-rw-r--r-- | openvpn/README.IPv6 | 4 | ||||
-rw-r--r-- | openvpn/TODO.IPv6 | 5 | ||||
-rw-r--r-- | openvpn/doc/openvpn.8 | 8 | ||||
-rw-r--r-- | openvpn/src/openvpn/comp.h | 2 | ||||
-rw-r--r-- | openvpn/src/openvpn/misc.c | 27 | ||||
-rw-r--r-- | openvpn/src/openvpn/options.c | 1 | ||||
-rw-r--r-- | openvpn/src/openvpn/options.h | 1 | ||||
-rw-r--r-- | openvpn/src/openvpn/push.c | 4 | ||||
-rw-r--r-- | openvpn/src/openvpn/ssl.c | 4 | ||||
-rw-r--r-- | openvpn/src/openvpn/ssl_openssl.c | 130 | ||||
-rw-r--r-- | openvpn/src/openvpn/ssl_polarssl.c | 11 | ||||
-rw-r--r-- | src/de/blinkt/openvpn/VpnProfile.java | 2 |
12 files changed, 93 insertions, 106 deletions
diff --git a/openvpn/README.IPv6 b/openvpn/README.IPv6 index d16a6daf..18068fee 100644 --- a/openvpn/README.IPv6 +++ b/openvpn/README.IPv6 @@ -35,7 +35,7 @@ over an IPv6 network ("OpenVPN over IPv6"). The code in 2.3.0 supersedes the IPv6 transport patches from JuanJo Ciarlante, formerly located at http://github.com/jjo/openvpn-ipv6 -Android 2.4.0 includes a big overhaul of the IPv6 transport patches +OpenVPN 2.4.0 includes a big overhaul of the IPv6 transport patches originally implemented for the Android client (ics-openvpn) IPv4/IPv6 transport is automatically is selected when resolving addresses. @@ -53,4 +53,4 @@ handle IPv4 connections on the IPv6 socket as well, making it a true dual-stacked server. Use bind ipv6only to disable this behaviour. On other systems, as of 2.3.0, you need to run separate server instances -for IPv4 and IPv6.
\ No newline at end of file +for IPv4 and IPv6. diff --git a/openvpn/TODO.IPv6 b/openvpn/TODO.IPv6 index ef2b8463..24bf865a 100644 --- a/openvpn/TODO.IPv6 +++ b/openvpn/TODO.IPv6 @@ -183,7 +183,7 @@ tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1500 TODO for IPv6 transport support ------------------------------- -[ Last updated: 03-01-2013. ] +[ Last updated: 2014-01-03. ] * All platforms: o mgmt console: as currently passes straight in_addr_t bits around @@ -210,5 +210,6 @@ TODO for IPv6 transport support * win32: o find out about mapped addresses, as I can't make it work with bound at ::1 and connect to 127.0.0.1 - - Should be fixed by 8832c6c - "Implement listing on IPv4/IPv6 dual socket on all platform" + - Should be fixed by 8832c6c - "Implement listing on IPv4/IPv6 dual + socket on all platform" diff --git a/openvpn/doc/openvpn.8 b/openvpn/doc/openvpn.8 index 48a88647..0235c2c8 100644 --- a/openvpn/doc/openvpn.8 +++ b/openvpn/doc/openvpn.8 @@ -274,7 +274,7 @@ failover capability. .\"********************************************************* .TP .B \-\-remote-random-hostname -Add a random string (6 characters) to first DNS label of hostname to prevent +Prepend a random string (6 bytes, 12 hex characters) to hostname to prevent DNS caching. For example, "foo.bar.gov" would be modified to "<random-chars>.foo.bar.gov". .\"********************************************************* @@ -2423,9 +2423,11 @@ Enable a compression algorithm. The .B algorithm -parameter may be "snappy", "lzo", or empty. Snappy and LZO +parameter may be "snappy", "lzo", "lz4", or empty. Snappy, LZO and LZ4 are different compression algorithms, with Snappy generally -offering the best performance. +offering the best performance while LZ4 is faster with less CPU usage. +For backwards compatibility with OpenVPN versions before 2.4, use "lzo" +(which is identical to the older option "\-\-comp-lzo yes"). If the .B algorithm 
diff --git a/openvpn/src/openvpn/comp.h b/openvpn/src/openvpn/comp.h index 57764007..bfa25fd3 100644 --- a/openvpn/src/openvpn/comp.h +++ b/openvpn/src/openvpn/comp.h @@ -24,7 +24,7 @@ /* * Generic compression support. Currently we support - * Snappy, LZO 2 and LX4. + * Snappy, LZO 2 and LZ4. */ #ifndef OPENVPN_COMP_H #define OPENVPN_COMP_H diff --git a/openvpn/src/openvpn/misc.c b/openvpn/src/openvpn/misc.c index 4688444e..7483184f 100644 --- a/openvpn/src/openvpn/misc.c +++ b/openvpn/src/openvpn/misc.c @@ -926,32 +926,23 @@ create_temp_file (const char *directory, const char *prefix, struct gc_arena *gc } /* - * Add a random string to first DNS label of hostname to prevent DNS caching. + * Prepend a random string to hostname to prevent DNS caching. * For example, foo.bar.gov would be modified to <random-chars>.foo.bar.gov. - * Of course, this requires explicit support in the DNS server. + * Of course, this requires explicit support in the DNS server (wildcard). */ const char * hostname_randomize(const char *hostname, struct gc_arena *gc) { # define n_rnd_bytes 6 - char *hst = string_alloc(hostname, gc); - char *dot = strchr(hst, '.'); + uint8_t rnd_bytes[n_rnd_bytes]; + const char *rnd_str; + struct buffer hname = alloc_buf_gc (strlen(hostname)+sizeof(rnd_bytes)*2+4, gc); - if (dot) - { - uint8_t rnd_bytes[n_rnd_bytes]; - const char *rnd_str; - struct buffer hname = alloc_buf_gc (strlen(hostname)+sizeof(rnd_bytes)*2+4, gc); - - *dot++ = '\0'; - prng_bytes (rnd_bytes, sizeof (rnd_bytes)); - rnd_str = format_hex_ex (rnd_bytes, sizeof (rnd_bytes), 40, 0, NULL, gc); - buf_printf(&hname, "%s-0x%s.%s", hst, rnd_str, dot); - return BSTR(&hname); - } - else - return hostname; + prng_bytes (rnd_bytes, sizeof (rnd_bytes)); + rnd_str = format_hex_ex (rnd_bytes, sizeof (rnd_bytes), 40, 0, NULL, gc); + buf_printf(&hname, "%s.%s", rnd_str, hostname); + return BSTR(&hname); # undef n_rnd_bytes } 
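Review bot: hostname_randomize now rewrites every name it is given, whereas the removed `if (dot)` branch returned dot-less input unchanged; if any caller hands it an address literal (an IPv6 literal such as `::1` has no dot and used to pass through), the result becomes `<hex>.::1`, which no resolver can answer — unless the caller already filters literals, which this hunk does not show. If it does not, a guard such as `if (strchr (hostname, ':')) return hostname;` before the `alloc_buf_gc` call keeps the old behaviour for that case. The allocation size `strlen(hostname)+sizeof(rnd_bytes)*2+4` works out (12 hex chars, the `.`, the NUL, two spare bytes) but is opaque at a glance; a comment like `/* hex(rnd_bytes) + '.' + hostname + NUL, with slack */` on that line would spare the next reader the arithmetic. The header comment could also state that the returned string lives in `gc` and that `hostname` itself is never modified.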
diff --git a/openvpn/src/openvpn/options.c b/openvpn/src/openvpn/options.c index b93a67a0..892dbfdd 100644 --- a/openvpn/src/openvpn/options.c +++ b/openvpn/src/openvpn/options.c @@ -2874,6 +2874,7 @@ pre_pull_restore (struct options *o) } o->push_continuation = 0; + o->push_option_types_found = 0; } #endif diff --git a/openvpn/src/openvpn/options.h b/openvpn/src/openvpn/options.h index dafb8ff6..1992f5a7 100644 --- a/openvpn/src/openvpn/options.h +++ b/openvpn/src/openvpn/options.h @@ -467,6 +467,7 @@ struct options bool client; bool pull; /* client pull of config options from server */ int push_continuation; + unsigned int push_option_types_found; const char *auth_user_pass_file; struct options_pre_pull *pre_pull; diff --git a/openvpn/src/openvpn/push.c b/openvpn/src/openvpn/push.c index bd08cff7..e971357d 100644 --- a/openvpn/src/openvpn/push.c +++ b/openvpn/src/openvpn/push.c @@ -203,8 +203,10 @@ incoming_push_message (struct context *c, const struct buffer *buffer) msg (D_PUSH_ERRORS, "WARNING: Received bad push/pull message: %s", sanitize_control_message(BSTR(buffer), &gc)); else if (status == PUSH_MSG_REPLY || status == PUSH_MSG_CONTINUATION) { + c->options.push_option_types_found |= option_types_found; + if (status == PUSH_MSG_REPLY) - do_up (c, true, option_types_found); /* delay bringing tun/tap up until --push parms received from remote */ + do_up (c, true, c->options.push_option_types_found ); /* delay bringing tun/tap up until --push parms received from remote */ event_timeout_clear (&c->c2.push_request_interval); } diff --git a/openvpn/src/openvpn/ssl.c b/openvpn/src/openvpn/ssl.c index 93222c47..15518cab 100644 --- a/openvpn/src/openvpn/ssl.c +++ b/openvpn/src/openvpn/ssl.c 
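Review bot: The new `unsigned int push_option_types_found;` member in struct options carries no comment, while its neighbour `pull` documents its role. It is a bit mask OR-ed together across PUSH_REPLY and continuation messages and reset in pre_pull_restore (both in this commit), and that lifetime is worth recording at the declaration: `unsigned int push_option_types_found; /* OR of option types seen across PUSH_REPLY/continuation msgs; reset in pre_pull_restore() */`.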
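Review bot: The accumulated mask `c->options.push_option_types_found` is cleared only by the pre_pull_restore change elsewhere in this commit; if a PUSH_REPLY sequence can ever arrive without pre_pull_restore having run first (a later pull on the same context), bits from the previous sequence survive into `do_up`, which the hunk does not guard against — worth a one-line comment at the `|=` stating where the reset happens. The new `do_up` call also carries a stray space before the closing parenthesis; `do_up (c, true, c->options.push_option_types_found); /* delay bringing tun/tap up until --push parms received from remote */` matches the surrounding style. incoming_push_message begins and ends outside the hunk.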
@@ -1825,13 +1825,13 @@ push_peer_info(struct buffer *buf, struct tls_session *session) buf_printf (&out, "IV_HWADDR=%s\n", format_hex_ex (rgi.hwaddr, 6, 0, 1, ":", &gc)); } - /* push env vars that begin with UV_ and IV_OPENVPN_GUI_VERSION */ + /* push env vars that begin with UV_ and IV_GUI_VER */ for (e=es->list; e != NULL; e=e->next) { if (e->string) { if (((strncmp(e->string, "UV_", 3)==0 && session->opt->push_peer_info_detail >= 2) - || (strncmp(e->string,"IV_OPENVPN_GUI_VERSION=",sizeof("IV_OPENVPN_GUI_VERSION=")-1)==0)) + || (strncmp(e->string,"IV_GUI_VER=",sizeof("IV_GUI_VER=")-1)==0)) && buf_safe(&out, strlen(e->string)+1)) buf_printf (&out, "%s\n", e->string); } diff --git a/openvpn/src/openvpn/ssl_openssl.c b/openvpn/src/openvpn/ssl_openssl.c index 9dced724..f0796526 100644 --- a/openvpn/src/openvpn/ssl_openssl.c +++ b/openvpn/src/openvpn/ssl_openssl.c 
@@ -224,86 +224,73 @@ tls_ctx_restrict_ciphers(struct tls_root_ctx *ctx, const char *ciphers) msg(M_SSLERR, "Failed to set default TLS cipher list."); return; } - else - { - /* Parse supplied cipher list and pass on to OpenSSL */ - size_t begin_of_cipher, end_of_cipher; - const char *current_cipher; - size_t current_cipher_len; + /* Parse supplied cipher list and pass on to OpenSSL */ + size_t begin_of_cipher, end_of_cipher; - const tls_cipher_name_pair *cipher_pair; + const char *current_cipher; + size_t current_cipher_len; - char openssl_ciphers[4096]; - size_t openssl_ciphers_len = 0; - openssl_ciphers[0] = '\0'; + const tls_cipher_name_pair *cipher_pair; - ASSERT(NULL != ctx); + char openssl_ciphers[4096]; + size_t openssl_ciphers_len = 0; + openssl_ciphers[0] = '\0'; - // Translate IANA cipher suite names to OpenSSL names - begin_of_cipher = end_of_cipher = 0; - for (; begin_of_cipher < strlen(ciphers); begin_of_cipher = end_of_cipher) - { - end_of_cipher += strcspn(&ciphers[begin_of_cipher], ":"); - cipher_pair = tls_get_cipher_name_pair(&ciphers[begin_of_cipher], - end_of_cipher - begin_of_cipher); + ASSERT(NULL != ctx); - if (NULL == cipher_pair) - { - // No translation found, use original - current_cipher = &ciphers[begin_of_cipher]; - current_cipher_len = end_of_cipher - begin_of_cipher; - - // Issue warning on missing translation - // %.*s format specifier expects length of type int, so guarantee - // that length is small enough and cast to int. 
- msg (M_WARN, "No valid translation found for TLS cipher '%.*s'", - constrain_int(current_cipher_len, 0, 256), current_cipher); - } - else - { - // Use OpenSSL name - current_cipher = cipher_pair->openssl_name; - current_cipher_len = strlen(current_cipher); - - if (end_of_cipher - begin_of_cipher == current_cipher_len && - 0 == memcmp (&ciphers[begin_of_cipher], - cipher_pair->openssl_name, - end_of_cipher - begin_of_cipher)) - { - // Non-IANA name used, show warning - msg (M_WARN, "Deprecated TLS cipher name '%s', " - "please use IANA name '%s'", cipher_pair->openssl_name, - cipher_pair->iana_name); - } - } + // Translate IANA cipher suite names to OpenSSL names + begin_of_cipher = end_of_cipher = 0; + for (; begin_of_cipher < strlen(ciphers); begin_of_cipher = end_of_cipher) { + end_of_cipher += strcspn(&ciphers[begin_of_cipher], ":"); + cipher_pair = tls_get_cipher_name_pair(&ciphers[begin_of_cipher], end_of_cipher - begin_of_cipher); - // Make sure new cipher name fits in cipher string - if (((sizeof(openssl_ciphers)-1) - openssl_ciphers_len) < - current_cipher_len) { - msg(M_SSLERR, - "Failed to set restricted TLS cipher list, too long (>%d).", - (int)sizeof(openssl_ciphers)-1); - } - - // Concatenate cipher name to OpenSSL cipher string - memcpy(&openssl_ciphers[openssl_ciphers_len], current_cipher, - current_cipher_len); - openssl_ciphers_len += current_cipher_len; - openssl_ciphers[openssl_ciphers_len] = ':'; - openssl_ciphers_len++; - - end_of_cipher++; + if (NULL == cipher_pair) + { + // No translation found, use original + current_cipher = &ciphers[begin_of_cipher]; + current_cipher_len = end_of_cipher - begin_of_cipher; + + // Issue warning on missing translation + // %.*s format specifier expects length of type int, so guarantee + // that length is small enough and cast to int. 
+ msg (M_WARN, "No valid translation found for TLS cipher '%.*s'", + constrain_int(current_cipher_len, 0, 256), current_cipher); } + else + { + // Use OpenSSL name + current_cipher = cipher_pair->openssl_name; + current_cipher_len = strlen(current_cipher); - if (openssl_ciphers_len > 0) - openssl_ciphers[openssl_ciphers_len-1] = '\0'; + if (end_of_cipher - begin_of_cipher == current_cipher_len && + 0 == memcmp (&ciphers[begin_of_cipher], cipher_pair->openssl_name, end_of_cipher - begin_of_cipher)) + { + // Non-IANA name used, show warning + msg (M_WARN, "Deprecated TLS cipher name '%s', please use IANA name '%s'", cipher_pair->openssl_name, cipher_pair->iana_name); + } + } - // Set OpenSSL cipher list - if(!SSL_CTX_set_cipher_list(ctx->ctx, openssl_ciphers)) - msg(M_SSLERR, "Failed to set restricted TLS cipher list: %s", - openssl_ciphers); - } + // Make sure new cipher name fits in cipher string + if (((sizeof(openssl_ciphers)-1) - openssl_ciphers_len) < current_cipher_len) { + msg(M_SSLERR, "Failed to set restricted TLS cipher list, too long (>%d).", (int)sizeof(openssl_ciphers)-1); + } + + // Concatenate cipher name to OpenSSL cipher string + memcpy(&openssl_ciphers[openssl_ciphers_len], current_cipher, current_cipher_len); + openssl_ciphers_len += current_cipher_len; + openssl_ciphers[openssl_ciphers_len] = ':'; + openssl_ciphers_len++; + + end_of_cipher++; + } + + if (openssl_ciphers_len > 0) + openssl_ciphers[openssl_ciphers_len-1] = '\0'; + + // Set OpenSSL cipher list + if(!SSL_CTX_set_cipher_list(ctx->ctx, openssl_ciphers)) + msg(M_SSLERR, "Failed to set restricted TLS cipher list: %s", openssl_ciphers); } void @@ -1294,8 +1281,7 @@ show_available_tls_ciphers (const char *cipher_list) if (!ssl) msg (M_SSLERR, "Cannot create SSL object"); - if (cipher_list) - tls_ctx_restrict_ciphers(&tls_ctx, cipher_list); + tls_ctx_restrict_ciphers(&tls_ctx, cipher_list); printf ("Available TLS Ciphers,\n"); printf ("listed in order of preference:\n\n"); 
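Review bot: With the enclosing `else` removed, the declarations from `size_t begin_of_cipher, end_of_cipher;` down to `size_t openssl_ciphers_len = 0;` now follow the early-return `if` statement at the top of tls_ctx_restrict_ciphers, so the function depends on C99 mixed declarations; a build using -Wdeclaration-after-statement or an older compiler will warn, and hoisting the declarations above that `if` (whose opening lines are outside the hunk) avoids it. The re-indented loop switches to `for (...) {` with the brace on the same line while the `if (NULL == cipher_pair)` block beneath it keeps the brace-on-its-own-line style of the rest of the file; one convention per function, please. `strlen(ciphers)` is re-evaluated in every iteration of that loop condition; `const size_t ciphers_len = strlen(ciphers);` once before the loop is cheaper and clearer. The "too long" check relies on `msg(M_SSLERR, ...)` not returning before the following `memcpy` writes past `openssl_ciphers`; a comment such as `/* M_SSLERR is fatal; the memcpy below is never reached on overflow */` would make that dependency explicit to the next reader.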
diff --git a/openvpn/src/openvpn/ssl_polarssl.c b/openvpn/src/openvpn/ssl_polarssl.c index d964b918..47fb62a5 100644 --- a/openvpn/src/openvpn/ssl_polarssl.c +++ b/openvpn/src/openvpn/ssl_polarssl.c @@ -176,7 +176,7 @@ tls_ctx_restrict_ciphers(struct tls_root_ctx *ctx, const char *ciphers) int ciphers_len; if (NULL == ciphers) - return; // Nothing to do + return; /* Nothing to do */ ciphers_len = strlen (ciphers); @@ -1043,10 +1043,11 @@ show_available_tls_ciphers (const char *cipher_list) struct tls_root_ctx tls_ctx; const int *ciphers = ssl_list_ciphersuites(); - if (cipher_list) { - tls_ctx_restrict_ciphers(&tls_ctx, cipher_list); + tls_ctx_server_new(&tls_ctx); + tls_ctx_restrict_ciphers(&tls_ctx, cipher_list); + + if (tls_ctx.allowed_ciphers) ciphers = tls_ctx.allowed_ciphers; - } #ifndef ENABLE_SMALL printf ("Available TLS Ciphers,\n"); @@ -1059,6 +1060,8 @@ show_available_tls_ciphers (const char *cipher_list) ciphers++; } printf ("\n"); + + tls_ctx_free(&tls_ctx); } void diff --git a/src/de/blinkt/openvpn/VpnProfile.java b/src/de/blinkt/openvpn/VpnProfile.java index f4389f0b..89e27c47 100644 --- a/src/de/blinkt/openvpn/VpnProfile.java +++ b/src/de/blinkt/openvpn/VpnProfile.java @@ -423,7 +423,7 @@ public class VpnProfile implements Serializable { } catch (PackageManager.NameNotFoundException e) { VpnStatus.logException(e); } - return String.format(Locale.US, "setenv IV_OPENVPN_GUI_VERSION \"%s %s\"\n", c.getPackageName(), version); + return String.format(Locale.US, "setenv IV_GUI_VER \"%s %s\"\n", c.getPackageName(), version); } |