mirror of
https://github.com/SoftEtherVPN/SoftEtherVPN.git
synced 2024-11-22 01:19:52 +03:00
Merge branch 'SoftEtherVPN:master' into master
This commit is contained in:
commit
e532519f83
@ -65,12 +65,23 @@
|
|||||||
}
|
}
|
||||||
},
|
},
|
||||||
"braces": {
|
"braces": {
|
||||||
"version": "3.0.2",
|
"version": "3.0.3",
|
||||||
"resolved": "https://registry.npmjs.org/braces/-/braces-3.0.2.tgz",
|
"resolved": "https://registry.npmjs.org/braces/-/braces-3.0.3.tgz",
|
||||||
"integrity": "sha512-b8um+L1RzM3WDSzvhm6gIz1yfTbBt6YTlcEKAvsmqCZZFw46z626lVj9j1yEPW33H5H+lBQpZMP1k8l+78Ha0A==",
|
"integrity": "sha512-yQbXgO/OSZVD2IsiLlro+7Hf6Q18EJrKSEsdoMzKePKXct3gvD8oLcOQdIzGupr5Fj+EDe8gO/lxc1BzfMpxvA==",
|
||||||
"dev": true,
|
"dev": true,
|
||||||
"requires": {
|
"requires": {
|
||||||
"fill-range": "^7.0.1"
|
"fill-range": "^7.1.1"
|
||||||
|
},
|
||||||
|
"dependencies": {
|
||||||
|
"fill-range": {
|
||||||
|
"version": "7.1.1",
|
||||||
|
"resolved": "https://registry.npmjs.org/fill-range/-/fill-range-7.1.1.tgz",
|
||||||
|
"integrity": "sha512-YsGpe3WHLK8ZYi4tWDg2Jy3ebRz2rXowDxnld4bkQB00cc/1Zw9AWnC0i9ztDJitivtQvaI9KaLyKrc+hBW0yg==",
|
||||||
|
"dev": true,
|
||||||
|
"requires": {
|
||||||
|
"to-regex-range": "^5.0.1"
|
||||||
|
}
|
||||||
|
}
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
"builtin-modules": {
|
"builtin-modules": {
|
||||||
@ -151,15 +162,6 @@
|
|||||||
"integrity": "sha1-Cr9PHKpbyx96nYrMbepPqqBLrJs=",
|
"integrity": "sha1-Cr9PHKpbyx96nYrMbepPqqBLrJs=",
|
||||||
"dev": true
|
"dev": true
|
||||||
},
|
},
|
||||||
"fill-range": {
|
|
||||||
"version": "7.0.1",
|
|
||||||
"resolved": "https://registry.npmjs.org/fill-range/-/fill-range-7.0.1.tgz",
|
|
||||||
"integrity": "sha512-qOo9F+dMUmC2Lcb4BbVvnKJxTPjCm+RRpe4gDuGrzkL7mEVl/djYSu2OdQ2Pa302N4oqkSg9ir6jaLWJ2USVpQ==",
|
|
||||||
"dev": true,
|
|
||||||
"requires": {
|
|
||||||
"to-regex-range": "^5.0.1"
|
|
||||||
}
|
|
||||||
},
|
|
||||||
"fs.realpath": {
|
"fs.realpath": {
|
||||||
"version": "1.0.0",
|
"version": "1.0.0",
|
||||||
"resolved": "https://registry.npmjs.org/fs.realpath/-/fs.realpath-1.0.0.tgz",
|
"resolved": "https://registry.npmjs.org/fs.realpath/-/fs.realpath-1.0.0.tgz",
|
||||||
|
@ -463,39 +463,13 @@ void ProcIPsecEspPacketRecv(IKE_SERVER *ike, UDPPACKET *p)
|
|||||||
seq = READ_UINT(src + sizeof(UINT));
|
seq = READ_UINT(src + sizeof(UINT));
|
||||||
|
|
||||||
// Search and retrieve the IPsec SA from SPI
|
// Search and retrieve the IPsec SA from SPI
|
||||||
|
|
||||||
|
// thank to @phillibert report, responding to bad SA might lead to amplification
|
||||||
|
// according to RFC4303 we should drop such packets
|
||||||
|
|
||||||
ipsec_sa = SearchClientToServerIPsecSaBySpi(ike, spi);
|
