1
0
mirror of https://github.com/SoftEtherVPN/SoftEtherVPN.git synced 2024-11-22 01:19:52 +03:00

Compare commits

...

4 Commits

Author SHA1 Message Date
Syuugo
7464e4d4cb
Merge 9a7e55b3e0 into c2a7aa5481 2024-06-25 11:31:44 +08:00
Ilya Shipitsin
c2a7aa5481
Merge pull request from GHSA-j35p-p8pj-vqxq
src/Cedar/Proto_IKE.c: ignore packets with no IPSec SA
2024-06-22 18:57:28 +02:00
Ilia Shipitsin
6f57449164 src/Cedar/Proto_IKE.c: ignore packets with no IPSec SA
many thanks to Jonathan Phillibert from Amazon Web Services
for investigating and reporting that responding to such packets
might lead to traffic amplification
2024-06-22 18:53:35 +02:00
Syuugo
9a7e55b3e0
Update workflows 2024-06-16 00:31:25 +09:00
10 changed files with 92 additions and 84 deletions

View File

@ -8,15 +8,16 @@ on:
jobs:
build:
name: build
name: Build
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v1
- name: Checkout
uses: actions/checkout@v4
with:
submodules: true
- name: archive
- name: Archive
id: archive
run: |
VERSION=${{ github.event.release.tag_name }}
@ -28,12 +29,8 @@ jobs:
tar cJf $TARBALL $PKGNAME
echo "tarball=$TARBALL" >> $GITHUB_OUTPUT
- name: upload tarball
uses: actions/upload-release-asset@v1
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- name: Upload tarball
uses: softprops/action-gh-release@v2
with:
upload_url: ${{ github.event.release.upload_url }}
asset_path: ./${{ steps.archive.outputs.tarball }}
asset_name: ${{ steps.archive.outputs.tarball }}
asset_content_type: application/gzip
files: ./${{ steps.archive.outputs.tarball }}
name: ${{ steps.archive.outputs.tarball }}

View File

@ -1,4 +1,3 @@
name: Coverity
on:
@ -10,28 +9,36 @@ permissions:
jobs:
scan:
name: Scan
runs-on: ubuntu-latest
if: ${{ github.repository_owner == 'SoftEtherVPN' }}
if: github.repository_owner == 'SoftEtherVPN'
steps:
- uses: actions/checkout@v2
- name: Checkout
uses: actions/checkout@v4
with:
submodules: true
- name: Install apt dependencies
run: |
sudo apt-get update
sudo apt-get install -y cmake gcc g++ libncurses5-dev libreadline-dev libssl-dev make zlib1g-dev libsodium-dev
- name: Download Coverity build tool
run: |
wget -c -N https://scan.coverity.com/download/linux64 --post-data "token=${{ secrets.COVERITY_SCAN_TOKEN }}&project=SoftEtherVPN%2FSoftEtherVPN" -O coverity_tool.tar.gz
mkdir coverity_tool
tar xzf coverity_tool.tar.gz --strip 1 -C coverity_tool
- name: Configure
run: |
./configure
- name: Build with Coverity build tool
run: |
export PATH=`pwd`/coverity_tool/bin:$PATH
cov-build --dir cov-int make -C build
- name: Submit build result to Coverity Scan
run: |
tar czvf cov.tar.gz cov-int

View File

@ -19,15 +19,18 @@ jobs:
container:
image: fedora:rawhide
steps:
- uses: actions/checkout@v1
with:
submodules: true
- name: Install dependencies
run: |
dnf -y install git cmake ncurses-devel openssl-devel libsodium-devel readline-devel zlib-devel gcc-c++ clang
- name: Checkout
uses: actions/checkout@v4
with:
submodules: true
- name: Compile with ${{ matrix.cc }}
run: |
export CC=${{ matrix.cc }}
./configure
make -C build

View File

@ -1,3 +1,4 @@
name: Linux
on: [push, pull_request]
permissions:
@ -5,14 +6,16 @@ permissions:
jobs:
build_and_test:
name: Build
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
with:
submodules: true
- name: Install dependencies
run: sudo apt update && sudo apt-get -y install cmake gcc g++ ninja-build libncurses5-dev libreadline-dev libsodium-dev libssl-dev make zlib1g-dev liblz4-dev libnl-genl-3-dev
run: sudo apt-get update && sudo apt-get -y install cmake gcc g++ ninja-build libncurses5-dev libreadline-dev libsodium-dev libssl-dev make zlib1g-dev liblz4-dev libnl-genl-3-dev
- name: Build
run: |

