Merge a366bdbf02 into d4dbf3cdc5

add "vcpkg_installed" to gitignore

.gitignore

@@ -209,4 +209,4 @@ developer_tools/stbchecker/**/ASALocalRun/
 developer_tools/stbchecker/**/*.binlog
 developer_tools/stbchecker/**/*.nvuser
 developer_tools/stbchecker/**/.mfractor/
-
+/vcpkg_installed

developer_tools/vpnserver-jsonrpc-clients/README.html

@@ -30,6 +30,7 @@
 <ul>
 <li>Older versions of SoftEther VPN before June 2019 don't support JSON-RPC APIs.</li>
 <li>If you want to completely disable the JSON-RPC on your VPN Server, set the <code>DisableJsonRpcWebApi</code> variable to <code>true</code> on the <code>vpn_server.config</code>.</li>
+<li>You may also restrict access to JSON-RPC API to a specific subnet, e.g. your internal network, by setting the <code>JsonRpcWebApiAllowedSubnet</code> variable to, for example, <code>192.168.0.0/16</code>.</li>
 </ul>
 <h3 id="json-rpc-specification">JSON-RPC specification</h3>
 <p>You must use HTTPS 1.1 <code>POST</code> method to call each of JSON-RPC APIs.<br />

developer_tools/vpnserver-jsonrpc-clients/README.md

@@ -25,6 +25,7 @@ https://<vpn_server_hostname>:<port>/api/
 
   - Older versions of SoftEther VPN before June 2019 don't support JSON-RPC APIs.
   - If you want to completely disable the JSON-RPC on your VPN Server, set the `DisableJsonRpcWebApi` variable to `true` on the `vpn_server.config`.
+  - You may also restrict access to JSON-RPC API to a specific subnet, e.g. your internal network, by setting the `JsonRpcWebApiAllowedSubnet` variable to, for example, `192.168.0.0/16`.
 
 
 ### JSON-RPC specification

developer_tools/vpnserver-jsonrpc-codegen/Templates/doc.txt

@@ -25,6 +25,7 @@ https://<vpn_server_hostname>:<port>/api/
 
   - Older versions of SoftEther VPN before June 2019 don't support JSON-RPC APIs.
   - If you want to completely disable the JSON-RPC on your VPN Server, set the `DisableJsonRpcWebApi` variable to `true` on the `vpn_server.config`.
+  - You may also restrict access to JSON-RPC API to a specific subnet, e.g. your internal network, by setting the `JsonRpcWebApiAllowedSubnet` variable to, for example, `192.168.0.0/16`.
 
 
 ### JSON-RPC specification

src/Cedar/Protocol.c

@@ -5740,6 +5740,7 @@ bool ServerDownloadSignature(CONNECTION *c, char **error_detail_str)
 	UINT num = 0, max = 19;
 	SERVER *server;
 	char *vpn_http_target = HTTP_VPN_TARGET2;
+	bool disableJsonRpcWebApi;
 	// Validate arguments
 	if (c == NULL)
 	{
@@ -5750,6 +5751,15 @@ bool ServerDownloadSignature(CONNECTION *c, char **error_detail_str)
 
 	s = c->FirstSock;
 
+	disableJsonRpcWebApi = server->DisableJsonRpcWebApi;
+	if (!disableJsonRpcWebApi && !IsZeroIP(&server->JsonRpcWebApiAllowedSubnetAddr)
+				&& !IsZeroIP(&server->JsonRpcWebApiAllowedSubnetMask)) {
+		// restrict JSON-RPC Web API to specified subnet only
+		if (!IsInSameNetwork(&s->RemoteIP, &server->JsonRpcWebApiAllowedSubnetAddr, &server->JsonRpcWebApiAllowedSubnetMask)) {
+			disableJsonRpcWebApi = true;
+		}
+	}
+
 	while (true)
 	{
 		bool not_found_error = false;
@@ -5782,7 +5792,7 @@ bool ServerDownloadSignature(CONNECTION *c, char **error_detail_str)
 			// Receive the data since it's POST
 			data_size = GetContentLength(h);
 
