Merge ed82884202 into c76f11a523

Move duplicated code to one place
Remove testing code
2025-07-06 15:54:57 +03:00 · 2024-07-05 20:50:37 -04:00 · 2024-07-05 20:50:28 -04:00 · 2024-07-04 13:56:13 -04:00 · 2024-07-04 19:26:11 +02:00 · 2024-07-04 13:15:50 -04:00
18 changed files with 192 additions and 127 deletions
--- a/.cirrus.yml
+++ b/.cirrus.yml
@ -11,7 +11,7 @@ FreeBSD_task:
      SSL:
  matrix:
    freebsd_instance:
-      image_family: freebsd-13-2
+      image_family: freebsd-14-0
  prepare_script:
    - pkg install -y pkgconf cmake git libsodium $SSL
    - git submodule update --init --recursive
--- a/.github/workflows/fedora-rawhide.yml
+++ b/.github/workflows/fedora-rawhide.yml
@ -4,6 +4,7 @@ on:
  schedule:
    - cron: "0 0 25 * *"
  push:
+  pull_request:
  workflow_dispatch:

 permissions:
@ -24,7 +25,7 @@ jobs:
        submodules: true
    - name: Install dependencies
      run: |
-        dnf -y install git cmake ncurses-devel openssl-devel libsodium-devel readline-devel zlib-devel gcc-c++ clang
+        dnf -y install git cmake ncurses-devel openssl-devel-engine libsodium-devel readline-devel zlib-devel gcc-c++ clang
    - name: Compile with ${{ matrix.cc }}
      run: |
        export CC=${{ matrix.cc }}
--- a/.github/workflows/macos.yml
+++ b/.github/workflows/macos.yml
@ -7,7 +7,7 @@ jobs:
  build_and_test:
    strategy:
      matrix:
-        os: [macos-13, macos-12, macos-11]
+        os: [macos-14, macos-13, macos-12]
    name: ${{ matrix.os }}
    runs-on: ${{ matrix.os }}
    steps:
--- a/.gitmodules
+++ b/.gitmodules
@ -10,3 +10,9 @@
 [submodule "src/libhamcore"]
 	path = src/libhamcore
 	url = https://github.com/SoftEtherVPN/libhamcore.git
+[submodule "src/Mayaqua/3rdparty/oqs-provider"]
+	path = src/Mayaqua/3rdparty/oqs-provider
+	url = https://github.com/open-quantum-safe/oqs-provider.git
+[submodule "src/Mayaqua/3rdparty/liboqs"]
+	path = src/Mayaqua/3rdparty/liboqs
+	url = https://github.com/open-quantum-safe/liboqs.git
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@ -3,7 +3,7 @@ cmake_minimum_required(VERSION 3.10)
 set(BUILD_NUMBER CACHE STRING "The number of the current build.")

 if ("${BUILD_NUMBER}" STREQUAL "")
-	set(BUILD_NUMBER "5184")
+	set(BUILD_NUMBER "5186")
 endif()

 if (BUILD_NUMBER LESS 5180)
--- a/CMakeSettings.json
+++ b/CMakeSettings.json
@ -1,5 +1,5 @@
 {
-  "environments": [ { "BuildNumber": "5184" } ],
+  "environments": [ { "BuildNumber": "5186" } ],
  "configurations": [
    {
      "name": "x64-native",
--- a/developer_tools/vpnserver-jsonrpc-clients/vpnserver-jsonrpc-client-nodejs-package/package-lock.json
+++ b/developer_tools/vpnserver-jsonrpc-clients/vpnserver-jsonrpc-client-nodejs-package/package-lock.json
@ -65,12 +65,23 @@
      }
    },
    "braces": {
-      "version": "3.0.2",
-      "resolved": "https://registry.npmjs.org/braces/-/braces-3.0.2.tgz",
-      "integrity": "sha512-b8um+L1RzM3WDSzvhm6gIz1yfTbBt6YTlcEKAvsmqCZZFw46z626lVj9j1yEPW33H5H+lBQpZMP1k8l+78Ha0A==",
+      "version": "3.0.3",
+      "resolved": "https://registry.npmjs.org/braces/-/braces-3.0.3.tgz",
+      "integrity": "sha512-yQbXgO/OSZVD2IsiLlro+7Hf6Q18EJrKSEsdoMzKePKXct3gvD8oLcOQdIzGupr5Fj+EDe8gO/lxc1BzfMpxvA==",
      "dev": true,
      "requires": {
-        "fill-range": "^7.0.1"
+        "fill-range": "^7.1.1"
+      },
+      "dependencies": {
+        "fill-range": {
+          "version": "7.1.1",
+          "resolved": "https://registry.npmjs.org/fill-range/-/fill-range-7.1.1.tgz",
+          "integrity": "sha512-YsGpe3WHLK8ZYi4tWDg2Jy3ebRz2rXowDxnld4bkQB00cc/1Zw9AWnC0i9ztDJitivtQvaI9KaLyKrc+hBW0yg==",
+          "dev": true,
+          "requires": {
+            "to-regex-range": "^5.0.1"
+          }
+        }
      }
    },
    "builtin-modules": {
@ -151,15 +162,6 @@
      "integrity": "sha1-Cr9PHKpbyx96nYrMbepPqqBLrJs=",
      "dev": true
    },
-    "fill-range": {
-      "version": "7.0.1",
-      "resolved": "https://registry.npmjs.org/fill-range/-/fill-range-7.0.1.tgz",
-      "integrity": "sha512-qOo9F+dMUmC2Lcb4BbVvnKJxTPjCm+RRpe4gDuGrzkL7mEVl/djYSu2OdQ2Pa302N4oqkSg9ir6jaLWJ2USVpQ==",
-      "dev": true,
-      "requires": {
-        "to-regex-range": "^5.0.1"
-      }
-    },
    "fs.realpath": {
      "version": "1.0.0",
      "resolved": "https://registry.npmjs.org/fs.realpath/-/fs.realpath-1.0.0.tgz",
--- a/src/Cedar/Proto_IKE.c
+++ b/src/Cedar/Proto_IKE.c
@ -463,39 +463,13 @@ void ProcIPsecEspPacketRecv(IKE_SERVER *ike, UDPPACKET *p)
 	seq = READ_UINT(src + sizeof(UINT));

