZURE_STATUS *t);
UINT ScSetAzureStatus(RPC *r, RPC_AZURE_STATUS *t);
UINT ScGetAzureCustom(RPC *r, RPC_AZURE_CUSTOM *t);
UINT ScSetAzureCustom(RPC *r, RPC_AZURE_CUSTOM *t);
UINT ScGetDDnsInternetSetting(RPC *r, INTERNET_SETTING *t);
UINT ScSetDDnsInternetSetting(RPC *r, INTERNET_SETTING *t);
UINT ScSetVgsConfig(RPC *r, VGS_CONFIG *t);
Expand Down Expand Up @@ -1512,6 +1532,9 @@ void InRpcSpecialListener(RPC_SPECIAL_LISTENER *t, PACK *p);
void OutRpcSpecialListener(PACK *p, RPC_SPECIAL_LISTENER *t);
void InRpcAzureStatus(RPC_AZURE_STATUS *t, PACK *p);
void OutRpcAzureStatus(PACK *p, RPC_AZURE_STATUS *t);
void InRpcAzureCustom(RPC_AZURE_CUSTOM *t, PACK *p);
void OutRpcAzureCustom(PACK *p, RPC_AZURE_CUSTOM *t);
void FreeRpcAzureCustom(RPC_AZURE_CUSTOM *t);
void InRpcInternetSetting(INTERNET_SETTING *t, PACK *p);
void OutRpcInternetSetting(PACK *p, INTERNET_SETTING *t);

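Review bot: The new `CurrentHostname` field in RPC_AZURE_STATUS is the only member of that struct without a trailing comment; from StGetAzureStatus it is filled from the custom config's Hostname only when UseCustom is set, so `char CurrentHostname[MAX_HOST_NAME_LEN + 1]; // Hostname of the custom service, set only when UseCustom` would match the siblings. In RPC_AZURE_CUSTOM the comment `// Hashed passwords` should be singular, and `ClientX`, `ClientK` and `ServerCert` deserve a note that they are heap-owned and released by FreeRpcAzureCustom, since the Get path clones into them and a caller that forgets the free leaks key material. A one-line comment on the struct saying which direction each field flows (Get returns them, Set consumes them) would also help readers of the header alone.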