handle AAAA (rather, be like idk lol)

add support for CAA lmao
add top level response
2022-09-13 13:55:02 -04:00 · 2022-09-13 13:40:48 -04:00 · 2022-09-13 12:34:09 -04:00 · 2022-07-18 23:36:07 +02:00 · 2022-07-18 23:35:54 +02:00 · 2022-07-18 23:31:13 +02:00
63 changed files with 2547 additions and 1832 deletions
--- a/.github/workflows/macos.yml
+++ b/.github/workflows/macos.yml
@ -0,0 +1,21 @@
+name: macos
+
+on:
+  push:
+    branches: [ master ]
+  pull_request:
+    branches: [ master ]
+
+jobs:
+  build:
+
+    runs-on: macos-latest
+
+    steps:
+    - uses: actions/checkout@v2
+    - name: make
+      run: make
+    - name: install check
+      run: brew install check
+    - name: run tests
+      run: make test
--- a/.github/workflows/ubuntu.yml
+++ b/.github/workflows/ubuntu.yml
@ -0,0 +1,33 @@
+name: ubuntu
+
+on:
+  push:
+    branches: [ master ]
+  pull_request:
+    branches: [ master ]
+
+jobs:
+  build:
+
+    runs-on: ubuntu-latest
+
+    steps:
+    - uses: actions/checkout@v2
+    - name: make
+      run: make
+    - name: install check
+      run: sudo apt install check
+    - name: run tests
+      run: make test
+
+  build-android:
+
+    runs-on: ubuntu-latest
+
+    steps:
+    - uses: actions/checkout@v2
+    - uses: nttld/setup-ndk@v1
+      with:
+        ndk-version: r21e
+    - name: make
+      run: make cross-android
--- a/.github/workflows/windows.yml
+++ b/.github/workflows/windows.yml
@ -0,0 +1,25 @@
+name: windows
+
+on:
+  push:
+    branches: [ master ]
+  pull_request:
+    branches: [ master ]
+
+jobs:
+  build:
+
+    runs-on: windows-latest
+    defaults:
+      run:
+        shell: msys2 {0}
+
+    steps:
+    - uses: actions/checkout@v2
+    - uses: msys2/setup-msys2@v2
+      with:
+        msystem: MINGW64
+        update: false
+        install: git make mingw-w64-x86_64-toolchain mingw-w64-x86_64-zlib
+    - name: make
+      run: make TARGETOS=windows32
--- a/.gitignore
+++ b/.gitignore
@ -3,3 +3,6 @@
 /src/base64u.c
 /src/base64u.h
 /tests/test
+*.o.d
+/src/obj/local/*/iodine
+/src/libs/*/iodine
--- a/.travis.yml
+++ b/.travis.yml
@ -1,11 +0,0 @@
-#set language to objective-c to force osx build
-#linux builds are done at http://buildbot.dev.kryo.se
-
-language: objective-c
-os: osx
-
-before_install: brew update
-install: brew install check
-
-script: make && make test
-
--- a/.vimrc
+++ b/.vimrc
@ -0,0 +1,4 @@
+set noexpandtab
+set tabstop=8
+set softtabstop=8
+set shiftwidth=8
--- a/19
+++ b/19
@ -1,11 +1,28 @@

-iodine - http://code.kryo.se/iodine
+iodine - https://code.kryo.se/iodine

 ***********************************

 CHANGES:

 master:
+	- Mac OS X: Support native utun VPN devices. Patch by
+		Peter Sagerson, ported from OpenVPN by Catalin Patulea.
+	- Fix compilation failure on kFreeBSD and Hurd, by Gregor Herrmann
+	- Patch from Ryan Welton that fixes compilation warning.
+	- README converted to markdown by Nicolas Braud-Santoni.
+	- Linux: use pkg-config for systemd support flags.
+		Patch by Jason A. Donenfeld.
+	- Add support for IPv6 in the server.
+	   Raw mode will be with same protocol as used for login.
+	   Traffic inside tunnel is still IPv4.
+	- Update android build to support 5.0 (Lollipop) and newer.
+	- Change external IP lookup to using myip.opendns.com via DNS.
+	- Add option to choose IPv4 listen address from external IP lookup.
+	- Add server support for handling multiple domains via wildcard.
+	- Recognize tap device component id 'root' prefix on Windows.
+
+2014-06-16: 0.7.0 "Kryoptonite"
 	- Partial IPv6 support (#107)
 	   Client can connect to iodined through an relaying IPv6
 	   nameserver. Server only supports IPv4 for now.
--- a/13
+++ b/13
@ -0,0 +1,13 @@
+Copyright (c) 2006-2020 iodine authors
+
+Permission to use, copy, modify, and/or distribute this software for any purpose
+with or without fee is hereby granted, provided that the above copyright notice
+and this permission notice appear in all copies.
+
+THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES WITH
+REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND
+FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY SPECIAL, DIRECT,
+INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR
+OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+PERFORMANCE OF THIS SOFTWARE.
--- a/61
+++ b/61
@ -2,6 +2,7 @@ prefix?=/usr/local
 sbindir=$(prefix)/sbin
 datadir=$(prefix)/share
 mandir=$(datadir)/man
+docdir=$(datadir)/doc

