1
0
mirror of https://github.com/SoftEtherVPN/SoftEtherVPN.git synced 2024-11-24 18:39:53 +03:00

Compare commits

...

8 Commits

Author SHA1 Message Date
siddharth-narayan
72878d042a
Merge 63ffab9ee4 into bfaff4fdb0 2024-05-27 20:40:37 -04:00
Ilya Shipitsin
bfaff4fdb0
Merge pull request #1994 from hiura2023/master
Fix Virtual DHCP Server: Correct IP reassignment
2024-05-27 13:13:40 +02:00
hiura
08213b7f0e CHANGE ERROR HANDLER FOR SSL ERROR: Change of indent 2024-05-26 23:50:05 +09:00
hiura
98852b77d9 CHANGE ERROR HANDLER FOR SSL ERROR: 2024-05-26 23:36:21 +09:00
siddharth-narayan
63ffab9ee4
Merge branch 'SoftEtherVPN:master' into quantum-safe-key-agreement 2024-05-20 23:20:52 -04:00
Siddharth
2fe4ca0f8c Fix incorrect PQ_GROUP_LIST string 2024-05-20 21:46:57 -04:00
Siddharth
a50d8910ba Add PQ Groups and the provider for them 2024-05-20 19:48:23 -04:00
hiura
5a88b34ddb Fix Virtual DHCP Server: Correct IP reassignment 2024-05-08 10:55:00 +09:00
4 changed files with 82 additions and 54 deletions

View File

@ -9349,62 +9349,35 @@ UINT ServeDhcpDiscoverEx(VH *v, UCHAR *mac, UINT request_ip, bool is_static_ip)
// check whether it is a request from the same MAC address // check whether it is a request from the same MAC address
if (Cmp(mac, d->MacAddress, 6) == 0) if (Cmp(mac, d->MacAddress, 6) == 0)
{ {
// Examine whether the specified IP address is within the range of assignment // Examine whether the specified IP address is within the range of static assignment
if (Endian32(v->DhcpIpStart) > Endian32(request_ip) || if (Endian32(v->DhcpIpStart) > Endian32(request_ip) ||
Endian32(request_ip) > Endian32(v->DhcpIpEnd)) Endian32(request_ip) > Endian32(v->DhcpIpEnd))
{ {
// Accept if within the range // Accept if within the range of static assignment
ret = request_ip; ret = request_ip;
} }
} }
else { else {
// Duplicated IPV4 address found. The DHCP server replies to DHCPREQUEST with DHCP NAK. // Duplicated IPV4 address found. The specified IP address is not available for use
char ipstr[MAX_HOST_NAME_LEN + 1] = { 0 }; char ipstr[MAX_HOST_NAME_LEN + 1] = { 0 };
char macstr[128] = { 0 }; char macstr[128] = { 0 };
IPToStr32(ipstr, sizeof(ipstr), request_ip); IPToStr32(ipstr, sizeof(ipstr), request_ip);
BinToStr(macstr, sizeof(macstr), d->MacAddress, 6); MacToStr(macstr, sizeof(macstr), d->MacAddress);
Debug("Virtual DHC Server: Duplicated IP address detected. Static IP: %s, Used by MAC:%s\n", ipstr, macstr); Debug("Virtual DHC Server: Duplicated IP address detected. Static IP: %s, with the MAC: %s\n", ipstr, macstr);
return ret;
} }
} }
else else
{ {
// Examine whether the specified IP address is within the range of assignment // Examine whether the specified IP address is within the range of static assignment
if (Endian32(v->DhcpIpStart) > Endian32(request_ip) || if (Endian32(v->DhcpIpStart) > Endian32(request_ip) ||
Endian32(request_ip) > Endian32(v->DhcpIpEnd)) Endian32(request_ip) > Endian32(v->DhcpIpEnd))
{ {
// Accept if within the range // Accept if within the range of static assignment
ret = request_ip; ret = request_ip;
} }
else else
{ {
// Propose an IP in the range since it's a Discover although It is out of range // The specified IP address is not available for use
}
}
if (ret == 0)
{
// If there is any entry with the same MAC address
// that are already registered, use it with priority
DHCP_LEASE *d = SearchDhcpLeaseByMac(v, mac);
if (d != NULL)
{
// Examine whether the found IP address is in the allocation region
if (Endian32(v->DhcpIpStart) > Endian32(d->IpAddress) ||
Endian32(d->IpAddress) > Endian32(v->DhcpIpEnd))
{
// Use the IP address if it's found within the range
ret = d->IpAddress;
}
}
}
if (ret == 0)
{
// For static IP, the requested IP address must NOT be within the range of the DHCP pool
if (Endian32(v->DhcpIpStart) > Endian32(request_ip) ||
Endian32(request_ip) > Endian32(v->DhcpIpEnd))
{
ret = request_ip;
} }
} }
@ -9595,6 +9568,11 @@ void VirtualDhcpServer(VH *v, PKT *p)
{ {
ip = ServeDhcpRequestEx(v, p->MacAddressSrc, opt->RequestedIp, ip_static); ip = ServeDhcpRequestEx(v, p->MacAddressSrc, opt->RequestedIp, ip_static);
} }
// If the IP address in user's note is changed, then reply to DHCP_REQUEST with DHCP_NAK
if (p->L3.IPv4Header->SrcIP && ip != p->L3.IPv4Header->SrcIP)
{
ip = 0;
}
} }
if (ip != 0 || opt->Opcode == DHCP_INFORM) if (ip != 0 || opt->Opcode == DHCP_INFORM)
@ -9607,6 +9585,14 @@ void VirtualDhcpServer(VH *v, PKT *p)
char client_mac[MAX_SIZE]; char client_mac[MAX_SIZE];
char client_ip[MAX_SIZE]; char client_ip[MAX_SIZE];
// If there is any entry with the same MAC address, then remove it
d = SearchDhcpLeaseByMac(v, p->MacAddressSrc);
if (d != NULL)
{
FreeDhcpLease(d);
Delete(v->DhcpLeaseList, d);
}
// Remove old records with the same IP address // Remove old records with the same IP address
d = SearchDhcpLeaseByIp(v, ip); d = SearchDhcpLeaseByIp(v, ip);
if (d != NULL) if (d != NULL)
@ -9765,7 +9751,7 @@ void VirtualDhcpServer(VH *v, PKT *p)
} }
else else
{ {
// Reply of DHCP_REQUEST must be either DHCP_ACK or DHCP_NAK. // Reply of DHCP_REQUEST must be either DHCP_ACK or DHCP_NAK
if (opt->Opcode == DHCP_REQUEST) if (opt->Opcode == DHCP_REQUEST)
{ {
// There is no IP address that can be provided // There is no IP address that can be provided

