
13 Commits

Author SHA1 Message Date
Naoki Kaneko a163f37f3b
Merge 06e79fd75d into bfaff4fdb0 2024-05-31 15:21:15 +08:00
Ilya Shipitsin bfaff4fdb0
Merge pull request #1994 from hiura2023/master
Fix Virtual DHCP Server: Correct IP reassignment
2024-05-27 13:13:40 +02:00
hiura 08213b7f0e CHANGE ERROR HANDLER FOR SSL ERROR: Change of indent 2024-05-26 23:50:05 +09:00
hiura 98852b77d9 CHANGE ERROR HANDLER FOR SSL ERROR: 2024-05-26 23:36:21 +09:00
hiura 5a88b34ddb Fix Virtual DHCP Server: Correct IP reassignment 2024-05-08 10:55:00 +09:00
puripuri2100 06e79fd75d replace да|нет to yes|no 2023-09-27 20:03:43 +09:00
puripuri2100 d30949038f Swap comment for ConnectionList command and comment for ConnectionGet command in strtable_ru.stb file 2023-09-27 20:01:53 +09:00
puripuri2100 c621a8e74d fix [порт] to [port] 2023-09-27 00:12:50 +09:00
puripuri2100 1b0aa5e434 fix 2023-09-26 23:26:57 +09:00
puripuri2100 51898b80a2 fix comment: ConnectionGet 2023-09-26 23:25:55 +09:00
puripuri2100 ed282ad977 change comment: VPN工具 to VPN Tools 2023-09-26 23:24:07 +09:00
puripuri2100 7e30a8e52a fixed VpnAzureSetStatus to VpnAzureSetEnable 2023-09-26 22:55:22 +09:00
puripuri2100 a09446c1f3 fix [nome] to [name] 2023-09-26 22:51:28 +09:00
7 changed files with 80 additions and 65 deletions


@ -9349,62 +9349,35 @@ UINT ServeDhcpDiscoverEx(VH *v, UCHAR *mac, UINT request_ip, bool is_static_ip)
// check whether it is a request from the same MAC address
if (Cmp(mac, d->MacAddress, 6) == 0)
{
// Examine whether the specified IP address is within the range of assignment
// Examine whether the specified IP address is within the range of static assignment
if (Endian32(v->DhcpIpStart) > Endian32(request_ip) ||
Endian32(request_ip) > Endian32(v->DhcpIpEnd))
{
// Accept if within the range
// Accept if within the range of static assignment
ret = request_ip;
}
}
else {
// Duplicated IPV4 address found. The DHCP server replies to DHCPREQUEST with DHCP NAK.
// Duplicated IPV4 address found. The specified IP address is not available for use
char ipstr[MAX_HOST_NAME_LEN + 1] = { 0 };
char macstr[128] = { 0 };
IPToStr32(ipstr, sizeof(ipstr), request_ip);
BinToStr(macstr, sizeof(macstr), d->MacAddress, 6);
Debug("Virtual DHC Server: Duplicated IP address detected. Static IP: %s, Used by MAC:%s\n", ipstr, macstr);
return ret;
MacToStr(macstr, sizeof(macstr), d->MacAddress);
Debug("Virtual DHC Server: Duplicated IP address detected. Static IP: %s, with the MAC: %s\n", ipstr, macstr);
}
}
else
{
// Examine whether the specified IP address is within the range of assignment
// Examine whether the specified IP address is within the range of static assignment
if (Endian32(v->DhcpIpStart) > Endian32(request_ip) ||
Endian32(request_ip) > Endian32(v->DhcpIpEnd))
{
// Accept if within the range
// Accept if within the range of static assignment
ret = request_ip;
}
else
{
// Propose an IP in the range since it's a Discover although It is out of range
}
}
if (ret == 0)
{
// If there is any entry with the same MAC address
// that are already registered, use it with priority
DHCP_LEASE *d = SearchDhcpLeaseByMac(v, mac);
if (d != NULL)
{
// Examine whether the found IP address is in the allocation region
if (Endian32(v->DhcpIpStart) > Endian32(d->IpAddress) ||
Endian32(d->IpAddress) > Endian32(v->DhcpIpEnd))
{
// Use the IP address if it's found within the range
ret = d->IpAddress;
}
}
}
if (ret == 0)
{
// For static IP, the requested IP address must NOT be within the range of the DHCP pool
if (Endian32(v->DhcpIpStart) > Endian32(request_ip) ||
Endian32(request_ip) > Endian32(v->DhcpIpEnd))
{
ret = request_ip;
// The specified IP address is not available for use
}
}
@ -9595,6 +9568,11 @@ void VirtualDhcpServer(VH *v, PKT *p)
{
ip = ServeDhcpRequestEx(v, p->MacAddressSrc, opt->RequestedIp, ip_static);
}
// If the IP address in user's note is changed, then reply to DHCP_REQUEST with DHCP_NAK
if (p->L3.IPv4Header->SrcIP && ip != p->L3.IPv4Header->SrcIP)
{
ip = 0;
}
}
if (ip != 0 || opt->Opcode == DHCP_INFORM)
@ -9607,6 +9585,14 @@ void VirtualDhcpServer(VH *v, PKT *p)
char client_mac[MAX_SIZE];
char client_ip[MAX_SIZE];
// If there is any entry with the same MAC address, then remove it
d = SearchDhcpLeaseByMac(v, p->MacAddressSrc);
if (d != NULL)
{
FreeDhcpLease(d);
Delete(v->DhcpLeaseList, d);
}
// Remove old records with the same IP address
d = SearchDhcpLeaseByIp(v, ip);
if (d != NULL)
@ -9765,7 +9751,7 @@ void VirtualDhcpServer(VH *v, PKT *p)
}
else
{
// Reply of DHCP_REQUEST must be either DHCP_ACK or DHCP_NAK.
// Reply of DHCP_REQUEST must be either DHCP_ACK or DHCP_NAK
if (opt->Opcode == DHCP_REQUEST)
{
// There is no IP address that can be provided
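Review bot: In the new block of VirtualDhcpServer that removes an existing lease with the same MAC address, `FreeDhcpLease(d);` runs before `Delete(v->DhcpLeaseList, d);`, so the list is asked to unlink a pointer that has already been released, if FreeDhcpLease frees the lease object as its name suggests. Unlinking first means the list never holds a dangling entry, even briefly: `Delete(v->DhcpLeaseList, d);` followed by `FreeDhcpLease(d);`. The lookup key is `p->MacAddressSrc`, taken from the received frame, so a short comment such as `// Drop only the requester's own earlier lease before recording the new one` would make the intent explicit. The enclosing branch starts and ends outside the hunk, so the conditions under which this removal runs are not fully visible here.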


@ -12288,6 +12288,11 @@ UINT SecureRecv(SOCK *sock, void *data, UINT size)
ret = SSL_peek(ssl, &c, sizeof(c));
}
Unlock(sock->ssl_lock);
#if OPENSSL_VERSION_NUMBER < 0x30000000L
// 2021/09/10: After OpenSSL 3.x.x, both 0 and negative values might mean retryable.
// See: https://github.com/openssl/openssl/blob/435981cbadad2c58c35bacd30ca5d8b4c9bea72f/doc/man3/SSL_read.pod
// > Old documentation indicated a difference between 0 and -1, and that -1 was retryable.
// > You should instead call SSL_get_error() to find out if it's retryable.
if (ret == 0)
{
// The communication have been disconnected
@ -12295,7 +12300,8 @@ UINT SecureRecv(SOCK *sock, void *data, UINT size)
Debug("%s %u SecureRecv() Disconnect\n", __FILE__, __LINE__);
return 0;
}
if (ret < 0)
#endif
if (ret <= 0)
{
// An error has occurred
e = SSL_get_error(ssl, ret);
@ -12303,14 +12309,16 @@ UINT SecureRecv(SOCK *sock, void *data, UINT size)
{
if (e == SSL_ERROR_SSL
#if OPENSSL_VERSION_NUMBER < 0x10100000L
&&
sock->ssl->s3->send_alert[0] == SSL3_AL_FATAL &&
sock->ssl->s3->send_alert[0] != sock->Ssl_Init_Async_SendAlert[0] &&
sock->ssl->s3->send_alert[1] != sock->Ssl_Init_Async_SendAlert[1]
&&
sock->ssl->s3->send_alert[0] == SSL3_AL_FATAL &&
sock->ssl->s3->send_alert[0] != sock->Ssl_Init_Async_SendAlert[0] &&
sock->ssl->s3->send_alert[1] != sock->Ssl_Init_Async_SendAlert[1]
#endif
)
)
{
Debug("%s %u SSL Fatal Error on ASYNC socket !!!\n", __FILE__, __LINE__);
UINT ssl_err_no = ERR_get_error();
Debug("%s %u SSL_ERROR_SSL on ASYNC socket !!! ssl_err_no = %u: '%s'\n", __FILE__, __LINE__, ssl_err_no, ERR_error_string(ssl_err_no, NULL));
Disconnect(sock);
return 0;
}
@ -12337,14 +12345,14 @@ UINT SecureRecv(SOCK *sock, void *data, UINT size)
}
#endif // OS_UNIX
// Run the time-out thread for SOLARIS
// Run the time-out thread for SOLARIS
#ifdef UNIX_SOLARIS
ttparam = NewSocketTimeout(sock);
#endif // UNIX_SOLARIS
ret = SSL_read(ssl, data, size);
// Stop the timeout thread
// Stop the timeout thread
#ifdef UNIX_SOLARIS
FreeSocketTimeout(ttparam);
#endif // UNIX_SOLARIS
@ -12357,7 +12365,11 @@ UINT SecureRecv(SOCK *sock, void *data, UINT size)
}
#endif // OS_UNIX
if (ret < 0)
#if OPENSSL_VERSION_NUMBER < 0x30000000L
if (ret < 0) // OpenSSL version < 3.0.0
#else
if (ret <= 0) // OpenSSL version >= 3.0.0
#endif
{
e = SSL_get_error(ssl, ret);
}
@ -12380,6 +12392,12 @@ UINT SecureRecv(SOCK *sock, void *data, UINT size)
return (UINT)ret;
}
#if OPENSSL_VERSION_NUMBER < 0x30000000L
// 2021/09/10: After OpenSSL 3.x.x, both 0 and negative values might mean retryable.
// See: https://github.com/openssl/openssl/blob/435981cbadad2c58c35bacd30ca5d8b4c9bea72f/doc/man3/SSL_read.pod
// > Old documentation indicated a difference between 0 and -1, and that -1 was retryable.
// > You should instead call SSL_get_error() to find out if it's retryable.
if (ret == 0)
{
// Disconnect the communication
@ -12387,20 +12405,24 @@ UINT SecureRecv(SOCK *sock, void *data, UINT size)
//Debug("%s %u SecureRecv() Disconnect\n", __FILE__, __LINE__);
return 0;
}
#endif
if (sock->AsyncMode)
{
if (e == SSL_ERROR_WANT_READ || e == SSL_ERROR_WANT_WRITE || e == SSL_ERROR_SSL)
{
if (e == SSL_ERROR_SSL
#if OPENSSL_VERSION_NUMBER < 0x10100000L
&&
sock->ssl->s3->send_alert[0] == SSL3_AL_FATAL &&
sock->ssl->s3->send_alert[0] != sock->Ssl_Init_Async_SendAlert[0] &&
sock->ssl->s3->send_alert[1] != sock->Ssl_Init_Async_SendAlert[1]
&&
sock->ssl->s3->send_alert[0] == SSL3_AL_FATAL &&
sock->ssl->s3->send_alert[0] != sock->Ssl_Init_Async_SendAlert[0] &&
sock->ssl->s3->send_alert[1] != sock->Ssl_Init_Async_SendAlert[1]
#endif
)
)
{
Debug("%s %u SSL Fatal Error on ASYNC socket !!!\n", __FILE__, __LINE__);
UINT ssl_err_no = ERR_get_error();
Debug("%s %u SSL_ERROR_SSL on ASYNC socket !!! ssl_err_no = %u: '%s'\n", __FILE__, __LINE__, ssl_err_no, ERR_error_string(ssl_err_no, NULL));
Disconnect(sock);
return 0;
}
@ -12438,7 +12460,11 @@ UINT SecureSend(SOCK *sock, void *data, UINT size)
}
ret = SSL_write(ssl, data, size);
if (ret < 0)
#if OPENSSL_VERSION_NUMBER < 0x30000000L
if (ret < 0) // OpenSSL version < 3.0.0
#else
if (ret <= 0) // OpenSSL version >= 3.0.0
#endif
{
e = SSL_get_error(ssl, ret);
}
@ -12460,6 +12486,8 @@ UINT SecureSend(SOCK *sock, void *data, UINT size)
sock->WriteBlocked = false;
return (UINT)ret;
}
#if OPENSSL_VERSION_NUMBER < 0x30000000L
if (ret == 0)
{
// Disconnect
@ -12467,6 +12495,7 @@ UINT SecureSend(SOCK *sock, void *data, UINT size)
Disconnect(sock);
return 0;
}
#endif
if (sock->AsyncMode)
{
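Review bot: The new SSL_ERROR_SSL logging in SecureRecv, on both the SSL_peek path and the SSL_read path, calls `ERR_error_string(ssl_err_no, NULL)`, which formats into a static buffer shared by all threads and is documented by OpenSSL as not thread-safe. It also stores the `unsigned long` returned by `ERR_get_error()` in a `UINT`, which can truncate the error code, assuming UINT is a 32-bit type. A local buffer avoids both problems: `char errbuf[256]; unsigned long ssl_err_no = ERR_get_error(); ERR_error_string_n(ssl_err_no, errbuf, sizeof(errbuf));`, with the Debug format adjusted to the wider type. ERR_get_error() returns only the oldest queued entry, so the logged code may predate this call unless the error queue is cleared before SSL_peek/SSL_read; whether that happens is outside the visible hunks.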


@ -4854,7 +4854,7 @@ CMD_ConnectionList_Help 现在,先获取与 VPN Server 连接的 TCP/IP 一
CMD_ConnectionList_Args ConnectionList
# ConnectionList 命令
# ConnectionGet 命令
CMD_ConnectionGet 获取连接到 VPN Server 的 TCP 信息一览表
CMD_ConnectionGet_Help 获取与 VPN Server 连接的 TCP/IP 连接的详细信息。\n可以获得 [连接名][连接种类][连接主机名][连接主机 IP][联机主机端口 TCP][连接时间][服务器品牌][服务器版本][服务器铭牌号][客户机品牌][客户机版本][客户机铭牌号] 等信息。 \n要运行此命令需要管理员权限。
CMD_ConnectionGet_Args ConnectionGet [name]
@ -7044,7 +7044,7 @@ CMD_RemoteDisable_Args RemoteDisable
###################################################
# #
# 下面这是VPN工具用的指令 #
# 下面这是VPN Tools用的指令 #
# #
###################################################


@ -4839,7 +4839,7 @@ CMD_ConnectionList_Help Use this to get a list of TCP/IP connections that are cu
CMD_ConnectionList_Args ConnectionList
# ConnectionList command
# ConnectionGet command
CMD_ConnectionGet Get Information of TCP Connections Connecting to the VPN Server
CMD_ConnectionGet_Help Use this to get detailed information of a specific TCP/IP connection that is connecting to the VPN Server. \nYou can get the following information: Connection Name, Connection Type, Source Hostname, Source IP Address, Source Port Number (TCP), Connection Start, Server Product Name, Server Version, Server Build Number, Client Product Name, Client Version, and Client Build Number. \nTo execute this command, you must have VPN Server administrator privileges.
CMD_ConnectionGet_Args ConnectionGet [name]


@ -4558,7 +4558,7 @@ CMD_SyslogGet_COLUMN_2 syslog Server Host Name
CMD_SyslogGet_COLUMN_3 syslog Server Port Number
# ConnectionList command
# ConnectionGet command
CMD_ConnectionList Get List of TCP Connections Connecting to the VPN Server
CMD_ConnectionList_Help Use this to get a list of TCP/IP connections that are currently connecting to the VPN Server. It does not display the TCP connections that have been established as VPN sessions. To get the list of TCP/IP connections that have been established as VPN sessions, you can use the SessionList command. \nYou can get the following: Connection Name, Connection Source, Connection Start and Type.\nTo execute this command, you must have VPN Server administrator privileges.
CMD_ConnectionList_Args ConnectionList
@ -4851,7 +4851,7 @@ CMD_HubList_Args ListaHub
# Hub command
CMD_Hub Select Virtual Hub to Manage
CMD_Hub_Help Use this to select the Virtual Hub to be the target of administration. For an administration utility with the status of being connected to a VPN Server, before executing a command to set or manage a Virtual Hub, you must use the Hub command to select the Virtual Hub to manage. \nWhen in the status of being connected to a VPN Server in Virtual Hub Admin Mode, you can select a single Virtual Hub to be the target of administration but you cannot select other Virtual Hubs. When having the status of being connected to the VPN Server in Server Admin Mode, you can make all Virtual Hubs the target of administration. \nTo get a list of Virtual Hubs that currently exist on the VPN Server, use the HubList command. \nFor the VPN Bridge, you can only select the Virtual Hub that has the name "BRIDGE".
CMD_Hub_Args Hub [nome]
CMD_Hub_Args Hub [name]
CMD_Hub_[name] Specify the name of the Virtual Hub to manage. If this parameter is left unspecified, the Select Virtual Hub to Manage will be cancelled.
CMD_Hub_Unselected The Virtual Hub selection has been unselected.
CMD_Hub_Selected The Virtual Hub "%S" has been selected.
@ -5619,7 +5619,7 @@ CMD_UserRadiusSet_ALIAS When this parameter is set, it is possible to make the u
CMD_UserRadiusSet_Prompt_ALIAS Alias Name for Authentication (Optional):
# UserNTLMSet コマンド
# UserNTLMSet command
CMD_UserNTLMSet Set NT Domain Authentication for User Auth Type
CMD_UserNTLMSet_Help Use this to set NT Domain Authentication as the auth type for a user that is registered on the security account database of the currently managed Virtual Hub. When a user connects to a Virtual Hub using a user name that is set for NT Domain authentication, the user name and the user input password is sent to the Windows NT / 2000 / Server 2003 / Server 2008 / Server 2008 R2 / Server 2012 Domain Controller or Active Directory Server where the server checks the user name and password, then if the verification is successful, that user is allowed VPN connection. \nTo use NT Domain authentication, the VPN Server must be operating on a Windows NT 4.0, Windows 2000, Windows XP, Windows Vista, Windows Server 2008, Windows Server 2008 R2 or Windows Server 2012 operating system that is connected to that domain. For details please contact the VPN Server's administrator. \nTo get the list of currently registered users, use the UserList command. \nThis command cannot be run on VPN Bridge. \nYou cannot execute this command for Virtual Hubs of VPN Servers operating as a member server on a cluster.
CMD_UserNTLMSet_Args UserNTLMSet [name] [/ALIAS:alias_name]
@ -6193,7 +6193,7 @@ CMD_VpnAzureGetStatus_PRINT_CONNECTED Connection to VPN Azure Cloud Server is Es
CMD_VpnAzureGetStatus_PRINT_HOSTNAME Hostname of this VPN Server on VPN Azure Service
# VpnAzureSetStatus command
# VpnAzureSetEnable command
CMD_VpnAzureSetEnable Enable / Disable VPN Azure Function
CMD_VpnAzureSetEnable_Help Enable or disable the VPN Azure function.\n\nVPN Azure makes it easier to establish a VPN Session from your home PC to your office PC. While a VPN connection is established, you can access to any other servers on the private network of your company.\nYou don't need a global IP address on the office PC (VPN Server). It can work behind firewalls or NATs. No network administrator's configuration required. You can use the built-in SSTP-VPN Client of Windows in your home PC.\nVPN Azure is a cloud VPN service operated by SoftEther VPN Project. VPN Azure is free of charge and available to anyone. Visit http://www.vpnazure.net/ to see details and how-to-use instructions.\n\nThe VPN Azure hostname is same to the hostname of the Dynamic DNS setting, but altering the domain suffix to "vpnazure.net". To change the hostname use the DynamicDnsSetHostname command.\n\nTo execute this command, you must have VPN Server administrator privileges. \nThis command cannot be run on VPN Bridge.\nYou cannot execute this command for Virtual Hubs of VPN Servers operating as a cluster.
CMD_VpnAzureSetEnable_Args VpnAzureSetEnable [yes|no]
@ -6702,7 +6702,7 @@ CMD_AccountOpensslCertSet_PROMPT_KEYNAME Specify the openssl engine specific key
CMD_AccountOpensslCertSet_PROMPT_ENGINENAME Specify the openssl engine name:
# AccountRetrySet コマンド
# AccountRetrySet command
CMD_AccountRetrySet Set Interval between Connection Retries for Connection Failures or Disconnections of VPN Connection Setting
CMD_AccountRetrySet_Help When a VPN Connection Setting registered on the VPN Client is specified and that VPN Connection Setting attempts to connect to a VPN Server, use this to specify the interval to wait between connection attempts and the limit of how many times to retry connecting when communication with the VPN Server has been disconnected or when the connection process failed. \nIf the user authentication type is Smart Card Authentication, no connection retry will be performed regardless of the Number of Connection Attempts setting.
CMD_AccountRetrySet_Args AccountRetrySet [name] [/NUM:num_retry] [/INTERVAL:retry_interval]


@ -4839,7 +4839,7 @@ CMD_ConnectionList_Help Use this to get a list of TCP/IP connections that are cu
CMD_ConnectionList_Args ConnectionList
# ConnectionList command
# ConnectionGet command
CMD_ConnectionGet Get Information of TCP Connections Connecting to the VPN Server
CMD_ConnectionGet_Help Use this to get detailed information of a specific TCP/IP connection that is connecting to the VPN Server. \nYou can get the following information: Connection Name, Connection Type, Source Hostname, Source IP Address, Source Port Number (TCP), Connection Start, Server Product Name, Server Version, Server Build Number, Client Product Name, Client Version, and Client Build Number. \nTo execute this command, you must have VPN Server administrator privileges.
CMD_ConnectionGet_Args ConnectionGet [name]
@ -7122,7 +7122,7 @@ CMD_TrafficClient_ERROR_HOSTPORT The host name or port number is incorrectly spe
# TrafficServer command
CMD_TrafficServer Запустить средство тестирования скорости сетевого трафика в режиме сервера
CMD_TrafficServer_Help Используется для запуска инструмента измерения пропускной способности в режиме сервера. \nДве команды, TrafficClient и TrafficServer, используются для измерения пропускной способности между двумя компьютерами, соединенными сетью IP. \nУкажите номер порта и запустите серверную часть с помощью команды TrafficServer, чтобы прослушивать подключение от TrafficClient другого компьютера. \nВы можете отобразить более подробную информацию об инструменте измерения пропускной способности, введя "TrafficClient ?". \n\nПримечание. Эту команду можно вызвать из утилиты управления командной строкой SoftEther VPN. Вы также можете выполнить эту команду при подключении к текущему VPN-серверу или VPN клиенту в режиме администрирования, но фактически осуществляет связь и измеряет пропускную способность тот компьютер, на котором выполняется команда, а не компьютер с которого выполнено подключение в режиме администрирования.
CMD_TrafficServer_Args TrafficServer [порт] [/NOHUP:да|нет]
CMD_TrafficServer_Args TrafficServer [port] [/NOHUP:yes|no]
CMD_TrafficServer_[port] Укажите номер порта для прослушивания соединения. Если указанный порт уже используется другой программой или порт не может быть открыт, произойдет ошибка
CMD_TrafficServer_NOHUP Если указано «да», серверная часть игнорирует любой ввод с консоли и никогда не останавливается. Это удобно, если вы хотите запустить TrafficServer в бесконечном режиме.


@ -4855,7 +4855,7 @@ CMD_ConnectionList_Help 現在,先獲取與 VPN Server 連接的 TCP/IP 一
CMD_ConnectionList_Args ConnectionList
# ConnectionList 命令
# ConnectionGet 命令
CMD_ConnectionGet 獲取連接到 VPN Server 的 TCP 資訊一覽表
CMD_ConnectionGet_Help 獲取與 VPN Server 連接的 TCP/IP 連接的詳細資訊。\n可以獲得 [連接名][連接種類][連接主機名稱][連接主機 IP][連線主機埠 TCP][連線時間][伺服器品牌][伺服器版本][伺服器銘牌號][客戶機品牌][客戶機版本][客戶機銘牌號] 等資訊。 \n要運行此命令需要管理員許可權。
CMD_ConnectionGet_Args ConnectionGet [name]
@ -7046,7 +7046,7 @@ CMD_RemoteDisable_Args RemoteDisable
###################################################
# #
# 下面這是VPN工具用的指令 #
# 下面這是VPN Tools用的指令 #
# #
###################################################