Merge pull request #2182 from siddharth-narayan/pq-submodule-update

Update liboqs and oqs-provider submodules
Disable unecessary liboqs algorithms
2026-01-26 13:20:12 +03:00 · 2025-12-02 10:02:48 +01:00 · 2025-12-02 02:57:15 -06:00 · 2025-12-02 02:05:27 -06:00 · 2025-11-26 16:27:59 +01:00 · 2025-11-26 14:57:58 +01:00
12 changed files with 68 additions and 13 deletions
--- a/.cirrus.yml
+++ b/.cirrus.yml
@ -4,14 +4,14 @@ FreeBSD_task:
      SSL: openssl
      OPENSSL_ROOT_DIR: /usr/local
    env:
-      SSL: openssl32
+      SSL: openssl36
      OPENSSL_ROOT_DIR: /usr/local
    env:
      # base openssl
      SSL:
  matrix:
    freebsd_instance:
-      image_family: freebsd-14-2
+      image_family: freebsd-14-3
  prepare_script:
    - pkg install -y pkgconf cmake git libsodium cpu_features $SSL
    - git submodule update --init --recursive
--- a/3
+++ b/3
@ -37,15 +37,18 @@ COPY --from=builder /usr/local/src/SoftEtherVPN/build/libcedar.so /usr/local/src

 FROM base AS vpnserver
 COPY --from=builder /usr/local/src/SoftEtherVPN/build/vpnserver ./
+RUN ./vpnserver --help
 EXPOSE 443/tcp 992/tcp 1194/tcp 1194/udp 5555/tcp 500/udp 4500/udp
 CMD ["/usr/local/bin/vpnserver", "execsvc"]


 FROM base AS vpnclient
 COPY --from=builder /usr/local/src/SoftEtherVPN/build/vpnclient ./
+RUN ./vpnclient --help
 CMD ["/usr/local/bin/vpnclient", "execsvc"]


 FROM base AS vpnbridge
 COPY --from=builder /usr/local/src/SoftEtherVPN/build/vpnbridge ./
+RUN ./vpnbridge --help
 CMD ["/usr/local/bin/vpnbridge", "execsvc"]
--- a/src/Cedar/Hub.c
+++ b/src/Cedar/Hub.c
@ -630,6 +630,7 @@ void DataToHubOptionStruct(HUB_OPTION *o, RPC_ADMIN_OPTION *ao)
 	GetHubAdminOptionDataAndSet(ao, "UseHubNameAsDhcpUserClassOption", o->UseHubNameAsDhcpUserClassOption);
 	GetHubAdminOptionDataAndSet(ao, "UseHubNameAsRadiusNasId", o->UseHubNameAsRadiusNasId);
 	GetHubAdminOptionDataAndSet(ao, "AllowEapMatchUserByCert", o->AllowEapMatchUserByCert);
+	GetHubAdminOptionDataAndSet(ao, "DhcpDiscoverTimeoutMs", o->DhcpDiscoverTimeoutMs);
 }

 // Convert the contents of the HUB_OPTION to data
@ -705,6 +706,7 @@ void HubOptionStructToData(RPC_ADMIN_OPTION *ao, HUB_OPTION *o, char *hub_name)
 	Add(aol, NewAdminOption("UseHubNameAsDhcpUserClassOption", o->UseHubNameAsDhcpUserClassOption));
 	Add(aol, NewAdminOption("UseHubNameAsRadiusNasId", o->UseHubNameAsRadiusNasId));
 	Add(aol, NewAdminOption("AllowEapMatchUserByCert", o->AllowEapMatchUserByCert));
+	Add(aol, NewAdminOption("DhcpDiscoverTimeoutMs", o->DhcpDiscoverTimeoutMs));

 	Zero(ao, sizeof(RPC_ADMIN_OPTION));

--- a/src/Cedar/Hub.h
+++ b/src/Cedar/Hub.h
@ -30,6 +30,9 @@
 // Default flooding queue length
 #define	DEFAULT_FLOODING_QUEUE_LENGTH				(32 * 1024 * 1024)

+// Default DHCP Discover Timeout
+#define	DEFAULT_DHCP_DISCOVER_TIMEOUT				(5 * 1000)
+
 // SoftEther link control packet
 struct SE_LINK
 {
@ -183,6 +186,7 @@ struct HUB_OPTION
 	bool UseHubNameAsDhcpUserClassOption;	// Add HubName to DHCP request as User-Class option
 	bool UseHubNameAsRadiusNasId;		// Add HubName to Radius request as NAS-Identifier attrioption
 	bool AllowEapMatchUserByCert;		// Allow matching EAP Identity with user certificate CNs
+	UINT DhcpDiscoverTimeoutMs;			// Timeout to wait for DHCP server response on DISCOVER request
 };