 DESTDIR=

@ -17,7 +18,7 @@ RM_FLAGS=-f
 TARGETOS = `uname`

 all:
-	@(cd src; $(MAKE) TARGETOS=$(TARGETOS) all)
+	@$(MAKE) -C src TARGETOS=$(TARGETOS) all

 install: all
 	$(MKDIR) $(MKDIR_FLAGS) $(DESTDIR)$(sbindir)
@ -28,6 +29,9 @@ install: all
 	$(MKDIR) $(MKDIR_FLAGS) $(DESTDIR)$(mandir)/man8
 	$(INSTALL) $(INSTALL_FLAGS) man/iodine.8 $(DESTDIR)$(mandir)/man8/iodine.8
 	chmod 644 $(DESTDIR)$(mandir)/man8/iodine.8
+	$(MKDIR) $(MKDIR_FLAGS) $(DESTDIR)$(docdir)/iodine
+	$(INSTALL) $(INSTALL_FLAGS) README.md $(DESTDIR)$(docdir)/iodine/README.md
+	chmod 644 $(DESTDIR)$(docdir)/iodine/README.md

 uninstall:
 	$(RM) $(RM_FLAGS) $(DESTDIR)$(sbindir)/iodine
@ -36,13 +40,13 @@ uninstall:

 test: all
 	@echo "!! The check library is required for compiling and running the tests"
-	@echo "!! Get it at http://check.sf.net"
-	@(cd tests; $(MAKE) TARGETOS=$(TARGETOS) all)
+	@echo "!! Get it at https://libcheck.github.io/check/"
+	@$(MAKE) -C tests TARGETOS=$(TARGETOS) all

 clean:
 	@echo "Cleaning..."
-	@(cd src; $(MAKE) clean)
-	@(cd tests; $(MAKE) clean)
+	@$(MAKE) -C src clean
+	@$(MAKE) -C tests clean
 	@rm -rf bin iodine-latest*

 #Helper target for windows/android zipfiles
@ -50,55 +54,60 @@ iodine-latest:
 	@rm -rf iodine-latest*
 	@mkdir -p iodine-latest
 	@echo "Create date: " > iodine-latest/VERSION.txt
-	@date >> iodine-latest/VERSION.txt
+	@LANG=en_US date >> iodine-latest/VERSION.txt
 	@echo "Git version: " >> iodine-latest/VERSION.txt
 	@git rev-parse HEAD >> iodine-latest/VERSION.txt
-	@for i in README CHANGELOG TODO; do cp $$i iodine-latest/$$i.txt; done
+	@for i in README.md CHANGELOG; do cp $$i iodine-latest/$$i.txt; done
 	@unix2dos iodine-latest/*

+#non-PIE build for old android
+cross-android-old:
+	@$(MAKE) -C src base64u.c
+	@(cd src && ndk-build NDK_PROJECT_PATH=. APP_BUILD_SCRIPT=Android.mk APP_PLATFORM=android-3)
+
+#Position-indepedent build for modern android
 cross-android:
-	@(cd src; $(MAKE) base64u.c base64u.h)
-	@(cd src; ndk-build NDK_PROJECT_PATH=. APP_BUILD_SCRIPT=Android.mk)
+	@$(MAKE) -C src base64u.c
+	@(cd src && ndk-build NDK_PROJECT_PATH=. APP_BUILD_SCRIPT=Android.16.mk APP_PLATFORM=android-16)

 iodine-latest-android.zip: iodine-latest
 	@mv iodine-latest iodine-latest-android
-	@mkdir -p iodine-latest-android/armeabi iodine-latest-android/x86
+	@mkdir -p iodine-latest-android/pre-kitkat/armeabi
+	@mkdir -p iodine-latest-android/pre-kitkat/x86
+	@$(MAKE) cross-android-old TARGET_ARCH_ABI=armeabi
+	@cp src/libs/armeabi/* iodine-latest-android/pre-kitkat/armeabi
+	@$(MAKE) cross-android-old TARGET_ARCH_ABI=x86
+	@cp src/libs/x86/* iodine-latest-android/pre-kitkat/x86
+	@rm -rf src/libs src/obj
+	@mkdir -p iodine-latest-android/armeabi
+	@mkdir -p iodine-latest-android/arm64-v8a
+	@mkdir -p iodine-latest-android/x86
 	@$(MAKE) cross-android TARGET_ARCH_ABI=armeabi
 	@cp src/libs/armeabi/* iodine-latest-android/armeabi
+	@$(MAKE) cross-android TARGET_ARCH_ABI=arm64-v8a
+	@cp src/libs/arm64-v8a/* iodine-latest-android/arm64-v8a
 	@$(MAKE) cross-android TARGET_ARCH_ABI=x86
 	@cp src/libs/x86/* iodine-latest-android/x86
 	@cp README-android.txt iodine-latest-android
 	@zip -r iodine-latest-android.zip iodine-latest-android

 cross-mingw32:
-	@(cd src; $(MAKE) TARGETOS=windows32 CC=i686-w64-mingw32-gcc all)
+	@$(MAKE) -C src TARGETOS=windows32 CC=i686-w64-mingw32-gcc all

 cross-mingw64:
-	@(cd src; $(MAKE) TARGETOS=windows32 CC=x86_64-w64-mingw32-gcc all)
+	@$(MAKE) -C src TARGETOS=windows32 CC=x86_64-w64-mingw32-gcc all

 iodine-latest-windows.zip: iodine-latest
 	@mv iodine-latest iodine-latest-windows
 	@mkdir -p iodine-latest-windows/64bit iodine-latest-windows/32bit
-	@(cd src; $(MAKE) TARGETOS=windows32 CC=i686-w64-mingw32-gcc clean all)
+	@$(MAKE) -C src TARGETOS=windows32 CC=i686-w64-mingw32-gcc clean all
 	@i686-w64-mingw32-strip bin/iodine*
 	@for i in `ls bin`; do cp bin/$$i iodine-latest-windows/32bit/$$i.exe; done
 	@cp /usr/i686-w64-mingw32/bin/zlib1.dll iodine-latest-windows/32bit
-	@(cd src; $(MAKE) TARGETOS=windows32 CC=x86_64-w64-mingw32-gcc clean all)
+	@$(MAKE) -C src TARGETOS=windows32 CC=x86_64-w64-mingw32-gcc clean all
 	@x86_64-w64-mingw32-strip bin/iodine*
 	@for i in `ls bin`; do cp bin/$$i iodine-latest-windows/64bit/$$i.exe; done
 	@cp /usr/x86_64-w64-mingw32/bin/zlib1.dll iodine-latest-windows/64bit
 	@cp README-win32.txt iodine-latest-windows
 	@zip -r iodine-latest-windows.zip iodine-latest-windows