 	// Search and retrieve the IPsec SA from SPI
+
+	// thank to @phillibert report, responding to bad SA might lead to amplification
+	// according to RFC4303 we should drop such packets
+
 	ipsec_sa = SearchClientToServerIPsecSaBySpi(ike, spi);
 	if (ipsec_sa == NULL)
 	{
-		// Invalid SPI
-		UINT64 init_cookie = Rand64();
-		UINT64 resp_cookie = 0;
-		IKE_CLIENT *c = NULL;
-		IKE_CLIENT t;
-
-
-		Copy(&t.ClientIP, &p->SrcIP, sizeof(IP));
-		t.ClientPort = p->SrcPort;
-		Copy(&t.ServerIP, &p->DstIP, sizeof(IP));
-		t.ServerPort = p->DestPort;
-		t.CurrentIkeSa = NULL;
-
-		if (p->DestPort == IPSEC_PORT_IPSEC_ESP_RAW)
-		{
-			t.ClientPort = t.ServerPort = IPSEC_PORT_IPSEC_ISAKMP;
-		}
-
-		c = Search(ike->ClientList, &t);
-
-		if (c != NULL && c->CurrentIkeSa != NULL)
-		{
-			init_cookie = c->CurrentIkeSa->InitiatorCookie;
-			resp_cookie = c->CurrentIkeSa->ResponderCookie;
-		}
-
-		SendInformationalExchangePacketEx(ike, (c == NULL ? &t : c), IkeNewNoticeErrorInvalidSpiPayload(spi), false,
-			init_cookie, resp_cookie);
-
-		SendDeleteIPsecSaPacket(ike, (c == NULL ? &t : c), spi);
 		return;
 	}

--- a/src/Cedar/Virtual.c
+++ b/src/Cedar/Virtual.c
@ -9349,62 +9349,35 @@ UINT ServeDhcpDiscoverEx(VH *v, UCHAR *mac, UINT request_ip, bool is_static_ip)
 		// check whether it is a request from the same MAC address
 		if (Cmp(mac, d->MacAddress, 6) == 0)
 		{
-			// Examine whether the specified IP address is within the range of assignment
+			// Examine whether the specified IP address is within the range of static assignment
 			if (Endian32(v->DhcpIpStart) > Endian32(request_ip) ||
 				Endian32(request_ip) > Endian32(v->DhcpIpEnd))
 			{
-				// Accept if within the range
+				// Accept if within the range of static assignment
 				ret = request_ip;
 			}
 		}
 		else {
-			// Duplicated IPV4 address found. The DHCP server replies to DHCPREQUEST with DHCP NAK.
+			// Duplicated IPV4 address found. The specified IP address is not available for use
 			char ipstr[MAX_HOST_NAME_LEN + 1] = { 0 };
 			char macstr[128] = { 0 };
 			IPToStr32(ipstr, sizeof(ipstr), request_ip);
-			BinToStr(macstr, sizeof(macstr), d->MacAddress, 6);
-			Debug("Virtual DHC Server: Duplicated IP address detected. Static IP: %s, Used by MAC:%s\n", ipstr, macstr);
-			return ret;
+			MacToStr(macstr, sizeof(macstr), d->MacAddress);
+			Debug("Virtual DHC Server: Duplicated IP address detected. Static IP: %s, with the MAC: %s\n", ipstr, macstr);
 		}
 	}
 	else
 	{
-		// Examine whether the specified IP address is within the range of assignment
+		// Examine whether the specified IP address is within the range of static assignment
 		if (Endian32(v->DhcpIpStart) > Endian32(request_ip) ||
 			Endian32(request_ip) > Endian32(v->DhcpIpEnd))
 		{
-			// Accept if within the range
+			// Accept if within the range of static assignment
 			ret = request_ip;
 		}
 		else
 		{
-			// Propose an IP in the range since it's a Discover although It is out of range
-		}
-	}
-	if (ret == 0)
-	{
-		// If there is any entry with the same MAC address
-		// that are already registered, use it with priority
-		DHCP_LEASE *d = SearchDhcpLeaseByMac(v, mac);
-
-		if (d != NULL)
-		{
-			// Examine whether the found IP address is in the allocation region
-			if (Endian32(v->DhcpIpStart) > Endian32(d->IpAddress) ||
-				Endian32(d->IpAddress) > Endian32(v->DhcpIpEnd))
-			{
-				// Use the IP address if it's found within the range
-				ret = d->IpAddress;
-			}
-		}
-	}
-	if (ret == 0)
-	{
-		// For static IP, the requested IP address must NOT be within the range of the DHCP pool
-		if (Endian32(v->DhcpIpStart) > Endian32(request_ip) ||
-			Endian32(request_ip) > Endian32(v->DhcpIpEnd))
-		{
-			ret = request_ip;
+			// The specified IP address is not available for use
 		}
 	}