 // MAC table entry
--- a/src/Cedar/IPC.c
+++ b/src/Cedar/IPC.c
@ -493,12 +493,14 @@ IPC *NewIPC(CEDAR *cedar, char *client_name, char *postfix, char *hubname, char
 	{
 		UINTToIP(&ipc->DefaultGateway, hub->Option->DefaultGateway);
 		UINTToIP(&ipc->SubnetMask, hub->Option->DefaultSubnet);
+		ipc->DhcpDiscoverTimeoutMs = hub->Option->DhcpDiscoverTimeoutMs;
 		GetBroadcastAddress4(&ipc->BroadcastAddress, &ipc->DefaultGateway, &ipc->SubnetMask);
 	}
 	else
 	{
 		ZeroIP4(&ipc->DefaultGateway);
 		ZeroIP4(&ipc->SubnetMask);
+		ipc->DhcpDiscoverTimeoutMs = DEFAULT_DHCP_DISCOVER_TIMEOUT;
 		ZeroIP4(&ipc->BroadcastAddress);
 	}

@ -793,7 +795,8 @@ bool IPCDhcpAllocateIP(IPC *ipc, DHCP_OPTION_LIST *opt, TUBE *discon_poll_tube)
 	StrCpy(req.Hostname, sizeof(req.Hostname), ipc->ClientHostname);
 	IPCDhcpSetConditionalUserClass(ipc, &req);

-	d = IPCSendDhcpRequest(ipc, NULL, tran_id, &req, DHCP_OFFER, IPC_DHCP_TIMEOUT, discon_poll_tube);
+	UINT discoverTimeout = ipc->DhcpDiscoverTimeoutMs > 0 ? ipc->DhcpDiscoverTimeoutMs : DEFAULT_DHCP_DISCOVER_TIMEOUT;
+	d = IPCSendDhcpRequest(ipc, NULL, tran_id, &req, DHCP_OFFER, discoverTimeout, discon_poll_tube);
 	if (d == NULL)
 	{
 		return false;
@ -896,7 +899,7 @@ DHCPV4_DATA *IPCSendDhcpRequest(IPC *ipc, IP *dest_ip, UINT tran_id, DHCP_OPTION
 	}

 	// Retransmission interval
-	resend_interval = MAX(1, (timeout / 3) - 100);
+	resend_interval = MIN(IPC_DHCP_MAX_RESEND_INTERVAL, MAX(1, (timeout / 3) - 100));

 	// Time-out time
 	giveup_time = Tick64() + (UINT64)timeout;
--- a/src/Cedar/IPC.h
+++ b/src/Cedar/IPC.h
@ -19,6 +19,7 @@
 #define	IPC_DHCP_TIMEOUT				(5 * 1000)
 #define	IPC_DHCP_MIN_LEASE				5
 #define	IPC_DHCP_DEFAULT_LEASE			3600
+#define	IPC_DHCP_MAX_RESEND_INTERVAL	(3 * 1000)

 #define	IPC_MAX_PACKET_QUEUE_LEN		10000

@ -149,6 +150,7 @@ struct IPC
 	SHARED_BUFFER *IpcSessionSharedBuffer;	// A shared buffer between IPC and Session
 	IPC_SESSION_SHARED_BUFFER_DATA *IpcSessionShared;	// Shared data between IPC and Session
 	UINT Layer;
+	UINT DhcpDiscoverTimeoutMs;			// Timeut to wait for DHCP server response on DISCOVER request

 	// IPv6 stuff
 	QUEUE *IPv6ReceivedQueue;			// IPv6 reception queue
--- a/src/Cedar/Layer3.c
+++ b/src/Cedar/Layer3.c
@ -457,10 +457,10 @@ void L3KnownArp(L3IF *f, UINT ip, UCHAR *mac)
 	// Delete an ARP query entry to this IP address
 	Zero(&t, sizeof(t));
 	t.IpAddress = ip;
-	w = Search(f->IpWaitList, &t);
+	w = Search(f->ArpWaitTable, &t);
 	if (w != NULL)
 	{
-		Delete(f->IpWaitList, w);
+		Delete(f->ArpWaitTable, w);
 		Free(w);
 	}