-cross-mingw:
-	@(cd src; $(MAKE) TARGETOS=windows32 CC=i686-mingw32-gcc all)
-
-iodine-latest-win32.zip: cross-mingw iodine-latest
-	@mv iodine-latest iodine-latest-win32
-	@mkdir -p iodine-latest-win32/bin
-	@i686-mingw32-strip bin/iodine*
-	@for i in `ls bin`; do cp bin/$$i iodine-latest-win32/bin/$$i.exe; done
-	@cp /usr/i686-mingw32/usr/bin/zlib1.dll iodine-latest-win32/bin
-	@cp README-win32.txt iodine-latest-win32
-	@zip -r iodine-latest-win32.zip iodine-latest-win32
-
--- a/379
+++ b/379
@ -1,379 +0,0 @@
-
-iodine - http://code.kryo.se/iodine
-
-***********************************
-
-This is a piece of software that lets you tunnel IPv4 data through a DNS
-server. This can be usable in different situations where internet access is
-firewalled, but DNS queries are allowed.
-
-
-COMPILING:
-
-Iodine has no configure script. There are two optional features for Linux
-(SELinux and systemd support) that will be enabled automatically if the
-relevant header files are found in /usr/include. (See script at ./src/osflags)
-
-Run 'make' to compile the server and client binaries.
-Run 'make install' to copy binaries and manpage to the destination directory.
-Run 'make test' to compile and run the unit tests. (Requires the check library)
-
-
-QUICKSTART:
-
-Try it out within your own LAN! Follow these simple steps:
- On your server, run: ./iodined -f 10.0.0.1 test.com
-  (If you already use the 10.0.0.0 network, use another internal net like 
-  172.16.0.0)
- Enter a password
- On the client, run: ./iodine -f -r 192.168.0.1 test.com
-  (Replace 192.168.0.1 with your server's ip address)
- Enter the same password
- Now the client has the tunnel ip 10.0.0.2 and the server has 10.0.0.1
- Try pinging each other through the tunnel
- Done! :)
-To actually use it through a relaying nameserver, see below.
-
-
-HOW TO USE:
-
-Note: server and client are required to speak the exact same protocol. In most
-cases, this means running the same iodine version. Unfortunately, implementing
-backward and forward protocol compatibility is usually not feasible.
-
-Server side:
-To use this tunnel, you need control over a real domain (like mydomain.com),
-and a server with a public IP address to run iodined on. If this server
-already runs a DNS program, change its listening port and then use iodined's
-b option to let iodined forward the DNS requests. (Note that this procedure
-is not advised in production environments, because iodined's DNS forwarding
-is not completely transparent.)
-
-Then, delegate a subdomain (say, t1.mydomain.com) to the iodined server.
-If you use BIND for your domain, add two lines like these to the zone file:
-
-t1		IN	NS	t1ns.mydomain.com.		; note the dot!
-t1ns		IN	A	10.15.213.99
-
-The "NS" line is all that's needed to route queries for the "t1" subdomain
-to the "t1ns" server. We use a short name for the subdomain, to keep as much
-space as possible available for the data traffic. At the end of the "NS" line
-is the name of your iodined server. This can be any name, pointing anywhere,
-but in this case it's easily kept in the same zone file. It must be a name
-(not an IP address), and that name itself must have an A record (not a CNAME).
-
-If your iodined server has a dynamic IP, use a dynamic dns provider. Simply
-point the "NS" line to it, and leave the "A" line out:
-
-t1		IN	NS	myname.mydyndnsprovider.com.	; note the dot!
-
-Then reload or restart your nameserver program. Now any DNS queries for
-domains ending in t1.mydomain.com will be sent to your iodined server.
-
-Finally start iodined on your server. The first argument is the IP address
-inside the tunnel, which can be from any range that you don't use yet (for
-example 192.168.99.1), and the second argument is the assigned domain (in this
-case t1.mydomain.com). Using the -f option will keep iodined running in the
-foreground, which helps when testing. iodined will open a virtual interface
-("tun device"), and will also start listening for DNS queries on UDP port 53.
-Either enter a password on the commandline (-P pass) or after the server has
-started. Now everything is ready for the client.
-
-If there is a chance you'll be using an iodine tunnel from unexpected
-environments, start iodined with a -c option.
-
-Resulting commandline in this example situation:
-./iodined -f -c -P secretpassword 192.168.99.1 t1.mydomain.com
-
-Client side: 
-All the setup is done, just start iodine. It takes one or two arguments, the
-first is the local relaying DNS server (optional) and the second is the domain
-you used (t1.mydomain.com). If you don't specify the first argument, the
-system's current DNS setting will be consulted.
-
-If DNS queries are allowed to any computer, you can directly give the iodined
-server's address as first argument (in the example: t1ns.mydomain.com or
-10.15.213.99). In that case, it may also happen that _any_ traffic is allowed
-to the DNS port (53 UDP) of any computer. Iodine will detect this, and switch
-to raw UDP tunneling if possible. To force DNS tunneling in any case, use the
-r option (especially useful when testing within your own network).
-
-The client's tunnel interface will get an IP close to the server's (in this
-case 192.168.99.2 or .3 etc.) and a suitable MTU. Enter the same password as
-on the server either as commandline option or after the client has started.
-Using the -f option will keep the iodine client running in the foreground.
-
-Resulting commandline in this example situation:
-./iodine -f -P secretpassword t1.mydomain.com
-(add -r to force DNS tunneling even if raw UDP tunneling would be possible)
-
-From either side, you should now be able to ping the IP address on the other
-end of the tunnel. In this case, ping 192.168.99.1 from the iodine client, and
-192.168.99.2 or .3 etc. from the iodine server.
-
-
-MISC. INFO:
-
-IPv6:
-At the moment the iodined server only supports IPv4. The data inside the tunnel
-is IPv4 only.
-
-The client can use IPv4 or IPv6 nameservers to connect to iodined. The relay
-nameservers will translate between protocols automatically if needed. Use
-options -4 or -6 to force the client to use a specific IP version for its DNS
-queries. The client has to force IPv4 if it has dual-stack connectivity and
-the hostname handling the tunnel domain has both A and AAAA records.
-
-Routing:
-It is possible to route all traffic through the DNS tunnel. To do this, first
