github.com/SoftEtherVPN/SoftEtherVPN_Stable.git
author dnobori <da.git@softether.co.jp> 2023-06-30 06:19:06 +0300
committer dnobori <da.git@softether.co.jp> 2023-06-30 06:19:06 +0300
commit 89939eb52f1f40e4f75c76e8d5eca019de103532
tree e51d227e06363817463efa2650e97d07290aed34
parent 7d831acbfb967bdbbb17c9e579abdda380644148

v4.42-9798-rtm

-rw-r--r-- WARNING.TXT 38
-rw-r--r-- src/BuildFiles/Library/OpenSSL_Build_ID.txt 2
-rw-r--r-- src/BuildFiles/Library/Win32_Release/libeay32.lib bin 10257876 -> 10245004 bytes
-rw-r--r-- src/BuildFiles/Library/Win32_Release/ssleay32.lib bin 1643078 -> 1643608 bytes
-rw-r--r-- src/BuildFiles/Library/x64_Release/libeay32.lib bin 14375068 -> 14282642 bytes
-rw-r--r-- src/BuildFiles/Library/x64_Release/ssleay32.lib bin 2098660 -> 2100004 bytes
-rw-r--r-- src/Cedar/Admin.c 20
-rw-r--r-- src/Cedar/Cedar.h 12
-rw-r--r-- src/Cedar/Client.c 51
-rw-r--r-- src/Cedar/Client.h 1
-rw-r--r-- src/Cedar/DDNS.c 1
-rw-r--r-- src/Cedar/DDNS.h 8
-rw-r--r-- src/Cedar/Listener.c 208
-rw-r--r-- src/Cedar/Listener.h 17
-rw-r--r-- src/Cedar/Protocol.c 2
-rw-r--r-- src/Cedar/Server.c 30
-rw-r--r-- src/Cedar/Wpc.c 12
-rw-r--r-- src/CurrentBuild.txt 6
-rw-r--r-- src/Mayaqua/Encrypt.c 62
-rw-r--r-- src/Mayaqua/Encrypt.h 6
-rw-r--r-- src/Mayaqua/Kernel.c 26
-rw-r--r-- src/Mayaqua/MayaType.h 5
-rw-r--r-- src/Mayaqua/Mayaqua.c 2
-rw-r--r-- src/Mayaqua/Mayaqua.h 1
-rw-r--r-- src/Mayaqua/Memory.c 243
-rw-r--r-- src/Mayaqua/Memory.h 43
-rw-r--r-- src/Mayaqua/Network.c 78
-rw-r--r-- src/Mayaqua/Tick64.c 17
-rw-r--r-- src/Mayaqua/Tick64.h 1
-rw-r--r-- src/Mayaqua/Unix.c 62
-rw-r--r-- src/Mayaqua/Unix.h 1
-rw-r--r-- src/Mayaqua/win32_inc/openssl/cmp.h 23
-rw-r--r-- src/Mayaqua/win32_inc/openssl/cmperr.h 6
-rw-r--r-- src/Mayaqua/win32_inc/openssl/cmserr.h 1
-rw-r--r-- src/Mayaqua/win32_inc/openssl/dsaerr.h 3
-rw-r--r-- src/Mayaqua/win32_inc/openssl/ecerr.h 3
-rw-r--r-- src/Mayaqua/win32_inc/openssl/opensslv.h 10
-rw-r--r-- src/Mayaqua/win32_inc/openssl/sslerr.h 1
-rw-r--r-- src/Mayaqua/win32_inc/openssl/trace.h 8
-rw-r--r-- src/Mayaqua/win32_inc/openssl/x509v3.h 4
-rw-r--r-- src/WARNING.TXT 38
-rw-r--r-- src/bin/hamcore/eula.txt 14
-rw-r--r-- src/bin/hamcore/strtable_cn.stb 6
-rw-r--r-- src/bin/hamcore/strtable_en.stb 6
-rw-r--r-- src/bin/hamcore/strtable_ja.stb 6
-rw-r--r-- src/bin/hamcore/warning_cn.txt 8
-rw-r--r-- src/bin/hamcore/warning_en.txt 8
-rw-r--r-- src/bin/hamcore/warning_ja.txt 9
-rw-r--r-- src/bin/vpnweb.cab bin 219080 -> 219089 bytes
-rw-r--r-- src/bin/vpnweb.ocx bin 350984 -> 350984 bytes
-rw-r--r-- src/vpnweb/vpnweb.h 2
-rw-r--r-- src/vpnweb/vpnweb_i.c 2
-rw-r--r-- src/vpnweb/vpnweb_p.c 2
53 files changed, 951 insertions, 164 deletions
diff --git a/WARNING.TXT b/WARNING.TXT
index c220a0bd..0e730a89 100644
--- a/WARNING.TXT
+++ b/WARNING.TXT
@@ -585,3 +585,41 @@ functions. Therefore, in such a case, you must disable the P2P Relay Function
on the VPN Gate Client manually by setting the "DisableRelayServer" flag if
you reside in such a restricted area, in your own responsibility.
+SoftEther VPN and VPN Gate (where applicable) are provided, distributed and
+operated under the responsibility of SoftEther Corporation (Corporate Number:
+1050001016519, Tsukuba, Ibaraki, Japan). These projects were researched and
+developed in collaboration with Tsukuba University, a national university in
+Japan.
+
+THIS SOFTWARE IS DEVELOPED IN JAPAN, AND DISTRIBUTED FROM JAPAN, UNDER
+JAPANESE LAWS. YOU MUST AGREE IN ADVANCE TO USE, COPY, MODIFY, MERGE, PUBLISH,
+DISTRIBUTE, SUBLICENSE, AND/OR SELL COPIES OF THIS SOFTWARE, THAT ANY
+JURIDICAL DISPUTES WHICH ARE CONCERNED TO THIS SOFTWARE OR ITS CONTENTS,
+AGAINST US (SOFTETHER CORPORATION OR OTHER SUPPLIERS), OR ANY JURIDICAL
+DISPUTES AGAINST US WHICH ARE CAUSED BY ANY KIND OF USING, COPYING, MODIFYING,
+MERGING, PUBLISHING, DISTRIBUTING, SUBLICENSING, AND/OR SELLING COPIES OF THIS
+SOFTWARE SHALL BE REGARDED AS BE CONSTRUED AND CONTROLLED BY JAPANESE LAWS,
+AND YOU MUST FURTHER CONSENT TO EXCLUSIVE JURISDICTION AND VENUE IN THE COURTS
+SITTING IN TOKYO, JAPAN. YOU MUST WAIVE ALL DEFENSES OF LACK OF PERSONAL
+JURISDICTION AND FORUM NON CONVENIENS. PROCESS MAY BE SERVED ON EITHER PARTY
+IN THE MANNER AUTHORIZED BY APPLICABLE LAW OR COURT RULE.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+SUPPLIERS, PROVIDERS, OPERATORS, AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR
+ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT
+OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE
+USE OR OTHER DEALINGS IN THE SOFTWARE.
+
+IMPORTANT NOTE: USE OF THIS SOFTWARE AND SERVICE BY INDIVIDUALS TO WHOM THE
+CONSUMER CONTRACT ACT APPLIES IS NOT ALLOWED. THIS SOFTWARE IS INTENDED FOR
+PROFESSIONALS AND IS NOT DESIGNED FOR PURELY BUSINESS-UNRELATED CONSUMERS.
+THIS SOFTWARE AND SERVICE MAY BE USED ONLY FOR BUSINESS, COMMERCIAL,
+NON-PROFIT, ORGANIZATIONAL OPERATIONS, RESEARCH AND DEVELOPMENT PURPOSES OR
+OTHER NON-CONSUMPTIVE PURPOSES. THIS SOFTWARE IS NOT INTENDED FOR USE BY
+CONSUMERS. THIS SOFTWARE MAY NOT BE USED BY ANY INDIVIDUAL TO WHOM THE
+CONSUMER RIGHTS PROTECTIONS IN THE CONSUMER CONTRACT ACT OF JAPAN OR
+EQUIVALENT LAWS OF OTHER COUNTRIES APPLY. IF AN INDIVIDUAL USES THE SOFTWARE,
+THE USE OF THE SOFTWARE SHALL BE DEEMED TO BE FOR BUSINESS PURPOSES.
+
diff --git a/src/BuildFiles/Library/OpenSSL_Build_ID.txt b/src/BuildFiles/Library/OpenSSL_Build_ID.txt
index 96c3c49e..e9b3c6d8 100644
--- a/src/BuildFiles/Library/OpenSSL_Build_ID.txt
+++ b/src/BuildFiles/Library/OpenSSL_Build_ID.txt
@@ -1 +1 @@
-crosslib_win32_v3_221102_01
+crosslib_win32_v3_230612_02
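Review bot: The build ID changes from crosslib_win32_v3_221102_01 to crosslib_win32_v3_230612_02 and the four prebuilt .lib files change with it, but nothing in the diff records which upstream OpenSSL release they were built from or a checksum for each binary. Suggest stating the OpenSSL version and the SHA-256 of each .lib in this file or in the commit message so the binaries can be verified against a rebuild.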
diff --git a/src/BuildFiles/Library/Win32_Release/libeay32.lib b/src/BuildFiles/Library/Win32_Release/libeay32.lib
index c6580c07..f270f317 100644
--- a/src/BuildFiles/Library/Win32_Release/libeay32.lib
+++ b/src/BuildFiles/Library/Win32_Release/libeay32.lib
Binary files differ
diff --git a/src/BuildFiles/Library/Win32_Release/ssleay32.lib b/src/BuildFiles/Library/Win32_Release/ssleay32.lib
index 904cd6ec..f20102f9 100644
--- a/src/BuildFiles/Library/Win32_Release/ssleay32.lib
+++ b/src/BuildFiles/Library/Win32_Release/ssleay32.lib
Binary files differ
diff --git a/src/BuildFiles/Library/x64_Release/libeay32.lib b/src/BuildFiles/Library/x64_Release/libeay32.lib
index 68a6df6a..bfb9e5ce 100644
--- a/src/BuildFiles/Library/x64_Release/libeay32.lib
+++ b/src/BuildFiles/Library/x64_Release/libeay32.lib
Binary files differ
diff --git a/src/BuildFiles/Library/x64_Release/ssleay32.lib b/src/BuildFiles/Library/x64_Release/ssleay32.lib
index 3f84299a..90191713 100644
--- a/src/BuildFiles/Library/x64_Release/ssleay32.lib
+++ b/src/BuildFiles/Library/x64_Release/ssleay32.lib
Binary files differ
diff --git a/src/Cedar/Admin.c b/src/Cedar/Admin.c
index 2ee56c67..ecb17e0c 100644
--- a/src/Cedar/Admin.c
+++ b/src/Cedar/Admin.c
@@ -808,6 +808,7 @@ void AdminWebProcPost(CONNECTION *c, SOCK *s, HTTP_HEADER *h, UINT post_data_siz
if (RecvAll(s, data, post_data_size, s->SecureMode))
{
c->JsonRpcAuthed = true;
+ RemoveDosEntry(c->Listener, s);
// Divide url_target into URL and query string
StrCpy(url, sizeof(url), url_target);
@@ -846,6 +847,7 @@ void AdminWebProcGet(CONNECTION *c, SOCK *s, HTTP_HEADER *h, char *url_target)
}
c->JsonRpcAuthed = true;
+ RemoveDosEntry(c->Listener, s);
// Divide url_target into URL and query string
StrCpy(url, sizeof(url), url_target);
@@ -1279,6 +1281,7 @@ void JsonRpcProcOptions(CONNECTION *c, SOCK *s, HTTP_HEADER *h, char *url_target
c->JsonRpcAuthed = true;
+ RemoveDosEntry(c->Listener, s);
AdminWebSendBody(s, 200, "OK", NULL, 0, NULL, NULL, NULL, h);
}
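Review bot: In JsonRpcProcOptions the new RemoveDosEntry(c->Listener, s) runs right after c->JsonRpcAuthed = true and immediately before a bare 200 OK, and no credential check is visible in this hunk. If this handler can be reached before the password has been verified, any client can clear its own entry in the listener's DoS list with an OPTIONS request; confirm the check precedes these lines, or drop the call from this handler. The same question applies to the four other Admin.c call sites, and TCPAcceptedThread in Listener.c already removes the entry when c->JsonRpcAuthed is set, so the per-handler calls may be redundant.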
@@ -1305,6 +1308,7 @@ void JsonRpcProcGet(CONNECTION *c, SOCK *s, HTTP_HEADER *h, char *url_target)
c->JsonRpcAuthed = true;
+ RemoveDosEntry(c->Listener, s);
// Divide url_target into URL and query string
StrCpy(url, sizeof(url), url_target);
@@ -1431,6 +1435,7 @@ void JsonRpcProcPost(CONNECTION *c, SOCK *s, HTTP_HEADER *h, UINT post_data_size
c->JsonRpcAuthed = true;
+ RemoveDosEntry(c->Listener, s);
if (json_req == NULL || json_req_object == NULL)
{
@@ -4872,7 +4877,7 @@ UINT StDeleteIpTable(ADMIN *a, RPC_DELETE_TABLE *t)
return ERR_NOT_ENOUGH_RIGHT;
}
- LockList(h->IpTable);
+ LockHashList(h->MacHashTable);
{
if (IsInListKey(h->IpTable, t->Key))
{
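Review bot: StDeleteIpTable now takes LockHashList(h->MacHashTable) while the guarded block reads and modifies h->IpTable, so the lock name no longer matches the data it protects. Add a comment here, and at the HUB field definitions, stating that the MacHashTable lock now also guards IpTable, and check that no remaining caller still uses LockList(h->IpTable), since a mix of the two would leave IpTable unprotected.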
@@ -4885,7 +4890,7 @@ UINT StDeleteIpTable(ADMIN *a, RPC_DELETE_TABLE *t)
ret = ERR_OBJECT_NOT_FOUND;
}
}
- UnlockList(h->IpTable);
+ UnlockHashList(h->MacHashTable);
if (ret == ERR_OBJECT_NOT_FOUND)
{
@@ -4940,7 +4945,7 @@ UINT SiEnumIpTable(SERVER *s, char *hubname, RPC_ENUM_IP_TABLE *t)
StrCpy(t->HubName, sizeof(t->HubName), hubname);
- LockList(h->IpTable);
+ LockHashList(h->MacHashTable);
{
t->NumIpTable = LIST_NUM(h->IpTable);
t->IpTables = ZeroMalloc(sizeof(RPC_ENUM_IP_TABLE_ITEM) * t->NumIpTable);
@@ -4962,7 +4967,7 @@ UINT SiEnumIpTable(SERVER *s, char *hubname, RPC_ENUM_IP_TABLE *t)
GetMachineName(e->RemoteHostname, sizeof(e->RemoteHostname));
}
}
- UnlockList(h->IpTable);
+ UnlockHashList(h->MacHashTable);
ReleaseHub(h);
@@ -8951,14 +8956,9 @@ UINT StEnumHub(ADMIN *a, RPC_ENUM_HUB *t)
LockHashList(h->MacHashTable);
{
e->NumMacTables = HASH_LIST_NUM(h->MacHashTable);
- }
- UnlockHashList(h->MacHashTable);
-
- LockList(h->IpTable);
- {
e->NumIpTables = LIST_NUM(h->IpTable);
}
- UnlockList(h->IpTable);
+ UnlockHashList(h->MacHashTable);
if (h->HubDb != NULL)
{
diff --git a/src/Cedar/Cedar.h b/src/Cedar/Cedar.h
index 117d6b1d..f0a6c186 100644
--- a/src/Cedar/Cedar.h
+++ b/src/Cedar/Cedar.h
@@ -126,10 +126,10 @@
// Version number
-#define CEDAR_VER 441
+#define CEDAR_VER 442
// Build Number
-#define CEDAR_BUILD 9787
+#define CEDAR_BUILD 9798
// Beta number
//#define BETA_NUMBER 3
@@ -149,11 +149,11 @@
// Specifies the build date
#define BUILD_DATE_Y 2023
-#define BUILD_DATE_M 3
-#define BUILD_DATE_D 14
+#define BUILD_DATE_M 6
+#define BUILD_DATE_D 30
#define BUILD_DATE_HO 10
-#define BUILD_DATE_MI 40
-#define BUILD_DATE_SE 41
+#define BUILD_DATE_MI 47
+#define BUILD_DATE_SE 4
// Tolerable time difference
#define ALLOW_TIMESTAMP_DIFF (UINT64)(3 * 24 * 60 * 60 * 1000)
diff --git a/src/Cedar/Client.c b/src/Cedar/Client.c
index d3234ed4..3e810126 100644
--- a/src/Cedar/Client.c
+++ b/src/Cedar/Client.c
@@ -5409,6 +5409,22 @@ void CiRpcAccepted(CLIENT *c, SOCK *s)
retcode = 0;
}
+ if (retcode == 0)
+ {
+ if (s->RemoteIP.addr[0] != 127)
+ {
+ // If the RPC client is from network check whether the password is empty
+ UCHAR empty_password_hash[20];
+ Hash(empty_password_hash, "", 0, true);
+ if (Cmp(empty_password_hash, hashed_password, SHA1_SIZE) == 0 ||
+ IsZero(hashed_password, SHA1_SIZE))
+ {
+ // Regard it as incorrect password
+ retcode = 1;
+ }
+ }
+ }
+
Lock(c->lock);
{
if (c->Config.AllowRemoteConfig == false)
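Review bot: The loopback test s->RemoteIP.addr[0] != 127 looks only at the first octet of an IPv4 address, so it is not evident from these lines how an IPv6 loopback peer is classified; a named helper for "is local host" would make the intent checkable. Also, empty_password_hash is declared as UCHAR[20] but compared with SHA1_SIZE; declare it as UCHAR empty_password_hash[SHA1_SIZE] so the two cannot drift apart.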
@@ -5512,14 +5528,21 @@ void CiRpcServerThread(THREAD *thread, void *param)
// Open the port
listener = NULL;
- for (i = CLIENT_CONFIG_PORT;i < (CLIENT_CONFIG_PORT + 5);i++)
+ if (c->Config.DisableRpcDynamicPortListener == false)
{
- listener = Listen(i);
- if (listener != NULL)
+ for (i = CLIENT_CONFIG_PORT;i < (CLIENT_CONFIG_PORT + 5);i++)
{
- break;
+ listener = ListenEx(i, !c->Config.AllowRemoteConfig);
+ if (listener != NULL)
+ {
+ break;
+ }
}
}
+ else
+ {
+ listener = ListenEx(CLIENT_CONFIG_PORT, !c->Config.AllowRemoteConfig);
+ }
if (listener == NULL)
{
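Review bot: ListenEx(i, !c->Config.AllowRemoteConfig) reads AllowRemoteConfig without holding c->lock, while CiRpcAccepted reads the same field under Lock(c->lock), and the value is sampled only once when the listener is opened. If the second argument restricts the listener to local connections, a later change of AllowRemoteConfig will not take effect until the RPC thread restarts; document that, or re-create the listener when the setting changes.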
@@ -9325,6 +9348,12 @@ void CiInitConfiguration(CLIENT *c)
c->Config.UseKeepConnect = false; // Don't use the connection maintenance function by default in the Client
// Eraser
c->Eraser = NewEraser(c->Logger, 0);
+
+#ifdef OS_WIN32
+ c->Config.DisableRpcDynamicPortListener = false;
+#else // OS_WIN32
+ c->Config.DisableRpcDynamicPortListener = true;
+#endif // OS_WIN32
}
else
{
@@ -9471,6 +9500,19 @@ void CiLoadClientConfig(CLIENT_CONFIG *c, FOLDER *f)
c->AllowRemoteConfig = CfgGetBool(f, "AllowRemoteConfig");
c->KeepConnectInterval = MAKESURE(CfgGetInt(f, "KeepConnectInterval"), KEEP_INTERVAL_MIN, KEEP_INTERVAL_MAX);
c->NoChangeWcmNetworkSettingOnWindows8 = CfgGetBool(f, "NoChangeWcmNetworkSettingOnWindows8");
+
+ if (CfgIsItem(f, "DisableRpcDynamicPortListener"))
+ {
+ c->DisableRpcDynamicPortListener = CfgGetBool(f, "DisableRpcDynamicPortListener");
+ }
+ else
+ {
+#ifdef OS_WIN32
+ c->DisableRpcDynamicPortListener = false;
+#else // OS_WIN32
+ c->DisableRpcDynamicPortListener = true;
+#endif // OS_WIN32
+ }
}
// Read the client authentication data
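Review bot: The OS_WIN32 versus non-Windows default for DisableRpcDynamicPortListener is written out twice, once in CiInitConfiguration and again in the else branch here. Move it into one helper or macro so the two defaults cannot diverge, and add a comment explaining why the five-port fallback stays enabled on Windows only.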
@@ -10023,6 +10065,7 @@ void CiWriteClientConfig(FOLDER *cc, CLIENT_CONFIG *config)
CfgAddBool(cc, "AllowRemoteConfig", config->AllowRemoteConfig);
CfgAddInt(cc, "KeepConnectInterval", config->KeepConnectInterval);
CfgAddBool(cc, "NoChangeWcmNetworkSettingOnWindows8", config->NoChangeWcmNetworkSettingOnWindows8);
+ CfgAddBool(cc, "DisableRpcDynamicPortListener", config->DisableRpcDynamicPortListener);
}
// Write the client authentication data
diff --git a/src/Cedar/Client.h b/src/Cedar/Client.h
index 6790a91a..065f5eda 100644
--- a/src/Cedar/Client.h
+++ b/src/Cedar/Client.h
@@ -186,6 +186,7 @@ struct CLIENT_CONFIG
UINT KeepConnectProtocol; // Protocol
UINT KeepConnectInterval; // Interval
bool NoChangeWcmNetworkSettingOnWindows8; // Don't change the WCM network settings on Windows 8
+ bool DisableRpcDynamicPortListener;
};
// Version acquisition
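Review bot: bool DisableRpcDynamicPortListener; is the only field in this part of CLIENT_CONFIG without a trailing comment. Add one describing the effect, for example that when true the RPC listener binds only CLIENT_CONFIG_PORT instead of also trying the next four ports.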
diff --git a/src/Cedar/DDNS.c b/src/Cedar/DDNS.c
index 66373dd4..43e9586c 100644
--- a/src/Cedar/DDNS.c
+++ b/src/Cedar/DDNS.c
@@ -641,6 +641,7 @@ UINT DCRegister(DDNS_CLIENT *c, bool ipv6, DDNS_REGISTER_PARAM *p, char *replace
}
+ use_https = true;
Format(url2, sizeof(url2), "%s?v=%I64u", url, Rand64());
Format(url3, sizeof(url3), url2, key_hash_str[2], key_hash_str[3]);
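Review bot: use_https = true; is assigned unconditionally just before the URL is formatted, which overrides any value set earlier in DCRegister and leaves that earlier decision dead. Either remove the variable together with the plain-HTTP path, or add a comment saying why HTTPS is forced at this point.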
diff --git a/src/Cedar/DDNS.h b/src/Cedar/DDNS.h
index d3e1363d..4c31682f 100644
--- a/src/Cedar/DDNS.h
+++ b/src/Cedar/DDNS.h
@@ -110,7 +110,11 @@
"439BAFA75A6EE5671FC9F9A02D34FF29881761A0" \
"EFAC5FA0CDD14E0F864EED58A73C35D7E33B62F3" \
"74DF99D4B1B5F0488A388B50D347D26013DC67A5" \
- "6EBB39AFCA8C900635CFC11218CF293A612457E4"
+ "6EBB39AFCA8C900635CFC11218CF293A612457E4" \
+ "05A9386C5E2B233F7BAB2479620EAAA2793709ED" \
+ "A811C64BB715351E36B6C1E022648D8BE0ACD128" \
+ "BD264DB3B0B1B3ABA0AF3074AA574ED1EF3B42D7" \
+ "9AB61D691536645DD55A8730FC6D2CDF33C8C73F"
#define DDNS_SNI_VER_STRING "DDNS"
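Review bot: Four more 40-hex-digit values are appended to this list with no comment saying which certificates or keys they identify or when they stop being valid. If this list is what the DDNS client pins against, note the subject and expiry of each added entry next to it so a later reviewer can retire old ones.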
@@ -135,7 +139,7 @@
#define DDNS_URL2_V4_ALT "http://get-my-ip.ddns.uxcom.jp/ddns/getmyip.ashx"
#define DDNS_URL2_V6_ALT "http://get-my-ip-v6.ddns.uxcom.jp/ddns/getmyip.ashx"
-#define DDNS_RPC_MAX_RECV_SIZE DYN32(DDNS_RPC_MAX_RECV_SIZE, (128 * 1024 * 1024))
+#define DDNS_RPC_MAX_RECV_SIZE DYN32(DDNS_RPC_MAX_RECV_SIZE, (38 * 1024 * 1024))
// Connection Timeout
#define DDNS_CONNECT_TIMEOUT DYN32(DDNS_CONNECT_TIMEOUT, (15 * 1000))
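Review bot: DDNS_RPC_MAX_RECV_SIZE drops from 128 MiB to 38 MiB, an unusual value with no stated rationale. Add a comment giving the reason for this bound, and consider whether a DDNS RPC reply needs anywhere near this much.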
diff --git a/src/Cedar/Listener.c b/src/Cedar/Listener.c
index f57dcf2a..55aa1c34 100644
--- a/src/Cedar/Listener.c
+++ b/src/Cedar/Listener.c
@@ -267,6 +267,10 @@ void TCPAcceptedThread(THREAD *t, void *param)
ConnectionAccept(c);
flag1 = c->flag1;
+ if (c->JsonRpcAuthed)
+ {
+ RemoveDosEntry(r, s);
+ }
// Release
SLog(r->Cedar, "LS_CONNECTION_END_1", c->Name);
@@ -308,6 +312,46 @@ void TCPAccepted(LISTENER *r, SOCK *s)
num_clients_from_this_ip = GetNumIpClient(&s->RemoteIP);
+#ifdef USE_DOS_ATTACK_DETECTION
+ if (disable_dos == false && r->DisableDos == false && r->Protocol != LISTENER_INPROC)
+ {
+ UINT max_uec, now_uec;
+ // DOS attack check
+ if (CheckDosAttack(r, s) == false)
+ {
+ Debug("DOS Attack 1 !!\n");
+ IPToStr(tmp, sizeof(tmp), &s->RemoteIP);
+ SLog(r->Cedar, "LS_LISTENER_DOS", r->Port, tmp, s->RemotePort);
+ return;
+ }
+ if (StrCmpi(s->UnderlayProtocol, SOCK_UNDERLAY_NATIVE_V6) == 0 ||
+ StrCmpi(s->UnderlayProtocol, SOCK_UNDERLAY_NATIVE_V4) == 0)
+ {
+ if (IsInNoSsl(r->Cedar, &s->RemoteIP))
+ {
+ Debug("DOS Attack 2 !!\n");
+ IPToStr(tmp, sizeof(tmp), &s->RemoteIP);
+ SLog(r->Cedar, "LS_LISTENER_DOS", r->Port, tmp, s->RemotePort);
+ return;
+ }
+ }
+ if (num_clients_from_this_ip > GetMaxConnectionsPerIp())
+ {
+ Debug("DOS Attack 3 !!\n");
+ IPToStr(tmp, sizeof(tmp), &s->RemoteIP);
+ SLog(r->Cedar, "LS_LISTENER_DOS", r->Port, tmp, s->RemotePort);
+ return;
+ }
+ max_uec = GetMaxUnestablishedConnections();
+ now_uec = GetUnestablishedConnections(cedar);
+ if (now_uec > max_uec)
+ {
+ Debug("DOS Attack 4 !!\n");
+ SLog(r->Cedar, "LS_LISTENER_MAXUEC", max_uec, now_uec);
+ return;
+ }
+ }
+#endif // USE_DOS_ATTACK_DETECTION
IPToStr(tmp, sizeof(tmp), &s->RemoteIP);
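Review bot: The whole check is wrapped in #ifdef USE_DOS_ATTACK_DETECTION, and none of the hunks shown on this page defines that macro; if the build does not define it, CheckDosAttack is never called while RemoveDosEntry still is. Also, the block uses r->Cedar everywhere except GetUnestablishedConnections(cedar), and relies on disable_dos and tmp from outside the hunk; use one spelling for the Cedar pointer.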
@@ -326,6 +370,169 @@ void TCPAccepted(LISTENER *r, SOCK *s)
ReleaseThread(t);
}
+// Remove a DOS entry
+bool RemoveDosEntry(LISTENER *r, SOCK *s)
+{
+ DOS *d;
+ bool ok = false;
+ // Validate arguments
+ if (r == NULL || s == NULL)
+ {
+ return false;
+ }
+
+ LockList(r->DosList);
+ {
+ // Delete old entries from the DOS attack list
+ RefreshDosList(r);
+
+ // Search the table
+ d = SearchDosList(r, &s->RemoteIP);
+
+ if (d != NULL)
+ {
+ Delete(r->DosList, d);
+ Free(d);
+ ok = true;
+ }
+ }
+ UnlockList(r->DosList);
+
+ return ok;
+}
+
+// Check whether this is a DOS attack
+bool CheckDosAttack(LISTENER *r, SOCK *s)
+{
+ DOS *d;
+ bool ok = true;
+ // Validate arguments
+ if (r == NULL || s == NULL)
+ {
+ return false;
+ }
+
+ LockList(r->DosList);
+ {
+ // Delete old entries from the DOS attack list
+ RefreshDosList(r);
+
+ // Search the table
+ d = SearchDosList(r, &s->RemoteIP);
+
+ if (d != NULL)
+ {
+ // There is a entry already
+ // This should mean being under a DOS attack
+ d->LastConnectedTick = Tick64();
+ d->CurrentExpireSpan = MIN(d->CurrentExpireSpan * (UINT64)2, DOS_TABLE_EXPIRES_MAX);
+ d->AccessCount++;
+ if (d->AccessCount > DOS_TABLE_MAX_LIMIT_PER_IP)
+ {
+ ok = false;
+ }
+ }
+ else
+ {
+ // Create a new entry
+ d = ZeroMalloc(sizeof(DOS));
+ d->CurrentExpireSpan = (UINT64)DOS_TABLE_EXPIRES_FIRST;
+ d->FirstConnectedTick = d->LastConnectedTick = Tick64();
+ d->AccessCount = 1;
+ d->DeleteEntryTick = d->FirstConnectedTick + (UINT64)DOS_TABLE_EXPIRES_TOTAL;
+ Copy(&d->IpAddress, &s->RemoteIP, sizeof(IP));
+ Add(r->DosList, d);
+ }
+ }
+ UnlockList(r->DosList);
+
+ return ok;
+}
+
+// Delete old entries from the DOS attack list
+void RefreshDosList(LISTENER *r)
+{
+ // Validate arguments
+ if (r == NULL)
+ {
+ return;
+ }
+
+ if (r->DosListLastRefreshTime == 0 ||
+ (r->DosListLastRefreshTime + (UINT64)DOS_TABLE_REFRESH_INTERVAL) <= Tick64())
+ {
+ UINT i;
+ LIST *o;
+ r->DosListLastRefreshTime = Tick64();
+
+ o = NewListFast(NULL);
+ for (i = 0;i < LIST_NUM(r->DosList);i++)
+ {
+ DOS *d = LIST_DATA(r->DosList, i);
+ if ((d->LastConnectedTick + d->CurrentExpireSpan) <= Tick64() ||
+ (d->DeleteEntryTick <= Tick64()))
+ {
+ Add(o, d);
+ }
+ }
+
+ for (i = 0;i < LIST_NUM(o);i++)
+ {
+ DOS *d = LIST_DATA(o, i);
+ Delete(r->DosList, d);
+ Free(d);
+ }
+
+ ReleaseList(o);
+ }
+}
+
+// Search the DOS attack list by the IP address
+DOS *SearchDosList(LISTENER *r, IP *ip)
+{
+ DOS *d, t;
+ // Validate arguments
+ if (r == NULL || ip == NULL)
+ {
+ return NULL;
+ }
+
+ Copy(&t.IpAddress, ip, sizeof(IP));
+
+ d = Search(r->DosList, &t);
+
+ if (d != NULL)
+ {
+ if ((d->LastConnectedTick + d->CurrentExpireSpan) <= Tick64() ||
+ (d->DeleteEntryTick <= Tick64()))
+ {
+ // Delete old entries
+ Delete(r->DosList, d);
+ Free(d);
+ return NULL;
+ }
+ }
+
+ return d;
+}
+
+// Comparison of DOS attack list entries
+int CompareDos(void *p1, void *p2)
+{
+ DOS *d1, *d2;
+ if (p1 == NULL || p2 == NULL)
+ {
+ return 0;
+ }
+ d1 = *(DOS **)p1;
+ d2 = *(DOS **)p2;
+ if (d1 == NULL || d2 == NULL)
+ {
+ return 0;
+ }
+
+ return CmpIpAddr(&d1->IpAddress, &d2->IpAddress);
+}
// UDP listener main loop
void ListenerUDPMainLoop(LISTENER *r)
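Review bot: SearchDosList and RefreshDosList both Delete() and Free() entries of r->DosList without taking the list lock themselves; they are safe only because CheckDosAttack and RemoveDosEntry call them inside LockList(r->DosList). State that precondition in the comment above each function. Separately, the table is keyed by IP address alone and, in the hunks shown here, RemoveDosEntry is called only on the JSON-RPC and admin web paths, so clients that share one address and authenticate some other way keep accumulating AccessCount toward DOS_TABLE_MAX_LIMIT_PER_IP; confirm that is intended.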
@@ -875,6 +1082,7 @@ LISTENER *NewListenerEx5(CEDAR *cedar, UINT proto, UINT port, THREAD_PROC *proc,
r->Port = port;
r->Event = NewEvent();
+ r->DosList = NewList(CompareDos);
r->LocalOnly = local_only;
r->ShadowIPv6 = shadow_ipv6;
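Review bot: r->DosList is allocated here, but the four Listener.c hunks account for all 208 changed lines listed for that file and none of them releases the list or frees the DOS entries left in it. Add the matching cleanup where the listener is destroyed, freeing each remaining entry before ReleaseList(r->DosList).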
diff --git a/src/Cedar/Listener.h b/src/Cedar/Listener.h
index c5dafddb..7730d340 100644
--- a/src/Cedar/Listener.h
+++ b/src/Cedar/Listener.h
@@ -109,6 +109,16 @@
// Function to call when receiving a new connection
typedef void (NEW_CONNECTION_PROC)(CONNECTION *c);
+// DOS attack list
+struct DOS
+{
+ IP IpAddress; // IP address
+ UINT64 FirstConnectedTick; // Time which a client connects at the first time
+ UINT64 LastConnectedTick; // Time which a client connected at the last time
+ UINT64 CurrentExpireSpan; // Current time-out period of this record
+ UINT64 DeleteEntryTick; // Time planned to delete this entry
+ UINT AccessCount; // The number of accesses
+};
// Listener structure
@@ -125,6 +135,8 @@ struct LISTENER
volatile bool Halt; // Halting flag
UINT Status; // State
+ LIST *DosList; // DOS attack list
+ UINT64 DosListLastRefreshTime; // Time that the DOS list is refreshed at the last
THREAD_PROC *ThreadProc; // Thread procedure
void *ThreadParam; // Thread parameters
@@ -199,6 +211,11 @@ void FreeDynamicListener(DYNAMIC_LISTENER *d);
bool ListenerRUDPRpcRecvProc(RUDP_STACK *r, UDPPACKET *p);
void ListenerSetProcRecvRpcEnable(bool b);
+int CompareDos(void *p1, void *p2);
+DOS *SearchDosList(LISTENER *r, IP *ip);
+void RefreshDosList(LISTENER *r);
+bool CheckDosAttack(LISTENER *r, SOCK *s);
+bool RemoveDosEntry(LISTENER *r, SOCK *s);
#endif // LISTENER_H
diff --git a/src/Cedar/Protocol.c b/src/Cedar/Protocol.c
index 0e77d29d..fb6867c2 100644
--- a/src/Cedar/Protocol.c
+++ b/src/Cedar/Protocol.c
@@ -5923,6 +5923,8 @@ REDIRECTED:
Free(ports);
+ Zero(ticket, sizeof(ticket));
+
if (PackGetDataSize(p, "Ticket") == SHA1_SIZE)
{
PackGetData(p, "Ticket", ticket);
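Review bot: When PackGetDataSize(p, "Ticket") is not SHA1_SIZE, ticket now stays all zeros after the added Zero(ticket, sizeof(ticket)). The code that consumes it is outside this hunk; confirm that an all-zero ticket is treated as "no ticket" and can never match a stored one.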
diff --git a/src/Cedar/Server.c b/src/Cedar/Server.c
index 545d1313..241fd620 100644
--- a/src/Cedar/Server.c
+++ b/src/Cedar/Server.c
@@ -1275,9 +1275,14 @@ UINT GetServerCapsInt(SERVER *s, char *name)
}
Zero(&t, sizeof(t));
- GetServerCaps(s, &t);
- ret = GetCapsInt(&t, name);
+ Lock(s->CapsCacheLock);
+ {
+ GetServerCaps(s, &t);
+
+ ret = GetCapsInt(&t, name);
+ }
+ Unlock(s->CapsCacheLock);
return ret;
}
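Review bot: GetServerCapsInt now calls GetServerCaps(s, &t) while holding s->CapsCacheLock, and FlushServerCaps does the same around DestroyServerCapsCache and GetServerCaps. If either callee takes CapsCacheLock itself (their bodies are not in this diff), this works only with a recursive lock; note that requirement in a comment or move the locking to one level.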
@@ -1346,10 +1351,14 @@ void FlushServerCaps(SERVER *s)
return;
}
- DestroyServerCapsCache(s);
+ Lock(s->CapsCacheLock);
+ {
+ DestroyServerCapsCache(s);
- Zero(&t, sizeof(t));
- GetServerCaps(s, &t);
+ Zero(&t, sizeof(t));
+ GetServerCaps(s, &t);
+ }
+ Unlock(s->CapsCacheLock);
}
// Get the Caps list for this server
@@ -7831,7 +7840,7 @@ void SiCalledDeleteIpTable(SERVER *s, PACK *p)
return;
}
- LockList(h->IpTable);
+ LockHashList(h->MacHashTable);
{
if (IsInList(h->IpTable, (void *)key))
{
@@ -7840,7 +7849,7 @@ void SiCalledDeleteIpTable(SERVER *s, PACK *p)
Free(e);
}
}
- UnlockList(h->IpTable);
+ UnlockHashList(h->MacHashTable);
ReleaseHub(h);
}
@@ -8643,14 +8652,9 @@ void SiCallEnumHub(SERVER *s, FARM_MEMBER *f)
LockHashList(h->MacHashTable);
{
hh->NumMacTables = HASH_LIST_NUM(h->MacHashTable);
- }
- UnlockHashList(h->MacHashTable);
-
- LockList(h->IpTable);
- {
hh->NumIpTables = LIST_NUM(h->IpTable);
}
- UnlockList(h->IpTable);
+ UnlockHashList(h->MacHashTable);
}
}
}
diff --git a/src/Cedar/Wpc.c b/src/Cedar/Wpc.c
index 5ff64c3c..b270574c 100644
--- a/src/Cedar/Wpc.c
+++ b/src/Cedar/Wpc.c
@@ -401,8 +401,16 @@ BUF *WpcDataEntryToBuf(WPC_ENTRY *e)
}
data_size = e->Size + 4096;
- data = Malloc(data_size);
- size = DecodeSafe64(data, e->Data, e->Size);
+ data = ZeroMalloc(data_size);
+
+ if (e->Size >= 1)
+ {
+ size = DecodeSafe64(data, e->Data, e->Size);
+ }
+ else
+ {
+ size = 0;
+ }
b = NewBuf();
WriteBuf(b, data, size);
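Review bot: data_size = e->Size + 4096 is computed with no upper bound on e->Size, so if e->Size is an unsigned 32-bit value close to its maximum the sum wraps to a small allocation that DecodeSafe64 is then asked to fill from e->Size input bytes. Reject e->Size above a sane limit before the addition; the new e->Size >= 1 guard covers only the empty case.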
diff --git a/src/CurrentBuild.txt b/src/CurrentBuild.txt
index b17bcd7b..6be9469e 100644
--- a/src/CurrentBuild.txt
+++ b/src/CurrentBuild.txt
@@ -1,4 +1,4 @@
-BUILD_NUMBER 9787
-VERSION 441
+BUILD_NUMBER 9798
+VERSION 442
BUILD_NAME rtm
-BUILD_DATE 20230314_104041
+BUILD_DATE 20230630_104704
diff --git a/src/Mayaqua/Encrypt.c b/src/Mayaqua/Encrypt.c
index f6fe91be..d4641449 100644
--- a/src/Mayaqua/Encrypt.c
+++ b/src/Mayaqua/Encrypt.c
@@ -1552,7 +1552,8 @@ void CertTest_()
// Hash a pointer to a 32-bit
UINT HashPtrToUINT(void *p)
{
- UCHAR hash_data[MD5_SIZE];
+ UCHAR hash_data[SHA256_SIZE];
+ UCHAR hash_src[CANARY_RAND_SIZE + sizeof(void *)];
UINT ret;
// Validate arguments
if (p == NULL)
@@ -1560,7 +1561,11 @@ UINT HashPtrToUINT(void *p)
return 0;
}
- Hash(hash_data, &p, sizeof(p), false);
+ Zero(hash_src, sizeof(hash_src));
+ Copy(hash_src + 0, GetCanaryRand(CANARY_RAND_ID_PTR_KEY_HASH), CANARY_RAND_SIZE);
+ Copy(hash_src + CANARY_RAND_SIZE, p, sizeof(void *));
+
+ HashSha256(hash_data, hash_src, sizeof(hash_src));
Copy(&ret, hash_data, sizeof(ret));
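Review bot: Copy(hash_src + CANARY_RAND_SIZE, p, sizeof(void *)) copies the bytes that p points to, not the pointer value; the line it replaces hashed &p. As written the key depends on the first sizeof(void *) bytes of the object, which can change over its lifetime and may lie past the end of a smaller allocation. This should be Copy(hash_src + CANARY_RAND_SIZE, &p, sizeof(void *)).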
@@ -6967,6 +6972,59 @@ crypto_aead_chacha20poly1305_ietf_encrypt(unsigned char *c,
return ret;
}
+// OpenSSL 3.0.0 to 3.0.2 has a bug with RC4-MD5.
+// See: https://github.com/openssl/openssl/issues/13363 https://github.com/openssl/openssl/pull/13378
+
+static bool ssl_is_rc4md5_buggy_version = false;
+static bool ssl_has_cache_is_rc4md5_buggy_version = false;
+
+bool IsSslLibVersionBuggyForRc4Md5()
+{
+ bool ret = false;
+ if (ssl_has_cache_is_rc4md5_buggy_version)
+ {
+ return ssl_is_rc4md5_buggy_version;
+ }
+
+ ret = IsSslLibVersionBuggyForRc4Md5_Internal();
+
+ ssl_is_rc4md5_buggy_version = ret;
+ ssl_has_cache_is_rc4md5_buggy_version = true;
+
+ return ret;
+}
+
+bool IsSslLibVersionBuggyForRc4Md5_Internal()
+{
+ UINT verint = 0;
+ UINT ver_major = 0;
+ UINT ver_minor = 0;
+ UINT ver_fix = 0;
+ UINT ver_patch = 0;
+
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
+ DoNothing();
+#else // OPENSSL_VERSION_NUMBER
+ verint = OpenSSL_version_num();
+
+ ver_major = (verint >> 28) & 0x0F;
+ ver_minor = (verint >> 20) & 0xFF;
+ ver_fix = (verint >> 12) & 0xFF;
+ ver_patch = (verint >> 4) & 0xFF;
+#endif // OPENSSL_VERSION_NUMBER
+
+ if (ver_major == 3 && ver_minor == 0)
+ {
+ if (ver_patch <= 2)
+ {
+ return true;
+ }
+ }
+
+ return false;
+}
+
+
static char ssl_version_cache[MAX_PATH] = CLEAN;
void GetSslLibVersion(char *str, UINT size)
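Review bot: In IsSslLibVersionBuggyForRc4Md5_Internal, ver_fix is computed but never used and the decision rests on ver_patch alone; remove the unused variable or add a comment on the version-number layout being assumed. The two static cache flags are also written without synchronisation, which is harmless only because the result is the same on every call; say so in a comment. Both functions should be declared with (void) rather than an empty parameter list.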
diff --git a/src/Mayaqua/Encrypt.h b/src/Mayaqua/Encrypt.h
index 4a22b428..94b46f49 100644
--- a/src/Mayaqua/Encrypt.h
+++ b/src/Mayaqua/Encrypt.h
@@ -144,9 +144,7 @@ void RAND_Free_For_SoftEther();
// OpenSSL default cipher algorithms
#define OPENSSL_DEFAULT_CIPHER_LIST "ALL:!EXPORT:!LOW:!aNULL:!eNULL:!SSLv2"
-// OpenSSL 3.x has a bug. https://github.com/openssl/openssl/issues/13363 https://github.com/openssl/openssl/pull/13378
-// At 2021-09-08 this bug is reported as fixed on Github, but actually still exists on RC4-MD5.
-// So, with OpenSSL 3.0 we manually disable RC4-MD5 by default on both SSL server and SSL client.
+// OpenSSL 3.0.0 to 3.0.2 has a bug with RC4-MD5. https://github.com/openssl/openssl/issues/13363 https://github.com/openssl/openssl/pull/13378
#define OPENSSL_DEFAULT_CIPHER_LIST_NO_RC4_MD5 (OPENSSL_DEFAULT_CIPHER_LIST ":!RC4-MD5")
// IANA definitions taken from IKEv1 Phase 1
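Review bot: The rewritten comment no longer says that RC4-MD5 is disabled by default, only that OpenSSL 3.0.0 to 3.0.2 is affected. If OPENSSL_DEFAULT_CIPHER_LIST_NO_RC4_MD5 is now selected only when IsSslLibVersionBuggyForRc4Md5() is true, other OpenSSL versions can offer RC4-MD5 again under "ALL:!EXPORT:!LOW" where the library supports it; RC4 cipher suites are prohibited by RFC 7465, so state the intended default here.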
@@ -668,6 +666,8 @@ void Aead_ChaCha20Poly1305_Ietf_Test();
void GetSslLibVersion(char *str, UINT size);
void GetSslLibVersion_Internal(char *str, UINT size);
+bool IsSslLibVersionBuggyForRc4Md5();
+bool IsSslLibVersionBuggyForRc4Md5_Internal();
diff --git a/src/Mayaqua/Kernel.c b/src/Mayaqua/Kernel.c
index 2edc142e..47bce23d 100644
--- a/src/Mayaqua/Kernel.c
+++ b/src/Mayaqua/Kernel.c
@@ -2401,10 +2401,34 @@ void AbortExitEx(char *msg)
msg = "Unknown Error";
}
- f = fopen("abort_error_log.txt", "w");
+ f = fopen("abort_error_log.txt", "a");
if (f != NULL)
{
+ SYSTEMTIME time = CLEAN;
+ char time_str[128] = CLEAN;
+ char* crlf = "\r\n";
+ char* tag = "---------";
+
+ LocalTime(&time);
+
+ sprintf(time_str, "%04u-%02u-%02u %02u:%02u:%02u",
+ time.wYear, time.wMonth, time.wDay,
+ time.wHour, time.wMinute, time.wSecond);
+
+ fwrite(tag, 1, strlen(tag), f);
+
+ fwrite(crlf, 1, strlen(crlf), f);
+
+ fwrite(time_str, 1, strlen(time_str), f);
+
+ fwrite(crlf, 1, strlen(crlf), f);
+
fwrite(msg, 1, strlen(msg), f);
+
+ fwrite(crlf, 1, strlen(crlf), f);
+
+ fwrite(crlf, 1, strlen(crlf), f);
+
fclose(f);
}
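Review bot: Switching fopen to "a" means abort_error_log.txt now grows on every abort with no size cap, and the name is still relative, so the file lands in whatever the current directory is. Consider a fixed log directory and a size limit, and use snprintf(time_str, sizeof(time_str), ...) instead of sprintf even though the 128-byte buffer is large enough for this format.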
diff --git a/src/Mayaqua/MayaType.h b/src/Mayaqua/MayaType.h
index abd1037f..809cbc53 100644
--- a/src/Mayaqua/MayaType.h
+++ b/src/Mayaqua/MayaType.h
@@ -218,7 +218,7 @@ typedef int (COMPARE)(void *p1, void *p2);
#define GET_ABS(a) ((a) >= 0 ? (a) : -(a))
// Convert the pointer to UINT
-#define POINTER_TO_KEY(p) ((sizeof(void *) == sizeof(UINT)) ? (UINT)(p) : HashPtrToUINT(p))
+#define POINTER_TO_KEY(p) (HashPtrToUINT(p))
// Compare the pointer and UINT
#define COMPARE_POINTER_AND_KEY(p, i) (POINTER_TO_KEY(p) == (i))
// Convert the pointer to UINT64
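Review bot: POINTER_TO_KEY used to return the pointer itself when sizeof(void *) == sizeof(UINT), which made keys unique there; it now always returns a 32-bit truncation of a hash, so two live pointers can map to the same key on every platform. COMPARE_POINTER_AND_KEY on the next line treats equal keys as the same object; document how callers handle a collision, or check for one when a key is issued.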
@@ -411,7 +411,8 @@ typedef struct TRACKING_LIST TRACKING_LIST;
typedef struct IO IO;
// Memory.h
-typedef struct MEMTAG MEMTAG;
+typedef struct MEMTAG1 MEMTAG1;
+typedef struct MEMTAG2 MEMTAG2;
typedef struct BUF BUF;
typedef struct FIFO FIFO;
typedef struct LIST LIST;
diff --git a/src/Mayaqua/Mayaqua.c b/src/Mayaqua/Mayaqua.c
index dbe6c67d..5d7a9a51 100644
--- a/src/Mayaqua/Mayaqua.c
+++ b/src/Mayaqua/Mayaqua.c
@@ -159,6 +159,8 @@ void InitProcessCallOnceEx(int restricted_mode)
{
init_proc_once_flag = true;
+ InitCanaryRand();
+
#ifdef OS_WIN32
MsInitProcessCallOnce(restricted_mode);
#endif // OS_WIN32
diff --git a/src/Mayaqua/Mayaqua.h b/src/Mayaqua/Mayaqua.h
index 6330f435..6c05a5f3 100644
--- a/src/Mayaqua/Mayaqua.h
+++ b/src/Mayaqua/Mayaqua.h
@@ -119,7 +119,6 @@
#define DONT_USE_KERNEL_STATUS // Do not update the kernel status
#define WIN32_USE_HEAP_API_FOR_MEMORY // Use the heap API to allocate memory
#define WIN32_NO_DEBUG_HELP_DLL // Do not call the DLL for debugging
-#define DONT_CHECK_HEAP // Do not check the status of the heap
#define DONT_ALLOW_RUN_ON_DEBUGGER // Do not allow running on the debugger
#endif // VPN_SPEED
diff --git a/src/Mayaqua/Memory.c b/src/Mayaqua/Memory.c
index f9e0dfde..dc9abd8b 100644
--- a/src/Mayaqua/Memory.c
+++ b/src/Mayaqua/Memory.c
@@ -127,6 +127,105 @@ static UINT fifo_current_realloc_mem_size = FIFO_REALLOC_MEM_SIZE;
static ACTIVE_PATCH_ENTRY ActivePatchList[MAX_ACTIVE_PATCH] = CLEAN;
+static bool canary_inited = false;
+typedef struct CANARY_RAND_DATA
+{
+ UCHAR Data[CANARY_RAND_SIZE + 4];
+} CANARY_RAND_DATA;
+
+static CANARY_RAND_DATA canary_rand_data[NUM_CANARY_RAND] = CLEAN;
+
+static UINT64 canary_memtag_magic1 = 0;
+static UINT64 canary_memtag_magic2 = 0;
+
+UCHAR *GetCanaryRand(UINT id)
+{
+ if (id >= NUM_CANARY_RAND)
+ {
+ id = NUM_CANARY_RAND - 1;
+ }
+
+ return &((canary_rand_data[id].Data)[0]);
+}
+
+void InitCanaryRand()
+{
+ SYSTEMTIME st = CLEAN;
+ char random_seed[1024] = CLEAN;
+ UINT64 t1 = 0, t2 = 0;
+ if (canary_inited)
+ {
+ return;
+ }
+
+#ifdef OS_WIN32
+ Win32GetSystemTime(&st);
+ memcpy(&t1, ((UCHAR *)&st) + 0, 8);
+ memcpy(&t2, ((UCHAR *)&st) + 8, 8);
+#else // OS_WIN32
+ struct timeval tv = CLEAN;
+ struct timezone tz = CLEAN;
+ gettimeofday(&tv, &tz);
+ t1 = (UINT64)tv.tv_sec;
+ t2 = (UINT64)tv.tv_usec;
+#endif // OS_WIN32
+
+ {
+ UINT64 dos_rand = (UINT64)rand();
+ UINT64 tick1 = TickHighresNano64(true);
+ UINT64 tick2 = TickHighresNano64(true);
+
+ UINT i;
+
+ void *p1 = malloc(1);
+ void *p2 = malloc(1);
+
+ for (i = 0;i < NUM_CANARY_RAND;i++)
+ {
+ // using sprintf() here is safe.
+ sprintf(random_seed,
+ "%u "
+ "%llu "
+ "%llu "
+ "%llu "
+ "%llu "
+ "%llu "
+ "%llu "
+ "%llu "
+ "%llu "
+ "%llu "
+ "%llu "
+ "%llu "
+ "%u "
+ ,
+ i,
+ (UINT64)InitCanaryRand,
+ (UINT64)&canary_inited,
+ (UINT64)&((canary_rand_data[0].Data)[0]),
+ (UINT64)&random_seed[0],
+ tick1,
+ tick2,
+ dos_rand,
+ (UINT64)p1,
+ (UINT64)p2,
+ t1,
+ t2,
+ ~i
+ );
+
+ Hash(canary_rand_data[i].Data, random_seed, (UINT)strlen(random_seed), true);
+ }
+
+ free(p1);
+ free(p2);
+
+ canary_memtag_magic1 = *((UINT64 *)(GetCanaryRand(CANARY_RAND_ID_MEMTAG_MAGIC) + 0));
+ canary_memtag_magic2 = *((UINT64 *)(GetCanaryRand(CANARY_RAND_ID_MEMTAG_MAGIC) + 8));
+
+ canary_inited = true;
+ }
+}
+
// Add active patch
bool Vars_ActivePatch_AddStr(char* name, char* str_value)
{
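Review bot: InitCanaryRand derives every canary from the wall-clock time, rand(), tick counters and a handful of addresses passed through Hash(); none of these inputs comes from the operating system's random number generator, so the values are only as unpredictable as the address layout and the start time. Seed from the OS CSPRNG instead (getrandom() or /dev/urandom on Unix, BCryptGenRandom on Windows) and keep the current mix only as a fallback. Also, canary_memtag_magic1 and canary_memtag_magic2 are read by casting a UCHAR array to UINT64 *, which assumes the array is suitably aligned; use Copy() into the UINT64, and note that canary_inited is checked and set without a lock.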
@@ -3923,6 +4022,10 @@ void AdjustBufSize(BUF *b, UINT new_size)
while (b->SizeReserved < new_size)
{
+ if (b->SizeReserved > 0x7FFFFFFF)
+ {
+ AbortExitEx("AdjustBufSize(): too large buffer size");
+ }
b->SizeReserved = b->SizeReserved * 2;
}
b->Buf = ReAlloc(b->Buf, b->SizeReserved);
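Review bot: The new guard inside the while loop stops b->SizeReserved * 2 from wrapping, but the loop still makes no progress if b->SizeReserved is 0 on entry, since 0 * 2 stays 0 and the new check never fires. If no caller can reach that state, an explicit check or assertion before the loop would document it. The literal 0x7FFFFFFF would also read better as an expression derived from MAX_MALLOC_MEM_SIZE, so that this limit and the one enforced in ReAlloc() cannot drift apart.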
@@ -4556,33 +4659,52 @@ void *Malloc(UINT size)
}
void *MallocEx(UINT size, bool zero_clear_when_free)
{
- MEMTAG *tag;
+ MEMTAG1 *tag1;
+ MEMTAG2 *tag2;
UINT real_size;
+ if (canary_inited == false)
+ {
+ InitCanaryRand();
+ }
+
+ if (size > MAX_MALLOC_MEM_SIZE)
+ {
+ AbortExitEx("MallocEx() error: too large size");
+ }
+
real_size = CALC_MALLOCSIZE(size);
- tag = InternalMalloc(real_size);
+ tag1 = InternalMalloc(real_size);
+
+ tag1->Magic = canary_memtag_magic1 ^ ((UINT64)tag1 * GOLDEN_RATION_PRIME_U64);
+ tag1->Size = size;
+ tag1->ZeroFree = zero_clear_when_free;
- Zero(tag, sizeof(MEMTAG));
- tag->Magic = MEMTAG_MAGIC;
- tag->Size = size;
- tag->ZeroFree = zero_clear_when_free;
+ tag2 = (MEMTAG2 *)(((UCHAR *)tag1) + CALC_MALLOCSIZE(tag1->Size) - sizeof(MEMTAG2));
+ tag2->Magic = canary_memtag_magic2 ^ ((UINT64)tag2 * GOLDEN_RATION_PRIME_U64);
- return MEMTAG_TO_POINTER(tag);
+ return MEMTAG1_TO_POINTER(tag1);
}
// Get memory size
UINT GetMemSize(void *addr)
{
- MEMTAG *tag;
+ MEMTAG1 *tag;
+
+ if (canary_inited == false)
+ {
+ InitCanaryRand();
+ }
+
// Validate arguments
if (IS_NULL_POINTER(addr))
{
return 0;
}
- tag = POINTER_TO_MEMTAG(addr);
- CheckMemTag(tag);
+ tag = POINTER_TO_MEMTAG1(addr);
+ CheckMemTag1(tag);
return tag->Size;
}
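Review bot: GetMemSize() validates only the leading tag with CheckMemTag1(), while ReAlloc() and Free() in this patch also locate MEMTAG2 and call CheckMemTag2(), so a block whose trailing canary has already been overwritten still has its Size reported as trustworthy. Checking tag2 here as well would make the three entry points consistent. In MallocEx(), tag1 is written to immediately after InternalMalloc(real_size) with no NULL check in the visible lines; please confirm InternalMalloc() cannot return NULL. The removed Zero(tag, sizeof(MEMTAG)) also means any padding bytes in MEMTAG1 are now left uninitialised, which is harmless for the checks but worth a comment.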
@@ -4590,20 +4712,35 @@ UINT GetMemSize(void *addr)
// ReAlloc
void *ReAlloc(void *addr, UINT size)
{
- MEMTAG *tag;
+ MEMTAG1 *tag1;
+ MEMTAG2 *tag2;
bool zerofree;
+
+ if (canary_inited == false)
+ {
+ InitCanaryRand();
+ }
+
+ if (size > MAX_MALLOC_MEM_SIZE)
+ {
+ AbortExitEx("ReAlloc() error: too large size");
+ }
+
// Validate arguments
if (IS_NULL_POINTER(addr))
{
return NULL;
}
- tag = POINTER_TO_MEMTAG(addr);
- CheckMemTag(tag);
+ tag1 = POINTER_TO_MEMTAG1(addr);
+ CheckMemTag1(tag1);
+
+ tag2 = (MEMTAG2 *)(((UCHAR *)tag1) + CALC_MALLOCSIZE(tag1->Size) - sizeof(MEMTAG2));
+ CheckMemTag2(tag2);
- zerofree = tag->ZeroFree;
+ zerofree = tag1->ZeroFree;
- if (tag->Size == size)
+ if (tag1->Size == size)
{
// No size change
return addr;
@@ -4615,10 +4752,10 @@ void *ReAlloc(void *addr, UINT size)
// Size changed (zero clearing required)
void *new_p = MallocEx(size, true);
- if (tag->Size <= size)
+ if (tag1->Size <= size)
{
// Size expansion
- Copy(new_p, addr, tag->Size);
+ Copy(new_p, addr, tag1->Size);
}
else
{
@@ -4634,13 +4771,22 @@ void *ReAlloc(void *addr, UINT size)
else
{
// Size changed
- MEMTAG *tag2 = InternalReAlloc(tag, CALC_MALLOCSIZE(size));
+ MEMTAG1 *tag1_new;
+ MEMTAG2 *tag2_new;
+
+ tag1->Magic = 0;
+ tag2->Magic = 0;
+
+ tag1_new = InternalReAlloc(tag1, CALC_MALLOCSIZE(size));
- Zero(tag2, sizeof(MEMTAG));
- tag2->Magic = MEMTAG_MAGIC;
- tag2->Size = size;
+ tag1_new->Magic = canary_memtag_magic1 ^ ((UINT64)tag1_new * GOLDEN_RATION_PRIME_U64);
+ tag1_new->Size = size;
+ tag1_new->ZeroFree = 0;
- return MEMTAG_TO_POINTER(tag2);
+ tag2_new = (MEMTAG2 *)(((UCHAR *)tag1_new) + CALC_MALLOCSIZE(size) - sizeof(MEMTAG2));
+ tag2_new->Magic = canary_memtag_magic2 ^ ((UINT64)tag2_new * GOLDEN_RATION_PRIME_U64);
+
+ return MEMTAG1_TO_POINTER(tag1_new);
}
}
}
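Review bot: In the size-changed branch both tag1->Magic and tag2->Magic are cleared before InternalReAlloc(tag1, CALC_MALLOCSIZE(size)), and tag1_new is then written to without a check, so if InternalReAlloc() can return NULL the store faults and the original block has already lost its tags. Please confirm the allocator aborts on failure or add the check. The three lines that stamp tag1_new and the two that stamp tag2_new repeat the logic in MallocEx(); a small helper that stamps both tags for a given base pointer and size would keep the canary formula in one place.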
@@ -4648,44 +4794,69 @@ void *ReAlloc(void *addr, UINT size)
// Free
void Free(void *addr)
{
- MEMTAG *tag;
+ MEMTAG1 *tag1;
+ MEMTAG2 *tag2;
// Validate arguments
if (IS_NULL_POINTER(addr))
{
return;
}
- tag = POINTER_TO_MEMTAG(addr);
- CheckMemTag(tag);
+ if (canary_inited == false)
+ {
+ InitCanaryRand();
+ }
+
+ tag1 = POINTER_TO_MEMTAG1(addr);
+ CheckMemTag1(tag1);
+
+ tag2 = (MEMTAG2 *)(((UCHAR *)tag1) + CALC_MALLOCSIZE(tag1->Size) - sizeof(MEMTAG2));
+ CheckMemTag2(tag2);
- if (tag->ZeroFree)
+ if (tag1->ZeroFree)
{
// Zero clear
- Zero(addr, tag->Size);
+ Zero(addr, tag1->Size);
}
// Memory release
- tag->Magic = 0;
- InternalFree(tag);
+ tag1->Magic = 0;
+ tag2->Magic = 0;
+ InternalFree(tag1);
+}
+
+// Check the memtag1
+void CheckMemTag1(MEMTAG1 *tag)
+{
+ // Validate arguments
+ if (tag == NULL)
+ {
+ AbortExitEx("CheckMemTag1: tag1 == NULL");
+ return;
+ }
+
+ if (tag->Magic != (canary_memtag_magic1 ^ ((UINT64)tag * GOLDEN_RATION_PRIME_U64)))
+ {
+ AbortExitEx("CheckMemTag1: tag1->Magic != canary_memtag_magic1");
+ return;
+ }
}
-// Check the memtag
-void CheckMemTag(MEMTAG *tag)
+// Check the memtag2
+void CheckMemTag2(MEMTAG2 *tag)
{
-#ifndef DONT_CHECK_HEAP
// Validate arguments
if (tag == NULL)
{
- AbortExitEx("CheckMemTag: tag == NULL");
+ AbortExitEx("CheckMemTag2: tag2 == NULL");
return;
}
- if (tag->Magic != MEMTAG_MAGIC)
+ if (tag->Magic != (canary_memtag_magic2 ^ ((UINT64)tag * GOLDEN_RATION_PRIME_U64)))
{
- AbortExitEx("CheckMemTag: tag->Magic != MEMTAG_MAGIC");
+ AbortExitEx("CheckMemTag2: tag2->Magic != canary_memtag_magic2");
return;
}
-#endif // DONT_CHECK_HEAP
}
// ZeroMalloc
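Review bot: CheckMemTag1() and CheckMemTag2() are no longer wrapped in #ifndef DONT_CHECK_HEAP as the removed CheckMemTag() was, so a build that defines DONT_CHECK_HEAP silently gets the checks anyway. If that is intended, say so in the commit message and remove the macro where it is defined. The abort strings "tag1->Magic != canary_memtag_magic1" and "tag2->Magic != canary_memtag_magic2" also no longer describe the comparison, which mixes in the tag address multiplied by GOLDEN_RATION_PRIME_U64; a message such as "heap canary mismatch" would be less misleading in a crash log.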
diff --git a/src/Mayaqua/Memory.h b/src/Mayaqua/Memory.h
index 1e71b72d..7ee137b3 100644
--- a/src/Mayaqua/Memory.h
+++ b/src/Mayaqua/Memory.h
@@ -109,16 +109,20 @@
#define MallocFast Malloc
#define ZeroMallocFast ZeroMalloc
+#define MAX_MALLOC_MEM_SIZE (0xffffffff - 64)
+
// Memory size that can be passed to the kernel at a time
#define MAX_SEND_BUF_MEM_SIZE (10 * 1024 * 1024)
-// The magic number for memory tag
-#define MEMTAG_MAGIC 0x49414449
+#define CALC_MALLOCSIZE(size) (((MAX(size, 1) + 7) / 8) * 8 + sizeof(MEMTAG1) + sizeof(MEMTAG2))
+#define MEMTAG1_TO_POINTER(p) ((void *)(((UCHAR *)(p)) + sizeof(MEMTAG1)))
+#define POINTER_TO_MEMTAG1(p) ((MEMTAG1 *)(((UCHAR *)(p)) - sizeof(MEMTAG1)))
+#define IS_NULL_POINTER(p) (((p) == NULL) || ((POINTER_TO_UINT64(p) == (UINT64)sizeof(MEMTAG1))))
-#define CALC_MALLOCSIZE(size) ((MAX(size, 1)) + sizeof(MEMTAG))
-#define MEMTAG_TO_POINTER(p) ((void *)(((UCHAR *)(p)) + sizeof(MEMTAG)))
-#define POINTER_TO_MEMTAG(p) ((MEMTAG *)(((UCHAR *)(p)) - sizeof(MEMTAG)))
-#define IS_NULL_POINTER(p) (((p) == NULL) || ((POINTER_TO_UINT64(p) == (UINT64)sizeof(MEMTAG))))
+// Golden Ratio Prime
+// From https://github.com/torvalds/linux/blob/88c5083442454e5e8a505b11fa16f32d2879651e/include/linux/hash.h
+#define GOLDEN_RATION_PRIME_U32 ((UINT32)0x61C88647)
+#define GOLDEN_RATION_PRIME_U64 ((UINT64)7046029254386353131ULL) // 0x61C8864680B583EB
// Fixed size of a block of memory pool
#define MEMPOOL_MAX_SIZE 3000
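Review bot: GOLDEN_RATION_PRIME_U32 and GOLDEN_RATION_PRIME_U64 misspell "RATIO", and the name is used at every tag-stamping and tag-checking site in Memory.c, so it is worth renaming now before more code depends on it. CALC_MALLOCSIZE(size) passes its argument to MAX(size, 1) unparenthesised; writing MAX((size), 1) protects against expression arguments. The 64-byte margin in MAX_MALLOC_MEM_SIZE has no comment: please state that it must cover the round-up to a multiple of 8 plus sizeof(MEMTAG1) + sizeof(MEMTAG2), so that a later change to either struct does not reintroduce an overflow in CALC_MALLOCSIZE.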
@@ -126,14 +130,18 @@
// Active patch
#define MAX_ACTIVE_PATCH 1024
-
-// Memory tag
-struct MEMTAG
+// Memory tag 1
+struct MEMTAG1
{
- UINT Magic;
+ UINT64 Magic;
UINT Size;
bool ZeroFree;
- UINT Padding;
+};
+
+// Memory tag 2
+struct MEMTAG2
+{
+ UINT64 Magic;
};
// Buffer
@@ -299,7 +307,8 @@ void *ZeroMalloc(UINT size);
void *ZeroMallocEx(UINT size, bool zero_clear_when_free);
void *ReAlloc(void *addr, UINT size);
void Free(void *addr);
-void CheckMemTag(MEMTAG *tag);
+void CheckMemTag1(MEMTAG1 *tag);
+void CheckMemTag2(MEMTAG2 *tag);
UINT GetMemSize(void *addr);
void *InternalMalloc(UINT size);
@@ -540,5 +549,15 @@ UINT* GenerateShuffleListWithSeed(UINT num, void* seed, UINT seed_size);
void Shuffle(UINT* array, UINT size);
void ShuffleWithSeed(UINT* array, UINT size, void* seed, UINT seed_size);
+#define NUM_CANARY_RAND 32
+#define CANARY_RAND_ID_MEMTAG_MAGIC 0
+#define CANARY_RAND_ID_PTR_KEY_HASH 1
+#define CANARY_RAND_SIZE 20
+
+
+
+void InitCanaryRand();
+UCHAR *GetCanaryRand(UINT id);
+
#endif // MEMORY_H
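Review bot: CANARY_RAND_SIZE is the bare literal 20, yet InitCanaryRand() fills each slot with Hash(..., true), so the value is really the digest length of that hash; defining it in terms of the digest-size constant, and commenting the "+ 4" on the Data array in Memory.c, would make the coupling explicit. CANARY_RAND_ID_PTR_KEY_HASH is defined here but not used in any hunk shown for Memory.c, so please note where it is consumed. The prototype void InitCanaryRand(); should be void InitCanaryRand(void); in C, otherwise it declares a function with unspecified parameters.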
diff --git a/src/Mayaqua/Network.c b/src/Mayaqua/Network.c
index 9a3b8f00..b3cbab7e 100644
--- a/src/Mayaqua/Network.c
+++ b/src/Mayaqua/Network.c
@@ -178,10 +178,10 @@ struct ROUTE_CHANGE_DATA
// HTTP constant
-static char http_404_str[] = "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">\r\n<HTML><HEAD>\r\n<TITLE>404 Not Found</TITLE>\r\n</HEAD><BODY>\r\n<H1>Not Found</H1>\r\nThe requested URL $TARGET$ was not found on this server.<P>\r\n<HR>\r\n<ADDRESS>HTTP Server at $HOST$ Port $PORT$</ADDRESS>\r\n</BODY></HTML>\r\n";
-static char http_403_str[] = "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">\r\n<HTML><HEAD>\r\n<TITLE>403 Forbidden</TITLE>\r\n</HEAD><BODY>\r\n<H1>Forbidden</H1>\r\nYou don't have permission to access $TARGET$\r\non this server.<P>\r\n<HR>\r\n<ADDRESS>HTTP Server at $HOST$ Port $PORT$</ADDRESS>\r\n</BODY></HTML>\r\n";
-static char http_500_str[] = "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">\r\n<HTML><HEAD>\r\n<TITLE>500 Server Error</TITLE>\r\n</HEAD><BODY>\r\n<H1>Server Error</H1>\r\nServer Error<P>\r\n<HR>\r\n<ADDRESS>HTTP Server at $HOST$ Port $PORT$</ADDRESS>\r\n</BODY></HTML>\r\n";
-static char http_501_str[] = "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">\r\n<HTML><HEAD>\r\n<TITLE>501 Method Not Implemented</TITLE>\r\n</HEAD><BODY>\r\n<H1>Method Not Implemented</H1>\r\n$METHOD$ to $TARGET$ not supported.<P>\r\nInvalid method in request $METHOD$ $TARGET$ $VERSION$<P>\r\n<HR>\r\n<ADDRESS>HTTP Server at $HOST$ Port $PORT$</ADDRESS>\r\n</BODY></HTML>\r\n";
+static char http_404_str[] = "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">\r\n<HTML><HEAD>\r\n<TITLE>404 Not Found</TITLE>\r\n</HEAD><BODY>\r\n<H1>Not Found</H1>\r\nThe requested URL $TARGET$ was not found on this server.<P>\r\n<HR>\r\n<ADDRESS>HTTPS Server</ADDRESS>\r\n</BODY></HTML>\r\n";
+static char http_403_str[] = "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">\r\n<HTML><HEAD>\r\n<TITLE>403 Forbidden</TITLE>\r\n</HEAD><BODY>\r\n<H1>Forbidden</H1>\r\nYou don't have permission to access $TARGET$\r\non this server.<P>\r\n<HR>\r\n<ADDRESS>HTTPS Server</ADDRESS>\r\n</BODY></HTML>\r\n";
+static char http_500_str[] = "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">\r\n<HTML><HEAD>\r\n<TITLE>500 Server Error</TITLE>\r\n</HEAD><BODY>\r\n<H1>Server Error</H1>\r\nServer Error<P>\r\n<HR>\r\n<ADDRESS>HTTPS Server</ADDRESS>\r\n</BODY></HTML>\r\n";
+static char http_501_str[] = "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">\r\n<HTML><HEAD>\r\n<TITLE>501 Method Not Implemented</TITLE>\r\n</HEAD><BODY>\r\n<H1>Method Not Implemented</H1>\r\n$METHOD$ to $TARGET$ not supported.<P>\r\nInvalid method in request $METHOD$ $TARGET$ $VERSION$<P>\r\n<HR>\r\n<ADDRESS>HTTPS Server</ADDRESS>\r\n</BODY></HTML>\r\n";
static char http_detect_server_startwith[] = "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">\r\n<HTML><HEAD>\r\n<TITLE>403 Forbidden</TITLE>\r\n</HEAD><BODY>\r\n<H1>Forbidden</H1>\r\nYou don't have permission to access ";
static char http_detect_server_tag_future[] = "9C37197CA7C2428388C2E6E59B829B30";
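Review bot: The four error templates drop $HOST$ and $PORT$ from the ADDRESS line but still interpolate $TARGET$, and the 501 page also $METHOD$ and $VERSION$, all of which come from the request; the substitution code is not part of this hunk, so please confirm those values are HTML-escaped before they are placed in the body. The replacement text "HTTPS Server" is fixed, so it will also be sent if any of these pages is ever served over plain HTTP. A neutral string would avoid that. http_detect_server_startwith is unchanged and still matches the start of http_403_str, which looks intentional.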
@@ -1474,7 +1474,9 @@ void RUDPProcess_NatT_Recv(RUDP_STACK *r, UDPPACKET *udp)
bool is_ok = PackGetBool(p, "ok");
UINT64 tran_id = PackGetInt64(p, "tran_id");
- ExtractAndApplyDynList(p);
+ // This ExtractAndApplyDynList() calling was removed because it is not actually used and could be abused by
+ // illegal UDP packets that spoof the source IP address. 2023-6-14 Daiyuu Nobori
+ // ExtractAndApplyDynList(p);
if (r->ServerMode)
{
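Review bot: In RUDPProcess_NatT_Recv() the call is disabled by commenting it out ("// ExtractAndApplyDynList(p);"), which leaves dead code behind; delete the line and keep only the two-line explanation, since the history preserves the old call. The comment says the function could be abused by UDP packets with a spoofed source address, so it would help to state whether other callers of ExtractAndApplyDynList() remain and whether they authenticate the sender, because only this one call site is visible here.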
@@ -5995,10 +5997,13 @@ int SslCertVerifyCallback(int preverify_ok, X509_STORE_CTX *ctx)
if (cert != NULL)
{
X *tmpX = X509ToX(cert); // this only wraps cert, but we need to make a copy
- X *copyX = CloneX(tmpX);
- tmpX->do_not_free = true; // do not release inner X509 object
- FreeX(tmpX);
- clientcert->X = copyX;
+ if (tmpX != NULL)
+ {
+ X *copyX = CloneX(tmpX);
+ tmpX->do_not_free = true; // do not release inner X509 object
+ FreeX(tmpX);
+ clientcert->X = copyX;
+ }
}
}
}
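Review bot: The new if (tmpX != NULL) guard in SslCertVerifyCallback() fixes the NULL dereference, but when X509ToX() fails clientcert->X is now left at whatever value it had before, and the result of CloneX(tmpX) is still assigned without being checked. Setting clientcert->X = NULL in an else branch, as the LocalX change in StartSSLWithSettings() does, would make the failure case explicit for code that later reads the certificate.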
@@ -13051,16 +13056,15 @@ void SetWantToUseCipher(SOCK *sock, char *name)
StrCat(tmp, sizeof(tmp), " ");
StrCat(tmp, sizeof(tmp), cipher_list);
-#if OPENSSL_VERSION_NUMBER >= 0x30000000L
- // OpenSSL 3.x has a bug. https://github.com/openssl/openssl/issues/13363 https://github.com/openssl/openssl/pull/13378
- // At 2021-09-08 this bug is reported as fixed on Github, but actually still exists on RC4-MD5.
- // So, with OpenSSL 3.0 we manually disable RC4-MD5 by default on both SSL server and SSL client.
+ if (IsSslLibVersionBuggyForRc4Md5())
+ {
+ // OpenSSL 3.0.0 to 3.0.2 has a bug with RC4-MD5. https://github.com/openssl/openssl/issues/13363 https://github.com/openssl/openssl/pull/13378
- // If the user specify "RC4-MD5", then "RC4-SHA" will be used manually.
+ // If the user specify "RC4-MD5", then "RC4-SHA" will be used manually.
- // Note: We can remove this code after OpenSSL 3.x will be fixed on this bug.
- ReplaceStrEx(tmp, sizeof(tmp), tmp, "RC4-MD5", "RC4-SHA", true);
-#endif
+ // Note: We can remove this code after OpenSSL 3.x will be fixed on this bug.
+ ReplaceStrEx(tmp, sizeof(tmp), tmp, "RC4-MD5", "RC4-SHA", true);
+ }
sock->WaitToUseCipher = CopyStr(tmp);
}
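Review bot: Inside the new if (IsSslLibVersionBuggyForRc4Md5()) block the retained line "Note: We can remove this code after OpenSSL 3.x will be fixed on this bug." contradicts the comment two lines above it, which now scopes the bug to OpenSSL 3.0.0 to 3.0.2. Please drop or reword the note. The move from a compile-time #if to a runtime call also means the behaviour depends on the library version that function inspects; its definition is outside this hunk, so a one-line comment on what it reads would help.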
@@ -13386,6 +13390,13 @@ SSL_CTX_SHARED* NewSslCtxSharedInternal(SSL_CTX_SHARED_SETTINGS* settings)
SSL_CTX_set_security_level(ssl_ctx, 0);
#endif
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
+ // For compatibility with OpenSSL 0.9.8l or older
+ // See https://www.openssl.org/docs/man1.0.2/man3/SSL_get_secure_renegotiation_support.html
+ SSL_CTX_set_options(ssl_ctx, SSL_OP_LEGACY_SERVER_CONNECT);
+ SSL_CTX_set_options(ssl_ctx, SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION);
+#endif
+
if (settings->Settings2.IsClient == false)
{
SSL_CTX_set_ssl_version(ssl_ctx, SSLv23_method());
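Review bot: In NewSslCtxSharedInternal() the added block sets SSL_OP_LEGACY_SERVER_CONNECT and SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION on every context built against OpenSSL 3.x, before the settings->Settings2.IsClient test, so both client and server contexts accept peers that lack secure renegotiation support, for all connections and not only those to old peers. The comment gives compatibility with OpenSSL 0.9.8l or older as the reason. Please make this an explicit opt-in setting that defaults to off, or at least restrict it to the side and the deployments that need it, and document the downgrade in the release notes.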
@@ -13874,14 +13885,11 @@ bool StartSSLWithSettings(SOCK* sock, UINT ssl_timeout, char* sni_hostname, SSL_
{
char* set_value = OPENSSL_DEFAULT_CIPHER_LIST;
-#if OPENSSL_VERSION_NUMBER >= 0x30000000L
- // OpenSSL 3.x has a bug. https://github.com/openssl/openssl/issues/13363 https://github.com/openssl/openssl/pull/13378
- // At 2021-09-08 this bug is reported as fixed on Github, but actually still exists on RC4-MD5.
- // So, with OpenSSL 3.0 we manually disable RC4-MD5 by default on both SSL server and SSL client.
-
- // Note: We can remove this code after OpenSSL 3.x will be fixed on this bug.
- set_value = OPENSSL_DEFAULT_CIPHER_LIST_NO_RC4_MD5;
-#endif
+ if (IsSslLibVersionBuggyForRc4Md5())
+ {
+ // OpenSSL 3.0.0 to 3.0.2 has a bug with RC4-MD5. https://github.com/openssl/openssl/issues/13363 https://github.com/openssl/openssl/pull/13378
+ set_value = OPENSSL_DEFAULT_CIPHER_LIST_NO_RC4_MD5;
+ }
SSL_set_cipher_list(sock->ssl, set_value);
}
@@ -14013,9 +14021,16 @@ bool StartSSLWithSettings(SOCK* sock, UINT ssl_timeout, char* sni_hostname, SSL_
X *local_x;
// Got a certificate
local_x = X509ToX(x509);
- local_x->do_not_free = true;
- sock->LocalX = CloneX(local_x);
- FreeX(local_x);
+ if (local_x != NULL)
+ {
+ local_x->do_not_free = true;
+ sock->LocalX = CloneX(local_x);
+ FreeX(local_x);
+ }
+ else
+ {
+ sock->LocalX = NULL;
+ }
}
// Automatic retry mode
@@ -18754,6 +18769,13 @@ struct ssl_ctx_st *NewSSLCtx(bool server_mode)
SSL_CTX_set_security_level(ctx, 0);
#endif
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
+ // For compatibility with OpenSSL 0.9.8l or older
+ // See https://www.openssl.org/docs/man1.0.2/man3/SSL_get_secure_renegotiation_support.html
+ SSL_CTX_set_options(ctx, SSL_OP_LEGACY_SERVER_CONNECT);
+ SSL_CTX_set_options(ctx, SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION);
+#endif
+
return ctx;
}
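Review bot: NewSSLCtx() receives the same two SSL_CTX_set_options() calls that were added to NewSslCtxSharedInternal(), so the legacy-renegotiation policy now lives in two copies. Moving them into one helper that takes the SSL_CTX pointer would ensure a later decision to gate or remove the options is applied to both paths.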
diff --git a/src/Mayaqua/Tick64.c b/src/Mayaqua/Tick64.c
index ffaabde5..d3b1cb02 100644
--- a/src/Mayaqua/Tick64.c
+++ b/src/Mayaqua/Tick64.c
@@ -139,6 +139,23 @@ UINT64 TickHighres64()
return ret;
}
+UINT64 TickHighresNano64(bool raw)
+{
+ UINT64 ret = 0;
+
+#ifdef OS_WIN32
+
+ ret = (UINT64)(MsGetHiResTimeSpan(MsGetHiResCounter()) * 1000000000.0f);
+
+#else // OS_WIN32
+
+ ret = UnixGetHighresTickNano64(raw);
+
+#endif // OS_WIN32
+
+ return ret;
+}
+
// Convert the Tick value to time
UINT64 Tick64ToTime64(UINT64 tick)
{
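Review bot: In TickHighresNano64() the raw parameter is ignored on the OS_WIN32 path, where only MsGetHiResTimeSpan(MsGetHiResCounter()) is used; please document that raw has an effect only on Unix. The multiplier is written as the single-precision literal 1000000000.0f. Using 1000000000.0 makes it clear the nanosecond conversion is meant to be done in double precision.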
diff --git a/src/Mayaqua/Tick64.h b/src/Mayaqua/Tick64.h
index 1925191d..32c66cf4 100644
--- a/src/Mayaqua/Tick64.h
+++ b/src/Mayaqua/Tick64.h
@@ -144,6 +144,7 @@ UINT64 Diff64(UINT64 a, UINT64 b);
UINT64 Tick64ToTime64(UINT64 tick);
UINT64 TickToTime(UINT64 tick);
UINT64 TickHighres64();
+UINT64 TickHighresNano64(bool raw);
#endif // TICK64_H
diff --git a/src/Mayaqua/Unix.c b/src/Mayaqua/Unix.c
index ff84d35d..c988ea26 100644
--- a/src/Mayaqua/Unix.c
+++ b/src/Mayaqua/Unix.c
@@ -2114,6 +2114,68 @@ void UnixGetSystemTime(SYSTEMTIME *system_time)
pthread_mutex_unlock(&get_time_lock);
}
+UINT64 UnixGetHighresTickNano64(bool raw)
+{
+#if defined(OS_WIN32) || defined(CLOCK_REALTIME) || defined(CLOCK_MONOTONIC) || defined(CLOCK_HIGHRES)
+ struct timespec t;
+ UINT64 ret;
+ static bool akirame = false;
+
+ if (akirame)
+ {
+ return UnixGetTick64() * 1000000ULL;
+ }
+
+ Zero(&t, sizeof(t));
+
+ if (raw == false)
+ {
+ // Function to get the boot time of the system
+ // Be careful. The Implementation is depend on the system.
+#ifdef CLOCK_HIGHRES
+ clock_gettime(CLOCK_HIGHRES, &t);
+#else // CLOCK_HIGHRES
+#ifdef CLOCK_MONOTONIC
+ clock_gettime(CLOCK_MONOTONIC, &t);
+#else // CLOCK_MONOTONIC
+ clock_gettime(CLOCK_REALTIME, &t);
+#endif // CLOCK_MONOTONIC
+#endif // CLOCK_HIGHRES
+ }
+ else
+ {
+ // Function to get the boot time of the system
+ // Be careful. The Implementation is depend on the system.
+#ifdef CLOCK_HIGHRES
+ clock_gettime(CLOCK_HIGHRES, &t);
+#else // CLOCK_HIGHRES
+#ifdef CLOCK_MONOTONIC_RAW
+ clock_gettime(CLOCK_MONOTONIC_RAW, &t);
+#else // CLOCK_MONOTONIC_RAW
+#ifdef CLOCK_MONOTONIC
+ clock_gettime(CLOCK_MONOTONIC, &t);
+#else // CLOCK_MONOTONIC
+ clock_gettime(CLOCK_REALTIME, &t);
+#endif // CLOCK_MONOTONIC
+#endif // CLOCK_MONOTONIC_RAW
+#endif // CLOCK_HIGHRES
+ }
+
+ ret = ((UINT64)((UINT32)t.tv_sec)) * 1000000000LL + (UINT64)t.tv_nsec;
+
+ if (akirame == false && ret == 0)
+ {
+ ret = UnixGetTick64() * 1000000ULL;
+ akirame = true;
+ }
+
+ return ret;
+
+#else
+ return UnixGetTick64() * 1000000ULL;
+#endif
+}
+
// Get the system timer (64bit)
UINT64 UnixGetTick64()
{
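Review bot: UnixGetHighresTickNano64() ignores the return value of every clock_gettime() call and detects failure only through ret == 0 after the fact; checking the return code directly would be clearer and would not treat a legitimate zero reading as an error. The cast (UINT64)((UINT32)t.tv_sec) truncates the seconds to 32 bits before the multiplication, so please confirm that is intended. The static flag akirame is read and written without synchronisation and would be easier to follow with an English name such as use_fallback. The comment "Function to get the boot time of the system" is duplicated in both branches and does not describe what the raw branch does differently, and defined(OS_WIN32) in the outer #if looks out of place in Unix.c.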
diff --git a/src/Mayaqua/Unix.h b/src/Mayaqua/Unix.h
index b8f2351f..aed9e6cf 100644
--- a/src/Mayaqua/Unix.h
+++ b/src/Mayaqua/Unix.h
@@ -214,6 +214,7 @@ void UnixRestoreThreadPriority();
void UnixSetResourceLimit(UINT id, UINT64 value);
bool UnixIs64BitRlimSupported();
UINT64 UnixGetTick64();
+UINT64 UnixGetHighresTickNano64(bool raw);
void UnixSigChldHandler(int sig);
void UnixCloseIO();
void UnixDaemon(bool debug_mode);
diff --git a/src/Mayaqua/win32_inc/openssl/cmp.h b/src/Mayaqua/win32_inc/openssl/cmp.h
index e28c9ac1..7bc98500 100644
--- a/src/Mayaqua/win32_inc/openssl/cmp.h
+++ b/src/Mayaqua/win32_inc/openssl/cmp.h
@@ -2,7 +2,7 @@
* WARNING: do not edit!
* Generated by makefile from include\openssl\cmp.h.in
*
- * Copyright 2007-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2007-2023 The OpenSSL Project Authors. All Rights Reserved.
* Copyright Nokia 2007-2019
* Copyright Siemens AG 2015-2019
*
@@ -193,13 +193,16 @@ typedef ASN1_BIT_STRING OSSL_CMP_PKIFAILUREINFO;
* -- CertReqMsg
* }
*/
-# define OSSL_CMP_PKISTATUS_accepted 0
-# define OSSL_CMP_PKISTATUS_grantedWithMods 1
-# define OSSL_CMP_PKISTATUS_rejection 2
-# define OSSL_CMP_PKISTATUS_waiting 3
-# define OSSL_CMP_PKISTATUS_revocationWarning 4
+# define OSSL_CMP_PKISTATUS_request -3
+# define OSSL_CMP_PKISTATUS_trans -2
+# define OSSL_CMP_PKISTATUS_unspecified -1
+# define OSSL_CMP_PKISTATUS_accepted 0
+# define OSSL_CMP_PKISTATUS_grantedWithMods 1
+# define OSSL_CMP_PKISTATUS_rejection 2
+# define OSSL_CMP_PKISTATUS_waiting 3
+# define OSSL_CMP_PKISTATUS_revocationWarning 4
# define OSSL_CMP_PKISTATUS_revocationNotification 5
-# define OSSL_CMP_PKISTATUS_keyUpdateWarning 6
+# define OSSL_CMP_PKISTATUS_keyUpdateWarning 6
typedef ASN1_INTEGER OSSL_CMP_PKISTATUS;
DECLARE_ASN1_ITEM(OSSL_CMP_PKISTATUS)
@@ -439,11 +442,12 @@ int OSSL_CMP_CTX_build_cert_chain(OSSL_CMP_CTX *ctx, X509_STORE *own_trusted,
int OSSL_CMP_CTX_set1_pkey(OSSL_CMP_CTX *ctx, EVP_PKEY *pkey);
int OSSL_CMP_CTX_set1_referenceValue(OSSL_CMP_CTX *ctx,
const unsigned char *ref, int len);
-int OSSL_CMP_CTX_set1_secretValue(OSSL_CMP_CTX *ctx, const unsigned char *sec,
- const int len);
+int OSSL_CMP_CTX_set1_secretValue(OSSL_CMP_CTX *ctx,
+ const unsigned char *sec, int len);
/* CMP message header and extra certificates: */
int OSSL_CMP_CTX_set1_recipient(OSSL_CMP_CTX *ctx, const X509_NAME *name);
int OSSL_CMP_CTX_push0_geninfo_ITAV(OSSL_CMP_CTX *ctx, OSSL_CMP_ITAV *itav);
+int OSSL_CMP_CTX_reset_geninfo_ITAVs(OSSL_CMP_CTX *ctx);
int OSSL_CMP_CTX_set1_extraCertsOut(OSSL_CMP_CTX *ctx,
STACK_OF(X509) *extraCertsOut);
/* certificate template: */
@@ -499,6 +503,7 @@ ASN1_OCTET_STRING *OSSL_CMP_HDR_get0_recipNonce(const OSSL_CMP_PKIHEADER *hdr);
OSSL_CMP_PKIHEADER *OSSL_CMP_MSG_get0_header(const OSSL_CMP_MSG *msg);
int OSSL_CMP_MSG_get_bodytype(const OSSL_CMP_MSG *msg);
int OSSL_CMP_MSG_update_transactionID(OSSL_CMP_CTX *ctx, OSSL_CMP_MSG *msg);
+int OSSL_CMP_MSG_update_recipNonce(OSSL_CMP_CTX *ctx, OSSL_CMP_MSG *msg);
OSSL_CRMF_MSG *OSSL_CMP_CTX_setup_CRM(OSSL_CMP_CTX *ctx, int for_KUR, int rid);
OSSL_CMP_MSG *OSSL_CMP_MSG_read(const char *file, OSSL_LIB_CTX *libctx,
const char *propq);
diff --git a/src/Mayaqua/win32_inc/openssl/cmperr.h b/src/Mayaqua/win32_inc/openssl/cmperr.h
index a0dbea28..081551b2 100644
--- a/src/Mayaqua/win32_inc/openssl/cmperr.h
+++ b/src/Mayaqua/win32_inc/openssl/cmperr.h
@@ -1,6 +1,6 @@
/*
* Generated by util/mkerr.pl DO NOT EDIT
- * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -67,9 +67,13 @@
# define CMP_R_MISSING_P10CSR 121
# define CMP_R_MISSING_PBM_SECRET 166
# define CMP_R_MISSING_PRIVATE_KEY 131
+# define CMP_R_MISSING_PRIVATE_KEY_FOR_POPO 190
# define CMP_R_MISSING_PROTECTION 143
+# define CMP_R_MISSING_PUBLIC_KEY 183
# define CMP_R_MISSING_REFERENCE_CERT 168
+# define CMP_R_MISSING_SECRET 178
# define CMP_R_MISSING_SENDER_IDENTIFICATION 111
+# define CMP_R_MISSING_TRUST_ANCHOR 179
# define CMP_R_MISSING_TRUST_STORE 144
# define CMP_R_MULTIPLE_REQUESTS_NOT_SUPPORTED 161
# define CMP_R_MULTIPLE_RESPONSES_NOT_SUPPORTED 170
diff --git a/src/Mayaqua/win32_inc/openssl/cmserr.h b/src/Mayaqua/win32_inc/openssl/cmserr.h
index 90115144..9cfa1445 100644
--- a/src/Mayaqua/win32_inc/openssl/cmserr.h
+++ b/src/Mayaqua/win32_inc/openssl/cmserr.h
@@ -105,6 +105,7 @@
# define CMS_R_UNKNOWN_DIGEST_ALGORITHM 149
# define CMS_R_UNKNOWN_ID 150
# define CMS_R_UNSUPPORTED_COMPRESSION_ALGORITHM 151
+# define CMS_R_UNSUPPORTED_CONTENT_ENCRYPTION_ALGORITHM 194
# define CMS_R_UNSUPPORTED_CONTENT_TYPE 152
# define CMS_R_UNSUPPORTED_ENCRYPTION_TYPE 192
# define CMS_R_UNSUPPORTED_KEK_ALGORITHM 153
diff --git a/src/Mayaqua/win32_inc/openssl/dsaerr.h b/src/Mayaqua/win32_inc/openssl/dsaerr.h
index efe63910..c88b0ac8 100644
--- a/src/Mayaqua/win32_inc/openssl/dsaerr.h
+++ b/src/Mayaqua/win32_inc/openssl/dsaerr.h
@@ -1,6 +1,6 @@
/*
* Generated by util/mkerr.pl DO NOT EDIT
- * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -38,6 +38,7 @@
# define DSA_R_P_NOT_PRIME 115
# define DSA_R_Q_NOT_PRIME 113
# define DSA_R_SEED_LEN_SMALL 110
+# define DSA_R_TOO_MANY_RETRIES 116
# endif
#endif
diff --git a/src/Mayaqua/win32_inc/openssl/ecerr.h b/src/Mayaqua/win32_inc/openssl/ecerr.h
index 579c47ca..d5895586 100644
--- a/src/Mayaqua/win32_inc/openssl/ecerr.h
+++ b/src/Mayaqua/win32_inc/openssl/ecerr.h
@@ -1,6 +1,6 @@
/*
* Generated by util/mkerr.pl DO NOT EDIT
- * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -90,6 +90,7 @@
# define EC_R_RANDOM_NUMBER_GENERATION_FAILED 158
# define EC_R_SHARED_INFO_ERROR 150
# define EC_R_SLOT_FULL 108
+# define EC_R_TOO_MANY_RETRIES 176
# define EC_R_UNDEFINED_GENERATOR 113
# define EC_R_UNDEFINED_ORDER 128
# define EC_R_UNKNOWN_COFACTOR 164
diff --git a/src/Mayaqua/win32_inc/openssl/opensslv.h b/src/Mayaqua/win32_inc/openssl/opensslv.h
index 4d8af160..5de8dcd6 100644
--- a/src/Mayaqua/win32_inc/openssl/opensslv.h
+++ b/src/Mayaqua/win32_inc/openssl/opensslv.h
@@ -29,7 +29,7 @@ extern "C" {
*/
# define OPENSSL_VERSION_MAJOR 3
# define OPENSSL_VERSION_MINOR 0
-# define OPENSSL_VERSION_PATCH 7
+# define OPENSSL_VERSION_PATCH 9
/*
* Additional version information
@@ -74,21 +74,21 @@ extern "C" {
* longer variant with OPENSSL_VERSION_PRE_RELEASE_STR and
* OPENSSL_VERSION_BUILD_METADATA_STR appended.
*/
-# define OPENSSL_VERSION_STR "3.0.7"
-# define OPENSSL_FULL_VERSION_STR "3.0.7"
+# define OPENSSL_VERSION_STR "3.0.9"
+# define OPENSSL_FULL_VERSION_STR "3.0.9"
/*
* SECTION 3: ADDITIONAL METADATA
*
* These strings are defined separately to allow them to be parsable.
*/
-# define OPENSSL_RELEASE_DATE "1 Nov 2022"
+# define OPENSSL_RELEASE_DATE "30 May 2023"
/*
* SECTION 4: BACKWARD COMPATIBILITY
*/
-# define OPENSSL_VERSION_TEXT "OpenSSL 3.0.7 1 Nov 2022"
+# define OPENSSL_VERSION_TEXT "OpenSSL 3.0.9 30 May 2023"
/* Synthesize OPENSSL_VERSION_NUMBER with the layout 0xMNN00PPSL */
# ifdef OPENSSL_VERSION_PRE_RELEASE
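Review bot: OPENSSL_VERSION_PATCH and the version strings in this vendored header move from 3.0.7 to 3.0.9, while the matching libeay32.lib and ssleay32.lib files change in the same commit as opaque binaries, so nothing in the diff lets a reviewer confirm the libraries were built from the 3.0.9 sources these headers describe. Recording the source archive hash and build options next to the libraries would make the update verifiable.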
diff --git a/src/Mayaqua/win32_inc/openssl/sslerr.h b/src/Mayaqua/win32_inc/openssl/sslerr.h
index c8269f0a..a55e17bb 100644
--- a/src/Mayaqua/win32_inc/openssl/sslerr.h
+++ b/src/Mayaqua/win32_inc/openssl/sslerr.h
@@ -150,6 +150,7 @@
# define SSL_R_INVALID_SRP_USERNAME 357
# define SSL_R_INVALID_STATUS_RESPONSE 328
# define SSL_R_INVALID_TICKET_KEYS_LENGTH 325
+# define SSL_R_LEGACY_SIGALG_DISALLOWED_OR_UNSUPPORTED 333
# define SSL_R_LENGTH_MISMATCH 159
# define SSL_R_LENGTH_TOO_LONG 404
# define SSL_R_LENGTH_TOO_SHORT 160
diff --git a/src/Mayaqua/win32_inc/openssl/trace.h b/src/Mayaqua/win32_inc/openssl/trace.h
index aaaa6962..dda1fa6b 100644
--- a/src/Mayaqua/win32_inc/openssl/trace.h
+++ b/src/Mayaqua/win32_inc/openssl/trace.h
@@ -1,5 +1,5 @@
/*
- * Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -43,10 +43,8 @@ extern "C" {
# define OSSL_TRACE_CATEGORY_TLS 3
# define OSSL_TRACE_CATEGORY_TLS_CIPHER 4
# define OSSL_TRACE_CATEGORY_CONF 5
-# ifndef OPENSSL_NO_ENGINE
-# define OSSL_TRACE_CATEGORY_ENGINE_TABLE 6
-# define OSSL_TRACE_CATEGORY_ENGINE_REF_COUNT 7
-# endif
+# define OSSL_TRACE_CATEGORY_ENGINE_TABLE 6
+# define OSSL_TRACE_CATEGORY_ENGINE_REF_COUNT 7
# define OSSL_TRACE_CATEGORY_PKCS5V2 8
# define OSSL_TRACE_CATEGORY_PKCS12_KEYGEN 9
# define OSSL_TRACE_CATEGORY_PKCS12_DECRYPT 10
diff --git a/src/Mayaqua/win32_inc/openssl/x509v3.h b/src/Mayaqua/win32_inc/openssl/x509v3.h
index 97a6a6f2..b07ae3f9 100644
--- a/src/Mayaqua/win32_inc/openssl/x509v3.h
+++ b/src/Mayaqua/win32_inc/openssl/x509v3.h
@@ -2,7 +2,7 @@
* WARNING: do not edit!
* Generated by makefile from include\openssl\x509v3.h.in
*
- * Copyright 1999-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1999-2023 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -177,7 +177,7 @@ typedef struct GENERAL_NAME_st {
OTHERNAME *otherName; /* otherName */
ASN1_IA5STRING *rfc822Name;
ASN1_IA5STRING *dNSName;
- ASN1_TYPE *x400Address;
+ ASN1_STRING *x400Address;
X509_NAME *directoryName;
EDIPARTYNAME *ediPartyName;
ASN1_IA5STRING *uniformResourceIdentifier;
diff --git a/src/WARNING.TXT b/src/WARNING.TXT
index c220a0bd..0e730a89 100644
--- a/src/WARNING.TXT
+++ b/src/WARNING.TXT
@@ -585,3 +585,41 @@ functions. Therefore, in such a case, you must disable the P2P Relay Function
on the VPN Gate Client manually by setting the "DisableRelayServer" flag if
you reside in such a restricted area, in your own responsibility.
+SoftEther VPN and VPN Gate (where applicable) are provided, distributed and
+operated under the responsibility of SoftEther Corporation (Corporate Number:
+1050001016519, Tsukuba, Ibaraki, Japan). These projects were researched and
+developed in collaboration with Tsukuba University, a national university in
+Japan.
+
+THIS SOFTWARE IS DEVELOPED IN JAPAN, AND DISTRIBUTED FROM JAPAN, UNDER
+JAPANESE LAWS. YOU MUST AGREE IN ADVANCE TO USE, COPY, MODIFY, MERGE, PUBLISH,
+DISTRIBUTE, SUBLICENSE, AND/OR SELL COPIES OF THIS SOFTWARE, THAT ANY
+JURIDICAL DISPUTES WHICH ARE CONCERNED TO THIS SOFTWARE OR ITS CONTENTS,
+AGAINST US (SOFTETHER CORPORATION OR OTHER SUPPLIERS), OR ANY JURIDICAL
+DISPUTES AGAINST US WHICH ARE CAUSED BY ANY KIND OF USING, COPYING, MODIFYING,
+MERGING, PUBLISHING, DISTRIBUTING, SUBLICENSING, AND/OR SELLING COPIES OF THIS
+SOFTWARE SHALL BE REGARDED AS BE CONSTRUED AND CONTROLLED BY JAPANESE LAWS,
+AND YOU MUST FURTHER CONSENT TO EXCLUSIVE JURISDICTION AND VENUE IN THE COURTS
+SITTING IN TOKYO, JAPAN. YOU MUST WAIVE ALL DEFENSES OF LACK OF PERSONAL
+JURISDICTION AND FORUM NON CONVENIENS. PROCESS MAY BE SERVED ON EITHER PARTY
+IN THE MANNER AUTHORIZED BY APPLICABLE LAW OR COURT RULE.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+SUPPLIERS, PROVIDERS, OPERATORS, AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR
+ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT
+OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE
+USE OR OTHER DEALINGS IN THE SOFTWARE.
+
+IMPORTANT NOTE: USE OF THIS SOFTWARE AND SERVICE BY INDIVIDUALS TO WHOM THE
+CONSUMER CONTRACT ACT APPLIES IS NOT ALLOWED. THIS SOFTWARE IS INTENDED FOR
+PROFESSIONALS AND IS NOT DESIGNED FOR PURELY BUSINESS-UNRELATED CONSUMERS.
+THIS SOFTWARE AND SERVICE MAY BE USED ONLY FOR BUSINESS, COMMERCIAL,
+NON-PROFIT, ORGANIZATIONAL OPERATIONS, RESEARCH AND DEVELOPMENT PURPOSES OR
+OTHER NON-CONSUMPTIVE PURPOSES. THIS SOFTWARE IS NOT INTENDED FOR USE BY
+CONSUMERS. THIS SOFTWARE MAY NOT BE USED BY ANY INDIVIDUAL TO WHOM THE
+CONSUMER RIGHTS PROTECTIONS IN THE CONSUMER CONTRACT ACT OF JAPAN OR
+EQUIVALENT LAWS OF OTHER COUNTRIES APPLY. IF AN INDIVIDUAL USES THE SOFTWARE,
+THE USE OF THE SOFTWARE SHALL BE DEEMED TO BE FOR BUSINESS PURPOSES.
+
diff --git a/src/bin/hamcore/eula.txt b/src/bin/hamcore/eula.txt
index a7dec475..1e7346de 100644
--- a/src/bin/hamcore/eula.txt
+++ b/src/bin/hamcore/eula.txt
@@ -11,15 +11,25 @@ Unless required by applicable law or agreed to in writing, software distributed
See the License for the specific language governing permissions and limitations under the License.
+RESPONSIBLE ENTITY
+==================
+
+PacketiX VPN and VPN Gate (where applicable) are provided, distributed and operated under the responsibility of SoftEther Corporation (Corporate Number: 1050001016519, Tsukuba, Ibaraki, Japan). These projects were researched and developed in collaboration with Tsukuba University, a national university in Japan.
+
+THIS SOFTWARE IS DEVELOPED IN JAPAN, AND DISTRIBUTED FROM JAPAN, UNDER JAPANESE LAWS. YOU MUST AGREE IN ADVANCE TO USE, COPY, MODIFY, MERGE, PUBLISH, DISTRIBUTE, SUBLICENSE, AND/OR SELL COPIES OF THIS SOFTWARE, THAT ANY JURIDICAL DISPUTES WHICH ARE CONCERNED TO THIS SOFTWARE OR ITS CONTENTS, AGAINST US (SOFTETHER CORPORATION OR OTHER SUPPLIERS), OR ANY JURIDICAL DISPUTES AGAINST US WHICH ARE CAUSED BY ANY KIND OF USING, COPYING, MODIFYING, MERGING, PUBLISHING, DISTRIBUTING, SUBLICENSING, AND/OR SELLING COPIES OF THIS SOFTWARE SHALL BE REGARDED AS BE CONSTRUED AND CONTROLLED BY JAPANESE LAWS, AND YOU MUST FURTHER CONSENT TO EXCLUSIVE JURISDICTION AND VENUE IN THE COURTS SITTING IN TOKYO, JAPAN. YOU MUST WAIVE ALL DEFENSES OF LACK OF PERSONAL JURISDICTION AND FORUM NON CONVENIENS. PROCESS MAY BE SERVED ON EITHER PARTY IN THE MANNER AUTHORIZED BY APPLICABLE LAW OR COURT RULE.
+
+
DISCLAIMER
==========
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE SUPPLIERS, PROVIDERS, OPERATORS, AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
-THIS SOFTWARE IS DEVELOPED IN JAPAN, AND DISTRIBUTED FROM JAPAN, UNDER JAPANESE LAWS. YOU MUST AGREE IN ADVANCE TO USE, COPY, MODIFY, MERGE, PUBLISH, DISTRIBUTE, SUBLICENSE, AND/OR SELL COPIES OF THIS SOFTWARE, THAT ANY JURIDICAL DISPUTES WHICH ARE CONCERNED TO THIS SOFTWARE OR ITS CONTENTS, AGAINST US (SOFTETHER PROJECT, SOFTETHER CORPORATION, DAIYUU NOBORI OR OTHER SUPPLIERS), OR ANY JURIDICAL DISPUTES AGAINST US WHICH ARE CAUSED BY ANY KIND OF USING, COPYING, MODIFYING, MERGING, PUBLISHING, DISTRIBUTING, SUBLICENSING, AND/OR SELLING COPIES OF THIS SOFTWARE SHALL BE REGARDED AS BE CONSTRUED AND CONTROLLED BY JAPANESE LAWS, AND YOU MUST FURTHER CONSENT TO EXCLUSIVE JURISDICTION AND VENUE IN THE COURTS SITTING IN TOKYO, JAPAN. YOU MUST WAIVE ALL DEFENSES OF LACK OF PERSONAL JURISDICTION AND FORUM NON CONVENIENS. PROCESS MAY BE SERVED ON EITHER PARTY IN THE MANNER AUTHORIZED BY APPLICABLE LAW OR COURT RULE.
+THIS SOFTWARE IS DEVELOPED IN JAPAN, AND DISTRIBUTED FROM JAPAN, UNDER JAPANESE LAWS. YOU MUST AGREE IN ADVANCE TO USE, COPY, MODIFY, MERGE, PUBLISH, DISTRIBUTE, SUBLICENSE, AND/OR SELL COPIES OF THIS SOFTWARE, THAT ANY JURIDICAL DISPUTES WHICH ARE CONCERNED TO THIS SOFTWARE OR ITS CONTENTS, AGAINST US (SOFTETHER CORPORATION OR OTHER SUPPLIERS), OR ANY JURIDICAL DISPUTES AGAINST US WHICH ARE CAUSED BY ANY KIND OF USING, COPYING, MODIFYING, MERGING, PUBLISHING, DISTRIBUTING, SUBLICENSING, AND/OR SELLING COPIES OF THIS SOFTWARE SHALL BE REGARDED AS BE CONSTRUED AND CONTROLLED BY JAPANESE LAWS, AND YOU MUST FURTHER CONSENT TO EXCLUSIVE JURISDICTION AND VENUE IN THE COURTS SITTING IN TOKYO, JAPAN. YOU MUST WAIVE ALL DEFENSES OF LACK OF PERSONAL JURISDICTION AND FORUM NON CONVENIENS. PROCESS MAY BE SERVED ON EITHER PARTY IN THE MANNER AUTHORIZED BY APPLICABLE LAW OR COURT RULE.
USE ONLY IN JAPAN. DO NOT USE THIS SOFTWARE IN ANOTHER COUNTRY UNLESS YOU HAVE A CONFIRMATION THAT THIS SOFTWARE DOES NOT VIOLATE ANY CRIMINAL LAWS OR CIVIL RIGHTS IN THAT PARTICULAR COUNTRY. USING THIS SOFTWARE IN OTHER COUNTRIES IS COMPLETELY AT YOUR OWN RISK. THE SOFTETHER VPN PROJECT HAS DEVELOPED AND DISTRIBUTED THIS SOFTWARE TO COMPLY ONLY WITH THE JAPANESE LAWS AND EXISTING CIVIL RIGHTS INCLUDING PATENTS WHICH ARE SUBJECTS APPLY IN JAPAN. OTHER COUNTRIES' LAWS OR CIVIL RIGHTS ARE NONE OF OUR CONCERNS NOR RESPONSIBILITIES. WE HAVE NEVER INVESTIGATED ANY CRIMINAL REGULATIONS, CIVIL LAWS OR INTELLECTUAL PROPERTY RIGHTS INCLUDING PATENTS IN ANY OF OTHER 200+ COUNTRIES AND TERRITORIES. BY NATURE, THERE ARE 200+ REGIONS IN THE WORLD, WITH DIFFERENT LAWS. IT IS IMPOSSIBLE TO VERIFY EVERY COUNTRIES' LAWS, REGULATIONS AND CIVIL RIGHTS TO MAKE THE SOFTWARE COMPLY WITH ALL COUNTRIES' LAWS BY THE PROJECT. EVEN IF YOU WILL BE SUED BY A PRIVATE ENTITY OR BE DAMAGED BY A PUBLIC SERVANT IN YOUR COUNTRY, THE DEVELOPERS OF THIS SOFTWARE WILL NEVER BE LIABLE TO RECOVER OR COMPENSATE SUCH DAMAGES, CRIMINAL OR CIVIL
RESPONSIBILITIES. NOTE THAT THIS LINE IS NOT LICENSE RESTRICTION BUT JUST A STATEMENT FOR WARNING AND DISCLAIMER.
+IMPORTANT NOTE: USE OF THIS SOFTWARE AND SERVICE BY INDIVIDUALS TO WHOM THE CONSUMER CONTRACT ACT APPLIES IS NOT ALLOWED. THIS SOFTWARE IS INTENDED FOR PROFESSIONALS AND IS NOT DESIGNED FOR PURELY BUSINESS-UNRELATED CONSUMERS. THIS SOFTWARE AND SERVICE MAY BE USED ONLY FOR BUSINESS, COMMERCIAL, NON-PROFIT, ORGANIZATIONAL OPERATIONS, RESEARCH AND DEVELOPMENT PURPOSES OR OTHER NON-CONSUMPTIVE PURPOSES. THIS SOFTWARE IS NOT INTENDED FOR USE BY CONSUMERS. THIS SOFTWARE MAY NOT BE USED BY ANY INDIVIDUAL TO WHOM THE CONSUMER RIGHTS PROTECTIONS IN THE CONSUMER CONTRACT ACT OF JAPAN OR EQUIVALENT LAWS OF OTHER COUNTRIES APPLY. IF AN INDIVIDUAL USES THE SOFTWARE, THE USE OF THE SOFTWARE SHALL BE DEEMED TO BE FOR BUSINESS PURPOSES.
+
READ AND UNDERSTAND THE 'src/WARNING.TXT' FILE BEFORE USING THIS SOFTWARE. SOME SOFTWARE PROGRAMS FROM THIRD PARTIES ARE INCLUDED ON THIS SOFTWARE WITH LICENSE CONDITIONS WHICH ARE DESCRIBED ON THE 'src/THIRD_PARTY.TXT' FILE.
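Review bot: the jurisdiction paragraph ("THIS SOFTWARE IS DEVELOPED IN JAPAN ... APPLICABLE LAW OR COURT RULE.") is added under the new RESPONSIBLE ENTITY heading and also kept, in its edited form, under DISCLAIMER, so the resulting eula.txt carries the same paragraph twice. Keep it in one place only. The new entity sentence here also names "PacketiX VPN and VPN Gate", while the matching sentence added to warning_en.txt, warning_cn.txt and warning_ja.txt in this commit names "SoftEther VPN and VPN Gate"; confirm which product name belongs in this file.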
diff --git a/src/bin/hamcore/strtable_cn.stb b/src/bin/hamcore/strtable_cn.stb
index 597c8e9c..4031eb8b 100644
--- a/src/bin/hamcore/strtable_cn.stb
+++ b/src/bin/hamcore/strtable_cn.stb
@@ -2437,7 +2437,7 @@ STATIC1 您可以更改 VPN Client 的设置
STATIC2 远程管理(&E)
STATIC3 您可以通过使用 VPN Client 管理器远程模式从另一台计算机上远程管理 VPN Client 服务程序。
R_ALLOW_REMOTE_CONFIG 允许 VPN Client 服务的远程管理(&R)
-S_WARNING 建议您在允许远程管理时设置密码。在菜单里选择“工具” >“设置密码”来设置密码。
+S_WARNING 如果你允许远程管理,你必须设置一个密码。在菜单里选择“工具” >“设置密码”来设置密码。必须重新启动 VPN Client 服务,以应用远程管理可用性的配置变化。
STATIC4 在通讯闲置一段时间后自动断开互联网连接的环境下,可以通过向互联网上任意主机发送假数据包的方式来保持互联网连接。
R_USE_KEEP_CONNECT 使用保持 Internet 连接功能(&K)
S_HOSTNAME 主机名(&H):
@@ -6800,13 +6800,13 @@ CMD_AccountImport_OK 连接设置 "%s" 已导入。
# RemoteEnable 命令
CMD_RemoteEnable 允许 VPN 客户服务的远程管理
-CMD_RemoteEnable_Help 对 VPN Client 服务,从本地主机以外的远程计算机上,允许通过命令行管理设施或 VPN Client 管理器员进行连接和管理。
+CMD_RemoteEnable_Help 对 VPN Client 服务,从本地主机以外的远程计算机上,允许通过命令行管理设施或 VPN Client 管理器员进行连接和管理。必须重新启动 VPN Client 服务,以应用远程管理可用性的配置变化。如果你允许远程管理,你必须设置一个密码。
CMD_RemoteEnable_Args RemoteEnable
# RemoteDisable 命令
CMD_RemoteDisable 禁止 VPN 客户服务的远程管理
-CMD_RemoteDisable_Help 对 VPN Client 服务,从本地主机以外的远程计算机上,禁止通过命令行管理设施或 VPN Client 管理器员进行连接和管理。
+CMD_RemoteDisable_Help 对 VPN Client 服务,从本地主机以外的远程计算机上,禁止通过命令行管理设施或 VPN Client 管理器员进行连接和管理。必须重新启动 VPN 客户端服务,以应用远程管理可用性的配置变化。
CMD_RemoteDisable_Args RemoteDisable
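Review bot: the sentence appended to CMD_RemoteDisable_Help uses "VPN 客户端服务", while the same sentence appended to CMD_RemoteEnable_Help in this hunk, and to S_WARNING earlier in the file, uses "VPN Client 服务". Use one term for the service in all three strings so the restart instruction reads identically wherever it appears.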
diff --git a/src/bin/hamcore/strtable_en.stb b/src/bin/hamcore/strtable_en.stb
index 6ea6b58c..c34b05ba 100644
--- a/src/bin/hamcore/strtable_en.stb
+++ b/src/bin/hamcore/strtable_en.stb
@@ -2417,7 +2417,7 @@ STATIC1 You can modify the settings for VPN Client.
STATIC2 R&emote Management:
STATIC3 You can remotely manage the VPN Client Service Program from another computer by using VPN Client Manager Remote Mode.
R_ALLOW_REMOTE_CONFIG Allow &Remote Management of VPN Client Service
-S_WARNING It is recommended to set a password if you allow remote management. From the menu bar, choose Tools -> Set Password to set the password.
+S_WARNING You must set a password if you allow remote management. From the menu bar, choose Tools -> Set Password to set the password. The VPN Client service must be restarted to apply the change of remote management availability.
STATIC4 For environments where Internet connections will automatically be disconnected when idle, you can keep alive the Internet connection by sending dummy packets to any host on the Internet.
R_USE_KEEP_CONNECT Use &Keep Alive Internet Connection Function
S_HOSTNAME &Host Name:
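Review bot: S_WARNING now says a password is mandatory ("You must set a password if you allow remote management") but does not say what happens when remote management is allowed and no password is set. If the service refuses remote connections in that state, say so in the string; if it does not, "must" promises more than the dialog enforces. The restart sentence would also read better as "The VPN Client service must be restarted for a change to the remote management setting to take effect."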
@@ -6786,13 +6786,13 @@ CMD_AccountImport_OK The VPN Connection Setting "%s" has been imported.
# RemoteEnable command
CMD_RemoteEnable Allow Remote Management of VPN Client Service
-CMD_RemoteEnable_Help Use this to allow management of a VPN Client service from a remote computer that is not localhost, via a remote connection by Command Line Management Utility or VPN Client Manager.
+CMD_RemoteEnable_Help Use this to allow management of a VPN Client service from a remote computer that is not localhost, via a remote connection by Command Line Management Utility or VPN Client Manager. The VPN Client service must be restarted to apply the change of remote management availability. You must set a password if you allow remote management.
CMD_RemoteEnable_Args RemoteEnable
# RemoteDisable command
CMD_RemoteDisable Deny Remote Management of VPN Client Service
-CMD_RemoteDisable_Help Use this to deny management of a VPN Client service from a remote computer that is not localhost, via a remote connection by Command Line Management Utility or VPN Client Manager.
+CMD_RemoteDisable_Help Use this to deny management of a VPN Client service from a remote computer that is not localhost, via a remote connection by Command Line Management Utility or VPN Client Manager. The VPN Client service must be restarted to apply the change of remote management availability.
CMD_RemoteDisable_Args RemoteDisable
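Review bot: in CMD_RemoteEnable_Help the password requirement is the last sentence, after the restart note, whereas S_WARNING leads with it. Put the password sentence first here as well, and say how to set the password from the command line, since the Tools -> Set Password menu path given in S_WARNING does not exist for a Command Line Management Utility user.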
diff --git a/src/bin/hamcore/strtable_ja.stb b/src/bin/hamcore/strtable_ja.stb
index 19144048..741bf566 100644
--- a/src/bin/hamcore/strtable_ja.stb
+++ b/src/bin/hamcore/strtable_ja.stb
@@ -2424,7 +2424,7 @@ STATIC1 VPN Client の動作に関する設定を変更できます。
STATIC2 リモート管理の設定(&E)
STATIC3 VPN Client サービスプログラムを別のコンピュータ上から VPN クライアント接続マネージャによってリモート管理することが可能です。
R_ALLOW_REMOTE_CONFIG VPN Client サービスのリモート管理を許可する(&R)
-S_WARNING リモート管理を許可する場合、パスワードを設定しておくことを強くお勧めします。パスワードは [ツール] メニューの [パスワードの設定] をクリックして設定することができます。
+S_WARNING リモート管理を許可する場合、パスワードを設定する必要があります。パスワードは [ツール] メニューの [パスワードの設定] をクリックして設定することができます。リモート管理の可否の変更の設定適用には、VPN Client サービスを再起動する必要があります。
STATIC4 一定期間無通信状態が続くと接続が自動的に切断されるようなネットワーク接続環境の場合、インターネット上の任意のサーバーに対して一定間隔ごとにパケットを送信することにより、インターネット接続を維持することができます。
R_USE_KEEP_CONNECT インターネット接続の維持機能を使用する(&K)
S_HOSTNAME ホスト名(&H):
@@ -6794,13 +6794,13 @@ CMD_AccountImport_OK 接続設定 "%s" としてインポートしました。
# RemoteEnable コマンド
CMD_RemoteEnable VPN Client サービスのリモート管理の許可
-CMD_RemoteEnable_Help VPN Client サービスに、localhost 以外のリモートコンピュータから、コマンドライン管理ユーティリティまたは VPN クライアント接続マネージャでリモート接続して管理することを許可します。
+CMD_RemoteEnable_Help VPN Client サービスに、localhost 以外のリモートコンピュータから、コマンドライン管理ユーティリティまたは VPN クライアント接続マネージャでリモート接続して管理することを許可します。注意: リモート管理の可否の変更の設定適用には、VPN Client サービスを再起動する必要があります。リモート管理を許可する場合、パスワードを設定する必要があります。
CMD_RemoteEnable_Args RemoteEnable
# RemoteDisable コマンド
CMD_RemoteDisable VPN Client サービスのリモート管理の禁止
-CMD_RemoteDisable_Help VPN Client サービスに、localhost 以外のリモートコンピュータからコマンドライン管理ユーティリティまたは VPN クライアント接続マネージャでリモート接続して管理することを禁止します。
+CMD_RemoteDisable_Help VPN Client サービスに、localhost 以外のリモートコンピュータからコマンドライン管理ユーティリティまたは VPN クライアント接続マネージャでリモート接続して管理することを禁止します。注意: リモート管理の可否の変更の設定適用には、VPN Client サービスを再起動する必要があります。
CMD_RemoteDisable_Args RemoteDisable
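Review bot: the sentences appended to CMD_RemoteEnable_Help and CMD_RemoteDisable_Help are prefixed with "注意:", but the same restart sentence added to S_WARNING in this file has no prefix, and the English and Chinese tables have no equivalent "Note:" marker. Either drop the prefix or add it consistently, so the three language tables stay in step.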
diff --git a/src/bin/hamcore/warning_cn.txt b/src/bin/hamcore/warning_cn.txt
index 07ccdc15..05b523e9 100644
--- a/src/bin/hamcore/warning_cn.txt
+++ b/src/bin/hamcore/warning_cn.txt
@@ -141,3 +141,11 @@ VPN Gate 仅仅是学术目的的一个研究项目。VPN Gate 是作为 SoftEth
5.13. VPN Gate 客户端的 P2P 中继功能可加强针对防火墙管控的规避能力
P2P 中继功能是为了加强规避防火墙管控的能力。如果 P2P 中继功能在您的 VPN Gate 客户端被启用,那么 P2P 中继功能将接受来自 VPN Gate 用户的 VPN 连接,提供中继功能给外部远程 VPN Gate 的服务器,这是由第三方在免费的互联网环境下托管的。此 P2P 中继功能从来不提供共享 NAT 功能,也不更换 VPN Gate 用户的传出 IP 地址为你的 IP 地址,因为这个 P2P 中继功能只提供 "反射服务" (发夹中继) ,从进入的 VPN Gate 用户中继到一个外部的 VPN Gate 服务器。在这种情况下,经由您的 P2P 中继功能的 VPN 隧道将终止于外部的 VPN Gate 服务器,而不是你的 VPN Gate 客户端。然而, VPN Gate 服务器作为最终目的地将记录您的 IP 地址作为通过您的 P2P 中继功能发起的 VPN 隧道的源 IP 地址。此外,经由你的 P2P 中继功能传输的用户数据包将被记录在您的计算机的数据包日志上,如 5.8 章所述。当您安装了 VPN Gate 客户端之后,如果将 P2P 中继功能设置为自动启用,那么在 5.2,5.3,5.4,5.5,5.6,5.7,5.8,5.9,5.10,5.11 和 5.12 章节中的所有事项将被应用于你的电脑,与您启用 VPN Gate 服务 (VPN Gate 服务器功能) 时的情况相同。如果你的 P2P 功能被启用,那么在第 5.5 章节中描述的您的计算机 IP 地址和默认运营商名字将被列在由 VPN Gate 项目提供的 VPN Gate 服务器列表上。您可以通过手动编辑 "vpn_gate_relay.config" 文件更改这些字符串。需要注意的是,在编辑之前您需要停止 VPN 客户端服务。如果 VPN Gate 客户端检测到您的计算机位于存在审查制度的防火墙区域, VPN 客户端会自动启用您的计算机上的 P2P 中继功能。如果您希望禁用 P2P 中继功能,您必须在 VPN 客户端的配置文件 "vpn_client.config" 上设置 "DisableRelayServer" 标志为 "true" 。需要注意的是,编辑它之前您需要停止 VPN 客户端服务。即使您的国家或地区有法律限制运行 P2P 中继功能, VPN Gate 客户端仍会激活 P2P 中继功能。如果您身处于存在这些法律限制的区域,请您遵守相关法律法规,通过设置 "DisableRelayServer" 标志手动禁用 VPN Gate 客户端的 P2P 中继功能。
+SoftEther VPN and VPN Gate (where applicable) are provided, distributed and operated under the responsibility of SoftEther Corporation (Corporate Number: 1050001016519, Tsukuba, Ibaraki, Japan). These projects were researched and developed in collaboration with Tsukuba University, a national university in Japan.
+
+THIS SOFTWARE IS DEVELOPED IN JAPAN, AND DISTRIBUTED FROM JAPAN, UNDER JAPANESE LAWS. YOU MUST AGREE IN ADVANCE TO USE, COPY, MODIFY, MERGE, PUBLISH, DISTRIBUTE, SUBLICENSE, AND/OR SELL COPIES OF THIS SOFTWARE, THAT ANY JURIDICAL DISPUTES WHICH ARE CONCERNED TO THIS SOFTWARE OR ITS CONTENTS, AGAINST US (SOFTETHER CORPORATION OR OTHER SUPPLIERS), OR ANY JURIDICAL DISPUTES AGAINST US WHICH ARE CAUSED BY ANY KIND OF USING, COPYING, MODIFYING, MERGING, PUBLISHING, DISTRIBUTING, SUBLICENSING, AND/OR SELLING COPIES OF THIS SOFTWARE SHALL BE REGARDED AS BE CONSTRUED AND CONTROLLED BY JAPANESE LAWS, AND YOU MUST FURTHER CONSENT TO EXCLUSIVE JURISDICTION AND VENUE IN THE COURTS SITTING IN TOKYO, JAPAN. YOU MUST WAIVE ALL DEFENSES OF LACK OF PERSONAL JURISDICTION AND FORUM NON CONVENIENS. PROCESS MAY BE SERVED ON EITHER PARTY IN THE MANNER AUTHORIZED BY APPLICABLE LAW OR COURT RULE.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE SUPPLIERS, PROVIDERS, OPERATORS, AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+
+IMPORTANT NOTE: USE OF THIS SOFTWARE AND SERVICE BY INDIVIDUALS TO WHOM THE CONSUMER CONTRACT ACT APPLIES IS NOT ALLOWED. THIS SOFTWARE IS INTENDED FOR PROFESSIONALS AND IS NOT DESIGNED FOR PURELY BUSINESS-UNRELATED CONSUMERS. THIS SOFTWARE AND SERVICE MAY BE USED ONLY FOR BUSINESS, COMMERCIAL, NON-PROFIT, ORGANIZATIONAL OPERATIONS, RESEARCH AND DEVELOPMENT PURPOSES OR OTHER NON-CONSUMPTIVE PURPOSES. THIS SOFTWARE IS NOT INTENDED FOR USE BY CONSUMERS. THIS SOFTWARE MAY NOT BE USED BY ANY INDIVIDUAL TO WHOM THE CONSUMER RIGHTS PROTECTIONS IN THE CONSUMER CONTRACT ACT OF JAPAN OR EQUIVALENT LAWS OF OTHER COUNTRIES APPLY. IF AN INDIVIDUAL USES THE SOFTWARE, THE USE OF THE SOFTWARE SHALL BE DEEMED TO BE FOR BUSINESS PURPOSES.
+
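Review bot: all four paragraphs appended to warning_cn.txt are in English, although the rest of the file is Chinese and the same block was translated for warning_ja.txt in this commit. A Chinese-language reader of this warning will not see the new consumer-use restriction or jurisdiction terms in their own language; add a Chinese translation, or at least a Chinese line stating that the following terms are given in English.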
diff --git a/src/bin/hamcore/warning_en.txt b/src/bin/hamcore/warning_en.txt
index 2dc3e0dc..ed2d404e 100644
--- a/src/bin/hamcore/warning_en.txt
+++ b/src/bin/hamcore/warning_en.txt
@@ -140,3 +140,11 @@ VPN Gate is a research project for just academic purpose only. VPN Gate was deve
5.13. The P2P Relay Function in the VPN Gate Client to strengthen the capability of circumvention of censorship firewalls
VPN Gate Clients, which are published since January 2015, include the P2P Relay Function. The P2P Relay Function is implemented in order to strengthen the capability of circumvention of censorship firewalls. If the P2P Relay Function in your VPN Gate Client is enabled, then the P2P Relay Function will accept the incoming VPN connections from the VPN Gate users, which are located on mainly same regions around you, and will provide the relay function to the external remote VPN Gate Servers, which are hosted by third parties in the free Internet environment. This P2P Relay Function never provides the shared NAT functions nor replaces the outgoing IP address of the VPN Gate users to your IP addresses because this P2P Relay Function only provides the "reflection service" (hair-pin relaying), relaying from incoming VPN Gate users to an external VPN Gate Server. In this situation, VPN tunnels via your P2P Relay Function will be finally terminated on the external VPN Gate Server, not your VPN Gate Client. However, the VPN Gate Server as the final destination will record your IP address as the source IP address of VPN tunnels which will be initiated by your P2P Relay Function. Additionally, user packets which are transmitted via your P2P Relay Function will be recorded on your computer as packet logs as described on the section 5.8. After you installed the VPN Gate Client, and if the P2P Relay Function will be enabled automatically, then all matters on the 5.2, 5.3, 5.4, 5.5, 5.6, 5.7, 5.8, 5.9, 5.10, 5.11 and 5.12 sections will be applied to you and your computer, as same to the situation when you enabled the VPN Gate Service (the VPN Gate Server function). If your P2P Function is enabled, then your computer's IP address and the default operator's name which is described on the section 5.5 will be listed on the VPN Gate Server List which is provided by the VPN Gate Project. You can change these strings by editing the "vpn_gate_relay.config" file manually. 
Note that you need to stop the VPN Client service before editing it. The VPN Gate Client will automatically enable the P2P Relay Function on your computer if the VPN Gate Client detects that your computer might be located in regions where there are existing censorship firewalls. If you want to disable the P2P Relay Function, you must set the "DisableRelayServer" flag to "true" on the "vpn_client.config" file which is the configuration file of the VPN Client. Note that you need to stop the VPN Client service before editing it. The VPN Gate Client does not recognize the particular regulation of your country or your region. The VPN Gate Client activates the P2P Relay Function even if your country or your region has the law to restrict running P2P relay functions. Therefore, in such a case, you must disable the P2P Relay Function on the VPN Gate Client manually by setting the "DisableRelayServer" flag if you reside in such a restricted area, in your own responsibility.
+SoftEther VPN and VPN Gate (where applicable) are provided, distributed and operated under the responsibility of SoftEther Corporation (Corporate Number: 1050001016519, Tsukuba, Ibaraki, Japan). These projects were researched and developed in collaboration with Tsukuba University, a national university in Japan.
+
+THIS SOFTWARE IS DEVELOPED IN JAPAN, AND DISTRIBUTED FROM JAPAN, UNDER JAPANESE LAWS. YOU MUST AGREE IN ADVANCE TO USE, COPY, MODIFY, MERGE, PUBLISH, DISTRIBUTE, SUBLICENSE, AND/OR SELL COPIES OF THIS SOFTWARE, THAT ANY JURIDICAL DISPUTES WHICH ARE CONCERNED TO THIS SOFTWARE OR ITS CONTENTS, AGAINST US (SOFTETHER CORPORATION OR OTHER SUPPLIERS), OR ANY JURIDICAL DISPUTES AGAINST US WHICH ARE CAUSED BY ANY KIND OF USING, COPYING, MODIFYING, MERGING, PUBLISHING, DISTRIBUTING, SUBLICENSING, AND/OR SELLING COPIES OF THIS SOFTWARE SHALL BE REGARDED AS BE CONSTRUED AND CONTROLLED BY JAPANESE LAWS, AND YOU MUST FURTHER CONSENT TO EXCLUSIVE JURISDICTION AND VENUE IN THE COURTS SITTING IN TOKYO, JAPAN. YOU MUST WAIVE ALL DEFENSES OF LACK OF PERSONAL JURISDICTION AND FORUM NON CONVENIENS. PROCESS MAY BE SERVED ON EITHER PARTY IN THE MANNER AUTHORIZED BY APPLICABLE LAW OR COURT RULE.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE SUPPLIERS, PROVIDERS, OPERATORS, AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+
+IMPORTANT NOTE: USE OF THIS SOFTWARE AND SERVICE BY INDIVIDUALS TO WHOM THE CONSUMER CONTRACT ACT APPLIES IS NOT ALLOWED. THIS SOFTWARE IS INTENDED FOR PROFESSIONALS AND IS NOT DESIGNED FOR PURELY BUSINESS-UNRELATED CONSUMERS. THIS SOFTWARE AND SERVICE MAY BE USED ONLY FOR BUSINESS, COMMERCIAL, NON-PROFIT, ORGANIZATIONAL OPERATIONS, RESEARCH AND DEVELOPMENT PURPOSES OR OTHER NON-CONSUMPTIVE PURPOSES. THIS SOFTWARE IS NOT INTENDED FOR USE BY CONSUMERS. THIS SOFTWARE MAY NOT BE USED BY ANY INDIVIDUAL TO WHOM THE CONSUMER RIGHTS PROTECTIONS IN THE CONSUMER CONTRACT ACT OF JAPAN OR EQUIVALENT LAWS OF OTHER COUNTRIES APPLY. IF AN INDIVIDUAL USES THE SOFTWARE, THE USE OF THE SOFTWARE SHALL BE DEEMED TO BE FOR BUSINESS PURPOSES.
+
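Review bot: the new block starts on the line directly after the 5.13 paragraph, with no blank line, section number or heading, so it reads as a continuation of 5.13 rather than as terms covering the whole software. eula.txt in this commit puts the same text under a "RESPONSIBLE ENTITY" heading; give it a heading or its own section number here too. The copied jurisdiction paragraph also carries over the phrase "SHALL BE REGARDED AS BE CONSTRUED", which is worth correcting while the text is being touched.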
diff --git a/src/bin/hamcore/warning_ja.txt b/src/bin/hamcore/warning_ja.txt
index 4ea93f07..af979de0 100644
--- a/src/bin/hamcore/warning_ja.txt
+++ b/src/bin/hamcore/warning_ja.txt
@@ -141,3 +141,12 @@ VPN 通信が禁止されている国・地域では VPN Gate を使用しない
5.13. VPN Gate Client に組み込まれている検閲用ファイアウォールの回避のための P2P 中継機能について
2015 年 1 月以降にリリースされた VPN Gate Client には P2P 中継機能が搭載されています。この P2P 中継機能は検閲用ファイアウォールの回避の強化を目的としています。あなたの VPN Gate Client で P2P 中継機能が有効となっている場合は、P2P 中継機能は、専らあなたと同じ地域に居住する他の VPN Gate のユーザーからの VPN 接続を受け付け、当該 VPN 通信を、検閲用ファイアウォールの外側にある、自由な (検閲のない) インターネット接続環境にある他人が遠隔地に設置した VPN Gate Server に対して中継します。この中継機能においては、あなたの VPN Gate Client の P2P 中継機能に接続した VPN Gate ユーザーの VPN Gate 使用中における NAT の出口 IP アドレスはあなたのコンピュータに置き換わることはありません。なぜならば、当該中継機能は VPN トンネルを反射状に中継するものであり、VPN トンネルの最終的な終端点は当該他人が設置した VPN Gate Server となるためです。しかしながら、当該他人が設置した VPN Gate Server における VPN トンネルの接続元 IP アドレスとしては、あなたのコンピュータの IP アドレスが記録されます。また、あなたのコンピュータの P2P 中継機能を経由して行われたパケットは、5.8 に準じてあなたのコンピュータに記録されます。P2P 中継機能を有する VPN Gate Client をインストールした後に当該 P2P 中継機能が動作する状態となった場合には、5.2, 5.3, 5.4, 5.5, 5.6, 5.7, 5.8, 5.9, 5.10, 5.11 および 5.12 において VPN Gate サービス (VPN サーバー機能) を明示的に有効にした場合と同じ注意事項が適用されます。P2P 中継機能が有効な場合、あなたのコンピュータの IP アドレスおよび 5.5 で述べられているデフォルトの運営者名は、VPN Gate Project が配布する VPN Gate のサーバーリストに自動的に追加されます。5.5 で述べられている情報は、"vpn_gate_relay.config" ファイルを編集することで変更することができます。設定を変更する際には、最初に VPN Client サービスを停止する必要があります。VPN Gate Client は、あなたのコンピュータの P2P 中継機能を、あなたのコンピュータが検閲用ファイアウォールが存在する地域に存在している可能性を検出した場合に自動的に有効にします。もし P2P 中継機能を無効にしたい場合は、VPN Client の設定ファイルである "vpn_client.config" ファイル内の "DisableRelayServer" フラグを "true" に設定しなければなりません。設定を変更する際には、最初に VPN Client サービスを停止する必要があります。P2P 中継機能は、法令によって検閲用ファイアウォールの回避のための P2P 中継機能の提供が禁止されている国または地域であっても、自動的に有効になる可能性があります。そのため、法令によって検閲用ファイアウォールの回避のための P2P 中継機能の提供が禁止されている国または地域のユーザーは手動で "DisableRelayServer" フラグを変更し、P2P 中継機能を自己の責任で直ちに無効にしなければなりません。
+
+SoftEther VPN および VPN Gate (適用される場合) は、ソフトイーサ株式会社(日本国、茨城県つくば市、法人番号: 1050001016519)の責任で提供・配布・運営されています。これらのプロジェクトは、筑波大学との共同研究により研究開発されたものです。
+
+本ソフトウェアは、日本国法に基づき、日本国内で開発され、日本国内から頒布されるものです。利用者は、本ソフトウェアの使用、複製、変更、結合、公開、頒布、再使用許諾、および / または販売に際して、本ソフトウェアまたはその内容に関連する当社 (ソフトイーサ株式会社またはその他の供給者) に対する一切の法的紛争、または本ソフトウェアの使用に起因する当社に対する一切の法的紛争について、日本法により解釈され、処理されることに同意するものとし、利用者はさらに、東京 (日本) に所在する裁判所を専属管轄裁判所とすることに同意しなければなりません。利用者は、対人管轄権の欠如およびフォーラム・ノン・コンビニエンスに関するすべての抗弁を放棄しなければなりません。
+本ソフトウェアは「現状のまま」提供され、明示または黙示を問わず、商品性、特定目的への適合性、および非侵害の保証を含むがこれに限定されない、いかなる種類の保証もありません。いかなる場合においても、提供者または著作権所有者は、契約、不法行為、その他を問わず、本ソフトウェアまたは本ソフトウェアの使用またはその他の取引に起因または関連して生じたいかなる請求、損害、またはその他の責任についても責任を負いません。
+
+重要な注意: 本ソフトウェアまたはサービスは、プロフェッショナル向けのものであり、ビジネスと無関係の純粋な消費者を想定して作られていません。消費者契約法が適用される個人による純粋消費的使用様態での本ソフトウェアの利用を禁止します。本ソフトウェアおよびサービスは、ビジネス、商用活動、非営利活動、組織運営、研究開発目的その他の非消費目的でのみ、利用することが可能です。本ソフトウェアは、個人が消費者として使用することを想定していません。本ソフトウェアは、日本国の消費者契約法または他国の同等の法律における消費者の権利保護が適用される個人が利用することを禁止します。個人が本ソフトウェアを利用する場合、その使途は、事業目的であるとみなされます。
+
+
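Review bot: the Japanese disclaimer paragraph limits liability for "提供者または著作権所有者" only, while the English text added in warning_en.txt lists "SUPPLIERS, PROVIDERS, OPERATORS, AUTHORS OR COPYRIGHT HOLDERS", and the Japanese jurisdiction paragraph has no counterpart to the final "PROCESS MAY BE SERVED ..." sentence. If the two versions are meant to be equivalent, align the lists and the missing sentence. There is also no blank line between the jurisdiction and disclaimer paragraphs, and the hunk ends with two empty added lines, unlike the English and Chinese files.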
diff --git a/src/bin/vpnweb.cab b/src/bin/vpnweb.cab
index daf0eabc..0aaaa059 100644
--- a/src/bin/vpnweb.cab
+++ b/src/bin/vpnweb.cab
Binary files differ
diff --git a/src/bin/vpnweb.ocx b/src/bin/vpnweb.ocx
index a10b1da9..8345d5d8 100644
--- a/src/bin/vpnweb.ocx
+++ b/src/bin/vpnweb.ocx
Binary files differ
diff --git a/src/vpnweb/vpnweb.h b/src/vpnweb/vpnweb.h
index 1be29102..5dde0236 100644
--- a/src/vpnweb/vpnweb.h
+++ b/src/vpnweb/vpnweb.h
@@ -4,7 +4,7 @@
/* File created by MIDL compiler version 7.00.0500 */
-/* at Tue Mar 14 10:40:57 2023
+/* at Fri Jun 30 10:47:21 2023
*/
/* Compiler settings for .\vpnweb.idl:
Oicf, W1, Zp8, env=Win32 (32b run)
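Review bot: the only change in this hunk is the MIDL generation timestamp in the header comment ("Tue Mar 14 10:40:57 2023" to "Fri Jun 30 10:47:21 2023"), and vpnweb_i.c and vpnweb_p.c below change in the same way. Committing regenerated output whose content is otherwise identical adds noise to every release diff and makes it harder to spot a real interface change; consider leaving the generated files untouched when vpnweb.idl has not changed, or stripping the timestamp line.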
diff --git a/src/vpnweb/vpnweb_i.c b/src/vpnweb/vpnweb_i.c
index 3c3ebfe1..808d347a 100644
--- a/src/vpnweb/vpnweb_i.c
+++ b/src/vpnweb/vpnweb_i.c
@@ -6,7 +6,7 @@
/* File created by MIDL compiler version 7.00.0500 */
-/* at Tue Mar 14 10:40:57 2023
+/* at Fri Jun 30 10:47:21 2023
*/
/* Compiler settings for .\vpnweb.idl:
Oicf, W1, Zp8, env=Win32 (32b run)
diff --git a/src/vpnweb/vpnweb_p.c b/src/vpnweb/vpnweb_p.c
index fa4361c4..1041305a 100644
--- a/src/vpnweb/vpnweb_p.c
+++ b/src/vpnweb/vpnweb_p.c
@@ -4,7 +4,7 @@
/* File created by MIDL compiler version 7.00.0500 */
-/* at Tue Mar 14 10:40:57 2023
+/* at Fri Jun 30 10:47:21 2023
*/
/* Compiler settings for .\vpnweb.idl:
Oicf, W1, Zp8, env=Win32 (32b run)