v4.07-9448-rtm

src/Cedar/Admin.c

@@ -1113,6 +1113,24 @@ UINT StMakeOpenVpnConfigFile(ADMIN *a, RPC_READ_LOG_FILE *t)
 				x = CloneX(c->ServerX);
 			}
 			Unlock(c->lock);
+
+			if (x != NULL)
+			{
+				// Get the root certificate
+				if (x->root_cert == false)
+				{
+					X *root_x = NULL;
+					LIST *cert_list = NewCertList(true);
+
+					if (TryGetRootCertChain(cert_list, x, true, &root_x))
+					{
+						FreeX(x);
+						x = root_x;
+					}
+
+					FreeCertList(cert_list);
+				}
+			}
 		}
 
 		x_buf = XToBuf(x, true);
@@ -1121,7 +1139,7 @@ UINT StMakeOpenVpnConfigFile(ADMIN *a, RPC_READ_LOG_FILE *t)
 		WriteBufChar(x_buf, 0);
 		SeekBufToBegin(x_buf);
 
-		// Generate dummy certification
+		// Generate a dummy certificate
 		if (x != NULL)
 		{
 			if (RsaGen(&dummy_private_k, &dummy_public_k, x->bits))
@@ -8331,6 +8349,15 @@ UINT StSetServerCert(ADMIN *a, RPC_KEY_PAIR *t)
 		return ERR_PROTOCOL_ERROR;
 	}
 
+	t->Flag1 = 1;
+	if (t->Cert->root_cert == false)
+	{
+		if (DownloadAndSaveIntermediateCertificatesIfNecessary(t->Cert) == false)
+		{
+			t->Flag1 = 0;
+		}
+	}
+
 	SetCedarCert(c, t->Cert, t->Key);
 
 	ALog(a, NULL, "LA_SET_SERVER_CERT");
@@ -12756,6 +12783,7 @@ void InRpcKeyPair(RPC_KEY_PAIR *t, PACK *p)
 
 	t->Cert = PackGetX(p, "Cert");
 	t->Key = PackGetK(p, "Key");
+	t->Flag1 = PackGetInt(p, "Flag1");
 }
 void OutRpcKeyPair(PACK *p, RPC_KEY_PAIR *t)
 {
@@ -12767,6 +12795,7 @@ void OutRpcKeyPair(PACK *p, RPC_KEY_PAIR *t)
 
 	PackAddX(p, "Cert", t->Cert);
 	PackAddK(p, "Key", t->Key);
+	PackAddInt(p, "Flag1", t->Flag1);
 }
 void FreeRpcKeyPair(RPC_KEY_PAIR *t)
 {

src/Cedar/Admin.h

@@ -295,6 +295,7 @@ struct RPC_KEY_PAIR
 {
 	X *Cert;							// Certificate
 	K *Key;								// Secret key
+	UINT Flag1;							// Flag1
 };
 
 // HUB option

src/Cedar/Cedar.h

@@ -120,10 +120,10 @@
 
 
 // Version number
-#define	CEDAR_VER					406
+#define	CEDAR_VER					407
 
 // Build Number
-#define	CEDAR_BUILD					9437
+#define	CEDAR_BUILD					9448
 
 // Beta number
 //#define	BETA_NUMBER					3
@@ -143,11 +143,11 @@
 
 // Specifies the build date
 #define	BUILD_DATE_Y		2014
-#define	BUILD_DATE_M		4
-#define	BUILD_DATE_D		9
-#define	BUILD_DATE_HO		9
-#define	BUILD_DATE_MI		39
-#define	BUILD_DATE_SE		4
+#define	BUILD_DATE_M		6
+#define	BUILD_DATE_D		6
+#define	BUILD_DATE_HO		3
+#define	BUILD_DATE_MI		7
+#define	BUILD_DATE_SE		39
 
