Merge d6d0f2dadd into bc31a5cfd3

.github/workflows/fedora-rawhide.yml

@@ -4,7 +4,6 @@ on:
   schedule:
     - cron: "0 0 25 * *"
   push:
-  pull_request:
   workflow_dispatch:
 
 permissions:
@@ -25,7 +24,7 @@ jobs:
         submodules: true
     - name: Install dependencies
       run: |
-        dnf -y install git cmake ncurses-devel openssl-devel-engine libsodium-devel readline-devel zlib-devel gcc-c++ clang
+        dnf -y install git cmake ncurses-devel openssl-devel libsodium-devel readline-devel zlib-devel gcc-c++ clang
     - name: Compile with ${{ matrix.cc }}
       run: |
         export CC=${{ matrix.cc }}

.gitmodules

@@ -10,9 +10,3 @@
 [submodule "src/libhamcore"]
 	path = src/libhamcore
 	url = https://github.com/SoftEtherVPN/libhamcore.git
-[submodule "src/Mayaqua/3rdparty/oqs-provider"]
-	path = src/Mayaqua/3rdparty/oqs-provider
-	url = https://github.com/open-quantum-safe/oqs-provider.git
-[submodule "src/Mayaqua/3rdparty/liboqs"]
-	path = src/Mayaqua/3rdparty/liboqs
-	url = https://github.com/open-quantum-safe/liboqs.git

CMakeLists.txt

@@ -3,7 +3,7 @@ cmake_minimum_required(VERSION 3.10)
 set(BUILD_NUMBER CACHE STRING "The number of the current build.")
 
 if ("${BUILD_NUMBER}" STREQUAL "")
-	set(BUILD_NUMBER "5186")
+	set(BUILD_NUMBER "5185")
 endif()
 
 if (BUILD_NUMBER LESS 5180)

CMakeSettings.json

@@ -1,5 +1,5 @@
 {
-  "environments": [ { "BuildNumber": "5186" } ],
+  "environments": [ { "BuildNumber": "5185" } ],
   "configurations": [
     {
       "name": "x64-native",

README.md

@@ -201,9 +201,7 @@ Also SoftEther VPN [Stable Edition](https://www.freshports.org/security/softethe
 
 ## For Windows
 
-[Releases](https://github.com/SoftEtherVPN/SoftEtherVPN/releases)
+[Nightly builds](https://dev.azure.com/SoftEther-VPN/SoftEther%20VPN/_build?definitionId=6)
-
-[Nightly builds](https://github.com/SoftEtherVPN/SoftEtherVPN/actions/workflows/windows.yml)
 (choose appropriate platform, then find binaries or installers as artifacts)
 
 ## From binary installers (stable channel)

src/Cedar/Proto_IKE.c

@@ -463,13 +463,39 @@ void ProcIPsecEspPacketRecv(IKE_SERVER *ike, UDPPACKET *p)
 	seq = READ_UINT(src + sizeof(UINT));
 
 	// Search and retrieve the IPsec SA from SPI
-
-	// thank to @phillibert report, responding to bad SA might lead to amplification
-	// according to RFC4303 we should drop such packets
-
 	ipsec_sa = SearchClientToServerIPsecSaBySpi(ike, spi);
 	if (ipsec_sa == NULL)
 	{
+		// Invalid SPI
+		UINT64 init_cookie = Rand64();
+		UINT64 resp_cookie = 0;
+		IKE_CLIENT *c = NULL;
+		IKE_CLIENT t;
+
+
+		Copy(&t.ClientIP, &p->SrcIP, sizeof(IP));
+		t.ClientPort = p->SrcPort;
+		Copy(&t.ServerIP, &p->DstIP, sizeof(IP));
+		t.ServerPort = p->DestPort;
+		t.CurrentIkeSa = NULL;
+
+		if (p->DestPort == IPSEC_PORT_IPSEC_ESP_RAW)
+		{
+			t.ClientPort = t.ServerPort = IPSEC_PORT_IPSEC_ISAKMP;
+		}
+
+		c = Search(ike->ClientList, &t);
+
+		if (c != NULL && c->CurrentIkeSa != NULL)
+		{
+			init_cookie = c->CurrentIkeSa->InitiatorCookie;
+			resp_cookie = c->CurrentIkeSa->ResponderCookie;
+		}
+
+		SendInformationalExchangePacketEx(ike, (c == NULL ? &t : c), IkeNewNoticeErrorInvalidSpiPayload(spi), false,
+			init_cookie, resp_cookie);
+
+		SendDeleteIPsecSaPacket(ike, (c == NULL ? &t : c), spi);
 		return;
 	}
 