@ -9595,6 +9568,11 @@ void VirtualDhcpServer(VH *v, PKT *p)
 			{
 				ip = ServeDhcpRequestEx(v, p->MacAddressSrc, opt->RequestedIp, ip_static);
 			}
+			// If the IP address in user's note is changed, then reply to DHCP_REQUEST with DHCP_NAK
+			if (p->L3.IPv4Header->SrcIP && ip != p->L3.IPv4Header->SrcIP)
+			{
+				ip = 0;
+			}
 		}

 		if (ip != 0 || opt->Opcode == DHCP_INFORM)
@ -9607,6 +9585,14 @@ void VirtualDhcpServer(VH *v, PKT *p)
 				char client_mac[MAX_SIZE];
 				char client_ip[MAX_SIZE];

+				// If there is any entry with the same MAC address, then remove it
+				d = SearchDhcpLeaseByMac(v, p->MacAddressSrc);
+				if (d != NULL)
+				{
+					FreeDhcpLease(d);
+					Delete(v->DhcpLeaseList, d);
+				}
+
 				// Remove old records with the same IP address
 				d = SearchDhcpLeaseByIp(v, ip);
 				if (d != NULL)
@ -9765,7 +9751,7 @@ void VirtualDhcpServer(VH *v, PKT *p)
 		}
 		else
 		{
-			// Reply of DHCP_REQUEST must be either DHCP_ACK or DHCP_NAK.
+			// Reply of DHCP_REQUEST must be either DHCP_ACK or DHCP_NAK
 			if (opt->Opcode == DHCP_REQUEST)
 			{
 				// There is no IP address that can be provided
--- a/src/Mayaqua/3rdparty/Findliboqs.cmake
+++ b/src/Mayaqua/3rdparty/Findliboqs.cmake
@ -0,0 +1,2 @@
+set(oqs_FOUND TRUE)
+add_library(OQS::oqs ALIAS oqs)
--- a/src/Mayaqua/3rdparty/liboqs
+++ b/src/Mayaqua/3rdparty/liboqs
--- a/src/Mayaqua/3rdparty/oqs-provider
+++ b/src/Mayaqua/3rdparty/oqs-provider
--- a/src/Mayaqua/CMakeLists.txt
+++ b/src/Mayaqua/CMakeLists.txt
@ -18,6 +18,22 @@ set_target_properties(mayaqua

 find_package(OpenSSL REQUIRED)

+if(OPENSSL_VERSION VERSION_LESS "3") # Disable oqsprovider when OpenSSL version < 3
+  add_definitions(-DSKIP_OQS_PROVIDER)
+else()
+  set(OQS_BUILD_ONLY_LIB ON CACHE BOOL "Set liboqs to build only the library (no tests)")
+  set(BUILD_TESTING OFF CACHE BOOL "By setting this to OFF, no tests or examples will be compiled.")
+  set(OQS_PROVIDER_BUILD_STATIC ON CACHE BOOL "Build a static library instead of a shared library") # Build oqsprovider as a static library (defaults to shared)
+  list(PREPEND CMAKE_MODULE_PATH "${CMAKE_SOURCE_DIR}/src/Mayaqua/3rdparty/")
+
+  add_subdirectory(3rdparty/liboqs)
+  add_subdirectory(3rdparty/oqs-provider)
+
+  target_include_directories(oqsprovider PUBLIC ${CMAKE_CURRENT_BINARY_DIR}/3rdparty/liboqs/include)
+  set_property(TARGET oqsprovider PROPERTY POSITION_INDEPENDENT_CODE ON)
+  target_link_libraries(mayaqua PRIVATE oqsprovider)
+endif()
+
 include(CheckSymbolExists)

 set(CMAKE_REQUIRED_INCLUDES ${OPENSSL_INCLUDE_DIR})
--- a/src/Mayaqua/Encrypt.c
+++ b/src/Mayaqua/Encrypt.c
@ -20,7 +20,9 @@
 #include <openssl/ssl.h>
 #include <openssl/err.h>
 #include <openssl/rand.h>
+#ifndef OPENSSL_NO_ENGINE
 #include <openssl/engine.h>
+#endif
 #include <openssl/bio.h>
 #include <openssl/x509.h>
 #include <openssl/pkcs7.h>
@ -40,6 +42,10 @@
 #include <openssl/x509v3.h>
 #if OPENSSL_VERSION_NUMBER >= 0x30000000L
 #include <openssl/provider.h>
+// Static oqsprovider initialization function
+#ifndef SKIP_OQS_PROVIDER
+	extern OSSL_provider_init_fn oqs_provider_init;
+#endif
 #endif