ipsec_sa = SearchClientToServerIPsecSaBySpi(ike, spi);
|
||||||
if (ipsec_sa == NULL)
|
if (ipsec_sa == NULL)
|
||||||
{
|
{
|
||||||
// Invalid SPI
|
|
||||||
UINT64 init_cookie = Rand64();
|
|
||||||
UINT64 resp_cookie = 0;
|
|
||||||
IKE_CLIENT *c = NULL;
|
|
||||||
IKE_CLIENT t;
|
|
||||||
|
|
||||||
|
|
||||||
Copy(&t.ClientIP, &p->SrcIP, sizeof(IP));
|
|
||||||
t.ClientPort = p->SrcPort;
|
|
||||||
Copy(&t.ServerIP, &p->DstIP, sizeof(IP));
|
|
||||||
t.ServerPort = p->DestPort;
|
|
||||||
t.CurrentIkeSa = NULL;
|
|
||||||
|
|
||||||
if (p->DestPort == IPSEC_PORT_IPSEC_ESP_RAW)
|
|
||||||
{
|
|
||||||
t.ClientPort = t.ServerPort = IPSEC_PORT_IPSEC_ISAKMP;
|
|
||||||
}
|
|
||||||
|
|
||||||
c = Search(ike->ClientList, &t);
|
|
||||||
|
|
||||||
if (c != NULL && c->CurrentIkeSa != NULL)
|
|
||||||
{
|
|
||||||
init_cookie = c->CurrentIkeSa->InitiatorCookie;
|
|
||||||
resp_cookie = c->CurrentIkeSa->ResponderCookie;
|
|
||||||
}
|
|
||||||
|
|
||||||
SendInformationalExchangePacketEx(ike, (c == NULL ? &t : c), IkeNewNoticeErrorInvalidSpiPayload(spi), false,
|
|
||||||
init_cookie, resp_cookie);
|
|
||||||
|
|
||||||
SendDeleteIPsecSaPacket(ike, (c == NULL ? &t : c), spi);
|
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -88,6 +88,7 @@ int ssl_clientcert_index = 0;
|
|||||||
#if OPENSSL_VERSION_NUMBER >= 0x30000000L
|
#if OPENSSL_VERSION_NUMBER >= 0x30000000L
|
||||||
static OSSL_PROVIDER *ossl_provider_legacy = NULL;
|
static OSSL_PROVIDER *ossl_provider_legacy = NULL;
|
||||||
static OSSL_PROVIDER *ossl_provider_default = NULL;
|
static OSSL_PROVIDER *ossl_provider_default = NULL;
|
||||||
|
static OSSL_PROVIDER *ossl_provider_oqsprovider = NULL;
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
LOCK **ssl_lock_obj = NULL;
|
LOCK **ssl_lock_obj = NULL;
|
||||||
@ -3974,6 +3975,12 @@ void FreeCryptLibrary()
|
|||||||
OSSL_PROVIDER_unload(ossl_provider_legacy);
|
OSSL_PROVIDER_unload(ossl_provider_legacy);
|
||||||
ossl_provider_legacy = NULL;
|
ossl_provider_legacy = NULL;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if (ossl_provider_oqsprovider != NULL)
|
||||||
|
{
|
||||||
|
OSSL_PROVIDER_unload(ossl_provider_oqsprovider);
|
||||||
|
ossl_provider_oqsprovider = NULL;
|
||||||
|
}
|
||||||
#endif
|
#endif
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -3996,6 +4003,7 @@ void InitCryptLibrary()
|
|||||||
#if OPENSSL_VERSION_NUMBER >= 0x30000000L
|
#if OPENSSL_VERSION_NUMBER >= 0x30000000L
|
||||||
ossl_provider_default = OSSL_PROVIDER_load(NULL, "legacy");
|
ossl_provider_default = OSSL_PROVIDER_load(NULL, "legacy");
|
||||||
ossl_provider_legacy = OSSL_PROVIDER_load(NULL, "default");
|
ossl_provider_legacy = OSSL_PROVIDER_load(NULL, "default");
|
||||||
|
ossl_provider_oqsprovider = OSSL_PROVIDER_load(NULL, "oqsprovider");
