Merge 63ffab9ee4 into 645a078f8e

2025-07-16 12:44:57 +03:00 · 2024-05-22 13:41:28 -04:00
7 changed files with 116 additions and 129 deletions
--- a/.cirrus.yml
+++ b/.cirrus.yml
@ -11,7 +11,7 @@ FreeBSD_task:
      SSL:
  matrix:
    freebsd_instance:
-      image_family: freebsd-14-0
+      image_family: freebsd-13-2
  prepare_script:
    - pkg install -y pkgconf cmake git libsodium $SSL
    - git submodule update --init --recursive
--- a/developer_tools/vpnserver-jsonrpc-clients/vpnserver-jsonrpc-client-nodejs-package/package-lock.json
+++ b/developer_tools/vpnserver-jsonrpc-clients/vpnserver-jsonrpc-client-nodejs-package/package-lock.json
@ -65,23 +65,12 @@
      }
    },
    "braces": {
-      "version": "3.0.3",
-      "resolved": "https://registry.npmjs.org/braces/-/braces-3.0.3.tgz",
-      "integrity": "sha512-yQbXgO/OSZVD2IsiLlro+7Hf6Q18EJrKSEsdoMzKePKXct3gvD8oLcOQdIzGupr5Fj+EDe8gO/lxc1BzfMpxvA==",
+      "version": "3.0.2",
+      "resolved": "https://registry.npmjs.org/braces/-/braces-3.0.2.tgz",
+      "integrity": "sha512-b8um+L1RzM3WDSzvhm6gIz1yfTbBt6YTlcEKAvsmqCZZFw46z626lVj9j1yEPW33H5H+lBQpZMP1k8l+78Ha0A==",
      "dev": true,
      "requires": {
-        "fill-range": "^7.1.1"
-      },
-      "dependencies": {
-        "fill-range": {
-          "version": "7.1.1",
-          "resolved": "https://registry.npmjs.org/fill-range/-/fill-range-7.1.1.tgz",
-          "integrity": "sha512-YsGpe3WHLK8ZYi4tWDg2Jy3ebRz2rXowDxnld4bkQB00cc/1Zw9AWnC0i9ztDJitivtQvaI9KaLyKrc+hBW0yg==",
-          "dev": true,
-          "requires": {
-            "to-regex-range": "^5.0.1"
-          }
-        }
+        "fill-range": "^7.0.1"
      }
    },
    "builtin-modules": {
@ -162,6 +151,15 @@
      "integrity": "sha1-Cr9PHKpbyx96nYrMbepPqqBLrJs=",
      "dev": true
    },
+    "fill-range": {
+      "version": "7.0.1",
+      "resolved": "https://registry.npmjs.org/fill-range/-/fill-range-7.0.1.tgz",
+      "integrity": "sha512-qOo9F+dMUmC2Lcb4BbVvnKJxTPjCm+RRpe4gDuGrzkL7mEVl/djYSu2OdQ2Pa302N4oqkSg9ir6jaLWJ2USVpQ==",
+      "dev": true,
+      "requires": {
+        "to-regex-range": "^5.0.1"
+      }
+    },
    "fs.realpath": {
      "version": "1.0.0",
      "resolved": "https://registry.npmjs.org/fs.realpath/-/fs.realpath-1.0.0.tgz",
--- a/src/Cedar/Proto_IKE.c
+++ b/src/Cedar/Proto_IKE.c
@ -463,13 +463,39 @@ void ProcIPsecEspPacketRecv(IKE_SERVER *ike, UDPPACKET *p)
 	seq = READ_UINT(src + sizeof(UINT));

 	// Search and retrieve the IPsec SA from SPI
-
-	// thank to @phillibert report, responding to bad SA might lead to amplification
-	// according to RFC4303 we should drop such packets
-
 	ipsec_sa = SearchClientToServerIPsecSaBySpi(ike, spi);
 	if (ipsec_sa == NULL)
 	{
+		// Invalid SPI
+		UINT64 init_cookie = Rand64();
+		UINT64 resp_cookie = 0;
+		IKE_CLIENT *c = NULL;
+		IKE_CLIENT t;
+
+
+		Copy(&t.ClientIP, &p->SrcIP, sizeof(IP));
+		t.ClientPort = p->SrcPort;
+		Copy(&t.ServerIP, &p->DstIP, sizeof(IP));
+		t.ServerPort = p->DestPort;
+		t.CurrentIkeSa = NULL;
+
+		if (p->DestPort == IPSEC_PORT_IPSEC_ESP_RAW)
+		{
+			t.ClientPort = t.ServerPort = IPSEC_PORT_IPSEC_ISAKMP;
+		}
+
+		c = Search(ike->ClientList, &t);
+
+		if (c != NULL && c->CurrentIkeSa != NULL)
+		{
+			init_cookie = c->CurrentIkeSa->InitiatorCookie;
+			resp_cookie = c->CurrentIkeSa->ResponderCookie;
+		}
+
+		SendInformationalExchangePacketEx(ike, (c == NULL ? &t : c), IkeNewNoticeErrorInvalidSpiPayload(spi), false,
+			init_cookie, resp_cookie);
+
+		SendDeleteIPsecSaPacket(ike, (c == NULL ? &t : c), spi);
 		return;
 	}