-add a host route to the nameserver used by iodine over the wired/wireless
-interface with the default gateway as gateway. Then replace the default
-gateway with the iodined server's IP address inside the DNS tunnel, and
-configure the server to do NAT.
-
-However, note that the tunneled data traffic is not encrypted at all, and can
-be read and changed by external parties relatively easily. For maximum
-security, run a VPN through the DNS tunnel (=double tunneling), or use secure
-shell (SSH) access, possibly with port forwarding. The latter can also be used
-for web browsing, when you run a web proxy (for example Privoxy) on your
-server.
-
-Testing:
-The iodined server replies to NS requests sent for subdomains of the tunnel
-domain. If your iodined subdomain is t1.mydomain.com, send a NS request for
-foo123.t1.mydomain.com to see if the delegation works. dig is a good tool
-for this:
-dig -t NS foo123.t1.mydomain.com
-
-Also, the iodined server will answer requests starting with 'z' for any of the
-supported request types, for example:
-dig -t TXT z456.t1.mydomain.com
-dig -t SRV z456.t1.mydomain.com
-dig -t CNAME z456.t1.mydomain.com
-The reply should look like garbled text in all these cases.
-
-Operational info:
-The DNS-response fragment size is normally autoprobed to get maximum bandwidth.
-To force a specific value (and speed things up), use the -m option.
-
-The DNS hostnames are normally used up to their maximum length, 255 characters.
-Some DNS relays have been found that answer full-length queries rather
-unreliably, giving widely varying (and mostly very bad) results of the
-fragment size autoprobe on repeated tries. In these cases, use the -M switch
-to reduce the DNS hostname length to for example 200 characters, which makes
-these DNS relays much more stable. This is also useful on some "de-optimizing"
-DNS relays that stuff the response with two full copies of the query, leaving
-very little space for downstream data (also not capable of EDNS0). The -M
-switch can trade some upstream bandwidth for downstream bandwidth. Note that
-the minimum -M value is about 100, since the protocol can split packets (1200
-bytes max) in only 16 fragments, requiring at least 75 real data bytes per
-fragment.
-
-The upstream data is sent gzipped encoded with Base32; or Base64 if the relay
-server supports mixed case and '+' in domain names; or Base64u if '_' is
-supported instead; or Base128 if high-byte-value characters are supported.
-This upstream encoding is autodetected. The DNS protocol allows one query per
-packet, and one query can be max 256 chars. Each domain name part can be max
-63 chars. So your domain name and subdomain should be as short as possible to
-allow maximum upstream throughput.
-
-Several DNS request types are supported, with the NULL and PRIVATE types
-expected to provide the largest downstream bandwidth. The PRIVATE type uses
-value 65399 in the private-use range. Other available types are TXT, SRV, MX,
-CNAME and A (returning CNAME), in decreasing bandwidth order.  Normally the
-"best" request type is autodetected and used. However, DNS relays may impose
-limits on for example NULL and TXT, making SRV or MX actually the best choice.
-This is not autodetected, but can be forced using the -T option.  It is
-advisable to try various alternatives especially when the autodetected request
-type provides a downstream fragment size of less than 200 bytes.
-
-Note that SRV, MX and A (returning CNAME) queries may/will cause additional
-lookups by "smart" caching nameservers to get an actual IP address, which may
-either slow down or fail completely.
-
-DNS responses for non-NULL/PRIVATE queries can be encoded with the same set of
-codecs as upstream data. This is normally also autodetected, but no fully
-exhaustive tests are done, so some problems may not be noticed when selecting
-more advanced codecs. In that case, you'll see failures/corruption in the
-fragment size autoprobe. In particular, several DNS relays have been found that
-change replies returning hostnames (SRV, MX, CNAME, A) to lowercase only when
-that hostname exceeds ca. 180 characters. In these and similar cases, use the
-O option to try other downstream codecs; Base32 should always work.
-
-Normal operation now is for the server to _not_ answer a DNS request until
-the next DNS request has come in, a.k.a. being "lazy". This way, the server
-will always have a DNS request handy when new downstream data has to be sent.
-This greatly improves (interactive) performance and latency, and allows to
-slow down the quiescent ping requests to 4 second intervals by default, and
-possibly much slower. In fact, the main purpose of the pings now is to force
-a reply to the previous ping, and prevent DNS server timeouts (usually at
-least 5-10 seconds per RFC1035). Some DNS servers are more impatient and will
-give SERVFAIL errors (timeouts) in periods without tunneled data traffic. All
-data should still get through in these cases, but iodine will reduce the ping
-interval to 1 second anyway (-I1) to reduce the number of error messages. This
-may not help for very impatient DNS relays like dnsadvantage.com (ultradns),
-which time out in 1 second or even less. Yet data will still get trough, and
-you can ignore the SERVFAIL errors.
-
-If you are running on a local network without any DNS server in-between, try
-I 50 (iodine and iodined close the connection after 60 seconds of silence).
-The only time you'll notice a slowdown, is when DNS reply packets go missing;
-the iodined server then has to wait for a new ping to re-send the data. You can
-speed this up by generating some upstream traffic (keypress, ping). If this
-happens often, check your network for bottlenecks and/or run with -I1.
-
-The delayed answering in lazy mode will cause some "carrier grade" commercial
-DNS relays to repeatedly re-send the same DNS query to the iodined server.
-If the DNS relay is actually implemented as a pool of parallel servers,
-duplicate requests may even arrive from multiple sources. This effect will
-only be visible in the network traffic at the iodined server, and will not
-affect the client's connection. Iodined will notice these duplicates, and send
-the same answer (when its time has come) to both the original query and the
-latest duplicate. After that, the full answer is cached for a short while.
-Delayed duplicates that arrive at the server even later, get a reply that the
-iodine client will ignore (if it ever arrives there).
