1
0
mirror of https://github.com/SoftEtherVPN/SoftEtherVPN.git synced 2024-11-25 10:59:53 +03:00

Compare commits

...

21 Commits

Author SHA1 Message Date
Alexey Kryuchkov
a66cf64155
Merge a366bdbf02 into 4e8f797036 2024-07-13 05:28:40 +08:00
Ilya Shipitsin
4e8f797036
Merge pull request #2019 from LinearAlpha/patch-1
URL for Nightly builds  for windows is updated
2024-07-10 21:43:09 +02:00
Ilia Shipitsin
b1bdc03cd7 adjust nightly/releases links 2024-07-10 21:34:31 +02:00
Ilya Shipitsin
c76f11a523
Merge pull request #2026 from siddharth-narayan/fedora-fix-engine
Fix openssl engine support on Fedora Rawhide
2024-07-04 19:26:11 +02:00
siddharth-narayan
25585a1e3d
Guard engine.h include 2024-07-04 13:05:30 -04:00
siddharth-narayan
4370efcc90
replace openssl-devel with openssl-devel-engine 2024-07-04 13:02:16 -04:00
Ilya Shipitsin
b8fbb3e3d8
Merge pull request #2025 from chipitsine/fedora_pull_request
CI: enable Fedora Rawgide on pull requests
2024-07-03 23:43:19 +02:00
Ilia Shipitsin
98a8d5249d CI: enable Fedora Rawgide on pull requests 2024-07-03 23:21:44 +02:00
Ilya Shipitsin
dd2a53e049
Merge pull request #2024 from chipitsine/master
bump version for upcoming 5186 release
2024-07-03 21:16:01 +02:00
Ilia Shipitsin
7ce9c088ff bump version for upcoming 5186 release 2024-07-03 19:20:14 +02:00
Ilya Shipitsin
c2a7aa5481
Merge pull request from GHSA-j35p-p8pj-vqxq
src/Cedar/Proto_IKE.c: ignore packets with no IPSec SA
2024-06-22 18:57:28 +02:00
Ilia Shipitsin
6f57449164 src/Cedar/Proto_IKE.c: ignore packets with no IPSec SA
many thanks to Jonathan Phillibert from Amazon Web Services
for investigating and reporting that responding to such packets
might lead to traffic amplification
2024-06-22 18:53:35 +02:00
Minpyo Kim
48f6bc57cc
URL for Nightly builds is updated
Based on issue #1993, the build has been moved from Azure to Github.
2024-06-22 23:43:23 +09:00
Ilya Shipitsin
bc31a5cfd3
Merge pull request #2002 from siddharth-narayan/quantum-safe-key-agreement
Add Post Quantum key agreement
2024-06-18 22:41:52 +02:00
Siddharth
68964ab0d7 Guard variables with OpenSSL version 2024-06-18 16:09:10 -04:00
siddharth-narayan
bf3c50fde4
Merge branch 'SoftEtherVPN:master' into quantum-safe-key-agreement 2024-06-18 14:55:45 -04:00
Siddharth
b06486b37d Remove unecessary provider include 2024-06-18 00:01:58 -04:00
siddharth-narayan
63ffab9ee4
Merge branch 'SoftEtherVPN:master' into quantum-safe-key-agreement 2024-05-20 23:20:52 -04:00
Siddharth
2fe4ca0f8c Fix incorrect PQ_GROUP_LIST string 2024-05-20 21:46:57 -04:00
Siddharth
a50d8910ba Add PQ Groups and the provider for them 2024-05-20 19:48:23 -04:00
Alexey Kryuchkov
a366bdbf02 Add server option 'JsonRpcWebApiAllowedSubnet' to restrict access to JSON-RPC API based on client IP address 2023-06-02 00:00:43 +03:00
14 changed files with 78 additions and 39 deletions

