
v4.42-9798-rtm

dnobori 2 years ago
parent
commit
89939eb52f
53 changed files with 926 additions and 164 deletions
  1. 38 0
      WARNING.TXT
  2. 1 1
      src/BuildFiles/Library/OpenSSL_Build_ID.txt
  3. BIN
      src/BuildFiles/Library/Win32_Release/libeay32.lib
  4. BIN
      src/BuildFiles/Library/Win32_Release/ssleay32.lib
  5. BIN
      src/BuildFiles/Library/x64_Release/libeay32.lib
  6. BIN
      src/BuildFiles/Library/x64_Release/ssleay32.lib
  7. 10 10
      src/Cedar/Admin.c
  8. 6 6
      src/Cedar/Cedar.h
  9. 47 4
      src/Cedar/Client.c
  10. 1 0
      src/Cedar/Client.h
  11. 1 0
      src/Cedar/DDNS.c
  12. 6 2
      src/Cedar/DDNS.h
  13. 208 0
      src/Cedar/Listener.c
  14. 17 0
      src/Cedar/Listener.h
  15. 2 0
      src/Cedar/Protocol.c
  16. 17 13
      src/Cedar/Server.c
  17. 10 2
      src/Cedar/Wpc.c
  18. 3 3
      src/CurrentBuild.txt
  19. 60 2
      src/Mayaqua/Encrypt.c
  20. 3 3
      src/Mayaqua/Encrypt.h
  21. 25 1
      src/Mayaqua/Kernel.c
  22. 3 2
      src/Mayaqua/MayaType.h
  23. 2 0
      src/Mayaqua/Mayaqua.c
  24. 0 1
      src/Mayaqua/Mayaqua.h
  25. 207 36
      src/Mayaqua/Memory.c
  26. 31 12
      src/Mayaqua/Memory.h
  27. 50 28
      src/Mayaqua/Network.c
  28. 17 0
      src/Mayaqua/Tick64.c
  29. 1 0
      src/Mayaqua/Tick64.h
  30. 62 0
      src/Mayaqua/Unix.c
  31. 1 0
      src/Mayaqua/Unix.h
  32. 14 9
      src/Mayaqua/win32_inc/openssl/cmp.h
  33. 5 1
      src/Mayaqua/win32_inc/openssl/cmperr.h
  34. 1 0
      src/Mayaqua/win32_inc/openssl/cmserr.h
  35. 2 1
      src/Mayaqua/win32_inc/openssl/dsaerr.h
  36. 2 1
      src/Mayaqua/win32_inc/openssl/ecerr.h
  37. 5 5
      src/Mayaqua/win32_inc/openssl/opensslv.h
  38. 1 0
      src/Mayaqua/win32_inc/openssl/sslerr.h
  39. 3 5
      src/Mayaqua/win32_inc/openssl/trace.h
  40. 2 2
      src/Mayaqua/win32_inc/openssl/x509v3.h
  41. 38 0
      src/WARNING.TXT
  42. 12 2
      src/bin/hamcore/eula.txt
  43. 3 3
      src/bin/hamcore/strtable_cn.stb
  44. 3 3
      src/bin/hamcore/strtable_en.stb
  45. 3 3
      src/bin/hamcore/strtable_ja.stb
  46. 0 0
      src/bin/hamcore/warning_cn.txt
  47. 0 0
      src/bin/hamcore/warning_en.txt
  48. 0 0
      src/bin/hamcore/warning_ja.txt
  49. BIN
      src/bin/vpnweb.cab
  50. BIN
      src/bin/vpnweb.ocx
  51. 1 1
      src/vpnweb/vpnweb.h
  52. 1 1
      src/vpnweb/vpnweb_i.c
  53. 1 1
      src/vpnweb/vpnweb_p.c

+ 38 - 0
WARNING.TXT

@@ -585,3 +585,41 @@ functions. Therefore, in such a case, you must disable the P2P Relay Function
 on the VPN Gate Client manually by setting the "DisableRelayServer" flag if
 you reside in such a restricted area, in your own responsibility.
 
+SoftEther VPN and VPN Gate (where applicable) are provided, distributed and
+operated under the responsibility of SoftEther Corporation (Corporate Number:
+1050001016519, Tsukuba, Ibaraki, Japan). These projects were researched and
+developed in collaboration with Tsukuba University, a national university in
+Japan.
+
+THIS SOFTWARE IS DEVELOPED IN JAPAN, AND DISTRIBUTED FROM JAPAN, UNDER
+JAPANESE LAWS. YOU MUST AGREE IN ADVANCE TO USE, COPY, MODIFY, MERGE, PUBLISH,
+DISTRIBUTE, SUBLICENSE, AND/OR SELL COPIES OF THIS SOFTWARE, THAT ANY
+JURIDICAL DISPUTES WHICH ARE CONCERNED TO THIS SOFTWARE OR ITS CONTENTS,
+AGAINST US (SOFTETHER CORPORATION OR OTHER SUPPLIERS), OR ANY JURIDICAL
+DISPUTES AGAINST US WHICH ARE CAUSED BY ANY KIND OF USING, COPYING, MODIFYING,
+MERGING, PUBLISHING, DISTRIBUTING, SUBLICENSING, AND/OR SELLING COPIES OF THIS
+SOFTWARE SHALL BE REGARDED AS BE CONSTRUED AND CONTROLLED BY JAPANESE LAWS,
+AND YOU MUST FURTHER CONSENT TO EXCLUSIVE JURISDICTION AND VENUE IN THE COURTS
+SITTING IN TOKYO, JAPAN. YOU MUST WAIVE ALL DEFENSES OF LACK OF PERSONAL
+JURISDICTION AND FORUM NON CONVENIENS. PROCESS MAY BE SERVED ON EITHER PARTY
+IN THE MANNER AUTHORIZED BY APPLICABLE LAW OR COURT RULE.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+SUPPLIERS, PROVIDERS, OPERATORS, AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR
+ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT
+OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE
+USE OR OTHER DEALINGS IN THE SOFTWARE.
+
+IMPORTANT NOTE: USE OF THIS SOFTWARE AND SERVICE BY INDIVIDUALS TO WHOM THE
+CONSUMER CONTRACT ACT APPLIES IS NOT ALLOWED. THIS SOFTWARE IS INTENDED FOR
+PROFESSIONALS AND IS NOT DESIGNED FOR PURELY BUSINESS-UNRELATED CONSUMERS.
+THIS SOFTWARE AND SERVICE MAY BE USED ONLY FOR BUSINESS, COMMERCIAL,
+NON-PROFIT, ORGANIZATIONAL OPERATIONS, RESEARCH AND DEVELOPMENT PURPOSES OR
+OTHER NON-CONSUMPTIVE PURPOSES. THIS SOFTWARE IS NOT INTENDED FOR USE BY
+CONSUMERS. THIS SOFTWARE MAY NOT BE USED BY ANY INDIVIDUAL TO WHOM THE
+CONSUMER RIGHTS PROTECTIONS IN THE CONSUMER CONTRACT ACT OF JAPAN OR
+EQUIVALENT LAWS OF OTHER COUNTRIES APPLY. IF AN INDIVIDUAL USES THE SOFTWARE,
+THE USE OF THE SOFTWARE SHALL BE DEEMED TO BE FOR BUSINESS PURPOSES.
+

+ 1 - 1
src/BuildFiles/Library/OpenSSL_Build_ID.txt

@@ -1 +1 @@
-crosslib_win32_v3_221102_01
+crosslib_win32_v3_230612_02

BIN
src/BuildFiles/Library/Win32_Release/libeay32.lib


BIN
src/BuildFiles/Library/Win32_Release/ssleay32.lib


BIN
src/BuildFiles/Library/x64_Release/libeay32.lib


BIN
src/BuildFiles/Library/x64_Release/ssleay32.lib


+ 10 - 10
src/Cedar/Admin.c

@@ -808,6 +808,7 @@ void AdminWebProcPost(CONNECTION *c, SOCK *s, HTTP_HEADER *h, UINT post_data_siz
 	if (RecvAll(s, data, post_data_size, s->SecureMode))
 	{
 		c->JsonRpcAuthed = true;
+		RemoveDosEntry(c->Listener, s);
 
 		// Divide url_target into URL and query string
 		StrCpy(url, sizeof(url), url_target);
@@ -846,6 +847,7 @@ void AdminWebProcGet(CONNECTION *c, SOCK *s, HTTP_HEADER *h, char *url_target)
 	}
 
 	c->JsonRpcAuthed = true;
+	RemoveDosEntry(c->Listener, s);
 
 	// Divide url_target into URL and query string
 	StrCpy(url, sizeof(url), url_target);
@@ -1279,6 +1281,7 @@ void JsonRpcProcOptions(CONNECTION *c, SOCK *s, HTTP_HEADER *h, char *url_target
 
 	c->JsonRpcAuthed = true;
 
+	RemoveDosEntry(c->Listener, s);
 
 	AdminWebSendBody(s, 200, "OK", NULL, 0, NULL, NULL, NULL, h);
 }
@@ -1305,6 +1308,7 @@ void JsonRpcProcGet(CONNECTION *c, SOCK *s, HTTP_HEADER *h, char *url_target)
 
 	c->JsonRpcAuthed = true;
 
+	RemoveDosEntry(c->Listener, s);
 
 	// Divide url_target into URL and query string
 	StrCpy(url, sizeof(url), url_target);
@@ -1431,6 +1435,7 @@ void JsonRpcProcPost(CONNECTION *c, SOCK *s, HTTP_HEADER *h, UINT post_data_size
 
 		c->JsonRpcAuthed = true;
 
+		RemoveDosEntry(c->Listener, s);
 
 		if (json_req == NULL || json_req_object == NULL)
 		{
@@ -4872,7 +4877,7 @@ UINT StDeleteIpTable(ADMIN *a, RPC_DELETE_TABLE *t)
 		return ERR_NOT_ENOUGH_RIGHT;
 	}
 
-	LockList(h->IpTable);
+	LockHashList(h->MacHashTable);
 	{
 		if (IsInListKey(h->IpTable, t->Key))
 		{
@@ -4885,7 +4890,7 @@ UINT StDeleteIpTable(ADMIN *a, RPC_DELETE_TABLE *t)
 			ret = ERR_OBJECT_NOT_FOUND;
 		}
 	}
-	UnlockList(h->IpTable);
+	UnlockHashList(h->MacHashTable);
 
 	if (ret == ERR_OBJECT_NOT_FOUND)
 	{
@@ -4940,7 +4945,7 @@ UINT SiEnumIpTable(SERVER *s, char *hubname, RPC_ENUM_IP_TABLE *t)
 
 	StrCpy(t->HubName, sizeof(t->HubName), hubname);
 
-	LockList(h->IpTable);
+	LockHashList(h->MacHashTable);
 	{
 		t->NumIpTable = LIST_NUM(h->IpTable);
 		t->IpTables = ZeroMalloc(sizeof(RPC_ENUM_IP_TABLE_ITEM) * t->NumIpTable);
@@ -4962,7 +4967,7 @@ UINT SiEnumIpTable(SERVER *s, char *hubname, RPC_ENUM_IP_TABLE *t)
 			GetMachineName(e->RemoteHostname, sizeof(e->RemoteHostname));
 		}
 	}
-	UnlockList(h->IpTable);
+	UnlockHashList(h->MacHashTable);
 
 	ReleaseHub(h);
 
@@ -8951,14 +8956,9 @@ UINT StEnumHub(ADMIN *a, RPC_ENUM_HUB *t)
 				LockHashList(h->MacHashTable);
 				{
 					e->NumMacTables = HASH_LIST_NUM(h->MacHashTable);
-				}
-				UnlockHashList(h->MacHashTable);
-
-				LockList(h->IpTable);
-				{
 					e->NumIpTables = LIST_NUM(h->IpTable);
 				}
-				UnlockList(h->IpTable);
+				UnlockHashList(h->MacHashTable);
 
 				if (h->HubDb != NULL)
 				{
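Review bot: The `RemoveDosEntry(c->Listener, s);` added right after `c->JsonRpcAuthed = true;` in JsonRpcProcOptions (and in AdminWebProcPost, AdminWebProcGet, JsonRpcProcGet, JsonRpcProcPost) clears the caller's entry from the listener's DOS table at a point where the visible lines show no credential check; if the code above these hunks does not verify the administrator password first (it is not visible here), any client can reset its own rate-limit entry by sending an OPTIONS request, which defeats the DOS table that Listener.c reintroduces for the admin port. Since TCPAcceptedThread already removes the entry at connection end when JsonRpcAuthed is set, the safer placement is only after a successful password check, e.g. inside the branch that validates the credentials in JsonRpcProcPost. Separately, StDeleteIpTable and SiEnumIpTable now guard h->IpTable with `LockHashList(h->MacHashTable)` instead of IpTable's own lock, as do SiCalledDeleteIpTable and SiCallEnumHub in Server.c; that is only mutually exclusive if every other reader and writer of IpTable, which lives in a file this commit does not touch, takes the same lock, so the field that owns IpTable should carry a comment naming its guard, e.g. `// guarded by MacHashTable's lock, not by LockList(IpTable)`.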

+ 6 - 6
src/Cedar/Cedar.h

@@ -126,10 +126,10 @@
 
 
 // Version number
-#define	CEDAR_VER					441
+#define	CEDAR_VER					442
 
 // Build Number
-#define	CEDAR_BUILD					9787
+#define	CEDAR_BUILD					9798
 
 // Beta number
 //#define	BETA_NUMBER					3
@@ -149,11 +149,11 @@
 
 // Specifies the build date
 #define	BUILD_DATE_Y		2023
-#define	BUILD_DATE_M		3
-#define	BUILD_DATE_D		14
+#define	BUILD_DATE_M		6
+#define	BUILD_DATE_D		30
 #define	BUILD_DATE_HO		10
-#define	BUILD_DATE_MI		40
-#define	BUILD_DATE_SE		41
+#define	BUILD_DATE_MI		47
+#define	BUILD_DATE_SE		4
 
 // Tolerable time difference
 #define	ALLOW_TIMESTAMP_DIFF		(UINT64)(3 * 24 * 60 * 60 * 1000)

+ 47 - 4
src/Cedar/Client.c

@@ -5409,6 +5409,22 @@ void CiRpcAccepted(CLIENT *c, SOCK *s)
 		retcode = 0;
 	}
 
+	if (retcode == 0)
+	{
+		if (s->RemoteIP.addr[0] != 127)
+		{
+			// If the RPC client is from network check whether the password is empty
+			UCHAR empty_password_hash[20];
+			Hash(empty_password_hash, "", 0, true);
+			if (Cmp(empty_password_hash, hashed_password, SHA1_SIZE) == 0 ||
+				IsZero(hashed_password, SHA1_SIZE))
+			{
+				// Regard it as incorrect password
+				retcode = 1;
+			}
+		}
+	}
+
 	Lock(c->lock);
 	{
 		if (c->Config.AllowRemoteConfig == false)
@@ -5512,14 +5528,21 @@ void CiRpcServerThread(THREAD *thread, void *param)
 
 	// Open the port
 	listener = NULL;
-	for (i = CLIENT_CONFIG_PORT;i < (CLIENT_CONFIG_PORT + 5);i++)
+	if (c->Config.DisableRpcDynamicPortListener == false)
 	{
-		listener = Listen(i);
-		if (listener != NULL)
+		for (i = CLIENT_CONFIG_PORT;i < (CLIENT_CONFIG_PORT + 5);i++)
 		{
-			break;
+			listener = ListenEx(i, !c->Config.AllowRemoteConfig);
+			if (listener != NULL)
+			{
+				break;
+			}
 		}
 	}
+	else
+	{
+		listener = ListenEx(CLIENT_CONFIG_PORT, !c->Config.AllowRemoteConfig);
+	}
 
 	if (listener == NULL)
 	{
@@ -9325,6 +9348,12 @@ void CiInitConfiguration(CLIENT *c)
 		c->Config.UseKeepConnect = false;	// Don't use the connection maintenance function by default in the Client
 		// Eraser
 		c->Eraser = NewEraser(c->Logger, 0);
+
+#ifdef	OS_WIN32
+		c->Config.DisableRpcDynamicPortListener = false;
+#else	// OS_WIN32
+		c->Config.DisableRpcDynamicPortListener = true;
+#endif	// OS_WIN32
 	}
 	else
 	{
@@ -9471,6 +9500,19 @@ void CiLoadClientConfig(CLIENT_CONFIG *c, FOLDER *f)
 	c->AllowRemoteConfig = CfgGetBool(f, "AllowRemoteConfig");
 	c->KeepConnectInterval = MAKESURE(CfgGetInt(f, "KeepConnectInterval"), KEEP_INTERVAL_MIN, KEEP_INTERVAL_MAX);
 	c->NoChangeWcmNetworkSettingOnWindows8 = CfgGetBool(f, "NoChangeWcmNetworkSettingOnWindows8");
+
+	if (CfgIsItem(f, "DisableRpcDynamicPortListener"))
+	{
+		c->DisableRpcDynamicPortListener = CfgGetBool(f, "DisableRpcDynamicPortListener");
+	}
+	else
+	{
+#ifdef	OS_WIN32
+		c->DisableRpcDynamicPortListener = false;
+#else	// OS_WIN32
+		c->DisableRpcDynamicPortListener = true;
+#endif	// OS_WIN32
+	}
 }
 
 // Read the client authentication data
@@ -10023,6 +10065,7 @@ void CiWriteClientConfig(FOLDER *cc, CLIENT_CONFIG *config)
 	CfgAddBool(cc, "AllowRemoteConfig", config->AllowRemoteConfig);
 	CfgAddInt(cc, "KeepConnectInterval", config->KeepConnectInterval);
 	CfgAddBool(cc, "NoChangeWcmNetworkSettingOnWindows8", config->NoChangeWcmNetworkSettingOnWindows8);
+	CfgAddBool(cc, "DisableRpcDynamicPortListener", config->DisableRpcDynamicPortListener);
 }
 
 // Write the client authentication data
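Review bot: The loopback test in CiRpcAccepted, `if (s->RemoteIP.addr[0] != 127)`, recognises only IPv4 127/8; a local RPC client arriving over IPv6 loopback (what addr[] holds for an IPv6 SOCK is not visible here) is treated as remote and has its empty password rejected, so the check should use the codebase's loopback predicate if it has one (IsLocalHostIP() or equivalent) rather than inspecting the first octet. The rejection also deserves a why-comment, e.g. `// A remote RPC client is never accepted with an empty password, even when AllowRemoteConfig is set`. In CiRpcServerThread, `ListenEx(i, !c->Config.AllowRemoteConfig)` now binds the RPC port locally unless remote configuration is enabled, which is the stronger of the two controls; with DisableRpcDynamicPortListener true (the non-Windows default set in CiInitConfiguration) a busy CLIENT_CONFIG_PORT leaves listener NULL with no fallback, so the error path below the hunk should log that the port was unavailable rather than fail silently.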

+ 1 - 0
src/Cedar/Client.h

@@ -186,6 +186,7 @@ struct CLIENT_CONFIG
 	UINT KeepConnectProtocol;				// Protocol
 	UINT KeepConnectInterval;				// Interval
 	bool NoChangeWcmNetworkSettingOnWindows8;	// Don't change the WCM network settings on Windows 8
+	bool DisableRpcDynamicPortListener;
 };
 
 // Version acquisition
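Review bot: `bool DisableRpcDynamicPortListener;` is the only CLIENT_CONFIG field in this struct without a trailing comment; from the Client.c hunks it selects whether the RPC listener binds only CLIENT_CONFIG_PORT or scans CLIENT_CONFIG_PORT through CLIENT_CONFIG_PORT+4, and CiInitConfiguration/CiLoadClientConfig default it to false on Windows and true elsewhere. Suggest `bool DisableRpcDynamicPortListener;	// Listen only on CLIENT_CONFIG_PORT instead of scanning the next 4 ports (default: true except on Windows)`.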

+ 1 - 0
src/Cedar/DDNS.c

@@ -641,6 +641,7 @@ UINT DCRegister(DDNS_CLIENT *c, bool ipv6, DDNS_REGISTER_PARAM *p, char *replace
 	}
 
 
+	use_https = true;
 
 	Format(url2, sizeof(url2), "%s?v=%I64u", url, Rand64());
 	Format(url3, sizeof(url3), url2, key_hash_str[2], key_hash_str[3]);
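Review bot: `use_https = true;` is an unconditional assignment in DCRegister, so whatever selected use_https above the hunk (not visible here) is now dead code; if HTTPS is meant to be mandatory for DDNS registration, remove the earlier selection logic and say so at this line, e.g. `// Registration always goes over HTTPS; the plain-HTTP path is no longer used`.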

+ 6 - 2
src/Cedar/DDNS.h

@@ -110,7 +110,11 @@
 							"439BAFA75A6EE5671FC9F9A02D34FF29881761A0" \
 							"EFAC5FA0CDD14E0F864EED58A73C35D7E33B62F3" \
 							"74DF99D4B1B5F0488A388B50D347D26013DC67A5" \
-							"6EBB39AFCA8C900635CFC11218CF293A612457E4"
+							"6EBB39AFCA8C900635CFC11218CF293A612457E4" \
+							"05A9386C5E2B233F7BAB2479620EAAA2793709ED" \
+							"A811C64BB715351E36B6C1E022648D8BE0ACD128" \
+							"BD264DB3B0B1B3ABA0AF3074AA574ED1EF3B42D7" \
+							"9AB61D691536645DD55A8730FC6D2CDF33C8C73F"
 
 #define	DDNS_SNI_VER_STRING		"DDNS"
 
@@ -135,7 +139,7 @@
 #define	DDNS_URL2_V4_ALT	"http://get-my-ip.ddns.uxcom.jp/ddns/getmyip.ashx"
 #define	DDNS_URL2_V6_ALT	"http://get-my-ip-v6.ddns.uxcom.jp/ddns/getmyip.ashx"
 
-#define	DDNS_RPC_MAX_RECV_SIZE				DYN32(DDNS_RPC_MAX_RECV_SIZE, (128 * 1024 * 1024))
+#define	DDNS_RPC_MAX_RECV_SIZE				DYN32(DDNS_RPC_MAX_RECV_SIZE, (38 * 1024 * 1024))
 
 // Connection Timeout
 #define	DDNS_CONNECT_TIMEOUT		DYN32(DDNS_CONNECT_TIMEOUT, (15 * 1000))

+ 208 - 0
src/Cedar/Listener.c

@@ -267,6 +267,10 @@ void TCPAcceptedThread(THREAD *t, void *param)
 	ConnectionAccept(c);
 	flag1 = c->flag1;
 
+	if (c->JsonRpcAuthed)
+	{
+		RemoveDosEntry(r, s);
+	}
 
 	// Release
 	SLog(r->Cedar, "LS_CONNECTION_END_1", c->Name);
@@ -308,6 +312,46 @@ void TCPAccepted(LISTENER *r, SOCK *s)
 
 	num_clients_from_this_ip = GetNumIpClient(&s->RemoteIP);
 
+#ifdef	USE_DOS_ATTACK_DETECTION
+	if (disable_dos == false && r->DisableDos == false && r->Protocol != LISTENER_INPROC)
+	{
+		UINT max_uec, now_uec;
+		// DOS attack check
+		if (CheckDosAttack(r, s) == false)
+		{
+			Debug("DOS Attack 1 !!\n");
+			IPToStr(tmp, sizeof(tmp), &s->RemoteIP);
+			SLog(r->Cedar, "LS_LISTENER_DOS", r->Port, tmp, s->RemotePort);
+			return;
+		}
+		if (StrCmpi(s->UnderlayProtocol, SOCK_UNDERLAY_NATIVE_V6) == 0 ||
+			StrCmpi(s->UnderlayProtocol, SOCK_UNDERLAY_NATIVE_V4) == 0)
+		{
+			if (IsInNoSsl(r->Cedar, &s->RemoteIP))
+			{
+				Debug("DOS Attack 2 !!\n");
+				IPToStr(tmp, sizeof(tmp), &s->RemoteIP);
+				SLog(r->Cedar, "LS_LISTENER_DOS", r->Port, tmp, s->RemotePort);
+				return;
+			}
+		}
+		if (num_clients_from_this_ip > GetMaxConnectionsPerIp())
+		{
+			Debug("DOS Attack 3 !!\n");
+			IPToStr(tmp, sizeof(tmp), &s->RemoteIP);
+			SLog(r->Cedar, "LS_LISTENER_DOS", r->Port, tmp, s->RemotePort);
+			return;
+		}
+		max_uec = GetMaxUnestablishedConnections();
+		now_uec = GetUnestablishedConnections(cedar);
+		if (now_uec > max_uec)
+		{
+			Debug("DOS Attack 4 !!\n");
+			SLog(r->Cedar, "LS_LISTENER_MAXUEC", max_uec, now_uec);
+			return;
+		}
+	}
+#endif	// USE_DOS_ATTACK_DETECTION
 
 	IPToStr(tmp, sizeof(tmp), &s->RemoteIP);
 
@@ -326,6 +370,169 @@ void TCPAccepted(LISTENER *r, SOCK *s)
 	ReleaseThread(t);
 }
 
+// Remove a DOS entry
+bool RemoveDosEntry(LISTENER *r, SOCK *s)
+{
+	DOS *d;
+	bool ok = false;
+	// Validate arguments
+	if (r == NULL || s == NULL)
+	{
+		return false;
+	}
+
+	LockList(r->DosList);
+	{
+		// Delete old entries from the DOS attack list
+		RefreshDosList(r);
+
+		// Search the table
+		d = SearchDosList(r, &s->RemoteIP);
+
+		if (d != NULL)
+		{
+			Delete(r->DosList, d);
+			Free(d);
+			ok = true;
+		}
+	}
+	UnlockList(r->DosList);
+
+	return ok;
+}
+
+// Check whether this is a DOS attack
+bool CheckDosAttack(LISTENER *r, SOCK *s)
+{
+	DOS *d;
+	bool ok = true;
+	// Validate arguments
+	if (r == NULL || s == NULL)
+	{
+		return false;
+	}
+
+	LockList(r->DosList);
+	{
+		// Delete old entries from the DOS attack list
+		RefreshDosList(r);
+
+		// Search the table
+		d = SearchDosList(r, &s->RemoteIP);
+
+		if (d != NULL)
+		{
+			// There is a entry already
+			// This should mean being under a DOS attack
+			d->LastConnectedTick = Tick64();
+			d->CurrentExpireSpan = MIN(d->CurrentExpireSpan * (UINT64)2, DOS_TABLE_EXPIRES_MAX);
+			d->AccessCount++;
+			if (d->AccessCount > DOS_TABLE_MAX_LIMIT_PER_IP)
+			{
+				ok = false;
+			}
+		}
+		else
+		{
+			// Create a new entry
+			d = ZeroMalloc(sizeof(DOS));
+			d->CurrentExpireSpan = (UINT64)DOS_TABLE_EXPIRES_FIRST;
+			d->FirstConnectedTick = d->LastConnectedTick = Tick64();
+			d->AccessCount = 1;
+			d->DeleteEntryTick = d->FirstConnectedTick + (UINT64)DOS_TABLE_EXPIRES_TOTAL;
+			Copy(&d->IpAddress, &s->RemoteIP, sizeof(IP));
+			Add(r->DosList, d);
+		}
+	}
+	UnlockList(r->DosList);
+
+	return ok;
+}
+
+// Delete old entries from the DOS attack list
+void RefreshDosList(LISTENER *r)
+{
+	// Validate arguments
+	if (r == NULL)
+	{
+		return;
+	}
+
+	if (r->DosListLastRefreshTime == 0 ||
+		(r->DosListLastRefreshTime + (UINT64)DOS_TABLE_REFRESH_INTERVAL) <= Tick64())
+	{
+		UINT i;
+		LIST *o;
+		r->DosListLastRefreshTime = Tick64();
+
+		o = NewListFast(NULL);
+		for (i = 0;i < LIST_NUM(r->DosList);i++)
+		{
+			DOS *d = LIST_DATA(r->DosList, i);
+			if ((d->LastConnectedTick + d->CurrentExpireSpan) <= Tick64() ||
+				(d->DeleteEntryTick <= Tick64()))
+			{
+				Add(o, d);
+			}
+		}
+
+		for (i = 0;i < LIST_NUM(o);i++)
+		{
+			DOS *d = LIST_DATA(o, i);
+			Delete(r->DosList, d);
+			Free(d);
+		}
+
+		ReleaseList(o);
+	}
+}
+
+// Search the DOS attack list by the IP address
+DOS *SearchDosList(LISTENER *r, IP *ip)
+{
+	DOS *d, t;
+	// Validate arguments
+	if (r == NULL || ip == NULL)
+	{
+		return NULL;
+	}
+
+	Copy(&t.IpAddress, ip, sizeof(IP));
+
+	d = Search(r->DosList, &t);
+
+	if (d != NULL)
+	{
+		if ((d->LastConnectedTick + d->CurrentExpireSpan) <= Tick64() ||
+			(d->DeleteEntryTick <= Tick64()))
+		{
+			// Delete old entries
+			Delete(r->DosList, d);
+			Free(d);
+			return NULL;
+		}
+	}
+
+	return d;
+}
+
+// Comparison of DOS attack list entries
+int CompareDos(void *p1, void *p2)
+{
+	DOS *d1, *d2;
+	if (p1 == NULL || p2 == NULL)
+	{
+		return 0;
+	}
+	d1 = *(DOS **)p1;
+	d2 = *(DOS **)p2;
+	if (d1 == NULL || d2 == NULL)
+	{
+		return 0;
+	}
+
+	return CmpIpAddr(&d1->IpAddress, &d2->IpAddress);
+}
 
 // UDP listener main loop
 void ListenerUDPMainLoop(LISTENER *r)
@@ -875,6 +1082,7 @@ LISTENER *NewListenerEx5(CEDAR *cedar, UINT proto, UINT port, THREAD_PROC *proc,
 	r->Port = port;
 	r->Event = NewEvent();
 
+	r->DosList = NewList(CompareDos);
 
 	r->LocalOnly = local_only;
 	r->ShadowIPv6 = shadow_ipv6;
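Review bot: NewListenerEx5 now allocates `r->DosList = NewList(CompareDos);`, but the section's four hunks account for all 208 added lines and none of them touches the listener's release path, so the list and the DOS entries it owns are never freed when a listener is destroyed; the cleanup function (outside these hunks) needs `for (i = 0;i < LIST_NUM(r->DosList);i++) { Free(LIST_DATA(r->DosList, i)); } ReleaseList(r->DosList);` unless it already walks the list. In TCPAccepted each of the four rejection paths returns before the IPToStr/logging lines that follow and before the thread creation lower in the function, and none calls Disconnect(s); whether the caller releases `s` after TCPAccepted returns is outside the hunk, so confirm that a rejected socket is closed promptly rather than held until its reference drops. RefreshDosList and SearchDosList call Tick64() once per comparison; reading it once into a local `now` makes the expiry test consistent across the loop. The unestablished-connection check passes `cedar` while every other line uses `r->Cedar`; presumably a local alias, but worth making consistent.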

+ 17 - 0
src/Cedar/Listener.h

@@ -109,6 +109,16 @@
 // Function to call when receiving a new connection
 typedef void (NEW_CONNECTION_PROC)(CONNECTION *c);
 
+// DOS attack list
+struct DOS
+{
+	IP IpAddress;					// IP address
+	UINT64 FirstConnectedTick;		// Time which a client connects at the first time
+	UINT64 LastConnectedTick;		// Time which a client connected at the last time
+	UINT64 CurrentExpireSpan;		// Current time-out period of this record
+	UINT64 DeleteEntryTick;			// Time planned to delete this entry
+	UINT AccessCount;				// The number of accesses
+};
 
 
 // Listener structure
@@ -125,6 +135,8 @@ struct LISTENER
 	volatile bool Halt;				// Halting flag
 	UINT Status;					// State
 
+	LIST *DosList;					// DOS attack list
+	UINT64 DosListLastRefreshTime;	// Time that the DOS list is refreshed at the last
 
 	THREAD_PROC *ThreadProc;		// Thread procedure
 	void *ThreadParam;				// Thread parameters
@@ -199,6 +211,11 @@ void FreeDynamicListener(DYNAMIC_LISTENER *d);
 bool ListenerRUDPRpcRecvProc(RUDP_STACK *r, UDPPACKET *p);
 void ListenerSetProcRecvRpcEnable(bool b);
 
+int CompareDos(void *p1, void *p2);
+DOS *SearchDosList(LISTENER *r, IP *ip);
+void RefreshDosList(LISTENER *r);
+bool CheckDosAttack(LISTENER *r, SOCK *s);
+bool RemoveDosEntry(LISTENER *r, SOCK *s);
 
 #endif	// LISTENER_H
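Review bot: The comment on the new struct, `// DOS attack list`, describes the LISTENER field `LIST *DosList` rather than this struct, which is one per-IP entry in that list (CompareDos orders it by IpAddress and SearchDosList looks one up by IP); suggest `// DOS attack list entry (one per remote IP address, ordered by IpAddress)`. CheckDosAttack, RefreshDosList and SearchDosList are exported here although only RemoveDosEntry is called from outside Listener.c in this commit; if that is intentional, a one-line note that RemoveDosEntry and CheckDosAttack take DosList's lock themselves (so callers must not already hold it, if LockList is not reentrant) would prevent a recursive-lock misuse.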
 

+ 2 - 0
src/Cedar/Protocol.c

@@ -5923,6 +5923,8 @@ REDIRECTED:
 
 		Free(ports);
 
+		Zero(ticket, sizeof(ticket));
+
 		if (PackGetDataSize(p, "Ticket") == SHA1_SIZE)
 		{
 			PackGetData(p, "Ticket", ticket);

+ 17 - 13
src/Cedar/Server.c

@@ -1275,9 +1275,14 @@ UINT GetServerCapsInt(SERVER *s, char *name)
 	}
 
 	Zero(&t, sizeof(t));
-	GetServerCaps(s, &t);
 
-	ret = GetCapsInt(&t, name);
+	Lock(s->CapsCacheLock);
+	{
+		GetServerCaps(s, &t);
+
+		ret = GetCapsInt(&t, name);
+	}
+	Unlock(s->CapsCacheLock);
 
 	return ret;
 }
@@ -1346,10 +1351,14 @@ void FlushServerCaps(SERVER *s)
 		return;
 	}
 
-	DestroyServerCapsCache(s);
+	Lock(s->CapsCacheLock);
+	{
+		DestroyServerCapsCache(s);
 
-	Zero(&t, sizeof(t));
-	GetServerCaps(s, &t);
+		Zero(&t, sizeof(t));
+		GetServerCaps(s, &t);
+	}
+	Unlock(s->CapsCacheLock);
 }
 
 // Get the Caps list for this server
@@ -7831,7 +7840,7 @@ void SiCalledDeleteIpTable(SERVER *s, PACK *p)
 		return;
 	}
 
-	LockList(h->IpTable);
+	LockHashList(h->MacHashTable);
 	{
 		if (IsInList(h->IpTable, (void *)key))
 		{
@@ -7840,7 +7849,7 @@ void SiCalledDeleteIpTable(SERVER *s, PACK *p)
 			Free(e);
 		}
 	}
-	UnlockList(h->IpTable);
+	UnlockHashList(h->MacHashTable);
 
 	ReleaseHub(h);
 }
@@ -8643,14 +8652,9 @@ void SiCallEnumHub(SERVER *s, FARM_MEMBER *f)
 							LockHashList(h->MacHashTable);
 							{
 								hh->NumMacTables = HASH_LIST_NUM(h->MacHashTable);
-							}
-							UnlockHashList(h->MacHashTable);
-
-							LockList(h->IpTable);
-							{
 								hh->NumIpTables = LIST_NUM(h->IpTable);
 							}
-							UnlockList(h->IpTable);
+							UnlockHashList(h->MacHashTable);
 						}
 					}
 				}
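Review bot: GetServerCapsInt and FlushServerCaps now call GetServerCaps (and DestroyServerCapsCache) while holding `s->CapsCacheLock`; if either callee takes the same lock internally to guard the cache it manages (their bodies are outside the hunk), this becomes a recursive acquisition that deadlocks unless the LOCK type is reentrant, so please confirm one way or the other and document it on the lock field, e.g. `// CapsCacheLock: taken by callers of GetServerCaps; GetServerCaps itself must not take it`. In GetServerCapsInt, `t` is a local that GetServerCaps fills under the lock, so `ret = GetCapsInt(&t, name);` can move after `Unlock(s->CapsCacheLock);` to keep the critical section to the cache access alone.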

+ 10 - 2
src/Cedar/Wpc.c

@@ -401,8 +401,16 @@ BUF *WpcDataEntryToBuf(WPC_ENTRY *e)
 	}
 
 	data_size = e->Size + 4096;
-	data = Malloc(data_size);
-	size = DecodeSafe64(data, e->Data, e->Size);
+	data = ZeroMalloc(data_size);
+
+	if (e->Size >= 1)
+	{
+		size = DecodeSafe64(data, e->Data, e->Size);
+	}
+	else
+	{
+		size = 0;
+	}
 
 	b = NewBuf();
 	WriteBuf(b, data, size);
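Review bot: `data_size = e->Size + 4096;` in WpcDataEntryToBuf is computed on a size that presumably comes from the parsed WPC document, and if e->Size is an unsigned value near its maximum the addition wraps to a small number before ZeroMalloc, so DecodeSafe64 would write past the allocation; the new `e->Size >= 1` guard covers only the empty case (the types of e->Size and data_size are outside the hunk, so confirm the wrap is reachable). Add an upper bound before the allocation, e.g. `if (e->Size > MAX_WPC_ENTRY_SIZE_PLACEHOLDER) { return NULL; }` with the limit matching what the WPC parser already accepts. Whether `data` is freed after WriteBuf is also below the hunk and worth a glance.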

+ 3 - 3
src/CurrentBuild.txt

@@ -1,4 +1,4 @@
-BUILD_NUMBER 9787
-VERSION 441
+BUILD_NUMBER 9798
+VERSION 442
 BUILD_NAME rtm
-BUILD_DATE 20230314_104041
+BUILD_DATE 20230630_104704

+ 60 - 2
src/Mayaqua/Encrypt.c

@@ -1552,7 +1552,8 @@ void CertTest_()
 // Hash a pointer to a 32-bit
 UINT HashPtrToUINT(void *p)
 {
-	UCHAR hash_data[MD5_SIZE];
+	UCHAR hash_data[SHA256_SIZE];
+	UCHAR hash_src[CANARY_RAND_SIZE + sizeof(void *)];
 	UINT ret;
 	// Validate arguments
 	if (p == NULL)
@@ -1560,7 +1561,11 @@ UINT HashPtrToUINT(void *p)
 		return 0;
 	}
 
-	Hash(hash_data, &p, sizeof(p), false);
+	Zero(hash_src, sizeof(hash_src));
+	Copy(hash_src + 0, GetCanaryRand(CANARY_RAND_ID_PTR_KEY_HASH), CANARY_RAND_SIZE);
+	Copy(hash_src + CANARY_RAND_SIZE, p, sizeof(void *));
+
+	HashSha256(hash_data, hash_src, sizeof(hash_src));
 
 	Copy(&ret, hash_data, sizeof(ret));
 
@@ -6967,6 +6972,59 @@ crypto_aead_chacha20poly1305_ietf_encrypt(unsigned char *c,
 	return ret;
 }
 
+// OpenSSL 3.0.0 to 3.0.2 has a bug with RC4-MD5.
+// See: https://github.com/openssl/openssl/issues/13363 https://github.com/openssl/openssl/pull/13378
+
+static bool ssl_is_rc4md5_buggy_version = false;
+static bool ssl_has_cache_is_rc4md5_buggy_version = false;
+
+bool IsSslLibVersionBuggyForRc4Md5()
+{
+	bool ret = false;
+	if (ssl_has_cache_is_rc4md5_buggy_version)
+	{
+		return ssl_is_rc4md5_buggy_version;
+	}
+
+	ret = IsSslLibVersionBuggyForRc4Md5_Internal();
+
+	ssl_is_rc4md5_buggy_version = ret;
+	ssl_has_cache_is_rc4md5_buggy_version = true;
+
+	return ret;
+}
+
+bool IsSslLibVersionBuggyForRc4Md5_Internal()
+{
+	UINT verint = 0;
+	UINT ver_major = 0;
+	UINT ver_minor = 0;
+	UINT ver_fix = 0;
+	UINT ver_patch = 0;
+
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
+	DoNothing();
+#else	// OPENSSL_VERSION_NUMBER
+	verint = OpenSSL_version_num();
+
+	ver_major = (verint >> 28) & 0x0F;
+	ver_minor = (verint >> 20) & 0xFF;
+	ver_fix = (verint >> 12) & 0xFF;
+	ver_patch = (verint >> 4) & 0xFF;
+#endif	// OPENSSL_VERSION_NUMBER
+
+	if (ver_major == 3 && ver_minor == 0)
+	{
+		if (ver_patch <= 2)
+		{
+			return true;
+		}
+	}
+
+	return false;
+}
+
+
 static char ssl_version_cache[MAX_PATH] = CLEAN;
 
 void GetSslLibVersion(char *str, UINT size)
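Review bot: In HashPtrToUINT the new line `Copy(hash_src + CANARY_RAND_SIZE, p, sizeof(void *));` copies the first pointer-sized bytes of the object that p points to, whereas the removed `Hash(hash_data, &p, sizeof(p), false);` hashed the pointer value itself; since the MayaType.h hunk now routes every POINTER_TO_KEY() through this function, keys become content-derived (two objects whose leading bytes agree collide, and a key silently changes when the object is modified) and the read runs past the end of any object smaller than a pointer. The intended line is `Copy(hash_src + CANARY_RAND_SIZE, &p, sizeof(p));`. IsSslLibVersionBuggyForRc4Md5 caches its result through two plain statics written in separate statements; the value is deterministic so a concurrent first call only repeats the work, and a comment such as `// Benign race: concurrent first calls compute the same value` would save the next reader the analysis. `ver_fix` is assigned but never read in the version test, so either drop it or comment why only major, minor and patch are compared.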

+ 3 - 3
src/Mayaqua/Encrypt.h

@@ -144,9 +144,7 @@ void RAND_Free_For_SoftEther();
 // OpenSSL default cipher algorithms
 #define	OPENSSL_DEFAULT_CIPHER_LIST "ALL:!EXPORT:!LOW:!aNULL:!eNULL:!SSLv2"
 
-// OpenSSL 3.x has a bug. https://github.com/openssl/openssl/issues/13363 https://github.com/openssl/openssl/pull/13378
-// At 2021-09-08 this bug is reported as fixed on Github, but actually still exists on RC4-MD5.
-// So, with OpenSSL 3.0 we manually disable RC4-MD5 by default on both SSL server and SSL client.
+// OpenSSL 3.0.0 to 3.0.2 has a bug with RC4-MD5. https://github.com/openssl/openssl/issues/13363 https://github.com/openssl/openssl/pull/13378
 #define	OPENSSL_DEFAULT_CIPHER_LIST_NO_RC4_MD5  (OPENSSL_DEFAULT_CIPHER_LIST ":!RC4-MD5")
 
 // IANA definitions taken from IKEv1 Phase 1
@@ -668,6 +666,8 @@ void Aead_ChaCha20Poly1305_Ietf_Test();
 void GetSslLibVersion(char *str, UINT size);
 void GetSslLibVersion_Internal(char *str, UINT size);
 
+bool IsSslLibVersionBuggyForRc4Md5();
+bool IsSslLibVersionBuggyForRc4Md5_Internal();
 
 
 

+ 25 - 1
src/Mayaqua/Kernel.c

@@ -2401,10 +2401,34 @@ void AbortExitEx(char *msg)
 		msg = "Unknown Error";
 	}
 
-	f = fopen("abort_error_log.txt", "w");
+	f = fopen("abort_error_log.txt", "a");
 	if (f != NULL)
 	{
+		SYSTEMTIME time = CLEAN;
+		char time_str[128] = CLEAN;
+		char* crlf = "\r\n";
+		char* tag = "---------";
+
+		LocalTime(&time);
+
+		sprintf(time_str, "%04u-%02u-%02u %02u:%02u:%02u",
+			time.wYear, time.wMonth, time.wDay,
+			time.wHour, time.wMinute, time.wSecond);
+
+		fwrite(tag, 1, strlen(tag), f);
+
+		fwrite(crlf, 1, strlen(crlf), f);
+
+		fwrite(time_str, 1, strlen(time_str), f);
+
+		fwrite(crlf, 1, strlen(crlf), f);
+
 		fwrite(msg, 1, strlen(msg), f);
+
+		fwrite(crlf, 1, strlen(crlf), f);
+
+		fwrite(crlf, 1, strlen(crlf), f);
+
 		fclose(f);
 	}
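Review bot: AbortExitEx now opens `abort_error_log.txt` with mode `"a"` instead of `"w"`, so a process that aborts repeatedly (a supervisor restart loop, for instance) grows the file without bound in whatever the current directory is; the relative path is pre-existing, but append mode makes a size cap worth adding, e.g. `fseek(f, 0, SEEK_END)` then `ftell(f)` after the open and reopening with `"w"` above a fixed limit. The `sprintf` into `time_str[128]` is bounded by its format (six unsigned fields) and safe as written, though `snprintf(time_str, sizeof(time_str), ...)` would make that evident to readers and static analyzers. Style: the file's other declarations write `char *crlf`, not `char* crlf`.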
 

+ 3 - 2
src/Mayaqua/MayaType.h

@@ -218,7 +218,7 @@ typedef int (COMPARE)(void *p1, void *p2);
 #define	GET_ABS(a)			((a) >= 0 ? (a) : -(a))
 
 // Convert the pointer to UINT
-#define	POINTER_TO_KEY(p)		((sizeof(void *) == sizeof(UINT)) ? (UINT)(p) : HashPtrToUINT(p))
+#define	POINTER_TO_KEY(p)		(HashPtrToUINT(p))
 // Compare the pointer and UINT
 #define	COMPARE_POINTER_AND_KEY(p, i)	(POINTER_TO_KEY(p) == (i))
 // Convert the pointer to UINT64
@@ -411,7 +411,8 @@ typedef struct TRACKING_LIST TRACKING_LIST;
 typedef struct IO IO;
 
 // Memory.h
-typedef struct MEMTAG MEMTAG;
+typedef struct MEMTAG1 MEMTAG1;
+typedef struct MEMTAG2 MEMTAG2;
 typedef struct BUF BUF;
 typedef struct FIFO FIFO;
 typedef struct LIST LIST;
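Review bot: `POINTER_TO_KEY(p)` now always goes through HashPtrToUINT, so on 32-bit builds a key is no longer the pointer value but a keyed hash truncated to 32 bits; that introduces collisions between live objects where the old identity mapping had none, and every COMPARE_POINTER_AND_KEY lookup now costs a hash computation. If collision-free keys on 32-bit were relied on anywhere, that assumption is gone and should be stated on the macro, e.g. `// Keys are process-local and may collide; never use one as the sole identity of an object`.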

+ 2 - 0
src/Mayaqua/Mayaqua.c

@@ -159,6 +159,8 @@ void InitProcessCallOnceEx(int restricted_mode)
 	{
 		init_proc_once_flag = true;
 
+		InitCanaryRand();
+
 #ifdef	OS_WIN32
 		MsInitProcessCallOnce(restricted_mode);
 #endif	// OS_WIN32

+ 0 - 1
src/Mayaqua/Mayaqua.h

@@ -119,7 +119,6 @@
 #define	DONT_USE_KERNEL_STATUS			// Do not update the kernel status
 #define	WIN32_USE_HEAP_API_FOR_MEMORY	// Use the heap API to allocate memory
 #define	WIN32_NO_DEBUG_HELP_DLL			// Do not call the DLL for debugging
-#define	DONT_CHECK_HEAP					// Do not check the status of the heap
 #define	DONT_ALLOW_RUN_ON_DEBUGGER		// Do not allow running on the debugger
 
 #endif	// VPN_SPEED

+ 207 - 36
src/Mayaqua/Memory.c

@@ -127,6 +127,105 @@ static UINT fifo_current_realloc_mem_size = FIFO_REALLOC_MEM_SIZE;
 
 static ACTIVE_PATCH_ENTRY ActivePatchList[MAX_ACTIVE_PATCH] = CLEAN;
 
+static bool canary_inited = false;
+typedef struct CANARY_RAND_DATA
+{
+	UCHAR Data[CANARY_RAND_SIZE + 4];
+} CANARY_RAND_DATA;
+
+static CANARY_RAND_DATA canary_rand_data[NUM_CANARY_RAND] = CLEAN;
+
+static UINT64 canary_memtag_magic1 = 0;
+static UINT64 canary_memtag_magic2 = 0;
+
+UCHAR *GetCanaryRand(UINT id)
+{
+	if (id >= NUM_CANARY_RAND)
+	{
+		id = NUM_CANARY_RAND - 1;
+	}
+
+	return &((canary_rand_data[id].Data)[0]);
+}
+
+void InitCanaryRand()
+{
+	SYSTEMTIME st = CLEAN;
+	char random_seed[1024] = CLEAN;
+	UINT64 t1 = 0, t2 = 0;
+	if (canary_inited)
+	{
+		return;
+	}
+
+#ifdef OS_WIN32
+	Win32GetSystemTime(&st);
+	memcpy(&t1, ((UCHAR *)&st) + 0, 8);
+	memcpy(&t2, ((UCHAR *)&st) + 8, 8);
+#else	// OS_WIN32
+	struct timeval tv = CLEAN;
+	struct timezone tz = CLEAN;
+	gettimeofday(&tv, &tz);
+	t1 = (UINT64)tv.tv_sec;
+	t2 = (UINT64)tv.tv_usec;
+#endif // OS_WIN32
+
+	{
+		UINT64 dos_rand = (UINT64)rand();
+		UINT64 tick1 = TickHighresNano64(true);
+		UINT64 tick2 = TickHighresNano64(true);
+
+		UINT i;
+
+		void *p1 = malloc(1);
+		void *p2 = malloc(1);
+
+		for (i = 0;i < NUM_CANARY_RAND;i++)
+		{
+			// using sprintf() here is safe.
+			sprintf(random_seed,
+				"%u "
+				"%llu "
+				"%llu "
+				"%llu "
+				"%llu "
+				"%llu "
+				"%llu "
+				"%llu "
+				"%llu "
+				"%llu "
+				"%llu "
+				"%llu "
+				"%u "
+				,
+				i,
+				(UINT64)InitCanaryRand,
+				(UINT64)&canary_inited,
+				(UINT64)&((canary_rand_data[0].Data)[0]),
+				(UINT64)&random_seed[0],
+				tick1,
+				tick2,
+				dos_rand,
+				(UINT64)p1,
+				(UINT64)p2,
+				t1,
+				t2,
+				~i
+				);
+
+			Hash(canary_rand_data[i].Data, random_seed, (UINT)strlen(random_seed), true);
+		}
+
+		free(p1);
+		free(p2);
+
+		canary_memtag_magic1 = *((UINT64 *)(GetCanaryRand(CANARY_RAND_ID_MEMTAG_MAGIC) + 0));
+		canary_memtag_magic2 = *((UINT64 *)(GetCanaryRand(CANARY_RAND_ID_MEMTAG_MAGIC) + 8));
+
+		canary_inited = true;
+	}
+}
+
 // Add active patch
 bool Vars_ActivePatch_AddStr(char* name, char* str_value)
 {
@@ -3923,6 +4022,10 @@ void AdjustBufSize(BUF *b, UINT new_size)
 
 	while (b->SizeReserved < new_size)
 	{
+		if (b->SizeReserved > 0x7FFFFFFF)
+		{
+			AbortExitEx("AdjustBufSize(): too large buffer size");
+		}
 		b->SizeReserved = b->SizeReserved * 2;
 	}
 	b->Buf = ReAlloc(b->Buf, b->SizeReserved);
@@ -4556,33 +4659,52 @@ void *Malloc(UINT size)
 }
 void *MallocEx(UINT size, bool zero_clear_when_free)
 {
-	MEMTAG *tag;
+	MEMTAG1 *tag1;
+	MEMTAG2 *tag2;
 	UINT real_size;
 
+	if (canary_inited == false)
+	{
+		InitCanaryRand();
+	}
+
+	if (size > MAX_MALLOC_MEM_SIZE)
+	{
+		AbortExitEx("MallocEx() error: too large size");
+	}
+
 	real_size = CALC_MALLOCSIZE(size);
 
-	tag = InternalMalloc(real_size);
+	tag1 = InternalMalloc(real_size);
+
+	tag1->Magic = canary_memtag_magic1 ^ ((UINT64)tag1 * GOLDEN_RATION_PRIME_U64);
+	tag1->Size = size;
+	tag1->ZeroFree = zero_clear_when_free;
 
-	Zero(tag, sizeof(MEMTAG));
-	tag->Magic = MEMTAG_MAGIC;
-	tag->Size = size;
-	tag->ZeroFree = zero_clear_when_free;
+	tag2 = (MEMTAG2 *)(((UCHAR *)tag1) + CALC_MALLOCSIZE(tag1->Size) - sizeof(MEMTAG2));
+	tag2->Magic = canary_memtag_magic2 ^ ((UINT64)tag2 * GOLDEN_RATION_PRIME_U64);
 
-	return MEMTAG_TO_POINTER(tag);
+	return MEMTAG1_TO_POINTER(tag1);
 }
 
 // Get memory size
 UINT GetMemSize(void *addr)
 {
-	MEMTAG *tag;
+	MEMTAG1 *tag;
+
+	if (canary_inited == false)
+	{
+		InitCanaryRand();
+	}
+
 	// Validate arguments
 	if (IS_NULL_POINTER(addr))
 	{
 		return 0;
 	}
 
-	tag = POINTER_TO_MEMTAG(addr);
-	CheckMemTag(tag);
+	tag = POINTER_TO_MEMTAG1(addr);
+	CheckMemTag1(tag);
 
 	return tag->Size;
 }
@@ -4590,20 +4712,35 @@ UINT GetMemSize(void *addr)
 // ReAlloc
 void *ReAlloc(void *addr, UINT size)
 {
-	MEMTAG *tag;
+	MEMTAG1 *tag1;
+	MEMTAG2 *tag2;
 	bool zerofree;
+
+	if (canary_inited == false)
+	{
+		InitCanaryRand();
+	}
+
+	if (size > MAX_MALLOC_MEM_SIZE)
+	{
+		AbortExitEx("ReAlloc() error: too large size");
+	}
+
 	// Validate arguments
 	if (IS_NULL_POINTER(addr))
 	{
 		return NULL;
 	}
 
-	tag = POINTER_TO_MEMTAG(addr);
-	CheckMemTag(tag);
+	tag1 = POINTER_TO_MEMTAG1(addr);
+	CheckMemTag1(tag1);
+
+	tag2 = (MEMTAG2 *)(((UCHAR *)tag1) + CALC_MALLOCSIZE(tag1->Size) - sizeof(MEMTAG2));
+	CheckMemTag2(tag2);
 
-	zerofree = tag->ZeroFree;
+	zerofree = tag1->ZeroFree;
 
-	if (tag->Size == size)
+	if (tag1->Size == size)
 	{
 		// No size change
 		return addr;
@@ -4615,10 +4752,10 @@ void *ReAlloc(void *addr, UINT size)
 			// Size changed (zero clearing required)
 			void *new_p = MallocEx(size, true);
 
-			if (tag->Size <= size)
+			if (tag1->Size <= size)
 			{
 				// Size expansion
-				Copy(new_p, addr, tag->Size);
+				Copy(new_p, addr, tag1->Size);
 			}
 			else
 			{
@@ -4634,13 +4771,22 @@ void *ReAlloc(void *addr, UINT size)
 		else
 		{
 			// Size changed
-			MEMTAG *tag2 = InternalReAlloc(tag, CALC_MALLOCSIZE(size));
+			MEMTAG1 *tag1_new;
+			MEMTAG2 *tag2_new;
+
+			tag1->Magic = 0;
+			tag2->Magic = 0;
+
+			tag1_new = InternalReAlloc(tag1, CALC_MALLOCSIZE(size));
 
-			Zero(tag2, sizeof(MEMTAG));
-			tag2->Magic = MEMTAG_MAGIC;
-			tag2->Size = size;
+			tag1_new->Magic = canary_memtag_magic1 ^ ((UINT64)tag1_new * GOLDEN_RATION_PRIME_U64);
+			tag1_new->Size = size;
+			tag1_new->ZeroFree = 0;
 
-			return MEMTAG_TO_POINTER(tag2);
+			tag2_new = (MEMTAG2 *)(((UCHAR *)tag1_new) + CALC_MALLOCSIZE(size) - sizeof(MEMTAG2));
+			tag2_new->Magic = canary_memtag_magic2 ^ ((UINT64)tag2_new * GOLDEN_RATION_PRIME_U64);
+
+			return MEMTAG1_TO_POINTER(tag1_new);
 		}
 	}
 }
@@ -4648,44 +4794,69 @@ void *ReAlloc(void *addr, UINT size)
 // Free
 void Free(void *addr)
 {
-	MEMTAG *tag;
+	MEMTAG1 *tag1;
+	MEMTAG2 *tag2;
 	// Validate arguments
 	if (IS_NULL_POINTER(addr))
 	{
 		return;
 	}
 
-	tag = POINTER_TO_MEMTAG(addr);
-	CheckMemTag(tag);
+	if (canary_inited == false)
+	{
+		InitCanaryRand();
+	}
+
+	tag1 = POINTER_TO_MEMTAG1(addr);
+	CheckMemTag1(tag1);
+
+	tag2 = (MEMTAG2 *)(((UCHAR *)tag1) + CALC_MALLOCSIZE(tag1->Size) - sizeof(MEMTAG2));
+	CheckMemTag2(tag2);
 
-	if (tag->ZeroFree)
+	if (tag1->ZeroFree)
 	{
 		// Zero clear
-		Zero(addr, tag->Size);
+		Zero(addr, tag1->Size);
 	}
 
 	// Memory release
-	tag->Magic = 0;
-	InternalFree(tag);
+	tag1->Magic = 0;
+	tag2->Magic = 0;
+	InternalFree(tag1);
+}
+
+// Check the memtag1
+void CheckMemTag1(MEMTAG1 *tag)
+{
+	// Validate arguments
+	if (tag == NULL)
+	{
+		AbortExitEx("CheckMemTag1: tag1 == NULL");
+		return;
+	}
+
+	if (tag->Magic != (canary_memtag_magic1 ^ ((UINT64)tag * GOLDEN_RATION_PRIME_U64)))
+	{
+		AbortExitEx("CheckMemTag1: tag1->Magic != canary_memtag_magic1");
+		return;
+	}
 }
 
-// Check the memtag
-void CheckMemTag(MEMTAG *tag)
+// Check the memtag2
+void CheckMemTag2(MEMTAG2 *tag)
 {
-#ifndef	DONT_CHECK_HEAP
 	// Validate arguments
 	if (tag == NULL)
 	{
-		AbortExitEx("CheckMemTag: tag == NULL");
+		AbortExitEx("CheckMemTag2: tag2 == NULL");
 		return;
 	}
 
-	if (tag->Magic != MEMTAG_MAGIC)
+	if (tag->Magic != (canary_memtag_magic2 ^ ((UINT64)tag * GOLDEN_RATION_PRIME_U64)))
 	{
-		AbortExitEx("CheckMemTag: tag->Magic != MEMTAG_MAGIC");
+		AbortExitEx("CheckMemTag2: tag2->Magic != canary_memtag_magic2");
 		return;
 	}
-#endif	// DONT_CHECK_HEAP
 }
 
 // ZeroMalloc

+ 31 - 12
src/Mayaqua/Memory.h

@@ -109,16 +109,20 @@
 #define	MallocFast		Malloc
 #define	ZeroMallocFast	ZeroMalloc
 
+#define MAX_MALLOC_MEM_SIZE					(0xffffffff - 64)
+
 // Memory size that can be passed to the kernel at a time
 #define	MAX_SEND_BUF_MEM_SIZE				(10 * 1024 * 1024)
 
-// The magic number for memory tag
-#define	MEMTAG_MAGIC						0x49414449
+#define	CALC_MALLOCSIZE(size)				(((MAX(size, 1) + 7) / 8) * 8 + sizeof(MEMTAG1) + sizeof(MEMTAG2))
+#define	MEMTAG1_TO_POINTER(p)				((void *)(((UCHAR *)(p)) + sizeof(MEMTAG1)))
+#define	POINTER_TO_MEMTAG1(p)				((MEMTAG1 *)(((UCHAR *)(p)) - sizeof(MEMTAG1)))
+#define	IS_NULL_POINTER(p)					(((p) == NULL) || ((POINTER_TO_UINT64(p) == (UINT64)sizeof(MEMTAG1))))
 
-#define	CALC_MALLOCSIZE(size)				((MAX(size, 1)) + sizeof(MEMTAG))
-#define	MEMTAG_TO_POINTER(p)				((void *)(((UCHAR *)(p)) + sizeof(MEMTAG)))
-#define	POINTER_TO_MEMTAG(p)				((MEMTAG *)(((UCHAR *)(p)) - sizeof(MEMTAG)))
-#define	IS_NULL_POINTER(p)					(((p) == NULL) || ((POINTER_TO_UINT64(p) == (UINT64)sizeof(MEMTAG))))
+// Golden Ratio Prime
+// From https://github.com/torvalds/linux/blob/88c5083442454e5e8a505b11fa16f32d2879651e/include/linux/hash.h
+#define GOLDEN_RATION_PRIME_U32				((UINT32)0x61C88647)
+#define GOLDEN_RATION_PRIME_U64				((UINT64)7046029254386353131ULL) // 0x61C8864680B583EB
 
 // Fixed size of a block of memory pool
 #define	MEMPOOL_MAX_SIZE					3000
@@ -126,14 +130,18 @@
 // Active patch
 #define MAX_ACTIVE_PATCH					1024
 
-
-// Memory tag
-struct MEMTAG
+// Memory tag 1
+struct MEMTAG1
 {
-	UINT Magic;
+	UINT64 Magic;
 	UINT Size;
 	bool ZeroFree;
-	UINT Padding;
+};
+
+// Memory tag 2
+struct MEMTAG2
+{
+	UINT64 Magic;
 };
 
 // Buffer
@@ -299,7 +307,8 @@ void *ZeroMalloc(UINT size);
 void *ZeroMallocEx(UINT size, bool zero_clear_when_free);
 void *ReAlloc(void *addr, UINT size);
 void Free(void *addr);
-void CheckMemTag(MEMTAG *tag);
+void CheckMemTag1(MEMTAG1 *tag);
+void CheckMemTag2(MEMTAG2 *tag);
 UINT GetMemSize(void *addr);
 
 void *InternalMalloc(UINT size);
@@ -540,5 +549,15 @@ UINT* GenerateShuffleListWithSeed(UINT num, void* seed, UINT seed_size);
 void Shuffle(UINT* array, UINT size);
 void ShuffleWithSeed(UINT* array, UINT size, void* seed, UINT seed_size);
 
+#define NUM_CANARY_RAND					32
+#define CANARY_RAND_ID_MEMTAG_MAGIC		0
+#define CANARY_RAND_ID_PTR_KEY_HASH		1
+#define CANARY_RAND_SIZE				20
+
+
+
+void InitCanaryRand();
+UCHAR *GetCanaryRand(UINT id);
+
 #endif	// MEMORY_H
 

+ 50 - 28
src/Mayaqua/Network.c

@@ -178,10 +178,10 @@ struct ROUTE_CHANGE_DATA
 
 
 // HTTP constant
-static char http_404_str[] = "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">\r\n<HTML><HEAD>\r\n<TITLE>404 Not Found</TITLE>\r\n</HEAD><BODY>\r\n<H1>Not Found</H1>\r\nThe requested URL $TARGET$ was not found on this server.<P>\r\n<HR>\r\n<ADDRESS>HTTP Server at $HOST$ Port $PORT$</ADDRESS>\r\n</BODY></HTML>\r\n";
-static char http_403_str[] = "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">\r\n<HTML><HEAD>\r\n<TITLE>403 Forbidden</TITLE>\r\n</HEAD><BODY>\r\n<H1>Forbidden</H1>\r\nYou don't have permission to access $TARGET$\r\non this server.<P>\r\n<HR>\r\n<ADDRESS>HTTP Server at $HOST$ Port $PORT$</ADDRESS>\r\n</BODY></HTML>\r\n";
-static char http_500_str[] = "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">\r\n<HTML><HEAD>\r\n<TITLE>500 Server Error</TITLE>\r\n</HEAD><BODY>\r\n<H1>Server Error</H1>\r\nServer Error<P>\r\n<HR>\r\n<ADDRESS>HTTP Server at $HOST$ Port $PORT$</ADDRESS>\r\n</BODY></HTML>\r\n";
-static char http_501_str[] = "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">\r\n<HTML><HEAD>\r\n<TITLE>501 Method Not Implemented</TITLE>\r\n</HEAD><BODY>\r\n<H1>Method Not Implemented</H1>\r\n$METHOD$ to $TARGET$ not supported.<P>\r\nInvalid method in request $METHOD$ $TARGET$ $VERSION$<P>\r\n<HR>\r\n<ADDRESS>HTTP Server at $HOST$ Port $PORT$</ADDRESS>\r\n</BODY></HTML>\r\n";
+static char http_404_str[] = "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">\r\n<HTML><HEAD>\r\n<TITLE>404 Not Found</TITLE>\r\n</HEAD><BODY>\r\n<H1>Not Found</H1>\r\nThe requested URL $TARGET$ was not found on this server.<P>\r\n<HR>\r\n<ADDRESS>HTTPS Server</ADDRESS>\r\n</BODY></HTML>\r\n";
+static char http_403_str[] = "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">\r\n<HTML><HEAD>\r\n<TITLE>403 Forbidden</TITLE>\r\n</HEAD><BODY>\r\n<H1>Forbidden</H1>\r\nYou don't have permission to access $TARGET$\r\non this server.<P>\r\n<HR>\r\n<ADDRESS>HTTPS Server</ADDRESS>\r\n</BODY></HTML>\r\n";
+static char http_500_str[] = "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">\r\n<HTML><HEAD>\r\n<TITLE>500 Server Error</TITLE>\r\n</HEAD><BODY>\r\n<H1>Server Error</H1>\r\nServer Error<P>\r\n<HR>\r\n<ADDRESS>HTTPS Server</ADDRESS>\r\n</BODY></HTML>\r\n";
+static char http_501_str[] = "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">\r\n<HTML><HEAD>\r\n<TITLE>501 Method Not Implemented</TITLE>\r\n</HEAD><BODY>\r\n<H1>Method Not Implemented</H1>\r\n$METHOD$ to $TARGET$ not supported.<P>\r\nInvalid method in request $METHOD$ $TARGET$ $VERSION$<P>\r\n<HR>\r\n<ADDRESS>HTTPS Server</ADDRESS>\r\n</BODY></HTML>\r\n";
 static char http_detect_server_startwith[] = "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">\r\n<HTML><HEAD>\r\n<TITLE>403 Forbidden</TITLE>\r\n</HEAD><BODY>\r\n<H1>Forbidden</H1>\r\nYou don't have permission to access ";
 static char http_detect_server_tag_future[] = "9C37197CA7C2428388C2E6E59B829B30";
 
@@ -1474,7 +1474,9 @@ void RUDPProcess_NatT_Recv(RUDP_STACK *r, UDPPACKET *udp)
 		bool is_ok = PackGetBool(p, "ok");
 		UINT64 tran_id = PackGetInt64(p, "tran_id");
 
-		ExtractAndApplyDynList(p);
+		// This ExtractAndApplyDynList() calling was removed because it is not actually used and could be abused by
+		// illegal UDP packets that spoof the source IP address. 2023-6-14 Daiyuu Nobori
+		// ExtractAndApplyDynList(p);
 
 		if (r->ServerMode)
 		{
@@ -5995,10 +5997,13 @@ int SslCertVerifyCallback(int preverify_ok, X509_STORE_CTX *ctx)
 			if (cert != NULL)
 			{
 				X *tmpX = X509ToX(cert); // this only wraps cert, but we need to make a copy
-				X *copyX = CloneX(tmpX);
-				tmpX->do_not_free = true; // do not release inner X509 object
-				FreeX(tmpX);
-				clientcert->X = copyX;
+				if (tmpX != NULL)
+				{
+					X *copyX = CloneX(tmpX);
+					tmpX->do_not_free = true; // do not release inner X509 object
+					FreeX(tmpX);
+					clientcert->X = copyX;
+				}
 			}
 		}
 	}
@@ -13051,16 +13056,15 @@ void SetWantToUseCipher(SOCK *sock, char *name)
 	StrCat(tmp, sizeof(tmp), " ");
 	StrCat(tmp, sizeof(tmp), cipher_list);
 
-#if OPENSSL_VERSION_NUMBER >= 0x30000000L
-	// OpenSSL 3.x has a bug. https://github.com/openssl/openssl/issues/13363 https://github.com/openssl/openssl/pull/13378
-	// At 2021-09-08 this bug is reported as fixed on Github, but actually still exists on RC4-MD5.
-	// So, with OpenSSL 3.0 we manually disable RC4-MD5 by default on both SSL server and SSL client.
+	if (IsSslLibVersionBuggyForRc4Md5())
+	{
+		// OpenSSL 3.0.0 to 3.0.2 has a bug with RC4-MD5. https://github.com/openssl/openssl/issues/13363 https://github.com/openssl/openssl/pull/13378
 
-	// If the user specify "RC4-MD5", then "RC4-SHA" will be used manually.
+		// If the user specify "RC4-MD5", then "RC4-SHA" will be used manually.
 
-	// Note: We can remove this code after OpenSSL 3.x will be fixed on this bug.
-	ReplaceStrEx(tmp, sizeof(tmp), tmp, "RC4-MD5", "RC4-SHA", true);
-#endif
+		// Note: We can remove this code after OpenSSL 3.x will be fixed on this bug.
+		ReplaceStrEx(tmp, sizeof(tmp), tmp, "RC4-MD5", "RC4-SHA", true);
+	}
 
 	sock->WaitToUseCipher = CopyStr(tmp);
 }
@@ -13386,6 +13390,13 @@ SSL_CTX_SHARED* NewSslCtxSharedInternal(SSL_CTX_SHARED_SETTINGS* settings)
 	SSL_CTX_set_security_level(ssl_ctx, 0);
 #endif
 
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
+	// For compatibility with OpenSSL 0.9.8l or older
+	// See https://www.openssl.org/docs/man1.0.2/man3/SSL_get_secure_renegotiation_support.html
+	SSL_CTX_set_options(ssl_ctx, SSL_OP_LEGACY_SERVER_CONNECT);
+	SSL_CTX_set_options(ssl_ctx, SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION);
+#endif
+
 	if (settings->Settings2.IsClient == false)
 	{
 		SSL_CTX_set_ssl_version(ssl_ctx, SSLv23_method());
@@ -13874,14 +13885,11 @@ bool StartSSLWithSettings(SOCK* sock, UINT ssl_timeout, char* sni_hostname, SSL_
 		{
 			char* set_value = OPENSSL_DEFAULT_CIPHER_LIST;
 
-#if OPENSSL_VERSION_NUMBER >= 0x30000000L
-			// OpenSSL 3.x has a bug. https://github.com/openssl/openssl/issues/13363 https://github.com/openssl/openssl/pull/13378
-			// At 2021-09-08 this bug is reported as fixed on Github, but actually still exists on RC4-MD5.
-			// So, with OpenSSL 3.0 we manually disable RC4-MD5 by default on both SSL server and SSL client.
-
-			// Note: We can remove this code after OpenSSL 3.x will be fixed on this bug.
-			set_value = OPENSSL_DEFAULT_CIPHER_LIST_NO_RC4_MD5;
-#endif
+			if (IsSslLibVersionBuggyForRc4Md5())
+			{
+				// OpenSSL 3.0.0 to 3.0.2 has a bug with RC4-MD5. https://github.com/openssl/openssl/issues/13363 https://github.com/openssl/openssl/pull/13378
+				set_value = OPENSSL_DEFAULT_CIPHER_LIST_NO_RC4_MD5;
+			}
 
 			SSL_set_cipher_list(sock->ssl, set_value);
 		}
@@ -14013,9 +14021,16 @@ bool StartSSLWithSettings(SOCK* sock, UINT ssl_timeout, char* sni_hostname, SSL_
 		X *local_x;
 		// Got a certificate
 		local_x = X509ToX(x509);
-		local_x->do_not_free = true;
-		sock->LocalX = CloneX(local_x);
-		FreeX(local_x);
+		if (local_x != NULL)
+		{
+			local_x->do_not_free = true;
+			sock->LocalX = CloneX(local_x);
+			FreeX(local_x);
+		}
+		else
+		{
+			sock->LocalX = NULL;
+		}
 	}
 
 	// Automatic retry mode
@@ -18754,6 +18769,13 @@ struct ssl_ctx_st *NewSSLCtx(bool server_mode)
 	SSL_CTX_set_security_level(ctx, 0);
 #endif
 
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
+	// For compatibility with OpenSSL 0.9.8l or older
+	// See https://www.openssl.org/docs/man1.0.2/man3/SSL_get_secure_renegotiation_support.html
+	SSL_CTX_set_options(ctx, SSL_OP_LEGACY_SERVER_CONNECT);
+	SSL_CTX_set_options(ctx, SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION);
+#endif
+
 	return ctx;
 }
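Review bot: `SSL_CTX_set_options(ssl_ctx, SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION);` in NewSslCtxSharedInternal (and the identical pair in NewSSLCtx at the end of this section) is applied to every context, client and server alike, while the comment only motivates interoperability with 0.9.8l-era peers. `SSL_OP_LEGACY_SERVER_CONNECT` by itself lets a client complete the initial handshake with a server that lacks the RFC 5746 secure-renegotiation extension and has no effect on the server side; `SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION` additionally accepts renegotiation from any peer without the extension, which reopens the prefix-injection weakness RFC 5746 was written to close, and on a listening server it is the only one of the two that changes behaviour. Consider setting just the first option, or gating the pair on `settings->Settings2.IsClient` (tested two lines below) so servers stay strict, and extend the comment to name the trade-off: `// Accepts renegotiation without RFC 5746 RI; needed only for 0.9.8l-era peers`. NewSslCtxSharedInternal continues outside its hunk and NewSSLCtx begins outside its hunk.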
 

+ 17 - 0
src/Mayaqua/Tick64.c

@@ -139,6 +139,23 @@ UINT64 TickHighres64()
 	return ret;
 }
 
+UINT64 TickHighresNano64(bool raw)
+{
+	UINT64 ret = 0;
+
+#ifdef	OS_WIN32
+
+	ret = (UINT64)(MsGetHiResTimeSpan(MsGetHiResCounter()) * 1000000000.0f);
+
+#else	// OS_WIN32
+
+	ret = UnixGetHighresTickNano64(raw);
+
+#endif	// OS_WIN32
+
+	return ret;
+}
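Review bot: `ret = (UINT64)(MsGetHiResTimeSpan(MsGetHiResCounter()) * 1000000000.0f);` multiplies by a float literal; if MsGetHiResTimeSpan returns a float the product is computed in single precision, whose roughly 24-bit mantissa cannot carry nanosecond resolution once the span exceeds a few seconds. Use a double constant, `* 1000000000.0`, so the arithmetic is at least double, and confirm the helper's return type against its definition. The `raw` parameter is unused on the Win32 path and the function has no header comment, so a line such as `// High-resolution tick in nanoseconds; raw prefers CLOCK_MONOTONIC_RAW on Unix and is ignored on Win32` would document both the unit and the platform difference.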
+
 // Convert the Tick value to time
 UINT64 Tick64ToTime64(UINT64 tick)
 {

+ 1 - 0
src/Mayaqua/Tick64.h

@@ -144,6 +144,7 @@ UINT64 Diff64(UINT64 a, UINT64 b);
 UINT64 Tick64ToTime64(UINT64 tick);
 UINT64 TickToTime(UINT64 tick);
 UINT64 TickHighres64();
+UINT64 TickHighresNano64(bool raw);
 
 #endif	// TICK64_H
 

+ 62 - 0
src/Mayaqua/Unix.c

@@ -2114,6 +2114,68 @@ void UnixGetSystemTime(SYSTEMTIME *system_time)
 	pthread_mutex_unlock(&get_time_lock);
 }
 
+UINT64 UnixGetHighresTickNano64(bool raw)
+{
+#if	defined(OS_WIN32) || defined(CLOCK_REALTIME) || defined(CLOCK_MONOTONIC) || defined(CLOCK_HIGHRES)
+	struct timespec t;
+	UINT64 ret;
+	static bool akirame = false;
+
+	if (akirame)
+	{
+		return UnixGetTick64() * 1000000ULL;
+	}
+
+	Zero(&t, sizeof(t));
+
+	if (raw == false)
+	{
+		// Function to get the boot time of the system
+		// Be careful. The Implementation is depend on the system.
+#ifdef	CLOCK_HIGHRES
+		clock_gettime(CLOCK_HIGHRES, &t);
+#else	// CLOCK_HIGHRES
+#ifdef	CLOCK_MONOTONIC
+		clock_gettime(CLOCK_MONOTONIC, &t);
+#else	// CLOCK_MONOTONIC
+		clock_gettime(CLOCK_REALTIME, &t);
+#endif	// CLOCK_MONOTONIC
+#endif	// CLOCK_HIGHRES
+	}
+	else
+	{
+		// Function to get the boot time of the system
+		// Be careful. The Implementation is depend on the system.
+#ifdef	CLOCK_HIGHRES
+		clock_gettime(CLOCK_HIGHRES, &t);
+#else	// CLOCK_HIGHRES
+#ifdef	CLOCK_MONOTONIC_RAW
+		clock_gettime(CLOCK_MONOTONIC_RAW, &t);
+#else	// CLOCK_MONOTONIC_RAW
+#ifdef	CLOCK_MONOTONIC
+		clock_gettime(CLOCK_MONOTONIC, &t);
+#else	// CLOCK_MONOTONIC
+		clock_gettime(CLOCK_REALTIME, &t);
+#endif	// CLOCK_MONOTONIC
+#endif	// CLOCK_MONOTONIC_RAW
+#endif	// CLOCK_HIGHRES
+	}
+
+	ret = ((UINT64)((UINT32)t.tv_sec)) * 1000000000LL + (UINT64)t.tv_nsec;
+
+	if (akirame == false && ret == 0)
+	{
+		ret = UnixGetTick64() * 1000000ULL;
+		akirame = true;
+	}
+
+	return ret;
+
+#else	
+	return UnixGetTick64() * 1000000ULL;
+#endif
+}
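Review bot: The return value of every `clock_gettime` call is ignored and failure is inferred from `ret == 0`, which only works because `t` was zeroed first; a genuine zero reading (a monotonic clock immediately after boot) is then mistaken for failure and flips `akirame` permanently. Capture the result instead, e.g. `int rc = clock_gettime(CLOCK_MONOTONIC, &t);` on each branch, and drive the fallback from `rc != 0`. `(UINT32)t.tv_sec` truncates the seconds, which is harmless for a monotonic clock but wraps epoch seconds on a platform that falls through to CLOCK_REALTIME, and that fallback also makes the result non-monotonic, which callers of a `raw` tick presumably do not expect; a header comment stating the clock preference order and the fallback would make this visible. The comment `// Function to get the boot time of the system` on both branches does not describe the call beneath it (it reads a clock, not the boot time), and `static bool akirame` is written without synchronisation, a benign race at worst but worth a note.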
+
 // Get the system timer (64bit)
 UINT64 UnixGetTick64()
 {

+ 1 - 0
src/Mayaqua/Unix.h

@@ -214,6 +214,7 @@ void UnixRestoreThreadPriority();
 void UnixSetResourceLimit(UINT id, UINT64 value);
 bool UnixIs64BitRlimSupported();
 UINT64 UnixGetTick64();
+UINT64 UnixGetHighresTickNano64(bool raw);
 void UnixSigChldHandler(int sig);
 void UnixCloseIO();
 void UnixDaemon(bool debug_mode);

+ 14 - 9
src/Mayaqua/win32_inc/openssl/cmp.h

@@ -2,7 +2,7 @@
  * WARNING: do not edit!
  * Generated by makefile from include\openssl\cmp.h.in
  *
- * Copyright 2007-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2007-2023 The OpenSSL Project Authors. All Rights Reserved.
  * Copyright Nokia 2007-2019
  * Copyright Siemens AG 2015-2019
  *
@@ -193,13 +193,16 @@ typedef ASN1_BIT_STRING OSSL_CMP_PKIFAILUREINFO;
  *       -- CertReqMsg
  *   }
  */
-#  define OSSL_CMP_PKISTATUS_accepted 0
-#  define OSSL_CMP_PKISTATUS_grantedWithMods 1
-#  define OSSL_CMP_PKISTATUS_rejection 2
-#  define OSSL_CMP_PKISTATUS_waiting 3
-#  define OSSL_CMP_PKISTATUS_revocationWarning 4
+#  define OSSL_CMP_PKISTATUS_request                -3
+#  define OSSL_CMP_PKISTATUS_trans                  -2
+#  define OSSL_CMP_PKISTATUS_unspecified            -1
+#  define OSSL_CMP_PKISTATUS_accepted               0
+#  define OSSL_CMP_PKISTATUS_grantedWithMods        1
+#  define OSSL_CMP_PKISTATUS_rejection              2
+#  define OSSL_CMP_PKISTATUS_waiting                3
+#  define OSSL_CMP_PKISTATUS_revocationWarning      4
 #  define OSSL_CMP_PKISTATUS_revocationNotification 5
-#  define OSSL_CMP_PKISTATUS_keyUpdateWarning 6
+#  define OSSL_CMP_PKISTATUS_keyUpdateWarning       6
 
 typedef ASN1_INTEGER OSSL_CMP_PKISTATUS;
 DECLARE_ASN1_ITEM(OSSL_CMP_PKISTATUS)
@@ -439,11 +442,12 @@ int OSSL_CMP_CTX_build_cert_chain(OSSL_CMP_CTX *ctx, X509_STORE *own_trusted,
 int OSSL_CMP_CTX_set1_pkey(OSSL_CMP_CTX *ctx, EVP_PKEY *pkey);
 int OSSL_CMP_CTX_set1_referenceValue(OSSL_CMP_CTX *ctx,
                                      const unsigned char *ref, int len);
-int OSSL_CMP_CTX_set1_secretValue(OSSL_CMP_CTX *ctx, const unsigned char *sec,
-                                  const int len);
+int OSSL_CMP_CTX_set1_secretValue(OSSL_CMP_CTX *ctx,
+                                  const unsigned char *sec, int len);
 /* CMP message header and extra certificates: */
 int OSSL_CMP_CTX_set1_recipient(OSSL_CMP_CTX *ctx, const X509_NAME *name);
 int OSSL_CMP_CTX_push0_geninfo_ITAV(OSSL_CMP_CTX *ctx, OSSL_CMP_ITAV *itav);
+int OSSL_CMP_CTX_reset_geninfo_ITAVs(OSSL_CMP_CTX *ctx);
 int OSSL_CMP_CTX_set1_extraCertsOut(OSSL_CMP_CTX *ctx,
                                     STACK_OF(X509) *extraCertsOut);
 /* certificate template: */
@@ -499,6 +503,7 @@ ASN1_OCTET_STRING *OSSL_CMP_HDR_get0_recipNonce(const OSSL_CMP_PKIHEADER *hdr);
 OSSL_CMP_PKIHEADER *OSSL_CMP_MSG_get0_header(const OSSL_CMP_MSG *msg);
 int OSSL_CMP_MSG_get_bodytype(const OSSL_CMP_MSG *msg);
 int OSSL_CMP_MSG_update_transactionID(OSSL_CMP_CTX *ctx, OSSL_CMP_MSG *msg);
+int OSSL_CMP_MSG_update_recipNonce(OSSL_CMP_CTX *ctx, OSSL_CMP_MSG *msg);
 OSSL_CRMF_MSG *OSSL_CMP_CTX_setup_CRM(OSSL_CMP_CTX *ctx, int for_KUR, int rid);
 OSSL_CMP_MSG *OSSL_CMP_MSG_read(const char *file, OSSL_LIB_CTX *libctx,
                                 const char *propq);

+ 5 - 1
src/Mayaqua/win32_inc/openssl/cmperr.h

@@ -1,6 +1,6 @@
 /*
  * Generated by util/mkerr.pl DO NOT EDIT
- * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the Apache License 2.0 (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -67,9 +67,13 @@
 #  define CMP_R_MISSING_P10CSR                             121
 #  define CMP_R_MISSING_PBM_SECRET                         166
 #  define CMP_R_MISSING_PRIVATE_KEY                        131
+#  define CMP_R_MISSING_PRIVATE_KEY_FOR_POPO               190
 #  define CMP_R_MISSING_PROTECTION                         143
+#  define CMP_R_MISSING_PUBLIC_KEY                         183
 #  define CMP_R_MISSING_REFERENCE_CERT                     168
+#  define CMP_R_MISSING_SECRET                             178
 #  define CMP_R_MISSING_SENDER_IDENTIFICATION              111
+#  define CMP_R_MISSING_TRUST_ANCHOR                       179
 #  define CMP_R_MISSING_TRUST_STORE                        144
 #  define CMP_R_MULTIPLE_REQUESTS_NOT_SUPPORTED            161
 #  define CMP_R_MULTIPLE_RESPONSES_NOT_SUPPORTED           170

+ 1 - 0
src/Mayaqua/win32_inc/openssl/cmserr.h

@@ -105,6 +105,7 @@
 #  define CMS_R_UNKNOWN_DIGEST_ALGORITHM                   149
 #  define CMS_R_UNKNOWN_ID                                 150
 #  define CMS_R_UNSUPPORTED_COMPRESSION_ALGORITHM          151
+#  define CMS_R_UNSUPPORTED_CONTENT_ENCRYPTION_ALGORITHM   194
 #  define CMS_R_UNSUPPORTED_CONTENT_TYPE                   152
 #  define CMS_R_UNSUPPORTED_ENCRYPTION_TYPE                192
 #  define CMS_R_UNSUPPORTED_KEK_ALGORITHM                  153

+ 2 - 1
src/Mayaqua/win32_inc/openssl/dsaerr.h

@@ -1,6 +1,6 @@
 /*
  * Generated by util/mkerr.pl DO NOT EDIT
- * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the Apache License 2.0 (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -38,6 +38,7 @@
 #  define DSA_R_P_NOT_PRIME                                115
 #  define DSA_R_Q_NOT_PRIME                                113
 #  define DSA_R_SEED_LEN_SMALL                             110
+#  define DSA_R_TOO_MANY_RETRIES                           116
 
 # endif
 #endif

+ 2 - 1
src/Mayaqua/win32_inc/openssl/ecerr.h

@@ -1,6 +1,6 @@
 /*
  * Generated by util/mkerr.pl DO NOT EDIT
- * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the Apache License 2.0 (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -90,6 +90,7 @@
 #  define EC_R_RANDOM_NUMBER_GENERATION_FAILED             158
 #  define EC_R_SHARED_INFO_ERROR                           150
 #  define EC_R_SLOT_FULL                                   108
+#  define EC_R_TOO_MANY_RETRIES                            176
 #  define EC_R_UNDEFINED_GENERATOR                         113
 #  define EC_R_UNDEFINED_ORDER                             128
 #  define EC_R_UNKNOWN_COFACTOR                            164

+ 5 - 5
src/Mayaqua/win32_inc/openssl/opensslv.h

@@ -29,7 +29,7 @@ extern "C" {
  */
 # define OPENSSL_VERSION_MAJOR  3
 # define OPENSSL_VERSION_MINOR  0
-# define OPENSSL_VERSION_PATCH  7
+# define OPENSSL_VERSION_PATCH  9
 
 /*
  * Additional version information
@@ -74,21 +74,21 @@ extern "C" {
  * longer variant with OPENSSL_VERSION_PRE_RELEASE_STR and
  * OPENSSL_VERSION_BUILD_METADATA_STR appended.
  */
-# define OPENSSL_VERSION_STR "3.0.7"
-# define OPENSSL_FULL_VERSION_STR "3.0.7"
+# define OPENSSL_VERSION_STR "3.0.9"
+# define OPENSSL_FULL_VERSION_STR "3.0.9"
 
 /*
  * SECTION 3: ADDITIONAL METADATA
  *
  * These strings are defined separately to allow them to be parsable.
  */
-# define OPENSSL_RELEASE_DATE "1 Nov 2022"
+# define OPENSSL_RELEASE_DATE "30 May 2023"
 
 /*
  * SECTION 4: BACKWARD COMPATIBILITY
  */
 
-# define OPENSSL_VERSION_TEXT "OpenSSL 3.0.7 1 Nov 2022"
+# define OPENSSL_VERSION_TEXT "OpenSSL 3.0.9 30 May 2023"
 
 /* Synthesize OPENSSL_VERSION_NUMBER with the layout 0xMNN00PPSL */
 # ifdef OPENSSL_VERSION_PRE_RELEASE

+ 1 - 0
src/Mayaqua/win32_inc/openssl/sslerr.h

@@ -150,6 +150,7 @@
 # define SSL_R_INVALID_SRP_USERNAME                       357
 # define SSL_R_INVALID_STATUS_RESPONSE                    328
 # define SSL_R_INVALID_TICKET_KEYS_LENGTH                 325
+# define SSL_R_LEGACY_SIGALG_DISALLOWED_OR_UNSUPPORTED    333
 # define SSL_R_LENGTH_MISMATCH                            159
 # define SSL_R_LENGTH_TOO_LONG                            404
 # define SSL_R_LENGTH_TOO_SHORT                           160

+ 3 - 5
src/Mayaqua/win32_inc/openssl/trace.h

@@ -1,5 +1,5 @@
 /*
- * Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the Apache License 2.0 (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -43,10 +43,8 @@ extern "C" {
 # define OSSL_TRACE_CATEGORY_TLS                 3
 # define OSSL_TRACE_CATEGORY_TLS_CIPHER          4
 # define OSSL_TRACE_CATEGORY_CONF                5
-# ifndef OPENSSL_NO_ENGINE
-#  define OSSL_TRACE_CATEGORY_ENGINE_TABLE       6
-#  define OSSL_TRACE_CATEGORY_ENGINE_REF_COUNT   7
-# endif
+# define OSSL_TRACE_CATEGORY_ENGINE_TABLE        6
+# define OSSL_TRACE_CATEGORY_ENGINE_REF_COUNT    7
 # define OSSL_TRACE_CATEGORY_PKCS5V2             8
 # define OSSL_TRACE_CATEGORY_PKCS12_KEYGEN       9
 # define OSSL_TRACE_CATEGORY_PKCS12_DECRYPT     10

+ 2 - 2
src/Mayaqua/win32_inc/openssl/x509v3.h

@@ -2,7 +2,7 @@
  * WARNING: do not edit!
  * Generated by makefile from include\openssl\x509v3.h.in
  *
- * Copyright 1999-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1999-2023 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the Apache License 2.0 (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -177,7 +177,7 @@ typedef struct GENERAL_NAME_st {
         OTHERNAME *otherName;   /* otherName */
         ASN1_IA5STRING *rfc822Name;
         ASN1_IA5STRING *dNSName;
-        ASN1_TYPE *x400Address;
+        ASN1_STRING *x400Address;
         X509_NAME *directoryName;
         EDIPARTYNAME *ediPartyName;
         ASN1_IA5STRING *uniformResourceIdentifier;

+ 38 - 0
src/WARNING.TXT

@@ -585,3 +585,41 @@ functions. Therefore, in such a case, you must disable the P2P Relay Function
 on the VPN Gate Client manually by setting the "DisableRelayServer" flag if
 you reside in such a restricted area, in your own responsibility.
 
+SoftEther VPN and VPN Gate (where applicable) are provided, distributed and
+operated under the responsibility of SoftEther Corporation (Corporate Number:
+1050001016519, Tsukuba, Ibaraki, Japan). These projects were researched and
+developed in collaboration with Tsukuba University, a national university in
+Japan.
+
+THIS SOFTWARE IS DEVELOPED IN JAPAN, AND DISTRIBUTED FROM JAPAN, UNDER
+JAPANESE LAWS. YOU MUST AGREE IN ADVANCE TO USE, COPY, MODIFY, MERGE, PUBLISH,
+DISTRIBUTE, SUBLICENSE, AND/OR SELL COPIES OF THIS SOFTWARE, THAT ANY
+JURIDICAL DISPUTES WHICH ARE CONCERNED TO THIS SOFTWARE OR ITS CONTENTS,
+AGAINST US (SOFTETHER CORPORATION OR OTHER SUPPLIERS), OR ANY JURIDICAL
+DISPUTES AGAINST US WHICH ARE CAUSED BY ANY KIND OF USING, COPYING, MODIFYING,
+MERGING, PUBLISHING, DISTRIBUTING, SUBLICENSING, AND/OR SELLING COPIES OF THIS
+SOFTWARE SHALL BE REGARDED AS BE CONSTRUED AND CONTROLLED BY JAPANESE LAWS,
+AND YOU MUST FURTHER CONSENT TO EXCLUSIVE JURISDICTION AND VENUE IN THE COURTS
+SITTING IN TOKYO, JAPAN. YOU MUST WAIVE ALL DEFENSES OF LACK OF PERSONAL
+JURISDICTION AND FORUM NON CONVENIENS. PROCESS MAY BE SERVED ON EITHER PARTY
+IN THE MANNER AUTHORIZED BY APPLICABLE LAW OR COURT RULE.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+SUPPLIERS, PROVIDERS, OPERATORS, AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR
+ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT
+OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE
+USE OR OTHER DEALINGS IN THE SOFTWARE.
+
+IMPORTANT NOTE: USE OF THIS SOFTWARE AND SERVICE BY INDIVIDUALS TO WHOM THE
+CONSUMER CONTRACT ACT APPLIES IS NOT ALLOWED. THIS SOFTWARE IS INTENDED FOR
+PROFESSIONALS AND IS NOT DESIGNED FOR PURELY BUSINESS-UNRELATED CONSUMERS.
+THIS SOFTWARE AND SERVICE MAY BE USED ONLY FOR BUSINESS, COMMERCIAL,
+NON-PROFIT, ORGANIZATIONAL OPERATIONS, RESEARCH AND DEVELOPMENT PURPOSES OR
+OTHER NON-CONSUMPTIVE PURPOSES. THIS SOFTWARE IS NOT INTENDED FOR USE BY
+CONSUMERS. THIS SOFTWARE MAY NOT BE USED BY ANY INDIVIDUAL TO WHOM THE
+CONSUMER RIGHTS PROTECTIONS IN THE CONSUMER CONTRACT ACT OF JAPAN OR
+EQUIVALENT LAWS OF OTHER COUNTRIES APPLY. IF AN INDIVIDUAL USES THE SOFTWARE,
+THE USE OF THE SOFTWARE SHALL BE DEEMED TO BE FOR BUSINESS PURPOSES.
+

+ 12 - 2
src/bin/hamcore/eula.txt

@@ -11,15 +11,25 @@ Unless required by applicable law or agreed to in writing, software distributed
 See the License for the specific language governing permissions and limitations under the License.
 
 
+RESPONSIBLE ENTITY
+==================
+
+PacketiX VPN and VPN Gate (where applicable) are provided, distributed and operated under the responsibility of SoftEther Corporation (Corporate Number: 1050001016519, Tsukuba, Ibaraki, Japan). These projects were researched and developed in collaboration with Tsukuba University, a national university in Japan.
+
+THIS SOFTWARE IS DEVELOPED IN JAPAN, AND DISTRIBUTED FROM JAPAN, UNDER JAPANESE LAWS. YOU MUST AGREE IN ADVANCE TO USE, COPY, MODIFY, MERGE, PUBLISH, DISTRIBUTE, SUBLICENSE, AND/OR SELL COPIES OF THIS SOFTWARE, THAT ANY JURIDICAL DISPUTES WHICH ARE CONCERNED TO THIS SOFTWARE OR ITS CONTENTS, AGAINST US (SOFTETHER CORPORATION OR OTHER SUPPLIERS), OR ANY JURIDICAL DISPUTES AGAINST US WHICH ARE CAUSED BY ANY KIND OF USING, COPYING, MODIFYING, MERGING, PUBLISHING, DISTRIBUTING, SUBLICENSING, AND/OR SELLING COPIES OF THIS SOFTWARE SHALL BE REGARDED AS BE CONSTRUED AND CONTROLLED BY JAPANESE LAWS, AND YOU MUST FURTHER CONSENT TO EXCLUSIVE JURISDICTION AND VENUE IN THE COURTS SITTING IN TOKYO, JAPAN. YOU MUST WAIVE ALL DEFENSES OF LACK OF PERSONAL JURISDICTION AND FORUM NON CONVENIENS. PROCESS MAY BE SERVED ON EITHER PARTY IN THE MANNER AUTHORIZED BY APPLICABLE LAW OR COURT RULE.
+
+
 DISCLAIMER
 ==========
 
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE SUPPLIERS, PROVIDERS, OPERATORS, AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
 
-THIS SOFTWARE IS DEVELOPED IN JAPAN, AND DISTRIBUTED FROM JAPAN, UNDER JAPANESE LAWS. YOU MUST AGREE IN ADVANCE TO USE, COPY, MODIFY, MERGE, PUBLISH, DISTRIBUTE, SUBLICENSE, AND/OR SELL COPIES OF THIS SOFTWARE, THAT ANY JURIDICAL DISPUTES WHICH ARE CONCERNED TO THIS SOFTWARE OR ITS CONTENTS, AGAINST US (SOFTETHER PROJECT, SOFTETHER CORPORATION, DAIYUU NOBORI OR OTHER SUPPLIERS), OR ANY JURIDICAL DISPUTES AGAINST US WHICH ARE CAUSED BY ANY KIND OF USING, COPYING, MODIFYING, MERGING, PUBLISHING, DISTRIBUTING, SUBLICENSING, AND/OR SELLING COPIES OF THIS SOFTWARE SHALL BE REGARDED AS BE CONSTRUED AND CONTROLLED BY JAPANESE LAWS, AND YOU MUST FURTHER CONSENT TO EXCLUSIVE JURISDICTION AND VENUE IN THE COURTS SITTING IN TOKYO, JAPAN. YOU MUST WAIVE ALL DEFENSES OF LACK OF PERSONAL JURISDICTION AND FORUM NON CONVENIENS. PROCESS MAY BE SERVED ON EITHER PARTY IN THE MANNER AUTHORIZED BY APPLICABLE LAW OR COURT RULE.
+THIS SOFTWARE IS DEVELOPED IN JAPAN, AND DISTRIBUTED FROM JAPAN, UNDER JAPANESE LAWS. YOU MUST AGREE IN ADVANCE TO USE, COPY, MODIFY, MERGE, PUBLISH, DISTRIBUTE, SUBLICENSE, AND/OR SELL COPIES OF THIS SOFTWARE, THAT ANY JURIDICAL DISPUTES WHICH ARE CONCERNED TO THIS SOFTWARE OR ITS CONTENTS, AGAINST US (SOFTETHER CORPORATION OR OTHER SUPPLIERS), OR ANY JURIDICAL DISPUTES AGAINST US WHICH ARE CAUSED BY ANY KIND OF USING, COPYING, MODIFYING, MERGING, PUBLISHING, DISTRIBUTING, SUBLICENSING, AND/OR SELLING COPIES OF THIS SOFTWARE SHALL BE REGARDED AS BE CONSTRUED AND CONTROLLED BY JAPANESE LAWS, AND YOU MUST FURTHER CONSENT TO EXCLUSIVE JURISDICTION AND VENUE IN THE COURTS SITTING IN TOKYO, JAPAN. YOU MUST WAIVE ALL DEFENSES OF LACK OF PERSONAL JURISDICTION AND FORUM NON CONVENIENS. PROCESS MAY BE SERVED ON EITHER PARTY IN THE MANNER AUTHORIZED BY APPLICABLE LAW OR COURT RULE.
 
 USE ONLY IN JAPAN. DO NOT USE THIS SOFTWARE IN ANOTHER COUNTRY UNLESS YOU HAVE A CONFIRMATION THAT THIS SOFTWARE DOES NOT VIOLATE ANY CRIMINAL LAWS OR CIVIL RIGHTS IN THAT PARTICULAR COUNTRY. USING THIS SOFTWARE IN OTHER COUNTRIES IS COMPLETELY AT YOUR OWN RISK. THE SOFTETHER VPN PROJECT HAS DEVELOPED AND DISTRIBUTED THIS SOFTWARE TO COMPLY ONLY WITH THE JAPANESE LAWS AND EXISTING CIVIL RIGHTS INCLUDING PATENTS WHICH ARE SUBJECTS APPLY IN JAPAN. OTHER COUNTRIES' LAWS OR CIVIL RIGHTS ARE NONE OF OUR CONCERNS NOR RESPONSIBILITIES. WE HAVE NEVER INVESTIGATED ANY CRIMINAL REGULATIONS, CIVIL LAWS OR INTELLECTUAL PROPERTY RIGHTS INCLUDING PATENTS IN ANY OF OTHER 200+ COUNTRIES AND TERRITORIES. BY NATURE, THERE ARE 200+ REGIONS IN THE WORLD, WITH DIFFERENT LAWS. IT IS IMPOSSIBLE TO VERIFY EVERY COUNTRIES' LAWS, REGULATIONS AND CIVIL RIGHTS TO MAKE THE SOFTWARE COMPLY WITH ALL COUNTRIES' LAWS BY THE PROJECT. EVEN IF YOU WILL BE SUED BY A PRIVATE ENTITY OR BE DAMAGED BY A PUBLIC SERVANT IN YOUR COUNTRY, THE DEVELOPERS OF THIS SOFTWARE WILL NEVER BE LIABLE TO RECOVER OR COMPENSATE SUCH DAMAGES, CRIMINAL OR CIVIL
 RESPONSIBILITIES. NOTE THAT THIS LINE IS NOT LICENSE RESTRICTION BUT JUST A STATEMENT FOR WARNING AND DISCLAIMER.
 
+IMPORTANT NOTE: USE OF THIS SOFTWARE AND SERVICE BY INDIVIDUALS TO WHOM THE CONSUMER CONTRACT ACT APPLIES IS NOT ALLOWED. THIS SOFTWARE IS INTENDED FOR PROFESSIONALS AND IS NOT DESIGNED FOR PURELY BUSINESS-UNRELATED CONSUMERS. THIS SOFTWARE AND SERVICE MAY BE USED ONLY FOR BUSINESS, COMMERCIAL, NON-PROFIT, ORGANIZATIONAL OPERATIONS, RESEARCH AND DEVELOPMENT PURPOSES OR OTHER NON-CONSUMPTIVE PURPOSES. THIS SOFTWARE IS NOT INTENDED FOR USE BY CONSUMERS. THIS SOFTWARE MAY NOT BE USED BY ANY INDIVIDUAL TO WHOM THE CONSUMER RIGHTS PROTECTIONS IN THE CONSUMER CONTRACT ACT OF JAPAN OR EQUIVALENT LAWS OF OTHER COUNTRIES APPLY. IF AN INDIVIDUAL USES THE SOFTWARE, THE USE OF THE SOFTWARE SHALL BE DEEMED TO BE FOR BUSINESS PURPOSES.
+
 READ AND UNDERSTAND THE 'src/WARNING.TXT' FILE BEFORE USING THIS SOFTWARE. SOME SOFTWARE PROGRAMS FROM THIRD PARTIES ARE INCLUDED ON THIS SOFTWARE WITH LICENSE CONDITIONS WHICH ARE DESCRIBED ON THE 'src/THIRD_PARTY.TXT' FILE.
 

+ 3 - 3
src/bin/hamcore/strtable_cn.stb

@@ -2437,7 +2437,7 @@ STATIC1						您可以更改 VPN Client 的设置
 STATIC2						远程管理(&E)
 STATIC3						您可以通过使用 VPN Client 管理器远程模式从另一台计算机上远程管理 VPN Client 服务程序。
 R_ALLOW_REMOTE_CONFIG		允许 VPN Client 服务的远程管理(&R)
-S_WARNING					建议您在允许远程管理时设置密码。在菜单里选择“工具” >“设置密码”来设置密码。
+S_WARNING					如果你允许远程管理,你必须设置一个密码。在菜单里选择“工具” >“设置密码”来设置密码。必须重新启动 VPN Client 服务,以应用远程管理可用性的配置变化
 STATIC4						在通讯闲置一段时间后自动断开互联网连接的环境下,可以通过向互联网上任意主机发送假数据包的方式来保持互联网连接。
 R_USE_KEEP_CONNECT			使用保持 Internet 连接功能(&K)
 S_HOSTNAME					主机名(&H):
@@ -6800,13 +6800,13 @@ CMD_AccountImport_OK		连接设置 "%s" 已导入。
 
 # RemoteEnable 命令
 CMD_RemoteEnable			允许 VPN 客户服务的远程管理
-CMD_RemoteEnable_Help		对 VPN Client 服务,从本地主机以外的远程计算机上,允许通过命令行管理设施或 VPN Client 管理器员进行连接和管理。
+CMD_RemoteEnable_Help		对 VPN Client 服务,从本地主机以外的远程计算机上,允许通过命令行管理设施或 VPN Client 管理器员进行连接和管理。必须重新启动 VPN Client 服务,以应用远程管理可用性的配置变化。如果你允许远程管理,你必须设置一个密码。
 CMD_RemoteEnable_Args		RemoteEnable
 
 
 # RemoteDisable 命令
 CMD_RemoteDisable			禁止 VPN 客户服务的远程管理
-CMD_RemoteDisable_Help		对 VPN Client 服务,从本地主机以外的远程计算机上,禁止通过命令行管理设施或 VPN Client 管理器员进行连接和管理。
+CMD_RemoteDisable_Help		对 VPN Client 服务,从本地主机以外的远程计算机上,禁止通过命令行管理设施或 VPN Client 管理器员进行连接和管理。必须重新启动 VPN 客户端服务,以应用远程管理可用性的配置变化。
 CMD_RemoteDisable_Args		RemoteDisable
 
 

+ 3 - 3
src/bin/hamcore/strtable_en.stb

@@ -2417,7 +2417,7 @@ STATIC1					You can modify the settings for VPN Client.
 STATIC2					R&emote Management:
 STATIC3					You can remotely manage the VPN Client Service Program from another computer by using VPN Client Manager Remote Mode.
 R_ALLOW_REMOTE_CONFIG	Allow &Remote Management of VPN Client Service
-S_WARNING				It is recommended to set a password if you allow remote management. From the menu bar, choose Tools -> Set Password to set the password.
+S_WARNING				You must set a password if you allow remote management. From the menu bar, choose Tools -> Set Password to set the password. The VPN Client service must be restarted to apply the change of remote management availability.
 STATIC4					For environments where Internet connections will automatically be disconnected when idle, you can keep alive the Internet connection by sending dummy packets to any host on the Internet.
 R_USE_KEEP_CONNECT		Use &Keep Alive Internet Connection Function
 S_HOSTNAME				&Host Name:
@@ -6786,13 +6786,13 @@ CMD_AccountImport_OK	The VPN Connection Setting "%s" has been imported.
 
 # RemoteEnable command
 CMD_RemoteEnable		Allow Remote Management of VPN Client Service
-CMD_RemoteEnable_Help	Use this to allow management of a VPN Client service from a remote computer that is not localhost, via a remote connection by Command Line Management Utility or VPN Client Manager.
+CMD_RemoteEnable_Help	Use this to allow management of a VPN Client service from a remote computer that is not localhost, via a remote connection by Command Line Management Utility or VPN Client Manager. The VPN Client service must be restarted to apply the change of remote management availability. You must set a password if you allow remote management.
 CMD_RemoteEnable_Args	RemoteEnable
 
 
 # RemoteDisable command
 CMD_RemoteDisable		Deny Remote Management of VPN Client Service
-CMD_RemoteDisable_Help	Use this to deny management of a VPN Client service from a remote computer that is not localhost, via a remote connection by Command Line Management Utility or VPN Client Manager.
+CMD_RemoteDisable_Help	Use this to deny management of a VPN Client service from a remote computer that is not localhost, via a remote connection by Command Line Management Utility or VPN Client Manager. The VPN Client service must be restarted to apply the change of remote management availability.
 CMD_RemoteDisable_Args	RemoteDisable
 
 

+ 3 - 3
src/bin/hamcore/strtable_ja.stb

@@ -2424,7 +2424,7 @@ STATIC1					VPN Client の動作に関する設定を変更できます。
 STATIC2					リモート管理の設定(&E)
 STATIC3					VPN Client サービスプログラムを別のコンピュータ上から VPN クライアント接続マネージャによってリモート管理することが可能です。
 R_ALLOW_REMOTE_CONFIG	VPN Client サービスのリモート管理を許可する(&R)
-S_WARNING				リモート管理を許可する場合、パスワードを設定しておくことを強くお勧めします。パスワードは [ツール] メニューの [パスワードの設定] をクリックして設定することができます。
+S_WARNING				リモート管理を許可する場合、パスワードを設定する必要があります。パスワードは [ツール] メニューの [パスワードの設定] をクリックして設定することができます。リモート管理の可否の変更の設定適用には、VPN Client サービスを再起動する必要があります。
 STATIC4					一定期間無通信状態が続くと接続が自動的に切断されるようなネットワーク接続環境の場合、インターネット上の任意のサーバーに対して一定間隔ごとにパケットを送信することにより、インターネット接続を維持することができます。
 R_USE_KEEP_CONNECT		インターネット接続の維持機能を使用する(&K)
 S_HOSTNAME				ホスト名(&H):
@@ -6794,13 +6794,13 @@ CMD_AccountImport_OK	接続設定 "%s" としてインポートしました。
 
 # RemoteEnable コマンド
 CMD_RemoteEnable		VPN Client サービスのリモート管理の許可
-CMD_RemoteEnable_Help	VPN Client サービスに、localhost 以外のリモートコンピュータから、コマンドライン管理ユーティリティまたは VPN クライアント接続マネージャでリモート接続して管理することを許可します。
+CMD_RemoteEnable_Help	VPN Client サービスに、localhost 以外のリモートコンピュータから、コマンドライン管理ユーティリティまたは VPN クライアント接続マネージャでリモート接続して管理することを許可します。注意: リモート管理の可否の変更の設定適用には、VPN Client サービスを再起動する必要があります。リモート管理を許可する場合、パスワードを設定する必要があります。
 CMD_RemoteEnable_Args	RemoteEnable
 
 
 # RemoteDisable コマンド
 CMD_RemoteDisable		VPN Client サービスのリモート管理の禁止
-CMD_RemoteDisable_Help	VPN Client サービスに、localhost 以外のリモートコンピュータからコマンドライン管理ユーティリティまたは VPN クライアント接続マネージャでリモート接続して管理することを禁止します。
+CMD_RemoteDisable_Help	VPN Client サービスに、localhost 以外のリモートコンピュータからコマンドライン管理ユーティリティまたは VPN クライアント接続マネージャでリモート接続して管理することを禁止します。注意: リモート管理の可否の変更の設定適用には、VPN Client サービスを再起動する必要があります。
 CMD_RemoteDisable_Args	RemoteDisable
 
 

+ 0 - 0
src/bin/hamcore/warning_cn.txt


+ 0 - 0
src/bin/hamcore/warning_en.txt


+ 0 - 0
src/bin/hamcore/warning_ja.txt


BIN
src/bin/vpnweb.cab


BIN
src/bin/vpnweb.ocx


+ 1 - 1
src/vpnweb/vpnweb.h

@@ -4,7 +4,7 @@
 
 
  /* File created by MIDL compiler version 7.00.0500 */
-/* at Tue Mar 14 10:40:57 2023
+/* at Fri Jun 30 10:47:21 2023
  */
 /* Compiler settings for .\vpnweb.idl:
     Oicf, W1, Zp8, env=Win32 (32b run)

+ 1 - 1
src/vpnweb/vpnweb_i.c

@@ -6,7 +6,7 @@
 
 
  /* File created by MIDL compiler version 7.00.0500 */
-/* at Tue Mar 14 10:40:57 2023
+/* at Fri Jun 30 10:47:21 2023
  */
 /* Compiler settings for .\vpnweb.idl:
     Oicf, W1, Zp8, env=Win32 (32b run)

+ 1 - 1
src/vpnweb/vpnweb_p.c

@@ -4,7 +4,7 @@
 
 
  /* File created by MIDL compiler version 7.00.0500 */
-/* at Tue Mar 14 10:40:57 2023
+/* at Fri Jun 30 10:47:21 2023
  */
 /* Compiler settings for .\vpnweb.idl:
     Oicf, W1, Zp8, env=Win32 (32b run)
