1
0
mirror of https://github.com/SoftEtherVPN/SoftEtherVPN.git synced 2024-11-24 18:39:53 +03:00

Compare commits

...

18 Commits

Author SHA1 Message Date
Syuugo
e532519f83
Merge branch 'SoftEtherVPN:master' into master 2024-06-26 15:55:14 +09:00
Syuugo
db61205eae
Fix missing name 2024-06-26 15:54:56 +09:00
Ilya Shipitsin
c2a7aa5481
Merge pull request from GHSA-j35p-p8pj-vqxq
src/Cedar/Proto_IKE.c: ignore packets with no IPSec SA
2024-06-22 18:57:28 +02:00
Ilia Shipitsin
6f57449164 src/Cedar/Proto_IKE.c: ignore packets with no IPSec SA
many thanks to Jonathan Phillibert from Amazon Web Services
for investigating and reporting that responding to such packets
might lead to traffic amplification
2024-06-22 18:53:35 +02:00
Ilya Shipitsin
bc31a5cfd3
Merge pull request #2002 from siddharth-narayan/quantum-safe-key-agreement
Add Post Quantum key agreement
2024-06-18 22:41:52 +02:00
Siddharth
68964ab0d7 Guard variables with OpenSSL version 2024-06-18 16:09:10 -04:00
siddharth-narayan
bf3c50fde4
Merge branch 'SoftEtherVPN:master' into quantum-safe-key-agreement 2024-06-18 14:55:45 -04:00
Siddharth
b06486b37d Remove unecessary provider include 2024-06-18 00:01:58 -04:00
Ilya Shipitsin
26c61b3213
Merge pull request #2014 from SoftEtherVPN/dependabot/npm_and_yarn/src/bin/hamcore/wwwroot/admin/default/braces-3.0.3
Bump braces from 3.0.2 to 3.0.3 in /src/bin/hamcore/wwwroot/admin/default
2024-06-17 17:45:14 +02:00
Ilya Shipitsin
1bea86ef94
Merge pull request #2006 from hiura2023/master
Change ssl error handler: Having to read all of the errors using ERR_get_error.
2024-06-17 17:36:55 +02:00
dependabot[bot]
6825234e0a
Bump braces in /src/bin/hamcore/wwwroot/admin/default
Bumps [braces](https://github.com/micromatch/braces) from 3.0.2 to 3.0.3.
- [Changelog](https://github.com/micromatch/braces/blob/master/CHANGELOG.md)
- [Commits](https://github.com/micromatch/braces/compare/3.0.2...3.0.3)

---
updated-dependencies:
- dependency-name: braces
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-06-17 15:36:07 +00:00
Ilya Shipitsin
a794726a07
Merge pull request #2011 from SoftEtherVPN/dependabot/npm_and_yarn/developer_tools/vpnserver-jsonrpc-clients/vpnserver-jsonrpc-client-nodejs-package/braces-3.0.3
Bump braces from 3.0.2 to 3.0.3 in /developer_tools/vpnserver-jsonrpc-clients/vpnserver-jsonrpc-client-nodejs-package
2024-06-17 17:35:33 +02:00
dependabot[bot]
dae352104c
Bump braces
Bumps [braces](https://github.com/micromatch/braces) from 3.0.2 to 3.0.3.
- [Changelog](https://github.com/micromatch/braces/blob/master/CHANGELOG.md)
- [Commits](https://github.com/micromatch/braces/compare/3.0.2...3.0.3)

---
updated-dependencies:
- dependency-name: braces
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-06-16 09:58:05 +00:00
hiura2023
c06e5ad1dd
Merge branch 'SoftEtherVPN:master' into master 2024-06-08 02:30:04 +09:00
hiura
b2ec1bd5dd Change ssl error handler: Having to read all of the errors using ERR_get_error 2024-06-08 02:28:28 +09:00
siddharth-narayan
63ffab9ee4
Merge branch 'SoftEtherVPN:master' into quantum-safe-key-agreement 2024-05-20 23:20:52 -04:00
Siddharth
2fe4ca0f8c Fix incorrect PQ_GROUP_LIST string 2024-05-20 21:46:57 -04:00
Siddharth
a50d8910ba Add PQ Groups and the provider for them 2024-05-20 19:48:23 -04:00
7 changed files with 77 additions and 65 deletions