-
-If you have problems, try inspecting the traffic with network monitoring tools
-like tcpdump or ethereal/wireshark, and make sure that the relaying DNS server
-has not cached the response. A cached error message could mean that you
-started the client before the server. The -D (and -DD) option on the server
-can also show received and sent queries.
-
-
-TIPS & TRICKS:
-
-If your port 53 is taken on a specific interface by an application that does 
-not use it, use -p on iodined to specify an alternate port (like -p 5353) and 
-use for instance iptables (on Linux) to forward the traffic:
-iptables -t nat -A PREROUTING -i eth0 -p udp --dport 53 -j DNAT --to :5353
-(Sent in by Tom Schouten)
-
-Iodined will reject data from clients that have not been active (data/pings)
-for more than 60 seconds. Similarly, iodine will exit when no downstream
-data has been received for 60 seconds. In case of a long network outage or
-similar, just restart iodine (re-login), possibly multiple times until you get
-your old IP address back. Once that's done, just wait a while, and you'll
-eventually see the tunneled TCP traffic continue to flow from where it left
-off before the outage.
-
-With the introduction of the downstream packet queue in the server, its memory
-usage has increased with several megabytes in the default configuration.
-For use in low-memory environments (e.g. running on your DSL router), you can
-decrease USERS and undefine OUTPACKETQ_LEN in user.h without any ill conse-
-quence, assuming at most one client will be connected at any time. A small
-DNSCACHE_LEN is still advised, preferably 2 or higher, however you can also
-undefine it to save a few more kilobytes.
-
-
-PERFORMANCE:
-
-This section tabulates some performance measurements. To view properly, use
-a fixed-width font like Courier.
-
-Measurements were done in protocol 00000502 in lazy mode; upstream encoding
-always Base128; iodine -M255; iodined -m1130. Network conditions were not
-extremely favorable; results are not benchmarks but a realistic indication of
-real-world performance that can be expected in similar situations.
-
-Upstream/downstream throughput was measured by scp'ing a file previously
-read from /dev/urandom (i.e. incompressible), and measuring size with
-"ls -l ; sleep 30 ; ls -l" on a separate non-tunneled connection. Given the
-large scp block size of 16 kB, this gives a resolution of 4.3 kbit/s, which
-explains why some values are exactly equal.
-Ping round-trip times measured with "ping -c100", presented are average rtt
-and mean deviation (indicating spread around the average), in milliseconds.
-
-
-Situation 1:
-Laptop  ->   Wifi AP   ->  Home server  ->  DSL provider  ->  Datacenter
- iodine    DNS "relay"        bind9           DNS cache        iodined
-
-                        downstr.  upstream downstr.  ping-up       ping-down
-                        fragsize   kbit/s   kbit/s  avg +/-mdev   avg +/-mdev
------------------------------------------------------------------------------
-
-iodine -> Wifi AP :53
-  -Tnull (= -Oraw)           982    43.6    131.0   28.0    4.6   26.8    3.4
-
-iodine -> Home server :53
-  -Tnull (= -Oraw)          1174    48.0    305.8   26.6    5.0   26.9    8.4
-
-iodine -> DSL provider :53  
-  -Tnull (= -Oraw)          1174    56.7    367.0   20.6    3.1   21.2    4.4
-  -Ttxt -Obase32             730    56.7    174.7*
-  -Ttxt -Obase64             874    56.7    174.7
-  -Ttxt -Obase128           1018    56.7    174.7
-  -Ttxt -Oraw               1162    56.7    358.2
-  -Tsrv -Obase128            910    56.7    174.7
-  -Tcname -Obase32           151    56.7     43.6
-  -Tcname -Obase128          212    56.7     52.4
-
-iodine -> DSL provider :53  
-  wired (no Wifi) -Tnull    1174    74.2    585.4   20.2    5.6   19.6    3.4
-
- [174.7* : these all have 2frag/packet]
-
-
-Situation 2:
-Laptop  ->  Wifi+vpn / wired  ->  Home server
- iodine                            iodined
-
-                        downstr.  upstream downstr.  ping-up       ping-down
-                        fragsize   kbit/s   kbit/s  avg +/-mdev   avg +/-mdev
------------------------------------------------------------------------------
-
-wifi + openvpn  -Tnull      1186   166.0   1022.3    6.3    1.3    6.6    1.6
-
-wired  -Tnull               1186   677.2   2464.1    1.3    0.2    1.3    0.1
-
-
-Performance is strongly coupled to low ping times, as iodine requires
-confirmation for every data fragment before moving on to the next. Allowing
-multiple fragments in-flight like TCP could possibly increase performance,
-but it would likely cause serious overload for the intermediary DNS servers.
-The current protocol scales performance with DNS responsivity, since the
-DNS servers are on average handling at most one DNS request per client.
-
-
-PORTABILITY:
-
-iodine has been tested on Linux (arm, ia64, x86, AMD64 and SPARC64), FreeBSD
-(ia64, x86), OpenBSD (x86), NetBSD (x86), MacOS X (ppc and x86, with
-http://tuntaposx.sourceforge.net/). and Windows (with OpenVPN TAP32 driver, see
-win32 readme file).  It should be easy to port to other unix-like systems that
-has TUN/TAP tunneling support. Let us know if you get it to run on other
-platforms. 
-
-
-THE NAME:
-
-The name iodine was chosen since it starts with IOD (IP Over DNS) and since
-iodine has atomic number 53, which happens to be the DNS port number.
-
-
-THANKS:
-
- To kuxien for FreeBSD and OS X testing
- To poplix for code audit
-
-
-AUTHORS & LICENSE:
-
-Copyright (c) 2006-2014 Erik Ekman <yarrick@kryo.se>, 2006-2009 Bjorn
-Andersson <flex@kryo.se>. Also major contributions by Anne Bezemer.
-
-Permission to use, copy, modify, and distribute this software for any purpose
-with or without fee is hereby granted, provided that the above copyright notice
-and this permission notice appear in all copies.
-
-THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES WITH
-REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND
-FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY SPECIAL, DIRECT,
-INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR
-OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-PERFORMANCE OF THIS SOFTWARE.
-
-
-MD5 implementation by L. Peter Deutsch (license and source in src/md5.[ch])
-Copyright (C) 1999, 2000, 2002 Aladdin Enterprises.  All rights reserved.
--- a/README-android.txt
+++ b/README-android.txt
@ -1,6 +1,6 @@