View File

@ -88,6 +88,7 @@ int ssl_clientcert_index = 0;
#if OPENSSL_VERSION_NUMBER >= 0x30000000L #if OPENSSL_VERSION_NUMBER >= 0x30000000L
static OSSL_PROVIDER *ossl_provider_legacy = NULL; static OSSL_PROVIDER *ossl_provider_legacy = NULL;
static OSSL_PROVIDER *ossl_provider_default = NULL; static OSSL_PROVIDER *ossl_provider_default = NULL;
static OSSL_PROVIDER *ossl_provider_oqsprovider = NULL;
#endif #endif
LOCK **ssl_lock_obj = NULL; LOCK **ssl_lock_obj = NULL;
@ -3974,6 +3975,12 @@ void FreeCryptLibrary()
OSSL_PROVIDER_unload(ossl_provider_legacy); OSSL_PROVIDER_unload(ossl_provider_legacy);
ossl_provider_legacy = NULL; ossl_provider_legacy = NULL;
} }
if (ossl_provider_oqsprovider != NULL)
{
OSSL_PROVIDER_unload(ossl_provider_oqsprovider);
ossl_provider_oqsprovider = NULL;
}
#endif #endif
} }
@ -3996,6 +4003,7 @@ void InitCryptLibrary()
#if OPENSSL_VERSION_NUMBER >= 0x30000000L #if OPENSSL_VERSION_NUMBER >= 0x30000000L
ossl_provider_default = OSSL_PROVIDER_load(NULL, "legacy"); ossl_provider_default = OSSL_PROVIDER_load(NULL, "legacy");
ossl_provider_legacy = OSSL_PROVIDER_load(NULL, "default"); ossl_provider_legacy = OSSL_PROVIDER_load(NULL, "default");
ossl_provider_oqsprovider = OSSL_PROVIDER_load(NULL, "oqsprovider");
#endif #endif
ssl_clientcert_index = SSL_get_ex_new_index(0, "struct SslClientCertInfo *", NULL, NULL, NULL); ssl_clientcert_index = SSL_get_ex_new_index(0, "struct SslClientCertInfo *", NULL, NULL, NULL);

