Merge pull request from GHSA-j35p-p8pj-vqxq

src/Cedar/Proto_IKE.c: ignore packets with no IPSec SA

.cirrus.yml

@@ -11,7 +11,7 @@ FreeBSD_task:
       SSL:
   matrix:
     freebsd_instance:
-      image_family: freebsd-13-2
+      image_family: freebsd-14-0
   prepare_script:
     - pkg install -y pkgconf cmake git libsodium $SSL
     - git submodule update --init --recursive

.github/workflows/macos.yml

@@ -7,7 +7,7 @@ jobs:
   build_and_test:
     strategy:
       matrix:
-        os: [macos-13, macos-12, macos-11]
+        os: [macos-14, macos-13, macos-12]
     name: ${{ matrix.os }}
     runs-on: ${{ matrix.os }}
     steps:

CMakeLists.txt

@@ -3,7 +3,7 @@ cmake_minimum_required(VERSION 3.10)
 set(BUILD_NUMBER CACHE STRING "The number of the current build.")
 
 if ("${BUILD_NUMBER}" STREQUAL "")
-	set(BUILD_NUMBER "5184")
+	set(BUILD_NUMBER "5185")
 endif()
 
 if (BUILD_NUMBER LESS 5180)
@@ -53,7 +53,7 @@ if(UNIX)
   #
   # use rpath for locating installed libraries
   #
-  set(CMAKE_INSTALL_RPATH "${CMAKE_INSTALL_PREFIX}/lib")
+  set(CMAKE_INSTALL_RPATH "${CMAKE_INSTALL_PREFIX}/${CMAKE_INSTALL_LIBDIR}")
   set(CMAKE_INSTALL_RPATH_USE_LINK_PATH TRUE)
 
   include(CheckIncludeFile)

CMakeSettings.json

@@ -1,5 +1,5 @@
 {
-  "environments": [ { "BuildNumber": "5184" } ],
+  "environments": [ { "BuildNumber": "5185" } ],
   "configurations": [
     {
       "name": "x64-native",

developer_tools/vpnserver-jsonrpc-clients/vpnserver-jsonrpc-client-nodejs-package/package-lock.json

@@ -65,12 +65,23 @@
       }
     },
     "braces": {
-      "version": "3.0.2",
-      "resolved": "https://registry.npmjs.org/braces/-/braces-3.0.2.tgz",
-      "integrity": "sha512-b8um+L1RzM3WDSzvhm6gIz1yfTbBt6YTlcEKAvsmqCZZFw46z626lVj9j1yEPW33H5H+lBQpZMP1k8l+78Ha0A==",
+      "version": "3.0.3",
+      "resolved": "https://registry.npmjs.org/braces/-/braces-3.0.3.tgz",
+      "integrity": "sha512-yQbXgO/OSZVD2IsiLlro+7Hf6Q18EJrKSEsdoMzKePKXct3gvD8oLcOQdIzGupr5Fj+EDe8gO/lxc1BzfMpxvA==",
       "dev": true,
       "requires": {
-        "fill-range": "^7.0.1"
+        "fill-range": "^7.1.1"
+      },
+      "dependencies": {
+        "fill-range": {
+          "version": "7.1.1",
+          "resolved": "https://registry.npmjs.org/fill-range/-/fill-range-7.1.1.tgz",
+          "integrity": "sha512-YsGpe3WHLK8ZYi4tWDg2Jy3ebRz2rXowDxnld4bkQB00cc/1Zw9AWnC0i9ztDJitivtQvaI9KaLyKrc+hBW0yg==",
+          "dev": true,
+          "requires": {
+            "to-regex-range": "^5.0.1"
+          }
+        }
       }
     },
     "builtin-modules": {
@@ -151,15 +162,6 @@
       "integrity": "sha1-Cr9PHKpbyx96nYrMbepPqqBLrJs=",
       "dev": true
     },
-    "fill-range": {
-      "version": "7.0.1",
-      "resolved": "https://registry.npmjs.org/fill-range/-/fill-range-7.0.1.tgz",
-      "integrity": "sha512-qOo9F+dMUmC2Lcb4BbVvnKJxTPjCm+RRpe4gDuGrzkL7mEVl/djYSu2OdQ2Pa302N4oqkSg9ir6jaLWJ2USVpQ==",
-      "dev": true,
-      "requires": {
-        "to-regex-range": "^5.0.1"
-      }
-    },
     "fs.realpath": {
       "version": "1.0.0",
       "resolved": "https://registry.npmjs.org/fs.realpath/-/fs.realpath-1.0.0.tgz",

src/Cedar/IPC.c

@@ -1517,7 +1517,9 @@ void IPCProcessL3EventsEx(IPC *ipc, UINT64 now)
 									// We save the router advertisement data for later use
 									IPCIPv6AddRouterPrefixes(ipc, &p->ICMPv6HeaderPacketInfo.OptionList, src_mac, &ip_src);
 									IPCIPv6AssociateOnNDTEx(ipc, &ip_src, src_mac, true);
-									IPCIPv6AssociateOnNDTEx(ipc, &ip_src, p->ICMPv6HeaderPacketInfo.OptionList.SourceLinkLayer->Address, true);
+									if (p->ICMPv6HeaderPacketInfo.OptionList.SourceLinkLayer != NULL) {
+										IPCIPv6AssociateOnNDTEx(ipc, &ip_src, p->ICMPv6HeaderPacketInfo.OptionList.SourceLinkLayer->Address, true);
+									}
 									ndtProcessed = true;
 									header_size = sizeof(ICMPV6_ROUTER_ADVERTISEMENT_HEADER);
 									break;
@@ -2354,7 +2356,14 @@ void IPCIPv6AddRouterPrefixes(IPC *ipc, ICMPV6_OPTION_LIST *recvPrefix, UCHAR *m
 				IntToSubnetMask6(&newRA->RoutedMask, recvPrefix->Prefix[i]->SubnetLength);
 				CopyIP(&newRA->RouterAddress, ip);
 				Copy(newRA->RouterMacAddress, macAddress, 6);
-				Copy(newRA->RouterLinkLayerAddress, recvPrefix->SourceLinkLayer->Address, 6);
+				if (recvPrefix->SourceLinkLayer != NULL)
+				{
+					Copy(newRA->RouterLinkLayerAddress, recvPrefix->SourceLinkLayer->Address, 6);
+				}
+				else
+				{
+					Zero(newRA->RouterLinkLayerAddress, 6);
+				}
 				Add(ipc->IPv6RouterAdvs, newRA);
 			}
 		}
@@ -2657,7 +2666,7 @@ void IPCIPv6SendUnicast(IPC *ipc, void *data, UINT size, IP *next_ip)
 		}
 