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
ssl_clientcert_index = SSL_get_ex_new_index(0, "struct SslClientCertInfo *", NULL, NULL, NULL);
|
ssl_clientcert_index = SSL_get_ex_new_index(0, "struct SslClientCertInfo *", NULL, NULL, NULL);
|
||||||
|
@ -11905,6 +11905,10 @@ bool StartSSLEx3(SOCK *sock, X *x, K *priv, LIST *chain, UINT ssl_timeout, char
|
|||||||
Unlock(openssl_lock);
|
Unlock(openssl_lock);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
#if OPENSSL_VERSION_NUMBER >= 0x30000000L
|
||||||
|
SSL_set1_groups_list(sock->ssl, PQ_GROUP_LIST);
|
||||||
|
#endif
|
||||||
|
|
||||||
if (sock->ServerMode)
|
if (sock->ServerMode)
|
||||||
{
|
{
|
||||||
// Lock(ssl_connect_lock);
|
// Lock(ssl_connect_lock);
|
||||||
@ -11984,7 +11988,7 @@ bool StartSSLEx3(SOCK *sock, X *x, K *priv, LIST *chain, UINT ssl_timeout, char
|
|||||||
// Unlock(ssl_connect_lock);
|
// Unlock(ssl_connect_lock);
|
||||||
}
|
}
|
||||||
else
|
else
|
||||||
{
|
{
|
||||||
prev_timeout = GetTimeout(sock);
|
prev_timeout = GetTimeout(sock);
|
||||||
SetTimeout(sock, ssl_timeout);
|
SetTimeout(sock, ssl_timeout);
|
||||||
// Client mode
|
// Client mode
|
||||||
@ -12285,6 +12289,7 @@ UINT SecureRecv(SOCK *sock, void *data, UINT size)
|
|||||||
Debug("%s %u SecureRecv() Disconnect\n", __FILE__, __LINE__);
|
Debug("%s %u SecureRecv() Disconnect\n", __FILE__, __LINE__);
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
ERR_clear_error();
|
||||||
ret = SSL_peek(ssl, &c, sizeof(c));
|
ret = SSL_peek(ssl, &c, sizeof(c));
|
||||||
}
|
}
|
||||||
Unlock(sock->ssl_lock);
|
Unlock(sock->ssl_lock);
|
||||||
@ -12316,9 +12321,11 @@ UINT SecureRecv(SOCK *sock, void *data, UINT size)
|
|||||||
#endif
|
#endif
|
||||||
)
|
)
|
||||||
{
|
{
|
||||||
UINT ssl_err_no = ERR_get_error();
|
UINT ssl_err_no;
|
||||||
|
while (ssl_err_no = ERR_get_error()){
|
||||||
|
Debug("%s %u SSL_ERROR_SSL on ASYNC socket !!! ssl_err_no = %u: '%s'\n", __FILE__, __LINE__, ssl_err_no, ERR_error_string(ssl_err_no, NULL));
|
||||||
|
};
|
||||||
|
|
||||||
Debug("%s %u SSL_ERROR_SSL on ASYNC socket !!! ssl_err_no = %u: '%s'\n", __FILE__, __LINE__, ssl_err_no, ERR_error_string(ssl_err_no, NULL));
|
|
||||||
Disconnect(sock);
|
Disconnect(sock);
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
@ -12350,6 +12357,7 @@ UINT SecureRecv(SOCK *sock, void *data, UINT size)
|
|||||||
ttparam = NewSocketTimeout(sock);
|
ttparam = NewSocketTimeout(sock);
|
||||||
#endif // UNIX_SOLARIS
|
#endif // UNIX_SOLARIS
|
||||||
|
|
||||||
|
ERR_clear_error();
|
||||||
ret = SSL_read(ssl, data, size);
|
ret = SSL_read(ssl, data, size);
|
||||||
|
|
||||||
// Stop the timeout thread
|
// Stop the timeout thread
|
||||||
