Diffstat (limited to 'src/Mayaqua/Network.c')
-rw-r--r--src/Mayaqua/Network.c78
1 files changed, 50 insertions, 28 deletions
diff --git a/src/Mayaqua/Network.c b/src/Mayaqua/Network.c
index 9a3b8f00..b3cbab7e 100644
--- a/src/Mayaqua/Network.c
+++ b/src/Mayaqua/Network.c
@@ -178,10 +178,10 @@ struct ROUTE_CHANGE_DATA
// HTTP constant
-static char http_404_str[] = "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">\r\n<HTML><HEAD>\r\n<TITLE>404 Not Found</TITLE>\r\n</HEAD><BODY>\r\n<H1>Not Found</H1>\r\nThe requested URL $TARGET$ was not found on this server.<P>\r\n<HR>\r\n<ADDRESS>HTTP Server at $HOST$ Port $PORT$</ADDRESS>\r\n</BODY></HTML>\r\n";
-static char http_403_str[] = "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">\r\n<HTML><HEAD>\r\n<TITLE>403 Forbidden</TITLE>\r\n</HEAD><BODY>\r\n<H1>Forbidden</H1>\r\nYou don't have permission to access $TARGET$\r\non this server.<P>\r\n<HR>\r\n<ADDRESS>HTTP Server at $HOST$ Port $PORT$</ADDRESS>\r\n</BODY></HTML>\r\n";
-static char http_500_str[] = "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">\r\n<HTML><HEAD>\r\n<TITLE>500 Server Error</TITLE>\r\n</HEAD><BODY>\r\n<H1>Server Error</H1>\r\nServer Error<P>\r\n<HR>\r\n<ADDRESS>HTTP Server at $HOST$ Port $PORT$</ADDRESS>\r\n</BODY></HTML>\r\n";
-static char http_501_str[] = "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">\r\n<HTML><HEAD>\r\n<TITLE>501 Method Not Implemented</TITLE>\r\n</HEAD><BODY>\r\n<H1>Method Not Implemented</H1>\r\n$METHOD$ to $TARGET$ not supported.<P>\r\nInvalid method in request $METHOD$ $TARGET$ $VERSION$<P>\r\n<HR>\r\n<ADDRESS>HTTP Server at $HOST$ Port $PORT$</ADDRESS>\r\n</BODY></HTML>\r\n";
+static char http_404_str[] = "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">\r\n<HTML><HEAD>\r\n<TITLE>404 Not Found</TITLE>\r\n</HEAD><BODY>\r\n<H1>Not Found</H1>\r\nThe requested URL $TARGET$ was not found on this server.<P>\r\n<HR>\r\n<ADDRESS>HTTPS Server</ADDRESS>\r\n</BODY></HTML>\r\n";
+static char http_403_str[] = "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">\r\n<HTML><HEAD>\r\n<TITLE>403 Forbidden</TITLE>\r\n</HEAD><BODY>\r\n<H1>Forbidden</H1>\r\nYou don't have permission to access $TARGET$\r\non this server.<P>\r\n<HR>\r\n<ADDRESS>HTTPS Server</ADDRESS>\r\n</BODY></HTML>\r\n";
+static char http_500_str[] = "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">\r\n<HTML><HEAD>\r\n<TITLE>500 Server Error</TITLE>\r\n</HEAD><BODY>\r\n<H1>Server Error</H1>\r\nServer Error<P>\r\n<HR>\r\n<ADDRESS>HTTPS Server</ADDRESS>\r\n</BODY></HTML>\r\n";
+static char http_501_str[] = "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">\r\n<HTML><HEAD>\r\n<TITLE>501 Method Not Implemented</TITLE>\r\n</HEAD><BODY>\r\n<H1>Method Not Implemented</H1>\r\n$METHOD$ to $TARGET$ not supported.<P>\r\nInvalid method in request $METHOD$ $TARGET$ $VERSION$<P>\r\n<HR>\r\n<ADDRESS>HTTPS Server</ADDRESS>\r\n</BODY></HTML>\r\n";
static char http_detect_server_startwith[] = "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">\r\n<HTML><HEAD>\r\n<TITLE>403 Forbidden</TITLE>\r\n</HEAD><BODY>\r\n<H1>Forbidden</H1>\r\nYou don't have permission to access ";
static char http_detect_server_tag_future[] = "9C37197CA7C2428388C2E6E59B829B30";
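Review bot: The `$TARGET$`, `$METHOD$` and `$VERSION$` placeholders in the four rewritten constants still reflect request-line data into an HTML body; the commit only strips the `$HOST$`/`$PORT$` banner, so if the substitution code (outside this hunk) fills them with the raw values, these pages remain a reflected-XSS sink. Unless that caller already HTML-escapes, a note on the constants such as `// $TARGET$/$METHOD$/$VERSION$ are filled from the client request line; the substituting caller must HTML-escape them` plus the escape itself would close that. The 403 body's prefix is unchanged, so `http_detect_server_startwith` on the context line still matches it.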
@@ -1474,7 +1474,9 @@ void RUDPProcess_NatT_Recv(RUDP_STACK *r, UDPPACKET *udp)
bool is_ok = PackGetBool(p, "ok");
UINT64 tran_id = PackGetInt64(p, "tran_id");
- ExtractAndApplyDynList(p);
+ // This ExtractAndApplyDynList() calling was removed because it is not actually used and could be abused by
+ // illegal UDP packets that spoof the source IP address. 2023-6-14 Daiyuu Nobori
+ // ExtractAndApplyDynList(p);
if (r->ServerMode)
{
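Review bot: The removed call is kept as commented-out code at `// ExtractAndApplyDynList(p);`, which leaves dead code in the function even though git history already records it; delete the line and shorten the explanation to `// ExtractAndApplyDynList() is intentionally not called here: this packet is unauthenticated and its source IP can be spoofed.` The `ok` and `tran_id` values on the lines above come from the same unauthenticated packet, so whatever checks them against the `r` state should run before they influence anything; that code is outside the hunk. RUDPProcess_NatT_Recv begins before and continues after the hunk.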
@@ -5995,10 +5997,13 @@ int SslCertVerifyCallback(int preverify_ok, X509_STORE_CTX *ctx)
if (cert != NULL)
{
X *tmpX = X509ToX(cert); // this only wraps cert, but we need to make a copy
- X *copyX = CloneX(tmpX);
- tmpX->do_not_free = true; // do not release inner X509 object
- FreeX(tmpX);
- clientcert->X = copyX;
+ if (tmpX != NULL)
+ {
+ X *copyX = CloneX(tmpX);
+ tmpX->do_not_free = true; // do not release inner X509 object
+ FreeX(tmpX);
+ clientcert->X = copyX;
+ }
}
}
}
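Review bot: When `X509ToX(cert)` returns NULL the new guard leaves `clientcert->X` untouched, whereas the equivalent guard added in StartSSLWithSettings stores NULL in its else branch; unless `clientcert` is known to be zero-initialised here (its allocation is outside the hunk), add `else { clientcert->X = NULL; }` so the two sites agree and a reader does not have to check. `CloneX(tmpX)` can presumably fail as well and its result is stored unchecked, which this commit does not change but which deserves a `// CloneX() may return NULL; a NULL X means no client certificate was captured` comment. SslCertVerifyCallback begins before the hunk.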
@@ -13051,16 +13056,15 @@ void SetWantToUseCipher(SOCK *sock, char *name)
StrCat(tmp, sizeof(tmp), " ");
StrCat(tmp, sizeof(tmp), cipher_list);
-#if OPENSSL_VERSION_NUMBER >= 0x30000000L
- // OpenSSL 3.x has a bug. https://github.com/openssl/openssl/issues/13363 https://github.com/openssl/openssl/pull/13378
- // At 2021-09-08 this bug is reported as fixed on Github, but actually still exists on RC4-MD5.
- // So, with OpenSSL 3.0 we manually disable RC4-MD5 by default on both SSL server and SSL client.
+ if (IsSslLibVersionBuggyForRc4Md5())
+ {
+ // OpenSSL 3.0.0 to 3.0.2 has a bug with RC4-MD5. https://github.com/openssl/openssl/issues/13363 https://github.com/openssl/openssl/pull/13378
- // If the user specify "RC4-MD5", then "RC4-SHA" will be used manually.
+ // If the user specify "RC4-MD5", then "RC4-SHA" will be used manually.
- // Note: We can remove this code after OpenSSL 3.x will be fixed on this bug.
- ReplaceStrEx(tmp, sizeof(tmp), tmp, "RC4-MD5", "RC4-SHA", true);
-#endif
+ // Note: We can remove this code after OpenSSL 3.x will be fixed on this bug.
+ ReplaceStrEx(tmp, sizeof(tmp), tmp, "RC4-MD5", "RC4-SHA", true);
+ }
sock->WaitToUseCipher = CopyStr(tmp);
}
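Review bot: The retained line `// Note: We can remove this code after OpenSSL 3.x will be fixed on this bug.` now contradicts the comment two lines above it, which confines the bug to OpenSSL 3.0.0 to 3.0.2 and so describes a bug that is already fixed; reword it to `// Note: kept only for builds that run against OpenSSL 3.0.0-3.0.2; remove once those versions are out of support.` Since `IsSslLibVersionBuggyForRc4Md5()` is now a runtime call (its body is outside the hunk), it should compare the loaded library's version rather than `OPENSSL_VERSION_NUMBER`, otherwise a binary built against 3.0.2 but run against a fixed 3.0.x keeps substituting `RC4-SHA`. SetWantToUseCipher begins before the hunk.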
@@ -13386,6 +13390,13 @@ SSL_CTX_SHARED* NewSslCtxSharedInternal(SSL_CTX_SHARED_SETTINGS* settings)
SSL_CTX_set_security_level(ssl_ctx, 0);
#endif
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
+ // For compatibility with OpenSSL 0.9.8l or older
+ // See https://www.openssl.org/docs/man1.0.2/man3/SSL_get_secure_renegotiation_support.html
+ SSL_CTX_set_options(ssl_ctx, SSL_OP_LEGACY_SERVER_CONNECT);
+ SSL_CTX_set_options(ssl_ctx, SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION);
+#endif
+
if (settings->Settings2.IsClient == false)
{
SSL_CTX_set_ssl_version(ssl_ctx, SSLv23_method());
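Review bot: `SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION` re-enables renegotiation with peers that do not implement RFC 5746, which is the CVE-2009-3555 plaintext-injection condition, and the new block sets it unconditionally on every OpenSSL 3 context, before the `settings->Settings2.IsClient == false` branch, so server contexts get it too. For reaching servers older than 0.9.8m, `SSL_OP_LEGACY_SERVER_CONNECT` alone is enough and only affects the client role; the second option should be dropped or put behind an explicit opt-in in `settings` that defaults to off, and the remaining call skipped when `settings->Settings2.IsClient == false`. The comment should also name what is being given up, e.g. `// Accept peers without RFC 5746 secure renegotiation (OpenSSL <= 0.9.8l); this weakens protection against renegotiation MITM`. NewSslCtxSharedInternal begins before and continues after the hunk.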
@@ -13874,14 +13885,11 @@ bool StartSSLWithSettings(SOCK* sock, UINT ssl_timeout, char* sni_hostname, SSL_
{
char* set_value = OPENSSL_DEFAULT_CIPHER_LIST;
-#if OPENSSL_VERSION_NUMBER >= 0x30000000L
- // OpenSSL 3.x has a bug. https://github.com/openssl/openssl/issues/13363 https://github.com/openssl/openssl/pull/13378
- // At 2021-09-08 this bug is reported as fixed on Github, but actually still exists on RC4-MD5.
- // So, with OpenSSL 3.0 we manually disable RC4-MD5 by default on both SSL server and SSL client.
-
- // Note: We can remove this code after OpenSSL 3.x will be fixed on this bug.
- set_value = OPENSSL_DEFAULT_CIPHER_LIST_NO_RC4_MD5;
-#endif
+ if (IsSslLibVersionBuggyForRc4Md5())
+ {
+ // OpenSSL 3.0.0 to 3.0.2 has a bug with RC4-MD5. https://github.com/openssl/openssl/issues/13363 https://github.com/openssl/openssl/pull/13378
+ set_value = OPENSSL_DEFAULT_CIPHER_LIST_NO_RC4_MD5;
+ }
SSL_set_cipher_list(sock->ssl, set_value);
}
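Review bot: Both lists chosen here still appear to admit RC4 suites, judging by the names `OPENSSL_DEFAULT_CIPHER_LIST` and `OPENSSL_DEFAULT_CIPHER_LIST_NO_RC4_MD5` (their definitions are outside the hunk); RC4 is prohibited for TLS by RFC 7465, and the `_NO_RC4_MD5` variant only sidesteps an OpenSSL bug rather than removing the cipher. A comment such as `// Both lists are compatibility lists that still include RC4; a modern profile requires an explicit cipher list` would stop a maintainer from reading the fallback as hardening. The return value of `SSL_set_cipher_list` on the next line is still unchecked, so an unparsable list is silently ignored. StartSSLWithSettings begins before and continues after the hunk.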
@@ -14013,9 +14021,16 @@ bool StartSSLWithSettings(SOCK* sock, UINT ssl_timeout, char* sni_hostname, SSL_
X *local_x;
// Got a certificate
local_x = X509ToX(x509);
- local_x->do_not_free = true;
- sock->LocalX = CloneX(local_x);
- FreeX(local_x);
+ if (local_x != NULL)
+ {
+ local_x->do_not_free = true;
+ sock->LocalX = CloneX(local_x);
+ FreeX(local_x);
+ }
+ else
+ {
+ sock->LocalX = NULL;
+ }
}
// Automatic retry mode
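Review bot: The wrap-clone-free sequence added here repeats the one in SslCertVerifyCallback, and the two differ in whether `do_not_free` is set before or after `CloneX()`, a difference that matters only if CloneX copies that flag (its body is outside the hunk). A small helper owning the sequence removes the duplication, settles the ordering once, and makes the NULL result explicit in a single place; the clone-before-flag order below follows the SslCertVerifyCallback site. StartSSLWithSettings begins before and continues after the hunk.

```c
// Copy an OpenSSL X509 into a freshly allocated X without taking ownership
// of the X509. Returns NULL if the wrap or the copy fails.
static X *CloneX509AsX(X509 *x509)
{
	X *wrapper = X509ToX(x509);
	X *copy = NULL;
	if (wrapper != NULL)
	{
		copy = CloneX(wrapper);
		wrapper->do_not_free = true; // do not release inner X509 object
		FreeX(wrapper);
	}
	return copy;
}

// … in StartSSLWithSettings, replacing the local_x block:
	// Got a certificate
	sock->LocalX = CloneX509AsX(x509);
```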
@@ -18754,6 +18769,13 @@ struct ssl_ctx_st *NewSSLCtx(bool server_mode)
SSL_CTX_set_security_level(ctx, 0);
#endif
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
+ // For compatibility with OpenSSL 0.9.8l or older
+ // See https://www.openssl.org/docs/man1.0.2/man3/SSL_get_secure_renegotiation_support.html
+ SSL_CTX_set_options(ctx, SSL_OP_LEGACY_SERVER_CONNECT);
+ SSL_CTX_set_options(ctx, SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION);
+#endif
+
return ctx;
}
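Review bot: The five lines added here duplicate the block added to NewSslCtxSharedInternal and set `SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION` regardless of `server_mode`, so a listening context built by NewSSLCtx will accept clients that do not speak RFC 5746 and let them renegotiate, the CVE-2009-3555 condition. Folding both sites into one helper that applies `SSL_OP_LEGACY_SERVER_CONNECT` only for the client role and keeps the unsafe-renegotiation option off unless explicitly requested gives the two constructors the same policy. `SSL_CTX_set_options` OR-s its argument into the context, so the two calls can also become one. NewSSLCtx begins before the hunk.

```c
// Accept peers that predate RFC 5746 secure renegotiation (OpenSSL <= 0.9.8l).
// allow_unsafe_renegotiation re-opens the CVE-2009-3555 condition; keep it off
// unless an operator explicitly needs renegotiation with such a peer.
static void ApplyLegacyRenegotiationOptions(SSL_CTX *ctx, bool is_client, bool allow_unsafe_renegotiation)
{
#if OPENSSL_VERSION_NUMBER >= 0x30000000L
	uint64_t opts = 0;
	if (is_client)
	{
		opts |= SSL_OP_LEGACY_SERVER_CONNECT;
	}
	if (allow_unsafe_renegotiation)
	{
		opts |= SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION;
	}
	if (opts != 0)
	{
		SSL_CTX_set_options(ctx, opts);
	}
#endif
}

// … in NewSSLCtx, replacing the added #if block:
	ApplyLegacyRenegotiationOptions(ctx, !server_mode, false);
	return ctx;
```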