 		destMac = ra.RouterMacAddress;
-		if (!IsMacUnicast(destMac) && !IsMacInvalid(ra.RouterMacAddress))
+		if (!IsMacUnicast(destMac) && !IsMacInvalid(ra.RouterLinkLayerAddress))
 		{
 			destMac = ra.RouterLinkLayerAddress;
 		}

src/Cedar/Proto_IKE.c

@@ -463,39 +463,13 @@ void ProcIPsecEspPacketRecv(IKE_SERVER *ike, UDPPACKET *p)
 	seq = READ_UINT(src + sizeof(UINT));
 
 	// Search and retrieve the IPsec SA from SPI
+
+	// thank to @phillibert report, responding to bad SA might lead to amplification
+	// according to RFC4303 we should drop such packets
+
 	ipsec_sa = SearchClientToServerIPsecSaBySpi(ike, spi);
 	if (ipsec_sa == NULL)
 	{
-		// Invalid SPI
-		UINT64 init_cookie = Rand64();
-		UINT64 resp_cookie = 0;
-		IKE_CLIENT *c = NULL;
-		IKE_CLIENT t;
-
-
-		Copy(&t.ClientIP, &p->SrcIP, sizeof(IP));
-		t.ClientPort = p->SrcPort;
-		Copy(&t.ServerIP, &p->DstIP, sizeof(IP));
-		t.ServerPort = p->DestPort;
-		t.CurrentIkeSa = NULL;
-
-		if (p->DestPort == IPSEC_PORT_IPSEC_ESP_RAW)
-		{
-			t.ClientPort = t.ServerPort = IPSEC_PORT_IPSEC_ISAKMP;
-		}
-
-		c = Search(ike->ClientList, &t);
-
-		if (c != NULL && c->CurrentIkeSa != NULL)
-		{
-			init_cookie = c->CurrentIkeSa->InitiatorCookie;
-			resp_cookie = c->CurrentIkeSa->ResponderCookie;
-		}
-
-		SendInformationalExchangePacketEx(ike, (c == NULL ? &t : c), IkeNewNoticeErrorInvalidSpiPayload(spi), false,
-			init_cookie, resp_cookie);
-
-		SendDeleteIPsecSaPacket(ike, (c == NULL ? &t : c), spi);
 		return;
 	}
 

src/Cedar/Virtual.c

@@ -9340,20 +9340,48 @@ UINT ServeDhcpDiscoverEx(VH *v, UCHAR *mac, UINT request_ip, bool is_static_ip)
 		return 0;
 	}
 
+	UINT ret = 0;
 	DHCP_LEASE *d = SearchDhcpLeaseByIp(v, request_ip);
+
 	if (d != NULL)
 	{
-		// The requested IP address is used already
-		return 0;
+		// If an entry for the same IP address already exists,
+		// check whether it is a request from the same MAC address
+		if (Cmp(mac, d->MacAddress, 6) == 0)
+		{
+			// Examine whether the specified IP address is within the range of static assignment
+			if (Endian32(v->DhcpIpStart) > Endian32(request_ip) ||
+				Endian32(request_ip) > Endian32(v->DhcpIpEnd))
+			{
+				// Accept if within the range of static assignment
+				ret = request_ip;
+			}
+		}
+		else {
+			// Duplicated IPV4 address found. The specified IP address is not available for use
+			char ipstr[MAX_HOST_NAME_LEN + 1] = { 0 };
+			char macstr[128] = { 0 };
+			IPToStr32(ipstr, sizeof(ipstr), request_ip);
+			MacToStr(macstr, sizeof(macstr), d->MacAddress);
+			Debug("Virtual DHC Server: Duplicated IP address detected. Static IP: %s, with the MAC: %s\n", ipstr, macstr);
+		}
 	}
-
-	// For static IP, the requested IP address must NOT be within the range of the DHCP pool
-	if (Endian32(request_ip) < Endian32(v->DhcpIpStart) || Endian32(request_ip) > Endian32(v->DhcpIpEnd))
+	else
 	{
-		return request_ip;
+		// Examine whether the specified IP address is within the range of static assignment
+		if (Endian32(v->DhcpIpStart) > Endian32(request_ip) ||
+			Endian32(request_ip) > Endian32(v->DhcpIpEnd))
+		{
+			// Accept if within the range of static assignment
+			ret = request_ip;
+		}
+		else
+		{
+			// The specified IP address is not available for use
+		}
 	}
 
-	return 0;
+	return ret;
 }
 
 // Take an appropriate IP addresses that can be assigned newly
@@ -9540,6 +9568,11 @@ void VirtualDhcpServer(VH *v, PKT *p)
 			{
 				ip = ServeDhcpRequestEx(v, p->MacAddressSrc, opt->RequestedIp, ip_static);
 			}
+			// If the IP address in user's note is changed, then reply to DHCP_REQUEST with DHCP_NAK
+			if (p->L3.IPv4Header->SrcIP && ip != p->L3.IPv4Header->SrcIP)
+			{
+				ip = 0;
+			}
 		}
 
 		if (ip != 0 || opt->Opcode == DHCP_INFORM)
@@ -9552,6 +9585,14 @@ void VirtualDhcpServer(VH *v, PKT *p)
 				char client_mac[MAX_SIZE];
 				char client_ip[MAX_SIZE];
 
