rename IV_OPENVPN_GUI_VERSION to IV_GUI_VER

author: Arne Schwabe <arne@rfc2549.org> 2014-01-09 22:18:17 +0100
committer: Arne Schwabe <arne@rfc2549.org> 2014-01-09 22:18:17 +0100
commit: dd6f4ac1248e73106cf54ba78856dc27265bc5e1 (patch)
tree: 8049eb01214b11b30e9d4a6f5e3d5fd1b8bc670b
parent: 97deae46f78cc96540d207f452f2bd97cf540b13 (diff)
12 files changed, 93 insertions, 106 deletions
diff --git a/openvpn/README.IPv6 b/openvpn/README.IPv6
index d16a6daf..18068fee 100644
--- a/openvpn/README.IPv6
+++ b/openvpn/README.IPv6
@@ -35,7 +35,7 @@ over an IPv6 network ("OpenVPN over IPv6").
 The code in 2.3.0 supersedes the IPv6 transport patches from JuanJo Ciarlante,
 formerly located at http://github.com/jjo/openvpn-ipv6
 
-Android 2.4.0 includes a big overhaul of the IPv6 transport patches
+OpenVPN 2.4.0 includes a big overhaul of the IPv6 transport patches
 originally implemented for the Android client (ics-openvpn)
 
 IPv4/IPv6 transport is automatically is selected when resolving addresses.
@@ -53,4 +53,4 @@ handle IPv4 connections on the IPv6 socket as well, making it a true
 dual-stacked server. Use bind ipv6only to disable this behaviour.
 
 On other systems, as of 2.3.0, you need to run separate server instances
-for IPv4 and IPv6.
-\ No newline at end of file
+for IPv4 and IPv6.
diff --git a/openvpn/TODO.IPv6 b/openvpn/TODO.IPv6
index ef2b8463..24bf865a 100644
--- a/openvpn/TODO.IPv6
+++ b/openvpn/TODO.IPv6
@@ -183,7 +183,7 @@ tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1500
 TODO for IPv6 transport support
 -------------------------------
 
-[ Last updated: 03-01-2013. ]
+[ Last updated: 2014-01-03. ]
 
 * All platforms:
   o mgmt console: as currently passes straight in_addr_t bits around
@@ -210,5 +210,6 @@ TODO for IPv6 transport support
 * win32:
   o find out about mapped addresses, as I can't make it work
     with bound at ::1 and connect to 127.0.0.1
-    - Should be fixed by 8832c6c - "Implement listing on IPv4/IPv6 dual socket on all platform"
+    - Should be fixed by 8832c6c - "Implement listing on IPv4/IPv6 dual 
+      socket on all platform"
 
diff --git a/openvpn/doc/openvpn.8 b/openvpn/doc/openvpn.8
index 48a88647..0235c2c8 100644
--- a/openvpn/doc/openvpn.8
+++ b/openvpn/doc/openvpn.8
@@ -274,7 +274,7 @@ failover capability.
 .\"*********************************************************
 .TP
 .B \-\-remote-random-hostname
-Add a random string (6 characters) to first DNS label of hostname to prevent
+Prepend a random string (6 bytes, 12 hex characters) to hostname to prevent
 DNS caching.  For example, "foo.bar.gov" would be modified to
 "<random-chars>.foo.bar.gov".
 .\"*********************************************************
@@ -2423,9 +2423,11 @@ Enable a compression algorithm.
 
 The
 .B algorithm
-parameter may be "snappy", "lzo", or empty.  Snappy and LZO
+parameter may be "snappy", "lzo", "lz4", or empty.  Snappy, LZO and LZ4
 are different compression algorithms, with Snappy generally
-offering the best performance.
+offering the best performance while LZ4 is faster with less CPU usage.
+For backwards compatibility with OpenVPN versions before 2.4, use "lzo"
+(which is identical to the older option "\-\-comp-lzo yes").
 