-iodine - http://code.kryo.se/iodine
+iodine - https://code.kryo.se/iodine

 ***********************************

@ -37,9 +37,14 @@ For more information: http://blog.bokhorst.biz/5123
 3. Build:
 	cd src
 	make base64u.h base64u.c
-		ndk-build NDK_PROJECT_PATH=. APP_BUILD_SCRIPT=Android.mk
+	ndk-build NDK_PROJECT_PATH=. APP_BUILD_SCRIPT=Android.16.mk APP_PLATFORM=android-16

   or run "make cross-android" in the iodine root directory.
   To build for other archs, specify TARGET_ARCH_ABI:
 		"make cross-android TARGET_ARCH_ABI=x86"

+   For older android versions (pre-kitkat), build with "make cross-android-old" in the
+   root directory, or manually like above but with APP_PLATFORM=android-3 and with
+   APP_BUILD_SCRIPT=Android.mk
+
+   The iodine binary ends up in src/libs/<arch>/iodine
--- a/README-win32.txt
+++ b/README-win32.txt
@ -1,6 +1,6 @@


-iodine - http://code.kryo.se/iodine
+iodine - https://code.kryo.se/iodine

 ***********************************

@ -11,10 +11,11 @@ Extra README file for Win32 related stuff

 0. After iodine 0.6, you need Windows XP or newer to run.

-1. Install the TAP32 driver 
-   http://openvpn.net/index.php/open-source/downloads.html
-   Choose OpenVPN 2.0.9 Windows Installer, when installing you can
-   select to install only the TAP driver.
+1. Install the TAP driver 
+   https://openvpn.net/index.php/open-source/downloads.html
+   Download the OpenVPN TAP driver (under section Tap-windows)
+   Problems has been reported with the NDIS6 version (9.2x.y), use the
+   NDIS5 version for now if possible.

 2. Have at least one TAP32 interface installed. There are scripts for adding
   and removing in the OpenVPN bin directory. If you have more than one
@ -46,7 +47,7 @@ Note that the binaries will not get a .exe suffix

 == Zlib download
 You can get zlib for MinGW here (both for native and crosscompile):
-http://code.kryo.se/iodine/deps/zlib.zip
+https://code.kryo.se/iodine/deps/zlib.zip
 Unzip it in your MinGW directory on Windows or in $ROOT/usr for
 cross-compile.