View File

@ -4,6 +4,7 @@ on:
schedule: schedule:
- cron: "0 0 25 * *" - cron: "0 0 25 * *"
push: push:
pull_request:
workflow_dispatch: workflow_dispatch:
permissions: permissions:
@ -24,7 +25,7 @@ jobs:
submodules: true submodules: true
- name: Install dependencies - name: Install dependencies
run: | run: |
dnf -y install git cmake ncurses-devel openssl-devel libsodium-devel readline-devel zlib-devel gcc-c++ clang dnf -y install git cmake ncurses-devel openssl-devel-engine libsodium-devel readline-devel zlib-devel gcc-c++ clang
- name: Compile with ${{ matrix.cc }} - name: Compile with ${{ matrix.cc }}
run: | run: |
export CC=${{ matrix.cc }} export CC=${{ matrix.cc }}

View File

@ -3,7 +3,7 @@ cmake_minimum_required(VERSION 3.10)
set(BUILD_NUMBER CACHE STRING "The number of the current build.") set(BUILD_NUMBER CACHE STRING "The number of the current build.")
if ("${BUILD_NUMBER}" STREQUAL "") if ("${BUILD_NUMBER}" STREQUAL "")
set(BUILD_NUMBER "5185") set(BUILD_NUMBER "5186")
endif() endif()
if (BUILD_NUMBER LESS 5180) if (BUILD_NUMBER LESS 5180)

View File

@ -1,5 +1,5 @@
{ {
"environments": [ { "BuildNumber": "5185" } ], "environments": [ { "BuildNumber": "5186" } ],
"configurations": [ "configurations": [
{ {
"name": "x64-native", "name": "x64-native",

View File

@ -201,7 +201,9 @@ Also SoftEther VPN [Stable Edition](https://www.freshports.org/security/softethe
## For Windows ## For Windows
[Nightly builds](https://dev.azure.com/SoftEther-VPN/SoftEther%20VPN/_build?definitionId=6) [Releases](https://github.com/SoftEtherVPN/SoftEtherVPN/releases)
[Nightly builds](https://github.com/SoftEtherVPN/SoftEtherVPN/actions/workflows/windows.yml)
(choose appropriate platform, then find binaries or installers as artifacts) (choose appropriate platform, then find binaries or installers as artifacts)
## From binary installers (stable channel) ## From binary installers (stable channel)

View File

@ -30,6 +30,7 @@
<ul> <ul>
<li>Older versions of SoftEther VPN before June 2019 don't support JSON-RPC APIs.</li> <li>Older versions of SoftEther VPN before June 2019 don't support JSON-RPC APIs.</li>
<li>If you want to completely disable the JSON-RPC on your VPN Server, set the <code>DisableJsonRpcWebApi</code> variable to <code>true</code> on the <code>vpn_server.config</code>.</li> <li>If you want to completely disable the JSON-RPC on your VPN Server, set the <code>DisableJsonRpcWebApi</code> variable to <code>true</code> on the <code>vpn_server.config</code>.</li>
<li>You may also restrict access to JSON-RPC API to a specific subnet, e.g. your internal network, by setting the <code>JsonRpcWebApiAllowedSubnet</code> variable to, for example, <code>192.168.0.0/16</code>.</li>
</ul> </ul>
<h3 id="json-rpc-specification">JSON-RPC specification</h3> <h3 id="json-rpc-specification">JSON-RPC specification</h3>
<p>You must use HTTPS 1.1 <code>POST</code> method to call each of JSON-RPC APIs.<br /> <p>You must use HTTPS 1.1 <code>POST</code> method to call each of JSON-RPC APIs.<br />

View File

@ -25,6 +25,7 @@ https://<vpn_server_hostname>:<port>/api/
- Older versions of SoftEther VPN before June 2019 don't support JSON-RPC APIs. - Older versions of SoftEther VPN before June 2019 don't support JSON-RPC APIs.
- If you want to completely disable the JSON-RPC on your VPN Server, set the `DisableJsonRpcWebApi` variable to `true` on the `vpn_server.config`. - If you want to completely disable the JSON-RPC on your VPN Server, set the `DisableJsonRpcWebApi` variable to `true` on the `vpn_server.config`.
- You may also restrict access to JSON-RPC API to a specific subnet, e.g. your internal network, by setting the `JsonRpcWebApiAllowedSubnet` variable to, for example, `192.168.0.0/16`.
### JSON-RPC specification ### JSON-RPC specification