+				// If there is any entry with the same MAC address, then remove it
+				d = SearchDhcpLeaseByMac(v, p->MacAddressSrc);
+				if (d != NULL)
+				{
+					FreeDhcpLease(d);
+					Delete(v->DhcpLeaseList, d);
+				}
+
 				// Remove old records with the same IP address
 				d = SearchDhcpLeaseByIp(v, ip);
 				if (d != NULL)
@@ -9710,36 +9751,40 @@ void VirtualDhcpServer(VH *v, PKT *p)
 		}
 		else
 		{
-			// There is no IP address that can be provided
-			DHCP_OPTION_LIST ret;
-			LIST *o;
-			Zero(&ret, sizeof(ret));
-
-			ret.Opcode = DHCP_NACK;
-			ret.ServerAddress = v->HostIP;
-			StrCpy(ret.DomainName, sizeof(ret.DomainName), v->DhcpDomain);
-			ret.SubnetMask = v->DhcpMask;
-
-			// Build the DHCP option
-			o = BuildDhcpOption(&ret);
-			if (o != NULL)
+			// Reply of DHCP_REQUEST must be either DHCP_ACK or DHCP_NAK
+			if (opt->Opcode == DHCP_REQUEST)
 			{
-				BUF *b = BuildDhcpOptionsBuf(o);
-				if (b != NULL)
-				{
-					UINT dest_ip = p->L3.IPv4Header->SrcIP;
-					if (dest_ip == 0)
-					{
-						dest_ip = 0xffffffff;
-					}
-					// Transmission
-					VirtualDhcpSend(v, tran_id, dest_ip, Endian16(p->L4.UDPHeader->SrcPort),
-					                ip, dhcp->ClientMacAddress, b, dhcp->HardwareType, dhcp->HardwareAddressSize);
+				// There is no IP address that can be provided
+				DHCP_OPTION_LIST ret;
+				LIST *o;
+				Zero(&ret, sizeof(ret));
 
-					// Release the memory
-					FreeBuf(b);
+				ret.Opcode = DHCP_NACK;
+				ret.ServerAddress = v->HostIP;
+				StrCpy(ret.DomainName, sizeof(ret.DomainName), v->DhcpDomain);
+				ret.SubnetMask = v->DhcpMask;
+
+				// Build the DHCP option
+				o = BuildDhcpOption(&ret);
+				if (o != NULL)
+				{
+					BUF *b = BuildDhcpOptionsBuf(o);
+					if (b != NULL)
+					{
+						UINT dest_ip = p->L3.IPv4Header->SrcIP;
+						if (dest_ip == 0)
+						{
+							dest_ip = 0xffffffff;
+						}
+						// Transmission
+						VirtualDhcpSend(v, tran_id, dest_ip, Endian16(p->L4.UDPHeader->SrcPort),
+							ip, dhcp->ClientMacAddress, b, dhcp->HardwareType, dhcp->HardwareAddressSize);
+
+						// Release the memory
+						FreeBuf(b);
+					}
+					FreeDhcpOptions(o);
 				}
-				FreeDhcpOptions(o);
 			}
 		}
 	}

src/Mayaqua/Encrypt.c

@@ -88,6 +88,7 @@ int ssl_clientcert_index = 0;
 #if OPENSSL_VERSION_NUMBER >= 0x30000000L
 static OSSL_PROVIDER *ossl_provider_legacy = NULL;
 static OSSL_PROVIDER *ossl_provider_default = NULL;
+static OSSL_PROVIDER *ossl_provider_oqsprovider = NULL;
 #endif
 
 LOCK **ssl_lock_obj = NULL;
@@ -3974,6 +3975,12 @@ void FreeCryptLibrary()
 		OSSL_PROVIDER_unload(ossl_provider_legacy);
 		ossl_provider_legacy = NULL;
 	}
+
+	if (ossl_provider_oqsprovider != NULL)
+	{
+		OSSL_PROVIDER_unload(ossl_provider_oqsprovider);
+		ossl_provider_oqsprovider = NULL;
+	}
 #endif
 }
 
@@ -3996,6 +4003,7 @@ void InitCryptLibrary()
 #if OPENSSL_VERSION_NUMBER >= 0x30000000L
 	ossl_provider_default = OSSL_PROVIDER_load(NULL, "legacy");
 	ossl_provider_legacy = OSSL_PROVIDER_load(NULL, "default");
+	ossl_provider_oqsprovider = OSSL_PROVIDER_load(NULL, "oqsprovider");
 #endif
 
 	ssl_clientcert_index = SSL_get_ex_new_index(0, "struct SslClientCertInfo *", NULL, NULL, NULL);

src/Mayaqua/Network.c

@@ -11905,6 +11905,10 @@ bool StartSSLEx3(SOCK *sock, X *x, K *priv, LIST *chain, UINT ssl_timeout, char
 		Unlock(openssl_lock);
 	}
 