src/Mayaqua/3rdparty/Findliboqs.cmake

@@ -1,2 +0,0 @@
-set(oqs_FOUND TRUE)
-add_library(OQS::oqs ALIAS oqs)

src/Mayaqua/3rdparty/liboqs

@@ -1 +0,0 @@
-Subproject commit 51ddd33cc04d12bd47c8639c1254714879f4cdf3

src/Mayaqua/3rdparty/oqs-provider

@@ -1 +0,0 @@
-Subproject commit 8f37521d5e27ab4d1e0d69a4b4a5bd17927b24b9

src/Mayaqua/CMakeLists.txt

@@ -18,22 +18,6 @@ set_target_properties(mayaqua
 
 find_package(OpenSSL REQUIRED)
 
-if(OPENSSL_VERSION VERSION_LESS "3") # Disable oqsprovider when OpenSSL version < 3
-  add_definitions(-DSKIP_OQS_PROVIDER)
-else()
-  set(OQS_BUILD_ONLY_LIB ON CACHE BOOL "Set liboqs to build only the library (no tests)")
-  set(BUILD_TESTING OFF CACHE BOOL "By setting this to OFF, no tests or examples will be compiled.")
-  set(OQS_PROVIDER_BUILD_STATIC ON CACHE BOOL "Build a static library instead of a shared library") # Build oqsprovider as a static library (defaults to shared)
-  list(PREPEND CMAKE_MODULE_PATH "${CMAKE_SOURCE_DIR}/src/Mayaqua/3rdparty/")
-
-  add_subdirectory(3rdparty/liboqs)
-  add_subdirectory(3rdparty/oqs-provider)
-
-  target_include_directories(oqsprovider PUBLIC ${CMAKE_CURRENT_BINARY_DIR}/3rdparty/liboqs/include)
-  set_property(TARGET oqsprovider PROPERTY POSITION_INDEPENDENT_CODE ON)
-  target_link_libraries(mayaqua PRIVATE oqsprovider)
-endif()
-
 include(CheckSymbolExists)
 
 set(CMAKE_REQUIRED_INCLUDES ${OPENSSL_INCLUDE_DIR})

src/Mayaqua/Encrypt.c

@@ -20,9 +20,7 @@
 #include <openssl/ssl.h>
 #include <openssl/err.h>
 #include <openssl/rand.h>
-#ifndef OPENSSL_NO_ENGINE
 #include <openssl/engine.h>
-#endif
 #include <openssl/bio.h>
 #include <openssl/x509.h>
 #include <openssl/pkcs7.h>
@@ -42,10 +40,6 @@
 #include <openssl/x509v3.h>
 #if OPENSSL_VERSION_NUMBER >= 0x30000000L
 #include <openssl/provider.h>
-// Static oqsprovider initialization function
-#ifndef SKIP_OQS_PROVIDER
-	extern OSSL_provider_init_fn oqs_provider_init;
-#endif
 #endif
 
 #ifdef _MSC_VER
@@ -4009,13 +4003,7 @@ void InitCryptLibrary()
 #if OPENSSL_VERSION_NUMBER >= 0x30000000L
 	ossl_provider_default = OSSL_PROVIDER_load(NULL, "legacy");
 	ossl_provider_legacy = OSSL_PROVIDER_load(NULL, "default");
-
+	ossl_provider_oqsprovider = OSSL_PROVIDER_load(NULL, "oqsprovider");
-	char *oqs_provider_name = "oqsprovider";
-	#ifndef SKIP_OQS_PROVIDER
-		// Registers "oqsprovider" as a provider -- necessary because oqsprovider is built in now.
-		OSSL_PROVIDER_add_builtin(NULL, oqs_provider_name, oqs_provider_init); 
-	#endif
-	ossl_provider_oqsprovider = OSSL_PROVIDER_load(NULL, oqs_provider_name);
 #endif
 
 	ssl_clientcert_index = SSL_get_ex_new_index(0, "struct SslClientCertInfo *", NULL, NULL, NULL);