--- a/src/Cedar/Virtual.c
+++ b/src/Cedar/Virtual.c
@ -9349,35 +9349,62 @@ UINT ServeDhcpDiscoverEx(VH *v, UCHAR *mac, UINT request_ip, bool is_static_ip)
 		// check whether it is a request from the same MAC address
 		if (Cmp(mac, d->MacAddress, 6) == 0)
 		{
-			// Examine whether the specified IP address is within the range of static assignment
+			// Examine whether the specified IP address is within the range of assignment
 			if (Endian32(v->DhcpIpStart) > Endian32(request_ip) ||
 				Endian32(request_ip) > Endian32(v->DhcpIpEnd))
 			{
-				// Accept if within the range of static assignment
+				// Accept if within the range
 				ret = request_ip;
 			}
 		}
 		else {
-			// Duplicated IPV4 address found. The specified IP address is not available for use
+			// Duplicated IPV4 address found. The DHCP server replies to DHCPREQUEST with DHCP NAK.
 			char ipstr[MAX_HOST_NAME_LEN + 1] = { 0 };
 			char macstr[128] = { 0 };
 			IPToStr32(ipstr, sizeof(ipstr), request_ip);
-			MacToStr(macstr, sizeof(macstr), d->MacAddress);
-			Debug("Virtual DHC Server: Duplicated IP address detected. Static IP: %s, with the MAC: %s\n", ipstr, macstr);
+			BinToStr(macstr, sizeof(macstr), d->MacAddress, 6);
+			Debug("Virtual DHC Server: Duplicated IP address detected. Static IP: %s, Used by MAC:%s\n", ipstr, macstr);
+			return ret;
 		}
 	}
 	else
 	{
-		// Examine whether the specified IP address is within the range of static assignment
+		// Examine whether the specified IP address is within the range of assignment
 		if (Endian32(v->DhcpIpStart) > Endian32(request_ip) ||
 			Endian32(request_ip) > Endian32(v->DhcpIpEnd))
 		{
-			// Accept if within the range of static assignment
+			// Accept if within the range
 			ret = request_ip;
 		}
 		else
 		{
-			// The specified IP address is not available for use
+			// Propose an IP in the range since it's a Discover although It is out of range
+		}
+	}
+	if (ret == 0)
+	{
+		// If there is any entry with the same MAC address
+		// that are already registered, use it with priority
+		DHCP_LEASE *d = SearchDhcpLeaseByMac(v, mac);
+
+		if (d != NULL)
+		{
+			// Examine whether the found IP address is in the allocation region
+			if (Endian32(v->DhcpIpStart) > Endian32(d->IpAddress) ||
+				Endian32(d->IpAddress) > Endian32(v->DhcpIpEnd))
+			{
+				// Use the IP address if it's found within the range
+				ret = d->IpAddress;
+			}
+		}
+	}
+	if (ret == 0)
+	{
+		// For static IP, the requested IP address must NOT be within the range of the DHCP pool
+		if (Endian32(v->DhcpIpStart) > Endian32(request_ip) ||
+			Endian32(request_ip) > Endian32(v->DhcpIpEnd))
+		{
+			ret = request_ip;
 		}
 	}

@ -9568,11 +9595,6 @@ void VirtualDhcpServer(VH *v, PKT *p)
 			{
 				ip = ServeDhcpRequestEx(v, p->MacAddressSrc, opt->RequestedIp, ip_static);
 			}
-			// If the IP address in user's note is changed, then reply to DHCP_REQUEST with DHCP_NAK
-			if (p->L3.IPv4Header->SrcIP && ip != p->L3.IPv4Header->SrcIP)
-			{
-				ip = 0;
-			}
 		}

 		if (ip != 0 || opt->Opcode == DHCP_INFORM)
@ -9585,14 +9607,6 @@ void VirtualDhcpServer(VH *v, PKT *p)
 				char client_mac[MAX_SIZE];
 				char client_ip[MAX_SIZE];

