Diffstat (limited to 'openvpn')
-rw-r--r--openvpn/README.IPv64
-rw-r--r--openvpn/TODO.IPv65
-rw-r--r--openvpn/doc/openvpn.88
-rw-r--r--openvpn/src/openvpn/comp.h2
-rw-r--r--openvpn/src/openvpn/misc.c27
-rw-r--r--openvpn/src/openvpn/options.c1
-rw-r--r--openvpn/src/openvpn/options.h1
-rw-r--r--openvpn/src/openvpn/push.c4
-rw-r--r--openvpn/src/openvpn/ssl.c4
-rw-r--r--openvpn/src/openvpn/ssl_openssl.c130
-rw-r--r--openvpn/src/openvpn/ssl_polarssl.c11
11 files changed, 92 insertions, 105 deletions
diff --git a/openvpn/README.IPv6 b/openvpn/README.IPv6
index d16a6daf..18068fee 100644
--- a/openvpn/README.IPv6
+++ b/openvpn/README.IPv6
@@ -35,7 +35,7 @@ over an IPv6 network ("OpenVPN over IPv6").
The code in 2.3.0 supersedes the IPv6 transport patches from JuanJo Ciarlante,
formerly located at http://github.com/jjo/openvpn-ipv6
-Android 2.4.0 includes a big overhaul of the IPv6 transport patches
+OpenVPN 2.4.0 includes a big overhaul of the IPv6 transport patches
originally implemented for the Android client (ics-openvpn)
IPv4/IPv6 transport is automatically is selected when resolving addresses.
@@ -53,4 +53,4 @@ handle IPv4 connections on the IPv6 socket as well, making it a true
dual-stacked server. Use bind ipv6only to disable this behaviour.
On other systems, as of 2.3.0, you need to run separate server instances
-for IPv4 and IPv6. \ No newline at end of file
+for IPv4 and IPv6.
diff --git a/openvpn/TODO.IPv6 b/openvpn/TODO.IPv6
index ef2b8463..24bf865a 100644
--- a/openvpn/TODO.IPv6
+++ b/openvpn/TODO.IPv6
@@ -183,7 +183,7 @@ tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1500
TODO for IPv6 transport support
-------------------------------
-[ Last updated: 03-01-2013. ]
+[ Last updated: 2014-01-03. ]
* All platforms:
o mgmt console: as currently passes straight in_addr_t bits around
@@ -210,5 +210,6 @@ TODO for IPv6 transport support
* win32:
o find out about mapped addresses, as I can't make it work
with bound at ::1 and connect to 127.0.0.1
- - Should be fixed by 8832c6c - "Implement listing on IPv4/IPv6 dual socket on all platform"
+ - Should be fixed by 8832c6c - "Implement listing on IPv4/IPv6 dual
+ socket on all platform"
diff --git a/openvpn/doc/openvpn.8 b/openvpn/doc/openvpn.8
index 48a88647..0235c2c8 100644
--- a/openvpn/doc/openvpn.8
+++ b/openvpn/doc/openvpn.8
@@ -274,7 +274,7 @@ failover capability.
.\"*********************************************************
.TP
.B \-\-remote-random-hostname
-Add a random string (6 characters) to first DNS label of hostname to prevent
+Prepend a random string (6 bytes, 12 hex characters) to hostname to prevent
DNS caching. For example, "foo.bar.gov" would be modified to
"<random-chars>.foo.bar.gov".
.\"*********************************************************
@@ -2423,9 +2423,11 @@ Enable a compression algorithm.
The
.B algorithm
-parameter may be "snappy", "lzo", or empty. Snappy and LZO
+parameter may be "snappy", "lzo", "lz4", or empty. Snappy, LZO and LZ4
are different compression algorithms, with Snappy generally
-offering the best performance.
+offering the best performance while LZ4 is faster with less CPU usage.
+For backwards compatibility with OpenVPN versions before 2.4, use "lzo"
+(which is identical to the older option "\-\-comp-lzo yes").
If the
.B algorithm
diff --git a/openvpn/src/openvpn/comp.h b/openvpn/src/openvpn/comp.h
index 57764007..bfa25fd3 100644
--- a/openvpn/src/openvpn/comp.h
+++ b/openvpn/src/openvpn/comp.h
@@ -24,7 +24,7 @@
/*
* Generic compression support. Currently we support
- * Snappy, LZO 2 and LX4.
+ * Snappy, LZO 2 and LZ4.
*/
#ifndef OPENVPN_COMP_H
#define OPENVPN_COMP_H
diff --git a/openvpn/src/openvpn/misc.c b/openvpn/src/openvpn/misc.c
index 4688444e..7483184f 100644
--- a/openvpn/src/openvpn/misc.c
+++ b/openvpn/src/openvpn/misc.c
@@ -926,32 +926,23 @@ create_temp_file (const char *directory, const char *prefix, struct gc_arena *gc
}
/*
- * Add a random string to first DNS label of hostname to prevent DNS caching.
+ * Prepend a random string to hostname to prevent DNS caching.
* For example, foo.bar.gov would be modified to <random-chars>.foo.bar.gov.
- * Of course, this requires explicit support in the DNS server.
+ * Of course, this requires explicit support in the DNS server (wildcard).
*/
const char *
hostname_randomize(const char *hostname, struct gc_arena *gc)
{
# define n_rnd_bytes 6
- char *hst = string_alloc(hostname, gc);
- char *dot = strchr(hst, '.');
+ uint8_t rnd_bytes[n_rnd_bytes];
+ const char *rnd_str;
+ struct buffer hname = alloc_buf_gc (strlen(hostname)+sizeof(rnd_bytes)*2+4, gc);
- if (dot)
- {
- uint8_t rnd_bytes[n_rnd_bytes];
- const char *rnd_str;
- struct buffer hname = alloc_buf_gc (strlen(hostname)+sizeof(rnd_bytes)*2+4, gc);
-
- *dot++ = '\0';
- prng_bytes (rnd_bytes, sizeof (rnd_bytes));
- rnd_str = format_hex_ex (rnd_bytes, sizeof (rnd_bytes), 40, 0, NULL, gc);
- buf_printf(&hname, "%s-0x%s.%s", hst, rnd_str, dot);
- return BSTR(&hname);
- }
- else
- return hostname;
+ prng_bytes (rnd_bytes, sizeof (rnd_bytes));
+ rnd_str = format_hex_ex (rnd_bytes, sizeof (rnd_bytes), 40, 0, NULL, gc);
+ buf_printf(&hname, "%s.%s", rnd_str, hostname);
+ return BSTR(&hname);
# undef n_rnd_bytes
}
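Review bot: The buffer size on the `alloc_buf_gc` line carries an unexplained `+4`; the `"%s.%s"` layout needs exactly `sizeof(rnd_bytes)*2` hex characters plus one `'.'` and the terminator, so writing it as `strlen(hostname) + sizeof(rnd_bytes)*2 + 2 /* '.' and NUL */` (or commenting why 4) would make the bound auditable. The header comment also does not record that a hostname without any dot, which the removed `strchr` branch returned unchanged, is now prefixed too; a line such as `/* Applies to every hostname, including single-label names, which were previously left untouched. */` would document that behavior change. If any caller can pass a NULL `hostname`, `strlen(hostname)` is undefined behavior where the old `string_alloc` path may have coped — worth confirming against the call sites.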
diff --git a/openvpn/src/openvpn/options.c b/openvpn/src/openvpn/options.c
index b93a67a0..892dbfdd 100644
--- a/openvpn/src/openvpn/options.c
+++ b/openvpn/src/openvpn/options.c
@@ -2874,6 +2874,7 @@ pre_pull_restore (struct options *o)
}
o->push_continuation = 0;
+ o->push_option_types_found = 0;
}
#endif
diff --git a/openvpn/src/openvpn/options.h b/openvpn/src/openvpn/options.h
index dafb8ff6..1992f5a7 100644
--- a/openvpn/src/openvpn/options.h
+++ b/openvpn/src/openvpn/options.h
@@ -467,6 +467,7 @@ struct options
bool client;
bool pull; /* client pull of config options from server */
int push_continuation;
+ unsigned int push_option_types_found;
const char *auth_user_pass_file;
struct options_pre_pull *pre_pull;
diff --git a/openvpn/src/openvpn/push.c b/openvpn/src/openvpn/push.c
index bd08cff7..e971357d 100644
--- a/openvpn/src/openvpn/push.c
+++ b/openvpn/src/openvpn/push.c
@@ -203,8 +203,10 @@ incoming_push_message (struct context *c, const struct buffer *buffer)
msg (D_PUSH_ERRORS, "WARNING: Received bad push/pull message: %s", sanitize_control_message(BSTR(buffer), &gc));
else if (status == PUSH_MSG_REPLY || status == PUSH_MSG_CONTINUATION)
{
+ c->options.push_option_types_found |= option_types_found;
+
if (status == PUSH_MSG_REPLY)
- do_up (c, true, option_types_found); /* delay bringing tun/tap up until --push parms received from remote */
+ do_up (c, true, c->options.push_option_types_found ); /* delay bringing tun/tap up until --push parms received from remote */
event_timeout_clear (&c->c2.push_request_interval);
}
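Review bot: The new `c->options.push_option_types_found |= option_types_found;` line has no comment saying why the flags are now accumulated rather than handed straight to `do_up`, and the `do_up` call has a stray space before its closing parenthesis. A comment such as `/* a PUSH_REPLY may be split over continuation messages; do_up() needs the union of the option types seen in all of them */` would record the intent, and the call should read `do_up (c, true, c->options.push_option_types_found);`. The reset that balances this accumulation lives in pre_pull_restore (options.c) rather than here, which the same comment could mention so the pairing is not lost. incoming_push_message starts and ends outside the hunk.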
diff --git a/openvpn/src/openvpn/ssl.c b/openvpn/src/openvpn/ssl.c
index 93222c47..15518cab 100644
--- a/openvpn/src/openvpn/ssl.c
+++ b/openvpn/src/openvpn/ssl.c
@@ -1825,13 +1825,13 @@ push_peer_info(struct buffer *buf, struct tls_session *session)
buf_printf (&out, "IV_HWADDR=%s\n", format_hex_ex (rgi.hwaddr, 6, 0, 1, ":", &gc));
}
- /* push env vars that begin with UV_ and IV_OPENVPN_GUI_VERSION */
+ /* push env vars that begin with UV_ and IV_GUI_VER */
for (e=es->list; e != NULL; e=e->next)
{
if (e->string)
{
if (((strncmp(e->string, "UV_", 3)==0 && session->opt->push_peer_info_detail >= 2)
- || (strncmp(e->string,"IV_OPENVPN_GUI_VERSION=",sizeof("IV_OPENVPN_GUI_VERSION=")-1)==0))
+ || (strncmp(e->string,"IV_GUI_VER=",sizeof("IV_GUI_VER=")-1)==0))
&& buf_safe(&out, strlen(e->string)+1))
buf_printf (&out, "%s\n", e->string);
}
diff --git a/openvpn/src/openvpn/ssl_openssl.c b/openvpn/src/openvpn/ssl_openssl.c
index 9dced724..f0796526 100644
--- a/openvpn/src/openvpn/ssl_openssl.c
+++ b/openvpn/src/openvpn/ssl_openssl.c
@@ -224,86 +224,73 @@ tls_ctx_restrict_ciphers(struct tls_root_ctx *ctx, const char *ciphers)
msg(M_SSLERR, "Failed to set default TLS cipher list.");
return;
}
- else
- {
- /* Parse supplied cipher list and pass on to OpenSSL */
- size_t begin_of_cipher, end_of_cipher;
- const char *current_cipher;
- size_t current_cipher_len;
+ /* Parse supplied cipher list and pass on to OpenSSL */
+ size_t begin_of_cipher, end_of_cipher;
- const tls_cipher_name_pair *cipher_pair;
+ const char *current_cipher;
+ size_t current_cipher_len;
- char openssl_ciphers[4096];
- size_t openssl_ciphers_len = 0;
- openssl_ciphers[0] = '\0';
+ const tls_cipher_name_pair *cipher_pair;
- ASSERT(NULL != ctx);
+ char openssl_ciphers[4096];
+ size_t openssl_ciphers_len = 0;
+ openssl_ciphers[0] = '\0';
- // Translate IANA cipher suite names to OpenSSL names
- begin_of_cipher = end_of_cipher = 0;
- for (; begin_of_cipher < strlen(ciphers); begin_of_cipher = end_of_cipher)
- {
- end_of_cipher += strcspn(&ciphers[begin_of_cipher], ":");
- cipher_pair = tls_get_cipher_name_pair(&ciphers[begin_of_cipher],
- end_of_cipher - begin_of_cipher);
+ ASSERT(NULL != ctx);
- if (NULL == cipher_pair)
- {
- // No translation found, use original
- current_cipher = &ciphers[begin_of_cipher];
- current_cipher_len = end_of_cipher - begin_of_cipher;
-
- // Issue warning on missing translation
- // %.*s format specifier expects length of type int, so guarantee
- // that length is small enough and cast to int.
- msg (M_WARN, "No valid translation found for TLS cipher '%.*s'",
- constrain_int(current_cipher_len, 0, 256), current_cipher);
- }
- else
- {
- // Use OpenSSL name
- current_cipher = cipher_pair->openssl_name;
- current_cipher_len = strlen(current_cipher);
-
- if (end_of_cipher - begin_of_cipher == current_cipher_len &&
- 0 == memcmp (&ciphers[begin_of_cipher],
- cipher_pair->openssl_name,
- end_of_cipher - begin_of_cipher))
- {
- // Non-IANA name used, show warning
- msg (M_WARN, "Deprecated TLS cipher name '%s', "
- "please use IANA name '%s'", cipher_pair->openssl_name,
- cipher_pair->iana_name);
- }
- }
+ // Translate IANA cipher suite names to OpenSSL names
+ begin_of_cipher = end_of_cipher = 0;
+ for (; begin_of_cipher < strlen(ciphers); begin_of_cipher = end_of_cipher) {
+ end_of_cipher += strcspn(&ciphers[begin_of_cipher], ":");
+ cipher_pair = tls_get_cipher_name_pair(&ciphers[begin_of_cipher], end_of_cipher - begin_of_cipher);
- // Make sure new cipher name fits in cipher string
- if (((sizeof(openssl_ciphers)-1) - openssl_ciphers_len) <
- current_cipher_len) {
- msg(M_SSLERR,
- "Failed to set restricted TLS cipher list, too long (>%d).",
- (int)sizeof(openssl_ciphers)-1);
- }
-
- // Concatenate cipher name to OpenSSL cipher string
- memcpy(&openssl_ciphers[openssl_ciphers_len], current_cipher,
- current_cipher_len);
- openssl_ciphers_len += current_cipher_len;
- openssl_ciphers[openssl_ciphers_len] = ':';
- openssl_ciphers_len++;
-
- end_of_cipher++;
+ if (NULL == cipher_pair)
+ {
+ // No translation found, use original
+ current_cipher = &ciphers[begin_of_cipher];
+ current_cipher_len = end_of_cipher - begin_of_cipher;
+
+ // Issue warning on missing translation
+ // %.*s format specifier expects length of type int, so guarantee
+ // that length is small enough and cast to int.
+ msg (M_WARN, "No valid translation found for TLS cipher '%.*s'",
+ constrain_int(current_cipher_len, 0, 256), current_cipher);
}
+ else
+ {
+ // Use OpenSSL name
+ current_cipher = cipher_pair->openssl_name;
+ current_cipher_len = strlen(current_cipher);
- if (openssl_ciphers_len > 0)
- openssl_ciphers[openssl_ciphers_len-1] = '\0';
+ if (end_of_cipher - begin_of_cipher == current_cipher_len &&
+ 0 == memcmp (&ciphers[begin_of_cipher], cipher_pair->openssl_name, end_of_cipher - begin_of_cipher))
+ {
+ // Non-IANA name used, show warning
+ msg (M_WARN, "Deprecated TLS cipher name '%s', please use IANA name '%s'", cipher_pair->openssl_name, cipher_pair->iana_name);
+ }
+ }
- // Set OpenSSL cipher list
- if(!SSL_CTX_set_cipher_list(ctx->ctx, openssl_ciphers))
- msg(M_SSLERR, "Failed to set restricted TLS cipher list: %s",
- openssl_ciphers);
- }
+ // Make sure new cipher name fits in cipher string
+ if (((sizeof(openssl_ciphers)-1) - openssl_ciphers_len) < current_cipher_len) {
+ msg(M_SSLERR, "Failed to set restricted TLS cipher list, too long (>%d).", (int)sizeof(openssl_ciphers)-1);
+ }
+
+ // Concatenate cipher name to OpenSSL cipher string
+ memcpy(&openssl_ciphers[openssl_ciphers_len], current_cipher, current_cipher_len);
+ openssl_ciphers_len += current_cipher_len;
+ openssl_ciphers[openssl_ciphers_len] = ':';
+ openssl_ciphers_len++;
+
+ end_of_cipher++;
+ }
+
+ if (openssl_ciphers_len > 0)
+ openssl_ciphers[openssl_ciphers_len-1] = '\0';
+
+ // Set OpenSSL cipher list
+ if(!SSL_CTX_set_cipher_list(ctx->ctx, openssl_ciphers))
+ msg(M_SSLERR, "Failed to set restricted TLS cipher list: %s", openssl_ciphers);
}
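Review bot: The bound check `if (((sizeof(openssl_ciphers)-1) - openssl_ciphers_len) < current_cipher_len)` is off by one: it reserves no room for the `':'` appended after each name, so a name that exactly fills the remaining space passes, the separator lands in the last byte, `openssl_ciphers_len` reaches `sizeof(openssl_ciphers)`, and on the next iteration the unsigned subtraction wraps and the `memcpy` writes past the array. Changing the comparison to `<=` (equivalently, testing against `current_cipher_len + 1`) closes it; this also assumes `msg(M_SSLERR, ...)` does not return, otherwise the `memcpy` that follows must be skipped explicitly. The restructured block mixes brace styles — `for (...) {` on one line while the `if`/`else` bodies beneath it put braces on their own line — and folds several statements onto long lines, whereas the surrounding code keeps the brace-on-own-line form. `strlen(ciphers)` in the loop condition is re-evaluated each iteration and could be hoisted into a local. tls_ctx_restrict_ciphers starts before this hunk.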
void
@@ -1294,8 +1281,7 @@ show_available_tls_ciphers (const char *cipher_list)
if (!ssl)
msg (M_SSLERR, "Cannot create SSL object");
- if (cipher_list)
- tls_ctx_restrict_ciphers(&tls_ctx, cipher_list);
+ tls_ctx_restrict_ciphers(&tls_ctx, cipher_list);
printf ("Available TLS Ciphers,\n");
printf ("listed in order of preference:\n\n");
diff --git a/openvpn/src/openvpn/ssl_polarssl.c b/openvpn/src/openvpn/ssl_polarssl.c
index d964b918..47fb62a5 100644
--- a/openvpn/src/openvpn/ssl_polarssl.c
+++ b/openvpn/src/openvpn/ssl_polarssl.c
@@ -176,7 +176,7 @@ tls_ctx_restrict_ciphers(struct tls_root_ctx *ctx, const char *ciphers)
int ciphers_len;
if (NULL == ciphers)
- return; // Nothing to do
+ return; /* Nothing to do */
ciphers_len = strlen (ciphers);
@@ -1043,10 +1043,11 @@ show_available_tls_ciphers (const char *cipher_list)
struct tls_root_ctx tls_ctx;
const int *ciphers = ssl_list_ciphersuites();
- if (cipher_list) {
- tls_ctx_restrict_ciphers(&tls_ctx, cipher_list);
+ tls_ctx_server_new(&tls_ctx);
+ tls_ctx_restrict_ciphers(&tls_ctx, cipher_list);
+
+ if (tls_ctx.allowed_ciphers)
ciphers = tls_ctx.allowed_ciphers;
- }
#ifndef ENABLE_SMALL
printf ("Available TLS Ciphers,\n");
@@ -1059,6 +1060,8 @@ show_available_tls_ciphers (const char *cipher_list)
ciphers++;
}
printf ("\n");
+
+ tls_ctx_free(&tls_ctx);
}
void