 // Tolerable time difference
 #define	ALLOW_TIMESTAMP_DIFF		(UINT64)(3 * 24 * 60 * 60 * 1000)

src/Cedar/Client.c

@@ -5852,7 +5852,6 @@ REMOTE_CLIENT *CcConnectRpcEx(char *server_name, char *password, bool *bad_pass,
 #endif	// OS_WIN32
 
 	port_start = CLIENT_CONFIG_PORT - 1;
-
 	if (reg_port != 0)
 	{
 		s = Connect(server_name, reg_port);

src/Cedar/Command.c

@@ -6658,6 +6658,28 @@ void PsMain(PS *ps)
 		}
 	}
 
+	if (ps->HubName == NULL)
+	{
+		RPC_KEY_PAIR t;
+
+		Zero(&t, sizeof(t));
+
+		if (ScGetServerCert(ps->Rpc, &t) == ERR_NO_ERROR)
+		{
+			if (t.Cert != NULL && t.Cert->has_basic_constraints == false)
+			{
+				if (t.Cert->root_cert)
+				{
+					ps->Console->Write(ps->Console, L"");
+					ps->Console->Write(ps->Console, _UU("SM_CERT_MESSAGE_CLI"));
+					ps->Console->Write(ps->Console, L"");
+				}
+			}
+
+			FreeRpcKeyPair(&t);
+		}
+	}
+
 	while (true)
 	{
 		// Definition of command
@@ -7841,6 +7863,14 @@ UINT PsServerCertSet(CONSOLE *c, char *cmd_name, wchar_t *str, void *param)
 			return ret;
 		}
 
+		if (t.Flag1 == 0)
+		{
+			// Show the warning message
+			c->Write(c, L"");
+			c->Write(c, _UU("SM_CERT_NEED_ROOT"));
+			c->Write(c, L"");
+		}
+
 		FreeRpcKeyPair(&t);
 	}
 	else
@@ -20897,6 +20927,10 @@ UINT PsServerCertRegenerate(CONSOLE *c, char *cmd_name, wchar_t *str, void *para
 		return ret;
 	}
 
+	c->Write(c, L"");
+	c->Write(c, _UU("CM_CERT_SET_MSG"));
+	c->Write(c, L"");
+
 	FreeParamValueList(o);
 
 	return 0;

src/Cedar/Interop_OpenVPN.c

@@ -2058,6 +2058,7 @@ void OvsRecvPacket(OPENVPN_SERVER *s, LIST *recv_packet_list, UINT protocol)
 									}
 									else
 									{
+#if	0	// Currently disabled
 										// If the default gateway is not specified, add the static routing table
 										// entry for the local IP subnet
 										IP local_network;
@@ -2076,6 +2077,7 @@ void OvsRecvPacket(OPENVPN_SERVER *s, LIST *recv_packet_list, UINT protocol)
 											&cao->SubnetMask);
 
 										StrCat(option_str, sizeof(option_str), l3_options);
+#endif
 									}
 
 									// Classless routing table

src/Cedar/Logging.c

@@ -1333,16 +1333,23 @@ char *BuildHttpLogStr(HTTPLOG *h)
 
 	b = NewBuf();
 
-	// URL generation
-	if (h->Port == 80)
+	if (StartWith(h->Path, "http://"))
 	{
-		Format(url, sizeof(url), "http://%s%s",
-			h->Hostname, h->Path);
+		StrCpy(url, sizeof(url), h->Path);
 	}
 	else
 	{
-		Format(url, sizeof(url), "http://%s:%u%s",
-			h->Hostname, h->Port, h->Path);
+		// URL generation
+		if (h->Port == 80)
+		{
+			Format(url, sizeof(url), "http://%s%s",
+				h->Hostname, h->Path);
+		}
+		else
+		{
+			Format(url, sizeof(url), "http://%s:%u%s",
+				h->Hostname, h->Port, h->Path);
+		}
 	}
 
 	AddLogBufToStr(b, "HttpMethod", h->Method);

src/Cedar/Protocol.c

@@ -100,6 +100,461 @@
 
 static UCHAR ssl_packet_start[3] = {0x17, 0x03, 0x00};
 