View File

@ -1,3 +1,4 @@
name: macOS
on: [push, pull_request, workflow_dispatch]
permissions:
@ -11,18 +12,21 @@ jobs:
name: ${{ matrix.os }}
runs-on: ${{ matrix.os }}
steps:
- uses: actions/checkout@v1
- uses: actions/checkout@v4
with:
submodules: true
- name: Install dependencies
run: |
brew install libsodium
- name: Compile
run: |
./configure
make -C build
- name: Test
run: |
otool -L build/vpnserver
.ci/memory-leak-test.sh

View File

@ -1,4 +1,4 @@
name: alpine/musl
name: Alpine/musl
on: [push, pull_request]
@ -7,17 +7,22 @@ permissions:
jobs:
musl:
name: gcc
runs-on: ubuntu-latest
container:
image: alpine:latest
steps:
- uses: actions/checkout@v1
with:
submodules: true
name: gcc
runs-on: ubuntu-latest
container:
image: alpine:latest
steps:
- name: Install dependencies
run: apk add binutils --no-cache build-base readline-dev openssl-dev ncurses-dev git cmake zlib-dev libsodium-dev gnu-libiconv
- name: Checkout
uses: actions/checkout@v4
with:
submodules: true
- name: Configure
run: ./configure
- name: make
run: make -C build
run: make -C build

View File

@ -1,3 +1,4 @@
name: STB Check
on: [push, pull_request]
permissions:
@ -5,12 +6,16 @@ permissions:
jobs:
check:
name: Check
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v1
- name: Checkout
uses: actions/checkout@v4
with:
submodules: true
- name: Check
run: |
cd developer_tools/stbchecker
dotnet run ../../src/bin/hamcore
dotnet run ../../src/bin/hamcore

View File

@ -1,3 +1,4 @@
name: Windows
on: [push, pull_request]
permissions:
@ -14,19 +15,24 @@ jobs:
runs-on: windows-latest
name: ${{ matrix.platform.ARCHITECTURE }}
steps:
- uses: actions/checkout@v4
- name: Checkout
uses: actions/checkout@v4
with:
submodules: true
- name: Cache vcpkg
uses: actions/cache@v4
with:
path: 'build/vcpkg_installed/'
key: vcpkg-${{ matrix.platform.VCPKG_TRIPLET }}
- name: Set version variables
run: |
$v = python version.py
echo "VERSION=$v" | Out-File -FilePath $Env:GITHUB_ENV -Encoding utf8 -Append
shell: pwsh
- name: Build
env:
ARCHITECTURE: ${{ matrix.platform.ARCHITECTURE }}
@ -44,11 +50,14 @@ jobs:
vpnsetup /SFXMODE:vpnclient /SFXOUT:"installers\softether-vpnclient-%VERSION%.%BUILD_NUMBER%.%ARCHITECTURE%.exe"
vpnsetup /SFXMODE:vpnserver_vpnbridge /SFXOUT:"installers\softether-vpnserver_vpnbridge-%VERSION%.%BUILD_NUMBER%.%ARCHITECTURE%.exe"
shell: cmd
- name: Test
shell: powershell
run: |
. .ci/appveyor-vpntest.ps1
- uses: actions/upload-artifact@v4
- name: Upload built binaries
uses: actions/upload-artifact@v4
with:
if-no-files-found: error
name: Binaries-${{ matrix.platform.ARCHITECTURE }}
@ -56,8 +65,10 @@ jobs:
build/*.exe
build/*.pdb
build/*.se2
- uses: actions/upload-artifact@v4
- name: Upload installers
uses: actions/upload-artifact@v4
with:
if-no-files-found: error
name: Installers-${{ matrix.platform.ARCHITECTURE }}
path: build/installers
path: build/installers