--- a/src/Cedar/Protocol.c
+++ b/src/Cedar/Protocol.c
@ -5843,7 +5843,6 @@ bool ServerDownloadSignature(CONNECTION *c, char **error_detail_str)
 				// Target is invalid
 				HttpSendNotFound(s, h->Target);
 				Free(data);
-				FreeHttpHeader(h);
 				*error_detail_str = "POST_Target_Wrong";
 			}
 			else
@ -5861,10 +5860,10 @@ bool ServerDownloadSignature(CONNECTION *c, char **error_detail_str)
 				{
 					// WaterMark is incorrect
 					HttpSendForbidden(s, h->Target, NULL);
-					FreeHttpHeader(h);
 					*error_detail_str = "POST_WaterMark_Error";
 				}
 			}
+			FreeHttpHeader(h);
 		}
 		else if (StrCmpi(h->Method, "OPTIONS") == 0)
 		{
@ -5884,6 +5883,7 @@ bool ServerDownloadSignature(CONNECTION *c, char **error_detail_str)
 					continue;
 				}
 			}
+			FreeHttpHeader(h);
 		}
 		else if (StrCmpi(h->Method, "SSTP_DUPLEX_POST") == 0 && (ProtoEnabled(server->Proto, "SSTP") || s->IsReverseAcceptedSocket) && GetServerCapsBool(server, "b_support_sstp"))
 		{
--- a/src/Cedar/Server.c
+++ b/src/Cedar/Server.c
@ -2337,6 +2337,7 @@ void SiSetDefaultHubOption(HUB_OPTION *o)
 	o->AccessListIncludeFileCacheLifetime = ACCESS_LIST_INCLUDE_FILE_CACHE_LIFETIME;
 	o->RemoveDefGwOnDhcpForLocalhost = true;
 	o->FloodingSendQueueBufferQuota = DEFAULT_FLOODING_QUEUE_LENGTH;
+	o->DhcpDiscoverTimeoutMs = DEFAULT_DHCP_DISCOVER_TIMEOUT;
 }

 // Create a default virtual HUB
@ -3942,6 +3943,11 @@ void SiLoadHubOptionCfg(FOLDER *f, HUB_OPTION *o)
 	o->UseHubNameAsDhcpUserClassOption = CfgGetBool(f, "UseHubNameAsDhcpUserClassOption");
 	o->UseHubNameAsRadiusNasId = CfgGetBool(f, "UseHubNameAsRadiusNasId");
 	o->AllowEapMatchUserByCert = CfgGetBool(f, "AllowEapMatchUserByCert");
+	o->DhcpDiscoverTimeoutMs = CfgGetInt(f, "DhcpDiscoverTimeoutMs");
+	if (o->DhcpDiscoverTimeoutMs == 0)
+	{
+		o->DhcpDiscoverTimeoutMs = DEFAULT_DHCP_DISCOVER_TIMEOUT;
+	}

 	// Enabled by default
 	if (CfgIsItem(f, "ManageOnlyPrivateIP"))
@ -4048,6 +4054,7 @@ void SiWriteHubOptionCfg(FOLDER *f, HUB_OPTION *o)
 	CfgAddBool(f, "UseHubNameAsDhcpUserClassOption", o->UseHubNameAsDhcpUserClassOption);
 	CfgAddBool(f, "UseHubNameAsRadiusNasId", o->UseHubNameAsRadiusNasId);
 	CfgAddBool(f, "AllowEapMatchUserByCert", o->AllowEapMatchUserByCert);
+	CfgAddInt(f, "DhcpDiscoverTimeoutMs", o->DhcpDiscoverTimeoutMs);
 }

 // Write the user
@ -7533,6 +7540,11 @@ void SiCalledUpdateHub(SERVER *s, PACK *p)
 	o.UseHubNameAsDhcpUserClassOption = PackGetBool(p, "UseHubNameAsDhcpUserClassOption");
 	o.UseHubNameAsRadiusNasId = PackGetBool(p, "UseHubNameAsRadiusNasId");
 	o.AllowEapMatchUserByCert = PackGetBool(p, "AllowEapMatchUserByCert");
+	o.DhcpDiscoverTimeoutMs = PackGetInt(p, "DhcpDiscoverTimeoutMs");
+	if (o.DhcpDiscoverTimeoutMs == 0)
+	{
+		o.DhcpDiscoverTimeoutMs = DEFAULT_DHCP_DISCOVER_TIMEOUT;
+	}