+// Download and save intermediate certificates if necessary
+bool DownloadAndSaveIntermediateCertificatesIfNecessary(X *x)
+{
+	LIST *o;
+	bool ret = false;
+	// Validate arguments
+	if (x == NULL)
+	{
+		return false;
+	}
+
+	if (x->root_cert)
+	{
+		return true;
+	}
+
+	o = NewCertList(true);
+
+	ret = TryGetRootCertChain(o, x, true, NULL);
+
+	FreeCertList(o);
+
+	return ret;
+}
+
+// Attempt to fetch the full chain of the specified cert
+bool TryGetRootCertChain(LIST *o, X *x, bool auto_save, X **found_root_x)
+{
+	bool ret = false;
+	LIST *chain = NULL;
+	LIST *current_chain_dir = NULL;
+	// Validate arguments
+	if (o == NULL || x == NULL)
+	{
+		return false;
+	}
+
+	chain = NewCertList(false);
+
+	ret = TryGetParentCertFromCertList(o, x, chain);
+
+	if (ret)
+	{
+		UINT i;
+		DIRLIST *dir;
+		wchar_t dirname[MAX_SIZE];
+		wchar_t exedir[MAX_SIZE];
+
+		GetExeDirW(exedir, sizeof(exedir));
+		CombinePathW(dirname, sizeof(dirname), exedir, L"chain_certs");
+		MakeDirExW(dirname);
+
+		if (auto_save)
+		{
+			// delete the current auto_save files
+			dir = EnumDirW(dirname);
+			if (dir != NULL)
+			{
+				for (i = 0;i < dir->NumFiles;i++)
+				{
+					DIRENT *e = dir->File[i];
+
+					if (e->Folder == false)
+					{
+						if (UniStartWith(e->FileNameW, AUTO_DOWNLOAD_CERTS_PREFIX))
+						{
+							wchar_t tmp[MAX_SIZE];
+
+							CombinePathW(tmp, sizeof(tmp), dirname, e->FileNameW);
+
+							FileDeleteW(tmp);
+						}
+					}
+				}
+
+				FreeDir(dir);
+			}
+		}
+
+		current_chain_dir = NewCertList(false);
+		AddAllChainCertsToCertList(current_chain_dir);
+
+		for (i = 0;i < LIST_NUM(chain);i++)
+		{
+			wchar_t tmp[MAX_SIZE];
+			X *xx = LIST_DATA(chain, i);
+
+			GetAllNameFromName(tmp, sizeof(tmp), xx->subject_name);
+
+			Debug("depth = %u, subject = %S\n", i, tmp);
+
+			if (auto_save && CompareX(x, xx) == false && IsXInCertList(current_chain_dir, xx) == false)
+			{
+				wchar_t fn[MAX_PATH];
+				char hex_a[128];
+				wchar_t hex[128];
+				UCHAR hash[SHA1_SIZE];
+				wchar_t tmp[MAX_SIZE];
+				BUF *b;
+
+				GetXDigest(xx, hash, true);
+				BinToStr(hex_a, sizeof(hex_a), hash, SHA1_SIZE);
+				StrToUni(hex, sizeof(hex), hex_a);
+
+				UniStrCpy(fn, sizeof(fn), AUTO_DOWNLOAD_CERTS_PREFIX);
+				UniStrCat(fn, sizeof(fn), hex);
+				UniStrCat(fn, sizeof(fn), L".cer");
+
+				CombinePathW(tmp, sizeof(tmp), dirname, fn);
+
+				b = XToBuf(xx, true);
+
+				DumpBufW(b, tmp);
+
+				FreeBuf(b);
+			}
+
+			if (xx->root_cert)
+			{
+				if (found_root_x != NULL)
+				{
+					*found_root_x = CloneX(xx);
+				}
+			}
+		}
+	}
+
+	FreeCertList(chain);
+
+	FreeCertList(current_chain_dir);
+
+	return ret;
+}
+
+// Try get the parent cert
+bool TryGetParentCertFromCertList(LIST *o, X *x, LIST *found_chain)
+{
+	bool ret = false;
+	X *r;
+	bool do_free = false;
+	// Validate arguments
+	if (o == NULL || x == NULL || found_chain == NULL)
+	{
+		return false;
+	}
+
+	if (LIST_NUM(found_chain) >= FIND_CERT_CHAIN_MAX_DEPTH)
+	{
+		return false;
+	}
+
+	Add(found_chain, CloneX(x));
+
+	if (x->root_cert)
+	{
+		return true;
+	}
+
+	r = FindCertIssuerFromCertList(o, x);
+
+	if (r == NULL)
+	{
+		if (IsEmptyStr(x->issuer_url) == false)
+		{
+			r = DownloadCert(x->issuer_url);
+
+			if (CheckXEx(x, r, true, true) && CompareX(x, r) == false)
+			{
+				// found
+				do_free = true;
+			}
+			else
+			{
+				// invalid
+				FreeX(r);
+				r = NULL;
+			}
+		}
+	}
+
+	if (r != NULL)
+	{
+		ret = TryGetParentCertFromCertList(o, r, found_chain);
+	}
+
+	if (do_free)
+	{
+		FreeX(r);
+	}
+
+	return ret;
+}
+
+// Find the issuer of the cert from the cert list
+X *FindCertIssuerFromCertList(LIST *o, X *x)
+{
+	UINT i;
+	// Validate arguments