 #ifdef _MSC_VER
@ -88,6 +94,7 @@ int ssl_clientcert_index = 0;
 #if OPENSSL_VERSION_NUMBER >= 0x30000000L
 static OSSL_PROVIDER *ossl_provider_legacy = NULL;
 static OSSL_PROVIDER *ossl_provider_default = NULL;
+static OSSL_PROVIDER *ossl_provider_oqsprovider = NULL;
 #endif

 LOCK **ssl_lock_obj = NULL;
@ -3974,6 +3981,12 @@ void FreeCryptLibrary()
 		OSSL_PROVIDER_unload(ossl_provider_legacy);
 		ossl_provider_legacy = NULL;
 	}
+
+	if (ossl_provider_oqsprovider != NULL)
+	{
+		OSSL_PROVIDER_unload(ossl_provider_oqsprovider);
+		ossl_provider_oqsprovider = NULL;
+	}
 #endif
 }

@ -3996,6 +4009,13 @@ void InitCryptLibrary()
 #if OPENSSL_VERSION_NUMBER >= 0x30000000L
 	ossl_provider_default = OSSL_PROVIDER_load(NULL, "legacy");
 	ossl_provider_legacy = OSSL_PROVIDER_load(NULL, "default");
+
+	char *oqs_provider_name = "oqsprovider";
+	#ifndef SKIP_OQS_PROVIDER
+		// Registers "oqsprovider" as a provider -- necessary because oqsprovider is built in now.
+		OSSL_PROVIDER_add_builtin(NULL, oqs_provider_name, oqs_provider_init); 
+	#endif
+	ossl_provider_oqsprovider = OSSL_PROVIDER_load(NULL, oqs_provider_name);
 #endif

 	ssl_clientcert_index = SSL_get_ex_new_index(0, "struct SslClientCertInfo *", NULL, NULL, NULL);
--- a/src/Mayaqua/Network.c
+++ b/src/Mayaqua/Network.c
@ -11905,6 +11905,10 @@ bool StartSSLEx3(SOCK *sock, X *x, K *priv, LIST *chain, UINT ssl_timeout, char
 		Unlock(openssl_lock);
 	}

+	#if OPENSSL_VERSION_NUMBER >= 0x30000000L
+		SSL_set1_groups_list(sock->ssl, PQ_GROUP_LIST);
+	#endif
+	
 	if (sock->ServerMode)
 	{
 //		Lock(ssl_connect_lock);
@ -12285,9 +12289,15 @@ UINT SecureRecv(SOCK *sock, void *data, UINT size)
 				Debug("%s %u SecureRecv() Disconnect\n", __FILE__, __LINE__);
 				return 0;
 			}
+			ERR_clear_error();
 			ret = SSL_peek(ssl, &c, sizeof(c));
 		}
 		Unlock(sock->ssl_lock);
+#if OPENSSL_VERSION_NUMBER < 0x30000000L
+		// 2021/09/10: After OpenSSL 3.x.x, both 0 and negative values might mean retryable.
+		// See: https://github.com/openssl/openssl/blob/435981cbadad2c58c35bacd30ca5d8b4c9bea72f/doc/man3/SSL_read.pod
+		// > Old documentation indicated a difference between 0 and -1, and that -1 was retryable.
+		// > You should instead call SSL_get_error() to find out if it's retryable.
 		if (ret == 0)
 		{
 			// The communication have been disconnected
@ -12295,7 +12305,8 @@ UINT SecureRecv(SOCK *sock, void *data, UINT size)
 			Debug("%s %u SecureRecv() Disconnect\n", __FILE__, __LINE__);
 			return 0;
 		}
-		if (ret < 0)
+#endif
+		if (ret <= 0)
 		{
 			// An error has occurred
 			e = SSL_get_error(ssl, ret);
@ -12310,7 +12321,11 @@ UINT SecureRecv(SOCK *sock, void *data, UINT size)
 #endif
 					)
 				{
-					Debug("%s %u SSL Fatal Error on ASYNC socket !!!\n", __FILE__, __LINE__);
+					UINT ssl_err_no;
+					while (ssl_err_no = ERR_get_error()){
+						Debug("%s %u SSL_ERROR_SSL on ASYNC socket !!! ssl_err_no = %u: '%s'\n", __FILE__, __LINE__, ssl_err_no, ERR_error_string(ssl_err_no, NULL));
+					};
+
 					Disconnect(sock);
 					return 0;
 				}
@ -12342,6 +12357,7 @@ UINT SecureRecv(SOCK *sock, void *data, UINT size)
 		ttparam = NewSocketTimeout(sock);
 #endif // UNIX_SOLARIS

+		ERR_clear_error();
 		ret = SSL_read(ssl, data, size);

