dnobori 9 роки тому
4df2eb4f9c
100 змінених файлів з 1179 додано та 532 видалено
  1. 51 0
      AUTHORS.TXT
  2. 0 1
      centos/SPECS/softethervpn.spec
  3. 0 1
      configure
  4. 2 1
      debian/rules
  5. 1 0
      debian/softether-vpnserver.init
  6. BIN
      src/BuildFiles/Library/Win32_Debug/libeay32.lib
  7. BIN
      src/BuildFiles/Library/Win32_Debug/libssl32.lib
  8. BIN
      src/BuildFiles/Library/Win32_Debug/ssleay32.lib
  9. BIN
      src/BuildFiles/Library/Win32_Release/libeay32.lib
  10. BIN
      src/BuildFiles/Library/Win32_Release/libssl32.lib
  11. BIN
      src/BuildFiles/Library/Win32_Release/ssleay32.lib
  12. BIN
      src/BuildFiles/Library/x64_Debug/libeay32.lib
  13. BIN
      src/BuildFiles/Library/x64_Debug/libssl32.lib
  14. BIN
      src/BuildFiles/Library/x64_Debug/ssleay32.lib
  15. BIN
      src/BuildFiles/Library/x64_Release/libeay32.lib
  16. BIN
      src/BuildFiles/Library/x64_Release/libssl32.lib
  17. BIN
      src/BuildFiles/Library/x64_Release/ssleay32.lib
  18. 2 2
      src/BuildUtil/VpnBuilderConfig.cs
  19. 1 1
      src/Cedar/Admin.c
  20. 10 3
      src/Cedar/Cedar.c
  21. 9 25
      src/Cedar/Cedar.h
  22. 2 2
      src/Cedar/Cedar.vcproj
  23. 5 3
      src/Cedar/Client.c
  24. 38 3
      src/Cedar/Command.c
  25. 2 0
      src/Cedar/Command.h
  26. 1 2
      src/Cedar/Connection.c
  27. 1 1
      src/Cedar/Connection.h
  28. 11 5
      src/Cedar/DDNS.c
  29. 8 1
      src/Cedar/DDNS.h
  30. 1 1
      src/Cedar/Hub.c
  31. 1 1
      src/Cedar/Hub.h
  32. 7 5
      src/Cedar/IPsec_IKE.c
  33. 1 2
      src/Cedar/IPsec_IPC.c
  34. 2 2
      src/Cedar/Interop_OpenVPN.c
  35. 6 0
      src/Cedar/Layer3.c
  36. 22 6
      src/Cedar/Logging.c
  37. 11 43
      src/Cedar/Protocol.c
  38. 1 1
      src/Cedar/Protocol.h
  39. 20 8
      src/Cedar/Radius.c
  40. 4 3
      src/Cedar/Radius.h
  41. 4 1
      src/Cedar/SM.c
  42. 5 5
      src/Cedar/Sam.c
  43. 13 79
      src/Cedar/Server.c
  44. 3 1
      src/Cedar/UdpAccel.c
  45. 9 3
      src/Cedar/Virtual.c
  46. 3 1
      src/Cedar/WebUI.c
  47. 1 1
      src/Cedar/WinUi.h
  48. 52 5
      src/Cedar/Wpc.c
  49. 9 0
      src/Cedar/Wpc.h
  50. 3 3
      src/CurrentBuild.txt
  51. 2 2
      src/Ham/Ham.vcproj
  52. 60 1
      src/Mayaqua/Cfg.c
  53. 50 0
      src/Mayaqua/Encrypt.c
  54. 59 0
      src/Mayaqua/Encrypt.h
  55. 4 1
      src/Mayaqua/FileIO.c
  56. 144 106
      src/Mayaqua/Kernel.c
  57. 8 7
      src/Mayaqua/Kernel.h
  58. 4 1
      src/Mayaqua/MayaType.h
  59. 2 2
      src/Mayaqua/Mayaqua.vcproj
  60. 181 0
      src/Mayaqua/Microsoft.c
  61. 17 0
      src/Mayaqua/Microsoft.h
  62. 69 97
      src/Mayaqua/Network.c
  63. 11 3
      src/Mayaqua/Network.h
  64. 22 10
      src/Mayaqua/Secure.c
  65. 2 1
      src/Mayaqua/Secure.h
  66. 40 6
      src/Mayaqua/TcpIp.c
  67. 2 0
      src/Mayaqua/TcpIp.h
  68. 13 3
      src/Mayaqua/Unix.c
  69. 1 1
      src/Mayaqua/win32_inc/openssl/aes.h
  70. 11 7
      src/Mayaqua/win32_inc/openssl/bio.h
  71. 19 2
      src/Mayaqua/win32_inc/openssl/bn.h
  72. 6 0
      src/Mayaqua/win32_inc/openssl/buffer.h
  73. 1 1
      src/Mayaqua/win32_inc/openssl/camellia.h
  74. 6 2
      src/Mayaqua/win32_inc/openssl/comp.h
  75. 1 1
      src/Mayaqua/win32_inc/openssl/crypto.h
  76. 1 1
      src/Mayaqua/win32_inc/openssl/des_old.h
  77. 2 1
      src/Mayaqua/win32_inc/openssl/dh.h
  78. 1 1
      src/Mayaqua/win32_inc/openssl/dso.h
  79. 7 2
      src/Mayaqua/win32_inc/openssl/e_os2.h
  80. 7 6
      src/Mayaqua/win32_inc/openssl/ec.h
  81. 1 1
      src/Mayaqua/win32_inc/openssl/ecdsa.h
  82. 16 1
      src/Mayaqua/win32_inc/openssl/evp.h
  83. 1 1
      src/Mayaqua/win32_inc/openssl/kssl.h
  84. 14 2
      src/Mayaqua/win32_inc/openssl/opensslconf.h
  85. 3 3
      src/Mayaqua/win32_inc/openssl/opensslv.h
  86. 2 0
      src/Mayaqua/win32_inc/openssl/ossl_typ.h
  87. 4 2
      src/Mayaqua/win32_inc/openssl/pem.h
  88. 1 1
      src/Mayaqua/win32_inc/openssl/pkcs12.h
  89. 10 0
      src/Mayaqua/win32_inc/openssl/srp.h
  90. 16 12
      src/Mayaqua/win32_inc/openssl/ssl.h
  91. 7 10
      src/Mayaqua/win32_inc/openssl/tls1.h
  92. 3 0
      src/Mayaqua/win32_inc/openssl/ts.h
  93. 1 1
      src/Mayaqua/win32_inc/openssl/ui.h
  94. 1 1
      src/Mayaqua/win32_inc/openssl/ui_compat.h
  95. 5 2
      src/Mayaqua/win32_inc/openssl/x509.h
  96. 14 3
      src/Mayaqua/win32_inc/openssl/x509_vfy.h
  97. 1 1
      src/PenCore/PenCore.vcproj
  98. 1 1
      src/SeeDll/SeeDll.vcproj
  99. 2 2
      src/VGate/VGate.vcproj
  100. 1 1
      src/WARNING.TXT

+ 51 - 0
AUTHORS.TXT

@@ -67,6 +67,57 @@ CONTRIBUTORS on GitHub:
   - ygrek
     https://github.com/ygrek
 
+  - ajee cai
+    https://github.com/ajeecai
+
+  - NOKUBI Takatsugu
+    https://github.com/knok
+
+  - Den Lesnov
+    https://github.com/Leden
+
+  - Ilya Shipitsin
+    https://github.com/chipitsine
+
+  - Matt Lewandowsky
+    https://github.com/lewellyn
+
+  - Raymond Tau
+    https://github.com/rtau
+
+  - Luiz Eduardo Gava
+    https://github.com/LegDog
+
+  - Charles Surett
+    https://github.com/scj643
+
+  - Jeff Tang
+    https://github.com/mrjefftang
+
+  - Victor Salgado
+    https://github.com/mcsalgado
+
+  - micsell
+    https://github.com/micsell
+
+  - yehorov
+    https://github.com/yehorov
+
+  - dglushenok
+    https://github.com/dglushenok
+
+  - NoNameA 774
+    https://github.com/nna774
+
+  - Alexandre De Oliveira
+    https://github.com/yodresh
+
+  - Bernhard Rosenkraenzer
+    https://github.com/berolinux
+
+  - Sacha Bernstein
+    https://github.com/sacha
+
 
 JOIN THE SOFTETHER VPN DEVELOPMENT
 ----------------------------------

+ 0 - 1
centos/SPECS/softethervpn.spec

@@ -100,4 +100,3 @@ fi
 * Tue Jan 21 2014 Dexter Ang <[email protected]>
 - Initial release
 
-

+ 0 - 1
configure

@@ -110,4 +110,3 @@ esac
 cp src/makefiles/${OS}_${CPU}.mak Makefile
 
 echo "The Makefile is generated. Run 'make' to build SoftEther VPN."
-

+ 2 - 1
debian/rules

@@ -21,6 +21,7 @@ configure_config:
 	if [ $(shell uname -m) = 'x86_64' ]; then echo -e "1\n2\n" | ./configure; fi
 	if [ $(shell uname -m) = 'i686' ]; then echo -e "1\n1\n" | ./configure; fi
 	if [ $(shell uname -m) = 'armv6l' ]; then echo -e "1\n1\n" | ./configure; fi
-	if [ $(shell uname -m) = 'armv7l' ]; then echo -e "1\n1\n" | ./configure; fi
 	if [ $(shell uname -m) = 'armv5tel' ]; then echo -e "1\n1\n" | ./configure; fi
+	if [ $(shell uname -m) = 'aarch64' ]; then echo -e "1\n2\n" | ./configure; fi
+	if [ $(shell uname -m) = 'armv7l' ]; then echo -e "1\n1\n" | ./configure; fi
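Review bot: The added aarch64 line feeds ./configure through `echo -e` under make's default /bin/sh, which on Debian is dash; dash's builtin echo does not accept `-e` and prints it literally, so the first answer configure reads may be `-e 1` rather than `1`. The existing lines share this, but the new line copies the pattern; `printf '1\n2\n' | ./configure` does not depend on the shell's echo. The configure_config recipe starts outside the hunk.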
 

+ 1 - 0
debian/softether-vpnserver.init

@@ -1,3 +1,4 @@
+
 #! /bin/sh
 
 ### BEGIN INIT INFO
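Review bot: The empty line added at @@ -1,3 pushes `#! /bin/sh` to line 2, and a `#!` interpreter line is only honoured on the first line of a file, so executing the script directly (as the init system does) no longer selects /bin/sh and will fail or fall back to the caller's shell. Drop the added blank line so the file again starts with `#! /bin/sh`.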

BIN
src/BuildFiles/Library/Win32_Debug/libeay32.lib


BIN
src/BuildFiles/Library/Win32_Debug/libssl32.lib


BIN
src/BuildFiles/Library/Win32_Debug/ssleay32.lib


BIN
src/BuildFiles/Library/Win32_Release/libeay32.lib


BIN
src/BuildFiles/Library/Win32_Release/libssl32.lib


BIN
src/BuildFiles/Library/Win32_Release/ssleay32.lib


BIN
src/BuildFiles/Library/x64_Debug/libeay32.lib


BIN
src/BuildFiles/Library/x64_Debug/libssl32.lib


BIN
src/BuildFiles/Library/x64_Debug/ssleay32.lib


BIN
src/BuildFiles/Library/x64_Release/libeay32.lib


BIN
src/BuildFiles/Library/x64_Release/libssl32.lib


BIN
src/BuildFiles/Library/x64_Release/ssleay32.lib


+ 2 - 2
src/BuildUtil/VpnBuilderConfig.cs

@@ -430,7 +430,7 @@ namespace BuildUtil
 	{
 		// Windows
 		public static readonly OS Windows = new OS("windows", "Windows",
-			"Windows 98 / 98 SE / ME / NT 4.0 SP6a / 2000 SP4 / XP SP2, SP3 / Vista SP1, SP2 / 7 SP1 / 8 / 8.1 / 10 / Server 2003 SP2 / Server 2008 SP1, SP2 / Hyper-V Server 2008 / Server 2008 R2 SP1 / Hyper-V Server 2008 R2 / Server 2012 / Hyper-V Server 2012 / Server 2012 R2 / Hyper-V Server 2012 R2",
+			"Windows 98 / 98 SE / ME / NT 4.0 SP6a / 2000 SP4 / XP SP2, SP3 / Vista SP1, SP2 / 7 SP1 / 8 / 8.1 / 10 / Server 2003 SP2 / Server 2008 SP1, SP2 / Hyper-V Server 2008 / Server 2008 R2 SP1 / Hyper-V Server 2008 R2 / Server 2012 / Hyper-V Server 2012 / Server 2012 R2 / Hyper-V Server 2012 R2 / Server 2016",
 			new Cpu[]
 			{
 				CpuList.intel,
@@ -438,7 +438,7 @@ namespace BuildUtil
 
 		// Linux
 		public static readonly OS Linux = new OS("linux", "Linux",
-			"Linux Kernel 2.4 / 2.6 / 3.x",
+			"Linux Kernel 2.4 / 2.6 / 3.x / 4.x",
 			new Cpu[]
 			{
 				CpuList.x86,

+ 1 - 1
src/Cedar/Admin.c

@@ -1166,7 +1166,7 @@ UINT StMakeOpenVpnConfigFile(ADMIN *a, RPC_READ_LOG_FILE *t)
 
 				name = NewName(cn, cn, cn, L"US", NULL, NULL);
 
-				dummy_x = NewRootX(dummy_public_k, dummy_private_k, name, MAX(GetDaysUntil2038(), SERVER_DEFAULT_CERT_DAYS), NULL);
+				dummy_x = NewRootX(dummy_public_k, dummy_private_k, name, GetDaysUntil2038Ex(), NULL);
 
 				FreeName(name);
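Review bot: The changed NewRootX call drops the previous `MAX(..., SERVER_DEFAULT_CERT_DAYS)` floor on the dummy certificate's validity, so the lifetime now rests entirely on GetDaysUntil2038Ex(), which is defined outside this hunk. If that helper does not itself enforce a minimum, a run close to or after 2038 would produce a certificate with no validity; a comment above the call such as `// GetDaysUntil2038Ex() guarantees a non-zero validity period` would record the assumption, or the MAX could be kept. StMakeOpenVpnConfigFile begins and ends outside the hunk.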
 

+ 10 - 3
src/Cedar/Cedar.c

@@ -274,6 +274,15 @@ bool IsSupportedWinVer(RPC_WINVER *v)
 				return true;
 			}
 		}
+		else
+		{
+			// Windows Server 2016
+			if (v->ServicePack <= 0)
+			{
+				// SP0 only
+				return true;
+			}
+		}
 	}
 
 	return false;
@@ -1750,7 +1759,7 @@ CEDAR *NewCedar(X *server_x, K *server_k)
 
 	c->TrafficDiffList = NewList(NULL);
 
-	SetCedarCipherList(c, "RC4-MD5");
+	SetCedarCipherList(c, SERVER_DEFAULT_CIPHER_NAME);
 
 	c->ClientId = _II("CLIENT_ID");
 
@@ -1803,8 +1812,6 @@ CEDAR *NewCedar(X *server_x, K *server_k)
 
 	c->BuildInfo = CopyStr(tmp);
 
-	c->DisableSslVersions = SSL_OPT_DEFAULT;
-
 	return c;
 }
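Review bot: The `else` added in IsSupportedWinVer at @@ -274 is the fall-through of a version test whose condition lies outside the hunk, so it accepts every version that did not match the earlier branches, not only Windows Server 2016 as the comment says; unless the enclosing `if` already narrows to that exact version, later releases are accepted silently as well. `if (v->ServicePack <= 0)` is also `== 0` if ServicePack is unsigned, and `== 0` states the intent directly. Replacing the literal `"RC4-MD5"` by SERVER_DEFAULT_CIPHER_NAME at @@ -1750 moves the default cipher choice to a single definition, which is the right place for it; a comment there naming the reason for the new default would complete the change.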
 

+ 9 - 25
src/Cedar/Cedar.h

@@ -135,10 +135,10 @@
 
 
 // Version number
-#define	CEDAR_VER					421
+#define	CEDAR_VER					422
 
 // Build Number
-#define	CEDAR_BUILD					9613
+#define	CEDAR_BUILD					9634
 
 // Beta number
 //#define	BETA_NUMBER					3
@@ -158,11 +158,11 @@
 
 // Specifies the build date
 #define	BUILD_DATE_Y		2016
-#define	BUILD_DATE_M		4
-#define	BUILD_DATE_D		24
-#define	BUILD_DATE_HO		15
-#define	BUILD_DATE_MI		39
-#define	BUILD_DATE_SE		17
+#define	BUILD_DATE_M		11
+#define	BUILD_DATE_D		27
+#define	BUILD_DATE_HO		14
+#define	BUILD_DATE_MI		33
+#define	BUILD_DATE_SE		59
 
 // Tolerable time difference
 #define	ALLOW_TIMESTAMP_DIFF		(UINT64)(3 * 24 * 60 * 60 * 1000)
@@ -404,22 +404,7 @@
 #define	KEEP_ALIVE_MAGIC				0xffffffff
 #define	MAX_KEEPALIVE_SIZE				512
 
-// SSL/TLS Versions
-#define SSL_VERSION_SSL_V2	0x01	// SSLv2
-#define SSL_VERSION_SSL_V3	0x02	// SSLv3
-#define SSL_VERSION_TLS_V1_0	0x04	// TLS v1.0
-#define SSL_VERSION_TLS_V1_1	0x08	// TLS v1.1
-#define SSL_VERSION_TLS_V1_2	0x10	// TLS v1.2
 
-// SSL/TLS Version Names
-#define NAME_SSL_VERSION_SSL_V2	"SSL_V2"	// SSLv2
-#define NAME_SSL_VERSION_SSL_V3	"SSL_V3"	// SSLv3
-#define NAME_SSL_VERSION_TLS_V1_0	"TLS_V1_0"	// TLS v1.0
-#define NAME_SSL_VERSION_TLS_V1_1	"TLS_V1_1"	// TLS v1.1
-#define NAME_SSL_VERSION_TLS_V1_2	"TLS_V1_2"	// TLS v1.2
-
-// OpenSSL SSL Context Option Flags default
-#define SSL_OPT_DEFAULT	0x0
 
 //////////////////////////////////////////////////////////////////////
 // 
@@ -685,7 +670,7 @@
 
 #define	ARP_ENTRY_EXPIRES			(30 * 1000)		// ARP table expiration date
 #define	ARP_ENTRY_POLLING_TIME		(1 * 1000)		// ARP table cleaning timer
-#define	ARP_REQUEST_TIMEOUT			(200)			// ARP request time-out period
+#define	ARP_REQUEST_TIMEOUT			(1000)			// ARP request time-out period
 #define	ARP_REQUEST_GIVEUP			(5 * 1000)		// Time to give up sending the ARP request
 #define	IP_WAIT_FOR_ARP_TIMEOUT		(5 * 1000)		// Total time that an IP packet waiting for ARP table
 #define	IP_COMBINE_TIMEOUT			(10 * 1000)		// Time-out of IP packet combining
@@ -1067,8 +1052,7 @@ typedef struct CEDAR
 	UINT QueueBudget;				// Queue budget
 	LOCK *FifoBudgetLock;			// Fifo budget lock
 	UINT FifoBudget;				// Fifo budget
-	bool AcceptOnlyTls;				// Accept only TLS (Disable SSL)
-	UINT DisableSslVersions;	// Bitmap of SSL Version to disable
+	SSL_ACCEPT_SETTINGS SslAcceptSettings;	// SSL Accept Settings
 	char OpenVPNDefaultClientOption[MAX_SIZE];	// OpenVPN Default Client Option String
 } CEDAR;
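Review bot: ARP_REQUEST_TIMEOUT at @@ -685 grows from 200 to 1000 ms with no note on why, and it reads together with the unchanged ARP_REQUEST_GIVEUP (5 * 1000): if requests are retried every ARP_REQUEST_TIMEOUT until the give-up time, the retry budget drops from about 25 to about 5. A comment such as `// 1000 ms: fewer, slower ARP retries within ARP_REQUEST_GIVEUP` would keep the pair readable. The deletion at @@ -404 also leaves two consecutive blank lines where the SSL_VERSION_* block was.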
 

+ 2 - 2
src/Cedar/Cedar.vcproj

@@ -46,7 +46,7 @@
 				Name="VCCLCompilerTool"
 				Optimization="0"
 				AdditionalIncludeDirectories="$(SolutionDir)Mayaqua\win32_inc;.;$(SolutionDir);WinPcap"
-				PreprocessorDefinitions="WIN32;_DEBUG;_LIB;_USE_32BIT_TIME_T"
+				PreprocessorDefinitions="WIN32;_DEBUG;_LIB"
 				MinimalRebuild="true"
 				ExceptionHandling="0"
 				BasicRuntimeChecks="3"
@@ -188,7 +188,7 @@
 				EnableIntrinsicFunctions="false"
 				FavorSizeOrSpeed="0"
 				AdditionalIncludeDirectories="$(SolutionDir)Mayaqua\win32_inc;.;$(SolutionDir);WinPcap"
-				PreprocessorDefinitions="WIN32;NDEBUG;_LIB;_USE_32BIT_TIME_T;VPN_SPEED"
+				PreprocessorDefinitions="WIN32;NDEBUG;_LIB;VPN_SPEED"
 				StringPooling="false"
 				ExceptionHandling="0"
 				RuntimeLibrary="0"

+ 5 - 3
src/Cedar/Client.c

@@ -2182,12 +2182,13 @@ BUF *CiAccountToCfg(RPC_CLIENT_CREATE_ACCOUNT *t)
 PACK *CiRpcDispatch(RPC *rpc, char *name, PACK *p)
 {
 	PACK *ret;
+	CLIENT *c;
 	// Validate arguments
 	if (rpc == NULL || name == NULL || p == NULL)
 	{
 		return NULL;
 	}
-	CLIENT *c = rpc->Param;
+	c = rpc->Param;
 
 	ret = NewPack();
 
@@ -6033,8 +6034,9 @@ L_TRY:
 
 	if (ret != NULL)
 	{
-		ret->Rpc = rpc;
 		RPC_CLIENT_VERSION t;
+
+		ret->Rpc = rpc;
 		Zero(&t, sizeof(t));
 		CcGetClientVersion(ret, &t);
 		ret->OsType = t.OsType;
@@ -6487,7 +6489,7 @@ bool Win32CiSecureSign(SECURE_SIGN *sign)
 			// Success
 			ret = true;
 			sign->ClientCert = batch[0].OutputX;
-			Copy(sign->Signature, batch[1].OutputSign, 128);
+			Copy(sign->Signature, batch[1].OutputSign, MIN(sizeof(sign->Signature),sizeof(batch[1].OutputSign)));
 		}
 	}
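Review bot: The MIN on the changed Copy line in Win32CiSecureSign compares two sizeof expressions, so it is a compile-time clamp between two buffer sizes, not a check on the signature length the device actually produced; if OutputSign holds fewer meaningful bytes than sizeof(sign->Signature), the tail of sign->Signature keeps whatever it held before unless the caller zeroes it. Confirm that `sign` is zero-initialised by its caller, or copy the real length, and add a space after the comma, `MIN(sizeof(sign->Signature), sizeof(batch[1].OutputSign))`, to match the file's call style. Win32CiSecureSign starts outside the hunk.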
 

+ 38 - 3
src/Cedar/Command.c

@@ -1245,6 +1245,7 @@ void TtsWorkerThread(THREAD *thread, void *param)
 						if (ret != 0 && ret != SOCK_LATER)
 						{
 							ts->State = 5;
+							ts->LastCommTime = now;
 						}
 						break;
 
@@ -1255,6 +1256,8 @@ void TtsWorkerThread(THREAD *thread, void *param)
 						{
 							UCHAR c;
 
+							ts->LastCommTime = now;
+
 							// Direction of the data is in the first byte that is received
 							c = recv_buf_data[0];
 
@@ -1276,6 +1279,8 @@ void TtsWorkerThread(THREAD *thread, void *param)
 
 								// Span
 								ts->Span = READ_UINT64(recv_buf_data + sizeof(UINT64) + 1);
+
+								ts->GiveupSpan = ts->Span * 3ULL + 180000ULL;
 							}
 						}
 						break;
@@ -1289,6 +1294,8 @@ void TtsWorkerThread(THREAD *thread, void *param)
 							// Checking the first byte of received
 							UCHAR c = recv_buf_data[0];
 
+							ts->LastCommTime = now;
+
 							if (ts->FirstRecvTick == 0)
 							{
 								// Record the time at which the data has been received for the first
@@ -1326,10 +1333,20 @@ void TtsWorkerThread(THREAD *thread, void *param)
 						if (ts->NoMoreSendData == false)
 						{
 							ret = Send(ts->Sock, send_buf_data, buf_size, false);
+
+							if (ret != 0 && ret != SOCK_LATER)
+							{
+								ts->LastCommTime = now;
+							}
 						}
 						else
 						{
 							ret = Recv(ts->Sock, recv_buf_data, buf_size, false);
+
+							if (ret != 0 && ret != SOCK_LATER)
+							{
+								ts->LastCommTime = now;
+							}
 						}
 
 						if (ts->FirstSendTick == 0)
@@ -1364,6 +1381,11 @@ void TtsWorkerThread(THREAD *thread, void *param)
 						{
 							ret = Send(ts->Sock, &tmp64, sizeof(tmp64), false);
 
+							if (ret != 0 && ret != SOCK_LATER)
+							{
+								ts->LastCommTime = now;
+							}
+
 							if (ret != SOCK_LATER)
 							{
 								UINT j;
@@ -1390,6 +1412,12 @@ void TtsWorkerThread(THREAD *thread, void *param)
 						break;
 					}
 
+					if (now > (ts->LastCommTime + ts->GiveupSpan))
+					{
+						// Timeout: disconnect orphan sessions
+						ret = 0;
+					}
+
 					if (ret == 0)
 					{
 						// Mark as deleting the socket because it is disconnected
@@ -1514,7 +1542,7 @@ void TtsAcceptProc(TTS *tts, SOCK *listen_socket)
 		else
 		{
 			// Connected from the client
-			AcceptInit(s);
+			AcceptInitEx(s, true);
 			tts->NewSocketArrived = true;
 			LockList(tts->TtsSockList);
 			{
@@ -1523,6 +1551,9 @@ void TtsAcceptProc(TTS *tts, SOCK *listen_socket)
 				ts->Id = (++tts->IdSeed);
 				ts->Sock = s;
 
+				ts->GiveupSpan = (UINT64)(10 * 60 * 1000);
+				ts->LastCommTime = Tick64();
+
 				UniFormat(tmp, sizeof(tmp), _UU("TTS_ACCEPTED"), ts->Id,
 					s->RemoteHostname, s->RemotePort);
 				TtPrint(tts->Param, tts->Print, tmp);
@@ -8079,7 +8110,7 @@ UINT PsServerCipherGet(CONSOLE *c, char *cmd_name, wchar_t *str, void *param)
 	RPC_STR t;
 	TOKEN_LIST *ciphers;
 	UINT i;
-	wchar_t tmp[MAX_SIZE];
+	wchar_t tmp[4096];
 
 	o = ParseCommandList(c, cmd_name, str, NULL, 0);
 	if (o == NULL)
@@ -10039,7 +10070,11 @@ UINT PsLogFileGet(CONSOLE *c, char *cmd_name, wchar_t *str, void *param)
 		return ERR_INVALID_PARAMETER;
 	}
 
-	filename = GetParamStr(o, "SAVEPATH");
+	filename = GetParamStr(o, "SAVE");
+	if (IsEmptyStr(filename))
+	{
+		filename = GetParamStr(o, "SAVEPATH");
+	}
 
 	c->Write(c, _UU("CMD_LogFileGet_START"));
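Review bot: The orphan-session timeout added at @@ -1390 relies on GiveupSpan, which at @@ -1276 is derived from ts->Span, a value taken straight from the peer's first bytes with READ_UINT64; a client can therefore choose a Span that makes GiveupSpan arbitrarily large (keeping a dead test socket open indefinitely) or makes `ts->LastCommTime + ts->GiveupSpan` wrap and disconnect at once. Clamp the peer-derived value, e.g. `ts->GiveupSpan = MIN(ts->Span * 3ULL + 180000ULL, MAX_GIVEUP_SPAN_MS);` with a named upper bound (constructed name), and compare as `now - ts->LastCommTime > ts->GiveupSpan`, which cannot overflow. The 10-minute initial value set in TtsAcceptProc at @@ -1523 is a sensible default for that bound; TtsWorkerThread begins and ends outside the hunks.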
 

+ 2 - 0
src/Cedar/Command.h

@@ -204,6 +204,8 @@ struct TTS_SOCK
 	UINT64 FirstRecvTick;	// Time which the data has been received last
 	UINT64 FirstSendTick;	// Time which the data has been sent last
 	UINT64 Span;			// Period
+	UINT64 GiveupSpan;
+	UINT64 LastCommTime;
 };
 
 // Traffic test server
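Review bot: The two fields added to TTS_SOCK, GiveupSpan and LastCommTime, are the only members without a trailing comment while every neighbour documents its meaning. From their use in Command.c they appear to be a per-socket idle limit and the tick of the last successful send or receive; `UINT64 GiveupSpan;	// Idle time after which the socket is dropped` and `UINT64 LastCommTime;	// Tick of the last successful send or receive` would match the surrounding style, with the unit to be confirmed against Tick64().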

+ 1 - 2
src/Cedar/Connection.c

@@ -3137,8 +3137,7 @@ void ConnectionAccept(CONNECTION *c)
 
 	// Start the SSL communication
 	Debug("StartSSL()\n");
-	s->DisableSslVersions = c->Cedar->DisableSslVersions;
-
+	Copy(&s->SslAcceptSettings, &c->Cedar->SslAcceptSettings, sizeof(SSL_ACCEPT_SETTINGS));
 	if (StartSSL(s, x, k) == false)
 	{
 		// Failed

+ 1 - 1
src/Cedar/Connection.h

@@ -144,7 +144,7 @@ struct SECURE_SIGN
 	char SecurePrivateKeyName[MAX_SECURE_DEVICE_FILE_LEN + 1];	// Secure device secret key name
 	X *ClientCert;					// Client certificate
 	UCHAR Random[SHA1_SIZE];		// Random value for signature
-	UCHAR Signature[128];			// Signed data
+	UCHAR Signature[4096 / 8];		// Signed data
 	UINT UseSecureDeviceId;
 	UINT BitmapId;					// Bitmap ID
 };
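Review bot: `UCHAR Signature[4096 / 8];` on the changed line encodes the maximum supported RSA modulus as an anonymous arithmetic expression, and the same bound is re-derived in Client.c and Protocol.c through sizeof and `x->bits / 8`. A comment stating the intent, `// Signed data (room for up to a 4096-bit RSA signature)`, or a named constant shared by the three sites, would make the limit explicit and keep the buffer and its checks in step when it is raised again.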

+ 11 - 5
src/Cedar/DDNS.c

@@ -670,9 +670,12 @@ UINT DCRegister(DDNS_CLIENT *c, bool ipv6, DDNS_REGISTER_PARAM *p, char *replace
 	if (ret == NULL)
 	{
 		Debug("WpcCall: %s\n", url3);
-		ret = WpcCallEx(url3, &t, DDNS_CONNECT_TIMEOUT, DDNS_COMM_TIMEOUT, "register", req,
-			NULL, NULL, ((cert_hash != NULL && cert_hash->Size == SHA1_SIZE) ? cert_hash->Buf : NULL), NULL, DDNS_RPC_MAX_RECV_SIZE,
-			add_header_name, add_header_value);
+		ret = WpcCallEx2(url3, &t, DDNS_CONNECT_TIMEOUT, DDNS_COMM_TIMEOUT, "register", req,
+			NULL, NULL, ((cert_hash != NULL && ((cert_hash->Size % SHA1_SIZE) == 0)) ? cert_hash->Buf : NULL),
+			(cert_hash != NULL ? cert_hash->Size / SHA1_SIZE : 0),
+			NULL, DDNS_RPC_MAX_RECV_SIZE,
+			add_header_name, add_header_value,
+			DDNS_SNI_VER_STRING);
 		Debug("WpcCall Ret: %u\n", ret);
 	}
 
@@ -874,8 +877,11 @@ UINT DCGetMyIpMain(DDNS_CLIENT *c, bool ipv6, char *dst, UINT dst_size, bool use
 	}
 
 
-	recv = HttpRequest(&data, (ipv6 ? NULL : &c->InternetSetting), DDNS_CONNECT_TIMEOUT, DDNS_COMM_TIMEOUT, &ret, false, NULL, NULL,
-		NULL, ((cert_hash != NULL && cert_hash->Size == SHA1_SIZE) ? cert_hash->Buf : NULL));
+	StrCpy(data.SniString, sizeof(data.SniString), DDNS_SNI_VER_STRING);
+
+	recv = HttpRequestEx3(&data, (ipv6 ? NULL : &c->InternetSetting), DDNS_CONNECT_TIMEOUT, DDNS_COMM_TIMEOUT, &ret, false, NULL, NULL,
+		NULL, ((cert_hash != NULL && (cert_hash->Size % SHA1_SIZE) == 0) ? cert_hash->Buf : NULL),
+		(cert_hash != NULL ? cert_hash->Size / SHA1_SIZE : 0), NULL, 0, NULL, NULL);
 
 	FreeBuf(cert_hash);
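Review bot: The pin-list arguments on the changed WpcCallEx2 and HttpRequestEx3 calls accept `cert_hash->Size == 0`, because `0 % SHA1_SIZE == 0` satisfies the modulo test; a zero-length BUF then yields a non-NULL hash pointer with a count of 0, and whether that disables the certificate check or rejects every certificate depends on the callee, which is outside this hunk. Tightening the condition to `cert_hash->Size >= SHA1_SIZE && (cert_hash->Size % SHA1_SIZE) == 0` makes the intent explicit; the same pattern appears in UpdateClientThreadMain in src/Cedar/Protocol.c at @@ -690. The repeated `cert_hash != NULL ? ... : 0` expressions could also be computed once into two locals to keep the calls readable.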
 

+ 8 - 1
src/Cedar/DDNS.h

@@ -115,7 +115,14 @@
 #define	DDNS_H
 
 // Certificate hash
-#define	DDNS_CERT_HASH		"EFAC5FA0CDD14E0F864EED58A73C35D7E33B62F3"
+#define	DDNS_CERT_HASH		"78BF0499A99396907C9F49DD13571C81FE26E6F5" \
+							"439BAFA75A6EE5671FC9F9A02D34FF29881761A0" \
+							"EFAC5FA0CDD14E0F864EED58A73C35D7E33B62F3" \
+							"74DF99D4B1B5F0488A388B50D347D26013DC67A5" \
+							"6EBB39AFCA8C900635CFC11218CF293A612457E4"
+
+#define	DDNS_SNI_VER_STRING		"DDNS"
+
 
 // Destination URL
 #define	DDNS_URL_V4_GLOBAL	"https://x%c.x%c.servers.ddns.softether-network.net/ddns/ddns.aspx"
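Review bot: DDNS_CERT_HASH now concatenates five 40-character hex digests into one string with no separator, and nothing in this header records that consumers split it into SHA1_SIZE-byte entries after StrToBin, which is what the callers in DDNS.c and Protocol.c do. A comment above the define, `// One or more SHA-1 certificate fingerprints, 40 hex chars each, concatenated without separators; split on SHA1_SIZE after StrToBin`, would document the format, and a note on which server certificate each entry belongs to would help the next rotation. DDNS_SNI_VER_STRING is also reused by the update client in Protocol.c, so its comment should say it is shared rather than DDNS-only.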

+ 1 - 1
src/Cedar/Hub.c

@@ -214,7 +214,7 @@ EAP_CLIENT *HubNewEapClient(CEDAR *cedar, char *hubname, char *client_ip_str, ch
 						if (GetIP(&ip, radius_servers_list->Token[i]))
 						{
 							eap = NewEapClient(&ip, radius_port, radius_secret, radius_retry_interval,
-								RADIUS_INITIAL_EAP_TIMEOUT, client_ip_str, username);
+								RADIUS_INITIAL_EAP_TIMEOUT, client_ip_str, username, hubname);
 
 							if (eap != NULL)
 							{

+ 1 - 1
src/Cedar/Hub.h

@@ -438,9 +438,9 @@ struct HUB
 	UINT RadiusRetryInterval;			// Radius retry interval
 	BUF *RadiusSecret;					// Radius shared key
 	char RadiusSuffixFilter[MAX_SIZE];	// Radius suffix filter
+	char RadiusRealm[MAX_SIZE];			// Radius realm (optional)
 	bool RadiusConvertAllMsChapv2AuthRequestToEap;	// Convert all MS-CHAPv2 auth request to EAP
 	bool RadiusUsePeapInsteadOfEap;			// Use PEAP instead of EAP
-	char RadiusRealm[MAX_SIZE];		// Radius realm (optional)
 	volatile bool Halt;					// Halting flag
 	bool Offline;						// Offline
 	bool BeingOffline;					// Be Doing Offline

+ 7 - 5
src/Cedar/IPsec_IKE.c

@@ -4723,11 +4723,13 @@ bool GetBestTransformSettingForIPsecSa(IKE_SERVER *ike, IKE_PACKET *pr, IPSEC_SA
 					if (transform_payload != NULL)
 					{
 						IKE_PACKET_TRANSFORM_PAYLOAD *transform = &transform_payload->Payload.Transform;
-						IPSEC_SA_TRANSFORM_SETTING *set = NULL;
+						IPSEC_SA_TRANSFORM_SETTING set;
 
-						if (TransformPayloadToTransformSettingForIPsecSa(ike, transform, set, server_ip))
+						Zero(&set, sizeof(set));
+
+						if (TransformPayloadToTransformSettingForIPsecSa(ike, transform, &set, server_ip))
 						{
-							Copy(setting, set, sizeof(IPSEC_SA_TRANSFORM_SETTING));
+							Copy(setting, &set, sizeof(IPSEC_SA_TRANSFORM_SETTING));
 
 							setting->SpiServerToClient = READ_UINT(proposal->Spi->Buf);
 
@@ -4735,11 +4737,11 @@ bool GetBestTransformSettingForIPsecSa(IKE_SERVER *ike, IKE_PACKET *pr, IPSEC_SA
 						}
 						else
 						{
-							if (set != NULL && set->OnlyCapsuleModeIsInvalid)
+							if (set.OnlyCapsuleModeIsInvalid)
 							{
 								if (ocmii_flag == false)
 								{
-									Copy(setting, set, sizeof(IPSEC_SA_TRANSFORM_SETTING));
+									Copy(setting, &set, sizeof(IPSEC_SA_TRANSFORM_SETTING));
 									ocmii_flag = true;
 								}
 							}

+ 1 - 2
src/Cedar/IPsec_IPC.c

@@ -426,7 +426,6 @@ IPC *NewIPC(CEDAR *cedar, char *client_name, char *postfix, char *hubname, char
 
 	// Upload the authentication data
 	p = PackLoginWithPlainPassword(hubname, username, password);
-	PackAddInt64(p, "timestamp", SystemTime64());
 	PackAddStr(p, "hello", client_name);
 	PackAddInt(p, "client_ver", cedar->Version);
 	PackAddInt(p, "client_build", cedar->Build);
@@ -690,7 +689,7 @@ void IPCDhcpSetConditionalUserClass(IPC *ipc, DHCP_OPTION_LIST *req)
 		return;
 	}
 
-	if (hub->Option && hub->Option->UseHubNameAsDhcpUserClassOption == true)
+	if (hub->Option && hub->Option->UseHubNameAsDhcpUserClassOption)
 	{
 		StrCpy(req->UserClass, sizeof(req->UserClass), ipc->HubName);
 	}

+ 2 - 2
src/Cedar/Interop_OpenVPN.c

@@ -2114,8 +2114,8 @@ void OvsRecvPacket(OPENVPN_SERVER *s, LIST *recv_packet_list, UINT protocol)
 											if (r->Exists)
 											{
 												Format(l3_options, sizeof(l3_options),
-													",route %r %r %r",
-													&r->Network, &r->SubnetMask, &r->Gateway);
+													",route %r %r vpn_gateway",
+													&r->Network, &r->SubnetMask);
 
 												StrCat(option_str, sizeof(option_str), l3_options);
 											}

+ 6 - 0
src/Cedar/Layer3.c

@@ -540,6 +540,12 @@ void L3KnownArp(L3IF *f, UINT ip, UCHAR *mac)
 		return;
 	}
 
+	if (!((f->IpAddress & f->SubnetMask) == (ip & f->SubnetMask)))
+	{
+		// Outside the subnet
+		return;
+	}
+
 	// Delete an ARP query entry to this IP address
 	Zero(&t, sizeof(t));
 	t.IpAddress = ip;
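Review bot: The subnet guard added in L3KnownArp is written as `if (!((a) == (b)))`, a double negative; `if ((f->IpAddress & f->SubnetMask) != (ip & f->SubnetMask))` states the same condition directly. The check itself is a sound scope limit, since ARP information for addresses outside the interface's own subnet should not populate its table, and the comment could say so: `// Ignore ARP for addresses outside this interface's subnet`. L3KnownArp starts outside the hunk.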

+ 22 - 6
src/Cedar/Logging.c

@@ -1396,22 +1396,38 @@ char *BuildHttpLogStr(HTTPLOG *h)
 
 	b = NewBuf();
 
-	if (StartWith(h->Path, "http://"))
+	if (StartWith(h->Path, "http://") || StartWith(h->Path, "https://"))
 	{
 		StrCpy(url, sizeof(url), h->Path);
 	}
 	else
 	{
 		// URL generation
-		if (h->Port == 80)
+		if (h->IsSsl == false)
 		{
-			Format(url, sizeof(url), "http://%s%s",
-				h->Hostname, h->Path);
+			if (h->Port == 80)
+			{
+				Format(url, sizeof(url), "http://%s%s",
+					h->Hostname, h->Path);
+			}
+			else
+			{
+				Format(url, sizeof(url), "http://%s:%u%s",
+					h->Hostname, h->Port, h->Path);
+			}
 		}
 		else
 		{
-			Format(url, sizeof(url), "http://%s:%u%s",
-				h->Hostname, h->Port, h->Path);
+			if (h->Port == 443)
+			{
+				Format(url, sizeof(url), "https://%s/",
+					h->Hostname);
+			}
+			else
+			{
+				Format(url, sizeof(url), "https://%s:%u/",
+					h->Hostname, h->Port);
+			}
 		}
 	}
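Review bot: In the new IsSsl branch of BuildHttpLogStr the URL is built from hostname and port only and h->Path is dropped, while the non-SSL branch and the `https://` prefix case both keep the path. If this is deliberate because the path of a TLS connection is not observable, a comment such as `// TLS: only host and port are known, so the logged URL ends at "/"` would record it; otherwise the path should be appended as in the http branch. The function starts outside the hunk.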
 

+ 11 - 43
src/Cedar/Protocol.c

@@ -690,8 +690,11 @@ void UpdateClientThreadMain(UPDATE_CLIENT *c)
 
 	cert_hash = StrToBin(UPDATE_SERVER_CERT_HASH);
 
-	recv = HttpRequestEx2(&data, NULL, UPDATE_CONNECT_TIMEOUT, UPDATE_COMM_TIMEOUT, &ret, false, NULL, NULL,
-		NULL, ((cert_hash != NULL && cert_hash->Size == SHA1_SIZE) ? cert_hash->Buf : NULL),
+	StrCpy(data.SniString, sizeof(data.SniString), DDNS_SNI_VER_STRING);
+
+	recv = HttpRequestEx3(&data, NULL, UPDATE_CONNECT_TIMEOUT, UPDATE_COMM_TIMEOUT, &ret, false, NULL, NULL,
+		NULL, ((cert_hash != NULL && (cert_hash->Size % SHA1_SIZE) == 0) ? cert_hash->Buf : NULL),
+		(cert_hash != NULL ? (cert_hash->Size / SHA1_SIZE) : 0),
 		(bool *)&c->HaltFlag, 0, NULL, NULL);
 
 	FreeBuf(cert_hash);
@@ -1312,7 +1315,6 @@ bool ServerAccept(CONNECTION *c)
 	FARM_MEMBER *f = NULL;
 	SERVER *server = NULL;
 	POLICY ticketed_policy;
-	UINT64 timestamp;
 	UCHAR unique[SHA1_SIZE], unique2[SHA1_SIZE];
 	CEDAR *cedar;
 	RPC_WINVER winver;
@@ -1450,31 +1452,6 @@ bool ServerAccept(CONNECTION *c)
 		}
 	}
 
-	// Time inspection
-	timestamp = PackGetInt64(p, "timestamp");
-	if (timestamp != 0)
-	{
-		UINT64 now = SystemTime64();
-		UINT64 abs;
-		if (now >= timestamp)
-		{
-			abs = now - timestamp;
-		}
-		else
-		{
-			abs = timestamp - now;
-		}
-
-		if (abs > ALLOW_TIMESTAMP_DIFF)
-		{
-			// Time difference is too large
-			FreePack(p);
-			c->Err = ERR_BAD_CLOCK;
-			error_detail = "ERR_BAD_CLOCK";
-			goto CLEANUP;
-		}
-	}
-
 	// Get the client version
 	PackGetStr(p, "client_str", c->ClientStr, sizeof(c->ClientStr));
 	c->ClientVer = PackGetInt(p, "client_ver");
@@ -1655,7 +1632,7 @@ bool ServerAccept(CONNECTION *c)
 			{
 				radius_login_opt.In_CheckVLanId = hub->Option->AssignVLanIdByRadiusAttribute;
 				radius_login_opt.In_DenyNoVlanId = hub->Option->DenyAllRadiusLoginWithNoVlanAssign;
-				if (hub->Option->UseHubNameAsRadiusNasId == true)
+				if (hub->Option->UseHubNameAsRadiusNasId)
 				{
 					StrCpy(radius_login_opt.NasId, sizeof(radius_login_opt.NasId), hubname);
 				}
@@ -4578,7 +4555,7 @@ bool ClientSecureSign(CONNECTION *c, UCHAR *sign, UCHAR *random, X **x)
 
 	if (ret)
 	{
-		Copy(sign, ss->Signature, 128);
+		Copy(sign, ss->Signature, sizeof(ss->Signature));
 		*x = ss->ClientCert;
 	}
 
@@ -5857,7 +5834,7 @@ bool ClientUploadAuth(CONNECTION *c)
 			// Authentication by secure device
 			if (ClientSecureSign(c, sign, c->Random, &x))
 			{
-				p = PackLoginWithCert(o->HubName, a->Username, x, sign, 128);
+				p = PackLoginWithCert(o->HubName, a->Username, x, sign, x->bits / 8);
 				c->ClientX = CloneX(x);
 				FreeX(x);
 			}
@@ -5880,9 +5857,6 @@ bool ClientUploadAuth(CONNECTION *c)
 		PackAddData(p, "ticket", c->Ticket, SHA1_SIZE);
 	}
 
-	// Current time
-	PackAddInt64(p, "timestamp", SystemTime64());
-
 	if (p == NULL)
 	{
 		// Error
@@ -6073,9 +6047,8 @@ bool ServerDownloadSignature(CONNECTION *c, char **error_detail_str)
 	SOCK *s;
 	UINT num = 0, max = 19;
 	SERVER *server;
-	char hostname[64];
 	char *vpn_http_target = HTTP_VPN_TARGET2;
-	bool check_hostname = true;
+	bool check_hostname = false;
 	// Validate arguments
 	if (c == NULL)
 	{
@@ -6083,7 +6056,7 @@ bool ServerDownloadSignature(CONNECTION *c, char **error_detail_str)
 	}
 
 
-	strcpy(hostname, "");
+
 	server = c->Cedar->Server;
 
 	s = c->FirstSock;
@@ -6113,6 +6086,7 @@ bool ServerDownloadSignature(CONNECTION *c, char **error_detail_str)
 		if (check_hostname && (StrCmpi(h->Version, "HTTP/1.1") == 0 || StrCmpi(h->Version, "HTTP/1.2") == 0))
 		{
 			HTTP_VALUE *v;
+			char hostname[64];
 
 			Zero(hostname, sizeof(hostname));
 
@@ -6347,12 +6321,6 @@ bool ServerDownloadSignature(CONNECTION *c, char **error_detail_str)
 						}
 					}
 
-					if ((b == false) && (StartWith(h->Target, "/wiki"))) 
-					{
-						HttpSendRedirect(s, h->Target, hostname);
-						b = true;
-					}
-
 					if (b == false)
 					{
 						// Not Found
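Review bot: In ServerDownloadSignature the change of `check_hostname` to `false` at @@ -6073 leaves the whole `if (check_hostname && ...)` block at @@ -6113, including the new local `hostname[64]`, as code that can never run; if the Host header check is no longer wanted, remove the block rather than park it behind a constant, and if it is meant to become configurable, make it a setting. The timestamp inspection removed at @@ -1450 (with the `timestamp` field dropped from the login packs in ClientUploadAuth and in src/Cedar/IPsec_IPC.c) was the only visible user of ALLOW_TIMESTAMP_DIFF in Cedar.h; if no other user remains, that macro and the ERR_BAD_CLOCK path are dead. The behaviour change, that clients with a clock off by more than three days are now accepted, deserves a sentence in the commit message.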

+ 1 - 1
src/Cedar/Protocol.h

@@ -180,7 +180,7 @@ struct UPDATE_CLIENT
 #define	UPDATE_FAMILY_NAME			_SS("PRODUCT_FAMILY_NAME")
 
 // Software update server certificate hash
-#define	UPDATE_SERVER_CERT_HASH		"EFAC5FA0CDD14E0F864EED58A73C35D7E33B62F3"
+#define	UPDATE_SERVER_CERT_HASH		DDNS_CERT_HASH
 
 // URL
 #define	UPDATE_SERVER_URL_GLOBAL	"https://update-check.softether-network.net/update/update.aspx?family=%s&software=%s&mybuild=%u&lang=%s"
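Review bot: Defining UPDATE_SERVER_CERT_HASH as DDNS_CERT_HASH on the changed line ties the update server's pin set to the DDNS one and makes this header depend on DDNS.h being included first, and neither is stated. A comment such as `// Shares the DDNS pin list (DDNS.h); both services present certificates from the same set` would record the coupling, and the include order should be checked wherever Protocol.h is pulled in without DDNS.h.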

+ 20 - 8
src/Cedar/Radius.c

@@ -686,6 +686,11 @@ void EapSetRadiusGeneralAttributes(RADIUS_PACKET *r, EAP_CLIENT *e)
 	ui = Endian32(5);
 	Add(r->AvpList, NewRadiusAvp(RADIUS_ATTRIBUTE_NAS_PORT_TYPE, 0, 0, &ui, sizeof(UINT)));
 
+	if (IsEmptyStr(e->CalledStationStr) == false)
+	{
+		Add(r->AvpList, NewRadiusAvp(RADIUS_ATTRIBUTE_CALLED_STATION_ID, 0, 0, e->CalledStationStr, StrLen(e->CalledStationStr)));
+	}
+
 	Add(r->AvpList, NewRadiusAvp(RADIUS_ATTRIBUTE_CALLING_STATION_ID, 0, 0, e->ClientIpStr, StrLen(e->ClientIpStr)));
 
 	Add(r->AvpList, NewRadiusAvp(RADIUS_ATTRIBUTE_TUNNEL_CLIENT_ENDPOINT, 0, 0, e->ClientIpStr, StrLen(e->ClientIpStr)));
@@ -1237,7 +1242,7 @@ bool EapSendPacket(EAP_CLIENT *e, RADIUS_PACKET *r)
 }
 
 // New EAP client
-EAP_CLIENT *NewEapClient(IP *server_ip, UINT server_port, char *shared_secret, UINT resend_timeout, UINT giveup_timeout, char *client_ip_str, char *username)
+EAP_CLIENT *NewEapClient(IP *server_ip, UINT server_port, char *shared_secret, UINT resend_timeout, UINT giveup_timeout, char *client_ip_str, char *username, char *hubname)
 {
 	EAP_CLIENT *e;
 	if (server_ip == NULL)
@@ -1266,6 +1271,7 @@ EAP_CLIENT *NewEapClient(IP *server_ip, UINT server_port, char *shared_secret, U
 	e->GiveupTimeout = giveup_timeout;
 	StrCpy(e->SharedSecret, sizeof(e->SharedSecret), shared_secret);
 
+	StrCpy(e->CalledStationStr, sizeof(e->CalledStationStr), hubname);
 	StrCpy(e->ClientIpStr, sizeof(e->ClientIpStr), client_ip_str);
 	StrCpy(e->Username, sizeof(e->Username), username);
 	e->LastRecvEapId = 0;
@@ -1702,8 +1708,8 @@ LABEL_ERROR:
 ////////// Classical implementation
 
 // Attempts Radius authentication (with specifying retry interval and multiple server)
-bool RadiusLogin(CONNECTION *c, char *hubname, char *server, UINT port, UCHAR *secret, UINT secret_size, wchar_t *username, char *password, UINT interval, UCHAR *mschap_v2_server_response_20,
-				 RADIUS_LOGIN_OPTION *opt)
+bool RadiusLogin(CONNECTION *c, char *server, UINT port, UCHAR *secret, UINT secret_size, wchar_t *username, char *password, UINT interval, UCHAR *mschap_v2_server_response_20,
+				 RADIUS_LOGIN_OPTION *opt, char *hubname)
 {
 	UCHAR random[MD5_SIZE];
 	UCHAR id;
@@ -1835,7 +1841,7 @@ bool RadiusLogin(CONNECTION *c, char *hubname, char *server, UINT port, UCHAR *s
 		BUF *user_password = (is_mschap ? NULL : RadiusCreateUserPassword(encrypted_password->Buf, encrypted_password->Size));
 		BUF *nas_id;
 
-		if (IsEmptyStr(opt->NasId) == true)
+		if (IsEmptyStr(opt->NasId))
 		{
 			nas_id = RadiusCreateNasId(CEDAR_SERVER_STR);
 		}
@@ -1890,8 +1896,11 @@ bool RadiusLogin(CONNECTION *c, char *hubname, char *server, UINT port, UCHAR *s
 				ui = Endian32(1);
 				RadiusAddValue(p, 65, 0, 0, &ui, sizeof(ui));
 
-				// Called-Station-Id
-				RadiusAddValue(p, 30, 0, 0, hubname, StrLen(hubname));
+				// Called-Station-ID - VPN Hub Name
+				if (IsEmptyStr(hubname) == false)
+				{
+					RadiusAddValue(p, 30, 0, 0, hubname, StrLen(hubname));
+				}
 
 				// Calling-Station-Id
 				RadiusAddValue(p, 31, 0, 0, client_ip_str, StrLen(client_ip_str));
@@ -1943,8 +1952,11 @@ bool RadiusLogin(CONNECTION *c, char *hubname, char *server, UINT port, UCHAR *s
 				ui = Endian32(1);
 				RadiusAddValue(p, 65, 0, 0, &ui, sizeof(ui));
 
-				// Called-Station-Id
-				RadiusAddValue(p, 30, 0, 0, hubname, StrLen(hubname));
+				// Called-Station-ID - VPN Hub Name
+				if (IsEmptyStr(hubname) == false)
+				{
+					RadiusAddValue(p, 30, 0, 0, hubname, StrLen(hubname));
+				}
 
 				// Calling-Station-Id
 				RadiusAddValue(p, 31, 0, 0, client_ip_str, StrLen(client_ip_str));

+ 4 - 3
src/Cedar/Radius.h

@@ -311,6 +311,7 @@ struct EAP_CLIENT
 	UINT ServerPort;
 	char SharedSecret[MAX_SIZE];
 	char ClientIpStr[256];
+	char CalledStationStr[256];
 	char Username[MAX_USERNAME_LEN + 1];
 	UINT ResendTimeout;
 	UINT GiveupTimeout;
@@ -346,7 +347,7 @@ RADIUS_AVP *GetRadiusAvp(RADIUS_PACKET *p, UCHAR type);
 void RadiusTest();
 
 
-EAP_CLIENT *NewEapClient(IP *server_ip, UINT server_port, char *shared_secret, UINT resend_timeout, UINT giveup_timeout, char *client_ip_str, char *username);
+EAP_CLIENT *NewEapClient(IP *server_ip, UINT server_port, char *shared_secret, UINT resend_timeout, UINT giveup_timeout, char *client_ip_str, char *username, char *hubname);
 void ReleaseEapClient(EAP_CLIENT *e);
 void CleanupEapClient(EAP_CLIENT *e);
 bool EapClientSendMsChapv2AuthRequest(EAP_CLIENT *e);
@@ -376,8 +377,8 @@ struct RADIUS_LOGIN_OPTION
 };
 
 // Function prototype
-bool RadiusLogin(CONNECTION *c, char *hubname, char *server, UINT port, UCHAR *secret, UINT secret_size, wchar_t *username, char *password, UINT interval, UCHAR *mschap_v2_server_response_20,
-				 RADIUS_LOGIN_OPTION *opt);
+bool RadiusLogin(CONNECTION *c, char *server, UINT port, UCHAR *secret, UINT secret_size, wchar_t *username, char *password, UINT interval, UCHAR *mschap_v2_server_response_20,
+				 RADIUS_LOGIN_OPTION *opt, char *hubname);
 BUF *RadiusEncryptPassword(char *password, UCHAR *random, UCHAR *secret, UINT secret_size);
 BUF *RadiusCreateUserName(wchar_t *username);
 BUF *RadiusCreateUserPassword(void *data, UINT size);
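Review bot: The RadiusLogin prototype moves `hubname` from the second argument to the last rather than leaving it where it was; since `server` is also a `char *`, a caller not rebuilt against the new header would pass the hub name where the server address is expected and the server address in the `port` slot, which C only reports as a pointer-to-integer conversion warning. Keeping the original position (`CONNECTION *c, char *hubname, char *server, ...`) would avoid the call-site churn in Sam.c and make such a mix-up impossible. The new `CalledStationStr[256]` field in EAP_CLIENT is undocumented; a short comment such as `// Hub name carried as Called-Station-Id` would say what it holds and why it sits next to ClientIpStr.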

+ 4 - 1
src/Cedar/SM.c

@@ -876,12 +876,14 @@ static UINT SmDdnsGetKey(char *key, SM_DDNS *d){
 	UINT err;
 	BUF *buf;
 	FOLDER *root, *ddnsfolder;
+	RPC *rpc;
 
 	// Validate arguments
 	if(d == NULL || d->s == NULL || key == NULL){
 		return ERR_INTERNAL_ERROR;
 	}
-	RPC *rpc = d->s->Rpc;
+
+	rpc = d->s->Rpc;
 
 	Zero(&config, sizeof(config));
 	err = ScGetConfig(d->s->Rpc, &config);
@@ -17011,6 +17013,7 @@ void SmSslDlgInit(HWND hWnd, SM_SSL *s)
 
 	// Set the encryption algorithm list
 	cipher_list = GetCipherList();
+	SetFont(hWnd, C_CIPHER, GetFont("Tahoma", 8, false, false, false, false));
 	CbSetHeight(hWnd, C_CIPHER, 18);
 	for (i = 0;i < cipher_list->NumTokens;i++)
 	{

+ 5 - 5
src/Cedar/Sam.c

@@ -214,9 +214,9 @@ bool SamAuthUserByPlainPassword(CONNECTION *c, HUB *hub, char *username, char *p
 						if( IsEmptyStr(h->RadiusRealm) == false )
 						{	
 							char name_and_realm[MAX_SIZE];
-							StrCpy(name_and_realm, MAX_SIZE, username);
-							StrCat(name_and_realm, (MAX_SIZE - StrLen(name_and_realm)), "@");
-							StrCat(name_and_realm, (MAX_SIZE - StrLen(name_and_realm)), h->RadiusRealm);
+							StrCpy(name_and_realm, sizeof(name_and_realm), username);
+							StrCat(name_and_realm, sizeof(name_and_realm), "@");
+							StrCat(name_and_realm, sizeof(name_and_realm), h->RadiusRealm);
 							name = CopyStrToUni(name_and_realm);
 						}
 						else
@@ -276,9 +276,9 @@ bool SamAuthUserByPlainPassword(CONNECTION *c, HUB *hub, char *username, char *p
 				if (UniIsEmptyStr(suffix_filter_w) || UniEndWith(name, suffix_filter_w))
 				{
 					// Attempt to login
-					b = RadiusLogin(c, hub->Name, radius_server_addr, radius_server_port,
+					b = RadiusLogin(c, radius_server_addr, radius_server_port,
 						radius_secret, StrLen(radius_secret),
-						name, password, interval, mschap_v2_server_response_20, opt);
+						name, password, interval, mschap_v2_server_response_20, opt, hub->Name);
 
 					if (b)
 					{

+ 13 - 79
src/Cedar/Server.c

@@ -2152,7 +2152,7 @@ void SiGenerateDefaultCertEx(X **server_x, K **server_k, char *common_name)
 
 	name = NewName(cn, cn, cn,
 		L"US", NULL, NULL);
-	x = NewRootX(public_key, private_key, name, MAX(GetDaysUntil2038(), SERVER_DEFAULT_CERT_DAYS), NULL);
+	x = NewRootX(public_key, private_key, name, GetDaysUntil2038Ex(), NULL);
 
 	*server_x = x;
 	*server_k = private_key;
@@ -2578,7 +2578,7 @@ void SiLoadInitialConfiguration(SERVER *s)
 	}
 
 	// Default to TLS only; mitigates CVE-2016-0800
-	s->Cedar->AcceptOnlyTls = true;
+	s->Cedar->SslAcceptSettings.AcceptOnlyTls = true;
 
 	// Auto saving interval related
 	s->AutoSaveConfigSpan = SERVER_FILE_SAVE_INTERVAL_DEFAULT;
@@ -2765,9 +2765,6 @@ void SiInitConfiguration(SERVER *s)
 	s->AutoSaveConfigSpan = SERVER_FILE_SAVE_INTERVAL_DEFAULT;
 	s->BackupConfigOnlyWhenModified = true;
 
-	// Default to TLS only; mitigates CVE-2016-0800
-	s->Cedar->AcceptOnlyTls = true;
-
 	// IPsec server
 	if (s->Cedar->Bridge == false)
 	{
@@ -5019,10 +5016,10 @@ void SiWriteHubCfg(FOLDER *f, HUB *h)
 		CfgAddInt(f, "RadiusServerPort", h->RadiusServerPort);
 		CfgAddInt(f, "RadiusRetryInterval", h->RadiusRetryInterval);
 		CfgAddStr(f, "RadiusSuffixFilter", h->RadiusSuffixFilter);
+		CfgAddStr(f, "RadiusRealm", h->RadiusRealm);
 
 		CfgAddBool(f, "RadiusConvertAllMsChapv2AuthRequestToEap", h->RadiusConvertAllMsChapv2AuthRequestToEap);
 		CfgAddBool(f, "RadiusUsePeapInsteadOfEap", h->RadiusUsePeapInsteadOfEap);
-		CfgAddStr(f, "RadiusRealm", h->RadiusRealm);
 	}
 	Unlock(h->RadiusOptionLock);
 
@@ -6170,47 +6167,16 @@ void SiLoadServerCfg(SERVER *s, FOLDER *f)
 		// AcceptOnlyTls
 		if (CfgIsItem(f, "AcceptOnlyTls"))
 		{
-			c->AcceptOnlyTls = CfgGetBool(f, "AcceptOnlyTls");
+			c->SslAcceptSettings.AcceptOnlyTls = CfgGetBool(f, "AcceptOnlyTls");
 		}
 		else
 		{
-			c->AcceptOnlyTls = true;
-		}
-
-		if (c->AcceptOnlyTls) {
-			c->DisableSslVersions |= SSL_VERSION_SSL_V2;
-			c->DisableSslVersions |= SSL_VERSION_SSL_V3;
-		}
-
-		if (CfgGetStr(f, "DisableSslVersions", tmp, sizeof(tmp))) {
-			TOKEN_LIST *sslVersions= ParseToken(tmp, ", ");
-			UINT i;		
-			for (i = 0;i < sslVersions->NumTokens;i++)
-			{
-				char *sslVersion=sslVersions->Token[i];
-				if (StrCmp(sslVersion, NAME_SSL_VERSION_SSL_V2)==0) {
-					c->DisableSslVersions |= SSL_VERSION_SSL_V2;
-					continue;
-				}
-				if (StrCmp(sslVersion, NAME_SSL_VERSION_SSL_V3)==0) {
-					c->DisableSslVersions |= SSL_VERSION_SSL_V3;
-					continue;
-				}
-				if (StrCmp(sslVersion, NAME_SSL_VERSION_TLS_V1_0)==0) { 
-					c->DisableSslVersions |= SSL_VERSION_TLS_V1_0;
-					continue;
-				}
-				if (StrCmp(sslVersion, NAME_SSL_VERSION_TLS_V1_1)==0) {
-					c->DisableSslVersions |= SSL_VERSION_TLS_V1_1;
-					continue;
-				}
-				if (StrCmp(sslVersion, NAME_SSL_VERSION_TLS_V1_2)==0) {
-					c->DisableSslVersions |= SSL_VERSION_TLS_V1_2;
-					continue;
-				}
-			}
-			FreeToken(sslVersions);
+			// Default to TLS only; mitigates CVE-2016-0800
+			c->SslAcceptSettings.AcceptOnlyTls = true;
 		}
+		c->SslAcceptSettings.Tls_Disable1_0 = CfgGetBool(f, "Tls_Disable1_0");
+		c->SslAcceptSettings.Tls_Disable1_1 = CfgGetBool(f, "Tls_Disable1_1");
+		c->SslAcceptSettings.Tls_Disable1_2 = CfgGetBool(f, "Tls_Disable1_2");
 	}
 	Unlock(c->lock);
 
@@ -6519,42 +6485,10 @@ void SiWriteServerCfg(FOLDER *f, SERVER *s)
 		CfgAddBool(f, "DisableGetHostNameWhenAcceptTcp", s->DisableGetHostNameWhenAcceptTcp);
 		CfgAddBool(f, "DisableCoreDumpOnUnix", s->DisableCoreDumpOnUnix);
 
-		CfgAddBool(f, "AcceptOnlyTls", c->AcceptOnlyTls);
-
-		{
-			char tmp[MAX_SIZE];
-			tmp[0] = 0;
-			if (c->DisableSslVersions & SSL_VERSION_SSL_V2) {
-				StrCat(tmp, sizeof(tmp), NAME_SSL_VERSION_SSL_V2);
-				StrCat(tmp, sizeof(tmp), ",");
-			}
-			if (c->DisableSslVersions & SSL_VERSION_SSL_V3) {
-				StrCat(tmp, sizeof(tmp), NAME_SSL_VERSION_SSL_V3);
-				StrCat(tmp, sizeof(tmp), ",");
-			}
-			if (c->DisableSslVersions & SSL_VERSION_TLS_V1_0) {
-				StrCat(tmp, sizeof(tmp), NAME_SSL_VERSION_TLS_V1_0);
-				StrCat(tmp, sizeof(tmp), ",");
-			}
-			if (c->DisableSslVersions & SSL_VERSION_TLS_V1_1) {
-				StrCat(tmp, sizeof(tmp), NAME_SSL_VERSION_TLS_V1_1);
-				StrCat(tmp, sizeof(tmp), ",");
-			}
-			if (c->DisableSslVersions & SSL_VERSION_TLS_V1_2) {
-				StrCat(tmp, sizeof(tmp), NAME_SSL_VERSION_TLS_V1_2);
-				StrCat(tmp, sizeof(tmp), ",");
-			}
-                        if (StrLen(tmp) >= 1)
-                        {
-                                if (tmp[StrLen(tmp) - 1] == ',')
-                                {
-                                        tmp[StrLen(tmp) - 1] = 0;
-                                }
-                        }
-			CfgAddStr(f, "DisableSslVersions", tmp);
-		}
-
-		
+		CfgAddBool(f, "AcceptOnlyTls", c->SslAcceptSettings.AcceptOnlyTls);
+		CfgAddBool(f, "Tls_Disable1_0", c->SslAcceptSettings.Tls_Disable1_0);
+		CfgAddBool(f, "Tls_Disable1_1", c->SslAcceptSettings.Tls_Disable1_1);
+		CfgAddBool(f, "Tls_Disable1_2", c->SslAcceptSettings.Tls_Disable1_2);
 
 		// Disable session reconnect
 		CfgAddBool(f, "DisableSessionReconnect", GetGlobalServerFlag(GSF_DISABLE_SESSION_RECONNECT));
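Review bot: Any `DisableSslVersions` value already present in an on-disk server configuration is now silently ignored by SiLoadServerCfg — the new code reads only `AcceptOnlyTls` and the three `Tls_Disable1_x` booleans, and CfgGetBool on a missing key presumably yields false — so an operator who had explicitly disabled TLS 1.0 or 1.1 ends up with them re-enabled after the upgrade, and the legacy key disappears on the next SiWriteServerCfg without any trace. A one-time read of the old key that maps its TLS tokens onto the new flags, or at minimum a log line when the legacy key is encountered, would make the change safe to roll out. Nothing in the hunk prevents all three disable flags being true at once, which would leave no protocol version enabled; a guard here, or a comment pointing at where that combination is rejected, is worth adding. The matching write-side drop is in the SiWriteServerCfg hunk below.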

+ 3 - 1
src/Cedar/UdpAccel.c

@@ -118,12 +118,14 @@ void UdpAccelPoll(UDP_ACCEL *a)
 {
 	IP nat_t_ip;
 	UINT num_ignore_errors = 0;
+	UCHAR *tmp;
 	// Validate arguments
 	if (a == NULL)
 	{
 		return;
 	}
-	UCHAR *tmp = a->TmpBuf;
+
+	tmp = a->TmpBuf;
 
 	Lock(a->NatT_Lock);
 	{

+ 9 - 3
src/Cedar/Virtual.c

@@ -2393,12 +2393,14 @@ bool NnTestConnectivity(NATIVE_STACK *a, TUBE *halt_tube)
 	IP my_priv_ip;
 	UINT num_send_dns = 0;
 	IP using_dns;
+	UINT src_port = 0;
 	// Validate arguments
 	if (a == NULL)
 	{
 		return false;
 	}
-	UINT src_port = NnGenSrcPort(a->IsIpRawMode);
+
+	src_port = NnGenSrcPort(a->IsIpRawMode);
 
 	Copy(&using_dns, &a->DnsServerIP, sizeof(IP));
 
@@ -3999,12 +4001,14 @@ bool NatTransactIcmp(VH *v, NAT_ENTRY *n)
 	BLOCK *block;
 	IP dest_ip;
 	UINT num_ignore_errors = 0;
+	UINT dest_port = 0;
 	// Validate arguments
 	if (v == NULL || n == NULL)
 	{
 		return true;
 	}
-	UINT dest_port = n->DestPort;
+
+	dest_port = n->DestPort;
 
 	if (n->DisconnectNow)
 	{
@@ -4202,12 +4206,14 @@ bool NatTransactUdp(VH *v, NAT_ENTRY *n)
 	BLOCK *block;
 	IP dest_ip;
 	UINT num_ignore_errors;
+	UINT dest_port = 0;
 	// Validate arguments
 	if (v == NULL || n == NULL)
 	{
 		return true;
 	}
-	UINT dest_port = n->DestPort;
+
+	dest_port = n->DestPort;
 
 	if (n->DisconnectNow)
 	{

+ 3 - 1
src/Cedar/WebUI.c

@@ -1725,12 +1725,14 @@ static wchar_t *WuUniReadFile(char *filename)
 static void WuUniReplace(wchar_t **buf, wchar_t *from, wchar_t *to)
 {
 	UINT dstsize;
+	wchar_t *oldbuf;
 
 	if(buf == NULL || from == NULL || to == NULL)
 	{
 		return;
 	}
-	wchar_t *oldbuf = *buf;
+
+	oldbuf = *buf;
 
 	dstsize = (UniCalcReplaceStrEx(*buf, from, to, true) + 1) * sizeof(wchar_t);
 	*buf = (wchar_t*)Malloc(dstsize);

+ 1 - 1
src/Cedar/WinUi.h

@@ -204,7 +204,7 @@ typedef struct WINUI_SECURE_BATCH
 	X *OutputX;										// Output certificate
 	K *InputK;										// Input secret key
 	LIST *EnumList;									// Enumerated list
-	UCHAR OutputSign[128];							// Output signature
+	UCHAR OutputSign[4096 / 8];						// Output signature
 	bool Succeed;									// Success flag
 } WINUI_SECURE_BATCH;
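Review bot: OutputSign grows to 512 bytes so that a 4096-bit RSA signature fits, but the comment still just says `// Output signature`; spelling out the sizing assumption, e.g. `// Output signature (sized for up to 4096-bit RSA)`, would explain why the length is written as `4096 / 8`. Whatever fills this buffer is not in the hunk, so I cannot see whether it compares the key size against `sizeof(OutputSign)` before writing; that check, not the constant, is what protects the buffer if a larger key is ever accepted.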
 

+ 52 - 5
src/Cedar/Wpc.c

@@ -163,6 +163,14 @@ PACK *WpcCall(char *url, INTERNET_SETTING *setting, UINT timeout_connect, UINT t
 PACK *WpcCallEx(char *url, INTERNET_SETTING *setting, UINT timeout_connect, UINT timeout_comm,
 				char *function_name, PACK *pack, X *cert, K *key, void *sha1_cert_hash, bool *cancel, UINT max_recv_size,
 				char *additional_header_name, char *additional_header_value)
+{
+	return WpcCallEx2(url, setting, timeout_connect, timeout_comm, function_name, pack,
+		cert, key, sha1_cert_hash, (sha1_cert_hash == NULL ? 0 : 1),
+		cancel, max_recv_size, additional_header_name, additional_header_value, NULL);
+}
+PACK *WpcCallEx2(char *url, INTERNET_SETTING *setting, UINT timeout_connect, UINT timeout_comm,
+				char *function_name, PACK *pack, X *cert, K *key, void *sha1_cert_hash, UINT num_hashes, bool *cancel, UINT max_recv_size,
+				char *additional_header_name, char *additional_header_value, char *sni_string)
 {
 	URL_DATA data;
 	BUF *b, *recv;
@@ -197,8 +205,14 @@ PACK *WpcCallEx(char *url, INTERNET_SETTING *setting, UINT timeout_connect, UINT
 		StrCpy(data.AdditionalHeaderValue, sizeof(data.AdditionalHeaderValue), additional_header_value);
 	}
 
-	recv = HttpRequestEx(&data, setting, timeout_connect, timeout_comm, &error,
-		false, b->Buf, NULL, NULL, sha1_cert_hash, cancel, max_recv_size);
+	if (sni_string != NULL && IsEmptyStr(sni_string) == false)
+	{
+		StrCpy(data.SniString, sizeof(data.SniString), sni_string);
+	}
+
+	recv = HttpRequestEx3(&data, setting, timeout_connect, timeout_comm, &error,
+		false, b->Buf, NULL, NULL, sha1_cert_hash, num_hashes, cancel, max_recv_size,
+		NULL, NULL);
 
 	FreeBuf(b);
 
@@ -693,6 +707,16 @@ BUF *HttpRequestEx2(URL_DATA *data, INTERNET_SETTING *setting,
 				   UINT *error_code, bool check_ssl_trust, char *post_data,
 				   WPC_RECV_CALLBACK *recv_callback, void *recv_callback_param, void *sha1_cert_hash,
 				   bool *cancel, UINT max_recv_size, char *header_name, char *header_value)
+{
+	return HttpRequestEx3(data, setting, timeout_connect, timeout_comm, error_code, check_ssl_trust,
+		post_data, recv_callback, recv_callback_param, sha1_cert_hash, (sha1_cert_hash == NULL ? 0 : 1),
+		cancel, max_recv_size, header_name, header_value);
+}
+BUF *HttpRequestEx3(URL_DATA *data, INTERNET_SETTING *setting,
+					UINT timeout_connect, UINT timeout_comm,
+					UINT *error_code, bool check_ssl_trust, char *post_data,
+					WPC_RECV_CALLBACK *recv_callback, void *recv_callback_param, void *sha1_cert_hash, UINT num_hashes,
+					bool *cancel, UINT max_recv_size, char *header_name, char *header_value)
 {
 	WPC_CONNECT con;
 	SOCK *s;
@@ -728,6 +752,14 @@ BUF *HttpRequestEx2(URL_DATA *data, INTERNET_SETTING *setting,
 	{
 		timeout_comm = WPC_TIMEOUT;
 	}
+	if (sha1_cert_hash == NULL)
+	{
+		num_hashes = 0;
+	}
+	if (num_hashes == 0)
+	{
+		sha1_cert_hash = NULL;
+	}
 
 	// Connection
 	Zero(&con, sizeof(con));
@@ -773,7 +805,7 @@ BUF *HttpRequestEx2(URL_DATA *data, INTERNET_SETTING *setting,
 	if (data->Secure)
 	{
 		// Start the SSL communication
-		if (StartSSLEx(s, NULL, NULL, true, 0, NULL) == false)
+		if (StartSSLEx(s, NULL, NULL, true, 0, (IsEmptyStr(data->SniString) ? NULL : data->SniString)) == false)
 		{
 			// SSL connection failed
 			*error_code = ERR_PROTOCOL_ERROR;
@@ -782,13 +814,28 @@ BUF *HttpRequestEx2(URL_DATA *data, INTERNET_SETTING *setting,
 			return NULL;
 		}
 
-		if (sha1_cert_hash != NULL)
+		if (sha1_cert_hash != NULL && num_hashes >= 1)
 		{
 			UCHAR hash[SHA1_SIZE];
+			UINT i;
+			bool ok = false;
+
 			Zero(hash, sizeof(hash));
 			GetXDigest(s->RemoteX, hash, true);
 
-			if (Cmp(hash, sha1_cert_hash, SHA1_SIZE) != 0)
+			for (i = 0;i < num_hashes;i++)
+			{
+				UCHAR *a = (UCHAR *)sha1_cert_hash;
+				a += (SHA1_SIZE * i);
+
+				if (Cmp(hash, a, SHA1_SIZE) == 0)
+				{
+					ok = true;
+					break;
+				}
+			}
+
+			if (ok == false)
 			{
 				// Destination certificate hash mismatch
 				*error_code = ERR_CERT_NOT_TRUSTED;
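Review bot: HttpRequestEx3 reads `data->SniString` unconditionally at the StartSSLEx call, but only WpcCallEx2 is shown populating it; any other producer of URL_DATA that does not zero the struct (none is visible in the hunk, so this is inferred) would hand an uninitialised field to StartSSLEx as the SNI host name. The new `sha1_cert_hash`/`num_hashes` contract also deserves a comment at the function header, e.g. `// sha1_cert_hash: num_hashes concatenated SHA1_SIZE-byte fingerprints; the peer is accepted if its certificate matches any one of them. NULL or num_hashes == 0 disables pinning.` The comparison loop trusts `num_hashes` and reads `num_hashes * SHA1_SIZE` bytes from the buffer, so the comment should state that the caller is responsible for that length. The same contract applies to the new WpcCallEx2 prototype.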

+ 9 - 0
src/Cedar/Wpc.h

@@ -159,6 +159,7 @@ struct URL_DATA
 	char Referer[MAX_SIZE * 3];				// Referer
 	char AdditionalHeaderName[128];			// Additional header name
 	char AdditionalHeaderValue[MAX_SIZE];	// Additional header value
+	char SniString[MAX_SIZE];				// SNI String
 };
 
 // WPC entry
@@ -204,6 +205,11 @@ BUF *HttpRequestEx2(URL_DATA *data, INTERNET_SETTING *setting,
 				   UINT *error_code, bool check_ssl_trust, char *post_data,
 				   WPC_RECV_CALLBACK *recv_callback, void *recv_callback_param, void *sha1_cert_hash,
 				   bool *cancel, UINT max_recv_size, char *header_name, char *header_value);
+BUF *HttpRequestEx3(URL_DATA *data, INTERNET_SETTING *setting,
+					UINT timeout_connect, UINT timeout_comm,
+					UINT *error_code, bool check_ssl_trust, char *post_data,
+					WPC_RECV_CALLBACK *recv_callback, void *recv_callback_param, void *sha1_cert_hash, UINT num_hashes,
+					bool *cancel, UINT max_recv_size, char *header_name, char *header_value);
 SOCK *WpcSockConnect(WPC_CONNECT *param, UINT *error_code, UINT timeout);
 SOCK *WpcSockConnectEx(WPC_CONNECT *param, UINT *error_code, UINT timeout, bool *cancel);
 SOCK *WpcSockConnect2(char *hostname, UINT port, INTERNET_SETTING *t, UINT *error_code, UINT timeout);
@@ -223,6 +229,9 @@ PACK *WpcCall(char *url, INTERNET_SETTING *setting, UINT timeout_connect, UINT t
 PACK *WpcCallEx(char *url, INTERNET_SETTING *setting, UINT timeout_connect, UINT timeout_comm,
 			  char *function_name, PACK *pack, X *cert, K *key, void *sha1_cert_hash, bool *cancel, UINT max_recv_size,
 			  char *additional_header_name, char *additional_header_value);
+PACK *WpcCallEx2(char *url, INTERNET_SETTING *setting, UINT timeout_connect, UINT timeout_comm,
+				char *function_name, PACK *pack, X *cert, K *key, void *sha1_cert_hash, UINT num_hashes, bool *cancel, UINT max_recv_size,
+				char *additional_header_name, char *additional_header_value, char *sni_string);
 bool IsProxyPrivateIp(INTERNET_SETTING *s);
 
 #endif	// WPC_H

+ 3 - 3
src/CurrentBuild.txt

@@ -1,4 +1,4 @@
-BUILD_NUMBER 9613
-VERSION 421
+BUILD_NUMBER 9634
+VERSION 422
 BUILD_NAME beta
-BUILD_DATE 20160424_153917
+BUILD_DATE 20161127_143359

+ 2 - 2
src/Ham/Ham.vcproj

@@ -46,7 +46,7 @@
 				Name="VCCLCompilerTool"
 				Optimization="0"
 				AdditionalIncludeDirectories="$(SolutionDir)Mayaqua\win32_inc;.;$(SolutionDir);$(SolutionDir)Mayaqua"
-				PreprocessorDefinitions="WIN32;_DEBUG;_CONSOLE;_USE_32BIT_TIME_T"
+				PreprocessorDefinitions="WIN32;_DEBUG;_CONSOLE"
 				MinimalRebuild="true"
 				ExceptionHandling="0"
 				BasicRuntimeChecks="3"
@@ -232,7 +232,7 @@
 				EnableIntrinsicFunctions="false"
 				FavorSizeOrSpeed="0"
 				AdditionalIncludeDirectories="$(SolutionDir)Mayaqua\win32_inc;.;$(SolutionDir);$(SolutionDir)Mayaqua"
-				PreprocessorDefinitions="WIN32;NDEBUG;_CONSOLE;_USE_32BIT_TIME_T;VPN_SPEED"
+				PreprocessorDefinitions="WIN32;NDEBUG;_CONSOLE;VPN_SPEED"
 				StringPooling="false"
 				ExceptionHandling="0"
 				RuntimeLibrary="0"

+ 60 - 1
src/Mayaqua/Cfg.c

@@ -385,6 +385,34 @@ bool FileCopyExW(wchar_t *src, wchar_t *dst, bool read_lock)
 
 	return ret;
 }
+bool FileCopyExWithEofW(wchar_t *src, wchar_t *dst, bool read_lock)
+{
+	BUF *b;
+	bool ret = false;
+	// Validate arguments
+	if (src == NULL || dst == NULL)
+	{
+		return false;
+	}
+
+	b = ReadDumpExW(src, false);
+	if (b == NULL)
+	{
+		return false;
+	}
+
+	SeekBuf(b, b->Size, 0);
+
+	WriteBufChar(b, 0x1A);
+
+	SeekBuf(b, 0, 0);
+
+	ret = DumpBufW(b, dst);
+
+	FreeBuf(b);
+
+	return ret;
+}
 
 // Save the settings to a file
 void CfgSave(FOLDER *f, char *name)
@@ -459,7 +487,8 @@ bool CfgSaveExW3(CFG_RW *rw, FOLDER *f, wchar_t *name, UINT *written_size, bool
 		// Generate a temporary file name
 		UniFormat(tmp, sizeof(tmp), L"%s.log", name);
 		// Copy the file that currently exist to a temporary file
-		FileCopyW(name, tmp);
+		// with appending the EOF
+		FileCopyExWithEofW(name, tmp, true);
 
 		// Save the new file
 		o = FileCreateW(name);
@@ -481,6 +510,7 @@ bool CfgSaveExW3(CFG_RW *rw, FOLDER *f, wchar_t *name, UINT *written_size, bool
 			{
 				// Successful saving file
 				FileClose(o);
+
 				// Delete the temporary file
 				FileDeleteW(tmp);
 			}
@@ -528,6 +558,7 @@ FOLDER *CfgReadW(wchar_t *name)
 	bool binary_file = false;
 	bool invalid_file = false;
 	UCHAR header[8];
+	bool has_eof = false;
 	// Validate arguments
 	if (name == NULL)
 	{
@@ -543,8 +574,31 @@ FOLDER *CfgReadW(wchar_t *name)
 	o = FileOpenW(newfile, false);
 	if (o == NULL)
 	{
+		UINT size;
 		// Read the temporary file
 		o = FileOpenW(tmp, false);
+
+		if (o != NULL)
+		{
+			// Check the EOF
+			size = FileSize(o);
+			if (size >= 2)
+			{
+				char c;
+
+				if (FileSeek(o, FILE_BEGIN, size - 1) && FileRead(o, &c, 1) && c == 0x1A && FileSeek(o, FILE_BEGIN, 0))
+				{
+					// EOF ok
+					has_eof = true;
+				}
+				else
+				{
+					// No EOF: file is corrupted
+					FileClose(o);
+					o = NULL;
+				}
+			}
+		}
 	}
 	else
 	{
@@ -577,6 +631,11 @@ FOLDER *CfgReadW(wchar_t *name)
 
 	// Read into the buffer
 	size = FileSize(o);
+	if (has_eof)
+	{
+		// Ignore EOF
+		size -= 1;
+	}
 	buf = Malloc(size);
 	FileRead(o, buf, size);
 	b = NewBuf();
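Review bot: The EOF-marker check in CfgReadW only runs when the temporary file is at least 2 bytes long, so a truncated `.log` file of 0 or 1 bytes is accepted without the marker and then parsed as if it were intact, which defeats the corruption detection the marker was introduced for; the short-file case should take the same path as "No EOF" (close the handle and set `o = NULL`) rather than fall through. In FileCopyExWithEofW the `read_lock` parameter is never used — `ReadDumpExW(src, false)` hard-codes false — so the `true` passed from CfgSaveExW3 has no effect; if ReadDumpExW's second argument is the read-lock flag, pass `read_lock` through. The inner `UINT size` declared in the `o == NULL` branch also shadows the function-level `size` that is assigned later at `size = FileSize(o)`; a distinct name such as `tmp_size` would avoid the confusion. CfgReadW's body starts and ends outside these hunks.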

+ 50 - 0
src/Mayaqua/Encrypt.c

@@ -1818,6 +1818,40 @@ UINT GetDaysUntil2038()
 		return (UINT)((target - now) / (UINT64)(1000 * 60 * 60 * 24));
 	}
 }
+UINT GetDaysUntil2038Ex()
+{
+	SYSTEMTIME now;
+
+	Zero(&now, sizeof(now));
+	SystemTime(&now);
+
+	if (now.wYear >= 2030)
+	{
+		UINT64 now = SystemTime64();
+		UINT64 target;
+		SYSTEMTIME st;
+
+		Zero(&st, sizeof(st));
+		st.wYear = 2049;
+		st.wMonth = 12;
+		st.wDay = 30;
+
+		target = SystemToUINT64(&st);
+
+		if (now >= target)
+		{
+			return 0;
+		}
+		else
+		{
+			return (UINT)((target - now) / (UINT64)(1000 * 60 * 60 * 24));
+		}
+	}
+	else
+	{
+		return GetDaysUntil2038();
+	}
+}
 
 // Issue an X509 certificate
 X *NewX(K *pub, K *priv, X *ca, NAME *name, UINT days, X_SERIAL *serial)
@@ -4885,6 +4919,22 @@ bool DhCompute(DH_CTX *dh, void *dst_priv_key, void *src_pub_key, UINT key_size)
 	return ret;
 }
 
+// Creating a DH 2048bit
+DH_CTX *DhNew2048()
+{
+	return DhNew(DH_SET_2048, 2);
+}
+// Creating a DH 3072bit
+DH_CTX *DhNew3072()
+{
+	return DhNew(DH_SET_3072, 2);
+}
+// Creating a DH 4096bit
+DH_CTX *DhNew4096()
+{
+	return DhNew(DH_SET_4096, 2);
+}
+
 // Creating a DH GROUP1
 DH_CTX *DhNewGroup1()
 {
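Review bot: In GetDaysUntil2038Ex the inner `UINT64 now = SystemTime64();` shadows the outer `SYSTEMTIME now` declared at the top of the function; it compiles, but two variables named `now` with different types in one function are easy to misread, and renaming the inner one `now64` costs nothing. The function also has no header comment, unlike its neighbours; something like `// Days until 2049-12-30 once the clock has passed 2030, otherwise GetDaysUntil2038(); used for default certificate validity` would capture what it does. The new DhNew2048/3072/4096 helpers should say where their primes come from — the DH_SET_* constants in Encrypt.h look like the RFC 3526 MODP groups 14, 15 and 16 (generator 2), and naming that in the comment lets a reviewer verify the hex against the RFC instead of trusting it.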

+ 59 - 0
src/Mayaqua/Encrypt.h

@@ -170,6 +170,61 @@ void RAND_Free_For_SoftEther();
 
 #define	DH_SIMPLE_160	"AEE7561459353C95DDA966AE1FD25D95CD46E935"
 
+#define	DH_SET_2048 \
+	"FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1" \
+	"29024E088A67CC74020BBEA63B139B22514A08798E3404DD" \
+	"EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245" \
+	"E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED" \
+	"EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3D" \
+	"C2007CB8A163BF0598DA48361C55D39A69163FA8FD24CF5F" \
+	"83655D23DCA3AD961C62F356208552BB9ED529077096966D" \
+	"670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B" \
+	"E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9" \
+	"DE2BCBF6955817183995497CEA956AE515D2261898FA0510" \
+	"15728E5A8AACAA68FFFFFFFFFFFFFFFF"
+
+#define	DH_SET_3072	\
+	"FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"\
+	"29024E088A67CC74020BBEA63B139B22514A08798E3404DD"\
+	"EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"\
+	"E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"\
+	"EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3D"\
+	"C2007CB8A163BF0598DA48361C55D39A69163FA8FD24CF5F"\
+	"83655D23DCA3AD961C62F356208552BB9ED529077096966D"\
+	"670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"\
+	"E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9"\
+	"DE2BCBF6955817183995497CEA956AE515D2261898FA0510"\
+	"15728E5A8AAAC42DAD33170D04507A33A85521ABDF1CBA64"\
+	"ECFB850458DBEF0A8AEA71575D060C7DB3970F85A6E1E4C7"\
+	"ABF5AE8CDB0933D71E8C94E04A25619DCEE3D2261AD2EE6B"\
+	"F12FFA06D98A0864D87602733EC86A64521F2B18177B200C"\
+	"BBE117577A615D6C770988C0BAD946E208E24FA074E5AB31"\
+	"43DB5BFCE0FD108E4B82D120A93AD2CAFFFFFFFFFFFFFFFF"
+
+#define	DH_SET_4096 \
+	"FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1" \
+	"29024E088A67CC74020BBEA63B139B22514A08798E3404DD" \
+	"EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245" \
+	"E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED" \
+	"EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3D" \
+	"C2007CB8A163BF0598DA48361C55D39A69163FA8FD24CF5F" \
+	"83655D23DCA3AD961C62F356208552BB9ED529077096966D" \
+	"670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B" \
+	"E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9" \
+	"DE2BCBF6955817183995497CEA956AE515D2261898FA0510" \
+	"15728E5A8AAAC42DAD33170D04507A33A85521ABDF1CBA64" \
+	"ECFB850458DBEF0A8AEA71575D060C7DB3970F85A6E1E4C7" \
+	"ABF5AE8CDB0933D71E8C94E04A25619DCEE3D2261AD2EE6B" \
+	"F12FFA06D98A0864D87602733EC86A64521F2B18177B200C" \
+	"BBE117577A615D6C770988C0BAD946E208E24FA074E5AB31" \
+	"43DB5BFCE0FD108E4B82D120A92108011A723C12A787E6D7" \
+	"88719A10BDBA5B2699C327186AF4E23C1A946834B6150BDA" \
+	"2583E9CA2AD44CE8DBBBC2DB04DE8EF92E8EFC141FBECAA6" \
+	"287C59474E6BC05D99B2964FA090C3A2233BA186515BE7ED" \
+	"1F612970CEE2D7AFB81BDD762170481CD0069127D5B05AA9" \
+	"93B4EA988D8FDDC186FFB7DC90A6C08F4DF435C934063199" \
+	"FFFFFFFFFFFFFFFF"
+
 // Macro
 #define	HASHED_DATA(p)			(((UCHAR *)p) + 15)
 
@@ -376,6 +431,7 @@ X *NewRootX(K *pub, K *priv, NAME *name, UINT days, X_SERIAL *serial);
 X509 *NewX509(K *pub, K *priv, X *ca, NAME *name, UINT days, X_SERIAL *serial);
 X *NewX(K *pub, K *priv, X *ca, NAME *name, UINT days, X_SERIAL *serial);
 UINT GetDaysUntil2038();
+UINT GetDaysUntil2038Ex();
 X_SERIAL *NewXSerial(void *data, UINT size);
 void FreeXSerial(X_SERIAL *serial);
 char *ByteToStr(BYTE *src, UINT src_size);
@@ -465,6 +521,9 @@ DH_CTX *DhNewGroup1();
 DH_CTX *DhNewGroup2();
 DH_CTX *DhNewGroup5();
 DH_CTX *DhNewSimple160();
+DH_CTX *DhNew2048();
+DH_CTX *DhNew3072();
+DH_CTX *DhNew4096();
 DH_CTX *DhNew(char *prime, UINT g);
 void DhFree(DH_CTX *dh);
 BUF *DhToBuf(DH_CTX *dh);

+ 4 - 1
src/Mayaqua/FileIO.c

@@ -381,12 +381,15 @@ void ZipAddFileStart(ZIP_PACKER *p, char *name, UINT size, UINT64 dt, UINT attri
 UINT ZipAddFileData(ZIP_PACKER *p, void *data, UINT pos, UINT len)
 {
 	UINT ret;
+	UINT total_size;
 	// Validate arguments
 	if (p == NULL)
 	{
 		return 0;
 	}
-	UINT total_size = p->CurrentFile->CurrentSize + len;
+
+	total_size = p->CurrentFile->CurrentSize + len;
+
 	if (total_size > p->CurrentFile->Size)
 	{
 		return 0;

+ 144 - 106
src/Mayaqua/Kernel.c

@@ -172,6 +172,109 @@ static LOCALE current_locale;
 LOCK *tick_manual_lock = NULL;
 UINT g_zero = 0;
 
+#define MONSPERYEAR 12
+#define DAYSPERNYEAR 365
+#define DAYSPERLYEAR 366
+#define SECSPERMIN 60
+#define SECSPERHOUR (60*60)
+#define SECSPERDAY (24*60*60)
+#define DAYSPERWEEK 7
+#define TM_SUNDAY	0
+#define TM_MONDAY	1
+#define TM_TUESDAY	2
+#define TM_WEDNESDAY	3
+#define TM_THURSDAY	4
+#define TM_FRIDAY	5
+#define TM_SATURDAY	6
+
+#define TM_YEAR_BASE	1900
+
+#define EPOCH_YEAR	1970
+#define EPOCH_WDAY	TM_THURSDAY
+
+#define isleap(y) (((y) % 4) == 0 && (((y) % 100) != 0 || ((y) % 400) == 0))
+
+static const int	mon_lengths[2][MONSPERYEAR] = {
+	{ 31, 28, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31 },
+	{ 31, 29, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31 }
+};
+
+static const int	year_lengths[2] = {
+	DAYSPERNYEAR, DAYSPERLYEAR
+};
+
+
+/*
+ * Taken from FreeBSD src / lib / libc / stdtime / localtime.c 1.43 revision.
+ * localtime.c 7.78.
+ * tzfile.h 1.8
+ * adapted to be replacement gmtime_r.
+ */
+static void
+c_timesub(timep, offset, tmp)
+const time_64t * const			timep;
+const long				offset;
+struct tm * const		tmp;
+{
+	INT64			days;
+	INT64			rem;
+	INT64			y;
+	int			yleap;
+	const int *		ip;
+
+	days = *timep / SECSPERDAY;
+	rem = *timep % SECSPERDAY;
+	rem += (offset);
+	while (rem < 0) {
+		rem += SECSPERDAY;
+		--days;
+	}
+	while (rem >= SECSPERDAY) {
+		rem -= SECSPERDAY;
+		++days;
+	}
+	tmp->tm_hour = (int) (rem / SECSPERHOUR);
+	rem = rem % SECSPERHOUR;
+	tmp->tm_min = (int) (rem / SECSPERMIN);
+	/*
+	** A positive leap second requires a special
+	** representation.  This uses "... ??:59:60" et seq.
+	*/
+	tmp->tm_sec = (int) (rem % SECSPERMIN) ;
+	tmp->tm_wday = (int) ((EPOCH_WDAY + days) % DAYSPERWEEK);
+	if (tmp->tm_wday < 0)
+		tmp->tm_wday += DAYSPERWEEK;
+	y = EPOCH_YEAR;
+#define LEAPS_THRU_END_OF(y)	((y) / 4 - (y) / 100 + (y) / 400)
+	while (days < 0 || days >= (long) year_lengths[yleap = isleap(y)]) {
+		INT64	newy;
+
+		newy = y + days / DAYSPERNYEAR;
+		if (days < 0)
+			--newy;
+		days -= (newy - y) * DAYSPERNYEAR +
+			LEAPS_THRU_END_OF(newy - 1) -
+			LEAPS_THRU_END_OF(y - 1);
+		y = newy;
+	}
+	tmp->tm_year = (int)(y - TM_YEAR_BASE);
+	tmp->tm_yday = (int) days;
+	ip = mon_lengths[yleap];
+	for (tmp->tm_mon = 0; days >= (INT64) ip[tmp->tm_mon]; ++(tmp->tm_mon))
+		days = days - (INT64) ip[tmp->tm_mon];
+	tmp->tm_mday = (int) (days + 1);
+	tmp->tm_isdst = 0;
+}
+
+/*
+* Re-entrant version of gmtime.
+*/
+struct tm * c_gmtime_r(const time_64t* timep, struct tm *tm)
+{
+	c_timesub(timep, 0L, tm);
+	return tm;
+}
+
 // Get the real-time system timer
 UINT TickRealtime()
 {
@@ -219,7 +322,14 @@ UINT64 TickGetRealtimeTickValue64()
 
 	gettimeofday(&tv, &tz);
 
-	ret = (UINT64)tv.tv_sec * 1000ULL + (UINT64)tv.tv_usec / 1000ULL;
+	if (sizeof(tv.tv_sec) != 4)
+	{
+		ret = (UINT64)tv.tv_sec * 1000ULL + (UINT64)tv.tv_usec / 1000ULL;
+	}
+	else
+	{
+		ret = (UINT64)((UINT64)((UINT32)tv.tv_sec)) * 1000ULL + (UINT64)tv.tv_usec / 1000ULL;
+	}
 
 	return ret;
 }
@@ -815,7 +925,7 @@ void GetTimeStr64(char *str, UINT size, UINT64 sec64)
 // Convert to a time to be used safely in the current POSIX implementation
 UINT64 SafeTime64(UINT64 sec64)
 {
-	return MAKESURE(sec64, 0, 2115947647000ULL);
+	return MAKESURE(sec64, 0, 4102243323123ULL);
 }
 
 // Thread pool
@@ -1694,7 +1804,7 @@ void TmToSystem(SYSTEMTIME *st, struct tm *t)
 	NormalizeTm(&tmp);
 
 	Zero(st, sizeof(SYSTEMTIME));
-	st->wYear = MAKESURE(tmp.tm_year + 1900, 1970, 2037);
+	st->wYear = MAKESURE(tmp.tm_year + 1900, 1970, 2099);
 	st->wMonth = MAKESURE(tmp.tm_mon + 1, 1, 12);
 	st->wDay = MAKESURE(tmp.tm_mday, 1, 31);
 	st->wDayOfWeek = MAKESURE(tmp.tm_wday, 0, 6);
@@ -1714,7 +1824,7 @@ void SystemToTm(struct tm *t, SYSTEMTIME *st)
 	}
 
 	Zero(t, sizeof(struct tm));
-	t->tm_year = MAKESURE(st->wYear, 1970, 2037) - 1900;
+	t->tm_year = MAKESURE(st->wYear, 1970, 2099) - 1900;
 	t->tm_mon = MAKESURE(st->wMonth, 1, 12) - 1;
 	t->tm_mday = MAKESURE(st->wDay, 1, 31);
 	t->tm_hour = MAKESURE(st->wHour, 0, 23);
@@ -1726,7 +1836,7 @@ void SystemToTm(struct tm *t, SYSTEMTIME *st)
 }
 
 // Convert the time_t to SYSTEMTIME
-void TimeToSystem(SYSTEMTIME *st, time_t t)
+void TimeToSystem(SYSTEMTIME *st, time_64t t)
 {
 	struct tm tmp;
 	// Validate arguments
@@ -1740,7 +1850,7 @@ void TimeToSystem(SYSTEMTIME *st, time_t t)
 }
 
 // Convert the time_t to 64-bit SYSTEMTIME
-UINT64 TimeToSystem64(time_t t)
+UINT64 TimeToSystem64(time_64t t)
 {
 	SYSTEMTIME st;
 
@@ -1750,7 +1860,7 @@ UINT64 TimeToSystem64(time_t t)
 }
 
 // Convert the SYSTEMTIME to time_t
-time_t SystemToTime(SYSTEMTIME *st)
+time_64t SystemToTime(SYSTEMTIME *st)
 {
 	struct tm t;
 	// Validate arguments
@@ -1764,7 +1874,7 @@ time_t SystemToTime(SYSTEMTIME *st)
 }
 
 // Convert a 64-bit SYSTEMTIME to a time_t
-time_t System64ToTime(UINT64 i)
+time_64t System64ToTime(UINT64 i)
 {
 	SYSTEMTIME st;
 
@@ -1774,9 +1884,9 @@ time_t System64ToTime(UINT64 i)
 }
 
 // Convert the tm to time_t
-time_t TmToTime(struct tm *t)
+time_64t TmToTime(struct tm *t)
 {
-	time_t tmp;
+	time_64t tmp;
 	// Validate arguments
 	if (t == NULL)
 	{
@@ -1784,7 +1894,7 @@ time_t TmToTime(struct tm *t)
 	}
 
 	tmp = c_mkgmtime(t);
-	if (tmp == (time_t)-1)
+	if (tmp == (time_64t)-1)
 	{
 		return 0;
 	}
@@ -1792,42 +1902,22 @@ time_t TmToTime(struct tm *t)
 }
 
 // Convert time_t to tm
-void TimeToTm(struct tm *t, time_t time)
+void TimeToTm(struct tm *t, time_64t time)
 {
-	struct tm *ret;
 	// Validate arguments
 	if (t == NULL)
 	{
 		return;
 	}
 
-#ifndef	OS_UNIX
-	ret = gmtime(&time);
-#else	// OS_UNIX
-	ret = malloc(sizeof(struct tm));
-	memset(ret, 0, sizeof(struct tm));
-	gmtime_r(&time, ret);
-#endif	// OS_UNIX
-
-	if (ret == NULL)
-	{
-		Zero(t, sizeof(struct tm));
-	}
-	else
-	{
-		Copy(t, ret, sizeof(struct tm));
-	}
-
-#ifdef	OS_UNIX
-	free(ret);
-#endif	// OS_UNIX
+	Zero(t, sizeof(struct tm));
+	c_gmtime_r(&time, t);
 }
 
 // Normalize the tm
 void NormalizeTm(struct tm *t)
 {
-	struct tm *ret;
-	time_t tmp;
+	time_64t tmp;
 	// Validate arguments
 	if (t == NULL)
 	{
@@ -1835,31 +1925,12 @@ void NormalizeTm(struct tm *t)
 	}
 
 	tmp = c_mkgmtime(t);
-	if (tmp == (time_t)-1)
+	if (tmp == (time_64t)-1)
 	{
 		return;
 	}
 
-#ifndef	OS_UNIX
-	ret = gmtime(&tmp);
-#else	// OS_UNIX
-	ret = malloc(sizeof(struct tm));
-	memset(ret, 0, sizeof(struct tm));
-	gmtime_r(&tmp, ret);
-#endif	// OS_UNIX
-
-	if (ret == NULL)
-	{
-		Zero(t, sizeof(struct tm));
-	}
-	else
-	{
-		Copy(t, ret, sizeof(struct tm));
-	}
-
-#ifdef	OS_UNIX
-	free(ret);
-#endif	// OS_UNIX
+	c_gmtime_r(&tmp, t);
 }
 
 // Normalize the SYSTEMTIME
@@ -1934,10 +2005,19 @@ INT64 GetTimeDiffEx(SYSTEMTIME *basetime, bool local_time)
 
 	Copy(&snow, basetime, sizeof(SYSTEMTIME));
 
+	if (sizeof(time_t) == 4)
+	{
+		if (snow.wYear >= 2038)
+		{
+			// For old systems: avoid the 2038-year problem
+			snow.wYear = 2037;
+		}
+	}
+
 	SystemToTm(&now, &snow);
 	if (local_time == false)
 	{
-		tmp = c_mkgmtime(&now);
+		tmp = (time_t)c_mkgmtime(&now);
 	}
 	else
 	{
@@ -1965,54 +2045,12 @@ INT64 GetTimeDiffEx(SYSTEMTIME *basetime, bool local_time)
 	return ret;
 }
 
-// Get the time difference between the local time and system time
-INT64 GetTimeDiff()
-{
-	time_t tmp;
-	struct tm t1, t2;
-	SYSTEMTIME snow;
-	struct tm now;
-	SYSTEMTIME s1, s2;
-	INT64 ret;
-
-	static INT64 cache = INFINITE;
-
-	if (cache != INFINITE)
-	{
-		// Returns the cache data after measured once
-		return cache;
-	}
-
-	SystemTime(&snow);
-	SystemToTm(&now, &snow);
-	tmp = c_mkgmtime(&now);
-	if (tmp == (time_t)-1)
-	{
-		return 0;
-	}
-
-#ifndef	OS_UNIX
-	Copy(&t1, localtime(&tmp), sizeof(struct tm));
-	Copy(&t2, gmtime(&tmp), sizeof(struct tm));
-#else	// OS_UNIX
-	localtime_r(&tmp, &t1);
-	gmtime_r(&tmp, &t2);
-#endif	// OS_UNIX
-
-	TmToSystem(&s1, &t1);
-	TmToSystem(&s2, &t2);
-
-	cache = ret = (INT)SystemToUINT64(&s1) - (INT)SystemToUINT64(&s2);
-
-	return ret;
-}
-
 // Convert UINT64 to the SYSTEMTIME
 void UINT64ToSystem(SYSTEMTIME *st, UINT64 sec64)
 {
 	UINT64 tmp64;
 	UINT sec, millisec;
-	time_t time;
+	time_64t time;
 	// Validate arguments
 	if (st == NULL)
 	{
@@ -2023,7 +2061,7 @@ void UINT64ToSystem(SYSTEMTIME *st, UINT64 sec64)
 	tmp64 = sec64 / (UINT64)1000;
 	millisec = (UINT)(sec64 - tmp64 * (UINT64)1000);
 	sec = (UINT)tmp64;
-	time = (time_t)sec;
+	time = (time_64t)sec;
 	TimeToSystem(st, time);
 	st->wMilliseconds = (WORD)millisec;
 }
@@ -2032,7 +2070,7 @@ void UINT64ToSystem(SYSTEMTIME *st, UINT64 sec64)
 UINT64 SystemToUINT64(SYSTEMTIME *st)
 {
 	UINT64 sec64;
-	time_t time;
+	time_64t time;
 	// Validate arguments
 	if (st == NULL)
 	{
@@ -2091,7 +2129,7 @@ void SystemTime(SYSTEMTIME *st)
 	KS_INC(KS_GETTIME_COUNT);
 }
 
-time_t c_mkgmtime(struct tm *tm)
+time_64t c_mkgmtime(struct tm *tm)
 {
 	int years, months, days, hours, minutes, seconds;
 
@@ -2142,7 +2180,7 @@ time_t c_mkgmtime(struct tm *tm)
 		tm->tm_isdst = 0;
 
 		if (years < 1970)
-			return (time_t)-1;
+			return (time_64t)-1;
 
 #if (defined(TM_YEAR_MAX) && defined(TM_MON_MAX) && defined(TM_MDAY_MAX))
 #if (defined(TM_HOUR_MAX) && defined(TM_MIN_MAX) && defined(TM_SEC_MAX))
@@ -2156,11 +2194,11 @@ time_t c_mkgmtime(struct tm *tm)
 			(hours == TM_HOUR_MAX &&
 			(minutes > TM_MIN_MAX ||
 			(minutes == TM_MIN_MAX && seconds > TM_SEC_MAX) )))))))
-			return (time_t)-1;
+			return (time_64t)-1;
 #endif
 #endif
 
-		return (time_t)(86400L * (unsigned long)(unsigned)days +
+		return (time_64t)(86400L * (unsigned long)(unsigned)days +
 			3600L * (unsigned long)hours +
 			(unsigned long)(60 * minutes + seconds));
 }

+ 8 - 7
src/Mayaqua/Kernel.h

@@ -194,15 +194,16 @@ void FreeThreading();
 void ThreadPoolProc(THREAD *t, void *param);
 void SetThreadName(UINT thread_id, char *name, void *param);
 
-time_t c_mkgmtime(struct tm *tm);
-time_t System64ToTime(UINT64 i);
+struct tm * c_gmtime_r(const time_64t* timep, struct tm *tm);
+time_64t c_mkgmtime(struct tm *tm);
+time_64t System64ToTime(UINT64 i);
 void TmToSystem(SYSTEMTIME *st, struct tm *t);
 void SystemToTm(struct tm *t, SYSTEMTIME *st);
-void TimeToSystem(SYSTEMTIME *st, time_t t);
-UINT64 TimeToSystem64(time_t t);
-time_t SystemToTime(SYSTEMTIME *st);
-time_t TmToTime(struct tm *t);
-void TimeToTm(struct tm *t, time_t time);
+void TimeToSystem(SYSTEMTIME *st, time_64t t);
+UINT64 TimeToSystem64(time_64t t);
+time_64t SystemToTime(SYSTEMTIME *st);
+time_64t TmToTime(struct tm *t);
+void TimeToTm(struct tm *t, time_64t time);
 void NormalizeTm(struct tm *t);
 void NormalizeSystem(SYSTEMTIME *st);
 void LocalToSystem(SYSTEMTIME *system, SYSTEMTIME *local);
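Review bot: The new `c_gmtime_r` prototype places the pointer star differently from every other declaration in this block (`struct tm * c_gmtime_r(const time_64t* timep, ...)` next to `SYSTEMTIME *st`); `struct tm *c_gmtime_r(const time_64t *timep, struct tm *tm);` would match the surrounding style. A one-line comment above it stating that this is the project's own UTC conversion over `time_64t`, not the libc `gmtime_r`, would also help, because the name invites confusion with the libc function that the .c file stopped calling.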

+ 4 - 1
src/Mayaqua/MayaType.h

@@ -145,7 +145,7 @@ typedef struct x509_crl_st X509_CRL;
 #define	BUF_SIZE			512
 
 // Support Windows OS list
-#define	SUPPORTED_WINDOWS_LIST		"Windows 98 / 98 SE / ME / NT 4.0 SP6a / 2000 SP4 / XP SP2, SP3 / Vista SP1, SP2 / 7 SP1 / 8 / 8.1 / 10 / Server 2003 SP2 / Server 2008 SP1, SP2 / Hyper-V Server 2008 / Server 2008 R2 SP1 / Hyper-V Server 2008 R2 / Server 2012 / Hyper-V Server 2012 / Server 2012 R2 / Hyper-V Server 2012 R2"
+#define	SUPPORTED_WINDOWS_LIST		"Windows 98 / 98 SE / ME / NT 4.0 SP6a / 2000 SP4 / XP SP2, SP3 / Vista SP1, SP2 / 7 SP1 / 8 / 8.1 / 10 / Server 2003 SP2 / Server 2008 SP1, SP2 / Hyper-V Server 2008 / Server 2008 R2 SP1 / Hyper-V Server 2008 R2 / Server 2012 / Hyper-V Server 2012 / Server 2012 R2 / Hyper-V Server 2012 R2 / Server 2016"
 
 // Infinite
 #ifndef	WINDOWS_H
@@ -299,6 +299,8 @@ typedef signed char			CHAR;
 typedef	unsigned long long	UINT64;
 typedef signed long long	INT64;
 
+typedef signed long long	time_64t;
+
 #ifdef	OS_UNIX
 // Avoiding compile error
 #define	__cdecl
@@ -523,6 +525,7 @@ typedef struct SAFE_BLOCK SAFE_BLOCK;
 typedef struct SAFE_REQUEST_LOG SAFE_REQUEST_LOG;
 typedef struct DYN_VALUE DYN_VALUE;
 typedef struct RELAY_PARAMETER RELAY_PARAMETER;
+typedef struct SSL_ACCEPT_SETTINGS SSL_ACCEPT_SETTINGS;
 
 // Tick64.h
 typedef struct ADJUST_TIME ADJUST_TIME;

+ 2 - 2
src/Mayaqua/Mayaqua.vcproj

@@ -46,7 +46,7 @@
 				Name="VCCLCompilerTool"
 				Optimization="0"
 				AdditionalIncludeDirectories="$(SolutionDir)Mayaqua\win32_inc;.;$(SolutionDir)"
-				PreprocessorDefinitions="WIN32;_DEBUG;_LIB;_USE_32BIT_TIME_T"
+				PreprocessorDefinitions="WIN32;_DEBUG;_LIB"
 				MinimalRebuild="true"
 				ExceptionHandling="0"
 				BasicRuntimeChecks="3"
@@ -188,7 +188,7 @@
 				EnableIntrinsicFunctions="false"
 				FavorSizeOrSpeed="0"
 				AdditionalIncludeDirectories="$(SolutionDir)Mayaqua\win32_inc;.;$(SolutionDir)"
-				PreprocessorDefinitions="WIN32;NDEBUG;_LIB;_USE_32BIT_TIME_T;VPN_SPEED"
+				PreprocessorDefinitions="WIN32;NDEBUG;_LIB;VPN_SPEED"
 				StringPooling="false"
 				ExceptionHandling="0"
 				RuntimeLibrary="0"

+ 181 - 0
src/Mayaqua/Microsoft.c

@@ -204,6 +204,7 @@ static SERVICE_FUNCTION *g_start, *g_stop;
 static bool exiting = false;
 static bool wnd_end;
 static bool is_usermode = false;
+static bool wts_is_locked_flag = false;
 static HICON tray_icon;
 static NOTIFYICONDATA nid;
 static NOTIFYICONDATAW nid_nt;
@@ -9193,6 +9194,11 @@ bool MsCloseWarningWindow(NO_WARNING *nw, UINT thread_id)
 	for (i = 0;i < LIST_NUM(o);i++)
 	{
 		HWND hWnd;
+
+		if (nw->Halt)
+		{
+			break;
+		}
 		
 		if (MsIsVista() == false)
 		{
@@ -12341,6 +12347,175 @@ bool MsIsPasswordEmpty(wchar_t *username)
 	return false;
 }
 
+// Determine if the workstation is locked by using WTS API
+bool MsDetermineIsLockedByWtsApi()
+{
+	return wts_is_locked_flag;
+}
+
+// IsLocked Window Proc
+LRESULT CALLBACK MsIsLockedWindowHandlerWindowProc(HWND hWnd, UINT msg, WPARAM wParam, LPARAM lParam)
+{
+	MS_ISLOCKED *d = NULL;
+	CREATESTRUCT *cs;
+	// Validate arguments
+	if (hWnd == NULL)
+	{
+		return 0;
+	}
+
+	d = (MS_ISLOCKED *)GetWindowLongPtrA(hWnd, GWLP_USERDATA);
+	if (d == NULL && msg != WM_CREATE)
+	{
+		goto LABEL_END;
+	}
+
+	switch (msg)
+	{
+	case WM_CREATE:
+		cs = (CREATESTRUCT *)lParam;
+		d = (MS_ISLOCKED *)cs->lpCreateParams;
+		SetWindowLongPtrA(hWnd, GWLP_USERDATA, (LONG_PTR)d);
+
+		ms->nt->WTSRegisterSessionNotification(hWnd, NOTIFY_FOR_THIS_SESSION);
+
+		wts_is_locked_flag = false;
+
+		break;
+
+	case WM_WTSSESSION_CHANGE:
+		{
+			char tmp[MAX_SIZE];
+
+			GetDateTimeStr64(tmp, sizeof(tmp), LocalTime64());
+
+			switch (wParam)
+			{
+			case WTS_SESSION_LOCK:
+				Debug("%s: Enter Lock\n", tmp);
+				d->IsLockedFlag = true;
+				wts_is_locked_flag = true;
+				break;
+
+			case WTS_SESSION_UNLOCK:
+				Debug("%s: Enter Unlock\n", tmp);
+				d->IsLockedFlag = false;
+				wts_is_locked_flag = false;
+				break;
+			}
+		}
+
+		break;
+
+	case WM_DESTROY:
+		Debug("Unregister\n");
+		ms->nt->WTSUnRegisterSessionNotification(hWnd);
+		PostQuitMessage(0);
+		break;
+	}
+
+LABEL_END:
+	return DefWindowProc(hWnd, msg, wParam, lParam);
+}
+
+// IsLocked thread proc
+void MsIsLockedThreadProc(THREAD *thread, void *param)
+{
+	MS_ISLOCKED *d = (MS_ISLOCKED *)param;
+	char wndclass_name[MAX_PATH];
+	WNDCLASS wc;
+	HWND hWnd;
+	MSG msg;
+	// Validate arguments
+	if (d == NULL || thread == NULL)
+	{
+		return;
+	}
+
+	Format(wndclass_name, sizeof(wndclass_name), "WNDCLASS_%X", Rand32());
+
+	Zero(&wc, sizeof(wc));
+	wc.hbrBackground = (HBRUSH)GetStockObject(WHITE_BRUSH);
+	wc.hCursor = LoadCursor(NULL, IDC_ARROW);
+	wc.hIcon = NULL;
+	wc.hInstance = ms->hInst;
+	wc.lpfnWndProc = MsIsLockedWindowHandlerWindowProc;
+	wc.lpszClassName = wndclass_name;
+	if (RegisterClassA(&wc) == 0)
+	{
+		NoticeThreadInit(thread);
+		return;
+	}
+
+	hWnd = CreateWindowA(wndclass_name, wndclass_name, WS_OVERLAPPEDWINDOW,
+		CW_USEDEFAULT, CW_USEDEFAULT, CW_USEDEFAULT, CW_USEDEFAULT,
+		NULL, NULL, ms->hInst, d);
+
+	d->hWnd = hWnd;
+
+	NoticeThreadInit(thread);
+
+	if (hWnd == NULL)
+	{
+		UnregisterClassA(wndclass_name, ms->hInst);
+		return;
+	}
+
+	while (GetMessage(&msg, NULL, 0, 0))
+	{
+		TranslateMessage(&msg);
+		DispatchMessage(&msg);
+	}
+
+	DestroyWindow(hWnd);
+
+	UnregisterClassA(wndclass_name, ms->hInst);
+}
+
+// Create new IsLocked thread
+MS_ISLOCKED *MsNewIsLocked()
+{
+	MS_ISLOCKED *d;
+	THREAD *t;
+
+	SleepThread(5000);
+
+	if (IsNt() == false || ms->nt->WTSRegisterSessionNotification == NULL ||
+		ms->nt->WTSUnRegisterSessionNotification == NULL)
+	{
+		return NULL;
+	}
+
+	d = ZeroMalloc(sizeof(MS_ISLOCKED));
+
+	t = NewThread(MsIsLockedThreadProc, d);
+
+	WaitThreadInit(t);
+
+	d->Thread = t;
+
+	return d;
+}
+
+// Stop and free the IsLocked thread
+void MsFreeIsLocked(MS_ISLOCKED *d)
+{
+	if (d == NULL)
+	{
+		return;
+	}
+
+	if (d->hWnd != NULL)
+	{
+		PostMessageA(d->hWnd, WM_CLOSE, 0, 0);
+	}
+
+	WaitThread(d->Thread, INFINITE);
+	ReleaseThread(d->Thread);
+
+	Free(d);
+}
+
 // Execution of shutdown (NT)
 bool MsShutdownEx(bool reboot, bool force, UINT time_limit, char *message)
 {
@@ -12689,6 +12864,12 @@ NT_API *MsLoadNtApiFunctions()
 		nt->WTSEnumerateSessionsA =
 			(BOOL (__stdcall *)(HANDLE,DWORD,DWORD,PWTS_SESSION_INFOA *,DWORD *))
 			GetProcAddress(nt->hWtsApi32, "WTSEnumerateSessionsA");
+		nt->WTSRegisterSessionNotification =
+			(BOOL (__stdcall *)(HWND,DWORD))
+			GetProcAddress(nt->hWtsApi32, "WTSRegisterSessionNotification");
+		nt->WTSUnRegisterSessionNotification =
+			(BOOL (__stdcall *)(HWND))
+			GetProcAddress(nt->hWtsApi32, "WTSUnRegisterSessionNotification");
 	}
 
 	// Service related API
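Review bot: `wts_is_locked_flag` is written from the window thread in `MsIsLockedWindowHandlerWindowProc` and read from other threads through `MsDetermineIsLockedByWtsApi`, yet it is a plain `static bool` while the per-instance `IsLockedFlag` in `MS_ISLOCKED` is declared `volatile`; declare it `static volatile bool wts_is_locked_flag = false;` or read the state only through the struct so the two paths agree. In `MsIsLockedThreadProc` the explicit `DestroyWindow(hWnd)` after the message loop normally runs on a handle that the default `WM_CLOSE` handling has already destroyed (the loop exits once `WM_DESTROY` has posted `WM_QUIT`), so either drop that call or guard it with `IsWindow(hWnd)`. `MsNewIsLocked` also sleeps for five seconds before checking whether the WTS entry points were resolved at all; moving the `SleepThread(5000)` below the early-return check, and adding a comment explaining what the delay waits for, would make the intent clear.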

+ 17 - 0
src/Mayaqua/Microsoft.h

@@ -431,6 +431,8 @@ typedef struct NT_API
 	void (WINAPI *WTSFreeMemory)(void *);
 	BOOL (WINAPI *WTSDisconnectSession)(HANDLE, DWORD, BOOL);
 	BOOL (WINAPI *WTSEnumerateSessions)(HANDLE, DWORD, DWORD, PWTS_SESSION_INFO *, DWORD *);
+	BOOL (WINAPI *WTSRegisterSessionNotification)(HWND, DWORD);
+	BOOL (WINAPI *WTSUnRegisterSessionNotification)(HWND);
 	SC_HANDLE (WINAPI *OpenSCManager)(LPCTSTR, LPCTSTR, DWORD);
 	SC_HANDLE (WINAPI *CreateServiceA)(SC_HANDLE, LPCTSTR, LPCTSTR, DWORD, DWORD, DWORD, DWORD, LPCTSTR, LPCTSTR, LPDWORD, LPCTSTR, LPCTSTR, LPCTSTR);
 	SC_HANDLE (WINAPI *CreateServiceW)(SC_HANDLE, LPCWSTR, LPCWSTR, DWORD, DWORD, DWORD, DWORD, LPCWSTR, LPCWSTR, LPDWORD, LPCWSTR, LPCWSTR, LPCWSTR);
@@ -590,6 +592,13 @@ typedef struct MS_ADAPTER_LIST
 	MS_ADAPTER **Adapters;			// Content
 } MS_ADAPTER_LIST;
 
+typedef struct MS_ISLOCKED
+{
+	HWND hWnd;
+	THREAD *Thread;
+	volatile bool IsLockedFlag;
+} MS_ISLOCKED;
+
 // TCP setting
 typedef struct MS_TCP
 {
@@ -741,6 +750,14 @@ char *MsGetExeFileName();
 char *MsGetExeDirName();
 wchar_t *MsGetExeDirNameW();
 
+void MsIsLockedThreadProc(THREAD *thread, void *param);
+MS_ISLOCKED *MsNewIsLocked();
+void MsFreeIsLocked(MS_ISLOCKED *d);
+void MsStartIsLockedThread();
+void MsStopIsLockedThread();
+bool MsDetermineIsLockedByWtsApi();
+
+
 bool MsShutdown(bool reboot, bool force);
 bool MsShutdownEx(bool reboot, bool force, UINT time_limit, char *message);
 bool MsCheckLogon(wchar_t *username, char *password);

+ 69 - 97
src/Mayaqua/Network.c

@@ -155,7 +155,6 @@
 #ifdef	UNIX_MACOS
 #include <sys/event.h>
 #endif	// UNIX_MACOS
-#include <Cedar/Cedar.h>
 
 #ifdef	OS_WIN32
 NETWORK_WIN32_FUNCTIONS *w32net;
@@ -188,8 +187,6 @@ struct ROUTE_CHANGE_DATA
 
 
 // HTTP constant
-//static char http_301_str[] = "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">\r\n<HTML><HEAD>\r\n<TITLE>301 Moved Permanently</TITLE>\r\n</HEAD><BODY>\r\n<H1>Moved</H1>\r\nThis páge has moved to <A HREF=\"https://$HOST$:4443$TARGET$\">new address</A>.<P>\r\n<HR>\r\n</BODY></HTML>\r\n";
-static char http_301_str[] = "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">\r\n<HTML><HEAD>\r\n<TITLE>301 Moved Permanently</TITLE>\r\n</HEAD><BODY>\r\n<H1>Moved</H1>\r\nThis páge has moved to <A HREF=\"https://$HOSTNAME$:4443$TARGET$\">new address</A>.<P>\r\n<HR>\r\n</BODY></HTML>\r\n";
 static char http_404_str[] = "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">\r\n<HTML><HEAD>\r\n<TITLE>404 Not Found</TITLE>\r\n</HEAD><BODY>\r\n<H1>Not Found</H1>\r\nThe requested URL $TARGET$ was not found on this server.<P>\r\n<HR>\r\n<ADDRESS>HTTP Server at $HOST$ Port $PORT$</ADDRESS>\r\n</BODY></HTML>\r\n";
 static char http_403_str[] = "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">\r\n<HTML><HEAD>\r\n<TITLE>403 Forbidden</TITLE>\r\n</HEAD><BODY>\r\n<H1>Forbidden</H1>\r\nYou don't have permission to access $TARGET$\r\non this server.<P>\r\n<HR>\r\n<ADDRESS>HTTP Server at $HOST$ Port $PORT$</ADDRESS>\r\n</BODY></HTML>\r\n";
 static char http_500_str[] = "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">\r\n<HTML><HEAD>\r\n<TITLE>500 Server Error</TITLE>\r\n</HEAD><BODY>\r\n<H1>Server Error</H1>\r\nServer Error<P>\r\n<HR>\r\n<ADDRESS>HTTP Server at $HOST$ Port $PORT$</ADDRESS>\r\n</BODY></HTML>\r\n";
@@ -236,7 +233,7 @@ static COUNTER *getip_thread_counter = NULL;
 static UINT max_getip_thread = 0;
 
 
-static char *cipher_list = "RC4-MD5 RC4-SHA AES128-SHA AES256-SHA DES-CBC-SHA DES-CBC3-SHA DHE-RSA-AES128-SHA DHE-RSA-AES256-SHA";
+static char *cipher_list = "RC4-MD5 RC4-SHA AES128-SHA AES256-SHA DES-CBC-SHA DES-CBC3-SHA DHE-RSA-AES128-SHA DHE-RSA-AES256-SHA AES128-GCM-SHA256 AES128-SHA256 AES256-GCM-SHA384 AES256-SHA256 DHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES128-SHA256 DHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES256-SHA256 ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-SHA256 ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-SHA384";
 static LIST *ip_clients = NULL;
 
 static LIST *local_mac_list = NULL;
@@ -248,7 +245,7 @@ static UINT rand_port_numbers[256] = {0};
 static bool g_use_privateip_file = false;
 static bool g_source_ip_validation_force_disable = false;
 
-static DH_CTX *dh_1024 = NULL;
+static DH_CTX *dh_2048 = NULL;
 
 typedef struct PRIVATE_IP_SUBNET
 {
@@ -5824,7 +5821,8 @@ SSL_PIPE *NewSslPipe(bool server_mode, X *x, K *k, DH_CTX *dh)
 	{
 		if (server_mode)
 		{
-			SSL_CTX_set_ssl_version(ssl_ctx, TLSv1_server_method());
+			SSL_CTX_set_ssl_version(ssl_ctx, SSLv23_method());
+			SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_SSLv2);
 
 			AddChainSslCertOnDirectory(ssl_ctx);
 
@@ -5835,7 +5833,7 @@ SSL_PIPE *NewSslPipe(bool server_mode, X *x, K *k, DH_CTX *dh)
 		}
 		else
 		{
-			SSL_CTX_set_ssl_version(ssl_ctx, TLSv1_client_method());
+			SSL_CTX_set_ssl_version(ssl_ctx, SSLv23_client_method());
 		}
 
 		//SSL_CTX_set_verify(ssl_ctx, SSL_VERIFY_PEER, cb_test);
@@ -12773,7 +12771,7 @@ bool SendAll(SOCK *sock, void *data, UINT size, bool secure)
 // Set the cipher algorithm name to want to use
 void SetWantToUseCipher(SOCK *sock, char *name)
 {
-	char tmp[254];
+	char tmp[1024];
 	// Validate arguments
 	if (sock == NULL || name == NULL)
 	{
@@ -12913,7 +12911,7 @@ bool AddChainSslCert(struct ssl_ctx_st *ctx, X *x)
 // Start a TCP-SSL communication
 bool StartSSL(SOCK *sock, X *x, K *priv)
 {
-	return StartSSLEx(sock, x, priv, false, 0, NULL);
+	return StartSSLEx(sock, x, priv, true, 0, NULL);
 }
 bool StartSSLEx(SOCK *sock, X *x, K *priv, bool client_tls, UINT ssl_timeout, char *sni_hostname)
 {
@@ -12976,23 +12974,39 @@ bool StartSSLEx(SOCK *sock, X *x, K *priv, bool client_tls, UINT ssl_timeout, ch
 		if (sock->ServerMode)
 		{
 			SSL_CTX_set_ssl_version(ssl_ctx, SSLv23_method());
-			long ssl_opt_flags=0x0L;
-			if (sock->DisableSslVersions & SSL_VERSION_SSL_V2) {
-				ssl_opt_flags |= SSL_OP_NO_SSLv2;
-			}
-			if (sock->DisableSslVersions & SSL_VERSION_SSL_V3) {
-				ssl_opt_flags |= SSL_OP_NO_SSLv3;
+
+#ifdef	SSL_OP_NO_SSLv2
+			SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_SSLv2);
+#endif	// SSL_OP_NO_SSLv2
+
+			if (sock->SslAcceptSettings.AcceptOnlyTls)
+			{
+#ifdef	SSL_OP_NO_SSLv3
+				SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_SSLv3);
+#endif	// SSL_OP_NO_SSLv3
 			}
-			if (sock->DisableSslVersions & SSL_VERSION_TLS_V1_0) {
-				ssl_opt_flags |= SSL_OP_NO_TLSv1;
+
+			if (sock->SslAcceptSettings.Tls_Disable1_0)
+			{
+#ifdef	SSL_OP_NO_TLSv1
+				SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_TLSv1);
+#endif	// SSL_OP_NO_TLSv1
 			}
-			if (sock->DisableSslVersions & SSL_VERSION_TLS_V1_1) {
-				ssl_opt_flags |= SSL_OP_NO_TLSv1_1;
+
+			if (sock->SslAcceptSettings.Tls_Disable1_1)
+			{
+#ifdef	SSL_OP_NO_TLSv1_1
+				SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_TLSv1_1);
+#endif	// SSL_OP_NO_TLSv1_1
 			}
-			if (sock->DisableSslVersions & SSL_VERSION_TLS_V1_2) {
-				ssl_opt_flags |= SSL_OP_NO_TLSv1_2;
+
+			if (sock->SslAcceptSettings.Tls_Disable1_2)
+			{
+#ifdef	SSL_OP_NO_TLSv1_2
+				SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_TLSv1_2);
+#endif	// SSL_OP_NO_TLSv1_2
 			}
-			SSL_CTX_set_options(ssl_ctx, ssl_opt_flags);
+
 			Unlock(openssl_lock);
 			AddChainSslCertOnDirectory(ssl_ctx);
 			Lock(openssl_lock);
@@ -13005,7 +13019,7 @@ bool StartSSLEx(SOCK *sock, X *x, K *priv, bool client_tls, UINT ssl_timeout, ch
 			}
 			else
 			{
-				SSL_CTX_set_ssl_version(ssl_ctx, TLSv1_client_method());
+				SSL_CTX_set_ssl_version(ssl_ctx, SSLv23_client_method());
 			}
 		}
 		sock->ssl = SSL_new(ssl_ctx);
@@ -13021,6 +13035,7 @@ bool StartSSLEx(SOCK *sock, X *x, K *priv, bool client_tls, UINT ssl_timeout, ch
 			}
 		}
 #endif	// SSL_CTRL_SET_TLSEXT_HOSTNAME
+
 	}
 	Unlock(openssl_lock);
 
@@ -13206,6 +13221,8 @@ bool StartSSLEx(SOCK *sock, X *x, K *priv, bool client_tls, UINT ssl_timeout, ch
 	return true;
 }
 
+
+
 #ifdef	ENABLE_SSL_LOGGING
 
 // Enable SSL logging
@@ -13838,6 +13855,10 @@ void DisableGetHostNameWhenAcceptInit()
 
 // Initialize the connection acceptance
 void AcceptInit(SOCK *s)
+{
+	AcceptInitEx(s, false);
+}
+void AcceptInitEx(SOCK *s, bool no_lookup_hostname)
 {
 	char tmp[MAX_SIZE];
 	// Validate arguments
@@ -13848,7 +13869,7 @@ void AcceptInit(SOCK *s)
 
 	Zero(tmp, sizeof(tmp));
 
-	if (disable_gethostname_by_accept == false)
+	if (disable_gethostname_by_accept == false && no_lookup_hostname == false)
 	{
 		if (GetHostName(tmp, sizeof(tmp), &s->RemoteIP) == false ||
 			IsEmptyStr(tmp))
@@ -17760,9 +17781,9 @@ DH *TmpDhCallback(SSL *ssl, int is_export, int keylength)
 {
 	DH *ret = NULL;
 
-	if (dh_1024 != NULL)
+	if (dh_2048 != NULL)
 	{
-		ret = dh_1024->dh;
+		ret = dh_2048->dh;
 	}
 
 	return ret;
@@ -17786,6 +17807,10 @@ struct ssl_ctx_st *NewSSLCtx(bool server_mode)
 
 	SSL_CTX_set_tmp_dh_callback(ctx, TmpDhCallback);
 
+#ifdef	SSL_CTX_set_ecdh_auto
+	SSL_CTX_set_ecdh_auto(ctx, 1);
+#endif	// SSL_CTX_set_ecdh_auto
+
 	return ctx;
 }
 
@@ -17879,7 +17904,7 @@ void InitNetwork()
 	disable_cache = false;
 
 
-	dh_1024 = DhNewGroup2();
+	dh_2048 = DhNew2048();
 
 	Zero(rand_port_numbers, sizeof(rand_port_numbers));
 
@@ -18313,10 +18338,10 @@ void SetCurrentGlobalIP(IP *ip, bool ipv6)
 void FreeNetwork()
 {
 
-	if (dh_1024 != NULL)
+	if (dh_2048 != NULL)
 	{
-		DhFree(dh_1024);
-		dh_1024 = NULL;
+		DhFree(dh_2048);
+		dh_2048 = NULL;
 	}
 
 	// Release of thread-related
@@ -21875,69 +21900,6 @@ bool HttpSendNotImplemented(SOCK *s, char *method, char *target, char *version)
 	return ret;
 }
 
-// Sending the 301 Moved Permanently: Redirect
-bool HttpSendRedirect(SOCK *s, char *target, char *hostname)
-{
-        HTTP_HEADER *h;
-        char *str;
-	//char *redirect_to_static="https://$HOSTNAME$:4443$TARGET$";
-	char *redirect_to_static="https://%s:4443%s";
-	char *redirect_to;
-        UINT redir_size;
-        UINT str_size;
-        bool ret;
-        char host[MAX_SIZE];
-        UINT port;
-        // Validate arguments
-        if (s == NULL || target == NULL || hostname == NULL)
-        {
-                return false;
-        }
-
-        // Get the host name
-        //GetMachineName(host, MAX_SIZE);
-        Zero(host, sizeof(host));
-        IPToStr(host, sizeof(host), &s->LocalIP);
-
-        // Creating a header
-        h = NewHttpHeader("HTTP/1.1", "301", "Moved Permanently");
-
-        redir_size = strlen(redirect_to_static) * 2 + StrLen(target) + StrLen(hostname);
-	redirect_to = Malloc(redir_size);
-	snprintf(redirect_to, redir_size, redirect_to_static, hostname, target);
-        //StrCpy(redirect_to, redir_size, redirect_to_static);
-	//ReplaceStri(redirect_to, redir_size, redirect_to, "$TARGET$", target);
-	//ReplaceStri(redirect_to, redir_size, redirect_to, "$HOSTNAME$", hostname);
-
-        AddHttpValue(h, NewHttpValue("Location", redirect_to));
-        AddHttpValue(h, NewHttpValue("Content-Type", HTTP_CONTENT_TYPE));
-
-        // Creating a Data
-        str_size = sizeof(http_301_str) * 2 + StrLen(target) + StrLen(hostname);
-        str = Malloc(str_size);
-        StrCpy(str, str_size, http_301_str);
-
-        // TARGET
-        ReplaceUnsafeCharInTarget(target);
-        ReplaceStri(str, str_size, str, "$TARGET$", target);
-
-        // HOST
-        //ReplaceStri(str, str_size, str, "$HOST$", host);
-
-        // HOSTNAME
-        ReplaceStri(str, str_size, str, "$HOSTNAME$", hostname);
-
-        // Transmission
-        ret = PostHttp(s, h, str, StrLen(str));
-
-        FreeHttpHeader(h);
-        Free(redirect_to);
-        Free(str);
-
-        return ret;
-}
-
-
 // Sending a 404 Not Found error
 bool HttpSendNotFound(SOCK *s, char *target)
 {
@@ -22744,7 +22706,14 @@ bool GetSniNameFromSslPacket(UCHAR *packet_buf, UINT packet_size, char *sni, UIN
 	USHORT handshake_length;
 
 	// Validate arguments
-	if (packet_buf == NULL || packet_size == 0)
+	if (packet_buf == NULL || packet_size <= 11)
+	{
+		return false;
+	}
+
+	if (!(packet_buf[0] == 0x16 && packet_buf[1] >= 0x03 &&
+		packet_buf[5] == 0x01 && packet_buf[6] == 0x00 &&
+		packet_buf[9] >= 0x03))
 	{
 		return false;
 	}
@@ -22758,7 +22727,7 @@ bool GetSniNameFromSslPacket(UCHAR *packet_buf, UINT packet_size, char *sni, UIN
 		version = Endian16(version);
 		handshake_length = Endian16(handshake_length);
 
-		if (version >= 0x0301)
+		if (content_type == 0x16 && version >= 0x0301)
 		{
 			UCHAR *handshake_data = Malloc(handshake_length);
 
@@ -22875,9 +22844,12 @@ bool GetSniNameFromSslPacket(UCHAR *packet_buf, UINT packet_size, char *sni, UIN
 
 																							if (ReadBuf(dbuf, name_buf, name_len) == name_len)
 																							{
-																								ret = true;
+																								if (StrLen(name_buf) >= 1)
+																								{
+																									ret = true;
 
-																								StrCpy(sni, sni_size, name_buf);
+																									StrCpy(sni, sni_size, name_buf);
+																								}
 																							}
 
 																							Free(name_buf);
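Review bot: The server branch of `NewSslPipe` now selects `SSLv23_method()` and disables only SSLv2, so SSLv3 stays negotiable wherever the linked OpenSSL still supports it, with no equivalent of the `AcceptOnlyTls` gate that `StartSSLEx` applies; the two client branches (`SSLv23_client_method()` in `NewSslPipe` and in `StartSSLEx`) likewise set no `SSL_OP_NO_SSLv3`. Add `SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_SSLv3);` under the same `#ifdef SSL_OP_NO_SSLv3` guard in those three places, or document why a lower floor is wanted there. The rewritten `cipher_list` also still lists `RC4-MD5`, `RC4-SHA` and `DES-CBC-SHA` ahead of the new AEAD suites; if they must remain for old clients, a comment saying so, and placing them after the GCM suites, would record that decision. `StartSSL` now passes `client_tls = true` to every existing caller, which is a behaviour change worth a note in the comment above `StartSSL`.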

+ 11 - 3
src/Mayaqua/Network.h

@@ -246,6 +246,15 @@ struct SOCK_EVENT
 #define	SOCK_RUDP_LISTEN		5
 #define	SOCK_REVERSE_LISTEN		6
 
+// SSL Accept Settings
+struct SSL_ACCEPT_SETTINGS
+{
+	bool AcceptOnlyTls;
+	bool Tls_Disable1_0;
+	bool Tls_Disable1_1;
+	bool Tls_Disable1_2;
+};
+
 // Socket
 struct SOCK
 {
@@ -312,8 +321,7 @@ struct SOCK
 	IP Reverse_MyServerGlobalIp;	// Self global IP address when using the reverse socket
 	UINT Reverse_MyServerPort;		// Self port number when using the reverse socket
 	UCHAR Ssl_Init_Async_SendAlert[2];	// Initial state of SSL send_alert
-	bool AcceptOnlyTls;			// Accept only TLS (disable SSLv3)
-	UINT DisableSslVersions;	// Bitmap of SSL Version to disable
+	SSL_ACCEPT_SETTINGS SslAcceptSettings;	// SSL Accept Settings
 	bool RawIP_HeaderIncludeFlag;
 
 #ifdef	ENABLE_SSL_LOGGING
@@ -1044,7 +1052,6 @@ char *HttpHeaderToStr(HTTP_HEADER *header);
 bool PostHttp(SOCK *s, HTTP_HEADER *header, void *post_data, UINT post_size);
 UINT GetContentLength(HTTP_HEADER *header);
 void GetHttpDateStr(char *str, UINT size, UINT64 t);
-bool HttpSendRedirect(SOCK *s, char *target, char* hostname);
 bool HttpSendForbidden(SOCK *s, char *target, char *server_id);
 bool HttpSendNotFound(SOCK *s, char *target);
 bool HttpSendNotImplemented(SOCK *s, char *method, char *target, char *version);
@@ -1370,6 +1377,7 @@ bool GetDomainName(char *name, UINT size);
 bool UnixGetDomainName(char *name, UINT size);
 void RenewDhcp();
 void AcceptInit(SOCK *s);
+void AcceptInitEx(SOCK *s, bool no_lookup_hostname);
 void DisableGetHostNameWhenAcceptInit();
 bool CheckCipherListName(char *name);
 TOKEN_LIST *GetCipherList();
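Review bot: The four fields of the new `SSL_ACCEPT_SETTINGS` carry no comments, unlike the neighbouring `SOCK` members, and their sense is only clear from how `StartSSLEx` consumes them (`AcceptOnlyTls` turns on `SSL_OP_NO_SSLv3`; each `Tls_Disable1_x` turns on the matching `SSL_OP_NO_TLSv1_x`). Add `// true: refuse SSLv3, accept TLS only` above `AcceptOnlyTls` and `// true: refuse this TLS version on accept` above the `Tls_Disable` fields, and state that all-false means no version restriction beyond SSLv2, since the struct replaces the former `DisableSslVersions` bitmap whose zero value meant the same thing.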

+ 22 - 10
src/Mayaqua/Secure.c

@@ -424,12 +424,18 @@ bool SignSecByObject(SECURE *sec, SEC_OBJ *obj, void *dst, void *src, UINT size)
 
 	// Perform Signing
 	size = 128;
+	// First try with 1024 bit
 	ret = sec->Api->C_Sign(sec->SessionId, hash, sizeof(hash), dst, &size);
-	if (ret != CKR_OK || size != 128)
+	if (ret != CKR_OK && 128 < size && size <= 4096/8)
+	{
+		// Retry with expanded bits
+		ret = sec->Api->C_Sign(sec->SessionId, hash, sizeof(hash), dst, &size);
+	}
+	if (ret != CKR_OK || size == 0 || size > 4096/8)
 	{
 		// Failure
 		sec->Error = SEC_ERROR_HARDWARE_ERROR;
-		Debug("C_Sign Error: 0x%x\n", ret);
+		Debug("C_Sign Error: 0x%x  size:%d\n", ret, size);
 		return false;
 	}
 
@@ -782,6 +788,11 @@ bool WriteSecCert(SECURE *sec, bool private_obj, char *name, X *x)
 		b_private_obj = false;
 	}
 
+	// CryptoID PKCS#11 requires CKA_ID attiribute instead of CKA_LABEL.
+	if(sec->Dev->Id == 22) {
+		a[7].type = CKA_ID;
+	}
+
 	// Remove objects which have the same name
 	if (CheckSecObject(sec, name, SEC_X))
 	{
@@ -2007,7 +2018,7 @@ void TestSecMain(SECURE *sec)
 	}
 
 	Print("Generating Key...\n");
-	if (RsaGen(&private_key, &public_key, 1024) == false)
+	if (RsaGen(&private_key, &public_key, 2048) == false)
 	{
 		Print("RsaGen() Failed.\n");
 	}
@@ -2077,9 +2088,10 @@ void TestSecMain(SECURE *sec)
 						}
 						else
 						{
-							UCHAR sign_cpu[128];
-							UCHAR sign_sec[128];
+							UCHAR sign_cpu[512];
+							UCHAR sign_sec[512];
 							K *pub = GetKFromX(cert);
+							UINT keybtytes = (cert->bits)/8;
 							Print("Ok.\n");
 							Print("Signing Data by CPU...\n");
 							if (RsaSign(sign_cpu, test_str, StrLen(test_str), private_key) == false)
@@ -2090,7 +2102,7 @@ void TestSecMain(SECURE *sec)
 							{
 								Print("Ok.\n");
 								Print("sign_cpu: ");
-								PrintBin(sign_cpu, sizeof(sign_cpu));
+								PrintBin(sign_cpu, keybtytes);
 								Print("Signing Data by %s..\n", sec->Dev->DeviceName);
 								if (SignSec(sec, "test_key", sign_sec, test_str, StrLen(test_str)) == false)
 								{
@@ -2100,14 +2112,14 @@ void TestSecMain(SECURE *sec)
 								{
 									Print("Ok.\n");
 									Print("sign_sec: ");
-									PrintBin(sign_sec, sizeof(sign_sec));
+									PrintBin(sign_sec, keybtytes);
 									Print("Compare...");
-									if (Cmp(sign_sec, sign_cpu, sizeof(sign_cpu)) == 0)
+									if (Cmp(sign_sec, sign_cpu, keybtytes) == 0)
 									{
 										Print("Ok.\n");
 										Print("Verify...");
-										if (RsaVerify(test_str, StrLen(test_str),
-											sign_sec, pub) == false)
+										if (RsaVerifyEx(test_str, StrLen(test_str),
+											sign_sec, pub, cert->bits) == false)
 										{
 											Print("[FAILED]\n");
 										}
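Review bot: The retry in `SignSecByObject` writes the signature into `dst` with whatever length the token reported, up to `4096/8` bytes, but `dst` is a caller-supplied buffer whose capacity the function never receives; `TestSecMain` was widened to `sign_sec[512]`, while any other `SignSec` caller still sized for 128 bytes would be overrun (those callers are outside this diff, so this is inferred). Either add a `dst_size` parameter, or a `SignSecByObjectEx` that takes one, and fail when `size > dst_size`, or at least document at the prototype that `dst` must hold 512 bytes. The retry condition tests only `ret != CKR_OK`; checking for `CKR_BUFFER_TOO_SMALL` specifically would avoid re-issuing `C_Sign` after an unrelated failure. The literal `sec->Dev->Id == 22` in `WriteSecCert` should be a named constant tied to the `CryptoID` row of `SupportedList`, and the comment above it has a typo (`attiribute`).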

+ 2 - 1
src/Mayaqua/Secure.h

@@ -307,7 +307,8 @@ SECURE_DEVICE SupportedList[] =
 	{18,	SECURE_IC_CARD,		"Gemalto .NET",			"Gemalto",				"gtop11dotnet.dll"},
 	{19,	SECURE_IC_CARD,		"Gemalto .NET 64bit",	"Gemalto",				"gtop11dotnet64.dll"},
 	{20,	SECURE_USB_TOKEN,	"ePass 2003",			"Feitian Technologies",	"eps2003csp11.dll"},
-	{20,	SECURE_USB_TOKEN,	"ePass 1000ND/2000/3000",			"Feitian Technologies",	"ngp11v211.dll"},
+	{21,	SECURE_USB_TOKEN,	"ePass 1000ND/2000/3000",			"Feitian Technologies",	"ngp11v211.dll"},
+	{22,	SECURE_USB_TOKEN,	"CryptoID",				"Longmai Technology",	"cryptoida_pkcs11.dll"},
 };
 
 #ifdef	OS_WIN32

+ 40 - 6
src/Mayaqua/TcpIp.c

@@ -1829,19 +1829,26 @@ PKT *ParsePacketEx4(UCHAR *buf, UINT size, bool no_l3, UINT vlan_type_id, bool b
 	{
 		USHORT port_raw = Endian16(80);
 		USHORT port_raw2 = Endian16(8080);
+		USHORT port_raw3 = Endian16(443);
 
 		// Analyze if the packet is a part of HTTP
 		if ((p->TypeL3 == L3_IPV4 || p->TypeL3 == L3_IPV6) && p->TypeL4 == L4_TCP)
 		{
 			TCP_HEADER *tcp = p->L4.TCPHeader;
-			if (tcp != NULL && (!((tcp->Flag & TCP_SYN) || (tcp->Flag & TCP_RST) || (tcp->Flag & TCP_FIN))))
+			if (tcp != NULL && (tcp->DstPort == port_raw || tcp->DstPort == port_raw2) &&
+				(!((tcp->Flag & TCP_SYN) || (tcp->Flag & TCP_RST) || (tcp->Flag & TCP_FIN))))
 			{
-				if (tcp->DstPort == port_raw || tcp->DstPort == port_raw2)
+				if (p->PayloadSize >= 1)
 				{
-					if (p->PayloadSize >= 1)
-					{
-						p->HttpLog = ParseHttpAccessLog(p);
-					}
+					p->HttpLog = ParseHttpAccessLog(p);
+				}
+			}
+			if (tcp != NULL && tcp->DstPort == port_raw3 &&
+				(!((tcp->Flag & TCP_SYN) || (tcp->Flag & TCP_RST) || (tcp->Flag & TCP_FIN))))
+			{
+				if (p->PayloadSize >= 1)
+				{
+					p->HttpLog = ParseHttpsAccessLog(p);
 				}
 			}
 		}
@@ -2014,6 +2021,33 @@ void CorrectChecksum(PKT *p)
 }
 
 
+// Parse the HTTPS access log
+HTTPLOG *ParseHttpsAccessLog(PKT *pkt)
+{
+	HTTPLOG h;
+	char sni[MAX_PATH];
+	// Validate arguments
+	if (pkt == NULL)
+	{
+		return NULL;
+	}
+
+	if (GetSniNameFromSslPacket(pkt->Payload, pkt->PayloadSize, sni, sizeof(sni)) == false)
+	{
+		return NULL;
+	}
+
+	Zero(&h, sizeof(h));
+
+	StrCpy(h.Method, sizeof(h.Method), "SSL_Connect");
+	StrCpy(h.Hostname, sizeof(h.Hostname), sni);
+	h.Port = Endian16(pkt->L4.TCPHeader->DstPort);
+	StrCpy(h.Path, sizeof(h.Path), "/");
+	h.IsSsl = true;
+
+	return Clone(&h, sizeof(h));
+}
+
 // Parse the HTTP access log
 HTTPLOG *ParseHttpAccessLog(PKT *pkt)
 {
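Review bot: `ParseHttpsAccessLog` dereferences `pkt->L4.TCPHeader` for `h.Port` without checking it, relying on the `tcp != NULL` test at its only visible call site in `ParsePacketEx4`; since the function is exported through `TcpIp.h`, change the guard to `if (pkt == NULL || pkt->L4.TCPHeader == NULL) return NULL;` so other callers are safe. The hostname it records is the SNI taken straight from the ClientHello, so an untrusted wire value now flows into `HttpLog`; unless the log writer already escapes the field (not visible here), confirm that control characters and field separators are neutralised before the line is written. A comment above the port-443 block in `ParsePacketEx4` noting that the two `if` blocks are mutually exclusive by destination port, so `p->HttpLog` is assigned at most once, would also help readers.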

+ 2 - 0
src/Mayaqua/TcpIp.h

@@ -651,6 +651,7 @@ struct HTTPLOG
 	char Protocol[64];						// Protocol
 	char UserAgent[MAX_SIZE];				// User Agent value
 	char Referer[MAX_SIZE];					// Referer
+	bool IsSsl;								// Is SSL
 };
 
 // Packet
@@ -919,6 +920,7 @@ void FreeDhcpOptions(LIST *o);
 LIST *ParseDhcpOptions(void *data, UINT size);
 BUF *BuildDhcpOptionsBuf(LIST *o);
 HTTPLOG *ParseHttpAccessLog(PKT *pkt);
+HTTPLOG *ParseHttpsAccessLog(PKT *pkt);
 
 BUF *DhcpModify(DHCP_MODIFY_OPTION *m, void *data, UINT size);
 BUF *DhcpModifyIPv4(DHCP_MODIFY_OPTION *m, void *data, UINT size);

+ 13 - 3
src/Mayaqua/Unix.c

@@ -2031,6 +2031,7 @@ void UnixInc32(UINT *value)
 void UnixGetSystemTime(SYSTEMTIME *system_time)
 {
 	time_t now = 0;
+	time_64t now2 = 0;
 	struct tm tm;
 	struct timeval tv;
 	struct timezone tz;
@@ -2048,7 +2049,16 @@ void UnixGetSystemTime(SYSTEMTIME *system_time)
 
 	time(&now);
 
-	gmtime_r(&now, &tm);
+	if (sizeof(time_t) == 4)
+	{
+		now2 = (time_64t)((UINT64)((UINT32)now));
+	}
+	else
+	{
+		now2 = now;
+	}
+
+	c_gmtime_r(&now2, &tm);
 
 	TmToSystem(system_time, &tm);
 
@@ -2087,7 +2097,7 @@ UINT64 UnixGetTick64()
 #endif	// CLOCK_MONOTONIC
 #endif	// CLOCK_HIGHRES
 
-	ret = (UINT64)t.tv_sec * 1000LL + (UINT64)t.tv_nsec / 1000000LL;
+	ret = ((UINT64)((UINT32)t.tv_sec)) * 1000LL + (UINT64)t.tv_nsec / 1000000LL;
 
 	if (akirame == false && ret == 0)
 	{
@@ -2106,7 +2116,7 @@ UINT64 UnixGetTick64()
 		host_get_clock_service(mach_host_self(), SYSTEM_CLOCK, &clock_serv);
 	}
 	clock_get_time(clock_serv, &t);
-	ret = (UINT64)t.tv_sec * 1000LL + (UINT64)t.tv_nsec / 1000000LL;
+	ret = ((UINT64)((UINT32)t.tv_sec)) * 1000LL + (UINT64)t.tv_nsec / 1000000LL;
 	return ret;
 #else
 	return TickRealtimeManual();
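Review bot: The `(UINT64)((UINT32)t.tv_sec)` casts added on both UnixGetTick64 return paths, and the `sizeof(time_t) == 4` branch in UnixGetSystemTime, carry no comment saying why the value is forced through 32 bits, and a later reader will likely read the truncation on 64-bit platforms as a bug. The cast presumably exists so that a 32-bit signed tv_sec / time_t is read as unsigned instead of being sign-extended once it passes 2^31; on the tick path it also drops the upper half of a 64-bit tv_sec, which is harmless for a clock counting from boot but would make the tick wrap if a realtime clock were ever selected by the #if chain above the hunk. Suggest `// Reinterpret a 32-bit signed tv_sec as unsigned so it does not sign-extend; the upper 32 bits of a 64-bit tv_sec are intentionally dropped` above each cast, and `// A 32-bit time_t is treated as unsigned so the calendar stays valid past 2038` above the sizeof branch. Both UnixGetTick64 hunks sit inside a function whose start and end lie outside the hunks.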

+ 1 - 1
src/Mayaqua/win32_inc/openssl/aes.h

@@ -1,4 +1,4 @@
-/* crypto/aes/aes.h -*- mode:C; c-file-style: "eay" -*- */
+/* crypto/aes/aes.h */
 /* ====================================================================
  * Copyright (c) 1998-2002 The OpenSSL Project.  All rights reserved.
  *

+ 11 - 7
src/Mayaqua/win32_inc/openssl/bio.h

@@ -291,7 +291,7 @@ void BIO_clear_flags(BIO *b, int flags);
  * BIO_CB_RETURN flag indicates if it is after the call
  */
 # define BIO_CB_RETURN   0x80
-# define BIO_CB_return(a) ((a)|BIO_CB_RETURN))
+# define BIO_CB_return(a) ((a)|BIO_CB_RETURN)
 # define BIO_cb_pre(a)   (!((a)&BIO_CB_RETURN))
 # define BIO_cb_post(a)  ((a)&BIO_CB_RETURN)
 
@@ -479,11 +479,11 @@ struct bio_dgram_sctp_prinfo {
 # define BIO_get_conn_hostname(b)  BIO_ptr_ctrl(b,BIO_C_GET_CONNECT,0)
 # define BIO_get_conn_port(b)      BIO_ptr_ctrl(b,BIO_C_GET_CONNECT,1)
 # define BIO_get_conn_ip(b)               BIO_ptr_ctrl(b,BIO_C_GET_CONNECT,2)
-# define BIO_get_conn_int_port(b) BIO_int_ctrl(b,BIO_C_GET_CONNECT,3,0)
+# define BIO_get_conn_int_port(b) BIO_ctrl(b,BIO_C_GET_CONNECT,3,NULL)
 
 # define BIO_set_nbio(b,n)       BIO_ctrl(b,BIO_C_SET_NBIO,(n),NULL)
 
-/* BIO_s_accept_socket() */
+/* BIO_s_accept() */
 # define BIO_set_accept_port(b,name) BIO_ctrl(b,BIO_C_SET_ACCEPT,0,(char *)name)
 # define BIO_get_accept_port(b)  BIO_ptr_ctrl(b,BIO_C_GET_ACCEPT,0)
 /* #define BIO_set_nbio(b,n)    BIO_ctrl(b,BIO_C_SET_NBIO,(n),NULL) */
@@ -496,6 +496,7 @@ struct bio_dgram_sctp_prinfo {
 # define BIO_set_bind_mode(b,mode) BIO_ctrl(b,BIO_C_SET_BIND_MODE,mode,NULL)
 # define BIO_get_bind_mode(b,mode) BIO_ctrl(b,BIO_C_GET_BIND_MODE,0,NULL)
 
+/* BIO_s_accept() and BIO_s_connect() */
 # define BIO_do_connect(b)       BIO_do_handshake(b)
 # define BIO_do_accept(b)        BIO_do_handshake(b)
 # define BIO_do_handshake(b)     BIO_ctrl(b,BIO_C_DO_STATE_MACHINE,0,NULL)
@@ -515,12 +516,15 @@ struct bio_dgram_sctp_prinfo {
 # define BIO_get_url(b,url)      BIO_ctrl(b,BIO_C_GET_PROXY_PARAM,2,(char *)(url))
 # define BIO_get_no_connect_return(b)    BIO_ctrl(b,BIO_C_GET_PROXY_PARAM,5,NULL)
 
+/* BIO_s_datagram(), BIO_s_fd(), BIO_s_socket(), BIO_s_accept() and BIO_s_connect() */
 # define BIO_set_fd(b,fd,c)      BIO_int_ctrl(b,BIO_C_SET_FD,c,fd)
 # define BIO_get_fd(b,c)         BIO_ctrl(b,BIO_C_GET_FD,0,(char *)c)
 
+/* BIO_s_file() */
 # define BIO_set_fp(b,fp,c)      BIO_ctrl(b,BIO_C_SET_FILE_PTR,c,(char *)fp)
 # define BIO_get_fp(b,fpp)       BIO_ctrl(b,BIO_C_GET_FILE_PTR,0,(char *)fpp)
 
+/* BIO_s_fd() and BIO_s_file() */
 # define BIO_seek(b,ofs) (int)BIO_ctrl(b,BIO_C_FILE_SEEK,ofs,NULL)
 # define BIO_tell(b)     (int)BIO_ctrl(b,BIO_C_FILE_TELL,0,NULL)
 
@@ -555,11 +559,11 @@ int BIO_read_filename(BIO *b, const char *name);
 # define BIO_get_ssl(b,sslp)     BIO_ctrl(b,BIO_C_GET_SSL,0,(char *)sslp)
 # define BIO_set_ssl_mode(b,client)      BIO_ctrl(b,BIO_C_SSL_MODE,client,NULL)
 # define BIO_set_ssl_renegotiate_bytes(b,num) \
-        BIO_ctrl(b,BIO_C_SET_SSL_RENEGOTIATE_BYTES,num,NULL);
+        BIO_ctrl(b,BIO_C_SET_SSL_RENEGOTIATE_BYTES,num,NULL)
 # define BIO_get_num_renegotiates(b) \
-        BIO_ctrl(b,BIO_C_GET_SSL_NUM_RENEGOTIATES,0,NULL);
+        BIO_ctrl(b,BIO_C_GET_SSL_NUM_RENEGOTIATES,0,NULL)
 # define BIO_set_ssl_renegotiate_timeout(b,seconds) \
-        BIO_ctrl(b,BIO_C_SET_SSL_RENEGOTIATE_TIMEOUT,seconds,NULL);
+        BIO_ctrl(b,BIO_C_SET_SSL_RENEGOTIATE_TIMEOUT,seconds,NULL)
 
 /* defined in evp.h */
 /* #define BIO_set_md(b,md)     BIO_ctrl(b,BIO_C_SET_MD,1,(char *)md) */
@@ -685,7 +689,7 @@ long BIO_debug_callback(BIO *bio, int cmd, const char *argp, int argi,
                         long argl, long ret);
 
 BIO_METHOD *BIO_s_mem(void);
-BIO *BIO_new_mem_buf(void *buf, int len);
+BIO *BIO_new_mem_buf(const void *buf, int len);
 BIO_METHOD *BIO_s_socket(void);
 BIO_METHOD *BIO_s_connect(void);
 BIO_METHOD *BIO_s_accept(void);

+ 19 - 2
src/Mayaqua/win32_inc/openssl/bn.h

@@ -125,6 +125,7 @@
 #ifndef HEADER_BN_H
 # define HEADER_BN_H
 
+# include <limits.h>
 # include <openssl/e_os2.h>
 # ifndef OPENSSL_NO_FP_API
 #  include <stdio.h>            /* FILE */
@@ -721,8 +722,17 @@ const BIGNUM *BN_get0_nist_prime_521(void);
 
 /* library internal functions */
 
-# define bn_expand(a,bits) ((((((bits+BN_BITS2-1))/BN_BITS2)) <= (a)->dmax)?\
-        (a):bn_expand2((a),(bits+BN_BITS2-1)/BN_BITS2))
+# define bn_expand(a,bits) \
+    ( \
+        bits > (INT_MAX - BN_BITS2 + 1) ? \
+            NULL \
+        : \
+            (((bits+BN_BITS2-1)/BN_BITS2) <= (a)->dmax) ? \
+                (a) \
+            : \
+                bn_expand2((a),(bits+BN_BITS2-1)/BN_BITS2) \
+    )
+
 # define bn_wexpand(a,words) (((words) <= (a)->dmax)?(a):bn_expand2((a),(words)))
 BIGNUM *bn_expand2(BIGNUM *a, int words);
 # ifndef OPENSSL_NO_DEPRECATED
@@ -779,6 +789,7 @@ int RAND_pseudo_bytes(unsigned char *buf, int num);
                          * wouldn't be constructed with top!=dmax. */ \
                         BN_ULONG *_not_const; \
                         memcpy(&_not_const, &_bnum1->d, sizeof(BN_ULONG*)); \
+                        /* Debug only - safe to ignore error return */ \
                         RAND_pseudo_bytes(&_tmp_char, 1); \
                         memset((unsigned char *)(_not_const + _bnum1->top), _tmp_char, \
                                 (_bnum1->dmax - _bnum1->top) * sizeof(BN_ULONG)); \
@@ -831,6 +842,8 @@ int RAND_pseudo_bytes(unsigned char *buf, int num);
                         if (*(ftl--)) break; \
                 (a)->top = tmp_top; \
                 } \
+        if ((a)->top == 0) \
+            (a)->neg = 0; \
         bn_pollute(a); \
         }
 
@@ -892,6 +905,7 @@ void ERR_load_BN_strings(void);
 # define BN_F_BN_GF2M_MOD_SOLVE_QUAD_ARR                  135
 # define BN_F_BN_GF2M_MOD_SQR                             136
 # define BN_F_BN_GF2M_MOD_SQRT                            137
+# define BN_F_BN_LSHIFT                                   145
 # define BN_F_BN_MOD_EXP2_MONT                            118
 # define BN_F_BN_MOD_EXP_MONT                             109
 # define BN_F_BN_MOD_EXP_MONT_CONSTTIME                   124
@@ -907,12 +921,14 @@ void ERR_load_BN_strings(void);
 # define BN_F_BN_NEW                                      113
 # define BN_F_BN_RAND                                     114
 # define BN_F_BN_RAND_RANGE                               122
+# define BN_F_BN_RSHIFT                                   146
 # define BN_F_BN_USUB                                     115
 
 /* Reason codes. */
 # define BN_R_ARG2_LT_ARG3                                100
 # define BN_R_BAD_RECIPROCAL                              101
 # define BN_R_BIGNUM_TOO_LONG                             114
+# define BN_R_BITS_TOO_SMALL                              118
 # define BN_R_CALLED_WITH_EVEN_MODULUS                    102
 # define BN_R_DIV_BY_ZERO                                 103
 # define BN_R_ENCODING_ERROR                              104
@@ -920,6 +936,7 @@ void ERR_load_BN_strings(void);
 # define BN_R_INPUT_NOT_REDUCED                           110
 # define BN_R_INVALID_LENGTH                              106
 # define BN_R_INVALID_RANGE                               115
+# define BN_R_INVALID_SHIFT                               119
 # define BN_R_NOT_A_SQUARE                                111
 # define BN_R_NOT_INITIALIZED                             107
 # define BN_R_NO_INVERSE                                  108

+ 6 - 0
src/Mayaqua/win32_inc/openssl/buffer.h

@@ -86,7 +86,13 @@ int BUF_MEM_grow(BUF_MEM *str, size_t len);
 int BUF_MEM_grow_clean(BUF_MEM *str, size_t len);
 size_t BUF_strnlen(const char *str, size_t maxlen);
 char *BUF_strdup(const char *str);
+
+/*
+ * Like strndup, but in addition, explicitly guarantees to never read past the
+ * first |siz| bytes of |str|.
+ */
 char *BUF_strndup(const char *str, size_t siz);
+
 void *BUF_memdup(const void *data, size_t siz);
 void BUF_reverse(unsigned char *out, const unsigned char *in, size_t siz);
 

+ 1 - 1
src/Mayaqua/win32_inc/openssl/camellia.h

@@ -1,4 +1,4 @@
-/* crypto/camellia/camellia.h -*- mode:C; c-file-style: "eay" -*- */
+/* crypto/camellia/camellia.h */
 /* ====================================================================
  * Copyright (c) 2006 The OpenSSL Project.  All rights reserved.
  *

+ 6 - 2
src/Mayaqua/win32_inc/openssl/comp.h

@@ -4,13 +4,17 @@
 
 # include <openssl/crypto.h>
 
+# ifdef OPENSSL_NO_COMP
+#  error COMP is disabled.
+# endif
+
 #ifdef  __cplusplus
 extern "C" {
 #endif
 
 typedef struct comp_ctx_st COMP_CTX;
 
-typedef struct comp_method_st {
+struct comp_method_st {
     int type;                   /* NID for compression library */
     const char *name;           /* A text string to identify the library */
     int (*init) (COMP_CTX *ctx);
@@ -26,7 +30,7 @@ typedef struct comp_method_st {
      */
     long (*ctrl) (void);
     long (*callback_ctrl) (void);
-} COMP_METHOD;
+};
 
 struct comp_ctx_st {
     COMP_METHOD *meth;

+ 1 - 1
src/Mayaqua/win32_inc/openssl/crypto.h

@@ -628,7 +628,7 @@ void OPENSSL_init(void);
  * into a defined order as the return value when a != b is undefined, other
  * than to be non-zero.
  */
-int CRYPTO_memcmp(const void *a, const void *b, size_t len);
+int CRYPTO_memcmp(const volatile void *a, const volatile void *b, size_t len);
 
 /* BEGIN ERROR CODES */
 /*

+ 1 - 1
src/Mayaqua/win32_inc/openssl/des_old.h

@@ -1,4 +1,4 @@
-/* crypto/des/des_old.h -*- mode:C; c-file-style: "eay" -*- */
+/* crypto/des/des_old.h */
 
 /*-
  * WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING

+ 2 - 1
src/Mayaqua/win32_inc/openssl/dh.h

@@ -142,7 +142,7 @@ struct dh_st {
     BIGNUM *p;
     BIGNUM *g;
     long length;                /* optional */
-    BIGNUM *pub_key;            /* g^x */
+    BIGNUM *pub_key;            /* g^x % p */
     BIGNUM *priv_key;           /* x */
     int flags;
     BN_MONT_CTX *method_mont_p;
@@ -174,6 +174,7 @@ struct dh_st {
 /* DH_check_pub_key error codes */
 # define DH_CHECK_PUBKEY_TOO_SMALL       0x01
 # define DH_CHECK_PUBKEY_TOO_LARGE       0x02
+# define DH_CHECK_PUBKEY_INVALID         0x04
 
 /*
  * primes p where (p-1)/2 is prime too are called "safe"; we define this for

+ 1 - 1
src/Mayaqua/win32_inc/openssl/dso.h

@@ -1,4 +1,4 @@
-/* dso.h -*- mode:C; c-file-style: "eay" -*- */
+/* dso.h */
 /*
  * Written by Geoff Thorpe ([email protected]) for the OpenSSL project
  * 2000.

+ 7 - 2
src/Mayaqua/win32_inc/openssl/e_os2.h

@@ -109,6 +109,12 @@ extern "C" {
 #    undef OPENSSL_SYS_UNIX
 #    define OPENSSL_SYS_WIN32
 #   endif
+#   if defined(_WIN64) || defined(OPENSSL_SYSNAME_WIN64)
+#    undef OPENSSL_SYS_UNIX
+#    if !defined(OPENSSL_SYS_WIN64)
+#     define OPENSSL_SYS_WIN64
+#    endif
+#   endif
 #   if defined(OPENSSL_SYSNAME_WINNT)
 #    undef OPENSSL_SYS_UNIX
 #    define OPENSSL_SYS_WINNT
@@ -121,7 +127,7 @@ extern "C" {
 # endif
 
 /* Anything that tries to look like Microsoft is "Windows" */
-# if defined(OPENSSL_SYS_WIN32) || defined(OPENSSL_SYS_WINNT) || defined(OPENSSL_SYS_WINCE)
+# if defined(OPENSSL_SYS_WIN32) || defined(OPENSSL_SYS_WIN64) || defined(OPENSSL_SYS_WINNT) || defined(OPENSSL_SYS_WINCE)
 #  undef OPENSSL_SYS_UNIX
 #  define OPENSSL_SYS_WINDOWS
 #  ifndef OPENSSL_SYS_MSDOS
@@ -325,4 +331,3 @@ extern "C" {
 #undef	OPENSSL_SYS_WIN32
 #undef	OPENSSL_SYS_WINDOWS
 #endif	// _MSC_VER
-

+ 7 - 6
src/Mayaqua/win32_inc/openssl/ec.h

@@ -106,7 +106,7 @@ typedef enum {
         /** the point is encoded as z||x, where the octet z specifies
          *  which solution of the quadratic equation y is  */
     POINT_CONVERSION_COMPRESSED = 2,
-        /** the point is encoded as z||x||y, where z is the octet 0x02  */
+        /** the point is encoded as z||x||y, where z is the octet 0x04  */
     POINT_CONVERSION_UNCOMPRESSED = 4,
         /** the point is encoded as z||x||y, where the octet z specifies
          *  which solution of the quadratic equation y is  */
@@ -1097,6 +1097,12 @@ void ERR_load_EC_strings(void);
 # define EC_F_ECPARAMETERS_PRINT_FP                       148
 # define EC_F_ECPKPARAMETERS_PRINT                        149
 # define EC_F_ECPKPARAMETERS_PRINT_FP                     150
+# define EC_F_ECP_NISTZ256_GET_AFFINE                     240
+# define EC_F_ECP_NISTZ256_MULT_PRECOMPUTE                243
+# define EC_F_ECP_NISTZ256_POINTS_MUL                     241
+# define EC_F_ECP_NISTZ256_PRE_COMP_NEW                   244
+# define EC_F_ECP_NISTZ256_SET_WORDS                      245
+# define EC_F_ECP_NISTZ256_WINDOWED_MUL                   242
 # define EC_F_ECP_NIST_MOD_192                            203
 # define EC_F_ECP_NIST_MOD_224                            204
 # define EC_F_ECP_NIST_MOD_256                            205
@@ -1208,11 +1214,6 @@ void ERR_load_EC_strings(void);
 # define EC_F_NISTP224_PRE_COMP_NEW                       227
 # define EC_F_NISTP256_PRE_COMP_NEW                       236
 # define EC_F_NISTP521_PRE_COMP_NEW                       237
-# define EC_F_ECP_NISTZ256_GET_AFFINE                     240
-# define EC_F_ECP_NISTZ256_POINTS_MUL                     241
-# define EC_F_ECP_NISTZ256_WINDOWED_MUL                   242
-# define EC_F_ECP_NISTZ256_MULT_PRECOMPUTE                243
-# define EC_F_ECP_NISTZ256_PRE_COMP_NEW                   244
 # define EC_F_O2I_ECPUBLICKEY                             152
 # define EC_F_OLD_EC_PRIV_DECODE                          222
 # define EC_F_PKEY_EC_CTRL                                197

+ 1 - 1
src/Mayaqua/win32_inc/openssl/ecdsa.h

@@ -233,7 +233,7 @@ void *ECDSA_get_ex_data(EC_KEY *d, int idx);
  *  \return pointer to a ECDSA_METHOD structure or NULL if an error occurred
  */
 
-ECDSA_METHOD *ECDSA_METHOD_new(ECDSA_METHOD *ecdsa_method);
+ECDSA_METHOD *ECDSA_METHOD_new(const ECDSA_METHOD *ecdsa_method);
 
 /** frees a ECDSA_METHOD structure
  *  \param  ecdsa_method  pointer to the ECDSA_METHOD structure

+ 16 - 1
src/Mayaqua/win32_inc/openssl/evp.h

@@ -103,7 +103,6 @@
 # define EVP_PKS_RSA     0x0100
 # define EVP_PKS_DSA     0x0200
 # define EVP_PKS_EC      0x0400
-# define EVP_PKT_EXP     0x1000 /* <= 512 bit key */
 
 # define EVP_PKEY_NONE   NID_undef
 # define EVP_PKEY_RSA    NID_rsaEncryption
@@ -424,6 +423,9 @@ struct evp_cipher_st {
 # define         EVP_CTRL_TLS1_1_MULTIBLOCK_DECRYPT      0x1b
 # define         EVP_CTRL_TLS1_1_MULTIBLOCK_MAX_BUFSIZE  0x1c
 
+/* RFC 5246 defines additional data to be 13 bytes in length */
+# define         EVP_AEAD_TLS1_AAD_LEN           13
+
 typedef struct {
     unsigned char *out;
     const unsigned char *inp;
@@ -1121,6 +1123,19 @@ void EVP_PKEY_asn1_set_free(EVP_PKEY_ASN1_METHOD *ameth,
 void EVP_PKEY_asn1_set_ctrl(EVP_PKEY_ASN1_METHOD *ameth,
                             int (*pkey_ctrl) (EVP_PKEY *pkey, int op,
                                               long arg1, void *arg2));
+void EVP_PKEY_asn1_set_item(EVP_PKEY_ASN1_METHOD *ameth,
+                            int (*item_verify) (EVP_MD_CTX *ctx,
+                                                const ASN1_ITEM *it,
+                                                void *asn,
+                                                X509_ALGOR *a,
+                                                ASN1_BIT_STRING *sig,
+                                                EVP_PKEY *pkey),
+                            int (*item_sign) (EVP_MD_CTX *ctx,
+                                              const ASN1_ITEM *it,
+                                              void *asn,
+                                              X509_ALGOR *alg1,
+                                              X509_ALGOR *alg2,
+                                              ASN1_BIT_STRING *sig));
 
 # define EVP_PKEY_OP_UNDEFINED           0
 # define EVP_PKEY_OP_PARAMGEN            (1<<1)

+ 1 - 1
src/Mayaqua/win32_inc/openssl/kssl.h

@@ -1,4 +1,4 @@
-/* ssl/kssl.h -*- mode: C; c-file-style: "eay" -*- */
+/* ssl/kssl.h */
 /*
  * Written by Vern Staats <[email protected]> for the OpenSSL project
  * 2000. project 2000.

+ 14 - 2
src/Mayaqua/win32_inc/openssl/opensslconf.h

@@ -41,12 +41,18 @@ extern "C" {
 #ifndef OPENSSL_NO_SSL_TRACE
 # define OPENSSL_NO_SSL_TRACE
 #endif
+#ifndef OPENSSL_NO_SSL2
+# define OPENSSL_NO_SSL2
+#endif
 #ifndef OPENSSL_NO_STORE
 # define OPENSSL_NO_STORE
 #endif
 #ifndef OPENSSL_NO_UNIT_TEST
 # define OPENSSL_NO_UNIT_TEST
 #endif
+#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
+# define OPENSSL_NO_WEAK_SSL_CIPHERS
+#endif
 
 #endif /* OPENSSL_DOING_MAKEDEPEND */
 
@@ -89,12 +95,18 @@ extern "C" {
 # if defined(OPENSSL_NO_SSL_TRACE) && !defined(NO_SSL_TRACE)
 #  define NO_SSL_TRACE
 # endif
+# if defined(OPENSSL_NO_SSL2) && !defined(NO_SSL2)
+#  define NO_SSL2
+# endif
 # if defined(OPENSSL_NO_STORE) && !defined(NO_STORE)
 #  define NO_STORE
 # endif
 # if defined(OPENSSL_NO_UNIT_TEST) && !defined(NO_UNIT_TEST)
 #  define NO_UNIT_TEST
 # endif
+# if defined(OPENSSL_NO_WEAK_SSL_CIPHERS) && !defined(NO_WEAK_SSL_CIPHERS)
+#  define NO_WEAK_SSL_CIPHERS
+# endif
 #endif
 
 #define OPENSSL_CPUID_OBJ
@@ -203,7 +215,7 @@ extern "C" {
 #endif
 
 #if defined(DES_RISC1) && defined(DES_RISC2)
-YOU SHOULD NOT HAVE BOTH DES_RISC1 AND DES_RISC2 DEFINED!!!!!
+#error YOU SHOULD NOT HAVE BOTH DES_RISC1 AND DES_RISC2 DEFINED!!!!!
 #endif
 
 /* Unroll the inner loop, this sometimes helps, sometimes hinders.
@@ -222,7 +234,7 @@ YOU SHOULD NOT HAVE BOTH DES_RISC1 AND DES_RISC2 DEFINED!!!!!
    optimization options.  Older Sparc's work better with only UNROLL, but
    there's no way to tell at compile time what it is you're running on */
  
-#if defined( sun )		/* Newer Sparc's */
+#if defined( __sun ) || defined ( sun )		/* Newer Sparc's */
 #  define DES_PTR
 #  define DES_RISC1
 #  define DES_UNROLL

+ 3 - 3
src/Mayaqua/win32_inc/openssl/opensslv.h

@@ -30,11 +30,11 @@ extern "C" {
  * (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for
  *  major minor fix final patch/beta)
  */
-# define OPENSSL_VERSION_NUMBER  0x1000201fL
+# define OPENSSL_VERSION_NUMBER  0x100020afL
 # ifdef OPENSSL_FIPS
-#  define OPENSSL_VERSION_TEXT    "OpenSSL 1.0.2a-fips 19 Mar 2015"
+#  define OPENSSL_VERSION_TEXT    "OpenSSL 1.0.2j-fips  26 Sep 2016"
 # else
-#  define OPENSSL_VERSION_TEXT    "OpenSSL 1.0.2a 19 Mar 2015"
+#  define OPENSSL_VERSION_TEXT    "OpenSSL 1.0.2j  26 Sep 2016"
 # endif
 # define OPENSSL_VERSION_PTEXT   " part of " OPENSSL_VERSION_TEXT
 

+ 2 - 0
src/Mayaqua/win32_inc/openssl/ossl_typ.h

@@ -178,6 +178,8 @@ typedef struct engine_st ENGINE;
 typedef struct ssl_st SSL;
 typedef struct ssl_ctx_st SSL_CTX;
 
+typedef struct comp_method_st COMP_METHOD;
+
 typedef struct X509_POLICY_NODE_st X509_POLICY_NODE;
 typedef struct X509_POLICY_LEVEL_st X509_POLICY_LEVEL;
 typedef struct X509_POLICY_TREE_st X509_POLICY_TREE;

+ 4 - 2
src/Mayaqua/win32_inc/openssl/pem.h

@@ -531,6 +531,7 @@ int i2b_PVK_bio(BIO *out, EVP_PKEY *pk, int enclevel,
  * The following lines are auto generated by the script mkerr.pl. Any changes
  * made after this point may be overwritten when the script is next run.
  */
+
 void ERR_load_PEM_strings(void);
 
 /* Error codes for the PEM functions. */
@@ -592,6 +593,7 @@ void ERR_load_PEM_strings(void);
 # define PEM_R_ERROR_CONVERTING_PRIVATE_KEY               115
 # define PEM_R_EXPECTING_PRIVATE_KEY_BLOB                 119
 # define PEM_R_EXPECTING_PUBLIC_KEY_BLOB                  120
+# define PEM_R_HEADER_TOO_LONG                            128
 # define PEM_R_INCONSISTENT_HEADER                        121
 # define PEM_R_KEYBLOB_HEADER_PARSE_ERROR                 122
 # define PEM_R_KEYBLOB_TOO_SHORT                          123
@@ -609,7 +611,7 @@ void ERR_load_PEM_strings(void);
 # define PEM_R_UNSUPPORTED_ENCRYPTION                     114
 # define PEM_R_UNSUPPORTED_KEY_COMPONENTS                 126
 
-#ifdef  __cplusplus
+# ifdef  __cplusplus
 }
-#endif
+# endif
 #endif

+ 1 - 1
src/Mayaqua/win32_inc/openssl/pkcs12.h

@@ -270,7 +270,7 @@ int i2d_PKCS12_bio(BIO *bp, PKCS12 *p12);
 int i2d_PKCS12_fp(FILE *fp, PKCS12 *p12);
 PKCS12 *d2i_PKCS12_bio(BIO *bp, PKCS12 **p12);
 PKCS12 *d2i_PKCS12_fp(FILE *fp, PKCS12 **p12);
-int PKCS12_newpass(PKCS12 *p12, char *oldpass, char *newpass);
+int PKCS12_newpass(PKCS12 *p12, const char *oldpass, const char *newpass);
 
 /* BEGIN ERROR CODES */
 /*

+ 10 - 0
src/Mayaqua/win32_inc/openssl/srp.h

@@ -82,16 +82,21 @@ typedef struct SRP_gN_cache_st {
 DECLARE_STACK_OF(SRP_gN_cache)
 
 typedef struct SRP_user_pwd_st {
+    /* Owned by us. */
     char *id;
     BIGNUM *s;
     BIGNUM *v;
+    /* Not owned by us. */
     const BIGNUM *g;
     const BIGNUM *N;
+    /* Owned by us. */
     char *info;
 } SRP_user_pwd;
 
 DECLARE_STACK_OF(SRP_user_pwd)
 
+void SRP_user_pwd_free(SRP_user_pwd *user_pwd);
+
 typedef struct SRP_VBASE_st {
     STACK_OF(SRP_user_pwd) *users_pwd;
     STACK_OF(SRP_gN_cache) *gN_cache;
@@ -115,7 +120,12 @@ DECLARE_STACK_OF(SRP_gN)
 SRP_VBASE *SRP_VBASE_new(char *seed_key);
 int SRP_VBASE_free(SRP_VBASE *vb);
 int SRP_VBASE_init(SRP_VBASE *vb, char *verifier_file);
+
+/* This method ignores the configured seed and fails for an unknown user. */
 SRP_user_pwd *SRP_VBASE_get_by_user(SRP_VBASE *vb, char *username);
+/* NOTE: unlike in SRP_VBASE_get_by_user, caller owns the returned pointer.*/
+SRP_user_pwd *SRP_VBASE_get1_by_user(SRP_VBASE *vb, char *username);
+
 char *SRP_create_verifier(const char *user, const char *pass, char **salt,
                           char **verifier, const char *N, const char *g);
 int SRP_create_verifier_BN(const char *user, const char *pass, BIGNUM **salt,

+ 16 - 12
src/Mayaqua/win32_inc/openssl/ssl.h

@@ -338,7 +338,7 @@ extern "C" {
  * The following cipher list is used by default. It also is substituted when
  * an application-defined cipher list string starts with 'DEFAULT'.
  */
-# define SSL_DEFAULT_CIPHER_LIST "ALL:!EXPORT:!aNULL:!eNULL:!SSLv2"
+# define SSL_DEFAULT_CIPHER_LIST "ALL:!EXPORT:!LOW:!aNULL:!eNULL:!SSLv2"
 /*
  * As of OpenSSL 1.0.0, ssl_create_cipher_list() in ssl/ssl_ciph.c always
  * starts with a reasonable order, and all we have to do for DEFAULT is
@@ -625,7 +625,7 @@ struct ssl_session_st {
 # define SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION        0x00040000L
 /* If set, always create a new key when using tmp_ecdh parameters */
 # define SSL_OP_SINGLE_ECDH_USE                          0x00080000L
-/* If set, always create a new key when using tmp_dh parameters */
+/* Does nothing: retained for compatibility */
 # define SSL_OP_SINGLE_DH_USE                            0x00100000L
 /* Does nothing: retained for compatibiity */
 # define SSL_OP_EPHEMERAL_RSA                            0x0
@@ -1727,6 +1727,7 @@ extern "C" {
 # define SSL_ST_BEFORE                   0x4000
 # define SSL_ST_OK                       0x03
 # define SSL_ST_RENEGOTIATE              (0x04|SSL_ST_INIT)
+# define SSL_ST_ERR                      0x05
 
 # define SSL_CB_LOOP                     0x01
 # define SSL_CB_EXIT                     0x02
@@ -2091,7 +2092,7 @@ DECLARE_PEM_rw(SSL_SESSION, SSL_SESSION)
 # define SSL_CTX_set1_sigalgs_list(ctx, s) \
         SSL_CTX_ctrl(ctx,SSL_CTRL_SET_SIGALGS_LIST,0,(char *)s)
 # define SSL_set1_sigalgs(ctx, slist, slistlen) \
-        SSL_ctrl(ctx,SSL_CTRL_SET_SIGALGS,clistlen,(int *)slist)
+        SSL_ctrl(ctx,SSL_CTRL_SET_SIGALGS,slistlen,(int *)slist)
 # define SSL_set1_sigalgs_list(ctx, s) \
         SSL_ctrl(ctx,SSL_CTRL_SET_SIGALGS_LIST,0,(char *)s)
 # define SSL_CTX_set1_client_sigalgs(ctx, slist, slistlen) \
@@ -2344,7 +2345,7 @@ const char *SSL_get_version(const SSL *s);
 /* This sets the 'default' SSL version that SSL_new() will create */
 int SSL_CTX_set_ssl_version(SSL_CTX *ctx, const SSL_METHOD *meth);
 
-# ifndef OPENSSL_NO_SSL2
+# ifndef OPENSSL_NO_SSL2_METHOD
 const SSL_METHOD *SSLv2_method(void); /* SSLv2 */
 const SSL_METHOD *SSLv2_server_method(void); /* SSLv2 */
 const SSL_METHOD *SSLv2_client_method(void); /* SSLv2 */
@@ -2531,7 +2532,6 @@ void SSL_set_tmp_ecdh_callback(SSL *ssl,
                                                 int keylength));
 # endif
 
-# ifndef OPENSSL_NO_COMP
 const COMP_METHOD *SSL_get_current_compression(SSL *s);
 const COMP_METHOD *SSL_get_current_expansion(SSL *s);
 const char *SSL_COMP_get_name(const COMP_METHOD *comp);
@@ -2540,13 +2540,6 @@ STACK_OF(SSL_COMP) *SSL_COMP_set0_compression_methods(STACK_OF(SSL_COMP)
                                                       *meths);
 void SSL_COMP_free_compression_methods(void);
 int SSL_COMP_add_compression_method(int id, COMP_METHOD *cm);
-# else
-const void *SSL_get_current_compression(SSL *s);
-const void *SSL_get_current_expansion(SSL *s);
-const char *SSL_COMP_get_name(const void *comp);
-void *SSL_COMP_get_compression_methods(void);
-int SSL_COMP_add_compression_method(int id, void *cm);
-# endif
 
 const SSL_CIPHER *SSL_CIPHER_find(SSL *ssl, const unsigned char *ptr);
 
@@ -2622,6 +2615,7 @@ void ERR_load_SSL_strings(void);
 # define SSL_F_DTLS1_HEARTBEAT                            305
 # define SSL_F_DTLS1_OUTPUT_CERT_CHAIN                    255
 # define SSL_F_DTLS1_PREPROCESS_FRAGMENT                  288
+# define SSL_F_DTLS1_PROCESS_BUFFERED_RECORDS             424
 # define SSL_F_DTLS1_PROCESS_OUT_OF_SEQ_MESSAGE           256
 # define SSL_F_DTLS1_PROCESS_RECORD                       257
 # define SSL_F_DTLS1_READ_BYTES                           258
@@ -2640,6 +2634,7 @@ void ERR_load_SSL_strings(void);
 # define SSL_F_GET_CLIENT_MASTER_KEY                      107
 # define SSL_F_GET_SERVER_FINISHED                        108
 # define SSL_F_GET_SERVER_HELLO                           109
+# define SSL_F_GET_SERVER_STATIC_DH_KEY                   340
 # define SSL_F_GET_SERVER_VERIFY                          110
 # define SSL_F_I2D_SSL_SESSION                            111
 # define SSL_F_READ_N                                     112
@@ -2670,6 +2665,7 @@ void ERR_load_SSL_strings(void);
 # define SSL_F_SSL3_CHANGE_CIPHER_STATE                   129
 # define SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM              130
 # define SSL_F_SSL3_CHECK_CLIENT_HELLO                    304
+# define SSL_F_SSL3_CHECK_FINISHED                        339
 # define SSL_F_SSL3_CLIENT_HELLO                          131
 # define SSL_F_SSL3_CONNECT                               132
 # define SSL_F_SSL3_CTRL                                  213
@@ -2678,6 +2674,7 @@ void ERR_load_SSL_strings(void);
 # define SSL_F_SSL3_DO_CHANGE_CIPHER_SPEC                 292
 # define SSL_F_SSL3_ENC                                   134
 # define SSL_F_SSL3_GENERATE_KEY_BLOCK                    238
+# define SSL_F_SSL3_GENERATE_MASTER_SECRET                388
 # define SSL_F_SSL3_GET_CERTIFICATE_REQUEST               135
 # define SSL_F_SSL3_GET_CERT_STATUS                       289
 # define SSL_F_SSL3_GET_CERT_VERIFY                       136
@@ -2784,6 +2781,7 @@ void ERR_load_SSL_strings(void);
 # define SSL_F_SSL_RSA_PUBLIC_ENCRYPT                     188
 # define SSL_F_SSL_SCAN_CLIENTHELLO_TLSEXT                320
 # define SSL_F_SSL_SCAN_SERVERHELLO_TLSEXT                321
+# define SSL_F_SSL_SESSION_DUP                            348
 # define SSL_F_SSL_SESSION_NEW                            189
 # define SSL_F_SSL_SESSION_PRINT_FP                       190
 # define SSL_F_SSL_SESSION_SET1_ID_CONTEXT                312
@@ -2842,8 +2840,11 @@ void ERR_load_SSL_strings(void);
 # define SSL_R_BAD_DATA_RETURNED_BY_CALLBACK              106
 # define SSL_R_BAD_DECOMPRESSION                          107
 # define SSL_R_BAD_DH_G_LENGTH                            108
+# define SSL_R_BAD_DH_G_VALUE                             375
 # define SSL_R_BAD_DH_PUB_KEY_LENGTH                      109
+# define SSL_R_BAD_DH_PUB_KEY_VALUE                       393
 # define SSL_R_BAD_DH_P_LENGTH                            110
+# define SSL_R_BAD_DH_P_VALUE                             395
 # define SSL_R_BAD_DIGEST_LENGTH                          111
 # define SSL_R_BAD_DSA_SIGNATURE                          112
 # define SSL_R_BAD_ECC_CERT                               304
@@ -2904,6 +2905,7 @@ void ERR_load_SSL_strings(void);
 # define SSL_R_DATA_LENGTH_TOO_LONG                       146
 # define SSL_R_DECRYPTION_FAILED                          147
 # define SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC        281
+# define SSL_R_DH_KEY_TOO_SMALL                           372
 # define SSL_R_DH_PUBLIC_VALUE_LENGTH_IS_WRONG            148
 # define SSL_R_DIGEST_CHECK_FAILED                        149
 # define SSL_R_DTLS_MESSAGE_TOO_BIG                       334
@@ -3047,6 +3049,7 @@ void ERR_load_SSL_strings(void);
 # define SSL_R_SERVERHELLO_TLSEXT                         275
 # define SSL_R_SESSION_ID_CONTEXT_UNINITIALIZED           277
 # define SSL_R_SHORT_READ                                 219
+# define SSL_R_SHUTDOWN_WHILE_IN_INIT                     407
 # define SSL_R_SIGNATURE_ALGORITHMS_ERROR                 360
 # define SSL_R_SIGNATURE_FOR_NON_SIGNING_CERTIFICATE      220
 # define SSL_R_SRP_A_CALC                                 361
@@ -3104,6 +3107,7 @@ void ERR_load_SSL_strings(void);
 # define SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST             157
 # define SSL_R_TLS_PEER_DID_NOT_RESPOND_WITH_CERTIFICATE_LIST 233
 # define SSL_R_TLS_RSA_ENCRYPTED_VALUE_LENGTH_IS_WRONG    234
+# define SSL_R_TOO_MANY_WARN_ALERTS                       409
 # define SSL_R_TRIED_TO_USE_UNSUPPORTED_CIPHER            235
 # define SSL_R_UNABLE_TO_DECODE_DH_CERTS                  236
 # define SSL_R_UNABLE_TO_DECODE_ECDH_CERTS                313

+ 7 - 10
src/Mayaqua/win32_inc/openssl/tls1.h

@@ -231,13 +231,12 @@ extern "C" {
 /* ExtensionType value from RFC5620 */
 # define TLSEXT_TYPE_heartbeat   15
 
-/* ExtensionType value from draft-ietf-tls-applayerprotoneg-00 */
+/* ExtensionType value from RFC7301 */
 # define TLSEXT_TYPE_application_layer_protocol_negotiation 16
 
 /*
  * ExtensionType value for TLS padding extension.
- * http://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml
- * http://tools.ietf.org/html/draft-agl-tls-padding-03
+ * http://tools.ietf.org/html/draft-agl-tls-padding
  */
 # define TLSEXT_TYPE_padding     21
 
@@ -262,20 +261,19 @@ extern "C" {
 #  define TLSEXT_TYPE_next_proto_neg              13172
 # endif
 
-/* NameType value from RFC 3546 */
+/* NameType value from RFC3546 */
 # define TLSEXT_NAMETYPE_host_name 0
-/* status request value from RFC 3546 */
+/* status request value from RFC3546 */
 # define TLSEXT_STATUSTYPE_ocsp 1
 
-/* ECPointFormat values from draft-ietf-tls-ecc-12 */
+/* ECPointFormat values from RFC4492 */
 # define TLSEXT_ECPOINTFORMAT_first                      0
 # define TLSEXT_ECPOINTFORMAT_uncompressed               0
 # define TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime  1
 # define TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2  2
 # define TLSEXT_ECPOINTFORMAT_last                       2
 
-/* Signature and hash algorithms from RFC 5246 */
-
+/* Signature and hash algorithms from RFC5246 */
 # define TLSEXT_signature_anonymous                      0
 # define TLSEXT_signature_rsa                            1
 # define TLSEXT_signature_dsa                            2
@@ -430,7 +428,6 @@ SSL_CTX_callback_ctrl(ssl,SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB,(void (*)(void))cb)
 # define TLS1_CK_DHE_DSS_WITH_RC4_128_SHA                0x03000066
 
 /* AES ciphersuites from RFC3268 */
-
 # define TLS1_CK_RSA_WITH_AES_128_SHA                    0x0300002F
 # define TLS1_CK_DH_DSS_WITH_AES_128_SHA                 0x03000030
 # define TLS1_CK_DH_RSA_WITH_AES_128_SHA                 0x03000031
@@ -595,7 +592,7 @@ SSL_CTX_callback_ctrl(ssl,SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB,(void (*)(void))cb)
 # define TLS1_TXT_DHE_RSA_WITH_AES_256_SHA               "DHE-RSA-AES256-SHA"
 # define TLS1_TXT_ADH_WITH_AES_256_SHA                   "ADH-AES256-SHA"
 
-/* ECC ciphersuites from draft-ietf-tls-ecc-01.txt (Mar 15, 2001) */
+/* ECC ciphersuites from RFC4492 */
 # define TLS1_TXT_ECDH_ECDSA_WITH_NULL_SHA               "ECDH-ECDSA-NULL-SHA"
 # define TLS1_TXT_ECDH_ECDSA_WITH_RC4_128_SHA            "ECDH-ECDSA-RC4-SHA"
 # define TLS1_TXT_ECDH_ECDSA_WITH_DES_192_CBC3_SHA       "ECDH-ECDSA-DES-CBC3-SHA"

+ 3 - 0
src/Mayaqua/win32_inc/openssl/ts.h

@@ -565,6 +565,9 @@ int TS_RESP_CTX_set_clock_precision_digits(TS_RESP_CTX *ctx,
 /* At most we accept usec precision. */
 # define TS_MAX_CLOCK_PRECISION_DIGITS   6
 
+/* Maximum status message length */
+# define TS_MAX_STATUS_LENGTH   (1024 * 1024)
+
 /* No flags are set by default. */
 void TS_RESP_CTX_add_flags(TS_RESP_CTX *ctx, int flags);
 

+ 1 - 1
src/Mayaqua/win32_inc/openssl/ui.h

@@ -1,4 +1,4 @@
-/* crypto/ui/ui.h -*- mode:C; c-file-style: "eay" -*- */
+/* crypto/ui/ui.h */
 /*
  * Written by Richard Levitte ([email protected]) for the OpenSSL project
  * 2001.

+ 1 - 1
src/Mayaqua/win32_inc/openssl/ui_compat.h

@@ -1,4 +1,4 @@
-/* crypto/ui/ui.h -*- mode:C; c-file-style: "eay" -*- */
+/* crypto/ui/ui.h */
 /*
  * Written by Richard Levitte ([email protected]) for the OpenSSL project
  * 2001.

+ 5 - 2
src/Mayaqua/win32_inc/openssl/x509.h

@@ -1234,6 +1234,7 @@ int X509_TRUST_get_trust(X509_TRUST *xp);
  * The following lines are auto generated by the script mkerr.pl. Any changes
  * made after this point may be overwritten when the script is next run.
  */
+
 void ERR_load_X509_strings(void);
 
 /* Error codes for the X509 functions. */
@@ -1241,6 +1242,7 @@ void ERR_load_X509_strings(void);
 /* Function codes. */
 # define X509_F_ADD_CERT_DIR                              100
 # define X509_F_BY_FILE_CTRL                              101
+# define X509_F_CHECK_NAME_CONSTRAINTS                    106
 # define X509_F_CHECK_POLICY                              145
 # define X509_F_DIR_CTRL                                  102
 # define X509_F_GET_CERT_BY_SUBJECT                       103
@@ -1305,6 +1307,7 @@ void ERR_load_X509_strings(void);
 # define X509_R_LOADING_CERT_DIR                          103
 # define X509_R_LOADING_DEFAULTS                          104
 # define X509_R_METHOD_NOT_SUPPORTED                      124
+# define X509_R_NAME_TOO_LONG                             134
 # define X509_R_NEWER_CRL_NOT_NEWER                       132
 # define X509_R_NO_CERT_SET_FOR_US_TO_VERIFY              105
 # define X509_R_NO_CRL_NUMBER                             130
@@ -1321,7 +1324,7 @@ void ERR_load_X509_strings(void);
 # define X509_R_WRONG_LOOKUP_TYPE                         112
 # define X509_R_WRONG_TYPE                                122
 
-#ifdef  __cplusplus
+# ifdef  __cplusplus
 }
-#endif
+# endif
 #endif

+ 14 - 3
src/Mayaqua/win32_inc/openssl/x509_vfy.h

@@ -313,7 +313,7 @@ void X509_STORE_CTX_set_depth(X509_STORE_CTX *ctx, int depth);
                 X509_LOOKUP_ctrl((x),X509_L_ADD_DIR,(name),(long)(type),NULL)
 
 # define         X509_V_OK                                       0
-/* illegal error (for uninitialized values, to avoid X509_V_OK): 1 */
+# define         X509_V_ERR_UNSPECIFIED                          1
 
 # define         X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT            2
 # define         X509_V_ERR_UNABLE_TO_GET_CRL                    3
@@ -368,6 +368,7 @@ void X509_STORE_CTX_set_depth(X509_STORE_CTX *ctx, int depth);
 # define         X509_V_ERR_PERMITTED_VIOLATION                  47
 # define         X509_V_ERR_EXCLUDED_VIOLATION                   48
 # define         X509_V_ERR_SUBTREE_MINMAX                       49
+# define         X509_V_ERR_APPLICATION_VERIFICATION             50
 # define         X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE          51
 # define         X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX        52
 # define         X509_V_ERR_UNSUPPORTED_NAME_SYNTAX              53
@@ -386,8 +387,12 @@ void X509_STORE_CTX_set_depth(X509_STORE_CTX *ctx, int depth);
 # define         X509_V_ERR_EMAIL_MISMATCH                       63
 # define         X509_V_ERR_IP_ADDRESS_MISMATCH                  64
 
-/* The application is not happy */
-# define         X509_V_ERR_APPLICATION_VERIFICATION             50
+/* Caller error */
+# define         X509_V_ERR_INVALID_CALL                         65
+/* Issuer lookup error */
+# define         X509_V_ERR_STORE_LOOKUP                         66
+
+# define         X509_V_ERR_PROXY_SUBJECT_NAME_VIOLATION         67
 
 /* Certificate verify flags */
 
@@ -432,6 +437,12 @@ void X509_STORE_CTX_set_depth(X509_STORE_CTX *ctx, int depth);
 
 /* Allow partial chains if at least one certificate is in trusted store */
 # define X509_V_FLAG_PARTIAL_CHAIN               0x80000
+/*
+ * If the initial chain is not trusted, do not attempt to build an alternative
+ * chain. Alternate chain checking was introduced in 1.0.2b. Setting this flag
+ * will force the behaviour to match that of previous versions.
+ */
+# define X509_V_FLAG_NO_ALT_CHAINS               0x100000
 
 # define X509_VP_FLAG_DEFAULT                    0x1
 # define X509_VP_FLAG_OVERWRITE                  0x2

+ 1 - 1
src/PenCore/PenCore.vcproj

@@ -46,7 +46,7 @@
 				EnableIntrinsicFunctions="false"
 				FavorSizeOrSpeed="0"
 				AdditionalIncludeDirectories="$(SolutionDir)Mayaqua\win32_inc;.;$(SolutionDir)"
-				PreprocessorDefinitions="WIN32;NDEBUG;_WINDOWS;_USE_32BIT_TIME_T;VPN_SPEED"
+				PreprocessorDefinitions="WIN32;NDEBUG;_WINDOWS;VPN_SPEED"
 				StringPooling="false"
 				ExceptionHandling="0"
 				RuntimeLibrary="0"
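Review bot: Only the Release configuration's PreprocessorDefinitions (the hunk at line 46) drops `_USE_32BIT_TIME_T`; if PenCore.vcproj also has a Debug configuration further down, it is outside this hunk and may still define the macro, whereas the VGate section of this same commit updates both its Release and Debug blocks, and PenCore should match. Dropping the macro widens `time_t` to 64 bits in the MSVC CRT, which changes the size of every struct that carries a `time_t` and the layout expected by the `localtime`/`ctime`-family CRT calls, so every module linked into the same process (presumably including the static Mayaqua/Cedar libraries and the replaced OpenSSL import libraries) has to be built with the same setting or layouts disagree across the DLL boundary. I would record the constraint next to the definition, e.g. an XML comment above the enclosing Tool element: `<!-- time_t is 64-bit in every project of this solution; do not re-add _USE_32BIT_TIME_T -->`.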

+ 1 - 1
src/SeeDll/SeeDll.vcproj

@@ -49,7 +49,7 @@
 				EnableIntrinsicFunctions="false"
 				FavorSizeOrSpeed="0"
 				AdditionalIncludeDirectories="$(SolutionDir)Mayaqua\win32_inc;.;$(SolutionDir)"
-				PreprocessorDefinitions="WIN32;NDEBUG;_WINDOWS;_USRDLL;_USE_32BIT_TIME_T;PCDDLL_EXPORTS"
+				PreprocessorDefinitions="WIN32;NDEBUG;_WINDOWS;_USRDLL;PCDDLL_EXPORTS"
 				StringPooling="false"
 				ExceptionHandling="0"
 				RuntimeLibrary="0"
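Review bot: As with PenCore, only one PreprocessorDefinitions attribute (the hunk at line 49, the NDEBUG/Release build) loses `_USE_32BIT_TIME_T` here, so a Debug configuration later in SeeDll.vcproj, if there is one, is not visible in this hunk and should be checked for the same removal. Because the macro changes the width of `time_t` in the CRT, a Release DLL and a Debug DLL built with different settings would expose different struct layouts to the same Mayaqua/Cedar code, which is easy to miss until a timestamp field is read back as garbage. A one-line XML comment near the definitions stating that the whole solution is built with 64-bit `time_t` would make the intent explicit.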

+ 2 - 2
src/VGate/VGate.vcproj

@@ -49,7 +49,7 @@
 				EnableIntrinsicFunctions="false"
 				FavorSizeOrSpeed="0"
 				AdditionalIncludeDirectories="$(SolutionDir)Mayaqua\win32_inc;.;$(SolutionDir)"
-				PreprocessorDefinitions="WIN32;NDEBUG;_WINDOWS;_USRDLL;_USE_32BIT_TIME_T;PCDDLL_EXPORTS"
+				PreprocessorDefinitions="WIN32;NDEBUG;_WINDOWS;_USRDLL;PCDDLL_EXPORTS"
 				StringPooling="false"
 				ExceptionHandling="0"
 				RuntimeLibrary="0"
@@ -249,7 +249,7 @@
 				EnableIntrinsicFunctions="false"
 				FavorSizeOrSpeed="0"
 				AdditionalIncludeDirectories="$(SolutionDir)Mayaqua\win32_inc;.;$(SolutionDir)"
-				PreprocessorDefinitions="WIN32;_DEBUG;_WINDOWS;_USRDLL;_USE_32BIT_TIME_T;PCDDLL_EXPORTS"
+				PreprocessorDefinitions="WIN32;_DEBUG;_WINDOWS;_USRDLL;PCDDLL_EXPORTS"
 				StringPooling="false"
 				ExceptionHandling="0"
 				RuntimeLibrary="0"
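Review bot: Both the Release (line 49) and Debug (line 249) configurations drop `_USE_32BIT_TIME_T` here, which keeps the two VGate builds consistent with each other; the remaining risk is code, not visible in this hunk, that still stores a `time_t` into a 32-bit field or prints it with a 32-bit format, since such code silently truncates once `time_t` is 64-bit. The static libraries VGate links against (Mayaqua, Cedar) and the replaced OpenSSL import libraries must be built with the same `time_t` width, which this .vcproj cannot enforce on its own. I would add an XML comment above the definitions, e.g. `<!-- 64-bit time_t: keep in sync with Mayaqua/Cedar and the OpenSSL build -->`, so the dependency is recorded where the next editor of this file will see it.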

+ 1 - 1
src/WARNING.TXT

@@ -2,7 +2,7 @@ THE IMPORTANT NOTICES ABOUT SOFTETHER VPN
 
 FUNCTIONS OF VPN COMMUNICATIONS EMBEDDED ON THIS SOFTWARE ARE VERY POWERFUL
 THAN EVER. THIS STRONG VPN ABILITY WILL BRING YOU HUGE BENEFITS. HOWEVER, IF
-YOU MISUSE THIS SOFTWARE, IT MIGHT DAMAGES YOURSELF. IN ORDER TO AVOID SUCH
+YOU MISUSE THIS SOFTWARE, IT MIGHT DAMAGE YOURSELF. IN ORDER TO AVOID SUCH
 RISKS, THIS DOCUMENT ACCOUNTS IMPORTANT NOTICES FOR CUSTOMERS WHO ARE WILLING
 TO USE THIS SOFTWARE. THE FOLLOWING INSTRUCTIONS ARE VERY IMPORTANT. READ AND
 UNDERSTAND IT CAREFULLY. ADDITIONALLY, IF YOU ARE PLANNING TO USE THE DYNAMIC