+	if (o == NULL || x == NULL)
+	{
+		return NULL;
+	}
+
+	if (x->root_cert)
+	{
+		return NULL;
+	}
+
+	for (i = 0;i < LIST_NUM(o);i++)
+	{
+		X *xx = LIST_DATA(o, i);
+
+		if (CheckXEx(x, xx, true, true))
+		{
+			if (CompareX(x, xx) == false)
+			{
+				return xx;
+			}
+		}
+	}
+
+	return NULL;
+}
+
+// Download a cert by using HTTP
+X *DownloadCert(char *url)
+{
+	BUF *b;
+	URL_DATA url_data;
+	X *ret = NULL;
+	// Validate arguments
+	if (IsEmptyStr(url))
+	{
+		return NULL;
+	}
+
+	Debug("Trying to download a cert from %s ...\n", url);
+
+	if (ParseUrl(&url_data, url, false, NULL) == false)
+	{
+		Debug("Download failed.\n");
+		return NULL;
+	}
+
+	b = HttpRequestEx(&url_data, NULL, CERT_HTTP_DOWNLOAD_TIMEOUT, CERT_HTTP_DOWNLOAD_TIMEOUT,
+		NULL, false, NULL, NULL, NULL, NULL, NULL, CERT_HTTP_DOWNLOAD_MAXSIZE);
+
+	if (b == NULL)
+	{
+		Debug("Download failed.\n");
+		return NULL;
+	}
+
+	ret = BufToX(b, IsBase64(b));
+
+	FreeBuf(b);
+
+	Debug("Download ok.\n");
+	return ret;
+}
+
+// New cert list
+LIST *NewCertList(bool load_root_and_chain)
+{
+	LIST *o;
+
+	o = NewList(NULL);
+
+	if (load_root_and_chain)
+	{
+		AddAllRootCertsToCertList(o);
+		AddAllChainCertsToCertList(o);
+	}
+
+	return o;
+}
+
+// Free cert list
+void FreeCertList(LIST *o)
+{
+	UINT i;
+	// Validate arguments
+	if (o == NULL)
+	{
+		return;
+	}
+
+	for (i = 0;i < LIST_NUM(o);i++)
+	{
+		X *x = LIST_DATA(o, i);
+
+		FreeX(x);
+	}
+
+	ReleaseList(o);
+}
+
+// Check whether the cert is in the cert list
+bool IsXInCertList(LIST *o, X *x)
+{
+	UINT i;
+	// Validate arguments
+	if (o == NULL || x == NULL)
+	{
+		return false;
+	}
+
+	for (i = 0;i < LIST_NUM(o);i++)
+	{
+		X *xx = LIST_DATA(o, i);
+
+		if (CompareX(x, xx))
+		{
+			return true;
+		}
+	}
+
+	return false;
+}
+
+// Add a cert to the cert list
+void AddXToCertList(LIST *o, X *x)
+{
+	// Validate arguments
+	if (o == NULL || x == NULL)
+	{
+		return;
+	}
+
+	if (IsXInCertList(o, x))
+	{
+		return;
+	}
+
+	if (CheckXDateNow(x) == false)
+	{
+		return;
+	}
+
+	Add(o, CloneX(x));
+}
+
+// Add all chain certs to the cert list
+void AddAllChainCertsToCertList(LIST *o)
+{
+	wchar_t dirname[MAX_SIZE];
+	wchar_t exedir[MAX_SIZE];
+	DIRLIST *dir;
+	// Validate arguments
+	if (o == NULL)
+	{
+		return;
+	}
+
+	GetExeDirW(exedir, sizeof(exedir));
+
+	CombinePathW(dirname, sizeof(dirname), exedir, L"chain_certs");
+
+	MakeDirExW(dirname);
+
+	dir = EnumDirW(dirname);
+
+	if (dir != NULL)
+	{
+		UINT i;
+
+		for (i = 0;i < dir->NumFiles;i++)
+		{
+			DIRENT *e = dir->File[i];
+
+			if (e->Folder == false)
+			{
+				wchar_t tmp[MAX_SIZE];
+				X *x;
+
+				CombinePathW(tmp, sizeof(tmp), dirname, e->FileNameW);
+
+				x = FileToXW(tmp);
+
+				if (x != NULL)
+				{
+					AddXToCertList(o, x);
+
+					FreeX(x);
+				}
+			}
+		}
+
+		FreeDir(dir);
+	}
+}
+
+// Add all root certs to the cert list
+void AddAllRootCertsToCertList(LIST *o)
+{
+	BUF *buf;
+	PACK *p;
+	UINT num_ok = 0, num_error = 0;
+	// Validate arguments
+	if (o == NULL)
+	{
+		return;
+	}
+
+	buf = ReadDump(ROOT_CERTS_FILENAME);
+	if (buf == NULL)
+	{
+		return;
+	}
+
+	p = BufToPack(buf);
+
+	if (p != NULL)
+	{
+		UINT num = PackGetIndexCount(p, "cert");
+		UINT i;
+
+		for (i = 0;i < num;i++)
+		{
+			bool ok = false;
+			BUF *b = PackGetBufEx(p, "cert", i);
+
+			if (b != NULL)
+			{
+				X *x = BufToX(b, false);
+
+				if (x != NULL)
+				{
+					AddXToCertList(o, x);
+
+					ok = true;
+
+					FreeX(x);
+				}
+
+				FreeBuf(b);
+			}
+
+			if (ok)
+			{
+				num_ok++;
+			}
+			else
+			{
+				num_error++;
+			}
+		}
+
+		FreePack(p);
+	}
+
+	FreeBuf(buf);
+
+	Debug("AddAllRootCertsToCertList: ok=%u error=%u total_list_len=%u\n", num_ok, num_error, LIST_NUM(o));
+}
 