View File

@ -25,6 +25,7 @@ https://<vpn_server_hostname>:<port>/api/
- Older versions of SoftEther VPN before June 2019 don't support JSON-RPC APIs. - Older versions of SoftEther VPN before June 2019 don't support JSON-RPC APIs.
- If you want to completely disable the JSON-RPC on your VPN Server, set the `DisableJsonRpcWebApi` variable to `true` on the `vpn_server.config`. - If you want to completely disable the JSON-RPC on your VPN Server, set the `DisableJsonRpcWebApi` variable to `true` on the `vpn_server.config`.
- You may also restrict access to JSON-RPC API to a specific subnet, e.g. your internal network, by setting the `JsonRpcWebApiAllowedSubnet` variable to, for example, `192.168.0.0/16`.
### JSON-RPC specification ### JSON-RPC specification

View File

@ -463,39 +463,13 @@ void ProcIPsecEspPacketRecv(IKE_SERVER *ike, UDPPACKET *p)
seq = READ_UINT(src + sizeof(UINT)); seq = READ_UINT(src + sizeof(UINT));
// Search and retrieve the IPsec SA from SPI // Search and retrieve the IPsec SA from SPI
// thank to @phillibert report, responding to bad SA might lead to amplification
// according to RFC4303 we should drop such packets
ipsec_sa = SearchClientToServerIPsecSaBySpi(ike, spi); ipsec_sa = SearchClientToServerIPsecSaBySpi(ike, spi);
if (ipsec_sa == NULL) if (ipsec_sa == NULL)
{ {
// Invalid SPI
UINT64 init_cookie = Rand64();
UINT64 resp_cookie = 0;
IKE_CLIENT *c = NULL;
IKE_CLIENT t;
Copy(&t.ClientIP, &p->SrcIP, sizeof(IP));
t.ClientPort = p->SrcPort;
Copy(&t.ServerIP, &p->DstIP, sizeof(IP));
t.ServerPort = p->DestPort;
t.CurrentIkeSa = NULL;
if (p->DestPort == IPSEC_PORT_IPSEC_ESP_RAW)
{
t.ClientPort = t.ServerPort = IPSEC_PORT_IPSEC_ISAKMP;
}
c = Search(ike->ClientList, &t);
if (c != NULL && c->CurrentIkeSa != NULL)
{
init_cookie = c->CurrentIkeSa->InitiatorCookie;
resp_cookie = c->CurrentIkeSa->ResponderCookie;
}
SendInformationalExchangePacketEx(ike, (c == NULL ? &t : c), IkeNewNoticeErrorInvalidSpiPayload(spi), false,
init_cookie, resp_cookie);
SendDeleteIPsecSaPacket(ike, (c == NULL ? &t : c), spi);
return; return;
} }

