Merge a366bdbf02 into 4e8f797036

Merge pull request #2019 from LinearAlpha/patch-1
URL for Nightly builds for windows is updated
2024-11-22 09:29:52 +03:00 · 2024-07-13 05:28:40 +08:00 · 2024-07-10 21:43:09 +02:00 · 2024-07-10 21:34:31 +02:00 · 2024-07-04 19:26:11 +02:00 · 2024-07-04 13:05:30 -04:00
8 changed files with 30 additions and 35 deletions
--- a/.github/workflows/fedora-rawhide.yml
+++ b/.github/workflows/fedora-rawhide.yml
@ -4,6 +4,7 @@ on:
  schedule:
    - cron: "0 0 25 * *"
  push:
+  pull_request:
  workflow_dispatch:

 permissions:
@ -24,7 +25,7 @@ jobs:
        submodules: true
    - name: Install dependencies
      run: |
-        dnf -y install git cmake ncurses-devel openssl-devel libsodium-devel readline-devel zlib-devel gcc-c++ clang
+        dnf -y install git cmake ncurses-devel openssl-devel-engine libsodium-devel readline-devel zlib-devel gcc-c++ clang
    - name: Compile with ${{ matrix.cc }}
      run: |
        export CC=${{ matrix.cc }}
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@ -3,7 +3,7 @@ cmake_minimum_required(VERSION 3.10)
 set(BUILD_NUMBER CACHE STRING "The number of the current build.")

 if ("${BUILD_NUMBER}" STREQUAL "")
-	set(BUILD_NUMBER "5185")
+	set(BUILD_NUMBER "5186")
 endif()

 if (BUILD_NUMBER LESS 5180)
--- a/CMakeSettings.json
+++ b/CMakeSettings.json
@ -1,5 +1,5 @@
 {
-  "environments": [ { "BuildNumber": "5185" } ],
+  "environments": [ { "BuildNumber": "5186" } ],
  "configurations": [
    {
      "name": "x64-native",
--- a/README.md
+++ b/README.md
@ -201,7 +201,9 @@ Also SoftEther VPN [Stable Edition](https://www.freshports.org/security/softethe

 ## For Windows

-[Nightly builds](https://dev.azure.com/SoftEther-VPN/SoftEther%20VPN/_build?definitionId=6)
+[Releases](https://github.com/SoftEtherVPN/SoftEtherVPN/releases)
+
+[Nightly builds](https://github.com/SoftEtherVPN/SoftEtherVPN/actions/workflows/windows.yml)
 (choose appropriate platform, then find binaries or installers as artifacts)

 ## From binary installers (stable channel)
--- a/src/Cedar/Proto_IKE.c
+++ b/src/Cedar/Proto_IKE.c
@ -463,39 +463,13 @@ void ProcIPsecEspPacketRecv(IKE_SERVER *ike, UDPPACKET *p)
 	seq = READ_UINT(src + sizeof(UINT));

 	// Search and retrieve the IPsec SA from SPI
+
+	// thank to @phillibert report, responding to bad SA might lead to amplification
+	// according to RFC4303 we should drop such packets
+
 	ipsec_sa = SearchClientToServerIPsecSaBySpi(ike, spi);
 	if (ipsec_sa == NULL)
 	{
-		// Invalid SPI
-		UINT64 init_cookie = Rand64();
-		UINT64 resp_cookie = 0;
-		IKE_CLIENT *c = NULL;
-		IKE_CLIENT t;
-
-
-		Copy(&t.ClientIP, &p->SrcIP, sizeof(IP));
-		t.ClientPort = p->SrcPort;
-		Copy(&t.ServerIP, &p->DstIP, sizeof(IP));
-		t.ServerPort = p->DestPort;
-		t.CurrentIkeSa = NULL;
-
-		if (p->DestPort == IPSEC_PORT_IPSEC_ESP_RAW)
-		{
-			t.ClientPort = t.ServerPort = IPSEC_PORT_IPSEC_ISAKMP;
-		}
-
-		c = Search(ike->ClientList, &t);
-
-		if (c != NULL && c->CurrentIkeSa != NULL)
-		{
-			init_cookie = c->CurrentIkeSa->InitiatorCookie;
-			resp_cookie = c->CurrentIkeSa->ResponderCookie;
-		}
-
-		SendInformationalExchangePacketEx(ike, (c == NULL ? &t : c), IkeNewNoticeErrorInvalidSpiPayload(spi), false,
-			init_cookie, resp_cookie);
-
-		SendDeleteIPsecSaPacket(ike, (c == NULL ? &t : c), spi);
 		return;
 	}

--- a/src/Mayaqua/Encrypt.c
+++ b/src/Mayaqua/Encrypt.c
@ -20,7 +20,9 @@
 #include <openssl/ssl.h>
 #include <openssl/err.h>
 #include <openssl/rand.h>
+#ifndef OPENSSL_NO_ENGINE
 #include <openssl/engine.h>
+#endif
 #include <openssl/bio.h>
 #include <openssl/x509.h>
 #include <openssl/pkcs7.h>
@ -88,6 +90,7 @@ int ssl_clientcert_index = 0;
 #if OPENSSL_VERSION_NUMBER >= 0x30000000L
 static OSSL_PROVIDER *ossl_provider_legacy = NULL;
 static OSSL_PROVIDER *ossl_provider_default = NULL;
+static OSSL_PROVIDER *ossl_provider_oqsprovider = NULL;
 #endif