 // Convert the date of YYYYMMDD format to a number
 UINT64 ShortStrToDate64(char *str)
@@ -5345,8 +5800,26 @@ bool ClientUploadAuth(CONNECTION *c)
 	// UDP acceleration function using flag
 	if (o->NoUdpAcceleration == false && c->Session->UdpAccel != NULL)
 	{
+		IP my_ip;
+
+		Zero(&my_ip, sizeof(my_ip));
+
 		PackAddBool(p, "use_udp_acceleration", true);
-		PackAddIp(p, "udp_acceleration_client_ip", &c->Session->UdpAccel->MyIp);
+
+		Copy(&my_ip, &c->Session->UdpAccel->MyIp, sizeof(IP));
+		if (IsLocalHostIP(&my_ip))
+		{
+			if (IsIP4(&my_ip))
+			{
+				ZeroIP4(&my_ip);
+			}
+			else
+			{
+				ZeroIP6(&my_ip);
+			}
+		}
+
+		PackAddIp(p, "udp_acceleration_client_ip", &my_ip);
 		PackAddInt(p, "udp_acceleration_client_port", c->Session->UdpAccel->MyPort);
 		PackAddData(p, "udp_acceleration_client_key", c->Session->UdpAccel->MyKey, UDP_ACCELERATION_COMMON_KEY_SIZE);
 		PackAddBool(p, "support_hmac_on_udp_acceleration", true);
@@ -6186,6 +6659,8 @@ SOCK *ProxyConnectEx2(CONNECTION *c, char *proxy_host_name, UINT proxy_port,
 	char basic_str[MAX_SIZE * 2];
 	UINT http_error_code;
 	HTTP_HEADER *h;
+	char server_host_name_tmp[256];
+	UINT i, len;
 	// Validate arguments
 	if (c == NULL || proxy_host_name == NULL || proxy_port == 0 || server_host_name == NULL ||
 		server_port == 0)
@@ -6206,6 +6681,19 @@ SOCK *ProxyConnectEx2(CONNECTION *c, char *proxy_host_name, UINT proxy_port,
 		return NULL;
 	}
 