@ -12420,9 +12428,11 @@ UINT SecureRecv(SOCK *sock, void *data, UINT size)
|
|||||||
#endif
|
#endif
|
||||||
)
|
)
|
||||||
{
|
{
|
||||||
UINT ssl_err_no = ERR_get_error();
|
UINT ssl_err_no;
|
||||||
|
while (ssl_err_no = ERR_get_error()) {
|
||||||
|
Debug("%s %u SSL_ERROR_SSL on ASYNC socket !!! ssl_err_no = %u: '%s'\n", __FILE__, __LINE__, ssl_err_no, ERR_error_string(ssl_err_no, NULL));
|
||||||
|
};
|
||||||
|
|
||||||
Debug("%s %u SSL_ERROR_SSL on ASYNC socket !!! ssl_err_no = %u: '%s'\n", __FILE__, __LINE__, ssl_err_no, ERR_error_string(ssl_err_no, NULL));
|
|
||||||
Disconnect(sock);
|
Disconnect(sock);
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
@ -12431,8 +12441,8 @@ UINT SecureRecv(SOCK *sock, void *data, UINT size)
|
|||||||
return SOCK_LATER;
|
return SOCK_LATER;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
Debug("%s %u e=%u SecureRecv() Disconnect\n", __FILE__, __LINE__, e);
|
||||||
Disconnect(sock);
|
Disconnect(sock);
|
||||||
Debug("%s %u SecureRecv() Disconnect\n", __FILE__, __LINE__);
|
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -12459,6 +12469,7 @@ UINT SecureSend(SOCK *sock, void *data, UINT size)
|
|||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
ERR_clear_error();
|
||||||
ret = SSL_write(ssl, data, size);
|
ret = SSL_write(ssl, data, size);
|
||||||
#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
||||||
if (ret < 0) // OpenSSL version < 3.0.0
|
if (ret < 0) // OpenSSL version < 3.0.0
|
||||||
@ -12502,12 +12513,22 @@ UINT SecureSend(SOCK *sock, void *data, UINT size)
|
|||||||
// Confirmation of the error value
|
// Confirmation of the error value
|
||||||
if (e == SSL_ERROR_WANT_READ || e == SSL_ERROR_WANT_WRITE || e == SSL_ERROR_SSL)
|
if (e == SSL_ERROR_WANT_READ || e == SSL_ERROR_WANT_WRITE || e == SSL_ERROR_SSL)
|
||||||
{
|
{
|
||||||
|
if (e == SSL_ERROR_SSL)
|
||||||
|
{
|
||||||
|
UINT ssl_err_no;
|
||||||
|
while (ssl_err_no = ERR_get_error()) {
|
||||||
|
Debug("%s %u SSL_ERROR_SSL on ASYNC socket !!! ssl_err_no = %u: '%s'\n", __FILE__, __LINE__, ssl_err_no, ERR_error_string(ssl_err_no, NULL));
|
||||||
|
};
|
||||||
|
|
||||||
|
Disconnect(sock);
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
sock->WriteBlocked = true;
|
sock->WriteBlocked = true;
|
||||||
return SOCK_LATER;
|
return SOCK_LATER;
|
||||||
}
|
}
|
||||||
Debug("%s %u e=%u\n", __FILE__, __LINE__, e);
|
|
||||||
}
|
}
|
||||||
//Debug("%s %u SecureSend() Disconnect\n", __FILE__, __LINE__);
|
Debug("%s %u e=%u SecureSend() Disconnect\n", __FILE__, __LINE__, e);
|
||||||
Disconnect(sock);
|
Disconnect(sock);
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
@ -59,6 +59,10 @@ struct DYN_VALUE
|
|||||||
|
|
||||||
#define DEFAULT_CIPHER_LIST "ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:DHE+CHACHA20:ECDHE+AES256:DHE+AES256:RSA+AES"