 If the
 .B algorithm
diff --git a/openvpn/src/openvpn/comp.h b/openvpn/src/openvpn/comp.h
index 57764007..bfa25fd3 100644
--- a/openvpn/src/openvpn/comp.h
+++ b/openvpn/src/openvpn/comp.h
@@ -24,7 +24,7 @@
 
 /*
  * Generic compression support.  Currently we support
- * Snappy, LZO 2 and LX4.
+ * Snappy, LZO 2 and LZ4.
  */
 #ifndef OPENVPN_COMP_H
 #define OPENVPN_COMP_H
diff --git a/openvpn/src/openvpn/misc.c b/openvpn/src/openvpn/misc.c
index 4688444e..7483184f 100644
--- a/openvpn/src/openvpn/misc.c
+++ b/openvpn/src/openvpn/misc.c
@@ -926,32 +926,23 @@ create_temp_file (const char *directory, const char *prefix, struct gc_arena *gc
 }
 
 /*
- * Add a random string to first DNS label of hostname to prevent DNS caching.
+ * Prepend a random string to hostname to prevent DNS caching.
  * For example, foo.bar.gov would be modified to <random-chars>.foo.bar.gov.
- * Of course, this requires explicit support in the DNS server.
+ * Of course, this requires explicit support in the DNS server (wildcard).
  */
 const char *
 hostname_randomize(const char *hostname, struct gc_arena *gc)
 {
 # define n_rnd_bytes 6
 
-  char *hst = string_alloc(hostname, gc);
-  char *dot = strchr(hst, '.');
+  uint8_t rnd_bytes[n_rnd_bytes];
+  const char *rnd_str;
+  struct buffer hname = alloc_buf_gc (strlen(hostname)+sizeof(rnd_bytes)*2+4, gc);
 
-  if (dot)
-    {
-      uint8_t rnd_bytes[n_rnd_bytes];
-      const char *rnd_str;
-      struct buffer hname = alloc_buf_gc (strlen(hostname)+sizeof(rnd_bytes)*2+4, gc);
-
-      *dot++ = '\0';
-      prng_bytes (rnd_bytes, sizeof (rnd_bytes));
-      rnd_str = format_hex_ex (rnd_bytes, sizeof (rnd_bytes), 40, 0, NULL, gc);
-      buf_printf(&hname, "%s-0x%s.%s", hst, rnd_str, dot);
-      return BSTR(&hname);
-    }
-  else
-    return hostname;
+  prng_bytes (rnd_bytes, sizeof (rnd_bytes));
+  rnd_str = format_hex_ex (rnd_bytes, sizeof (rnd_bytes), 40, 0, NULL, gc);
+  buf_printf(&hname, "%s.%s", rnd_str, hostname);
+  return BSTR(&hname);
 # undef n_rnd_bytes
 }
 
diff --git a/openvpn/src/openvpn/options.c b/openvpn/src/openvpn/options.c
index b93a67a0..892dbfdd 100644
--- a/openvpn/src/openvpn/options.c
+++ b/openvpn/src/openvpn/options.c
@@ -2874,6 +2874,7 @@ pre_pull_restore (struct options *o)
     }
 
   o->push_continuation = 0;
+  o->push_option_types_found = 0;
 }
 
 #endif
diff --git a/openvpn/src/openvpn/options.h b/openvpn/src/openvpn/options.h
index dafb8ff6..1992f5a7 100644
--- a/openvpn/src/openvpn/options.h
+++ b/openvpn/src/openvpn/options.h
@@ -467,6 +467,7 @@ struct options
   bool client;
   bool pull; /* client pull of config options from server */
   int push_continuation;
+  unsigned int push_option_types_found;
   const char *auth_user_pass_file;
   struct options_pre_pull *pre_pull;
 