+	Zero(server_host_name_tmp, sizeof(server_host_name_tmp));
+	StrCpy(server_host_name_tmp, sizeof(server_host_name_tmp), server_host_name);
+
+	len = StrLen(server_host_name_tmp);
+
+	for (i = 0;i < len;i++)
+	{
+		if (server_host_name_tmp[i] == '/')
+		{
+			server_host_name_tmp[i] = 0;
+		}
+	}
+
 	// Connection
 	s = TcpConnectEx3(proxy_host_name, proxy_port, timeout, cancel_flag, hWnd, true, NULL, false, false);
 	if (s == NULL)
@@ -6224,24 +6712,24 @@ SOCK *ProxyConnectEx2(CONNECTION *c, char *proxy_host_name, UINT proxy_port,
 	}
 
 	// HTTP header generation
-	if (IsStrIPv6Address(server_host_name))
+	if (IsStrIPv6Address(server_host_name_tmp))
 	{
 		IP ip;
 		char iptmp[MAX_PATH];
 
-		StrToIP(&ip, server_host_name);
+		StrToIP(&ip, server_host_name_tmp);
 		IPToStr(iptmp, sizeof(iptmp), &ip);
 
 		Format(tmp, sizeof(tmp), "[%s]:%u", iptmp, server_port);
 	}
 	else
 	{
-		Format(tmp, sizeof(tmp), "%s:%u", server_host_name, server_port);
+		Format(tmp, sizeof(tmp), "%s:%u", server_host_name_tmp, server_port);
 	}
 
 	h = NewHttpHeader("CONNECT", tmp, "HTTP/1.0");
 	AddHttpValue(h, NewHttpValue("User-Agent", (c->Cedar == NULL ? DEFAULT_USER_AGENT : c->Cedar->HttpUserAgent)));
-	AddHttpValue(h, NewHttpValue("Host", server_host_name));
+	AddHttpValue(h, NewHttpValue("Host", server_host_name_tmp));
 	AddHttpValue(h, NewHttpValue("Content-Length", "0"));
 	AddHttpValue(h, NewHttpValue("Proxy-Connection", "Keep-Alive"));
 	AddHttpValue(h, NewHttpValue("Pragma", "no-cache"));
@@ -6249,7 +6737,7 @@ SOCK *ProxyConnectEx2(CONNECTION *c, char *proxy_host_name, UINT proxy_port,
 	if (use_auth)
 	{
 		wchar_t tmp[MAX_SIZE];
-		UniFormat(tmp, sizeof(tmp), _UU("STATUS_3"), server_host_name);
+		UniFormat(tmp, sizeof(tmp), _UU("STATUS_3"), server_host_name_tmp);
 		// Generate the authentication string
 		Format(auth_tmp_str, sizeof(auth_tmp_str), "%s:%s",
 			username, password);

src/Cedar/Protocol.h

@@ -179,6 +179,12 @@ struct UPDATE_CLIENT
 #define	UPDATE_CONNECT_TIMEOUT			5000
 #define	UPDATE_COMM_TIMEOUT				5000
 
+// Dynamic root cert fetch function
+#define	CERT_HTTP_DOWNLOAD_MAXSIZE	65536
+#define	CERT_HTTP_DOWNLOAD_TIMEOUT	(10 * 1000)
+#define	ROOT_CERTS_FILENAME			"|root_certs.dat"
+#define	AUTO_DOWNLOAD_CERTS_PREFIX	L".autodownload_"
+#define	FIND_CERT_CHAIN_MAX_DEPTH	16
 
 
 // Function prototype
@@ -277,6 +283,18 @@ void PackAddClientVersion(PACK *p, CONNECTION *c);
 void NodeInfoToStr(wchar_t *str, UINT size, NODE_INFO *info);
 void GenerateMachineUniqueHash(void *data);
 
+LIST *NewCertList(bool load_root_and_chain);
+void FreeCertList(LIST *o);
+bool IsXInCertList(LIST *o, X *x);
+void AddXToCertList(LIST *o, X *x);
+void AddAllRootCertsToCertList(LIST *o);
+void AddAllChainCertsToCertList(LIST *o);
+X *DownloadCert(char *url);
+X *FindCertIssuerFromCertList(LIST *o, X *x);
+bool TryGetRootCertChain(LIST *o, X *x, bool auto_save, X **found_root_x);
+bool TryGetParentCertFromCertList(LIST *o, X *x, LIST *found_chain);
+bool DownloadAndSaveIntermediateCertificatesIfNecessary(X *x);
+
 
 #endif	// PROTOCOL_H
 

src/Cedar/SM.c

@@ -16929,6 +16929,13 @@ void SmSslDlgOnOk(HWND hWnd, SM_SSL *s)
 		{
 			return;
 		}
+
+		if (t.Flag1 == 0)
+		{
+			// Show the warning message
+			MsgBox(hWnd, MB_ICONWARNING, _UU("SM_CERT_NEED_ROOT"));
+		}
+
 		FreeRpcKeyPair(&t);
 
 		MsgBox(hWnd, MB_ICONINFORMATION, _UU("CM_CERT_SET_MSG"));
@@ -18930,6 +18937,8 @@ UINT SmServerDlgProc(HWND hWnd, UINT msg, WPARAM wParam, LPARAM lParam, void *pa
 
 			SmShowIPSecMessageIfNecessary(hWnd, p);
 