|
#define DEFAULT_CIPHER_LIST "ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:DHE+CHACHA20:ECDHE+AES256:DHE+AES256:RSA+AES"
|
||||||
|
|
||||||
|
#if OPENSSL_VERSION_NUMBER >= 0x30000000L
|
||||||
|
#define PQ_GROUP_LIST "p521_kyber1024:x25519_kyber768:P-521:X25519:P-256"
|
||||||
|
#endif
|
||||||
|
|
||||||
// SSL logging function
|
// SSL logging function
|
||||||
//#define ENABLE_SSL_LOGGING
|
//#define ENABLE_SSL_LOGGING
|
||||||
#define SSL_LOGGING_DIRNAME "@ssl_log"
|
#define SSL_LOGGING_DIRNAME "@ssl_log"
|
||||||
|
@ -373,12 +373,23 @@
|
|||||||
}
|
}
|
||||||
},
|
},
|
||||||
"braces": {
|
"braces": {
|
||||||
"version": "3.0.2",
|
"version": "3.0.3",
|
||||||
"resolved": "https://registry.npmjs.org/braces/-/braces-3.0.2.tgz",
|
"resolved": "https://registry.npmjs.org/braces/-/braces-3.0.3.tgz",
|
||||||
"integrity": "sha512-b8um+L1RzM3WDSzvhm6gIz1yfTbBt6YTlcEKAvsmqCZZFw46z626lVj9j1yEPW33H5H+lBQpZMP1k8l+78Ha0A==",
|
"integrity": "sha512-yQbXgO/OSZVD2IsiLlro+7Hf6Q18EJrKSEsdoMzKePKXct3gvD8oLcOQdIzGupr5Fj+EDe8gO/lxc1BzfMpxvA==",
|
||||||
"dev": true,
|
"dev": true,
|
||||||
"requires": {
|
"requires": {
|
||||||
"fill-range": "^7.0.1"
|
"fill-range": "^7.1.1"
|
||||||
|
},
|
||||||
|
"dependencies": {
|
||||||
|
"fill-range": {
|
||||||
|
"version": "7.1.1",
|
||||||
|
"resolved": "https://registry.npmjs.org/fill-range/-/fill-range-7.1.1.tgz",
|
||||||
|
"integrity": "sha512-YsGpe3WHLK8ZYi4tWDg2Jy3ebRz2rXowDxnld4bkQB00cc/1Zw9AWnC0i9ztDJitivtQvaI9KaLyKrc+hBW0yg==",
|
||||||
|
"dev": true,
|
||||||
|
"requires": {
|
||||||
|
"to-regex-range": "^5.0.1"
|
||||||
|
}
|
||||||
|
}
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
"browserslist": {
|
"browserslist": {
|
||||||
@ -603,15 +614,6 @@
|
|||||||
"integrity": "sha512-eRnCtTTtGZFpQCwhJiUOuxPQWRXVKYDn0b2PeHfXL6/Zi53SLAzAHfVhVWK2AryC/WH05kGfxhFIPvTF0SXQzg==",
|
"integrity": "sha512-eRnCtTTtGZFpQCwhJiUOuxPQWRXVKYDn0b2PeHfXL6/Zi53SLAzAHfVhVWK2AryC/WH05kGfxhFIPvTF0SXQzg==",
|
||||||
"dev": true
|
"dev": true
|
||||||
},
|
},
|
||||||
"fill-range": {
|
|
||||||
"version": "7.0.1",
|
|
||||||
"resolved": "https://registry.npmjs.org/fill-range/-/fill-range-7.0.1.tgz",
|
|
||||||
"integrity": "sha512-qOo9F+dMUmC2Lcb4BbVvnKJxTPjCm+RRpe4gDuGrzkL7mEVl/djYSu2OdQ2Pa302N4oqkSg9ir6jaLWJ2USVpQ==",
|
|
||||||
"dev": true,
|
|
||||||
"requires": {
|
|
||||||
"to-regex-range": "^5.0.1"
|
|
||||||
}
|
|
||||||
},
|
|
||||||
"find-up": {
|
"find-up": {
|
||||||
"version": "4.1.0",
|
"version": "4.1.0",
|
||||||
"resolved": "https://registry.npmjs.org/find-up/-/find-up-4.1.0.tgz",
|
"resolved": "https://registry.npmjs.org/find-up/-/find-up-4.1.0.tgz",
|
||||||
|
Loading…
Reference in New Issue
Block a user