 	save_packet_log = PackGetInt(p, "SavePacketLog");
 	packet_log_switch_type = PackGetInt(p, "PacketLogSwitchType");
@ -9368,6 +9380,7 @@ void SiPackAddCreateHub(PACK *p, HUB *h)
 	PackAddBool(p, "UseHubNameAsDhcpUserClassOption", h->Option->UseHubNameAsDhcpUserClassOption);
 	PackAddBool(p, "UseHubNameAsRadiusNasId", h->Option->UseHubNameAsRadiusNasId);
 	PackAddBool(p, "AllowEapMatchUserByCert", h->Option->AllowEapMatchUserByCert);
+	PackAddInt(p, "DhcpDiscoverTimeoutMs", h->Option->DhcpDiscoverTimeoutMs);

 	SiAccessListToPack(p, h->AccessList);

--- a/src/Mayaqua/3rdparty/liboqs
+++ b/src/Mayaqua/3rdparty/liboqs
--- a/src/Mayaqua/3rdparty/oqs-provider
+++ b/src/Mayaqua/3rdparty/oqs-provider
--- a/src/Mayaqua/CMakeLists.txt
+++ b/src/Mayaqua/CMakeLists.txt
@ -18,20 +18,46 @@ set_target_properties(mayaqua

 find_package(OpenSSL REQUIRED)

-if(OPENSSL_VERSION VERSION_LESS "3") # Disable oqsprovider when OpenSSL version < 3
-  add_definitions(-DSKIP_OQS_PROVIDER)
+if(OPENSSL_VERSION VERSION_GREATER_EQUAL "3")
+  set(OQS_ENABLE ON CACHE BOOL "By setting this to OFF, Open Quantum Safe algorithms will not be built in")
 else()
+  # Disable oqsprovider when OpenSSL version < 3
+  set(OQS_ENABLE OFF)
+endif()
+
+if(OQS_ENABLE)
  set(OQS_BUILD_ONLY_LIB ON CACHE BOOL "Set liboqs to build only the library (no tests)")
  set(BUILD_TESTING OFF CACHE BOOL "By setting this to OFF, no tests or examples will be compiled.")
  set(OQS_PROVIDER_BUILD_STATIC ON CACHE BOOL "Build a static library instead of a shared library") # Build oqsprovider as a static library (defaults to shared)
  list(PREPEND CMAKE_MODULE_PATH "${CMAKE_SOURCE_DIR}/src/Mayaqua/3rdparty/")

+    # Disable all other KEM families
+  set(OQS_ENABLE_KEM_FRODOKEM OFF)
+  set(OQS_ENABLE_KEM_NTRUPRIME OFF)
+  set(OQS_ENABLE_KEM_NTRU OFF)
+  set(OQS_ENABLE_KEM_CLASSIC_MCELIECE OFF)
+  set(OQS_ENABLE_KEM_HQC OFF)
+  set(OQS_ENABLE_KEM_BIKE OFF)
+
+  # Disable all SIG families
+  set(OQS_ENABLE_SIG_ML_DSA OFF)
+  set(OQS_ENABLE_SIG_FALCON OFF)
+  set(OQS_ENABLE_SIG_DILITHIUM OFF)
+  set(OQS_ENABLE_SIG_SPHINCS OFF)
+  set(OQS_ENABLE_SIG_MAYO OFF)
+  set(OQS_ENABLE_SIG_CROSS OFF)
+  set(OQS_ENABLE_SIG_UOV OFF)
+  set(OQS_ENABLE_SIG_SNOVA OFF)
+  set(OQS_ENABLE_SIG_SLH_DSA OFF)
+
  add_subdirectory(3rdparty/liboqs)
  add_subdirectory(3rdparty/oqs-provider)

  target_include_directories(oqsprovider PUBLIC ${CMAKE_CURRENT_BINARY_DIR}/3rdparty/liboqs/include)
  set_property(TARGET oqsprovider PROPERTY POSITION_INDEPENDENT_CODE ON)
  target_link_libraries(mayaqua PRIVATE oqsprovider)
+else()
+  add_definitions(-DSKIP_OQS_PROVIDER)
 endif()