 LOCK **ssl_lock_obj = NULL;
@ -3974,6 +3977,12 @@ void FreeCryptLibrary()
 		OSSL_PROVIDER_unload(ossl_provider_legacy);
 		ossl_provider_legacy = NULL;
 	}
+
+	if (ossl_provider_oqsprovider != NULL)
+	{
+		OSSL_PROVIDER_unload(ossl_provider_oqsprovider);
+		ossl_provider_oqsprovider = NULL;
+	}
 #endif
 }

@ -3996,6 +4005,7 @@ void InitCryptLibrary()
 #if OPENSSL_VERSION_NUMBER >= 0x30000000L
 	ossl_provider_default = OSSL_PROVIDER_load(NULL, "legacy");
 	ossl_provider_legacy = OSSL_PROVIDER_load(NULL, "default");
+	ossl_provider_oqsprovider = OSSL_PROVIDER_load(NULL, "oqsprovider");
 #endif

 	ssl_clientcert_index = SSL_get_ex_new_index(0, "struct SslClientCertInfo *", NULL, NULL, NULL);
--- a/src/Mayaqua/Network.c
+++ b/src/Mayaqua/Network.c
@ -11917,6 +11917,10 @@ bool StartSSLEx3(SOCK *sock, X *x, K *priv, LIST *chain, UINT ssl_timeout, char
 		Unlock(openssl_lock);
 	}

+	#if OPENSSL_VERSION_NUMBER >= 0x30000000L
+		SSL_set1_groups_list(sock->ssl, PQ_GROUP_LIST);
+	#endif
+	
 	if (sock->ServerMode)
 	{
 //		Lock(ssl_connect_lock);
--- a/src/Mayaqua/Network.h
+++ b/src/Mayaqua/Network.h
@ -59,6 +59,10 @@ struct DYN_VALUE

 #define	DEFAULT_CIPHER_LIST			"ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:DHE+CHACHA20:ECDHE+AES256:DHE+AES256:RSA+AES"

+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
+#define PQ_GROUP_LIST				"p521_kyber1024:x25519_kyber768:P-521:X25519:P-256"
+#endif
+
 // SSL logging function
 //#define	ENABLE_SSL_LOGGING
 #define	SSL_LOGGING_DIRNAME			"@ssl_log"
Author	SHA1	Message	Date
Alexey Kryuchkov	a66cf64155	Merge `a366bdbf02` into `4e8f797036`	2024-07-13 05:28:40 +08:00
Ilya Shipitsin	4e8f797036	Merge pull request #2019 from LinearAlpha/patch-1 URL for Nightly builds for windows is updated	2024-07-10 21:43:09 +02:00
Ilia Shipitsin	b1bdc03cd7	adjust nightly/releases links	2024-07-10 21:34:31 +02:00
Ilya Shipitsin	c76f11a523	Merge pull request #2026 from siddharth-narayan/fedora-fix-engine Fix openssl engine support on Fedora Rawhide	2024-07-04 19:26:11 +02:00
siddharth-narayan	25585a1e3d	Guard engine.h include	2024-07-04 13:05:30 -04:00
siddharth-narayan	4370efcc90	replace openssl-devel with openssl-devel-engine	2024-07-04 13:02:16 -04:00
Ilya Shipitsin	b8fbb3e3d8	Merge pull request #2025 from chipitsine/fedora_pull_request CI: enable Fedora Rawgide on pull requests	2024-07-03 23:43:19 +02:00
Ilia Shipitsin	98a8d5249d	CI: enable Fedora Rawgide on pull requests	2024-07-03 23:21:44 +02:00
Ilya Shipitsin	dd2a53e049	Merge pull request #2024 from chipitsine/master bump version for upcoming 5186 release	2024-07-03 21:16:01 +02:00
Ilia Shipitsin	7ce9c088ff	bump version for upcoming 5186 release	2024-07-03 19:20:14 +02:00
Ilya Shipitsin	c2a7aa5481	Merge pull request from GHSA-j35p-p8pj-vqxq src/Cedar/Proto_IKE.c: ignore packets with no IPSec SA	2024-06-22 18:57:28 +02:00
Ilia Shipitsin	6f57449164	src/Cedar/Proto_IKE.c: ignore packets with no IPSec SA many thanks to Jonathan Phillibert from Amazon Web Services for investigating and reporting that responding to such packets might lead to traffic amplification	2024-06-22 18:53:35 +02:00
Minpyo Kim	48f6bc57cc	URL for Nightly builds is updated Based on issue #1993, the build has been moved from Azure to Github.	2024-06-22 23:43:23 +09:00
Ilya Shipitsin	bc31a5cfd3	Merge pull request #2002 from siddharth-narayan/quantum-safe-key-agreement Add Post Quantum key agreement	2024-06-18 22:41:52 +02:00
Siddharth	68964ab0d7	Guard variables with OpenSSL version	2024-06-18 16:09:10 -04:00
siddharth-narayan	bf3c50fde4	Merge branch 'SoftEtherVPN:master' into quantum-safe-key-agreement	2024-06-18 14:55:45 -04:00
Siddharth	b06486b37d	Remove unecessary provider include	2024-06-18 00:01:58 -04:00
siddharth-narayan	63ffab9ee4	Merge branch 'SoftEtherVPN:master' into quantum-safe-key-agreement	2024-05-20 23:20:52 -04:00
Siddharth	2fe4ca0f8c	Fix incorrect PQ_GROUP_LIST string	2024-05-20 21:46:57 -04:00
Siddharth	a50d8910ba	Add PQ Groups and the provider for them	2024-05-20 19:48:23 -04:00