--- a/README.md
+++ b/README.md
@ -0,0 +1,423 @@
+iodine - <https://code.kryo.se/iodine>
+=====================================
+
+
+This is a piece of software that lets you tunnel IPv4 data through a DNS
+server. This can be usable in different situations where internet access is
+firewalled, but DNS queries are allowed.
+
+
+COMPILING
+---------
+
+Iodine has no configure script. There are two optional features for Linux
+(SELinux and systemd support) that will be enabled automatically if the
+relevant header files are found in `/usr/include`.
+(See script at `./src/osflags`)
+
+Run `make` to compile the server and client binaries.
+Run `make install` to copy binaries and manpage to the destination directory.
+Run `make test` to compile and run the unit tests. (Requires the `check` library)
+
+
+QUICKSTART
+----------
+
+Try it out within your own LAN! Follow these simple steps:
+- On your server, run: `./iodined -f 10.0.0.1 test.com`.
+  If you already use the `10.0.0.0` network, use another internal net like
+  `172.16.0.0`.
+- Enter a password.
+- On the client, run: `./iodine -f -r 192.168.0.1 test.com`.
+  Replace `192.168.0.1` with your server's ip address.
+- Enter the same password.
+- Now the client has the tunnel ip `10.0.0.2` and the server has `10.0.0.1`.
+- Try pinging each other through the tunnel.
+- Done! :)
+
+To actually use it through a relaying nameserver, see below.
+
+
+HOW TO USE
+----------
+
+Note: server and client are required to speak the exact same protocol. In most
+cases, this means running the same iodine version. Unfortunately, implementing
+backward and forward protocol compatibility is usually not feasible.
+
+### Server side
+To use this tunnel, you need control over a real domain (like `mydomain.com`),
+and a server with a public IP address to run `iodined` on. If this server
+already runs a DNS program, change its listening port and then use `iodined`'s
+`-b` option to let `iodined` forward the DNS requests. (Note that this procedure
+is not advised in production environments, because `iodined`'s DNS forwarding
+is not completely transparent, for example zone transfers will not work.)
+Alternatively you can forward the subdomain from your DNS server to `iodined`
+which must then run on a different port (`-p`).
+
+Then, delegate a subdomain (say, `t1.mydomain.com`) to the iodined server.
+If you use BIND for your domain, add two lines like these to the zone file:
+
+	t1		IN	NS	t1ns.mydomain.com.		; note the dot!
+	t1ns		IN	A	10.15.213.99
+
+The `NS` line is all that's needed to route queries for the `t1` subdomain
+to the `t1ns` server. We use a short name for the subdomain, to keep as much
+space as possible available for the data traffic. At the end of the `NS` line
+is the name of your `iodined` server. This can be any name, pointing anywhere,
+but in this case it's easily kept in the same zone file. It must be a name
+(not an IP address), and that name itself must have an `A` record
+(not a `CNAME`).
+
+If your `iodined` server has a dynamic IP, use a dynamic DNS provider. Simply
+point the `NS` line to it, and leave the `A` line out:
+
+	t1		IN	NS	myname.mydyndnsprovider.com.	; note the dot!
+
+Then reload or restart your nameserver program. Now any DNS queries for
+domains ending in `t1.mydomain.com` will be sent to your `iodined` server.
+
+Finally start `iodined` on your server. The first argument is the IP address
+inside the tunnel, which can be from any range that you don't use yet (for
+example `192.168.99.1`), and the second argument is the assigned domain (in this
+case `t1.mydomain.com`). Using the `-f` option will keep iodined running in the
+foreground, which helps when testing. iodined will open a virtual interface
+("tun device"), and will also start listening for DNS queries on UDP port 53.
+Either enter a password on the commandline (`-P pass`) or after the server has
+started. Now everything is ready for the client.
+
+If there is a chance you'll be using an iodine tunnel from unexpected
+environments, start `iodined` with a `-c` option.
+Resulting commandline in this example situation:
+
+	./iodined -f -c -P secretpassword 192.168.99.1 t1.mydomain.com
+
+### Client side
+All the setup is done, just start `iodine`. It takes one or two arguments, the
+first is the local relaying DNS server (optional) and the second is the domain
+you used (`t1.mydomain.com`). If you don't specify the first argument, the
+system's current DNS setting will be consulted.
+
+If DNS queries are allowed to any computer, you can directly give the `iodined`
+server's address as first argument (in the example: `t1ns.mydomain.com` or
+`10.15.213.99`). In that case, it may also happen that _any_ traffic is allowed
+to the DNS port (53 UDP) of any computer. Iodine will detect this, and switch
+to raw UDP tunneling if possible. To force DNS tunneling in any case, use the
+`-r` option (especially useful when testing within your own network).
+
+The client's tunnel interface will get an IP close to the server's (in this
+case `192.168.99.2` or `.3` etc.) and a suitable MTU. Enter the same password as
+on the server either as commandline option or after the client has started.
+Using the `-f` option will keep the iodine client running in the foreground.
+
+Resulting commandline in this example situation, adding -r forces DNS tunneling
+even if raw UDP tunneling would be possible:
+
+	./iodine -f -P secretpassword t1.mydomain.com
+
+From either side, you should now be able to ping the IP address on the other
+end of the tunnel. In this case, `ping 192.168.99.1` from the iodine client, and
+`192.168.99.2` from the iodine server.
+
+
+### MISC. INFO
+
+#### IPv6
+The data inside the tunnel is IPv4 only.
+
+The server listens to both IPv4 and IPv6 for incoming requests by default.
+Use options `-4` or `-6` to only listen on one protocol. Raw mode will be
+attempted on the same protocol as used for the login.
+
+The client can use IPv4 or IPv6 nameservers to connect to iodined. The relay
+nameservers will translate between protocols automatically if needed. Use
+options `-4` or `-6` to force the client to use a specific IP version for its DNS
+queries.
+
+If your server is listening on IPv6 and is reachable, add an AAAA record for it
+to your DNS setup. Extending the example above would look like this:
+
+	t1		IN	NS	t1ns.mydomain.com.		; note the dot!
+	t1ns		IN	A	10.15.213.99
+	t1ns		IN	AAAA	2001:db8::1001:99
+
+#### Routing
+It is possible to route all traffic through the DNS tunnel. To do this, first
+add a host route to the nameserver used by iodine over the wired/wireless
+interface with the default gateway as gateway. Then replace the default
+gateway with the iodined server's IP address inside the DNS tunnel, and
+configure the server to do NAT.
+
+However, note that the tunneled data traffic is not encrypted at all, and can
+be read and changed by external parties relatively easily. For maximum
+security, run a VPN through the DNS tunnel (=double tunneling), or use secure
+shell (SSH) access, possibly with port forwarding. The latter can also be used
+for web browsing, when you run a web proxy (for example Privoxy) on your
+server.
+
+#### Testing
+The `iodined` server replies to `NS` requests sent for subdomains of the tunnel
+domain. If your iodined subdomain is `t1.mydomain.com`, send a `NS` request for
+`foo123.t1.mydomain.com` to see if the delegation works.
+`dig` is a good tool for this:
+
+	% dig -t NS foo123.t1.mydomain.com
+	ns.io.citronna.de.
+
+Also, the iodined server will answer requests starting with 'z' for any of the
+supported request types, for example:
+
+	dig -t TXT z456.t1.mydomain.com
+	dig -t SRV z456.t1.mydomain.com
+	dig -t CNAME z456.t1.mydomain.com
+