View File

@ -5740,6 +5740,7 @@ bool ServerDownloadSignature(CONNECTION *c, char **error_detail_str)
UINT num = 0, max = 19; UINT num = 0, max = 19;
SERVER *server; SERVER *server;
char *vpn_http_target = HTTP_VPN_TARGET2; char *vpn_http_target = HTTP_VPN_TARGET2;
bool disableJsonRpcWebApi;
// Validate arguments // Validate arguments
if (c == NULL) if (c == NULL)
{ {
@ -5750,6 +5751,15 @@ bool ServerDownloadSignature(CONNECTION *c, char **error_detail_str)
s = c->FirstSock; s = c->FirstSock;
disableJsonRpcWebApi = server->DisableJsonRpcWebApi;
if (!disableJsonRpcWebApi && !IsZeroIP(&server->JsonRpcWebApiAllowedSubnetAddr)
&& !IsZeroIP(&server->JsonRpcWebApiAllowedSubnetMask)) {
// restrict JSON-RPC Web API to specified subnet only
if (!IsInSameNetwork(&s->RemoteIP, &server->JsonRpcWebApiAllowedSubnetAddr, &server->JsonRpcWebApiAllowedSubnetMask)) {
disableJsonRpcWebApi = true;
}
}
while (true) while (true)
{ {
bool not_found_error = false; bool not_found_error = false;
@ -5782,7 +5792,7 @@ bool ServerDownloadSignature(CONNECTION *c, char **error_detail_str)
// Receive the data since it's POST // Receive the data since it's POST
data_size = GetContentLength(h); data_size = GetContentLength(h);
if (server->DisableJsonRpcWebApi == false) if (disableJsonRpcWebApi == false)
{ {
if (StrCmpi(h->Target, "/api") == 0 || StrCmpi(h->Target, "/api/") == 0) if (StrCmpi(h->Target, "/api") == 0 || StrCmpi(h->Target, "/api/") == 0)
{ {
@ -5868,7 +5878,7 @@ bool ServerDownloadSignature(CONNECTION *c, char **error_detail_str)
} }
else if (StrCmpi(h->Method, "OPTIONS") == 0) else if (StrCmpi(h->Method, "OPTIONS") == 0)
{ {
if (server->DisableJsonRpcWebApi == false) if (disableJsonRpcWebApi == false)
{ {
if (StrCmpi(h->Target, "/api") == 0 || StrCmpi(h->Target, "/api/") == 0 || StartWith(h->Target, "/admin")) if (StrCmpi(h->Target, "/api") == 0 || StrCmpi(h->Target, "/api/") == 0 || StartWith(h->Target, "/admin"))
{ {
@ -5939,7 +5949,7 @@ bool ServerDownloadSignature(CONNECTION *c, char **error_detail_str)
BUF *b = NULL; BUF *b = NULL;
*error_detail_str = "HTTP_ROOT"; *error_detail_str = "HTTP_ROOT";
if (server->DisableJsonRpcWebApi == false) if (disableJsonRpcWebApi == false)
{ {
b = ReadDump("|wwwroot/index.html"); b = ReadDump("|wwwroot/index.html");
} }
@ -6019,7 +6029,7 @@ bool ServerDownloadSignature(CONNECTION *c, char **error_detail_str)
if (b == false) if (b == false)
{ {
if (server->DisableJsonRpcWebApi == false) if (disableJsonRpcWebApi == false)
{ {
if (StartWith(h->Target, "/api?") || StartWith(h->Target, "/api/") || StrCmpi(h->Target, "/api") == 0) if (StartWith(h->Target, "/api?") || StartWith(h->Target, "/api/") || StrCmpi(h->Target, "/api") == 0)
{ {