View File

@ -14,16 +14,19 @@ permissions:
jobs:
release:
name: Release
runs-on: windows-latest
outputs:
upload_url: "${{ steps.create_release.outputs.upload_url }}"
steps:
- name: "Checkout repository"
uses: actions/checkout@v4
- name: "Create GitHub release"
id: create_release
uses: softprops/action-gh-release@v1
uses: softprops/action-gh-release@v2
build-windows:
name: ${{ matrix.platform.ARCHITECTURE }}
runs-on: windows-latest
@ -35,15 +38,18 @@ jobs:
{ ARCHITECTURE: x64, COMPILER_PATH: "C:/Program Files/Microsoft Visual Studio/2022/Enterprise/VC/Tools/Llvm/x64/bin/clang-cl.exe", VCPKG_TRIPLET: "x64-windows-static", VCVARS_PATH: "C:/Program Files/Microsoft Visual Studio/2022/Enterprise/VC/Auxiliary/Build/vcvars64.bat"}
]
steps:
- name: "Checkout repository"
uses: actions/checkout@v4
with:
submodules: true
- name: Cache vcpkg
uses: actions/cache@v4
with:
path: 'build/vcpkg_installed/'
key: vcpkg-release-${{ matrix.platform.VCPKG_TRIPLET }}
- name: Set version variables
run: |
$b=(Get-Content CMakeSettings.json | Out-String | ConvertFrom-Json).environments.BuildNumber
@ -51,6 +57,7 @@ jobs:
$v = python version.py
echo "VERSION=$v" | Out-File -FilePath $Env:GITHUB_ENV -Encoding utf8 -Append
shell: pwsh
- name: Build
env:
ARCHITECTURE: ${{ matrix.platform.ARCHITECTURE }}
@ -68,27 +75,19 @@ jobs:
vpnsetup /SFXMODE:vpnserver_vpnbridge /SFXOUT:"installers\softether-vpnserver_vpnbridge-%VERSION%.%BUILD_NUMBER%.%ARCHITECTURE%.exe"
shell: cmd
- name: dir
- name: Show directory items
run: |
Get-ChildItem -Recurse build/installers
shell: pwsh
- name: "Upload softether-vpnclient"
uses: actions/upload-release-asset@v1
env:
GITHUB_TOKEN: "${{ github.token }}"
uses: softprops/action-gh-release@v2
with:
upload_url: "${{ needs.release.outputs.upload_url }}"
asset_path: "build/installers/softether-vpnclient-${{ env.VERSION }}.${{ env.BUILD_NUMBER }}.${{ matrix.platform.ARCHITECTURE }}.exe"
asset_name: "softether-vpnclient-${{ env.VERSION }}.${{ env.BUILD_NUMBER }}.${{ matrix.platform.ARCHITECTURE }}.exe"
asset_content_type: "application/octet-stream"
files: "build/installers/softether-vpnclient-${{ env.VERSION }}.${{ env.BUILD_NUMBER }}.${{ matrix.platform.ARCHITECTURE }}.exe"
name: "softether-vpnclient-${{ env.VERSION }}.${{ env.BUILD_NUMBER }}.${{ matrix.platform.ARCHITECTURE }}.exe"
- name: "Upload softether-vpnserver_vpnbridge"
uses: actions/upload-release-asset@v1
env:
GITHUB_TOKEN: "${{ github.token }}"
uses: softprops/action-gh-release@v2
with:
upload_url: "${{ needs.release.outputs.upload_url }}"
asset_path: "build/installers/softether-vpnserver_vpnbridge-${{ env.VERSION }}.${{ env.BUILD_NUMBER }}.${{ matrix.platform.ARCHITECTURE }}.exe"
asset_name: "softether-vpnserver_vpnbridge-${{ env.VERSION }}.${{ env.BUILD_NUMBER }}.${{ matrix.platform.ARCHITECTURE }}.exe"
asset_content_type: "application/octet-stream"
files: "build/installers/softether-vpnserver_vpnbridge-${{ env.VERSION }}.${{ env.BUILD_NUMBER }}.${{ matrix.platform.ARCHITECTURE }}.exe"
name: "softether-vpnserver_vpnbridge-${{ env.VERSION }}.${{ env.BUILD_NUMBER }}.${{ matrix.platform.ARCHITECTURE }}.exe"

View File

@ -463,39 +463,13 @@ void ProcIPsecEspPacketRecv(IKE_SERVER *ike, UDPPACKET *p)
seq = READ_UINT(src + sizeof(UINT));
// Search and retrieve the IPsec SA from SPI
// thank to @phillibert report, responding to bad SA might lead to amplification
// according to RFC4303 we should drop such packets
ipsec_sa = SearchClientToServerIPsecSaBySpi(ike, spi);
if (ipsec_sa == NULL)
{
// Invalid SPI
UINT64 init_cookie = Rand64();
UINT64 resp_cookie = 0;
IKE_CLIENT *c = NULL;
IKE_CLIENT t;
Copy(&t.ClientIP, &p->SrcIP, sizeof(IP));
t.ClientPort = p->SrcPort;
Copy(&t.ServerIP, &p->DstIP, sizeof(IP));
t.ServerPort = p->DestPort;
t.CurrentIkeSa = NULL;
if (p->DestPort == IPSEC_PORT_IPSEC_ESP_RAW)
{
t.ClientPort = t.ServerPort = IPSEC_PORT_IPSEC_ISAKMP;
}
c = Search(ike->ClientList, &t);
if (c != NULL && c->CurrentIkeSa != NULL)
{
init_cookie = c->CurrentIkeSa->InitiatorCookie;
resp_cookie = c->CurrentIkeSa->ResponderCookie;
}
SendInformationalExchangePacketEx(ike, (c == NULL ? &t : c), IkeNewNoticeErrorInvalidSpiPayload(spi), false,
init_cookie, resp_cookie);
SendDeleteIPsecSaPacket(ike, (c == NULL ? &t : c), spi);
return;
}