+			SmShowCertRegenerateMessageIfNecessary(hWnd, p);
+
 			SetTimer(hWnd, 3, 150, NULL);
 			break;
 
@@ -18954,6 +18963,73 @@ UINT SmServerDlgProc(HWND hWnd, UINT msg, WPARAM wParam, LPARAM lParam, void *pa
 	return 0;
 }
 
+// Display the message about the cert
+void SmShowCertRegenerateMessageIfNecessary(HWND hWnd, SM_SERVER *p)
+{
+	// Validate arguments
+	if (p == NULL)
+	{
+		return;
+	}
+
+	if (p->ServerAdminMode && p->Bridge == false)
+	{
+		RPC_KEY_PAIR t;
+
+		Zero(&t, sizeof(t));
+
+		if (ScGetServerCert(p->Rpc, &t) == ERR_NO_ERROR)
+		{
+			if (t.Cert != NULL && t.Cert->has_basic_constraints == false)
+			{
+				if (t.Cert->root_cert)
+				{
+					if (MsRegReadInt(REG_CURRENT_USER, SM_HIDE_CERT_UPDATE_MSG_KEY, p->ServerName) == 0)
+					{
+						if (MsgBox(hWnd, MB_ICONQUESTION | MB_YESNO, _UU("SM_CERT_MESSAGE")) == IDYES)
+						{
+							X *x;
+							K *k;
+
+							// Regenerating the certificate
+							if (SmRegenerateServerCert(hWnd, p, NULL, &x, &k, false))
+							{
+								// Confirmation message
+								if (MsgBox(hWnd, MB_ICONEXCLAMATION | MB_YESNO, _UU("SM_REGENERATE_CERT_MSG")) == IDYES)
+								{
+									// Set the new certificate and private key
+									RPC_KEY_PAIR t2;
+
+									Zero(&t2, sizeof(t2));
+
+									t2.Cert = CloneX(x);
+									t2.Key = CloneK(k);
+
+									if (CALL(hWnd, ScSetServerCert(p->Rpc, &t2)))
+									{
+										FreeRpcKeyPair(&t2);
+
+										MsgBox(hWnd, MB_ICONINFORMATION, _UU("CM_CERT_SET_MSG"));
+									}
+								}
+
+								FreeX(x);
+								FreeK(k);
+							}
+						}
+						else
+						{
+							MsRegWriteInt(REG_CURRENT_USER, SM_HIDE_CERT_UPDATE_MSG_KEY, p->ServerName, 1);
+						}
+					}
+				}
+			}
+
+			FreeRpcKeyPair(&t);
+		}
+	}
+}
+
 // Display messages about IPsec, and prompt for the setting
 void SmShowIPSecMessageIfNecessary(HWND hWnd, SM_SERVER *p)
 {

src/Cedar/SMInner.h

@@ -101,6 +101,7 @@
 #define	SM_CERT_REG_KEY		"Software\\SoftEther Corporation\\PacketiX VPN\\Server Manager\\Cert Tool"
 #define	SM_SETTING_REG_KEY	"Software\\SoftEther Corporation\\PacketiX VPN\\Server Manager\\Settings"
 #define	SM_LASTHUB_REG_KEY	"Software\\SoftEther Corporation\\PacketiX VPN\\Server Manager\\Last HUB Name"
+#define	SM_HIDE_CERT_UPDATE_MSG_KEY	"Software\\SoftEther Corporation\\PacketiX VPN\\Server Manager\\Hide Cert Update Msg"
 
 #define	NAME_OF_VPN_SERVER_MANAGER	"vpnsmgr"
 #define	NAME_OF_VPN_SERVER_TARGET	"vpnserver@%s"
@@ -799,6 +800,7 @@ UINT SmSpecialListenerDlg(HWND hWnd, UINT msg, WPARAM wParam, LPARAM lParam, voi
 void SmSpecialListenerDlgInit(HWND hWnd, SM_SERVER *s);
 void SmSpecialListenerDlgOnOk(HWND hWnd, SM_SERVER *s);
 void SmShowIPSecMessageIfNecessary(HWND hWnd, SM_SERVER *p);
+void SmShowCertRegenerateMessageIfNecessary(HWND hWnd, SM_SERVER *p);
 UINT SmVmBridgeDlg(HWND hWnd, UINT msg, WPARAM wParam, LPARAM lParam, void *param);
 void SmAzure(HWND hWnd, SM_SERVER *s, bool on_setup);
 UINT SmAzureDlg(HWND hWnd, UINT msg, WPARAM wParam, LPARAM lParam, void *param);

src/Cedar/Server.h

@@ -414,6 +414,7 @@ struct LOG_FILE
 #define	GSF_SHOW_OSS_MSG				7
 
 
+
 // Virtual HUB creation history
 struct SERVER_HUB_CREATE_HISTORY
 {

src/Cedar/Session.c

@@ -2142,6 +2142,23 @@ SESSION *NewServerSessionEx(CEDAR *cedar, CONNECTION *c, HUB *h, char *username,
 	return s;
 }
 
