
v4.32-9731-beta

dnobori 5 lat temu
rodzic
commit
12b0330d8b

+ 9 - 9
WARNING.TXT

@@ -20,7 +20,7 @@ Protocol (SE-VPN Protocol)" . SE-VPN protocol encapsulates any Ethernet
 packets into a HTTPS (HTTP over SSL) connection. Therefore SE-VPN protocol can
 communicate beyond firewalls even if the firewall is configured to block
 traditional VPN packets by network administrator. SE-VPN protocol is designed
-and implemented to comply TLS 1.0 (RFC 5246) and HTTPS (RFC 2818). However, it
+and implemented to comply TLS (RFC 5246) and HTTPS (RFC 2818). However, it
 sometimes have different behavior to RFCs. If you are a network administrator
 and want to block SE-VPN protocols on the firewall, you can adopt a
 "white-list" policy on the firewall to filter any TCP or UDP packets on the
@@ -375,10 +375,11 @@ Experiment Service Directory Server. The information includes the operator's
 information which described in section 5.5, logging settings, uptime,
 operating system version, type of protocol, port numbers, quality information,
 statistical information, VPN Gate clients' log history data (includes dates,
-IP addresses, version numbers and IDs) and the version of the software. These
-information will be exposed on the directory. VPN Gate Service also receives a
-key for encoding which is described on the chapter 5.9 from the directory
-server.
+IP addresses, version numbers and IDs), log records of destination IP
+addresses and port numbers of VPN Gate communications, and the version of the
+software. These information may be exposed on the directory. VPN Gate Service
+also receives a key for encoding which is described on the chapter 5.9 from
+the directory server.
 
 5.3. Details of VPN Gate Service's Behavior
 If you enable VPN Gate Service manually, which is disabled by default, the
@@ -490,6 +491,8 @@ of Tsukuba, Japan. You can find the contact address at
 http://www.vpngate.net/. The administrator of VPN Gate Service will respond to
 decode the packet logs if there is an appropriate and legal request from court
 or other judicial authorities, according to laws.
+The Packet Logs Automatic Archiving and Encoding Function may be disabled
+according to technical or administrative reason.
 
 5.10. Caution if You Operate VPN Gate Service in the Japan's Territories
 When a user operates VPN Gate Service in the Japan's territories, such an act
@@ -499,10 +502,7 @@ a subject to the law. However, in such a circumstance, according to the
 non- profitable operations of communications are not identified as a
 "telecommunication business" . So usual operators of VPN Gate Service are not
 subjects to "telecommunication business operators" , and not be mandated to
-register to the government. Even so, legalities to protect the privacy of
-communication still imposed. As a conclusion, if you operate VPN Gate Service
-in the Japan's Territories, you must not leak the secrets of communications
-which are transmitted via your operating VPN Gate Service.
+register to the government.
 
 5.11. VPN Gate Client
 If SoftEther VPN Client contains the VPN Gate Client plug-in, you can use it

+ 8 - 8
src/Cedar/Cedar.h

@@ -126,10 +126,10 @@
 
 
 // Version number
-#define	CEDAR_VER					431
+#define	CEDAR_VER					432
 
 // Build Number
-#define	CEDAR_BUILD					9727
+#define	CEDAR_BUILD					9731
 
 // Beta number
 //#define	BETA_NUMBER					3
@@ -148,12 +148,12 @@
 #endif	// BUILD_PLACE
 
 // Specifies the build date
-#define	BUILD_DATE_Y		2019
-#define	BUILD_DATE_M		11
-#define	BUILD_DATE_D		18
-#define	BUILD_DATE_HO		10
-#define	BUILD_DATE_MI		55
-#define	BUILD_DATE_SE		38
+#define	BUILD_DATE_Y		2020
+#define	BUILD_DATE_M		1
+#define	BUILD_DATE_D		1
+#define	BUILD_DATE_HO		17
+#define	BUILD_DATE_MI		54
+#define	BUILD_DATE_SE		10
 
 // Tolerable time difference
 #define	ALLOW_TIMESTAMP_DIFF		(UINT64)(3 * 24 * 60 * 60 * 1000)

+ 108 - 2
src/Cedar/Hub.c

@@ -1660,13 +1660,15 @@ void HubWatchDogThread(THREAD *t, void *param)
 		o2 = NewListFast(NULL);
 
 		// Send an ARP packet
-		LockList(hub->IpTable);
+		LockHashList(hub->MacHashTable);
 		{
 			num = LIST_NUM(hub->IpTable);
 			for (i = 0;i < LIST_NUM(hub->IpTable);i++)
 			{
 				IP_TABLE_ENTRY *e = LIST_DATA(hub->IpTable, i);
 
+				if (e == NULL) continue;
+
 				if ((e->UpdatedTime + (UINT64)(IP_TABLE_EXPIRE_TIME)) > Tick64())
 				{
 					if (e->MacAddress[0] != 0xff || e->MacAddress[1] != 0xff || e->MacAddress[2] != 0xff ||
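Review bot: The walk over `hub->IpTable` is now guarded by `LockHashList(hub->MacHashTable)` rather than the list's own lock, and nothing at the call site explains why, so a later reader may assume the wrong lock was taken. If the rule is that every writer of `IpTable` already runs under the MAC table lock (the `Insert(hub->IpTable, e)` in the UPDATE_FDB hunk appears to), state it in a comment such as `// IpTable is guarded by the MacHashTable lock, not by its own list lock`. The added `if (e == NULL) continue;` suggests entries could be missing during the walk; once the locking rule is written down, say whether that can still happen. The matching unlock is in the next hunk, and the function body extends beyond both hunks.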
@@ -1742,7 +1744,7 @@ void HubWatchDogThread(THREAD *t, void *param)
 				}
 			}
 		}
-		UnlockList(hub->IpTable);
+		UnlockHashList(hub->MacHashTable);
 
 		if ((LIST_NUM(o) + LIST_NUM(o2)) != 0)
 		{
@@ -4120,6 +4122,17 @@ void StorePacket(HUB *hub, SESSION *s, PKT *packet)
 		}
 	}
 
+	if (s != NULL)
+	{
+		if (s->EnableLightRecvFilter)
+		{
+			if (IsValidUnicastMacAddress(packet->MacAddressSrc))
+			{
+				s->LightRecvFilterMac = READ_UINT(packet->MacAddressSrc + 2);
+			}
+		}
+	}
+
 	// Lock the entire MAC address table
 	LockHashList(hub->MacHashTable);
 	{
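Review bot: `LightRecvFilterMac` is overwritten on every frame with a valid unicast source, so it remembers only the most recent MAC, and only bytes 2..5 of it. Combined with the check added in the flooding path (`dest_session->LightRecvFilterMac != bcast_mac_dst` leads to discard), a session with more than one MAC address behind it would stop receiving flooded unicast frames for all but the last sender. No hunk shown here sets `EnableLightRecvFilter`, so the precondition belongs in a comment at this store, e.g. `// Light filter assumes exactly one MAC address behind this session`. The store also happens before `LockHashList(hub->MacHashTable)`, so it is presumably unsynchronised with readers running in other sessions' threads; confirm that is acceptable.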
@@ -4789,6 +4802,18 @@ UPDATE_FDB:
 
 									Insert(hub->IpTable, e);
 
+									if (s->EnableLightRecvFilter)
+									{
+										if (s->LightRecvFilterIPv4_1 == 0)
+										{
+											s->LightRecvFilterIPv4_1 = uint_ip;
+										}
+										else
+										{
+											s->LightRecvFilterIPv4_2 = uint_ip;
+										}
+									}
+
 									if (0)
 									{
 										char ip_address[64];
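Review bot: The two-slot update never checks whether `uint_ip` is already stored, so re-learning the address held in `LightRecvFilterIPv4_1` (for example after its IP table entry expired) overwrites `LightRecvFilterIPv4_2` with a duplicate, and the session's second address drops out of the ARP filter. Changing the `else` to `else if (s->LightRecvFilterIPv4_1 != uint_ip)` avoids that. Slot 1 is also never replaced once set, which deserves a comment if it is intended. The same pattern is repeated on `mac_table->Session` in the StorePacketFilterByPolicy hunk, where it runs before the `Search(hub->IpTable, &t)` lookup and so presumably on every matching packet. `s` is dereferenced here without the `s != NULL` test used in the earlier StorePacket hunk; the enclosing code is outside this hunk, so confirm it is already guarded.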
@@ -5036,6 +5061,7 @@ DISCARD_UNICAST_PACKET:
 				{
 					// Flooding as a broadcast packet
 					UINT current_tcp_queue_size = 0;
+					UINT bcast_mac_dst = READ_UINT(packet->MacAddressDest + 2);
 
 					// Take a packet log
 					if (s != NULL)
@@ -5061,9 +5087,60 @@ DISCARD_UNICAST_PACKET:
 							{
 								bool delete_default_router_in_ra = false;
 
+								if (dest_session->Policy != NULL && dest_session->Policy->DHCPNoServer)
+								{
+									if (packet->TypeL3 == L3_IPV4 &&
+										packet->TypeL4 == L4_UDP &&
+										packet->TypeL7 == L7_DHCPV4 &&
+										(packet->DhcpOpCode == DHCP_DISCOVER || packet->DhcpOpCode == DHCP_REQUEST || packet->DhcpOpCode == DHCP_RELEASE || packet->DhcpOpCode == DHCP_INFORM))
+									{
+										discard = true;
+										goto L_SKIP_TO_DISCARD;
+									}
+								}
+
+								if (dest_session->EnableLightRecvFilter)
+								{
+									if (packet->BroadcastPacket == false &&
+										dest_session->LightRecvFilterMac != 0 &&
+										dest_session->LightRecvFilterMac != bcast_mac_dst)
+									{
+										discard = true;
+										goto L_SKIP_TO_DISCARD;
+									}
+
+									if (packet->BroadcastPacket &&
+										packet->TypeL3 == L3_ARPV4 &&
+										packet->L3.ARPv4Header->HardwareSize == 6 &&
+										Endian16(packet->L3.ARPv4Header->HardwareType) == ARP_HARDWARE_TYPE_ETHERNET &&
+										packet->L3.ARPv4Header->ProtocolSize == 4 &&
+										Endian16(packet->L3.ARPv4Header->ProtocolType) == MAC_PROTO_IPV4)
+									{
+										if (Endian16(packet->L3.ARPv4Header->Operation) == ARP_OPERATION_REQUEST)
+										{
+											bool ok = false;
+
+											if (dest_session->LightRecvFilterIPv4_1 != 0)
+												if (dest_session->LightRecvFilterIPv4_1 == packet->L3.ARPv4Header->TargetIP)
+													ok = true;
+
+											if (dest_session->LightRecvFilterIPv4_2 != 0)
+												if (dest_session->LightRecvFilterIPv4_2 == packet->L3.ARPv4Header->TargetIP)
+													ok = true;
+
+											if (ok == false)
+											{
+												discard = true;
+												goto L_SKIP_TO_DISCARD;
+											}
+										}
+									}
+								}
+
 								if (dest_session->IsMonitorMode)
 								{
 									discard = true;
+									goto L_SKIP_TO_DISCARD;
 								}
 
 								if (dest_session->NormalClient)
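Review bot: The ARP branch fails closed while the MAC branch fails open. A zero `LightRecvFilterMac` skips the MAC test, but when both `LightRecvFilterIPv4_1` and `LightRecvFilterIPv4_2` are still 0, `ok` stays false and every broadcast ARP request to that session is discarded until an address has been learned. If that is intended, say so in a comment; otherwise guard the drop with `if (ok == false && (dest_session->LightRecvFilterIPv4_1 != 0 || dest_session->LightRecvFilterIPv4_2 != 0))`. The two unbraced nested `if` pairs that set `ok` are easy to break when edited and would read better as one braced condition each. The loop body starts and ends outside this hunk.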
@@ -5075,6 +5152,7 @@ DISCARD_UNICAST_PACKET:
 										{
 											// This is dormant session
 											discard = true;
+											goto L_SKIP_TO_DISCARD;
 										}
 									}
 								}
@@ -5090,6 +5168,7 @@ DISCARD_UNICAST_PACKET:
 											dest_session->Connection->Protocol == CONNECTION_TCP)
 										{
 											discard = true;
+											goto L_SKIP_TO_DISCARD;
 										}
 
 										if (dest_session->LinkModeServer)
@@ -5097,6 +5176,7 @@ DISCARD_UNICAST_PACKET:
 											LINK *k = dest_session->Link;
 
 											discard = true;
+											goto L_SKIP_TO_DISCARD;
 										}
 									}
 								}
@@ -5105,6 +5185,7 @@ DISCARD_UNICAST_PACKET:
 									packet->VlanId != dest_session->VLanId)
 								{
 									discard = true;
+									goto L_SKIP_TO_DISCARD;
 								}
 
 								if (dest_session->Policy->NoIPv6DefaultRouterInRA ||
@@ -5128,6 +5209,7 @@ DISCARD_UNICAST_PACKET:
 										 packet->ICMPv6HeaderPacketInfo.Type == ICMPV6_TYPE_ROUTER_ADVERTISEMENT))
 									{
 										discard = true;
+										goto L_SKIP_TO_DISCARD;
 									}
 								}
 
@@ -5138,6 +5220,7 @@ DISCARD_UNICAST_PACKET:
 										packet->TypeL7 == L7_DHCPV4)
 									{
 										discard = true;
+										goto L_SKIP_TO_DISCARD;
 									}
 								}
 
@@ -5148,6 +5231,7 @@ DISCARD_UNICAST_PACKET:
 										(Endian16(packet->L4.UDPHeader->DstPort) == 546 || Endian16(packet->L4.UDPHeader->DstPort) == 547))
 									{
 										discard = true;
+										goto L_SKIP_TO_DISCARD;
 									}
 								}
 
@@ -5191,6 +5275,7 @@ DISCARD_UNICAST_PACKET:
 									if (packet->TypeL3 == L3_IPV4 || packet->TypeL3 == L3_ARPV4)
 									{
 										discard = true;
+										goto L_SKIP_TO_DISCARD;
 									}
 								}
 								if (dest_session->Policy->FilterIPv6)
@@ -5198,6 +5283,7 @@ DISCARD_UNICAST_PACKET:
 									if (packet->TypeL3 == L3_IPV6)
 									{
 										discard = true;
+										goto L_SKIP_TO_DISCARD;
 									}
 								}
 								if (dest_session->Policy->FilterNonIP)
@@ -5205,6 +5291,7 @@ DISCARD_UNICAST_PACKET:
 									if (packet->TypeL3 != L3_IPV4 && packet->TypeL3 != L3_ARPV4 && packet->TypeL3 != L3_IPV6)
 									{
 										discard = true;
+										goto L_SKIP_TO_DISCARD;
 									}
 								}
 
@@ -5218,6 +5305,7 @@ DISCARD_UNICAST_PACKET:
 									if (drop_arp_packet_privacy || packet->TypeL3 != L3_ARPV4)
 									{
 										discard = true;
+										goto L_SKIP_TO_DISCARD;
 									}
 								}
 
@@ -5227,9 +5315,12 @@ DISCARD_UNICAST_PACKET:
 										memcmp(packet->MacAddressDest, s->Hub->HubMacAddr, 6) == 0)
 									{
 										discard = true;
+										goto L_SKIP_TO_DISCARD;
 									}
 								}
 
+L_SKIP_TO_DISCARD:
+
 								if (discard == false && dest_pa != NULL)
 								{
 									if (s == NULL ||
@@ -5899,6 +5990,21 @@ bool StorePacketFilterByPolicy(SESSION *s, PKT *p)
 							UINTToIP(&ip, ip_uint);
 							Copy(&t.Ip, &ip, sizeof(IP));
 
+							if (mac_table->Session != NULL)
+							{
+								if (mac_table->Session->EnableLightRecvFilter)
+								{
+									if (mac_table->Session->LightRecvFilterIPv4_1 == 0)
+									{
+										mac_table->Session->LightRecvFilterIPv4_1 = ip_uint;
+									}
+									else
+									{
+										mac_table->Session->LightRecvFilterIPv4_2 = ip_uint;
+									}
+								}
+							}
+
 							e = Search(hub->IpTable, &t);
 							if (e == NULL)
 							{

+ 12 - 0
src/Cedar/IPsec_IPC.c

@@ -179,6 +179,12 @@ IPC_ASYNC *NewIPCAsync(CEDAR *cedar, IPC_PARAM *param, SOCK_EVENT *sock_event)
 
 	Copy(&a->Param, param, sizeof(IPC_PARAM));
 
+	if (param->ClientCertificate != NULL)
+	{
+		// Client certificate must be copied for async processing
+		a->Param.ClientCertificate = CloneX(param->ClientCertificate);
+	}
+
 	if (sock_event != NULL)
 	{
 		a->SockEvent = sock_event;
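Review bot: The result of `CloneX(param->ClientCertificate)` is stored without a check, so if the clone can fail, `a->Param.ClientCertificate` ends up NULL and the async connection would presumably continue as though no client certificate had been supplied. The rest of `IPC_PARAM` is still a shallow `Copy`, so the ownership rule should be written down next to the clone, e.g. `// a->Param.ClientCertificate is an owned copy; released in FreeIPCAsync()`. The matching `FreeX` is in the FreeIPCAsync hunk. Code that passes `a->Param` onward is not shown here, so check that no consumer frees the certificate a second time.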
@@ -297,6 +303,12 @@ void FreeIPCAsync(IPC_ASYNC *a)
 	ReleaseCedar(a->Cedar);
 
 	ReleaseTube(a->TubeForDisconnect);
+
+	if (a->Param.ClientCertificate != NULL)
+	{
+		FreeX(a->Param.ClientCertificate);
+	}
+
 	Free(a);
 }
 

+ 11 - 3
src/Cedar/Logging.c

@@ -1478,12 +1478,19 @@ void AddLogBufToStr(BUF *b, char *name, char *value)
 void MakeSafeLogStr(char *str)
 {
 	UINT i, len;
+	bool is_http = false;
 	// Validate arguments
 	if (str == NULL)
 	{
 		return;
 	}
 
+	if (str[0] == 'h' && str[1] == 't' && str[2] == 't' && str[3] == 'p' &&
+		((str[4] == 's' && str[5] == ':') || (str[4] == ':')))
+	{
+		is_http = true;
+	}
+
 	EnPrintableAsciiStr(str, '?');
 
 	len = StrLen(str);
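Review bot: The `is_http` exemption is decided from the logged value itself, so any string that begins with `http:` or `https:` keeps its spaces whether or not it is a real URL. If these values originate from traffic or remote peers, as the name MakeSafeLogStr suggests, a sender can place spaces in a field that log consumers may treat as space-delimited and so shift or forge later fields. Either keep a one-for-one substitution for URLs too (the buffer is edited in place, so the replacement must stay one character), or document on the function which log formats call it and why embedded spaces are safe there. The exemption itself is applied in the next hunk (`if (is_http == false)`).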
@@ -1495,7 +1502,10 @@ void MakeSafeLogStr(char *str)
 		}
 		else if (str[i] == ' ')
 		{
-			str[i] = '_';
+			if (is_http == false)
+			{
+				str[i] = '_';
+			}
 		}
 	}
 }
@@ -2242,8 +2252,6 @@ void ReplaceForCsv(char *str)
 		return;
 	}
 
-	// If there are blanks, trim it
-	Trim(str);
 	len = StrLen(str);
 
 	for (i = 0;i < len;i++)

+ 2 - 0
src/Cedar/Session.c

@@ -1399,6 +1399,7 @@ void CleanupSession(SESSION *s)
 
 	ReleaseSharedBuffer(s->IpcSessionSharedBuffer);
 
+
 	Free(s);
 }
 
@@ -2361,6 +2362,7 @@ SESSION *NewServerSessionEx(CEDAR *cedar, CONNECTION *c, HUB *h, char *username,
 		}
 	}
 
+
 	return s;
 }
 

+ 6 - 0
src/Cedar/Session.h

@@ -326,6 +326,12 @@ struct SESSION
 
 	SHARED_BUFFER *IpcSessionSharedBuffer;	// A shared buffer between IPC and Session
 	IPC_SESSION_SHARED_BUFFER_DATA *IpcSessionShared;	// A shared data between IPC and Session
+
+
+	bool EnableLightRecvFilter;		// Enable light receive filter
+	UINT LightRecvFilterMac;		// Light receive filter MAC address
+	UINT LightRecvFilterIPv4_1;		// Light receive filter IPv4 address #1
+	UINT LightRecvFilterIPv4_2;		// Light receive filter IPv4 address #2
 };
 
 // Password dialog
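Review bot: The field comments do not match what is stored. `LightRecvFilterMac` is a `UINT` that receives `READ_UINT(packet->MacAddressSrc + 2)`, i.e. four bytes of the MAC, and 0 serves as "not learned" for all three filter fields. Suggested comments are `// Bytes 2..5 of the last unicast source MAC seen from this session (0 = none)` and `// IPv4 address learned for this session, compared directly with ARPv4Header->TargetIP (0 = none)`. It would also help to note on `EnableLightRecvFilter` where it is set, since no assignment is visible in this commit's hunks.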

+ 1 - 1
src/Cedar/Virtual.c

@@ -1543,7 +1543,7 @@ void NnTcpRecvForInternet(VH *v, UINT src_ip, UINT src_port, UINT dest_ip, UINT
 		// Create a new session because there is no existing one
 		UINT public_port;
 
-		if (old_tcp->Flag != TCP_SYN)
+		if (((old_tcp->Flag & TCP_SYN) && ((old_tcp->Flag & TCP_ACK) == 0)) == false)
 		{
 			// If there is no existing session, pass through only for SYN packet
 			return;
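Review bot: The new test only requires SYN set and ACK clear, so a segment carrying SYN together with FIN or RST now also passes and creates a session entry, which the previous exact comparison rejected. If the goal was to tolerate extra bits such as ECN flags on the initial SYN, mask the control flags explicitly: `if ((old_tcp->Flag & (TCP_SYN | TCP_ACK | TCP_FIN | TCP_RST)) != TCP_SYN)`. That form also avoids comparing a compound expression with `== false`. The function continues beyond this hunk.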

+ 3 - 3
src/CurrentBuild.txt

@@ -1,4 +1,4 @@
-BUILD_NUMBER 9727
-VERSION 431
+BUILD_NUMBER 9731
+VERSION 432
 BUILD_NAME beta
-BUILD_DATE 20191118_105538
+BUILD_DATE 20200101_175410

+ 9 - 9
src/WARNING.TXT

@@ -20,7 +20,7 @@ Protocol (SE-VPN Protocol)" . SE-VPN protocol encapsulates any Ethernet
 packets into a HTTPS (HTTP over SSL) connection. Therefore SE-VPN protocol can
 communicate beyond firewalls even if the firewall is configured to block
 traditional VPN packets by network administrator. SE-VPN protocol is designed
-and implemented to comply TLS 1.0 (RFC 5246) and HTTPS (RFC 2818). However, it
+and implemented to comply TLS (RFC 5246) and HTTPS (RFC 2818). However, it
 sometimes have different behavior to RFCs. If you are a network administrator
 and want to block SE-VPN protocols on the firewall, you can adopt a
 "white-list" policy on the firewall to filter any TCP or UDP packets on the
@@ -375,10 +375,11 @@ Experiment Service Directory Server. The information includes the operator's
 information which described in section 5.5, logging settings, uptime,
 operating system version, type of protocol, port numbers, quality information,
 statistical information, VPN Gate clients' log history data (includes dates,
-IP addresses, version numbers and IDs) and the version of the software. These
-information will be exposed on the directory. VPN Gate Service also receives a
-key for encoding which is described on the chapter 5.9 from the directory
-server.
+IP addresses, version numbers and IDs), log records of destination IP
+addresses and port numbers of VPN Gate communications, and the version of the
+software. These information may be exposed on the directory. VPN Gate Service
+also receives a key for encoding which is described on the chapter 5.9 from
+the directory server.
 
 5.3. Details of VPN Gate Service's Behavior
 If you enable VPN Gate Service manually, which is disabled by default, the
@@ -490,6 +491,8 @@ of Tsukuba, Japan. You can find the contact address at
 http://www.vpngate.net/. The administrator of VPN Gate Service will respond to
 decode the packet logs if there is an appropriate and legal request from court
 or other judicial authorities, according to laws.
+The Packet Logs Automatic Archiving and Encoding Function may be disabled
+according to technical or administrative reason.
 
 5.10. Caution if You Operate VPN Gate Service in the Japan's Territories
 When a user operates VPN Gate Service in the Japan's territories, such an act
@@ -499,10 +502,7 @@ a subject to the law. However, in such a circumstance, according to the
 non- profitable operations of communications are not identified as a
 "telecommunication business" . So usual operators of VPN Gate Service are not
 subjects to "telecommunication business operators" , and not be mandated to
-register to the government. Even so, legalities to protect the privacy of
-communication still imposed. As a conclusion, if you operate VPN Gate Service
-in the Japan's Territories, you must not leak the secrets of communications
-which are transmitted via your operating VPN Gate Service.
+register to the government.
 
 5.11. VPN Gate Client
 If SoftEther VPN Client contains the VPN Gate Client plug-in, you can use it

+ 4 - 3
src/bin/hamcore/warning_cn.txt

@@ -5,7 +5,7 @@
 
 1. VPN 通信协议
 1.1. SoftEther VPN 协议
-SoftEther VPN 可以进行 VPN 通信。不同于传统的 VPN 协议, SoftEther VPN 有一个全新设计的 "SoftEther VPN 协议 (SE-VPN 协议)" 的实现。SE-VPN 协议将任何以太网数据包封装进 HTTPS (HTTP over SSL) 连接。因此 SE-VPN 协议可以越过防火墙通信,即使防火墙被网络管理员配置阻止传统的 VPN 数据包。SE-VPN 协议的设计和实施以符合 TLS 1.0 (RFC 5246) 和 HTTPS (RFC 2818)。然面,有时对 RFC 有不同的行为。如果你是一个网络管理员,要在防火墙上阻止 SE-VPN 协议,你可以在防火墙上采取 "白名单" 策略,来过滤任何在边界上的 TCP 或 UDP 数据包,除了明确允许到特定网站和服务器的数据包。
+SoftEther VPN 可以进行 VPN 通信。不同于传统的 VPN 协议, SoftEther VPN 有一个全新设计的 "SoftEther VPN 协议 (SE-VPN 协议)" 的实现。SE-VPN 协议将任何以太网数据包封装进 HTTPS (HTTP over SSL) 连接。因此 SE-VPN 协议可以越过防火墙通信,即使防火墙被网络管理员配置阻止传统的 VPN 数据包。SE-VPN 协议的设计和实施以符合 TLS (RFC 5246) 和 HTTPS (RFC 2818)。然面,有时对 RFC 有不同的行为。如果你是一个网络管理员,要在防火墙上阻止 SE-VPN 协议,你可以在防火墙上采取 "白名单" 策略,来过滤任何在边界上的 TCP 或 UDP 数据包,除了明确允许到特定网站和服务器的数据包。
 
 1.2. NAT 穿透功能
 一般来说,如果你使用传统的 VPN 系统,你必须要求网络管理员把 NAT 或防火墙设置为 "打开" 或 "中继" 特定的 TCP 或 UDP 端口。然而,也有需要以某种方式消除网络管理员的这种工作成本。为了满足这种需求, SoftEther VPN 有一个新实施的 "NAT 穿越" 功能。NAT 穿越默认情况下是启用的。一个在 NAT 或防火墙后面、在电脑上运行的 SoftEther VPN 服务器可以接受来自互联网的 VPN 连接,在防火墙或 NAT 上没有任何特殊的配置。如果你想禁用 NAT 穿越功能,修改 SoftEther VPN 服务器上的配置文件 "DisableNatTraversal" 为 "true" 。为了在客户端禁用它,在目标主机添加 "/ tcp" 后缀。
@@ -94,7 +94,7 @@ VPN Gate 学术实验项目是一个在线服务,由日本筑波大学研究
 5.2. 关于 VPN Gate 服务
 SoftEther VPN 服务器和 SoftEther VPN 客户端可能含有 "VPN Gate 服务" 程序。然而, VPN Gate 服务在默认情况下是禁用的。
 VPN Gate 服务通过安装了 SoftEther VPN 服务器或 SoftEther VPN 客户端的计算机所有者的志愿目的被激活并启用。在您激活 VPN Gate 服务以后,计算机将作为全球分布式公共 VPN 中继服务器的一部分开始服务。计算机的 IP 地址、主机名和相关信息将被发送并在 VPN Gate 学术实验项目的服务器目录注册,这些信息将被公布,并向公众披露。这一机制将允许任何 VPN Gate 客户端软件的用户连接到您计算机上运行的 VPN Gate 服务。当在 VPN Gate 客户端和你的 VPN Gate 服务之间建立一个 VPN 会话, VPN Gate 客户端的用户可以发送 / 接收向互联网经由 VPN Gate 服务的任何 IP 数据包。VPN Gate 服务的主机的全球 IP 地址将作为 VPN Gate 客户端启动的这种通信的源 IP 地址被使用。
-VPN Gate 服务将发送一些信息至 VPN Gate 学术实验服务目录服务器。这些信息包括第 5.5 节中描述的运营商的信息、日志设置、正常运行时间、操作系统版本、协议类型、端口号、质量信息、统计信息、VPN Gate 客户端的日志历史数据 (包括日期,IP 地址,版本号和 ID) 和软件的版本。这些信息将被批露在目录上。VPN Gate 服务从目录服务器接收到一个密钥以进行在 5.9 章中描述的编码。
+VPN Gate 服务将发送一些信息至 VPN Gate 学术实验服务目录服务器。这些信息包括第 5.5 节中描述的运营商的信息、日志设置、正常运行时间、操作系统版本、协议类型、端口号、质量信息、统计信息、VPN Gate 客户端的日志历史数据 (包括日期,IP 地址,版本号和 ID) 、VPN Gate 通信的目标 IP 地址和端口号的日志记录和软件的版本。此信息可能会在目录中披露。VPN Gate 服务从目录服务器接收到一个密钥以进行在 5.9 章中描述的编码。
 
 5.3. VPN Gate 服务行为的详细信息
 如果您手动启用 VPN Gate 服务,在默认情况下是禁用的, "VPNGATE" 虚拟 Hub 将在 SoftEther VPN 服务器上被创建。如果您使用的是 SoftEther VPN 客户端,并尝试激活 VPN Gate 服务,相当于 SoftEther VPN 服务器的程序在 SoftEther VPN 客户端的同一进程将被调用,虚拟 HUB "VPNGATE" 将被创建。虚拟 HUB "VPNGATE" 包含一个默认情况下名为 "VPN" 的用户,此用户允许在互联网上的任何人建立 VPN 连接到虚拟 HUB。一旦 VPN 客户端连接到虚拟 HUB "VPNGATE" ,用户与互联网之间的任何通信将穿过虚拟 Hub ,使用运行有 SoftEther VPN 服务器 (或 SoftEther VPN 客户端) 的计算机上的物理网络接口发送 / 接收。这将导致以下结果,目标主机通过 VPN 客户端确定通信的源发起是从 VPN Gate 服务的主机的 IP 地址指定的。不过,为了安全,目的地是在 192.168.0.0/255.255.0.0 , 172.16.0.0/255.240.0.0 或 10.0.0.0/255.0.0.0 以内的任何数据包将被虚拟 HUB "VPNGATE" 拦截,以保护您的本地网络。因此,如果在您的企业网络或私人网络运行 VPN Gate 服务,这是安全的,因为匿名 VPN 客户端用户将不被允许访问这些私人网络。VPN Gate 服务也可作为中继访问 VPN Gate 目录服务器。
@@ -121,9 +121,10 @@ VPN Gate 学术实验服务是根据日本宪法和法律运营和运行的。
 默认情况下, VPN Gate 服务当前自动配置编码已经过去了两周或以上的数据包日志文件。为了保护通信隐私,如果一个数据包日志文件一旦被编码,即使是本地计算机管理员也无法检查数据包日志文件。这种机制保护 VPN Gate 服务最终用户的隐私。
 您可以更改 VPN Gate 服务的设置,禁用此项自动编码功能。然后数据包日志文件将永远不会被编码,即使两个星期已过去。在这样的配置中,所有数据包日志将以纯文本形式保留在磁盘上。因此,你必须要注意不要侵犯用户的隐私。
 如果你负责解码已编码的数据包日志文件 (例如:一个 VPN Gate 服务的用户非法滥用你的 VPN Gate 服务,你必须解码数据包日志以符合法律) ,请联系日本筑波大学研究生院 VPN Gate 学术实验服务的管理员。你可以从 http://www.vpngate.net/ 找到联系地址。根据法律如果有从法院或其他司法当局适当的和法律的要求, VPN Gate 服务的管理员将响应解码数据包日志。
+根据技术或管理原因,可能会禁用 "数据包日志自动存档和编码" 功能。
 
 5.10. 在日本领土操作 VPN Gate 服务的注意事项
-当一个用户在日本领土操作 VPN Gate 服务时,这种行为会根据日本电信法加以规范,操作受法律管辖。然而,在这样的情况下,根据 "日本电信业务竞争手册 [补充版本]" ,非营利性的通信业务不被认为是 "电信业务" 。因此,通常 VPN Gate 服务的运营商不受制于 "电信业务经营者" ,不强制要求到政府注册。即便如此,保护通信隐私的合法性仍强制实行。作为一个结论,如果你在日本领土运营 VPN Gate 服务,你不能泄露经由你操作的 VPN Gate 服务传送的通讯秘密。
+当一个用户在日本领土操作 VPN Gate 服务时,这种行为会根据日本电信法加以规范,操作受法律管辖。然而,在这样的情况下,根据 "日本电信业务竞争手册 [补充版本]" ,非营利性的通信业务不被认为是 "电信业务" 。因此,通常 VPN Gate 服务的运营商不受制于 "电信业务经营者" ,不强制要求到政府注册。
 
 5.11. VPN Gate 客户端
 如果 SoftEther VPN 客户端包含 VPN Gate 客户端插件,你可以在互联网上用它来获得当前操作的 VPN Gate 服务的服务器列表,使一个 VPN 连接到列表上的特定服务器。

+ 4 - 3
src/bin/hamcore/warning_en.txt

@@ -5,7 +5,7 @@ FUNCTIONS OF VPN COMMUNICATIONS EMBEDDED ON THIS SOFTWARE ARE VERY POWERFUL THAN
 
 1. VPN Communication Protocols
 1.1. SoftEther VPN Protocol
-SoftEther VPN can perform VPN communication. Unlike traditional VPN protocols, SoftEther VPN has an implementation of the newly-designed "SoftEther VPN Protocol (SE-VPN Protocol)" . SE-VPN protocol encapsulates any Ethernet packets into a HTTPS (HTTP over SSL) connection. Therefore SE-VPN protocol can communicate beyond firewalls even if the firewall is configured to block traditional VPN packets by network administrator. SE-VPN protocol is designed and implemented to comply TLS 1.0 (RFC 5246) and HTTPS (RFC 2818). However, it sometimes have different behavior to RFCs. If you are a network administrator and want to block SE-VPN protocols on the firewall, you can adopt a "white-list" policy on the firewall to filter any TCP or UDP packets on the border except explicitly allowed packets towards specific web sites and servers.
+SoftEther VPN can perform VPN communication. Unlike traditional VPN protocols, SoftEther VPN has an implementation of the newly-designed "SoftEther VPN Protocol (SE-VPN Protocol)" . SE-VPN protocol encapsulates any Ethernet packets into a HTTPS (HTTP over SSL) connection. Therefore SE-VPN protocol can communicate beyond firewalls even if the firewall is configured to block traditional VPN packets by network administrator. SE-VPN protocol is designed and implemented to comply TLS (RFC 5246) and HTTPS (RFC 2818). However, it sometimes have different behavior to RFCs. If you are a network administrator and want to block SE-VPN protocols on the firewall, you can adopt a "white-list" policy on the firewall to filter any TCP or UDP packets on the border except explicitly allowed packets towards specific web sites and servers.
 
 1.2. NAT Traversal Function
 Generally, if you use traditional VPN systems you have to request a network administrator to make the NAT or firewall to "open" or "relay" specific TCP or UDP ports. However, there are demands somehow to eliminate such working costs on network administrators. In order to satisfy such demands, SoftEther VPN has the newly-implemented "NAT Traversal" function. NAT Traversal is enabled by default. A SoftEther VPN Server running on the computer behind NAT or firewall can accept VPN connections from the Internet, without any special configurations on firewalls or NATs. If you want to disable the NAT Traversal function, modify the "DisableNatTraversal" to "true" on the configuration file of SoftEther VPN Server. In order to disable it on the client-side, append "/tcp" suffix on the destination hostname.
@@ -93,7 +93,7 @@ VPN Gate Academic Experiment Project is an online service operated for just the
 5.2. About VPN Gate Service
 SoftEther VPN Server and SoftEther VPN Client may contain "VPN Gate Service" program. However, VPN Gate Service is disabled by default.
 VPN Gate Service should be activated and enabled by the voluntary intention of the owner of the computer which SoftEther VPN Server or SoftEther VPN Client is installed on. After you activate VPN Gate Service, the computer will be start to serve as a part of the Global Distributed Public VPN Relay Servers. The IP address, hostname and related information of the computer will be sent and registered to the directory server of VPN Gate Academic Experiment Project, and they will be published and disclosed to the public. This mechanism will allow any VPN Gate Client software's user to connect to the VPN Gate Service running on your computer. While the VPN session between a VPN Gate Client and your VPN Gate Service is established, the VPN Gate Client's user can send/receive any IP packets towards the Internet via the VPN Gate Service. The global IP address of the VPN Gate Service's hosing computer will be used as the source IP address of such communications which a VPN Gate Client initiates.
-VPN Gate Service will send some information to the VPN Gate Academic Experiment Service Directory Server. The information includes the operator's information which described in section 5.5, logging settings, uptime, operating system version, type of protocol, port numbers, quality information, statistical information, VPN Gate clients' log history data (includes dates, IP addresses, version numbers and IDs) and the version of the software. These information will be exposed on the directory. VPN Gate Service also receives a key for encoding which is described on the chapter 5.9 from the directory server.
+VPN Gate Service will send some information to the VPN Gate Academic Experiment Service Directory Server. The information includes the operator's information which described in section 5.5, logging settings, uptime, operating system version, type of protocol, port numbers, quality information, statistical information, VPN Gate clients' log history data (includes dates, IP addresses, version numbers and IDs), log records of destination IP addresses and port numbers of VPN Gate communications, and the version of the software. These information may be exposed on the directory. VPN Gate Service also receives a key for encoding which is described on the chapter 5.9 from the directory server.
 
 5.3. Details of VPN Gate Service's Behavior
 If you enable VPN Gate Service manually, which is disabled by default, the "VPNGATE" Virtual Hub will be created on the SoftEther VPN Server. If you are using SoftEther VPN Client and attempt to active VPN Gate Service on it, an equivalent program to SoftEther VPN Server will be invoked on the same process of SoftEther VPN Client, and the "VPNGATE" Virtual Hub will be created. The "VPNGATE" Virtual Hub contains a user named "VPN" by default which permits anyone on the Internet to make a VPN connection to the Virtual Hub. Once a VPN Client connects to the "VPNGATE" Virtual Hub, any communication between the user and the Internet will pass through the Virtual Hub, and transmitted/received using the physical network interface on the computer which SoftEther VPN Server (or SoftEther VPN Client) is running on. This will cause the result that a destination host specified by the VPN Client will identify that the source of the communication has initiated from the VPN Gate Service's hosting computer's IP address. However, for safety, any packets which destinations are within 192.168.0.0/255.255.0.0, 172.16.0.0/255.240.0.0 or 10.0.0.0/255.0.0.0 will be blocked by the "VPNGATE" Virtual Hub in order to protect your local network. Therefore, if you run VPN Gate Service on your corporate network or private network, it is safe because anonymous VPN Client users will not be permitted to access such private networks. VPN Gate Service also serves as relay for accessing to the VPN Gate Directory Server.
@@ -120,9 +120,10 @@ The VPN Gate Academic Experiment Service is operated and running under the Japan
 The VPN Gate Service is currently configured to encode packet log files which has passed two or more weeks automatically, by default. In order to protect privacy of communication, if a packet log file is once encoded, even the administrator of the local computer cannot censor the packet log file. This mechanism protects privacy of end-users of VPN Gate Service.
 You can change the VPN Gate Service setting to disable this automatic encoding function. Then packet log files will never be encoded even after two weeks passed. In such a configuration, all packet logs will remain as plain-text on the disk. Therefore you have to take care not to violate user's privacy.
 If you are liable to decode an encoded packet log files (for example: a VPN Gate Service's user illegally abused your VPN Gate Service and you have to decode the packet logs in order to comply the laws), contact the administrator of the VPN Gate Academic Experiment Service at Graduate School of University of Tsukuba, Japan. You can find the contact address at http://www.vpngate.net/. The administrator of VPN Gate Service will respond to decode the packet logs if there is an appropriate and legal request from court or other judicial authorities, according to laws.
+The Packet Logs Automatic Archiving and Encoding Function may be disabled according to technical or administrative reason.
 
 5.10. Caution if You Operate VPN Gate Service in the Japan's Territories
-When a user operates VPN Gate Service in the Japan's territories, such an act may be regulated under the Japanese Telecommunication Laws if the operation is a subject to the law. However, in such a circumstance, according to the "Japanese Telecommunication Business Compete Manual [supplemental version]" , non- profitable operations of communications are not identified as a "telecommunication business" . So usual operators of VPN Gate Service are not subjects to "telecommunication business operators" , and not be mandated to register to the government. Even so, legalities to protect the privacy of communication still imposed. As a conclusion, if you operate VPN Gate Service in the Japan's Territories, you must not leak the secrets of communications which are transmitted via your operating VPN Gate Service.
+When a user operates VPN Gate Service in the Japan's territories, such an act may be regulated under the Japanese Telecommunication Laws if the operation is a subject to the law. However, in such a circumstance, according to the "Japanese Telecommunication Business Compete Manual [supplemental version]" , non- profitable operations of communications are not identified as a "telecommunication business" . So usual operators of VPN Gate Service are not subjects to "telecommunication business operators" , and not be mandated to register to the government.
 
 5.11. VPN Gate Client
 If SoftEther VPN Client contains the VPN Gate Client plug-in, you can use it to obtain the list of current operating VPN Gate Service servers in the Internet, and make a VPN connection to a specific server on the list.

Plik diff jest za duży
+ 2 - 2
src/bin/hamcore/warning_ja.txt


BIN
src/bin/vpnweb.cab


BIN
src/bin/vpnweb.ocx


+ 2 - 2
src/makefiles/freebsd_32bit.mak

@@ -1,7 +1,7 @@
 # SoftEther VPN Source Code
 # 
-# Copyright (c) 2012-2019 SoftEther VPN Project at University of Tsukuba, Japan.
-# Copyright (c) 2012-2019 Daiyuu Nobori.
+# Copyright (c) 2012-2020 SoftEther VPN Project at University of Tsukuba, Japan.
+# Copyright (c) 2012-2020 Daiyuu Nobori.
 # All Rights Reserved.
 # 
 # https://www.softether.org/

+ 2 - 2
src/makefiles/freebsd_64bit.mak

@@ -1,7 +1,7 @@
 # SoftEther VPN Source Code
 # 
-# Copyright (c) 2012-2019 SoftEther VPN Project at University of Tsukuba, Japan.
-# Copyright (c) 2012-2019 Daiyuu Nobori.
+# Copyright (c) 2012-2020 SoftEther VPN Project at University of Tsukuba, Japan.
+# Copyright (c) 2012-2020 Daiyuu Nobori.
 # All Rights Reserved.
 # 
 # https://www.softether.org/

+ 2 - 2
src/makefiles/linux_32bit.mak

@@ -1,7 +1,7 @@
 # SoftEther VPN Source Code
 # 
-# Copyright (c) 2012-2019 SoftEther VPN Project at University of Tsukuba, Japan.
-# Copyright (c) 2012-2019 Daiyuu Nobori.
+# Copyright (c) 2012-2020 SoftEther VPN Project at University of Tsukuba, Japan.
+# Copyright (c) 2012-2020 Daiyuu Nobori.
 # All Rights Reserved.
 # 
 # https://www.softether.org/

+ 2 - 2
src/makefiles/linux_64bit.mak

@@ -1,7 +1,7 @@
 # SoftEther VPN Source Code
 # 
-# Copyright (c) 2012-2019 SoftEther VPN Project at University of Tsukuba, Japan.
-# Copyright (c) 2012-2019 Daiyuu Nobori.
+# Copyright (c) 2012-2020 SoftEther VPN Project at University of Tsukuba, Japan.
+# Copyright (c) 2012-2020 Daiyuu Nobori.
 # All Rights Reserved.
 # 
 # https://www.softether.org/

+ 2 - 2
src/makefiles/macos_32bit.mak

@@ -1,7 +1,7 @@
 # SoftEther VPN Source Code
 # 
-# Copyright (c) 2012-2019 SoftEther VPN Project at University of Tsukuba, Japan.
-# Copyright (c) 2012-2019 Daiyuu Nobori.
+# Copyright (c) 2012-2020 SoftEther VPN Project at University of Tsukuba, Japan.
+# Copyright (c) 2012-2020 Daiyuu Nobori.
 # All Rights Reserved.
 # 
 # https://www.softether.org/

+ 2 - 2
src/makefiles/macos_64bit.mak

@@ -1,7 +1,7 @@
 # SoftEther VPN Source Code
 # 
-# Copyright (c) 2012-2019 SoftEther VPN Project at University of Tsukuba, Japan.
-# Copyright (c) 2012-2019 Daiyuu Nobori.
+# Copyright (c) 2012-2020 SoftEther VPN Project at University of Tsukuba, Japan.
+# Copyright (c) 2012-2020 Daiyuu Nobori.
 # All Rights Reserved.
 # 
 # https://www.softether.org/

+ 2 - 2
src/makefiles/openbsd_32bit.mak

@@ -1,7 +1,7 @@
 # SoftEther VPN Source Code
 # 
-# Copyright (c) 2012-2019 SoftEther VPN Project at University of Tsukuba, Japan.
-# Copyright (c) 2012-2019 Daiyuu Nobori.
+# Copyright (c) 2012-2020 SoftEther VPN Project at University of Tsukuba, Japan.
+# Copyright (c) 2012-2020 Daiyuu Nobori.
 # All Rights Reserved.
 # 
 # https://www.softether.org/

+ 2 - 2
src/makefiles/openbsd_64bit.mak

@@ -1,7 +1,7 @@
 # SoftEther VPN Source Code
 # 
-# Copyright (c) 2012-2019 SoftEther VPN Project at University of Tsukuba, Japan.
-# Copyright (c) 2012-2019 Daiyuu Nobori.
+# Copyright (c) 2012-2020 SoftEther VPN Project at University of Tsukuba, Japan.
+# Copyright (c) 2012-2020 Daiyuu Nobori.
 # All Rights Reserved.
 # 
 # https://www.softether.org/

+ 2 - 2
src/makefiles/solaris_32bit.mak

@@ -1,7 +1,7 @@
 # SoftEther VPN Source Code
 # 
-# Copyright (c) 2012-2019 SoftEther VPN Project at University of Tsukuba, Japan.
-# Copyright (c) 2012-2019 Daiyuu Nobori.
+# Copyright (c) 2012-2020 SoftEther VPN Project at University of Tsukuba, Japan.
+# Copyright (c) 2012-2020 Daiyuu Nobori.
 # All Rights Reserved.
 # 
 # https://www.softether.org/

+ 2 - 2
src/makefiles/solaris_64bit.mak

@@ -1,7 +1,7 @@
 # SoftEther VPN Source Code
 # 
-# Copyright (c) 2012-2019 SoftEther VPN Project at University of Tsukuba, Japan.
-# Copyright (c) 2012-2019 Daiyuu Nobori.
+# Copyright (c) 2012-2020 SoftEther VPN Project at University of Tsukuba, Japan.
+# Copyright (c) 2012-2020 Daiyuu Nobori.
 # All Rights Reserved.
 # 
 # https://www.softether.org/

+ 1 - 1
src/vpnweb/vpnweb.h

@@ -4,7 +4,7 @@
 
 
  /* File created by MIDL compiler version 7.00.0500 */
-/* at Mon Nov 18 10:55:56 2019
+/* at Wed Jan 01 17:54:26 2020
  */
 /* Compiler settings for .\vpnweb.idl:
     Oicf, W1, Zp8, env=Win32 (32b run)

+ 1 - 1
src/vpnweb/vpnweb_i.c

@@ -6,7 +6,7 @@
 
 
  /* File created by MIDL compiler version 7.00.0500 */
-/* at Mon Nov 18 10:55:56 2019
+/* at Wed Jan 01 17:54:26 2020
  */
 /* Compiler settings for .\vpnweb.idl:
     Oicf, W1, Zp8, env=Win32 (32b run)

+ 1 - 1
src/vpnweb/vpnweb_p.c

@@ -4,7 +4,7 @@
 
 
  /* File created by MIDL compiler version 7.00.0500 */
-/* at Mon Nov 18 10:55:56 2019
+/* at Wed Jan 01 17:54:26 2020
  */
 /* Compiler settings for .\vpnweb.idl:
     Oicf, W1, Zp8, env=Win32 (32b run)