 include(CheckSymbolExists)
@ -125,8 +151,10 @@ if(UNIX)
    message("-- Using system's cpu_features")
    target_link_libraries(mayaqua PRIVATE cpu_features)
  else()
+    message("-- Using bundled cpu_features")
+    set(BUILD_SHARED_LIBS OFF)
+    set(CMAKE_POSITION_INDEPENDENT_CODE ON)
    add_subdirectory(3rdparty/cpu_features)
-    set_property(TARGET cpu_features PROPERTY POSITION_INDEPENDENT_CODE ON)
    target_link_libraries(mayaqua PRIVATE cpu_features)
  endif()
Author	SHA1	Message	Date
Ilya Shipitsin	204ab85e51	Merge pull request #2182 from siddharth-narayan/pq-submodule-update Update liboqs and oqs-provider submodules	2025-12-02 10:02:48 +01:00
Siddharth Narayan	2628c562be	Disable unecessary liboqs algorithms	2025-12-02 02:57:15 -06:00
Siddharth Narayan	e9f7089c8b	Update post quantum submodules	2025-12-02 02:05:27 -06:00
Ilya Shipitsin	9be944a9b2	Merge pull request #2180 from jgrasboeck/configurable_dhcp_discover_timout Config value for dhcp discover timeout	2025-11-26 16:27:59 +01:00
Julian Grasböck	137d7f551f	Ensure DHCP resend interval is not to long	2025-11-26 14:57:58 +01:00
Julian Grasböck	d90e89bbbd	Safety fallback to default behaviour	2025-11-26 14:57:23 +01:00
Julian Grasböck	173df872b8	Config value for dhcp discover timeout	2025-11-26 13:56:29 +01:00
Ilya Shipitsin	acbc514b87	Merge pull request #2170 from kanglongwei/branch2 fix: #2166 L3KnownArp, delete entry from the incorrect list	2025-10-28 21:44:25 +01:00
Ilya Shipitsin	d9d78a0b2c	Merge pull request #2171 from chipitsine/master CI: modernize freebsd image	2025-10-25 11:26:11 +02:00
Ilia Shipitsin	1373ed4c6c	CI: modernize freebsd image	2025-10-25 10:08:15 +02:00
Ilya Shipitsin	ffe9ade675	Merge pull request #2169 from kanglongwei/branch1 fix: #2165 memory leak	2025-10-13 14:13:55 +02:00
w00485423	ab245552b1	fix: #2165 memory leak	2025-10-13 20:05:28 +08:00
w00485423	fdcb0a207b	fix: #2166 L3KnownArp, delete entry from the incorrect list	2025-10-10 21:20:30 +08:00
Ilya Shipitsin	564d2f84b4	Merge pull request #2163 from martinetd/disable_oqs Mayaqua build: allow disabling OQS	2025-10-01 11:27:06 +02:00
Dominique Martinet	4bb366572d	Mayaqua build: allow disabling OQS SoftEtherVPN version 5.02.5186 enable post-quantum algorithms, but these come at a large size increase (after strip, on x86_64, with default options as of master): - default options: 9.1M - new -DOQS_ENABLE=OFF: 762K Note it is also possible to disable all the algorithms individually by passing the (243!) options to cmake -DOQS_ENABLE_KEM_BIKE=OFF -DOQS_ENABLE_KEM_FRODOKEM=OFF -DOQS_ENABLE_KEM_NTRUPRIME=OFF ..., in which case the binary goes back to a reasonable size of 830K In the future, it might make sense to add a few settings picking "sensible" algorithms, e.g. allow everything for a server build or only allow the best algorithms for a lightweight client. See: #2148	2025-10-01 18:05:59 +09:00
Ilya Shipitsin	6c04825b46	Merge pull request #2157 from chipitsine/1ce88cea-29e8-466a-88f4-3713e94171d8 docker: smoke test image during generating	2025-09-06 16:31:04 +02:00
Ilia Shipitsin	0ec8a1ed54	docker: smoke test image during generating reference: https://github.com/SoftEtherVPN/SoftetherVPN-docker/issues/17	2025-09-05 21:22:43 +02:00
Ilya Shipitsin	2acefef41e	Merge pull request #2156 from metalefty/fix_cpu_features Proper fix for #2122 #2150	2025-09-05 19:43:42 +02:00
Koichiro Iwao	efb04daa34	Proper fix for #2122 #2150 Bundled cpu_features needs to be built with PIC but SHARED_LIBS should be OFF.	2025-09-05 22:40:18 +09:00
Ilya Shipitsin	c399ce6bbe	Merge pull request #2152 from metalefty/cpu_features_pic Build bundled cpu_features with PIC	2025-08-25 15:36:27 +02:00
Koichiro Iwao	2746e8dd19	Build bundled cpu_features with PIC After updating bundled cpu_features to 0.9.0, set_property() is not effective. We need to use set() instead. Resolves: #2122 #2150	2025-08-25 21:52:15 +09:00