diff --git a/openvpn/src/openvpn/push.c b/openvpn/src/openvpn/push.c
index bd08cff7..e971357d 100644
--- a/openvpn/src/openvpn/push.c
+++ b/openvpn/src/openvpn/push.c
@@ -203,8 +203,10 @@ incoming_push_message (struct context *c, const struct buffer *buffer)
     msg (D_PUSH_ERRORS, "WARNING: Received bad push/pull message: %s", sanitize_control_message(BSTR(buffer), &gc));
   else if (status == PUSH_MSG_REPLY || status == PUSH_MSG_CONTINUATION)
     {
+      c->options.push_option_types_found |= option_types_found;
+
       if (status == PUSH_MSG_REPLY)
-	do_up (c, true, option_types_found); /* delay bringing tun/tap up until --push parms received from remote */
+	do_up (c, true, c->options.push_option_types_found ); /* delay bringing tun/tap up until --push parms received from remote */
       event_timeout_clear (&c->c2.push_request_interval);
     }
 
diff --git a/openvpn/src/openvpn/ssl.c b/openvpn/src/openvpn/ssl.c
index 93222c47..15518cab 100644
--- a/openvpn/src/openvpn/ssl.c
+++ b/openvpn/src/openvpn/ssl.c
@@ -1825,13 +1825,13 @@ push_peer_info(struct buffer *buf, struct tls_session *session)
 	    buf_printf (&out, "IV_HWADDR=%s\n", format_hex_ex (rgi.hwaddr, 6, 0, 1, ":", &gc));
         }
 
-      /* push env vars that begin with UV_ and IV_OPENVPN_GUI_VERSION */
+      /* push env vars that begin with UV_ and IV_GUI_VER */
       for (e=es->list; e != NULL; e=e->next)
 	{
 	  if (e->string)
 	    {
 	      if (((strncmp(e->string, "UV_", 3)==0 && session->opt->push_peer_info_detail >= 2)
-		   || (strncmp(e->string,"IV_OPENVPN_GUI_VERSION=",sizeof("IV_OPENVPN_GUI_VERSION=")-1)==0))
+		   || (strncmp(e->string,"IV_GUI_VER=",sizeof("IV_GUI_VER=")-1)==0))
 		  && buf_safe(&out, strlen(e->string)+1))
 		buf_printf (&out, "%s\n", e->string);
 	    }
diff --git a/openvpn/src/openvpn/ssl_openssl.c b/openvpn/src/openvpn/ssl_openssl.c
index 9dced724..f0796526 100644
--- a/openvpn/src/openvpn/ssl_openssl.c
+++ b/openvpn/src/openvpn/ssl_openssl.c
@@ -224,86 +224,73 @@ tls_ctx_restrict_ciphers(struct tls_root_ctx *ctx, const char *ciphers)
         msg(M_SSLERR, "Failed to set default TLS cipher list.");
       return;
     }
-  else
-    {
-      /* Parse supplied cipher list and pass on to OpenSSL */
-      size_t begin_of_cipher, end_of_cipher;
 
-      const char *current_cipher;
-      size_t current_cipher_len;
+  /* Parse supplied cipher list and pass on to OpenSSL */
+  size_t begin_of_cipher, end_of_cipher;
 
-      const tls_cipher_name_pair *cipher_pair;
+  const char *current_cipher;
+  size_t current_cipher_len;
 
-      char openssl_ciphers[4096];
-      size_t openssl_ciphers_len = 0;
-      openssl_ciphers[0] = '\0';
+  const tls_cipher_name_pair *cipher_pair;
 
-      ASSERT(NULL != ctx);
+  char openssl_ciphers[4096];
+  size_t openssl_ciphers_len = 0;
+  openssl_ciphers[0] = '\0';
 
-      // Translate IANA cipher suite names to OpenSSL names
-      begin_of_cipher = end_of_cipher = 0;
-      for (; begin_of_cipher < strlen(ciphers); begin_of_cipher = end_of_cipher)
-        {
-          end_of_cipher += strcspn(&ciphers[begin_of_cipher], ":");
-          cipher_pair = tls_get_cipher_name_pair(&ciphers[begin_of_cipher],
-              end_of_cipher - begin_of_cipher);
+  ASSERT(NULL != ctx);
 