View File

@ -30,6 +30,7 @@
#include "Mayaqua/Internat.h" #include "Mayaqua/Internat.h"
#include "Mayaqua/Memory.h" #include "Mayaqua/Memory.h"
#include "Mayaqua/Microsoft.h" #include "Mayaqua/Microsoft.h"
#include "Mayaqua/Network.h"
#include "Mayaqua/Object.h" #include "Mayaqua/Object.h"
#include "Mayaqua/OS.h" #include "Mayaqua/OS.h"
#include "Mayaqua/Pack.h" #include "Mayaqua/Pack.h"
@ -6032,6 +6033,15 @@ void SiLoadServerCfg(SERVER *s, FOLDER *f)
// Disable JSON-RPC Web API // Disable JSON-RPC Web API
s->DisableJsonRpcWebApi = CfgGetBool(f, "DisableJsonRpcWebApi"); s->DisableJsonRpcWebApi = CfgGetBool(f, "DisableJsonRpcWebApi");
char tmpaddr[MAX_PATH];
if (CfgGetStr(f, "JsonRpcWebApiAllowedSubnet", tmpaddr, sizeof(tmpaddr))) {
IP _subnet, _mask;
if (ParseIpAndMask46(tmpaddr, &_subnet, &_mask)) {
s->JsonRpcWebApiAllowedSubnetAddr = _subnet;
s->JsonRpcWebApiAllowedSubnetMask = _mask;
}
}
// Bits of Diffie-Hellman parameters // Bits of Diffie-Hellman parameters
c->DhParamBits = CfgGetInt(f, "DhParamBits"); c->DhParamBits = CfgGetInt(f, "DhParamBits");
if (c->DhParamBits == 0) if (c->DhParamBits == 0)
@ -6365,6 +6375,11 @@ void SiWriteServerCfg(FOLDER *f, SERVER *s)
// Disable JSON-RPC Web API // Disable JSON-RPC Web API
CfgAddBool(f, "DisableJsonRpcWebApi", s->DisableJsonRpcWebApi); CfgAddBool(f, "DisableJsonRpcWebApi", s->DisableJsonRpcWebApi);
char tmpaddr[MAX_PATH];
IPAndMaskToStr(tmpaddr, sizeof(tmpaddr),
&s->JsonRpcWebApiAllowedSubnetAddr, &s->JsonRpcWebApiAllowedSubnetMask);
CfgAddStr(f, "JsonRpcWebApiAllowedSubnet", tmpaddr);
} }
Unlock(c->lock); Unlock(c->lock);
} }

View File

@ -276,6 +276,9 @@ struct SERVER
IP ListenIP; // Listen IP IP ListenIP; // Listen IP
bool StrictSyslogDatetimeFormat; // Make syslog datetime format strict RFC3164 bool StrictSyslogDatetimeFormat; // Make syslog datetime format strict RFC3164
bool DisableJsonRpcWebApi; // Disable JSON-RPC Web API bool DisableJsonRpcWebApi; // Disable JSON-RPC Web API
IP JsonRpcWebApiAllowedSubnetAddr; // If set, allow access to JSON-RPC Web API from
IP JsonRpcWebApiAllowedSubnetMask; // this subnet only
}; };

View File

@ -20,7 +20,9 @@
#include <openssl/ssl.h> #include <openssl/ssl.h>
#include <openssl/err.h> #include <openssl/err.h>
#include <openssl/rand.h> #include <openssl/rand.h>
#ifndef OPENSSL_NO_ENGINE
#include <openssl/engine.h> #include <openssl/engine.h>
#endif
#include <openssl/bio.h> #include <openssl/bio.h>
#include <openssl/x509.h> #include <openssl/x509.h>
#include <openssl/pkcs7.h> #include <openssl/pkcs7.h>
@ -88,6 +90,7 @@ int ssl_clientcert_index = 0;
#if OPENSSL_VERSION_NUMBER >= 0x30000000L #if OPENSSL_VERSION_NUMBER >= 0x30000000L
static OSSL_PROVIDER *ossl_provider_legacy = NULL; static OSSL_PROVIDER *ossl_provider_legacy = NULL;
static OSSL_PROVIDER *ossl_provider_default = NULL; static OSSL_PROVIDER *ossl_provider_default = NULL;
static OSSL_PROVIDER *ossl_provider_oqsprovider = NULL;
#endif #endif
LOCK **ssl_lock_obj = NULL; LOCK **ssl_lock_obj = NULL;
@ -3974,6 +3977,12 @@ void FreeCryptLibrary()
OSSL_PROVIDER_unload(ossl_provider_legacy); OSSL_PROVIDER_unload(ossl_provider_legacy);
ossl_provider_legacy = NULL; ossl_provider_legacy = NULL;
} }
if (ossl_provider_oqsprovider != NULL)
{
OSSL_PROVIDER_unload(ossl_provider_oqsprovider);
ossl_provider_oqsprovider = NULL;
}
#endif #endif
} }
@ -3996,6 +4005,7 @@ void InitCryptLibrary()
#if OPENSSL_VERSION_NUMBER >= 0x30000000L #if OPENSSL_VERSION_NUMBER >= 0x30000000L
ossl_provider_default = OSSL_PROVIDER_load(NULL, "legacy"); ossl_provider_default = OSSL_PROVIDER_load(NULL, "legacy");
ossl_provider_legacy = OSSL_PROVIDER_load(NULL, "default"); ossl_provider_legacy = OSSL_PROVIDER_load(NULL, "default");
ossl_provider_oqsprovider = OSSL_PROVIDER_load(NULL, "oqsprovider");
#endif #endif
ssl_clientcert_index = SSL_get_ex_new_index(0, "struct SslClientCertInfo *", NULL, NULL, NULL); ssl_clientcert_index = SSL_get_ex_new_index(0, "struct SslClientCertInfo *", NULL, NULL, NULL);

