AMajor/SoftEtherVPN
1
0
Fork 0
mirror of https://github.com/SoftEtherVPN/SoftEtherVPN.git synced 2025-07-13 19:24:57 +03:00
Code Releases Activity

Compare commits

base: AMajor:5.02.5185
Branches Tags
AMajor:master
AMajor:5.02.5187 AMajor:5.02.5186 AMajor:5.02.5185 AMajor:5.02.5184 AMajor:5.02.5183 AMajor:5.02.5182 AMajor:5.02.5181 AMajor:5.02.5180 AMajor:5.02.0 AMajor:5.01.9674 AMajor:5.01.9673 AMajor:5.01.9672 AMajor:5.01.9671 AMajor:5.01.9670 AMajor:5.01.9669 AMajor:5.01.9668 AMajor:5.01.9667 AMajor:5.01.9666 AMajor:5.01.9665 AMajor:5.01.9664 AMajor:5.01.9663 AMajor:5.01.9662 AMajor:5.01.9661 AMajor:5.01.9660 AMajor:5.01.9659 AMajor:5.01.9658
..
compare: AMajor:2736c6c6f5dd8cf151b057177a039d86458e87cf
Branches Tags
AMajor:master
AMajor:5.02.5187 AMajor:5.02.5186 AMajor:5.02.5185 AMajor:5.02.5184 AMajor:5.02.5183 AMajor:5.02.5182 AMajor:5.02.5181 AMajor:5.02.5180 AMajor:5.02.0 AMajor:5.01.9674 AMajor:5.01.9673 AMajor:5.01.9672 AMajor:5.01.9671 AMajor:5.01.9670 AMajor:5.01.9669 AMajor:5.01.9668 AMajor:5.01.9667 AMajor:5.01.9666 AMajor:5.01.9665 AMajor:5.01.9664 AMajor:5.01.9663 AMajor:5.01.9662 AMajor:5.01.9661 AMajor:5.01.9660 AMajor:5.01.9659 AMajor:5.01.9658

1 Commits
5.02.5185 ... 2736c6c6f5

Author SHA1 Message Date
siddharth-narayan
2736c6c6f5 Merge 63ffab9ee4 into 26c61b3213 2024-06-17 17:46:11 +02:00
3 changed files with 33 additions and 10 deletions
Expand all files Collapse all files

34
src/Cedar/Proto_IKE.c
View File

@ -463,13 +463,39 @@ void ProcIPsecEspPacketRecv(IKE_SERVER *ike, UDPPACKET *p)
seq = READ_UINT(src + sizeof(UINT)); seq = READ_UINT(src + sizeof(UINT));
// Search and retrieve the IPsec SA from SPI // Search and retrieve the IPsec SA from SPI
// thank to @phillibert report, responding to bad SA might lead to amplification
// according to RFC4303 we should drop such packets
ipsec_sa = SearchClientToServerIPsecSaBySpi(ike, spi); ipsec_sa = SearchClientToServerIPsecSaBySpi(ike, spi);
if (ipsec_sa == NULL) if (ipsec_sa == NULL)
{ {
// Invalid SPI
UINT64 init_cookie = Rand64();
UINT64 resp_cookie = 0;
IKE_CLIENT *c = NULL;
IKE_CLIENT t;
Copy(&t.ClientIP, &p->SrcIP, sizeof(IP));
t.ClientPort = p->SrcPort;
Copy(&t.ServerIP, &p->DstIP, sizeof(IP));
t.ServerPort = p->DestPort;
t.CurrentIkeSa = NULL;
if (p->DestPort == IPSEC_PORT_IPSEC_ESP_RAW)
{
t.ClientPort = t.ServerPort = IPSEC_PORT_IPSEC_ISAKMP;
}
c = Search(ike->ClientList, &t);
if (c != NULL && c->CurrentIkeSa != NULL)
{
init_cookie = c->CurrentIkeSa->InitiatorCookie;
resp_cookie = c->CurrentIkeSa->ResponderCookie;
}
SendInformationalExchangePacketEx(ike, (c == NULL ? &t : c), IkeNewNoticeErrorInvalidSpiPayload(spi), false,
init_cookie, resp_cookie);
SendDeleteIPsecSaPacket(ike, (c == NULL ? &t : c), spi);
return; return;
} }

7
src/Mayaqua/Network.c
View File

@ -25,6 +25,7 @@
#include <openssl/err.h> #include <openssl/err.h>
#include <openssl/ssl.h> #include <openssl/ssl.h>
#include <openssl/provider.h>
#ifdef OS_UNIX #ifdef OS_UNIX
#include <fcntl.h> #include <fcntl.h>
@ -11905,10 +11906,8 @@ bool StartSSLEx3(SOCK *sock, X *x, K *priv, LIST *chain, UINT ssl_timeout, char
Unlock(openssl_lock); Unlock(openssl_lock);
} }
#if OPENSSL_VERSION_NUMBER >= 0x30000000L SSL_set1_groups_list(sock->ssl, PQ_GROUP_LIST);
SSL_set1_groups_list(sock->ssl, PQ_GROUP_LIST);
#endif
if (sock->ServerMode) if (sock->ServerMode)
{ {
// Lock(ssl_connect_lock); // Lock(ssl_connect_lock);

2
src/Mayaqua/Network.h
View File

@ -59,9 +59,7 @@ struct DYN_VALUE
#define DEFAULT_CIPHER_LIST "ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:DHE+CHACHA20:ECDHE+AES256:DHE+AES256:RSA+AES" #define DEFAULT_CIPHER_LIST "ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:DHE+CHACHA20:ECDHE+AES256:DHE+AES256:RSA+AES"
#if OPENSSL_VERSION_NUMBER >= 0x30000000L
#define PQ_GROUP_LIST "p521_kyber1024:x25519_kyber768:P-521:X25519:P-256" #define PQ_GROUP_LIST "p521_kyber1024:x25519_kyber768:P-521:X25519:P-256"
#endif
// SSL logging function // SSL logging function
//#define ENABLE_SSL_LOGGING //#define ENABLE_SSL_LOGGING