View File

@ -13,7 +13,8 @@ jobs:
runs-on: ${{ matrix.os }} runs-on: ${{ matrix.os }}
steps: steps:
- uses: actions/checkout@v4 - name: Checkout
uses: actions/checkout@v4
with: with:
submodules: true submodules: true

View File

@ -65,12 +65,23 @@
} }
}, },
"braces": { "braces": {
"version": "3.0.2", "version": "3.0.3",
"resolved": "https://registry.npmjs.org/braces/-/braces-3.0.2.tgz", "resolved": "https://registry.npmjs.org/braces/-/braces-3.0.3.tgz",
"integrity": "sha512-b8um+L1RzM3WDSzvhm6gIz1yfTbBt6YTlcEKAvsmqCZZFw46z626lVj9j1yEPW33H5H+lBQpZMP1k8l+78Ha0A==", "integrity": "sha512-yQbXgO/OSZVD2IsiLlro+7Hf6Q18EJrKSEsdoMzKePKXct3gvD8oLcOQdIzGupr5Fj+EDe8gO/lxc1BzfMpxvA==",
"dev": true, "dev": true,
"requires": { "requires": {
"fill-range": "^7.0.1" "fill-range": "^7.1.1"
},
"dependencies": {
"fill-range": {
"version": "7.1.1",
"resolved": "https://registry.npmjs.org/fill-range/-/fill-range-7.1.1.tgz",
"integrity": "sha512-YsGpe3WHLK8ZYi4tWDg2Jy3ebRz2rXowDxnld4bkQB00cc/1Zw9AWnC0i9ztDJitivtQvaI9KaLyKrc+hBW0yg==",
"dev": true,
"requires": {
"to-regex-range": "^5.0.1"
}
}
} }
}, },
"builtin-modules": { "builtin-modules": {
@ -151,15 +162,6 @@
"integrity": "sha1-Cr9PHKpbyx96nYrMbepPqqBLrJs=", "integrity": "sha1-Cr9PHKpbyx96nYrMbepPqqBLrJs=",
"dev": true "dev": true
}, },
"fill-range": {
"version": "7.0.1",
"resolved": "https://registry.npmjs.org/fill-range/-/fill-range-7.0.1.tgz",
"integrity": "sha512-qOo9F+dMUmC2Lcb4BbVvnKJxTPjCm+RRpe4gDuGrzkL7mEVl/djYSu2OdQ2Pa302N4oqkSg9ir6jaLWJ2USVpQ==",
"dev": true,
"requires": {
"to-regex-range": "^5.0.1"
}
},
"fs.realpath": { "fs.realpath": {
"version": "1.0.0", "version": "1.0.0",
"resolved": "https://registry.npmjs.org/fs.realpath/-/fs.realpath-1.0.0.tgz", "resolved": "https://registry.npmjs.org/fs.realpath/-/fs.realpath-1.0.0.tgz",

View File

@ -463,39 +463,13 @@ void ProcIPsecEspPacketRecv(IKE_SERVER *ike, UDPPACKET *p)
seq = READ_UINT(src + sizeof(UINT)); seq = READ_UINT(src + sizeof(UINT));
// Search and retrieve the IPsec SA from SPI // Search and retrieve the IPsec SA from SPI
// thank to @phillibert report, responding to bad SA might lead to amplification
// according to RFC4303 we should drop such packets
ipsec_sa = SearchClientToServerIPsecSaBySpi(ike, spi); ipsec_sa = SearchClientToServerIPsecSaBySpi(ike, spi);
if (ipsec_sa == NULL) if (ipsec_sa == NULL)
{ {
// Invalid SPI
UINT64 init_cookie = Rand64();
UINT64 resp_cookie = 0;
IKE_CLIENT *c = NULL;
IKE_CLIENT t;
Copy(&t.ClientIP, &p->SrcIP, sizeof(IP));
t.ClientPort = p->SrcPort;
Copy(&t.ServerIP, &p->DstIP, sizeof(IP));
t.ServerPort = p->DestPort;
t.CurrentIkeSa = NULL;
if (p->DestPort == IPSEC_PORT_IPSEC_ESP_RAW)
{
t.ClientPort = t.ServerPort = IPSEC_PORT_IPSEC_ISAKMP;
}
c = Search(ike->ClientList, &t);
if (c != NULL && c->CurrentIkeSa != NULL)
{
init_cookie = c->CurrentIkeSa->InitiatorCookie;
resp_cookie = c->CurrentIkeSa->ResponderCookie;
}
SendInformationalExchangePacketEx(ike, (c == NULL ? &t : c), IkeNewNoticeErrorInvalidSpiPayload(spi), false,
init_cookie, resp_cookie);
SendDeleteIPsecSaPacket(ike, (c == NULL ? &t : c), spi);
return; return;
} }