View File

@ -25,6 +25,7 @@
#include <openssl/err.h> #include <openssl/err.h>
#include <openssl/ssl.h> #include <openssl/ssl.h>
#include <openssl/provider.h>
#ifdef OS_UNIX #ifdef OS_UNIX
#include <fcntl.h> #include <fcntl.h>
@ -11905,6 +11906,8 @@ bool StartSSLEx3(SOCK *sock, X *x, K *priv, LIST *chain, UINT ssl_timeout, char
Unlock(openssl_lock); Unlock(openssl_lock);
} }
SSL_set1_groups_list(sock->ssl, PQ_GROUP_LIST);
if (sock->ServerMode) if (sock->ServerMode)
{ {
// Lock(ssl_connect_lock); // Lock(ssl_connect_lock);
@ -11984,7 +11987,7 @@ bool StartSSLEx3(SOCK *sock, X *x, K *priv, LIST *chain, UINT ssl_timeout, char
// Unlock(ssl_connect_lock); // Unlock(ssl_connect_lock);
} }
else else
{ {
prev_timeout = GetTimeout(sock); prev_timeout = GetTimeout(sock);
SetTimeout(sock, ssl_timeout); SetTimeout(sock, ssl_timeout);
// Client mode // Client mode
@ -12288,6 +12291,11 @@ UINT SecureRecv(SOCK *sock, void *data, UINT size)
ret = SSL_peek(ssl, &c, sizeof(c)); ret = SSL_peek(ssl, &c, sizeof(c));
} }
Unlock(sock->ssl_lock); Unlock(sock->ssl_lock);
#if OPENSSL_VERSION_NUMBER < 0x30000000L
// 2021/09/10: After OpenSSL 3.x.x, both 0 and negative values might mean retryable.
// See: https://github.com/openssl/openssl/blob/435981cbadad2c58c35bacd30ca5d8b4c9bea72f/doc/man3/SSL_read.pod
// > Old documentation indicated a difference between 0 and -1, and that -1 was retryable.
// > You should instead call SSL_get_error() to find out if it's retryable.
if (ret == 0) if (ret == 0)
{ {
// The communication have been disconnected // The communication have been disconnected
@ -12295,7 +12303,8 @@ UINT SecureRecv(SOCK *sock, void *data, UINT size)
Debug("%s %u SecureRecv() Disconnect\n", __FILE__, __LINE__); Debug("%s %u SecureRecv() Disconnect\n", __FILE__, __LINE__);
return 0; return 0;
} }
if (ret < 0) #endif
if (ret <= 0)
{ {
// An error has occurred // An error has occurred
e = SSL_get_error(ssl, ret); e = SSL_get_error(ssl, ret);
@ -12303,14 +12312,16 @@ UINT SecureRecv(SOCK *sock, void *data, UINT size)
{ {
if (e == SSL_ERROR_SSL if (e == SSL_ERROR_SSL
#if OPENSSL_VERSION_NUMBER < 0x10100000L #if OPENSSL_VERSION_NUMBER < 0x10100000L
&& &&
sock->ssl->s3->send_alert[0] == SSL3_AL_FATAL && sock->ssl->s3->send_alert[0] == SSL3_AL_FATAL &&
sock->ssl->s3->send_alert[0] != sock->Ssl_Init_Async_SendAlert[0] && sock->ssl->s3->send_alert[0] != sock->Ssl_Init_Async_SendAlert[0] &&
sock->ssl->s3->send_alert[1] != sock->Ssl_Init_Async_SendAlert[1] sock->ssl->s3->send_alert[1] != sock->Ssl_Init_Async_SendAlert[1]
#endif #endif
) )
{ {
Debug("%s %u SSL Fatal Error on ASYNC socket !!!\n", __FILE__, __LINE__); UINT ssl_err_no = ERR_get_error();
Debug("%s %u SSL_ERROR_SSL on ASYNC socket !!! ssl_err_no = %u: '%s'\n", __FILE__, __LINE__, ssl_err_no, ERR_error_string(ssl_err_no, NULL));
Disconnect(sock); Disconnect(sock);
return 0; return 0;
} }
@ -12337,14 +12348,14 @@ UINT SecureRecv(SOCK *sock, void *data, UINT size)
} }
#endif // OS_UNIX #endif // OS_UNIX
// Run the time-out thread for SOLARIS // Run the time-out thread for SOLARIS
#ifdef UNIX_SOLARIS #ifdef UNIX_SOLARIS
ttparam = NewSocketTimeout(sock); ttparam = NewSocketTimeout(sock);
#endif // UNIX_SOLARIS #endif // UNIX_SOLARIS
ret = SSL_read(ssl, data, size); ret = SSL_read(ssl, data, size);
// Stop the timeout thread // Stop the timeout thread
#ifdef UNIX_SOLARIS #ifdef UNIX_SOLARIS
FreeSocketTimeout(ttparam); FreeSocketTimeout(ttparam);
#endif // UNIX_SOLARIS #endif // UNIX_SOLARIS
@ -12357,7 +12368,11 @@ UINT SecureRecv(SOCK *sock, void *data, UINT size)
