Fix Vulnerability: CVE-2023-32275 TALOS-2023-1753

SoftEther VPN CtEnumCa () information disclosure vulnerability
https://www.softether.org/9-about/News/904-SEVPN202301
https://jvn.jp/en/jp/JVN64316789/

src/Mayaqua/Encrypt.c

@@ -712,7 +712,8 @@ UINT RsaPublicSize(K *k)
 // Hash a pointer to a 32-bit
 UINT HashPtrToUINT(void *p)
 {
-	UCHAR hash_data[MD5_SIZE];
+	UCHAR hash_data[SHA256_SIZE];
+	UCHAR hash_src[CANARY_RAND_SIZE + sizeof(void *)];
 	UINT ret;
 	// Validate arguments
 	if (p == NULL)
@@ -720,7 +721,11 @@ UINT HashPtrToUINT(void *p)
 		return 0;
 	}
 
-	Md5(hash_data, &p, sizeof(p));
+	Zero(hash_src, sizeof(hash_src));
+	Copy(hash_src + 0, GetCanaryRand(CANARY_RAND_ID_PTR_KEY_HASH), CANARY_RAND_SIZE);
+	Copy(hash_src + CANARY_RAND_SIZE, p, sizeof(void *));
+
+	Sha2_256(hash_data, hash_src, sizeof(hash_src));
 
 	Copy(&ret, hash_data, sizeof(ret));
 

src/Mayaqua/MayaType.h

@@ -123,11 +123,7 @@ typedef int (COMPARE)(void *p1, void *p2);
 #define	GET_ABS(a)			((a) >= 0 ? (a) : -(a))
 
 // Convert the pointer to UINT
-#ifdef	CPU_64
+#define	POINTER_TO_KEY(p)		(HashPtrToUINT(p))
-#define	POINTER_TO_KEY(p)		HashPtrToUINT(p)
-#else
-#define	POINTER_TO_KEY(p)		(UINT)(p)
-#endif
 
 // Compare the pointer and UINT
 #define	COMPARE_POINTER_AND_KEY(p, i)	(POINTER_TO_KEY(p) == (i))

src/Mayaqua/Memory.h

@@ -378,6 +378,8 @@ bool AddStrToStrListDistinct(LIST *o, char *str);
 #define CANARY_RAND_ID_MEMTAG_MAGIC		0
 #define CANARY_RAND_SIZE				20
 
+#define CANARY_RAND_ID_PTR_KEY_HASH		1
+
 void InitCanaryRand();
 UCHAR *GetCanaryRand(UINT id);