+	#if OPENSSL_VERSION_NUMBER >= 0x30000000L
+		SSL_set1_groups_list(sock->ssl, PQ_GROUP_LIST);
+	#endif
+	
 	if (sock->ServerMode)
 	{
 //		Lock(ssl_connect_lock);
@@ -12285,9 +12289,15 @@ UINT SecureRecv(SOCK *sock, void *data, UINT size)
 				Debug("%s %u SecureRecv() Disconnect\n", __FILE__, __LINE__);
 				return 0;
 			}
+			ERR_clear_error();
 			ret = SSL_peek(ssl, &c, sizeof(c));
 		}
 		Unlock(sock->ssl_lock);
+#if OPENSSL_VERSION_NUMBER < 0x30000000L
+		// 2021/09/10: After OpenSSL 3.x.x, both 0 and negative values might mean retryable.
+		// See: https://github.com/openssl/openssl/blob/435981cbadad2c58c35bacd30ca5d8b4c9bea72f/doc/man3/SSL_read.pod
+		// > Old documentation indicated a difference between 0 and -1, and that -1 was retryable.
+		// > You should instead call SSL_get_error() to find out if it's retryable.
 		if (ret == 0)
 		{
 			// The communication have been disconnected
@@ -12295,7 +12305,8 @@ UINT SecureRecv(SOCK *sock, void *data, UINT size)
 			Debug("%s %u SecureRecv() Disconnect\n", __FILE__, __LINE__);
 			return 0;
 		}
-		if (ret < 0)
+#endif
+		if (ret <= 0)
 		{
 			// An error has occurred
 			e = SSL_get_error(ssl, ret);
@@ -12303,14 +12314,18 @@ UINT SecureRecv(SOCK *sock, void *data, UINT size)
 			{
 				if (e == SSL_ERROR_SSL
 #if OPENSSL_VERSION_NUMBER < 0x10100000L
-				        &&
-				        sock->ssl->s3->send_alert[0] == SSL3_AL_FATAL &&
-				        sock->ssl->s3->send_alert[0] != sock->Ssl_Init_Async_SendAlert[0] &&
-				        sock->ssl->s3->send_alert[1] != sock->Ssl_Init_Async_SendAlert[1]
+					&&
+					sock->ssl->s3->send_alert[0] == SSL3_AL_FATAL &&
+					sock->ssl->s3->send_alert[0] != sock->Ssl_Init_Async_SendAlert[0] &&
+					sock->ssl->s3->send_alert[1] != sock->Ssl_Init_Async_SendAlert[1]
 #endif
-				   )
+					)
 				{
-					Debug("%s %u SSL Fatal Error on ASYNC socket !!!\n", __FILE__, __LINE__);
+					UINT ssl_err_no;
+					while (ssl_err_no = ERR_get_error()){
+						Debug("%s %u SSL_ERROR_SSL on ASYNC socket !!! ssl_err_no = %u: '%s'\n", __FILE__, __LINE__, ssl_err_no, ERR_error_string(ssl_err_no, NULL));
+					};
+
 					Disconnect(sock);
 					return 0;
 				}
@@ -12337,14 +12352,15 @@ UINT SecureRecv(SOCK *sock, void *data, UINT size)
 		}
 #endif	// OS_UNIX
 
-// Run the time-out thread for SOLARIS
+		// Run the time-out thread for SOLARIS
 #ifdef UNIX_SOLARIS
 		ttparam = NewSocketTimeout(sock);
 #endif // UNIX_SOLARIS
 
+		ERR_clear_error();
 		ret = SSL_read(ssl, data, size);
 
-// Stop the timeout thread
+		// Stop the timeout thread
 #ifdef UNIX_SOLARIS
 		FreeSocketTimeout(ttparam);
 #endif // UNIX_SOLARIS
@@ -12357,7 +12373,11 @@ UINT SecureRecv(SOCK *sock, void *data, UINT size)
 		}
 #endif	// OS_UNIX
 
-		if (ret < 0)
+#if OPENSSL_VERSION_NUMBER < 0x30000000L
+		if (ret < 0) // OpenSSL version < 3.0.0
+#else
+		if (ret <= 0) // OpenSSL version >= 3.0.0
+#endif
 		{
 			e = SSL_get_error(ssl, ret);
 		}
@@ -12380,6 +12400,12 @@ UINT SecureRecv(SOCK *sock, void *data, UINT size)
 
 		return (UINT)ret;
 	}
+
+#if OPENSSL_VERSION_NUMBER < 0x30000000L
+	// 2021/09/10: After OpenSSL 3.x.x, both 0 and negative values might mean retryable.
+	// See: https://github.com/openssl/openssl/blob/435981cbadad2c58c35bacd30ca5d8b4c9bea72f/doc/man3/SSL_read.pod
+	// > Old documentation indicated a difference between 0 and -1, and that -1 was retryable.
+	// > You should instead call SSL_get_error() to find out if it's retryable.
 	if (ret == 0)
 	{
 		// Disconnect the communication
@@ -12387,20 +12413,26 @@ UINT SecureRecv(SOCK *sock, void *data, UINT size)
 		//Debug("%s %u SecureRecv() Disconnect\n", __FILE__, __LINE__);
 		return 0;
 	}
+#endif
+
 	if (sock->AsyncMode)
 	{
 		if (e == SSL_ERROR_WANT_READ || e == SSL_ERROR_WANT_WRITE || e == SSL_ERROR_SSL)
 		{
 			if (e == SSL_ERROR_SSL
 #if OPENSSL_VERSION_NUMBER < 0x10100000L
-			        &&
-			        sock->ssl->s3->send_alert[0] == SSL3_AL_FATAL &&
-			        sock->ssl->s3->send_alert[0] != sock->Ssl_Init_Async_SendAlert[0] &&
-			        sock->ssl->s3->send_alert[1] != sock->Ssl_Init_Async_SendAlert[1]
+				&&
+				sock->ssl->s3->send_alert[0] == SSL3_AL_FATAL &&
+				sock->ssl->s3->send_alert[0] != sock->Ssl_Init_Async_SendAlert[0] &&
+				sock->ssl->s3->send_alert[1] != sock->Ssl_Init_Async_SendAlert[1]
 #endif
-			   )
+				)
 			{
-				Debug("%s %u SSL Fatal Error on ASYNC socket !!!\n", __FILE__, __LINE__);
+				UINT ssl_err_no;
+				while (ssl_err_no = ERR_get_error()) {
+					Debug("%s %u SSL_ERROR_SSL on ASYNC socket !!! ssl_err_no = %u: '%s'\n", __FILE__, __LINE__, ssl_err_no, ERR_error_string(ssl_err_no, NULL));
+				};
+
 				Disconnect(sock);
 				return 0;
 			}
@@ -12409,8 +12441,8 @@ UINT SecureRecv(SOCK *sock, void *data, UINT size)
 			return SOCK_LATER;
 		}
 	}
+	Debug("%s %u e=%u SecureRecv() Disconnect\n", __FILE__, __LINE__, e);
 	Disconnect(sock);
-	Debug("%s %u SecureRecv() Disconnect\n", __FILE__, __LINE__);
 	return 0;
 }
 