View File

@ -88,6 +88,7 @@ int ssl_clientcert_index = 0;
#if OPENSSL_VERSION_NUMBER >= 0x30000000L #if OPENSSL_VERSION_NUMBER >= 0x30000000L
static OSSL_PROVIDER *ossl_provider_legacy = NULL; static OSSL_PROVIDER *ossl_provider_legacy = NULL;
static OSSL_PROVIDER *ossl_provider_default = NULL; static OSSL_PROVIDER *ossl_provider_default = NULL;
static OSSL_PROVIDER *ossl_provider_oqsprovider = NULL;
#endif #endif
LOCK **ssl_lock_obj = NULL; LOCK **ssl_lock_obj = NULL;
@ -3974,6 +3975,12 @@ void FreeCryptLibrary()
OSSL_PROVIDER_unload(ossl_provider_legacy); OSSL_PROVIDER_unload(ossl_provider_legacy);
ossl_provider_legacy = NULL; ossl_provider_legacy = NULL;
} }
if (ossl_provider_oqsprovider != NULL)
{
OSSL_PROVIDER_unload(ossl_provider_oqsprovider);
ossl_provider_oqsprovider = NULL;
}
#endif #endif
} }
@ -3996,6 +4003,7 @@ void InitCryptLibrary()
#if OPENSSL_VERSION_NUMBER >= 0x30000000L #if OPENSSL_VERSION_NUMBER >= 0x30000000L
ossl_provider_default = OSSL_PROVIDER_load(NULL, "legacy"); ossl_provider_default = OSSL_PROVIDER_load(NULL, "legacy");
ossl_provider_legacy = OSSL_PROVIDER_load(NULL, "default"); ossl_provider_legacy = OSSL_PROVIDER_load(NULL, "default");
ossl_provider_oqsprovider = OSSL_PROVIDER_load(NULL, "oqsprovider");
#endif #endif
ssl_clientcert_index = SSL_get_ex_new_index(0, "struct SslClientCertInfo *", NULL, NULL, NULL); ssl_clientcert_index = SSL_get_ex_new_index(0, "struct SslClientCertInfo *", NULL, NULL, NULL);