} }
#endif // OS_UNIX #endif // OS_UNIX
if (ret < 0) #if OPENSSL_VERSION_NUMBER < 0x30000000L
if (ret < 0) // OpenSSL version < 3.0.0
#else
if (ret <= 0) // OpenSSL version >= 3.0.0
#endif
{ {
e = SSL_get_error(ssl, ret); e = SSL_get_error(ssl, ret);
} }
@ -12380,6 +12395,12 @@ UINT SecureRecv(SOCK *sock, void *data, UINT size)
return (UINT)ret; return (UINT)ret;
} }
#if OPENSSL_VERSION_NUMBER < 0x30000000L
// 2021/09/10: After OpenSSL 3.x.x, both 0 and negative values might mean retryable.
// See: https://github.com/openssl/openssl/blob/435981cbadad2c58c35bacd30ca5d8b4c9bea72f/doc/man3/SSL_read.pod
// > Old documentation indicated a difference between 0 and -1, and that -1 was retryable.
// > You should instead call SSL_get_error() to find out if it's retryable.
if (ret == 0) if (ret == 0)
{ {
// Disconnect the communication // Disconnect the communication
@ -12387,20 +12408,24 @@ UINT SecureRecv(SOCK *sock, void *data, UINT size)
//Debug("%s %u SecureRecv() Disconnect\n", __FILE__, __LINE__); //Debug("%s %u SecureRecv() Disconnect\n", __FILE__, __LINE__);
return 0; return 0;
} }
#endif
if (sock->AsyncMode) if (sock->AsyncMode)
{ {
if (e == SSL_ERROR_WANT_READ || e == SSL_ERROR_WANT_WRITE || e == SSL_ERROR_SSL) if (e == SSL_ERROR_WANT_READ || e == SSL_ERROR_WANT_WRITE || e == SSL_ERROR_SSL)
{ {
if (e == SSL_ERROR_SSL if (e == SSL_ERROR_SSL
#if OPENSSL_VERSION_NUMBER < 0x10100000L #if OPENSSL_VERSION_NUMBER < 0x10100000L
&& &&
sock->ssl->s3->send_alert[0] == SSL3_AL_FATAL && sock->ssl->s3->send_alert[0] == SSL3_AL_FATAL &&
sock->ssl->s3->send_alert[0] != sock->Ssl_Init_Async_SendAlert[0] && sock->ssl->s3->send_alert[0] != sock->Ssl_Init_Async_SendAlert[0] &&
sock->ssl->s3->send_alert[1] != sock->Ssl_Init_Async_SendAlert[1] sock->ssl->s3->send_alert[1] != sock->Ssl_Init_Async_SendAlert[1]
#endif #endif
) )
{ {
Debug("%s %u SSL Fatal Error on ASYNC socket !!!\n", __FILE__, __LINE__); UINT ssl_err_no = ERR_get_error();
Debug("%s %u SSL_ERROR_SSL on ASYNC socket !!! ssl_err_no = %u: '%s'\n", __FILE__, __LINE__, ssl_err_no, ERR_error_string(ssl_err_no, NULL));
Disconnect(sock); Disconnect(sock);
return 0; return 0;
} }
@ -12438,7 +12463,11 @@ UINT SecureSend(SOCK *sock, void *data, UINT size)
} }
ret = SSL_write(ssl, data, size); ret = SSL_write(ssl, data, size);
if (ret < 0) #if OPENSSL_VERSION_NUMBER < 0x30000000L
if (ret < 0) // OpenSSL version < 3.0.0
#else
if (ret <= 0) // OpenSSL version >= 3.0.0
#endif
{ {
e = SSL_get_error(ssl, ret); e = SSL_get_error(ssl, ret);
} }
@ -12460,6 +12489,8 @@ UINT SecureSend(SOCK *sock, void *data, UINT size)
sock->WriteBlocked = false; sock->WriteBlocked = false;
return (UINT)ret; return (UINT)ret;
} }
#if OPENSSL_VERSION_NUMBER < 0x30000000L
if (ret == 0) if (ret == 0)
{ {
// Disconnect // Disconnect
@ -12467,6 +12498,7 @@ UINT SecureSend(SOCK *sock, void *data, UINT size)
Disconnect(sock); Disconnect(sock);
return 0; return 0;
} }
#endif
if (sock->AsyncMode) if (sock->AsyncMode)
{ {

View File

@ -59,6 +59,8 @@ struct DYN_VALUE
#define DEFAULT_CIPHER_LIST "ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:DHE+CHACHA20:ECDHE+AES256:DHE+AES256:RSA+AES" #define DEFAULT_CIPHER_LIST "ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:DHE+CHACHA20:ECDHE+AES256:DHE+AES256:RSA+AES"
#define PQ_GROUP_LIST "p521_kyber1024:x25519_kyber768:P-521:X25519:P-256"
// SSL logging function // SSL logging function
//#define ENABLE_SSL_LOGGING //#define ENABLE_SSL_LOGGING
#define SSL_LOGGING_DIRNAME "@ssl_log" #define SSL_LOGGING_DIRNAME "@ssl_log"