@@ -12437,8 +12469,13 @@ UINT SecureSend(SOCK *sock, void *data, UINT size)
 			return 0;
 		}
 
+		ERR_clear_error();
 		ret = SSL_write(ssl, data, size);
-		if (ret < 0)
+#if OPENSSL_VERSION_NUMBER < 0x30000000L
+		if (ret < 0) // OpenSSL version < 3.0.0
+#else
+		if (ret <= 0) // OpenSSL version >= 3.0.0
+#endif
 		{
 			e = SSL_get_error(ssl, ret);
 		}
@@ -12460,6 +12497,8 @@ UINT SecureSend(SOCK *sock, void *data, UINT size)
 		sock->WriteBlocked = false;
 		return (UINT)ret;
 	}
+
+#if OPENSSL_VERSION_NUMBER < 0x30000000L
 	if (ret == 0)
 	{
 		// Disconnect
@@ -12467,18 +12506,29 @@ UINT SecureSend(SOCK *sock, void *data, UINT size)
 		Disconnect(sock);
 		return 0;
 	}
+#endif
 
 	if (sock->AsyncMode)
 	{
 		// Confirmation of the error value
 		if (e == SSL_ERROR_WANT_READ || e == SSL_ERROR_WANT_WRITE || e == SSL_ERROR_SSL)
 		{
+			if (e == SSL_ERROR_SSL)
+			{
+				UINT ssl_err_no;
+				while (ssl_err_no = ERR_get_error()) {
+					Debug("%s %u SSL_ERROR_SSL on ASYNC socket !!! ssl_err_no = %u: '%s'\n", __FILE__, __LINE__, ssl_err_no, ERR_error_string(ssl_err_no, NULL));
+				};
+
+				Disconnect(sock);
+				return 0;
+			}
+
 			sock->WriteBlocked = true;
 			return SOCK_LATER;
 		}
-		Debug("%s %u e=%u\n", __FILE__, __LINE__, e);
 	}
-	//Debug("%s %u SecureSend() Disconnect\n", __FILE__, __LINE__);
+	Debug("%s %u e=%u SecureSend() Disconnect\n", __FILE__, __LINE__, e);
 	Disconnect(sock);
 	return 0;
 }

src/Mayaqua/Network.h

@@ -59,6 +59,10 @@ struct DYN_VALUE
 
 #define	DEFAULT_CIPHER_LIST			"ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:DHE+CHACHA20:ECDHE+AES256:DHE+AES256:RSA+AES"
 
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
+#define PQ_GROUP_LIST				"p521_kyber1024:x25519_kyber768:P-521:X25519:P-256"
+#endif
+
 // SSL logging function
 //#define	ENABLE_SSL_LOGGING
 #define	SSL_LOGGING_DIRNAME			"@ssl_log"

src/bin/hamcore/strtable_cn.stb

@@ -4854,7 +4854,7 @@ CMD_ConnectionList_Help		现在，先获取与 VPN Server 连接的 TCP/IP 一
 CMD_ConnectionList_Args		ConnectionList
 
 
-# ConnectionGet 命令
+# ConnectionList 命令
 CMD_ConnectionGet			获取连接到 VPN Server 的 TCP 信息一览表
 CMD_ConnectionGet_Help		获取与 VPN Server 连接的 TCP/IP 连接的详细信息。\n可以获得 [连接名]，[连接种类]，[连接主机名]，[连接主机 IP]，[联机主机端口 TCP]，[连接时间]，[服务器品牌]，[服务器版本]，[服务器铭牌号]，[客户机品牌]，[客户机版本]，[客户机铭牌号] 等信息。 \n要运行此命令，需要管理员权限。
 CMD_ConnectionGet_Args		ConnectionGet [name]
@@ -7044,7 +7044,7 @@ CMD_RemoteDisable_Args		RemoteDisable
 
 ###################################################
 #                                                 #
-# 下面这是VPN Tools用的指令             #
+# 下面这是VPN工具用的指令             #
 #                                                 #
 ###################################################
 

src/bin/hamcore/strtable_en.stb

@@ -4839,7 +4839,7 @@ CMD_ConnectionList_Help	Use this to get a list of TCP/IP connections that are cu
 CMD_ConnectionList_Args	ConnectionList
 
 
-# ConnectionGet command
+# ConnectionList command
 CMD_ConnectionGet		Get Information of TCP Connections Connecting to the VPN Server
 CMD_ConnectionGet_Help	Use this to get detailed information of a specific TCP/IP connection that is connecting to the VPN Server. \nYou can get the following information: Connection Name, Connection Type, Source Hostname, Source IP Address, Source Port Number (TCP), Connection Start, Server Product Name, Server Version, Server Build Number, Client Product Name, Client Version, and Client Build Number. \nTo execute this command, you must have VPN Server administrator privileges.
 CMD_ConnectionGet_Args	ConnectionGet [name]

src/bin/hamcore/strtable_pt_br.stb

@@ -4558,7 +4558,7 @@ CMD_SyslogGet_COLUMN_2	syslog Server Host Name
 CMD_SyslogGet_COLUMN_3	syslog Server Port Number
 