View File

@ -11905,6 +11905,10 @@ bool StartSSLEx3(SOCK *sock, X *x, K *priv, LIST *chain, UINT ssl_timeout, char
Unlock(openssl_lock); Unlock(openssl_lock);
} }
#if OPENSSL_VERSION_NUMBER >= 0x30000000L
SSL_set1_groups_list(sock->ssl, PQ_GROUP_LIST);
#endif
if (sock->ServerMode) if (sock->ServerMode)
{ {
// Lock(ssl_connect_lock); // Lock(ssl_connect_lock);
@ -12285,6 +12289,7 @@ UINT SecureRecv(SOCK *sock, void *data, UINT size)
Debug("%s %u SecureRecv() Disconnect\n", __FILE__, __LINE__); Debug("%s %u SecureRecv() Disconnect\n", __FILE__, __LINE__);
return 0; return 0;
} }
ERR_clear_error();
ret = SSL_peek(ssl, &c, sizeof(c)); ret = SSL_peek(ssl, &c, sizeof(c));
} }
Unlock(sock->ssl_lock); Unlock(sock->ssl_lock);
@ -12316,9 +12321,11 @@ UINT SecureRecv(SOCK *sock, void *data, UINT size)
#endif #endif
) )
{ {
UINT ssl_err_no = ERR_get_error(); UINT ssl_err_no;
while (ssl_err_no = ERR_get_error()){
Debug("%s %u SSL_ERROR_SSL on ASYNC socket !!! ssl_err_no = %u: '%s'\n", __FILE__, __LINE__, ssl_err_no, ERR_error_string(ssl_err_no, NULL));
};
Debug("%s %u SSL_ERROR_SSL on ASYNC socket !!! ssl_err_no = %u: '%s'\n", __FILE__, __LINE__, ssl_err_no, ERR_error_string(ssl_err_no, NULL));
Disconnect(sock); Disconnect(sock);
return 0; return 0;
} }
@ -12350,6 +12357,7 @@ UINT SecureRecv(SOCK *sock, void *data, UINT size)
ttparam = NewSocketTimeout(sock); ttparam = NewSocketTimeout(sock);
#endif // UNIX_SOLARIS #endif // UNIX_SOLARIS
ERR_clear_error();
ret = SSL_read(ssl, data, size); ret = SSL_read(ssl, data, size);
// Stop the timeout thread // Stop the timeout thread
@ -12420,9 +12428,11 @@ UINT SecureRecv(SOCK *sock, void *data, UINT size)
#endif #endif
) )
{ {
UINT ssl_err_no = ERR_get_error(); UINT ssl_err_no;
while (ssl_err_no = ERR_get_error()) {
Debug("%s %u SSL_ERROR_SSL on ASYNC socket !!! ssl_err_no = %u: '%s'\n", __FILE__, __LINE__, ssl_err_no, ERR_error_string(ssl_err_no, NULL));
};
Debug("%s %u SSL_ERROR_SSL on ASYNC socket !!! ssl_err_no = %u: '%s'\n", __FILE__, __LINE__, ssl_err_no, ERR_error_string(ssl_err_no, NULL));
Disconnect(sock); Disconnect(sock);
return 0; return 0;
} }
@ -12431,8 +12441,8 @@ UINT SecureRecv(SOCK *sock, void *data, UINT size)
return SOCK_LATER; return SOCK_LATER;
} }
} }
Debug("%s %u e=%u SecureRecv() Disconnect\n", __FILE__, __LINE__, e);
Disconnect(sock); Disconnect(sock);
Debug("%s %u SecureRecv() Disconnect\n", __FILE__, __LINE__);
return 0; return 0;
} }
@ -12459,6 +12469,7 @@ UINT SecureSend(SOCK *sock, void *data, UINT size)
return 0; return 0;
} }
ERR_clear_error();
ret = SSL_write(ssl, data, size); ret = SSL_write(ssl, data, size);
#if OPENSSL_VERSION_NUMBER < 0x30000000L #if OPENSSL_VERSION_NUMBER < 0x30000000L
if (ret < 0) // OpenSSL version < 3.0.0 if (ret < 0) // OpenSSL version < 3.0.0
@ -12502,12 +12513,22 @@ UINT SecureSend(SOCK *sock, void *data, UINT size)
// Confirmation of the error value // Confirmation of the error value
if (e == SSL_ERROR_WANT_READ || e == SSL_ERROR_WANT_WRITE || e == SSL_ERROR_SSL) if (e == SSL_ERROR_WANT_READ || e == SSL_ERROR_WANT_WRITE || e == SSL_ERROR_SSL)
{ {
if (e == SSL_ERROR_SSL)
{
UINT ssl_err_no;
while (ssl_err_no = ERR_get_error()) {
Debug("%s %u SSL_ERROR_SSL on ASYNC socket !!! ssl_err_no = %u: '%s'\n", __FILE__, __LINE__, ssl_err_no, ERR_error_string(ssl_err_no, NULL));
};
Disconnect(sock);
return 0;
}
sock->WriteBlocked = true; sock->WriteBlocked = true;
return SOCK_LATER; return SOCK_LATER;
} }
Debug("%s %u e=%u\n", __FILE__, __LINE__, e);
} }
//Debug("%s %u SecureSend() Disconnect\n", __FILE__, __LINE__); Debug("%s %u e=%u SecureSend() Disconnect\n", __FILE__, __LINE__, e);
Disconnect(sock); Disconnect(sock);
return 0; return 0;
} }