 		// Stop the timeout thread
@ -12357,7 +12373,11 @@ UINT SecureRecv(SOCK *sock, void *data, UINT size)
 		}
 #endif	// OS_UNIX

-		if (ret < 0)
+#if OPENSSL_VERSION_NUMBER < 0x30000000L
+		if (ret < 0) // OpenSSL version < 3.0.0
+#else
+		if (ret <= 0) // OpenSSL version >= 3.0.0
+#endif
 		{
 			e = SSL_get_error(ssl, ret);
 		}
@ -12380,6 +12400,12 @@ UINT SecureRecv(SOCK *sock, void *data, UINT size)

 		return (UINT)ret;
 	}
+
+#if OPENSSL_VERSION_NUMBER < 0x30000000L
+	// 2021/09/10: After OpenSSL 3.x.x, both 0 and negative values might mean retryable.
+	// See: https://github.com/openssl/openssl/blob/435981cbadad2c58c35bacd30ca5d8b4c9bea72f/doc/man3/SSL_read.pod
+	// > Old documentation indicated a difference between 0 and -1, and that -1 was retryable.
+	// > You should instead call SSL_get_error() to find out if it's retryable.
 	if (ret == 0)
 	{
 		// Disconnect the communication
@ -12387,6 +12413,8 @@ UINT SecureRecv(SOCK *sock, void *data, UINT size)
 		//Debug("%s %u SecureRecv() Disconnect\n", __FILE__, __LINE__);
 		return 0;
 	}
+#endif
+
 	if (sock->AsyncMode)
 	{
 		if (e == SSL_ERROR_WANT_READ || e == SSL_ERROR_WANT_WRITE || e == SSL_ERROR_SSL)
@ -12400,7 +12428,11 @@ UINT SecureRecv(SOCK *sock, void *data, UINT size)
 #endif
 				)
 			{
-				Debug("%s %u SSL Fatal Error on ASYNC socket !!!\n", __FILE__, __LINE__);
+				UINT ssl_err_no;
+				while (ssl_err_no = ERR_get_error()) {
+					Debug("%s %u SSL_ERROR_SSL on ASYNC socket !!! ssl_err_no = %u: '%s'\n", __FILE__, __LINE__, ssl_err_no, ERR_error_string(ssl_err_no, NULL));
+				};
+
 				Disconnect(sock);
 				return 0;
 			}
@ -12409,8 +12441,8 @@ UINT SecureRecv(SOCK *sock, void *data, UINT size)
 			return SOCK_LATER;
 		}
 	}
+	Debug("%s %u e=%u SecureRecv() Disconnect\n", __FILE__, __LINE__, e);
 	Disconnect(sock);
-	Debug("%s %u SecureRecv() Disconnect\n", __FILE__, __LINE__);
 	return 0;
 }

@ -12437,8 +12469,13 @@ UINT SecureSend(SOCK *sock, void *data, UINT size)
 			return 0;
 		}

+		ERR_clear_error();
 		ret = SSL_write(ssl, data, size);
-		if (ret < 0)
+#if OPENSSL_VERSION_NUMBER < 0x30000000L
+		if (ret < 0) // OpenSSL version < 3.0.0
+#else
+		if (ret <= 0) // OpenSSL version >= 3.0.0
+#endif
 		{
 			e = SSL_get_error(ssl, ret);
 		}
@ -12460,6 +12497,8 @@ UINT SecureSend(SOCK *sock, void *data, UINT size)
 		sock->WriteBlocked = false;
 		return (UINT)ret;
 	}
+
+#if OPENSSL_VERSION_NUMBER < 0x30000000L
 	if (ret == 0)
 	{
 		// Disconnect
@ -12467,18 +12506,29 @@ UINT SecureSend(SOCK *sock, void *data, UINT size)
 		Disconnect(sock);
 		return 0;
 	}
+#endif

 	if (sock->AsyncMode)
 	{
 		// Confirmation of the error value
 		if (e == SSL_ERROR_WANT_READ || e == SSL_ERROR_WANT_WRITE || e == SSL_ERROR_SSL)
 		{
+			if (e == SSL_ERROR_SSL)
+			{
+				UINT ssl_err_no;
+				while (ssl_err_no = ERR_get_error()) {
+					Debug("%s %u SSL_ERROR_SSL on ASYNC socket !!! ssl_err_no = %u: '%s'\n", __FILE__, __LINE__, ssl_err_no, ERR_error_string(ssl_err_no, NULL));
+				};
+
+				Disconnect(sock);
+				return 0;
+			}
+
 			sock->WriteBlocked = true;
 			return SOCK_LATER;
 		}
-		Debug("%s %u e=%u\n", __FILE__, __LINE__, e);
 	}
-	//Debug("%s %u SecureSend() Disconnect\n", __FILE__, __LINE__);
+	Debug("%s %u e=%u SecureSend() Disconnect\n", __FILE__, __LINE__, e);
 	Disconnect(sock);
 	return 0;
 }
--- a/src/Mayaqua/Network.h
+++ b/src/Mayaqua/Network.h
@ -59,6 +59,10 @@ struct DYN_VALUE