-			if (server->DisableJsonRpcWebApi == false)
+			if (disableJsonRpcWebApi == false)
 			{
 				if (StrCmpi(h->Target, "/api") == 0 || StrCmpi(h->Target, "/api/") == 0)
 				{
@@ -5868,7 +5878,7 @@ bool ServerDownloadSignature(CONNECTION *c, char **error_detail_str)
 		}
 		else if (StrCmpi(h->Method, "OPTIONS") == 0)
 		{
-			if (server->DisableJsonRpcWebApi == false)
+			if (disableJsonRpcWebApi == false)
 			{
 				if (StrCmpi(h->Target, "/api") == 0 || StrCmpi(h->Target, "/api/") == 0 || StartWith(h->Target, "/admin"))
 				{
@@ -5939,7 +5949,7 @@ bool ServerDownloadSignature(CONNECTION *c, char **error_detail_str)
 					BUF *b = NULL;
 					*error_detail_str = "HTTP_ROOT";
 
-					if (server->DisableJsonRpcWebApi == false)
+					if (disableJsonRpcWebApi == false)
 					{
 						b = ReadDump("|wwwroot/index.html");
 					}
@@ -6019,7 +6029,7 @@ bool ServerDownloadSignature(CONNECTION *c, char **error_detail_str)
 
 					if (b == false)
 					{
-						if (server->DisableJsonRpcWebApi == false)
+						if (disableJsonRpcWebApi == false)
 						{
 							if (StartWith(h->Target, "/api?") || StartWith(h->Target, "/api/") || StrCmpi(h->Target, "/api") == 0)
 							{

src/Cedar/Server.c

@@ -30,6 +30,7 @@
 #include "Mayaqua/Internat.h"
 #include "Mayaqua/Memory.h"
 #include "Mayaqua/Microsoft.h"
+#include "Mayaqua/Network.h"
 #include "Mayaqua/Object.h"
 #include "Mayaqua/OS.h"
 #include "Mayaqua/Pack.h"
@@ -6032,6 +6033,15 @@ void SiLoadServerCfg(SERVER *s, FOLDER *f)
 		// Disable JSON-RPC Web API
 		s->DisableJsonRpcWebApi = CfgGetBool(f, "DisableJsonRpcWebApi");
 
+		char tmpaddr[MAX_PATH];
+		if (CfgGetStr(f, "JsonRpcWebApiAllowedSubnet", tmpaddr, sizeof(tmpaddr))) {
+			IP _subnet, _mask;
+			if (ParseIpAndMask46(tmpaddr, &_subnet, &_mask)) {
+				s->JsonRpcWebApiAllowedSubnetAddr = _subnet;
+				s->JsonRpcWebApiAllowedSubnetMask = _mask;
+			}
+		}
+
 		// Bits of Diffie-Hellman parameters
 		c->DhParamBits = CfgGetInt(f, "DhParamBits");
 		if (c->DhParamBits == 0)
@@ -6365,6 +6375,11 @@ void SiWriteServerCfg(FOLDER *f, SERVER *s)
 
 		// Disable JSON-RPC Web API
 		CfgAddBool(f, "DisableJsonRpcWebApi", s->DisableJsonRpcWebApi);
+
+		char tmpaddr[MAX_PATH];
+		IPAndMaskToStr(tmpaddr, sizeof(tmpaddr),
+			&s->JsonRpcWebApiAllowedSubnetAddr, &s->JsonRpcWebApiAllowedSubnetMask);
+		CfgAddStr(f, "JsonRpcWebApiAllowedSubnet", tmpaddr);
 	}
 	Unlock(c->lock);
 }

src/Cedar/Server.h

@@ -276,6 +276,9 @@ struct SERVER
 	IP ListenIP;						// Listen IP
 	bool StrictSyslogDatetimeFormat;	// Make syslog datetime format strict RFC3164
 	bool DisableJsonRpcWebApi;					// Disable JSON-RPC Web API
+
+	IP JsonRpcWebApiAllowedSubnetAddr;  // If set, allow access to JSON-RPC Web API from
+	IP JsonRpcWebApiAllowedSubnetMask;  //   this subnet only
 };
 
 

src/Mayaqua/Network.c

@@ -6986,6 +6986,18 @@ void IPToStr6Inner(char *str, IP *ip)
 	}
 }
 
+// Format IP and subnet mask as "<ip>/<masksize>"
+void IPAndMaskToStr(char *str, UINT size, IP *ip, IP *subnet)
+{
+	int iplen;
+	UINT masksize;
+
+	IPToStr(str, size, ip);
+	iplen = StrLen(str);
+	masksize = SubnetMaskToInt(subnet);
+	Format(str + iplen, size - iplen, "/%d", masksize);
+}
+
 // Convert the string to an IP address
 bool StrToIP6(IP *ip, char *str)
 {