View File

@ -59,6 +59,10 @@ struct DYN_VALUE
#define DEFAULT_CIPHER_LIST "ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:DHE+CHACHA20:ECDHE+AES256:DHE+AES256:RSA+AES" #define DEFAULT_CIPHER_LIST "ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:DHE+CHACHA20:ECDHE+AES256:DHE+AES256:RSA+AES"
#if OPENSSL_VERSION_NUMBER >= 0x30000000L
#define PQ_GROUP_LIST "p521_kyber1024:x25519_kyber768:P-521:X25519:P-256"
#endif
// SSL logging function // SSL logging function
//#define ENABLE_SSL_LOGGING //#define ENABLE_SSL_LOGGING
#define SSL_LOGGING_DIRNAME "@ssl_log" #define SSL_LOGGING_DIRNAME "@ssl_log"

View File

@ -373,12 +373,23 @@
} }
}, },
"braces": { "braces": {
"version": "3.0.2", "version": "3.0.3",
"resolved": "https://registry.npmjs.org/braces/-/braces-3.0.2.tgz", "resolved": "https://registry.npmjs.org/braces/-/braces-3.0.3.tgz",
"integrity": "sha512-b8um+L1RzM3WDSzvhm6gIz1yfTbBt6YTlcEKAvsmqCZZFw46z626lVj9j1yEPW33H5H+lBQpZMP1k8l+78Ha0A==", "integrity": "sha512-yQbXgO/OSZVD2IsiLlro+7Hf6Q18EJrKSEsdoMzKePKXct3gvD8oLcOQdIzGupr5Fj+EDe8gO/lxc1BzfMpxvA==",
"dev": true, "dev": true,
"requires": { "requires": {
"fill-range": "^7.0.1" "fill-range": "^7.1.1"
},
"dependencies": {
"fill-range": {
"version": "7.1.1",
"resolved": "https://registry.npmjs.org/fill-range/-/fill-range-7.1.1.tgz",
"integrity": "sha512-YsGpe3WHLK8ZYi4tWDg2Jy3ebRz2rXowDxnld4bkQB00cc/1Zw9AWnC0i9ztDJitivtQvaI9KaLyKrc+hBW0yg==",
"dev": true,
"requires": {
"to-regex-range": "^5.0.1"
}
}
} }
}, },
"browserslist": { "browserslist": {
@ -603,15 +614,6 @@
"integrity": "sha512-eRnCtTTtGZFpQCwhJiUOuxPQWRXVKYDn0b2PeHfXL6/Zi53SLAzAHfVhVWK2AryC/WH05kGfxhFIPvTF0SXQzg==", "integrity": "sha512-eRnCtTTtGZFpQCwhJiUOuxPQWRXVKYDn0b2PeHfXL6/Zi53SLAzAHfVhVWK2AryC/WH05kGfxhFIPvTF0SXQzg==",
"dev": true "dev": true
}, },
"fill-range": {
"version": "7.0.1",
"resolved": "https://registry.npmjs.org/fill-range/-/fill-range-7.0.1.tgz",
"integrity": "sha512-qOo9F+dMUmC2Lcb4BbVvnKJxTPjCm+RRpe4gDuGrzkL7mEVl/djYSu2OdQ2Pa302N4oqkSg9ir6jaLWJ2USVpQ==",
"dev": true,
"requires": {
"to-regex-range": "^5.0.1"
}
},
"find-up": { "find-up": {
"version": "4.1.0", "version": "4.1.0",
"resolved": "https://registry.npmjs.org/find-up/-/find-up-4.1.0.tgz", "resolved": "https://registry.npmjs.org/find-up/-/find-up-4.1.0.tgz",