 
-# ConnectionGet command
+# ConnectionList command
 CMD_ConnectionList	Get List of TCP Connections Connecting to the VPN Server
 CMD_ConnectionList_Help	Use this to get a list of TCP/IP connections that are currently connecting to the VPN Server. It does not display the TCP connections that have been established as VPN sessions. To get the list of TCP/IP connections that have been established as VPN sessions, you can use the SessionList command. \nYou can get the following: Connection Name, Connection Source, Connection Start and Type.\nTo execute this command, you must have VPN Server administrator privileges.
 CMD_ConnectionList_Args	ConnectionList
@@ -4851,7 +4851,7 @@ CMD_HubList_Args	ListaHub
 # Hub command
 CMD_Hub	Select Virtual Hub to Manage
 CMD_Hub_Help	Use this to select the Virtual Hub to be the target of administration. For an administration utility with the status of being connected to a VPN Server, before executing a command to set or manage a Virtual Hub, you must use the Hub command to select the Virtual Hub to manage. \nWhen in the status of being connected to a VPN Server in Virtual Hub Admin Mode, you can select a single Virtual Hub to be the target of administration but you cannot select other Virtual Hubs. When having the status of being connected to the VPN Server in Server Admin Mode, you can make all Virtual Hubs the target of administration. \nTo get a list of Virtual Hubs that currently exist on the VPN Server, use the HubList command. \nFor the VPN Bridge, you can only select the Virtual Hub that has the name "BRIDGE".
-CMD_Hub_Args	Hub [name]
+CMD_Hub_Args	Hub [nome]
 CMD_Hub_[name]	Specify the name of the Virtual Hub to manage. If this parameter is left unspecified, the Select Virtual Hub to Manage will be cancelled.
 CMD_Hub_Unselected	The Virtual Hub selection has been unselected.
 CMD_Hub_Selected	The Virtual Hub "%S" has been selected.
@@ -5619,7 +5619,7 @@ CMD_UserRadiusSet_ALIAS	When this parameter is set, it is possible to make the u
 CMD_UserRadiusSet_Prompt_ALIAS	Alias Name for Authentication (Optional): 
 
 
-# UserNTLMSet command
+# UserNTLMSet コマンド
 CMD_UserNTLMSet	Set NT Domain Authentication for User Auth Type
 CMD_UserNTLMSet_Help	Use this to set NT Domain Authentication as the auth type for a user that is registered on the security account database of the currently managed Virtual Hub. When a user connects to a Virtual Hub using a user name that is set for NT Domain authentication, the user name and the user input password is sent to the Windows NT / 2000 / Server 2003 / Server 2008 / Server 2008 R2 / Server 2012 Domain Controller or Active Directory Server where the server checks the user name and password, then if the verification is successful, that user is allowed VPN connection. \nTo use NT Domain authentication, the VPN Server must be operating on a Windows NT 4.0, Windows 2000, Windows XP, Windows Vista, Windows Server 2008, Windows Server 2008 R2 or Windows Server 2012 operating system that is connected to that domain. For details please contact the VPN Server's administrator. \nTo get the list of currently registered users, use the UserList command. \nThis command cannot be run on VPN Bridge. \nYou cannot execute this command for Virtual Hubs of VPN Servers operating as a member server on a cluster.
 CMD_UserNTLMSet_Args	UserNTLMSet [name] [/ALIAS:alias_name]
@@ -6193,7 +6193,7 @@ CMD_VpnAzureGetStatus_PRINT_CONNECTED	Connection to VPN Azure Cloud Server is Es
 CMD_VpnAzureGetStatus_PRINT_HOSTNAME	Hostname of this VPN Server on VPN Azure Service
 
 
-# VpnAzureSetEnable command
+# VpnAzureSetStatus command
 CMD_VpnAzureSetEnable	Enable / Disable VPN Azure Function
 CMD_VpnAzureSetEnable_Help	Enable or disable the VPN Azure function.\n\nVPN Azure makes it easier to establish a VPN Session from your home PC to your office PC. While a VPN connection is established, you can access to any other servers on the private network of your company.\nYou don't need a global IP address on the office PC (VPN Server). It can work behind firewalls or NATs. No network administrator's configuration required. You can use the built-in SSTP-VPN Client of Windows in your home PC.\nVPN Azure is a cloud VPN service operated by SoftEther VPN Project. VPN Azure is free of charge and available to anyone. Visit http://www.vpnazure.net/ to see details and how-to-use instructions.\n\nThe VPN Azure hostname is same to the hostname of the Dynamic DNS setting, but altering the domain suffix to "vpnazure.net". To change the hostname use the DynamicDnsSetHostname command.\n\nTo execute this command, you must have VPN Server administrator privileges. \nThis command cannot be run on VPN Bridge.\nYou cannot execute this command for Virtual Hubs of VPN Servers operating as a cluster.
 CMD_VpnAzureSetEnable_Args	VpnAzureSetEnable [yes|no]
@@ -6702,7 +6702,7 @@ CMD_AccountOpensslCertSet_PROMPT_KEYNAME Specify the openssl engine specific key
 CMD_AccountOpensslCertSet_PROMPT_ENGINENAME Specify the openssl engine name: 
 