-				// If there is any entry with the same MAC address, then remove it
-				d = SearchDhcpLeaseByMac(v, p->MacAddressSrc);
-				if (d != NULL)
-				{
-					FreeDhcpLease(d);
-					Delete(v->DhcpLeaseList, d);
-				}
-
 				// Remove old records with the same IP address
 				d = SearchDhcpLeaseByIp(v, ip);
 				if (d != NULL)
@ -9751,7 +9765,7 @@ void VirtualDhcpServer(VH *v, PKT *p)
 		}
 		else
 		{
-			// Reply of DHCP_REQUEST must be either DHCP_ACK or DHCP_NAK
+			// Reply of DHCP_REQUEST must be either DHCP_ACK or DHCP_NAK.
 			if (opt->Opcode == DHCP_REQUEST)
 			{
 				// There is no IP address that can be provided
--- a/src/Mayaqua/Network.c
+++ b/src/Mayaqua/Network.c
@ -25,6 +25,7 @@

 #include <openssl/err.h>
 #include <openssl/ssl.h>
+#include <openssl/provider.h>

 #ifdef OS_UNIX
 #include <fcntl.h>
@ -11905,10 +11906,8 @@ bool StartSSLEx3(SOCK *sock, X *x, K *priv, LIST *chain, UINT ssl_timeout, char
 		Unlock(openssl_lock);
 	}

-	#if OPENSSL_VERSION_NUMBER >= 0x30000000L
-		SSL_set1_groups_list(sock->ssl, PQ_GROUP_LIST);
-	#endif
-	
+	SSL_set1_groups_list(sock->ssl, PQ_GROUP_LIST);
+
 	if (sock->ServerMode)
 	{
 //		Lock(ssl_connect_lock);
@ -12289,15 +12288,9 @@ UINT SecureRecv(SOCK *sock, void *data, UINT size)
 				Debug("%s %u SecureRecv() Disconnect\n", __FILE__, __LINE__);
 				return 0;
 			}
-			ERR_clear_error();
 			ret = SSL_peek(ssl, &c, sizeof(c));
 		}
 		Unlock(sock->ssl_lock);
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
-		// 2021/09/10: After OpenSSL 3.x.x, both 0 and negative values might mean retryable.
-		// See: https://github.com/openssl/openssl/blob/435981cbadad2c58c35bacd30ca5d8b4c9bea72f/doc/man3/SSL_read.pod
-		// > Old documentation indicated a difference between 0 and -1, and that -1 was retryable.
-		// > You should instead call SSL_get_error() to find out if it's retryable.
 		if (ret == 0)
 		{
 			// The communication have been disconnected
@ -12305,8 +12298,7 @@ UINT SecureRecv(SOCK *sock, void *data, UINT size)
 			Debug("%s %u SecureRecv() Disconnect\n", __FILE__, __LINE__);
 			return 0;
 		}
-#endif
-		if (ret <= 0)
+		if (ret < 0)
 		{
 			// An error has occurred
 			e = SSL_get_error(ssl, ret);
@ -12314,18 +12306,14 @@ UINT SecureRecv(SOCK *sock, void *data, UINT size)
 			{
 				if (e == SSL_ERROR_SSL
 #if OPENSSL_VERSION_NUMBER < 0x10100000L
-					&&
-					sock->ssl->s3->send_alert[0] == SSL3_AL_FATAL &&
-					sock->ssl->s3->send_alert[0] != sock->Ssl_Init_Async_SendAlert[0] &&
-					sock->ssl->s3->send_alert[1] != sock->Ssl_Init_Async_SendAlert[1]
+				        &&
+				        sock->ssl->s3->send_alert[0] == SSL3_AL_FATAL &&
+				        sock->ssl->s3->send_alert[0] != sock->Ssl_Init_Async_SendAlert[0] &&
+				        sock->ssl->s3->send_alert[1] != sock->Ssl_Init_Async_SendAlert[1]
 #endif
-					)
+				   )
 				{
-					UINT ssl_err_no;
-					while (ssl_err_no = ERR_get_error()){
-						Debug("%s %u SSL_ERROR_SSL on ASYNC socket !!! ssl_err_no = %u: '%s'\n", __FILE__, __LINE__, ssl_err_no, ERR_error_string(ssl_err_no, NULL));
-					};
-
+					Debug("%s %u SSL Fatal Error on ASYNC socket !!!\n", __FILE__, __LINE__);
 					Disconnect(sock);
 					return 0;
 				}
@ -12352,15 +12340,14 @@ UINT SecureRecv(SOCK *sock, void *data, UINT size)
 		}
 #endif	// OS_UNIX

