diff --git a/developer_tools/vpnserver-jsonrpc-clients/vpnserver-jsonrpc-client-nodejs-package/package-lock.json b/developer_tools/vpnserver-jsonrpc-clients/vpnserver-jsonrpc-client-nodejs-package/package-lock.json index dbfcbe5d..b854915a 100644 --- a/developer_tools/vpnserver-jsonrpc-clients/vpnserver-jsonrpc-client-nodejs-package/package-lock.json +++ b/developer_tools/vpnserver-jsonrpc-clients/vpnserver-jsonrpc-client-nodejs-package/package-lock.json @@ -65,12 +65,23 @@ } }, "braces": { - "version": "3.0.2", - "resolved": "https://registry.npmjs.org/braces/-/braces-3.0.2.tgz", - "integrity": "sha512-b8um+L1RzM3WDSzvhm6gIz1yfTbBt6YTlcEKAvsmqCZZFw46z626lVj9j1yEPW33H5H+lBQpZMP1k8l+78Ha0A==", + "version": "3.0.3", + "resolved": "https://registry.npmjs.org/braces/-/braces-3.0.3.tgz", + "integrity": "sha512-yQbXgO/OSZVD2IsiLlro+7Hf6Q18EJrKSEsdoMzKePKXct3gvD8oLcOQdIzGupr5Fj+EDe8gO/lxc1BzfMpxvA==", "dev": true, "requires": { - "fill-range": "^7.0.1" + "fill-range": "^7.1.1" + }, + "dependencies": { + "fill-range": { + "version": "7.1.1", + "resolved": "https://registry.npmjs.org/fill-range/-/fill-range-7.1.1.tgz", + "integrity": "sha512-YsGpe3WHLK8ZYi4tWDg2Jy3ebRz2rXowDxnld4bkQB00cc/1Zw9AWnC0i9ztDJitivtQvaI9KaLyKrc+hBW0yg==", + "dev": true, + "requires": { + "to-regex-range": "^5.0.1" + } + } } }, "builtin-modules": { @@ -151,15 +162,6 @@ "integrity": "sha1-Cr9PHKpbyx96nYrMbepPqqBLrJs=", "dev": true }, - "fill-range": { - "version": "7.0.1", - "resolved": "https://registry.npmjs.org/fill-range/-/fill-range-7.0.1.tgz", - "integrity": "sha512-qOo9F+dMUmC2Lcb4BbVvnKJxTPjCm+RRpe4gDuGrzkL7mEVl/djYSu2OdQ2Pa302N4oqkSg9ir6jaLWJ2USVpQ==", - "dev": true, - "requires": { - "to-regex-range": "^5.0.1" - } - }, "fs.realpath": { "version": "1.0.0", "resolved": "https://registry.npmjs.org/fs.realpath/-/fs.realpath-1.0.0.tgz", diff --git a/src/Cedar/Proto_IKE.c b/src/Cedar/Proto_IKE.c index beaf09ab..5d407494 100644 --- a/src/Cedar/Proto_IKE.c +++ b/src/Cedar/Proto_IKE.c 
@@ -463,39 +463,13 @@ void ProcIPsecEspPacketRecv(IKE_SERVER *ike, UDPPACKET *p) seq = READ_UINT(src + sizeof(UINT)); // Search and retrieve the IPsec SA from SPI + + // thank to @phillibert report, responding to bad SA might lead to amplification + // according to RFC4303 we should drop such packets + ipsec_sa = SearchClientToServerIPsecSaBySpi(ike, spi); if (ipsec_sa == NULL) { - // Invalid SPI - UINT64 init_cookie = Rand64(); - UINT64 resp_cookie = 0; - IKE_CLIENT *c = NULL; - IKE_CLIENT t; - - - Copy(&t.ClientIP, &p->SrcIP, sizeof(IP)); - t.ClientPort = p->SrcPort; - Copy(&t.ServerIP, &p->DstIP, sizeof(IP)); - t.ServerPort = p->DestPort; - t.CurrentIkeSa = NULL; - - if (p->DestPort == IPSEC_PORT_IPSEC_ESP_RAW) - { - t.ClientPort = t.ServerPort = IPSEC_PORT_IPSEC_ISAKMP; - } - - c = Search(ike->ClientList, &t); - - if (c != NULL && c->CurrentIkeSa != NULL) - { - init_cookie = c->CurrentIkeSa->InitiatorCookie; - resp_cookie = c->CurrentIkeSa->ResponderCookie; - } - - SendInformationalExchangePacketEx(ike, (c == NULL ? &t : c), IkeNewNoticeErrorInvalidSpiPayload(spi), false, - init_cookie, resp_cookie); - - SendDeleteIPsecSaPacket(ike, (c == NULL ? &t : c), spi); return; } diff --git a/src/Mayaqua/Encrypt.c b/src/Mayaqua/Encrypt.c index fed18bdb..fab64387 100644 --- a/src/Mayaqua/Encrypt.c +++ b/src/Mayaqua/Encrypt.c @@ -88,6 +88,7 @@ int ssl_clientcert_index = 0; #if OPENSSL_VERSION_NUMBER >= 0x30000000L static OSSL_PROVIDER *ossl_provider_legacy = NULL; static OSSL_PROVIDER *ossl_provider_default = NULL; +static OSSL_PROVIDER *ossl_provider_oqsprovider = NULL; #endif LOCK **ssl_lock_obj = NULL; @@ -3974,6 +3975,12 @@ void FreeCryptLibrary() OSSL_PROVIDER_unload(ossl_provider_legacy); ossl_provider_legacy = NULL; } + + if (ossl_provider_oqsprovider != NULL) + { + OSSL_PROVIDER_unload(ossl_provider_oqsprovider); + ossl_provider_oqsprovider = NULL; + } #endif } 
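Review bot: The `ipsec_sa == NULL` branch in ProcIPsecEspPacketRecv now returns without recording anything, although RFC 4303, which the new comment cites, treats a packet with no matching SA as an auditable event. A rate-limited debug line or a drop counter in that branch, carrying `spi` and the source address, would let operators see spoofed-source floods as well as genuine peers holding a stale SA, who no longer receive the invalid-SPI notice and presumably have to recover through their own liveness checks. The comment also sits above the lookup rather than in the branch it explains; I would move it inside the `if` and word it as `// Unknown SPI: drop silently (RFC 4303); replying here could be abused for traffic amplification`. The function body starts and continues outside the hunk.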
@@ -3996,6 +4003,7 @@ void InitCryptLibrary() #if OPENSSL_VERSION_NUMBER >= 0x30000000L ossl_provider_default = OSSL_PROVIDER_load(NULL, "legacy"); ossl_provider_legacy = OSSL_PROVIDER_load(NULL, "default"); + ossl_provider_oqsprovider = OSSL_PROVIDER_load(NULL, "oqsprovider"); #endif ssl_clientcert_index = SSL_get_ex_new_index(0, "struct SslClientCertInfo *", NULL, NULL, NULL); diff --git a/src/Mayaqua/Network.c b/src/Mayaqua/Network.c index 52da1246..6b53ecfb 100644 --- a/src/Mayaqua/Network.c +++ b/src/Mayaqua/Network.c @@ -11905,6 +11905,10 @@ bool StartSSLEx3(SOCK *sock, X *x, K *priv, LIST *chain, UINT ssl_timeout, char Unlock(openssl_lock); } + #if OPENSSL_VERSION_NUMBER >= 0x30000000L + SSL_set1_groups_list(sock->ssl, PQ_GROUP_LIST); + #endif + if (sock->ServerMode) { // Lock(ssl_connect_lock); @@ -11984,7 +11988,7 @@ bool StartSSLEx3(SOCK *sock, X *x, K *priv, LIST *chain, UINT ssl_timeout, char // Unlock(ssl_connect_lock); } else - { + { prev_timeout = GetTimeout(sock); SetTimeout(sock, ssl_timeout); // Client mode @@ -12285,6 +12289,7 @@ UINT SecureRecv(SOCK *sock, void *data, UINT size) Debug("%s %u SecureRecv() Disconnect\n", __FILE__, __LINE__); return 0; } + ERR_clear_error(); ret = SSL_peek(ssl, &c, sizeof(c)); } Unlock(sock->ssl_lock); @@ -12316,9 +12321,11 @@ UINT SecureRecv(SOCK *sock, void *data, UINT size) #endif ) { - UINT ssl_err_no = ERR_get_error(); + UINT ssl_err_no; + while (ssl_err_no = ERR_get_error()){ + Debug("%s %u SSL_ERROR_SSL on ASYNC socket !!! ssl_err_no = %u: '%s'\n", __FILE__, __LINE__, ssl_err_no, ERR_error_string(ssl_err_no, NULL)); + }; - Debug("%s %u SSL_ERROR_SSL on ASYNC socket !!! ssl_err_no = %u: '%s'\n", __FILE__, __LINE__, ssl_err_no, ERR_error_string(ssl_err_no, NULL)); Disconnect(sock); return 0; } @@ -12350,6 +12357,7 @@ UINT SecureRecv(SOCK *sock, void *data, UINT size) ttparam = NewSocketTimeout(sock); #endif // UNIX_SOLARIS + ERR_clear_error(); ret = SSL_read(ssl, data, size); // Stop the timeout thread 
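Review bot: The result of `OSSL_PROVIDER_load(NULL, "oqsprovider")` in InitCryptLibrary is never checked, so on a host without that module the process silently runs with classical key exchange only, and the failed load most likely leaves an entry on the OpenSSL error queue. Because oqsprovider is a third-party module resolved from the OpenSSL modules directory at run time, I would record the outcome once at startup, e.g. `if (ossl_provider_oqsprovider == NULL) { Debug("oqsprovider not available, hybrid PQ groups disabled\n"); ERR_clear_error(); }`. The two context lines above it also appear to store the "legacy" provider in `ossl_provider_default` and the "default" one in `ossl_provider_legacy`; that is harmless for load and unload but worth swapping while this block is being touched. InitCryptLibrary continues outside the hunk.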
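Review bot: The return value of `SSL_set1_groups_list(sock->ssl, PQ_GROUP_LIST)` in StartSSLEx3 is ignored, and as far as I know OpenSSL rejects the whole list when it contains a group name it cannot resolve, which is what would happen to the `*_kyber*` entries whenever oqsprovider did not load. In that case the socket keeps OpenSSL's default groups, so neither the hybrid groups nor the intended classical ordering take effect, and the failure leaves an error-queue entry just before the handshake. I would write `if (SSL_set1_groups_list(sock->ssl, PQ_GROUP_LIST) != 1) { ERR_clear_error(); Debug("%s %u SSL_set1_groups_list failed\n", __FILE__, __LINE__); }` and ideally retry with a classical-only list. The call runs for both server and client mode, and the function body extends outside the hunk.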
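Review bot: The new drain loop in SecureRecv's `SSL_ERROR_SSL` branch calls `ERR_error_string(ssl_err_no, NULL)`, which formats into a static buffer inside OpenSSL and is documented as not thread-safe, so log text can be mixed up when several sockets fail at once. I would use `char errbuf[256];`, `while ((ssl_err_no = ERR_get_error()) != 0)` and `ERR_error_string_n(ssl_err_no, errbuf, sizeof(errbuf));`, which also makes the assignment in the condition explicit and lets the stray `;` after the closing brace go. ERR_get_error() returns `unsigned long`, so storing it in a `UINT` deserves an explicit cast or a wider type. The same loop is added in the second SSL_ERROR_SSL branch of SecureRecv (@@ -12420) and in SecureSend (@@ -12502); the enclosing functions start outside these hunks.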
@@ -12420,9 +12428,11 @@ UINT SecureRecv(SOCK *sock, void *data, UINT size) #endif ) { - UINT ssl_err_no = ERR_get_error(); + UINT ssl_err_no; + while (ssl_err_no = ERR_get_error()) { + Debug("%s %u SSL_ERROR_SSL on ASYNC socket !!! ssl_err_no = %u: '%s'\n", __FILE__, __LINE__, ssl_err_no, ERR_error_string(ssl_err_no, NULL)); + }; - Debug("%s %u SSL_ERROR_SSL on ASYNC socket !!! ssl_err_no = %u: '%s'\n", __FILE__, __LINE__, ssl_err_no, ERR_error_string(ssl_err_no, NULL)); Disconnect(sock); return 0; } @@ -12431,8 +12441,8 @@ UINT SecureRecv(SOCK *sock, void *data, UINT size) return SOCK_LATER; } } + Debug("%s %u e=%u SecureRecv() Disconnect\n", __FILE__, __LINE__, e); Disconnect(sock); - Debug("%s %u SecureRecv() Disconnect\n", __FILE__, __LINE__); return 0; } @@ -12459,6 +12469,7 @@ UINT SecureSend(SOCK *sock, void *data, UINT size) return 0; } + ERR_clear_error(); ret = SSL_write(ssl, data, size); #if OPENSSL_VERSION_NUMBER < 0x30000000L if (ret < 0) // OpenSSL version < 3.0.0 @@ -12502,12 +12513,22 @@ UINT SecureSend(SOCK *sock, void *data, UINT size) // Confirmation of the error value if (e == SSL_ERROR_WANT_READ || e == SSL_ERROR_WANT_WRITE || e == SSL_ERROR_SSL) { + if (e == SSL_ERROR_SSL) + { + UINT ssl_err_no; + while (ssl_err_no = ERR_get_error()) { + Debug("%s %u SSL_ERROR_SSL on ASYNC socket !!! ssl_err_no = %u: '%s'\n", __FILE__, __LINE__, ssl_err_no, ERR_error_string(ssl_err_no, NULL)); + }; + + Disconnect(sock); + return 0; + } + sock->WriteBlocked = true; return SOCK_LATER; } - Debug("%s %u e=%u\n", __FILE__, __LINE__, e); } - //Debug("%s %u SecureSend() Disconnect\n", __FILE__, __LINE__); + Debug("%s %u e=%u SecureSend() Disconnect\n", __FILE__, __LINE__, e); Disconnect(sock); return 0; } diff --git a/src/Mayaqua/Network.h b/src/Mayaqua/Network.h index 39e3f5fc..94a50c2b 100644 --- a/src/Mayaqua/Network.h +++ b/src/Mayaqua/Network.h 
@@ -59,6 +59,10 @@ struct DYN_VALUE #define DEFAULT_CIPHER_LIST "ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:DHE+CHACHA20:ECDHE+AES256:DHE+AES256:RSA+AES" +#if OPENSSL_VERSION_NUMBER >= 0x30000000L +#define PQ_GROUP_LIST "p521_kyber1024:x25519_kyber768:P-521:X25519:P-256" +#endif + // SSL logging function //#define ENABLE_SSL_LOGGING #define SSL_LOGGING_DIRNAME "@ssl_log" diff --git a/src/bin/hamcore/wwwroot/admin/default/package-lock.json b/src/bin/hamcore/wwwroot/admin/default/package-lock.json index 65ae50a8..b15268b9 100644 --- a/src/bin/hamcore/wwwroot/admin/default/package-lock.json +++ b/src/bin/hamcore/wwwroot/admin/default/package-lock.json @@ -373,12 +373,23 @@ } }, "braces": { - "version": "3.0.2", - "resolved": "https://registry.npmjs.org/braces/-/braces-3.0.2.tgz", - "integrity": "sha512-b8um+L1RzM3WDSzvhm6gIz1yfTbBt6YTlcEKAvsmqCZZFw46z626lVj9j1yEPW33H5H+lBQpZMP1k8l+78Ha0A==", + "version": "3.0.3", + "resolved": "https://registry.npmjs.org/braces/-/braces-3.0.3.tgz", + "integrity": "sha512-yQbXgO/OSZVD2IsiLlro+7Hf6Q18EJrKSEsdoMzKePKXct3gvD8oLcOQdIzGupr5Fj+EDe8gO/lxc1BzfMpxvA==", "dev": true, "requires": { - "fill-range": "^7.0.1" + "fill-range": "^7.1.1" + }, + "dependencies": { + "fill-range": { + "version": "7.1.1", + "resolved": "https://registry.npmjs.org/fill-range/-/fill-range-7.1.1.tgz", + "integrity": "sha512-YsGpe3WHLK8ZYi4tWDg2Jy3ebRz2rXowDxnld4bkQB00cc/1Zw9AWnC0i9ztDJitivtQvaI9KaLyKrc+hBW0yg==", + "dev": true, + "requires": { + "to-regex-range": "^5.0.1" + } + } } }, "browserslist": { 
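Review bot: `PQ_GROUP_LIST` is added without a comment, and its first two entries are group names supplied by oqsprovider rather than by OpenSSL itself. A line such as `// TLS key-exchange groups in preference order; the *_kyber* hybrids need oqsprovider, the remaining entries are classical fallbacks` would tell the next reader why the macro is guarded by the OpenSSL 3 check and what stops working if the provider renames or retires those groups. It would also help to state whether limiting the classical fallbacks to P-521, X25519 and P-256 is intentional.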
@@ -603,15 +614,6 @@ "integrity": "sha512-eRnCtTTtGZFpQCwhJiUOuxPQWRXVKYDn0b2PeHfXL6/Zi53SLAzAHfVhVWK2AryC/WH05kGfxhFIPvTF0SXQzg==", "dev": true }, - "fill-range": { - "version": "7.0.1", - "resolved": "https://registry.npmjs.org/fill-range/-/fill-range-7.0.1.tgz", - "integrity": "sha512-qOo9F+dMUmC2Lcb4BbVvnKJxTPjCm+RRpe4gDuGrzkL7mEVl/djYSu2OdQ2Pa302N4oqkSg9ir6jaLWJ2USVpQ==", - "dev": true, - "requires": { - "to-regex-range": "^5.0.1" - } - }, "find-up": { "version": "4.1.0", "resolved": "https://registry.npmjs.org/find-up/-/find-up-4.1.0.tgz",