 #define	DEFAULT_CIPHER_LIST			"ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:DHE+CHACHA20:ECDHE+AES256:DHE+AES256:RSA+AES"

+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
+#define PQ_GROUP_LIST				"p521_kyber1024:x25519_kyber768:P-521:X25519:P-256"
+#endif
+
 // SSL logging function
 //#define	ENABLE_SSL_LOGGING
 #define	SSL_LOGGING_DIRNAME			"@ssl_log"
--- a/src/bin/hamcore/strtable_ru.stb
+++ b/src/bin/hamcore/strtable_ru.stb
@ -2421,8 +2421,8 @@ STATIC17				Другие конфигурации:
 R_NO_ROUTING			Не вносить изменения в таблицу маршрутизации
 STATIC18				Если у вас нет опыта работы с сетью и безопасностью, то оставьте настройки в этом окне по умолчанию.
 STATIC19				Функции VoIP/QoS обрабатывают пакеты (например VoIP) с высоким приоритетом для более быстрой передачи.
-STATIC20				Source IP Address:
-STATIC21				Source Port Number:
+STATIC20				IP адрес источника:
+STATIC21				Номер порта:
 R_DISABLE_QOS			Отключить функции VoIP / QoS
 IDOK					&OK
 IDCANCEL				Отмена
@ -2524,7 +2524,7 @@ STATIC2					Имя Virtual &Hub:
 STATIC3					&Пользователь:
 STATIC4					&Старый пароль:
 STATIC5					&Новый пароль:
-STATIC6					&Подтвердить новый пароль:
+STATIC6					&Подтвердить пароль:
 IDOK					&OK
 IDCANCEL				Отмена
 S_STATIC				Примечание: Вы не сможете изменить пароль пользователя, если выбран тип авторизации "RADIUS или авторизация в домене".
@ -2558,9 +2558,9 @@ STATIC8					Прокси-сервер:
 STATIC9					Вы можете подключиться к VPN-серверу через прокси-сервер.
 STATIC10				Тип прокси:
 R_DIRECT_TCP			&Прямое TCP/IP соединение (без прокси)
-R_HTTPS					Подключиться через HTTP прокси-сервер
-R_SOCKS					Подключиться через SOCKS прокси-сервер
-R_SOCKS5				Подключиться через SOCKS5 прокси-сервер
+R_HTTPS					Через HTTP прокси-сервер
+R_SOCKS					Через SOCKS прокси-сервер
+R_SOCKS5				Через SOCKS5 прокси-сервер
 B_PROXY_CONFIG			Настройки прокси-сервера
 STATIC11				Выберите режим администрирования и введите пароль
 STATIC12				Вы можете подключиться к VPN-серверу, используя либо режим администратора сервера, либо режим Virtual Hub администратора. \r\n\r\nРежим администратора сервера позволяет вам управлять VPN-сервером и всеми Virtual Hub. \r\n\r\nРежим Virtual Hub администратора позволяет вам управлять только одним Virtual Hub, на который у вас есть права.
--- a/src/bin/hamcore/wwwroot/admin/default/package-lock.json
+++ b/src/bin/hamcore/wwwroot/admin/default/package-lock.json
@ -373,12 +373,23 @@
      }
    },
    "braces": {
-      "version": "3.0.2",
-      "resolved": "https://registry.npmjs.org/braces/-/braces-3.0.2.tgz",
-      "integrity": "sha512-b8um+L1RzM3WDSzvhm6gIz1yfTbBt6YTlcEKAvsmqCZZFw46z626lVj9j1yEPW33H5H+lBQpZMP1k8l+78Ha0A==",
+      "version": "3.0.3",
+      "resolved": "https://registry.npmjs.org/braces/-/braces-3.0.3.tgz",
+      "integrity": "sha512-yQbXgO/OSZVD2IsiLlro+7Hf6Q18EJrKSEsdoMzKePKXct3gvD8oLcOQdIzGupr5Fj+EDe8gO/lxc1BzfMpxvA==",
      "dev": true,
      "requires": {
-        "fill-range": "^7.0.1"
+        "fill-range": "^7.1.1"
+      },
+      "dependencies": {
+        "fill-range": {
+          "version": "7.1.1",
+          "resolved": "https://registry.npmjs.org/fill-range/-/fill-range-7.1.1.tgz",
+          "integrity": "sha512-YsGpe3WHLK8ZYi4tWDg2Jy3ebRz2rXowDxnld4bkQB00cc/1Zw9AWnC0i9ztDJitivtQvaI9KaLyKrc+hBW0yg==",
+          "dev": true,
+          "requires": {
+            "to-regex-range": "^5.0.1"
+          }
+        }
      }
    },
    "browserslist": {
@ -603,15 +614,6 @@
      "integrity": "sha512-eRnCtTTtGZFpQCwhJiUOuxPQWRXVKYDn0b2PeHfXL6/Zi53SLAzAHfVhVWK2AryC/WH05kGfxhFIPvTF0SXQzg==",
      "dev": true
    },
-    "fill-range": {
-      "version": "7.0.1",
-      "resolved": "https://registry.npmjs.org/fill-range/-/fill-range-7.0.1.tgz",