src/Mayaqua/Network.h

@@ -1289,6 +1289,7 @@ void IPToStr6(char *str, UINT size, IP *ip);
 void IP6AddrToStr(char *str, UINT size, IPV6_ADDR *addr);
 void IPToStr6Array(char *str, UINT size, UCHAR *bytes);
 void IPToStr6Inner(char *str, IP *ip);
+void IPAndMaskToStr(char *str, UINT size, IP *ip, IP *subnet);
 void IntToSubnetMask6(IP *ip, UINT i);
 void IPAnd6(IP *dst, IP *a, IP *b);
 void GetAllRouterMulticastAddress6(IP *ip);

src/Mayaqua/pkcs11f.h

@@ -73,7 +73,7 @@ CK_PKCS11_FUNCTION_INFO(C_GetSlotList)
 (
   CK_BBOOL       tokenPresent,  /* only slots with tokens? */
   CK_SLOT_ID_PTR pSlotList,     /* receives array of slot IDs */
-  CK_ULONG_PTR   pulCount       /* receives number of slots */
+  CK_UINT_PTR   pulCount       /* receives number of slots */
 );
 #endif
 
@@ -351,7 +351,7 @@ CK_PKCS11_FUNCTION_INFO(C_FindObjects)
  CK_SESSION_HANDLE    hSession,          /* session's handle */
  CK_OBJECT_HANDLE_PTR phObject,          /* gets obj. handles */
  CK_ULONG             ulMaxObjectCount,  /* max handles to get */
- CK_ULONG_PTR         pulObjectCount     /* actual # returned */
+ CK_UINT_PTR         pulObjectCount     /* actual # returned */
 );
 #endif
 
@@ -558,7 +558,7 @@ CK_PKCS11_FUNCTION_INFO(C_Sign)
   CK_BYTE_PTR       pData,           /* the data to sign */
   CK_ULONG          ulDataLen,       /* count of bytes to sign */
   CK_BYTE_PTR       pSignature,      /* gets the signature */
-  CK_ULONG_PTR      pulSignatureLen  /* gets signature length */
+  CK_UINT_PTR      pulSignatureLen  /* gets signature length */
 );
 #endif
 

src/Mayaqua/pkcs11t.h

@@ -51,6 +51,8 @@ typedef CK_BYTE           CK_BBOOL;
 /* an unsigned value, at least 32 bits long */
 typedef unsigned long int CK_ULONG;
 
+typedef unsigned int CK_UINT;
+
 /* a signed value, the same size as a CK_ULONG */
 /* CK_LONG is new for v2.0 */
 typedef long int          CK_LONG;
@@ -68,6 +70,7 @@ typedef CK_BYTE     CK_PTR   CK_BYTE_PTR;
 typedef CK_CHAR     CK_PTR   CK_CHAR_PTR;
 typedef CK_UTF8CHAR CK_PTR   CK_UTF8CHAR_PTR;
 typedef CK_ULONG    CK_PTR   CK_ULONG_PTR;
+typedef CK_UINT     CK_PTR   CK_UINT_PTR;
 typedef void        CK_PTR   CK_VOID_PTR;
 
 /* Pointer to a CK_VOID_PTR-- i.e., pointer to pointer to void */
@@ -110,7 +113,7 @@ typedef CK_ULONG CK_NOTIFICATION;
 #define CKN_SURRENDER       0
 
 
-typedef CK_ULONG          CK_SLOT_ID;
+typedef CK_UINT          CK_SLOT_ID;
 
 typedef CK_SLOT_ID CK_PTR CK_SLOT_ID_PTR;
 
@@ -262,7 +265,7 @@ typedef CK_TOKEN_INFO CK_PTR CK_TOKEN_INFO_PTR;
 
 /* CK_SESSION_HANDLE is a Cryptoki-assigned value that
  * identifies a session */
-typedef CK_ULONG          CK_SESSION_HANDLE;
+typedef CK_UINT          CK_SESSION_HANDLE;
 
 typedef CK_SESSION_HANDLE CK_PTR CK_SESSION_HANDLE_PTR; 
 
@@ -310,7 +313,7 @@ typedef CK_SESSION_INFO CK_PTR CK_SESSION_INFO_PTR;
 
 /* CK_OBJECT_HANDLE is a token-specific identifier for an
  * object  */
-typedef CK_ULONG          CK_OBJECT_HANDLE;
+typedef CK_UINT          CK_OBJECT_HANDLE;
 
 typedef CK_OBJECT_HANDLE CK_PTR CK_OBJECT_HANDLE_PTR;