-          if (NULL == cipher_pair)
-            {
-              // No translation found, use original
-              current_cipher = &ciphers[begin_of_cipher];
-              current_cipher_len = end_of_cipher - begin_of_cipher;
-
-              // Issue warning on missing translation
-              // %.*s format specifier expects length of type int, so guarantee
-              // that length is small enough and cast to int.
-              msg (M_WARN, "No valid translation found for TLS cipher '%.*s'",
-                     constrain_int(current_cipher_len, 0, 256), current_cipher);
-            }
-          else
-            {
-              // Use OpenSSL name
-              current_cipher = cipher_pair->openssl_name;
-              current_cipher_len = strlen(current_cipher);
-
-              if (end_of_cipher - begin_of_cipher == current_cipher_len &&
-                  0 == memcmp (&ciphers[begin_of_cipher],
-                      cipher_pair->openssl_name,
-                      end_of_cipher - begin_of_cipher))
-                {
-                  // Non-IANA name used, show warning
-                  msg (M_WARN, "Deprecated TLS cipher name '%s', "
-                      "please use IANA name '%s'", cipher_pair->openssl_name,
-                      cipher_pair->iana_name);
-                }
-            }
+  // Translate IANA cipher suite names to OpenSSL names
+  begin_of_cipher = end_of_cipher = 0;
+  for (; begin_of_cipher < strlen(ciphers); begin_of_cipher = end_of_cipher) {
+      end_of_cipher += strcspn(&ciphers[begin_of_cipher], ":");
+      cipher_pair = tls_get_cipher_name_pair(&ciphers[begin_of_cipher], end_of_cipher - begin_of_cipher);
 
-          // Make sure new cipher name fits in cipher string
-          if (((sizeof(openssl_ciphers)-1) - openssl_ciphers_len) <
-              current_cipher_len) {
-            msg(M_SSLERR,
-                "Failed to set restricted TLS cipher list, too long (>%d).",
-                (int)sizeof(openssl_ciphers)-1);
-          }
-
-          // Concatenate cipher name to OpenSSL cipher string
-          memcpy(&openssl_ciphers[openssl_ciphers_len], current_cipher,
-              current_cipher_len);
-          openssl_ciphers_len += current_cipher_len;
-          openssl_ciphers[openssl_ciphers_len] = ':';
-          openssl_ciphers_len++;
-
-          end_of_cipher++;
+      if (NULL == cipher_pair)
+        {
+          // No translation found, use original
+          current_cipher = &ciphers[begin_of_cipher];
+          current_cipher_len = end_of_cipher - begin_of_cipher;
+
+          // Issue warning on missing translation
+          // %.*s format specifier expects length of type int, so guarantee
+          // that length is small enough and cast to int.
+          msg (M_WARN, "No valid translation found for TLS cipher '%.*s'",
+                 constrain_int(current_cipher_len, 0, 256), current_cipher);
         }
+      else
+	{
+	  // Use OpenSSL name
+          current_cipher = cipher_pair->openssl_name;
+          current_cipher_len = strlen(current_cipher);
 
-      if (openssl_ciphers_len > 0)
-        openssl_ciphers[openssl_ciphers_len-1] = '\0';
+	  if (end_of_cipher - begin_of_cipher == current_cipher_len &&
+	      0 == memcmp (&ciphers[begin_of_cipher], cipher_pair->openssl_name, end_of_cipher - begin_of_cipher))
+	    {
+	      // Non-IANA name used, show warning
+	      msg (M_WARN, "Deprecated TLS cipher name '%s', please use IANA name '%s'", cipher_pair->openssl_name, cipher_pair->iana_name);
+	    }
+	}
 