 
-# AccountRetrySet command
+# AccountRetrySet コマンド
 CMD_AccountRetrySet	Set Interval between Connection Retries for Connection Failures or Disconnections of VPN Connection Setting
 CMD_AccountRetrySet_Help	When a VPN Connection Setting registered on the VPN Client is specified and that VPN Connection Setting attempts to connect to a VPN Server, use this to specify the interval to wait between connection attempts and the limit of how many times to retry connecting when communication with the VPN Server has been disconnected or when the connection process failed. \nIf the user authentication type is Smart Card Authentication, no connection retry will be performed regardless of the Number of Connection Attempts setting.
 CMD_AccountRetrySet_Args	AccountRetrySet [name] [/NUM:num_retry] [/INTERVAL:retry_interval]

src/bin/hamcore/strtable_ru.stb

@@ -115,7 +115,7 @@ ERR_48					Не удалось подключиться к контроллер
 ERR_49					Контроллеру кластера не удалось установить новую сессию в кластере.
 ERR_50					Не удается управлять Virtual Hub-ом сервера-члена кластера.
 ERR_51					Удаленное подключение запрещено, т.к. использован пустой пароль пользователя. Пустой пароль может быть разрешен только для соединений с локального хоста VPN-сервера (127.0.0.1).
-ERR_52					Не достаточно прав.
+ERR_52					Недостаточно прав.
 ERR_53					Указанный порт прослушивания не найден.
 ERR_54					Указанный порт прослушивания уже существует.
 ERR_55					Этот сервер не член кластера.
@@ -2421,8 +2421,8 @@ STATIC17				Другие конфигурации:
 R_NO_ROUTING			Не вносить изменения в таблицу маршрутизации
 STATIC18				Если у вас нет опыта работы с сетью и безопасностью, то оставьте настройки в этом окне по умолчанию.
 STATIC19				Функции VoIP/QoS обрабатывают пакеты (например VoIP) с высоким приоритетом для более быстрой передачи.
-STATIC20				Source IP Address:
-STATIC21				Source Port Number:
+STATIC20				IP адрес источника:
+STATIC21				Номер порта:
 R_DISABLE_QOS			Отключить функции VoIP / QoS
 IDOK					&OK
 IDCANCEL				Отмена
@@ -2524,7 +2524,7 @@ STATIC2					Имя Virtual &Hub:
 STATIC3					&Пользователь:
 STATIC4					&Старый пароль:
 STATIC5					&Новый пароль:
-STATIC6					&Подтвердить новый пароль:
+STATIC6					&Подтвердить пароль:
 IDOK					&OK
 IDCANCEL				Отмена
 S_STATIC				Примечание: Вы не сможете изменить пароль пользователя, если выбран тип авторизации "RADIUS или авторизация в домене".
@@ -2533,7 +2533,7 @@ S_STATIC				Примечание: Вы не сможете изменить па
 PREFIX					D_SM_MAIN
 CAPTION					SoftEther VPN-сервер менеджер Developer Edition
 STATIC1					Настройки подключения для VPN-сервера:
-STATIC2					Настройки подключения для VPN-сервера или VPN-моста. Чтобы подключиться к серверу дважды щелкните по его названию.\r\n Чтобы добавить новое подключение, нажмите "Новое подключение".
+STATIC2					Настройки подключения для VPN-сервера или VPN-моста. Чтобы подключиться к серверу дважды щелкните по его названию.\r\nЧтобы добавить новое подключение, нажмите "Новое подключение".
 B_NEW_SETTING			&Создать
 B_EDIT_SETTING			&Изменить
 B_DELETE				&Удалить
@@ -2558,9 +2558,9 @@ STATIC8					Прокси-сервер:
 STATIC9					Вы можете подключиться к VPN-серверу через прокси-сервер.
 STATIC10				Тип прокси:
 R_DIRECT_TCP			&Прямое TCP/IP соединение (без прокси)
-R_HTTPS					Подключиться через HTTP прокси-сервер
-R_SOCKS					Подключиться через SOCKS прокси-сервер
-R_SOCKS5				Подключиться через SOCKS5 прокси-сервер
+R_HTTPS					Через HTTP прокси-сервер
+R_SOCKS					Через SOCKS прокси-сервер
+R_SOCKS5				Через SOCKS5 прокси-сервер
 B_PROXY_CONFIG			Настройки прокси-сервера
 STATIC11				Выберите режим администрирования и введите пароль
 STATIC12				Вы можете подключиться к VPN-серверу, используя либо режим администратора сервера, либо режим Virtual Hub администратора. \r\n\r\nРежим администратора сервера позволяет вам управлять VPN-сервером и всеми Virtual Hub. \r\n\r\nРежим Virtual Hub администратора позволяет вам управлять только одним Virtual Hub, на который у вас есть права.
@@ -4111,7 +4111,7 @@ S_LATEST_STR			Версия %S%s
 
 PREFIX					D_UPDATE_CONFIG
 CAPTION					Настройка уведомлений об обновлении
-S_INFO					Периодически проверяет новые версии %s и показывает уведомление, когда будет выпущена новая версия.\r\n\r\nДля проверки обновлений будут использоваться HTTPS пакеты  между этим компьютером и сервером обновлений SoftEther, расположенным в городе Цукуба, префектура Ибараки, Япония. Никакая личная информация отправляться не будет.
+S_INFO					Периодически проверяет новые версии %s и показывает уведомление, когда будет выпущена новая версия.\r\n\r\nДля проверки обновлений будут использоваться HTTPS пакеты между этим компьютером и сервером обновлений SoftEther, расположенным в городе Цукуба, префектура Ибараки, Япония. Никакая личная информация отправляться не будет.
 S_TITLE					%s настройки уведомлений об обновлении
 S_ENABLE				&Включить проверку обновлений
 S_DISABLE				&Отключить проверку обновлений
@@ -4839,7 +4839,7 @@ CMD_ConnectionList_Help	Use this to get a list of TCP/IP connections that are cu
 CMD_ConnectionList_Args	ConnectionList
 