-		// Run the time-out thread for SOLARIS
+// Run the time-out thread for SOLARIS
 #ifdef UNIX_SOLARIS
 		ttparam = NewSocketTimeout(sock);
 #endif // UNIX_SOLARIS

-		ERR_clear_error();
 		ret = SSL_read(ssl, data, size);

-		// Stop the timeout thread
+// Stop the timeout thread
 #ifdef UNIX_SOLARIS
 		FreeSocketTimeout(ttparam);
 #endif // UNIX_SOLARIS
@ -12373,11 +12360,7 @@ UINT SecureRecv(SOCK *sock, void *data, UINT size)
 		}
 #endif	// OS_UNIX

-#if OPENSSL_VERSION_NUMBER < 0x30000000L
-		if (ret < 0) // OpenSSL version < 3.0.0
-#else
-		if (ret <= 0) // OpenSSL version >= 3.0.0
-#endif
+		if (ret < 0)
 		{
 			e = SSL_get_error(ssl, ret);
 		}
@ -12400,12 +12383,6 @@ UINT SecureRecv(SOCK *sock, void *data, UINT size)

 		return (UINT)ret;
 	}
-
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
-	// 2021/09/10: After OpenSSL 3.x.x, both 0 and negative values might mean retryable.
-	// See: https://github.com/openssl/openssl/blob/435981cbadad2c58c35bacd30ca5d8b4c9bea72f/doc/man3/SSL_read.pod
-	// > Old documentation indicated a difference between 0 and -1, and that -1 was retryable.
-	// > You should instead call SSL_get_error() to find out if it's retryable.
 	if (ret == 0)
 	{
 		// Disconnect the communication
@ -12413,26 +12390,20 @@ UINT SecureRecv(SOCK *sock, void *data, UINT size)
 		//Debug("%s %u SecureRecv() Disconnect\n", __FILE__, __LINE__);
 		return 0;
 	}
-#endif
-
 	if (sock->AsyncMode)
 	{
 		if (e == SSL_ERROR_WANT_READ || e == SSL_ERROR_WANT_WRITE || e == SSL_ERROR_SSL)
 		{
 			if (e == SSL_ERROR_SSL
 #if OPENSSL_VERSION_NUMBER < 0x10100000L
-				&&
-				sock->ssl->s3->send_alert[0] == SSL3_AL_FATAL &&
-				sock->ssl->s3->send_alert[0] != sock->Ssl_Init_Async_SendAlert[0] &&
-				sock->ssl->s3->send_alert[1] != sock->Ssl_Init_Async_SendAlert[1]
+			        &&
+			        sock->ssl->s3->send_alert[0] == SSL3_AL_FATAL &&
+			        sock->ssl->s3->send_alert[0] != sock->Ssl_Init_Async_SendAlert[0] &&
+			        sock->ssl->s3->send_alert[1] != sock->Ssl_Init_Async_SendAlert[1]
 #endif
-				)
+			   )
 			{
-				UINT ssl_err_no;
-				while (ssl_err_no = ERR_get_error()) {
-					Debug("%s %u SSL_ERROR_SSL on ASYNC socket !!! ssl_err_no = %u: '%s'\n", __FILE__, __LINE__, ssl_err_no, ERR_error_string(ssl_err_no, NULL));
-				};
-
+				Debug("%s %u SSL Fatal Error on ASYNC socket !!!\n", __FILE__, __LINE__);
 				Disconnect(sock);
 				return 0;
 			}
@ -12441,8 +12412,8 @@ UINT SecureRecv(SOCK *sock, void *data, UINT size)
 			return SOCK_LATER;
 		}
 	}
-	Debug("%s %u e=%u SecureRecv() Disconnect\n", __FILE__, __LINE__, e);
 	Disconnect(sock);
+	Debug("%s %u SecureRecv() Disconnect\n", __FILE__, __LINE__);
 	return 0;
 }

@ -12469,13 +12440,8 @@ UINT SecureSend(SOCK *sock, void *data, UINT size)
 			return 0;
 		}