-      // Set OpenSSL cipher list
-      if(!SSL_CTX_set_cipher_list(ctx->ctx, openssl_ciphers))
-        msg(M_SSLERR, "Failed to set restricted TLS cipher list: %s",
-            openssl_ciphers);
-    }
+      // Make sure new cipher name fits in cipher string
+      if (((sizeof(openssl_ciphers)-1) - openssl_ciphers_len) < current_cipher_len) {
+	msg(M_SSLERR, "Failed to set restricted TLS cipher list, too long (>%d).", (int)sizeof(openssl_ciphers)-1);
+      }
+
+      // Concatenate cipher name to OpenSSL cipher string
+      memcpy(&openssl_ciphers[openssl_ciphers_len], current_cipher, current_cipher_len);
+      openssl_ciphers_len += current_cipher_len;
+      openssl_ciphers[openssl_ciphers_len] = ':';
+      openssl_ciphers_len++;
+
+      end_of_cipher++;
+  }
+
+  if (openssl_ciphers_len > 0)
+    openssl_ciphers[openssl_ciphers_len-1] = '\0';
+
+  // Set OpenSSL cipher list
+  if(!SSL_CTX_set_cipher_list(ctx->ctx, openssl_ciphers))
+    msg(M_SSLERR, "Failed to set restricted TLS cipher list: %s", openssl_ciphers);
 }
 
 void
@@ -1294,8 +1281,7 @@ show_available_tls_ciphers (const char *cipher_list)
   if (!ssl)
     msg (M_SSLERR, "Cannot create SSL object");
 
-  if (cipher_list)
-    tls_ctx_restrict_ciphers(&tls_ctx, cipher_list);
+  tls_ctx_restrict_ciphers(&tls_ctx, cipher_list);
 
   printf ("Available TLS Ciphers,\n");
   printf ("listed in order of preference:\n\n");
diff --git a/openvpn/src/openvpn/ssl_polarssl.c b/openvpn/src/openvpn/ssl_polarssl.c
index d964b918..47fb62a5 100644
--- a/openvpn/src/openvpn/ssl_polarssl.c
+++ b/openvpn/src/openvpn/ssl_polarssl.c
@@ -176,7 +176,7 @@ tls_ctx_restrict_ciphers(struct tls_root_ctx *ctx, const char *ciphers)
   int ciphers_len;
 
   if (NULL == ciphers)
-    return; // Nothing to do
+    return; /* Nothing to do */
 
   ciphers_len = strlen (ciphers);
 
@@ -1043,10 +1043,11 @@ show_available_tls_ciphers (const char *cipher_list)
   struct tls_root_ctx tls_ctx;
   const int *ciphers = ssl_list_ciphersuites();
 
-  if (cipher_list) {
-    tls_ctx_restrict_ciphers(&tls_ctx, cipher_list);
+  tls_ctx_server_new(&tls_ctx);
+  tls_ctx_restrict_ciphers(&tls_ctx, cipher_list);
+
+  if (tls_ctx.allowed_ciphers)
     ciphers = tls_ctx.allowed_ciphers;
-  }
 
 #ifndef ENABLE_SMALL
   printf ("Available TLS Ciphers,\n");
@@ -1059,6 +1060,8 @@ show_available_tls_ciphers (const char *cipher_list)
       ciphers++;
     }
   printf ("\n");
+
+  tls_ctx_free(&tls_ctx);
 }
 
 void
diff --git a/src/de/blinkt/openvpn/VpnProfile.java b/src/de/blinkt/openvpn/VpnProfile.java
index f4389f0b..89e27c47 100644
--- a/src/de/blinkt/openvpn/VpnProfile.java
+++ b/src/de/blinkt/openvpn/VpnProfile.java
@@ -423,7 +423,7 @@ public class VpnProfile implements Serializable {
         } catch (PackageManager.NameNotFoundException e) {
             VpnStatus.logException(e);
         }
-        return String.format(Locale.US, "setenv IV_OPENVPN_GUI_VERSION \"%s %s\"\n", c.getPackageName(), version);
+        return String.format(Locale.US, "setenv IV_GUI_VER \"%s %s\"\n", c.getPackageName(), version);
 
     }
author	Arne Schwabe <arne@rfc2549.org>	2014-01-09 22:18:17 +0100
committer	Arne Schwabe <arne@rfc2549.org>	2014-01-09 22:18:17 +0100
commit	dd6f4ac1248e73106cf54ba78856dc27265bc5e1 (patch)
tree	8049eb01214b11b30e9d4a6f5e3d5fd1b8bc670b
parent	97deae46f78cc96540d207f452f2bd97cf540b13 (diff)