 
-# ConnectionGet command
+# ConnectionList command
 CMD_ConnectionGet		Get Information of TCP Connections Connecting to the VPN Server
 CMD_ConnectionGet_Help	Use this to get detailed information of a specific TCP/IP connection that is connecting to the VPN Server. \nYou can get the following information: Connection Name, Connection Type, Source Hostname, Source IP Address, Source Port Number (TCP), Connection Start, Server Product Name, Server Version, Server Build Number, Client Product Name, Client Version, and Client Build Number. \nTo execute this command, you must have VPN Server administrator privileges.
 CMD_ConnectionGet_Args	ConnectionGet [name]
@@ -7122,7 +7122,7 @@ CMD_TrafficClient_ERROR_HOSTPORT	The host name or port number is incorrectly spe
 # TrafficServer command
 CMD_TrafficServer		Запустить средство тестирования скорости сетевого трафика в режиме сервера
 CMD_TrafficServer_Help	Используется для запуска инструмента измерения пропускной способности в режиме сервера. \nДве команды, TrafficClient и TrafficServer, используются для измерения пропускной способности между двумя компьютерами, соединенными сетью IP. \nУкажите номер порта и запустите серверную часть с помощью команды TrafficServer, чтобы прослушивать подключение от TrafficClient другого компьютера. \nВы можете отобразить более подробную информацию об инструменте измерения пропускной способности, введя "TrafficClient ?". \n\nПримечание. Эту команду можно вызвать из утилиты управления командной строкой SoftEther VPN. Вы также можете выполнить эту команду при подключении к текущему VPN-серверу или VPN клиенту в режиме администрирования, но фактически осуществляет связь и измеряет пропускную способность тот компьютер, на котором выполняется команда, а не компьютер с которого выполнено подключение в режиме администрирования.
-CMD_TrafficServer_Args	TrafficServer [port] [/NOHUP:yes|no]
+CMD_TrafficServer_Args	TrafficServer [порт] [/NOHUP:да|нет]
 CMD_TrafficServer_[port]	Укажите номер порта для прослушивания соединения. Если указанный порт уже используется другой программой или порт не может быть открыт, произойдет ошибка
 CMD_TrafficServer_NOHUP	Если указано «да», серверная часть игнорирует любой ввод с консоли и никогда не останавливается. Это удобно, если вы хотите запустить TrafficServer в бесконечном режиме.
 

src/bin/hamcore/strtable_tw.stb

@@ -4855,7 +4855,7 @@ CMD_ConnectionList_Help		現在，先獲取與 VPN Server 連接的 TCP/IP 一
 CMD_ConnectionList_Args		ConnectionList
 
 
-# ConnectionGet 命令
+# ConnectionList 命令
 CMD_ConnectionGet			獲取連接到 VPN Server 的 TCP 資訊一覽表
 CMD_ConnectionGet_Help		獲取與 VPN Server 連接的 TCP/IP 連接的詳細資訊。\n可以獲得 [連接名]，[連接種類]，[連接主機名稱]，[連接主機 IP]，[連線主機埠 TCP]，[連線時間]，[伺服器品牌]，[伺服器版本]，[伺服器銘牌號]，[客戶機品牌]，[客戶機版本]，[客戶機銘牌號] 等資訊。 \n要運行此命令，需要管理員許可權。
 CMD_ConnectionGet_Args		ConnectionGet [name]
@@ -7046,7 +7046,7 @@ CMD_RemoteDisable_Args		RemoteDisable
 
 ###################################################
 #                                                 #
-# 下面這是VPN Tools用的指令                         #
+# 下面這是VPN工具用的指令                         #
 #                                                 #
 ###################################################
 

src/bin/hamcore/wwwroot/admin/default/package-lock.json

@@ -373,12 +373,23 @@
       }
     },
     "braces": {
-      "version": "3.0.2",
-      "resolved": "https://registry.npmjs.org/braces/-/braces-3.0.2.tgz",
-      "integrity": "sha512-b8um+L1RzM3WDSzvhm6gIz1yfTbBt6YTlcEKAvsmqCZZFw46z626lVj9j1yEPW33H5H+lBQpZMP1k8l+78Ha0A==",
+      "version": "3.0.3",
+      "resolved": "https://registry.npmjs.org/braces/-/braces-3.0.3.tgz",
+      "integrity": "sha512-yQbXgO/OSZVD2IsiLlro+7Hf6Q18EJrKSEsdoMzKePKXct3gvD8oLcOQdIzGupr5Fj+EDe8gO/lxc1BzfMpxvA==",
       "dev": true,
       "requires": {
-        "fill-range": "^7.0.1"
+        "fill-range": "^7.1.1"
+      },
+      "dependencies": {
+        "fill-range": {
+          "version": "7.1.1",
+          "resolved": "https://registry.npmjs.org/fill-range/-/fill-range-7.1.1.tgz",
+          "integrity": "sha512-YsGpe3WHLK8ZYi4tWDg2Jy3ebRz2rXowDxnld4bkQB00cc/1Zw9AWnC0i9ztDJitivtQvaI9KaLyKrc+hBW0yg==",
+          "dev": true,
+          "requires": {
+            "to-regex-range": "^5.0.1"
+          }
+        }
       }
     },
     "browserslist": {
@@ -603,15 +614,6 @@
       "integrity": "sha512-eRnCtTTtGZFpQCwhJiUOuxPQWRXVKYDn0b2PeHfXL6/Zi53SLAzAHfVhVWK2AryC/WH05kGfxhFIPvTF0SXQzg==",
       "dev": true
     },
-    "fill-range": {
-      "version": "7.0.1",
-      "resolved": "https://registry.npmjs.org/fill-range/-/fill-range-7.0.1.tgz",
-      "integrity": "sha512-qOo9F+dMUmC2Lcb4BbVvnKJxTPjCm+RRpe4gDuGrzkL7mEVl/djYSu2OdQ2Pa302N4oqkSg9ir6jaLWJ2USVpQ==",
-      "dev": true,
-      "requires": {
-        "to-regex-range": "^5.0.1"
-      }
-    },
     "find-up": {
       "version": "4.1.0",
       "resolved": "https://registry.npmjs.org/find-up/-/find-up-4.1.0.tgz",