-		ERR_clear_error();
 		ret = SSL_write(ssl, data, size);
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
-		if (ret < 0) // OpenSSL version < 3.0.0
-#else
-		if (ret <= 0) // OpenSSL version >= 3.0.0
-#endif
+		if (ret < 0)
 		{
 			e = SSL_get_error(ssl, ret);
 		}
@ -12497,8 +12463,6 @@ UINT SecureSend(SOCK *sock, void *data, UINT size)
 		sock->WriteBlocked = false;
 		return (UINT)ret;
 	}
-
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
 	if (ret == 0)
 	{
 		// Disconnect
@ -12506,29 +12470,18 @@ UINT SecureSend(SOCK *sock, void *data, UINT size)
 		Disconnect(sock);
 		return 0;
 	}
-#endif

 	if (sock->AsyncMode)
 	{
 		// Confirmation of the error value
 		if (e == SSL_ERROR_WANT_READ || e == SSL_ERROR_WANT_WRITE || e == SSL_ERROR_SSL)
 		{
-			if (e == SSL_ERROR_SSL)
-			{
-				UINT ssl_err_no;
-				while (ssl_err_no = ERR_get_error()) {
-					Debug("%s %u SSL_ERROR_SSL on ASYNC socket !!! ssl_err_no = %u: '%s'\n", __FILE__, __LINE__, ssl_err_no, ERR_error_string(ssl_err_no, NULL));
-				};
-
-				Disconnect(sock);
-				return 0;
-			}
-
 			sock->WriteBlocked = true;
 			return SOCK_LATER;
 		}
+		Debug("%s %u e=%u\n", __FILE__, __LINE__, e);
 	}
-	Debug("%s %u e=%u SecureSend() Disconnect\n", __FILE__, __LINE__, e);
+	//Debug("%s %u SecureSend() Disconnect\n", __FILE__, __LINE__);
 	Disconnect(sock);
 	return 0;
 }
--- a/src/Mayaqua/Network.h
+++ b/src/Mayaqua/Network.h
@ -59,9 +59,7 @@ struct DYN_VALUE

 #define	DEFAULT_CIPHER_LIST			"ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:DHE+CHACHA20:ECDHE+AES256:DHE+AES256:RSA+AES"

-#if OPENSSL_VERSION_NUMBER >= 0x30000000L
 #define PQ_GROUP_LIST				"p521_kyber1024:x25519_kyber768:P-521:X25519:P-256"
-#endif

 // SSL logging function
 //#define	ENABLE_SSL_LOGGING
--- a/src/bin/hamcore/wwwroot/admin/default/package-lock.json
+++ b/src/bin/hamcore/wwwroot/admin/default/package-lock.json
@ -373,23 +373,12 @@
      }
    },
    "braces": {
-      "version": "3.0.3",
-      "resolved": "https://registry.npmjs.org/braces/-/braces-3.0.3.tgz",
-      "integrity": "sha512-yQbXgO/OSZVD2IsiLlro+7Hf6Q18EJrKSEsdoMzKePKXct3gvD8oLcOQdIzGupr5Fj+EDe8gO/lxc1BzfMpxvA==",
+      "version": "3.0.2",
+      "resolved": "https://registry.npmjs.org/braces/-/braces-3.0.2.tgz",
+      "integrity": "sha512-b8um+L1RzM3WDSzvhm6gIz1yfTbBt6YTlcEKAvsmqCZZFw46z626lVj9j1yEPW33H5H+lBQpZMP1k8l+78Ha0A==",
      "dev": true,
      "requires": {
-        "fill-range": "^7.1.1"
-      },
-      "dependencies": {
-        "fill-range": {
-          "version": "7.1.1",
-          "resolved": "https://registry.npmjs.org/fill-range/-/fill-range-7.1.1.tgz",
-          "integrity": "sha512-YsGpe3WHLK8ZYi4tWDg2Jy3ebRz2rXowDxnld4bkQB00cc/1Zw9AWnC0i9ztDJitivtQvaI9KaLyKrc+hBW0yg==",
-          "dev": true,
-          "requires": {
-            "to-regex-range": "^5.0.1"
-          }
-        }
+        "fill-range": "^7.0.1"
      }
    },
    "browserslist": {
@ -614,6 +603,15 @@
      "integrity": "sha512-eRnCtTTtGZFpQCwhJiUOuxPQWRXVKYDn0b2PeHfXL6/Zi53SLAzAHfVhVWK2AryC/WH05kGfxhFIPvTF0SXQzg==",
      "dev": true
    },
+    "fill-range": {
+      "version": "7.0.1",
+      "resolved": "https://registry.npmjs.org/fill-range/-/fill-range-7.0.1.tgz",
+      "integrity": "sha512-qOo9F+dMUmC2Lcb4BbVvnKJxTPjCm+RRpe4gDuGrzkL7mEVl/djYSu2OdQ2Pa302N4oqkSg9ir6jaLWJ2USVpQ==",
+      "dev": true,
+      "requires": {
+        "to-regex-range": "^5.0.1"
+      }
+    },
    "find-up": {
      "version": "4.1.0",
      "resolved": "https://registry.npmjs.org/find-up/-/find-up-4.1.0.tgz",