-      "integrity": "sha512-qOo9F+dMUmC2Lcb4BbVvnKJxTPjCm+RRpe4gDuGrzkL7mEVl/djYSu2OdQ2Pa302N4oqkSg9ir6jaLWJ2USVpQ==",
-      "dev": true,
-      "requires": {
-        "to-regex-range": "^5.0.1"
-      }
-    },
    "find-up": {
      "version": "4.1.0",
      "resolved": "https://registry.npmjs.org/find-up/-/find-up-4.1.0.tgz",
Author	SHA1	Message	Date
siddharth-narayan	73c6bc2fa8	Merge `ed82884202` into `c76f11a523`	2024-07-05 20:50:37 -04:00
Siddharth	ed82884202	Move duplicated code to one place	2024-07-05 20:50:28 -04:00
Siddharth	d4d20e4443	Remove testing code	2024-07-04 13:56:13 -04:00
Ilya Shipitsin	c76f11a523	Merge pull request #2026 from siddharth-narayan/fedora-fix-engine Fix openssl engine support on Fedora Rawhide	2024-07-04 19:26:11 +02:00
Siddharth	a45219bb78	Revert "Fix engine include errors on Fedora Rawhide" This reverts commit `1d57ccf94a`.	2024-07-04 13:15:50 -04:00
siddharth-narayan	25585a1e3d	Guard engine.h include	2024-07-04 13:05:30 -04:00
siddharth-narayan	4370efcc90	replace openssl-devel with openssl-devel-engine	2024-07-04 13:02:16 -04:00
Siddharth	1d57ccf94a	Fix engine include errors on Fedora Rawhide	2024-07-04 06:55:06 -04:00
siddharth-narayan	04912037c0	Merge branch 'SoftEtherVPN:master' into built-in-post-quantum	2024-07-03 20:12:21 -04:00
Ilya Shipitsin	b8fbb3e3d8	Merge pull request #2025 from chipitsine/fedora_pull_request CI: enable Fedora Rawgide on pull requests	2024-07-03 23:43:19 +02:00
Ilia Shipitsin	98a8d5249d	CI: enable Fedora Rawgide on pull requests	2024-07-03 23:21:44 +02:00
Ilya Shipitsin	dd2a53e049	Merge pull request #2024 from chipitsine/master bump version for upcoming 5186 release	2024-07-03 21:16:01 +02:00
Ilia Shipitsin	7ce9c088ff	bump version for upcoming 5186 release	2024-07-03 19:20:14 +02:00
Siddharth	1f9ce6f9c2	Skip oqsprovider build when OpenSSL version is less than 3.0	2024-06-28 17:05:52 -04:00
Siddharth	28ded982a7	Remove empty OpenSSL version guard	2024-06-28 14:18:48 -04:00
siddharth-narayan	de9c566f33	Merge branch 'SoftEtherVPN:master' into built-in-post-quantum	2024-06-28 13:43:55 -04:00
Siddharth	0af6c96d88	Skip tests for oqsprovider	2024-06-28 04:01:30 -04:00
Siddharth	c2c1388f8c	Update liboqs and oqs-provider git submodules	2024-06-28 04:00:51 -04:00
Siddharth	d15f92c9b2	Make oqsprovider not build tests	2024-06-28 04:00:51 -04:00
Siddharth	7dc3f2240c	Add liboqs with find_package	2024-06-26 20:55:09 -04:00
Ilya Shipitsin	c2a7aa5481	Merge pull request from GHSA-j35p-p8pj-vqxq src/Cedar/Proto_IKE.c: ignore packets with no IPSec SA	2024-06-22 18:57:28 +02:00
Ilia Shipitsin	6f57449164	src/Cedar/Proto_IKE.c: ignore packets with no IPSec SA many thanks to Jonathan Phillibert from Amazon Web Services for investigating and reporting that responding to such packets might lead to traffic amplification	2024-06-22 18:53:35 +02:00
Siddharth	eb66e7d360	That's not how you comment in C!	2024-06-21 15:16:27 -04:00
Siddharth	13e6369db3	Add liboqs because it isn't normally packaged	2024-06-21 15:14:49 -04:00
Siddharth	102485a4b8	Add oqsprovider statically (built in) by default	2024-06-20 22:08:38 -04:00
Ilya Shipitsin	bc31a5cfd3	Merge pull request #2002 from siddharth-narayan/quantum-safe-key-agreement Add Post Quantum key agreement	2024-06-18 22:41:52 +02:00
Siddharth	68964ab0d7	Guard variables with OpenSSL version	2024-06-18 16:09:10 -04:00
siddharth-narayan	bf3c50fde4	Merge branch 'SoftEtherVPN:master' into quantum-safe-key-agreement	2024-06-18 14:55:45 -04:00
Siddharth	b06486b37d	Remove unecessary provider include	2024-06-18 00:01:58 -04:00
Ilya Shipitsin	26c61b3213	Merge pull request #2014 from SoftEtherVPN/dependabot/npm_and_yarn/src/bin/hamcore/wwwroot/admin/default/braces-3.0.3 Bump braces from 3.0.2 to 3.0.3 in /src/bin/hamcore/wwwroot/admin/default	2024-06-17 17:45:14 +02:00
