From 5a88b34ddbfaf9d7a0e08c2bdbb00c63393361e1 Mon Sep 17 00:00:00 2001
From: hiura
Date: Wed, 8 May 2024 10:55:00 +0900
Subject: [PATCH 1/4] Fix Virtual DHCP Server: Correct IP reassignment
---
src/Cedar/Virtual.c | 58 +++++++++++++++++----------------------------
1 file changed, 22 insertions(+), 36 deletions(-)
diff --git a/src/Cedar/Virtual.c b/src/Cedar/Virtual.c
index fa2367dc..f5d105cf 100644
--- a/src/Cedar/Virtual.c
+++ b/src/Cedar/Virtual.c
@@ -9349,62 +9349,35 @@ UINT ServeDhcpDiscoverEx(VH *v, UCHAR *mac, UINT request_ip, bool is_static_ip) // check whether it is a request from the same MAC address if (Cmp(mac, d->MacAddress, 6) == 0) { - // Examine whether the specified IP address is within the range of assignment + // Examine whether the specified IP address is within the range of static assignment if (Endian32(v->DhcpIpStart) > Endian32(request_ip) || Endian32(request_ip) > Endian32(v->DhcpIpEnd)) { - // Accept if within the range + // Accept if within the range of static assignment ret = request_ip; } } else { - // Duplicated IPV4 address found. The DHCP server replies to DHCPREQUEST with DHCP NAK. + // Duplicated IPV4 address found. The specified IP address is not available for use char ipstr[MAX_HOST_NAME_LEN + 1] = { 0 }; char macstr[128] = { 0 }; IPToStr32(ipstr, sizeof(ipstr), request_ip); - BinToStr(macstr, sizeof(macstr), d->MacAddress, 6); - Debug("Virtual DHC Server: Duplicated IP address detected. Static IP: %s, Used by MAC:%s\n", ipstr, macstr); - return ret; + MacToStr(macstr, sizeof(macstr), d->MacAddress); + Debug("Virtual DHC Server: Duplicated IP address detected. 
Static IP: %s, with the MAC: %s\n", ipstr, macstr); } } else { - // Examine whether the specified IP address is within the range of assignment + // Examine whether the specified IP address is within the range of static assignment if (Endian32(v->DhcpIpStart) > Endian32(request_ip) || Endian32(request_ip) > Endian32(v->DhcpIpEnd)) { - // Accept if within the range + // Accept if within the range of static assignment ret = request_ip; } else { - // Propose an IP in the range since it's a Discover although It is out of range - } - } - if (ret == 0) - { - // If there is any entry with the same MAC address - // that are already registered, use it with priority - DHCP_LEASE *d = SearchDhcpLeaseByMac(v, mac); - - if (d != NULL) - { - // Examine whether the found IP address is in the allocation region - if (Endian32(v->DhcpIpStart) > Endian32(d->IpAddress) || - Endian32(d->IpAddress) > Endian32(v->DhcpIpEnd)) - { - // Use the IP address if it's found within the range - ret = d->IpAddress; - } - } - } - if (ret == 0) - { - // For static IP, the requested IP address must NOT be within the range of the DHCP pool - if (Endian32(v->DhcpIpStart) > Endian32(request_ip) || - Endian32(request_ip) > Endian32(v->DhcpIpEnd)) - { - ret = request_ip; + // The specified IP address is not available for use } } @@ -9595,6 +9568,11 @@ void VirtualDhcpServer(VH *v, PKT *p) { ip = ServeDhcpRequestEx(v, p->MacAddressSrc, opt->RequestedIp, ip_static); } + // If the IP address in user's note is changed, then reply to DHCP_REQUEST with DHCP_NAK + if (p->L3.IPv4Header->SrcIP && ip != p->L3.IPv4Header->SrcIP) + { + ip = 0; + } } if (ip != 0 || opt->Opcode == DHCP_INFORM) 
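Review bot: The reworded comments at `@@ -9349`, `// Examine whether the specified IP address is within the range of static assignment`, sit above a test that accepts `request_ip` only when it lies outside `DhcpIpStart`..`DhcpIpEnd`, so the condition is easy to read as inverted. Stating it directly would help, e.g. `// A static IP is accepted only when it lies outside the dynamic pool [DhcpIpStart, DhcpIpEnd]`, and the `else` that now holds only a comment could be dropped. Nothing in the visible lines checks that an accepted static address belongs to the virtual subnet or differs from the server's own address; that may be enforced where the user note is parsed and is worth confirming. The body of ServeDhcpDiscoverEx starts and ends outside this hunk.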
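Review bot: The NAK test added at `@@ -9595` compares the chosen address with `p->L3.IPv4Header->SrcIP`, a field the sender fills in, and the visible condition is not limited to the static case its comment describes, since `ip_static` is not part of it. If the intent is only to force re-discovery after the static IP in the user's note changes, `if (ip_static && p->L3.IPv4Header->SrcIP != 0 && ip != p->L3.IPv4Header->SrcIP)` would keep dynamic renewals out of this branch; this is hedged because the surrounding block starts outside the hunk. A comment explaining why the IP header source is used rather than the DHCP client-address field would also help, as would confirming that `p->L3.IPv4Header` is always set when VirtualDhcpServer reaches this point.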
@@ -9607,6 +9585,14 @@ void VirtualDhcpServer(VH *v, PKT *p) char client_mac[MAX_SIZE]; char client_ip[MAX_SIZE]; + // If there is any entry with the same MAC address, then remove it + d = SearchDhcpLeaseByMac(v, p->MacAddressSrc); + if (d != NULL) + { + FreeDhcpLease(d); + Delete(v->DhcpLeaseList, d); + } + // Remove old records with the same IP address d = SearchDhcpLeaseByIp(v, ip); if (d != NULL) @@ -9765,7 +9751,7 @@ void VirtualDhcpServer(VH *v, PKT *p) } else { - // Reply of DHCP_REQUEST must be either DHCP_ACK or DHCP_NAK. + // Reply of DHCP_REQUEST must be either DHCP_ACK or DHCP_NAK if (opt->Opcode == DHCP_REQUEST) { // There is no IP address that can be provided From 98852b77d90e486f48874a4292c1930ec568aedc Mon Sep 17 00:00:00 2001 From: hiura Date: Sun, 26 May 2024 23:36:21 +0900 Subject: [PATCH 2/4] CHANGE ERROR HANDLER FOR SSL ERROR: --- src/Mayaqua/Network.c | 63 +++++++++++++++++++++++++++++++------------ 1 file changed, 46 insertions(+), 17 deletions(-) diff --git a/src/Mayaqua/Network.c b/src/Mayaqua/Network.c index c9ea7595..fd3c5c19 100644 --- a/src/Mayaqua/Network.c +++ b/src/Mayaqua/Network.c @@ -12288,6 +12288,11 @@ UINT SecureRecv(SOCK *sock, void *data, UINT size) ret = SSL_peek(ssl, &c, sizeof(c)); } Unlock(sock->ssl_lock); +#if OPENSSL_VERSION_NUMBER < 0x30000000L + // 2021/09/10: After OpenSSL 3.x.x, both 0 and negative values might mean retryable. + // See: https://github.com/openssl/openssl/blob/435981cbadad2c58c35bacd30ca5d8b4c9bea72f/doc/man3/SSL_read.pod + // > Old documentation indicated a difference between 0 and -1, and that -1 was retryable. + // > You should instead call SSL_get_error() to find out if it's retryable. if (ret == 0) { // The communication have been disconnected @@ -12295,7 +12300,8 @@ UINT SecureRecv(SOCK *sock, void *data, UINT size) Debug("%s %u SecureRecv() Disconnect\n", __FILE__, __LINE__); return 0; } - if (ret < 0) +#endif + if (ret <= 0) { // An error has occurred e = SSL_get_error(ssl, ret); 
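Review bot: In the block added at `@@ -9607` that drops the sender's previous lease, `FreeDhcpLease(d)` runs before `Delete(v->DhcpLeaseList, d)`, so the list is asked to remove a pointer after the lease has already been handed to the free routine. Unlinking first is safer and costs nothing: `Delete(v->DhcpLeaseList, d);` followed by `FreeDhcpLease(d);`. Only the first match from `SearchDhcpLeaseByMac` is removed, and the lookup key is the Ethernet source address taken from the packet, so a short comment stating that one lease per MAC is the invariant being enforced would be useful. The enclosing block of VirtualDhcpServer starts and ends outside the hunk.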
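Review bot: On OpenSSL 3.x builds the `if (ret == 0)` disconnect is compiled out at `@@ -12288` (and again at `@@ -12380`, `@@ -12460` and `@@ -12467` for SSL_read and SSL_write), so a zero return is classified only by `SSL_get_error`, yet the handling visible at `@@ -12387` names just `SSL_ERROR_WANT_READ`, `SSL_ERROR_WANT_WRITE` and `SSL_ERROR_SSL`. A peer close (`SSL_ERROR_ZERO_RETURN`) or `SSL_ERROR_SYSCALL` then depends on whatever follows outside the hunks; an explicit `if (e == SSL_ERROR_ZERO_RETURN) { Disconnect(sock); return 0; }` right after `SSL_get_error` would make the closed-connection path obvious. The comment explaining the 3.x behaviour also sits inside the `#if OPENSSL_VERSION_NUMBER < 0x30000000L` branch, where it reads as if it described the legacy case; placing it above the `#if` would be clearer.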
@@ -12303,14 +12309,16 @@ UINT SecureRecv(SOCK *sock, void *data, UINT size) { if (e == SSL_ERROR_SSL #if OPENSSL_VERSION_NUMBER < 0x10100000L - && - sock->ssl->s3->send_alert[0] == SSL3_AL_FATAL && - sock->ssl->s3->send_alert[0] != sock->Ssl_Init_Async_SendAlert[0] && - sock->ssl->s3->send_alert[1] != sock->Ssl_Init_Async_SendAlert[1] + && + sock->ssl->s3->send_alert[0] == SSL3_AL_FATAL && + sock->ssl->s3->send_alert[0] != sock->Ssl_Init_Async_SendAlert[0] && + sock->ssl->s3->send_alert[1] != sock->Ssl_Init_Async_SendAlert[1] #endif - ) + ) { - Debug("%s %u SSL Fatal Error on ASYNC socket !!!\n", __FILE__, __LINE__); + UINT ssl_err_no = ERR_get_error(); + + Debug("%s %u SSL_ERROR_SSL on ASYNC socket !!! ssl_err_no = %u: '%s'\n", __FILE__, __LINE__, ssl_err_no, ERR_error_string(ssl_err_no, NULL)); Disconnect(sock); return 0; } @@ -12337,14 +12345,14 @@ UINT SecureRecv(SOCK *sock, void *data, UINT size) } #endif // OS_UNIX -// Run the time-out thread for SOLARIS + // Run the time-out thread for SOLARIS #ifdef UNIX_SOLARIS ttparam = NewSocketTimeout(sock); #endif // UNIX_SOLARIS ret = SSL_read(ssl, data, size); -// Stop the timeout thread + // Stop the timeout thread #ifdef UNIX_SOLARIS FreeSocketTimeout(ttparam); #endif // UNIX_SOLARIS @@ -12357,7 +12365,11 @@ UINT SecureRecv(SOCK *sock, void *data, UINT size) } #endif // OS_UNIX - if (ret < 0) +#if OPENSSL_VERSION_NUMBER < 0x30000000L + if (ret < 0) // OpenSSL version < 3.0.0 +#else + if (ret <= 0) // OpenSSL version >= 3.0.0 +#endif { e = SSL_get_error(ssl, ret); } 
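Review bot: The new log line at `@@ -12303` (repeated at `@@ -12387`) calls `ERR_error_string(ssl_err_no, NULL)`, which writes into a static buffer shared by all threads, and `ERR_get_error()` removes only one entry from the calling thread's error queue. Where several sockets are served by different threads the message can be overwritten while it is being formatted, and leftover queue entries can make a later `SSL_get_error` on the same thread misreport. Formatting into a local buffer with `ERR_error_string_n` and clearing the queue before `Disconnect(sock)` avoids both. `ERR_get_error()` also returns `unsigned long`, so the narrowing to `UINT` deserves an explicit cast.

```c
// … unchanged: if (e == SSL_ERROR_SSL …) condition …
{
	char ssl_err_str[256];
	UINT ssl_err_no = (UINT)ERR_get_error();

	ERR_error_string_n(ssl_err_no, ssl_err_str, sizeof(ssl_err_str));
	Debug("%s %u SSL_ERROR_SSL on ASYNC socket !!! ssl_err_no = %u: '%s'\n", __FILE__, __LINE__, ssl_err_no, ssl_err_str);
	// Drop any remaining queue entries so they cannot affect a later SSL_get_error() on this thread
	ERR_clear_error();
	Disconnect(sock);
	return 0;
}
```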
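Review bot: The version split around the `SSL_get_error` call at `@@ -12357` (and at `@@ -12438` in SecureSend) looks unnecessary: a single `if (ret <= 0)` behaves the same on every OpenSSL version, because on builds older than 3.0 the `ret == 0` case returns through the guarded disconnect block before `e` is used. Collapsing it to `if (ret <= 0)` removes four preprocessor lines per site and leaves the version dependency in one place, the `#if OPENSSL_VERSION_NUMBER < 0x30000000L` block that follows. This assumes nothing between the two reads `e` when `ret == 0`, which the hunks do not show in full.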
@@ -12380,6 +12392,12 @@ UINT SecureRecv(SOCK *sock, void *data, UINT size) return (UINT)ret; } + +#if OPENSSL_VERSION_NUMBER < 0x30000000L + // 2021/09/10: After OpenSSL 3.x.x, both 0 and negative values might mean retryable. + // See: https://github.com/openssl/openssl/blob/435981cbadad2c58c35bacd30ca5d8b4c9bea72f/doc/man3/SSL_read.pod + // > Old documentation indicated a difference between 0 and -1, and that -1 was retryable. + // > You should instead call SSL_get_error() to find out if it's retryable. if (ret == 0) { // Disconnect the communication @@ -12387,20 +12405,24 @@ UINT SecureRecv(SOCK *sock, void *data, UINT size) //Debug("%s %u SecureRecv() Disconnect\n", __FILE__, __LINE__); return 0; } +#endif + if (sock->AsyncMode) { if (e == SSL_ERROR_WANT_READ || e == SSL_ERROR_WANT_WRITE || e == SSL_ERROR_SSL) { if (e == SSL_ERROR_SSL #if OPENSSL_VERSION_NUMBER < 0x10100000L - && - sock->ssl->s3->send_alert[0] == SSL3_AL_FATAL && - sock->ssl->s3->send_alert[0] != sock->Ssl_Init_Async_SendAlert[0] && - sock->ssl->s3->send_alert[1] != sock->Ssl_Init_Async_SendAlert[1] + && + sock->ssl->s3->send_alert[0] == SSL3_AL_FATAL && + sock->ssl->s3->send_alert[0] != sock->Ssl_Init_Async_SendAlert[0] && + sock->ssl->s3->send_alert[1] != sock->Ssl_Init_Async_SendAlert[1] #endif - ) + ) { - Debug("%s %u SSL Fatal Error on ASYNC socket !!!\n", __FILE__, __LINE__); + UINT ssl_err_no = ERR_get_error(); + + Debug("%s %u SSL_ERROR_SSL on ASYNC socket !!! ssl_err_no = %u: '%s'\n", __FILE__, __LINE__, ssl_err_no, ERR_error_string(ssl_err_no, NULL)); Disconnect(sock); return 0; } @@ -12438,7 +12460,11 @@ UINT SecureSend(SOCK *sock, void *data, UINT size) } ret = SSL_write(ssl, data, size); - if (ret < 0) +#if OPENSSL_VERSION_NUMBER < 0x30000000L + if (ret < 0) // OpenSSL version < 3.0.0 +#else + if (ret <= 0) // OpenSSL version >= 3.0.0 +#endif { e = SSL_get_error(ssl, ret); } 
@@ -12460,6 +12486,8 @@ UINT SecureSend(SOCK *sock, void *data, UINT size) sock->WriteBlocked = false; return (UINT)ret; } + +#if OPENSSL_VERSION_NUMBER < 0x30000000L if (ret == 0) { // Disconnect @@ -12467,6 +12495,7 @@ UINT SecureSend(SOCK *sock, void *data, UINT size) Disconnect(sock); return 0; } +#endif if (sock->AsyncMode) { From 08213b7f0eb6acebf82920e43c1242822dbdf163 Mon Sep 17 00:00:00 2001 From: hiura Date: Sun, 26 May 2024 23:50:05 +0900 Subject: [PATCH 3/4] CHANGE ERROR HANDLER FOR SSL ERROR: Change of indent --- src/Mayaqua/Network.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/Mayaqua/Network.c b/src/Mayaqua/Network.c index fd3c5c19..52da1246 100644 --- a/src/Mayaqua/Network.c +++ b/src/Mayaqua/Network.c @@ -12314,7 +12314,7 @@ UINT SecureRecv(SOCK *sock, void *data, UINT size) sock->ssl->s3->send_alert[0] != sock->Ssl_Init_Async_SendAlert[0] && sock->ssl->s3->send_alert[1] != sock->Ssl_Init_Async_SendAlert[1] #endif - ) + ) { UINT ssl_err_no = ERR_get_error(); @@ -12418,7 +12418,7 @@ UINT SecureRecv(SOCK *sock, void *data, UINT size) sock->ssl->s3->send_alert[0] != sock->Ssl_Init_Async_SendAlert[0] && sock->ssl->s3->send_alert[1] != sock->Ssl_Init_Async_SendAlert[1] #endif - ) + ) { UINT ssl_err_no = ERR_get_error(); From ebe52afa9a0c13f48c916bb4869a8381f0840f6f Mon Sep 17 00:00:00 2001 From: Koichiro Iwao Date: Sun, 9 Jun 2024 20:43:02 +0900 Subject: [PATCH 4/4] CI: Update to FreeBSD 14.0-RELEASE since FreeBSD 13.2 image is no longer available on the CI platform. --- .cirrus.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.cirrus.yml b/.cirrus.yml index 68b66ab5..07218cc8 100644 --- a/.cirrus.yml +++ b/.cirrus.yml @@ -11,7 +11,7 @@ FreeBSD_task: SSL: matrix: freebsd_instance: - image_family: freebsd-13-2 + image_family: freebsd-14-0 prepare_script: - pkg install -y pkgconf cmake git libsodium $SSL - git submodule update --init --recursive