View File

@ -6993,6 +6993,18 @@ void IPToStr6Inner(char *str, IP *ip)
} }
} }
// Format IP and subnet mask as "<ip>/<masksize>"
void IPAndMaskToStr(char *str, UINT size, IP *ip, IP *subnet)
{
int iplen;
UINT masksize;
IPToStr(str, size, ip);
iplen = StrLen(str);
masksize = SubnetMaskToInt(subnet);
Format(str + iplen, size - iplen, "/%d", masksize);
}
// Convert the string to an IP address // Convert the string to an IP address
bool StrToIP6(IP *ip, char *str) bool StrToIP6(IP *ip, char *str)
{ {
@ -11905,6 +11917,10 @@ bool StartSSLEx3(SOCK *sock, X *x, K *priv, LIST *chain, UINT ssl_timeout, char
Unlock(openssl_lock); Unlock(openssl_lock);
} }
#if OPENSSL_VERSION_NUMBER >= 0x30000000L
SSL_set1_groups_list(sock->ssl, PQ_GROUP_LIST);
#endif
if (sock->ServerMode) if (sock->ServerMode)
{ {
// Lock(ssl_connect_lock); // Lock(ssl_connect_lock);

View File

@ -59,6 +59,10 @@ struct DYN_VALUE
#define DEFAULT_CIPHER_LIST "ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:DHE+CHACHA20:ECDHE+AES256:DHE+AES256:RSA+AES" #define DEFAULT_CIPHER_LIST "ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:DHE+CHACHA20:ECDHE+AES256:DHE+AES256:RSA+AES"
#if OPENSSL_VERSION_NUMBER >= 0x30000000L
#define PQ_GROUP_LIST "p521_kyber1024:x25519_kyber768:P-521:X25519:P-256"
#endif
// SSL logging function // SSL logging function
//#define ENABLE_SSL_LOGGING //#define ENABLE_SSL_LOGGING
#define SSL_LOGGING_DIRNAME "@ssl_log" #define SSL_LOGGING_DIRNAME "@ssl_log"
@ -1289,6 +1293,7 @@ void IPToStr6(char *str, UINT size, IP *ip);
void IP6AddrToStr(char *str, UINT size, IPV6_ADDR *addr); void IP6AddrToStr(char *str, UINT size, IPV6_ADDR *addr);
void IPToStr6Array(char *str, UINT size, UCHAR *bytes); void IPToStr6Array(char *str, UINT size, UCHAR *bytes);
void IPToStr6Inner(char *str, IP *ip); void IPToStr6Inner(char *str, IP *ip);
void IPAndMaskToStr(char *str, UINT size, IP *ip, IP *subnet);
void IntToSubnetMask6(IP *ip, UINT i); void IntToSubnetMask6(IP *ip, UINT i);
void IPAnd6(IP *dst, IP *a, IP *b); void IPAnd6(IP *dst, IP *a, IP *b);
void GetAllRouterMulticastAddress6(IP *ip); void GetAllRouterMulticastAddress6(IP *ip);