Ilya Shipitsin	1bea86ef94	Merge pull request #2006 from hiura2023/master Change ssl error handler: Having to read all of the errors using ERR_get_error.	2024-06-17 17:36:55 +02:00
dependabot[bot]	6825234e0a	Bump braces in /src/bin/hamcore/wwwroot/admin/default Bumps [braces](https://github.com/micromatch/braces) from 3.0.2 to 3.0.3. - [Changelog](https://github.com/micromatch/braces/blob/master/CHANGELOG.md) - [Commits](https://github.com/micromatch/braces/compare/3.0.2...3.0.3) --- updated-dependencies: - dependency-name: braces dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com>	2024-06-17 15:36:07 +00:00
Ilya Shipitsin	a794726a07	Merge pull request #2011 from SoftEtherVPN/dependabot/npm_and_yarn/developer_tools/vpnserver-jsonrpc-clients/vpnserver-jsonrpc-client-nodejs-package/braces-3.0.3 Bump braces from 3.0.2 to 3.0.3 in /developer_tools/vpnserver-jsonrpc-clients/vpnserver-jsonrpc-client-nodejs-package	2024-06-17 17:35:33 +02:00
dependabot[bot]	dae352104c	Bump braces Bumps [braces](https://github.com/micromatch/braces) from 3.0.2 to 3.0.3. - [Changelog](https://github.com/micromatch/braces/blob/master/CHANGELOG.md) - [Commits](https://github.com/micromatch/braces/compare/3.0.2...3.0.3) --- updated-dependencies: - dependency-name: braces dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com>	2024-06-16 09:58:05 +00:00
Ilya Shipitsin	4fe5352931	Merge pull request #2007 from metalefty/freebsd-ci CI: Update to FreeBSD 14.0-RELEASE	2024-06-09 17:23:48 +02:00
Koichiro Iwao	ebe52afa9a	CI: Update to FreeBSD 14.0-RELEASE since FreeBSD 13.2 image is no longer available on the CI platform.	2024-06-09 21:33:46 +09:00
hiura2023	c06e5ad1dd	Merge branch 'SoftEtherVPN:master' into master	2024-06-08 02:30:04 +09:00
hiura	b2ec1bd5dd	Change ssl error handler: Having to read all of the errors using ERR_get_error	2024-06-08 02:28:28 +09:00
Ilya Shipitsin	bfaff4fdb0	Merge pull request #1994 from hiura2023/master Fix Virtual DHCP Server: Correct IP reassignment	2024-05-27 13:13:40 +02:00
hiura	08213b7f0e	CHANGE ERROR HANDLER FOR SSL ERROR: Change of indent	2024-05-26 23:50:05 +09:00
hiura	98852b77d9	CHANGE ERROR HANDLER FOR SSL ERROR:	2024-05-26 23:36:21 +09:00
Ilya Shipitsin	645a078f8e	Merge pull request #2003 from djony/master Minor russian traslation update	2024-05-22 18:40:57 +02:00
djony	af2196468a	Update strtable_ru.stb	2024-05-22 17:40:11 +03:00
djony	42647480b0	Update strtable_ru.stb	2024-05-22 17:02:03 +03:00
djony	60496ac7fb	Merge branch 'SoftEtherVPN:master' into master	2024-05-22 16:26:44 +03:00
siddharth-narayan	63ffab9ee4	Merge branch 'SoftEtherVPN:master' into quantum-safe-key-agreement	2024-05-20 23:20:52 -04:00
Siddharth	2fe4ca0f8c	Fix incorrect PQ_GROUP_LIST string	2024-05-20 21:46:57 -04:00
Siddharth	a50d8910ba	Add PQ Groups and the provider for them	2024-05-20 19:48:23 -04:00
Ilya Shipitsin	315ffffeec	Merge pull request #2001 from chipitsine/ci_drop_macos_11 CI: drop macos-11	2024-05-20 23:37:52 +02:00
Ilia Shipitsin	141060101d	CI: drop macos-11 more details: https://github.blog/changelog/2024-05-20-actions-upcoming-changes-to-github-hosted-macos-runners/	2024-05-20 21:50:07 +02:00
hiura	5a88b34ddb	Fix Virtual DHCP Server: Correct IP reassignment	2024-05-08 10:55:00 +09:00
Ilya Shipitsin	7006539732	Merge pull request #1992 from chipitsine/macos_14 CI: add macos-14	2024-05-04 22:16:00 +02:00
Ilya Shipitsin	8ad34b2012	Merge pull request #1991 from chipitsine/master bump version for upcoming 5185 release	2024-05-04 22:04:21 +02:00
Ilia Shipitsin	186d48fba2	CI: add macos-14	2024-05-04 21:25:39 +02:00
Ilia Shipitsin	37231ac006	bump version for upcoming 5185 release	2024-05-04 21:23:00 +02:00
djony	5e63124bb5	Update strtable_ru.stb	2023-08-27 22:20:11 +03:00
djony	716ae59f1f	Update strtable_ru.stb	2023-08-27 22:11:51 +03:00