+// Check whether the specified MAC address is IPC address
+bool IsIpcMacAddress(UCHAR *mac)
+{
+	// Validate arguments
+	if (mac == NULL)
+	{
+		return false;
+	}
+
+	if (mac[0] == 0xCA)
+	{
+		return true;
+	}
+
+	return false;
+}
+
 // Display the session key for debugging
 void DebugPrintSessionKey(UCHAR *session_key)
 {

src/Cedar/Session.h

@@ -397,6 +397,7 @@ void NewSessionKey(CEDAR *cedar, UCHAR *session_key, UINT *session_key_32);
 SESSION *GetSessionFromKey(CEDAR *cedar, UCHAR *session_key);
 SESSION *GetSessionFromKey32(CEDAR *cedar, UINT key32);
 void DebugPrintSessionKey(UCHAR *session_key);
+bool IsIpcMacAddress(UCHAR *mac);
 void ClientAdditionalConnectChance(SESSION *s);
 void SessionAdditionalConnect(SESSION *s);
 void ClientAdditionalThread(THREAD *t, void *param);

src/Cedar/Virtual.c

@@ -9436,6 +9436,53 @@ void VirtualDhcpServer(VH *v, PKT *p)
 				if (GetGlobalServerFlag(GSF_DISABLE_PUSH_ROUTE) == 0)
 				{
 					Copy(&ret.ClasslessRoute, &v->PushRoute, sizeof(DHCP_CLASSLESS_ROUTE_TABLE));
+
+					if (IsIpcMacAddress(p->MacAddressSrc))
+					{
+						if (ret.Gateway == 0)
+						{
+							// If the default gateway is not specified, add the static routing table
+							// entry for the local IP subnet
+							// (for PPP clients)
+							IP dhcp_ip;
+							IP dhcp_mask;
+							IP dhcp_network;
+
+							UINTToIP(&dhcp_ip, ip);
+
+							if (ip == 0)
+							{
+								UINTToIP(&dhcp_ip, p->L3.IPv4Header->SrcIP);
+							}
+
+							UINTToIP(&dhcp_mask, v->DhcpMask);
+
+							IPAnd4(&dhcp_network, &dhcp_ip, &dhcp_mask);
+
+							if (GetBestClasslessRoute(&ret.ClasslessRoute, &dhcp_ip) == NULL)
+							{
+								if (ret.ClasslessRoute.NumExistingRoutes < MAX_DHCP_CLASSLESS_ROUTE_ENTRIES)
+								{
+									DHCP_CLASSLESS_ROUTE *cr = &ret.ClasslessRoute.Entries[ret.ClasslessRoute.NumExistingRoutes];
+
+									cr->Exists = true;
+
+									UINTToIP(&cr->Gateway, v->HostIP);
+
+									if (v->UseNat == false && ret.ClasslessRoute.NumExistingRoutes >= 1)
+									{
+										Copy(&cr->Gateway, &ret.ClasslessRoute.Entries[0].Gateway, sizeof(IP));
+									}
+
+									Copy(&cr->Network, &dhcp_network, sizeof(IP));
+									Copy(&cr->SubnetMask, &dhcp_mask, sizeof(IP));
+									cr->SubnetMaskLen = SubnetMaskToInt(&dhcp_mask);
+
+									ret.ClasslessRoute.NumExistingRoutes++;
+								}
+							}
+						}
+					}
 				}
 
 				if (opt->Opcode != DHCP_INFORM)

src/Cedar/WinUi.h

@@ -485,6 +485,7 @@ typedef struct BAD_PROCESS
 static BAD_PROCESS bad_processes[] =
 {
 	{"nod32krn.exe", "NOD32 Antivirus",},
+	{"avp.exe", "Kaspersky",},
 };
 
 static UINT num_bad_processes = sizeof(bad_processes) / sizeof(bad_processes[0]);