+The reply should look like garbled text in all these cases.
+
+#### Mac OS X
+On Mac OS X 10.6 and later, iodine supports the native utun devices built into
+the OS - use `-d utunX`.
+
+
+Operational info
+----------------
+
+The DNS-response fragment size is normally autoprobed to get maximum bandwidth.
+To force a specific value (and speed things up), use the `-m` option.
+
+The DNS hostnames are normally used up to their maximum length, 255 characters.
+Some DNS relays have been found that answer full-length queries rather
+unreliably, giving widely varying (and mostly very bad) results of the
+fragment size autoprobe on repeated tries. In these cases, use the `-M` switch
+to reduce the DNS hostname length to, for example 200 characters, which makes
+these DNS relays much more stable. This is also useful on some “de-optimizing”
+DNS relays that stuff the response with two full copies of the query, leaving
+very little space for downstream data (also not capable of EDNS0). The `-M`
+switch can trade some upstream bandwidth for downstream bandwidth. Note that
+the minimum `-M` value is about 100, since the protocol can split packets (1200
+bytes max) in only 16 fragments, requiring at least 75 real data bytes per
+fragment.
+
+The upstream data is sent gzipped encoded with Base32; or Base64 if the relay
+server supports mixed case and `+` in domain names; or Base64u if `_` is
+supported instead; or Base128 if high-byte-value characters are supported.
+This upstream encoding is autodetected. The DNS protocol allows one query per
+packet, and one query can be max 256 chars. Each domain name part can be max
+63 chars. So your domain name and subdomain should be as short as possible to
+allow maximum upstream throughput.
+
+Several DNS request types are supported, with the `NULL` and `PRIVATE` types
+expected to provide the largest downstream bandwidth. The `PRIVATE` type uses
+value 65399 in the private-use range. Other available types are `TXT`, `SRV`,
+`MX`, `CNAME` and `A` (returning `CNAME`), in decreasing bandwidth order.
+Normally the “best” request type is autodetected and used. However, DNS relays
+may impose limits on for example NULL and TXT, making SRV or MX actually the best
+choice. This is not autodetected, but can be forced using the `-T` option.
+It is advisable to try various alternatives especially when the autodetected
+request type provides a downstream fragment size of less than 200 bytes.
+
+Note that `SRV`, `MX` and `A` (returning `CNAME`) queries may/will cause
+additional lookups by "smart" caching nameservers to get an actual IP address,
+which may either slow down or fail completely.
+
+DNS responses for non-`NULL/PRIVATE` queries can be encoded with the same set of
+codecs as upstream data. This is normally also autodetected, but no fully
+exhaustive tests are done, so some problems may not be noticed when selecting
+more advanced codecs. In that case, you'll see failures/corruption in the
+fragment size autoprobe. In particular, several DNS relays have been found that
+change replies returning hostnames (`SRV`, `MX`, `CNAME`, `A`) to lowercase only
+when that hostname exceeds ca. 180 characters. In these and similar cases, use
+the `-O` option to try other downstream codecs; Base32 should always work.
+
+Normal operation now is for the server to _not_ answer a DNS request until
+the next DNS request has come in, a.k.a. being “lazy”. This way, the server
+will always have a DNS request handy when new downstream data has to be sent.
+This greatly improves (interactive) performance and latency, and allows to
+slow down the quiescent ping requests to 4 second intervals by default, and
+possibly much slower. In fact, the main purpose of the pings now is to force
+a reply to the previous ping, and prevent DNS server timeouts (usually at
+least 5-10 seconds per RFC1035). Some DNS servers are more impatient and will
+give SERVFAIL errors (timeouts) in periods without tunneled data traffic. All
+data should still get through in these cases, but `iodine` will reduce the ping
+interval to 1 second anyway (-I1) to reduce the number of error messages. This
+may not help for very impatient DNS relays like `dnsadvantage.com` (ultradns),
+which time out in 1 second or even less. Yet data will still get trough, and
+you can ignore the `SERVFAIL` errors.
+
+If you are running on a local network without any DNS server in-between, try
+`-I 50` (iodine and iodined close the connection after 60 seconds of silence).
+The only time you'll notice a slowdown, is when DNS reply packets go missing;
+the `iodined` server then has to wait for a new ping to re-send the data. You can
+speed this up by generating some upstream traffic (keypress, ping). If this
+happens often, check your network for bottlenecks and/or run with `-I1`.
+
+The delayed answering in lazy mode will cause some “carrier grade” commercial
+DNS relays to repeatedly re-send the same DNS query to the iodined server.
+If the DNS relay is actually implemented as a pool of parallel servers,
+duplicate requests may even arrive from multiple sources. This effect will
+only be visible in the network traffic at the `iodined` server, and will not
+affect the client's connection. Iodined will notice these duplicates, and send
+the same answer (when its time has come) to both the original query and the
+latest duplicate. After that, the full answer is cached for a short while.
+Delayed duplicates that arrive at the server even later, get a reply that the
+iodine client will ignore (if it ever arrives there).
+
+If you have problems, try inspecting the traffic with network monitoring tools
+like tcpdump or ethereal/wireshark, and make sure that the relaying DNS server
+has not cached the response. A cached error message could mean that you
+started the client before the server. The `-D` (and `-DD`) option on the server
+can also show received and sent queries.
+
+
+TIPS & TRICKS
+-------------
+
+If your port 53 is taken on a specific interface by an application that does
+not use it, use `-p` on iodined to specify an alternate port (like `-p 5353`)
+and use for instance iptables (on Linux) to forward the traffic:
+
+	iptables -t nat -A PREROUTING -i eth0 -p udp --dport 53 -j DNAT --to :5353
+
+(Sent in by Tom Schouten)
+
+Iodined will reject data from clients that have not been active (data/pings)
+for more than 60 seconds. Similarly, iodine will exit when no downstream
+data has been received for 60 seconds. In case of a long network outage or
+similar, just restart iodine (re-login), possibly multiple times until you get
+your old IP address back. Once that's done, just wait a while, and you'll
+eventually see the tunneled TCP traffic continue to flow from where it left
+off before the outage.
+
+With the introduction of the downstream packet queue in the server, its memory
+usage has increased with several megabytes in the default configuration.
+For use in low-memory environments (e.g. running on your DSL router), you can
+decrease USERS and undefine OUTPACKETQ_LEN in user.h without any ill conse-
+quence, assuming at most one client will be connected at any time. A small
+DNSCACHE_LEN is still advised, preferably 2 or higher, however you can also
+undefine it to save a few more kilobytes.
+
+One iodine server can handle multiple domains. Set up different NS records
+on the same domain all pointing to the same host, and use a wildcard
+at the start of the topdomain argument (example `*.mydomain.com`). iodine
+will accept tunnel traffic for all domains matching that pattern. The wildcard
+has to be at the start of the topdomain argument and be followed by a dot.
+
+
+PERFORMANCE
+-----------
+
+This section tabulates some performance measurements. To view properly, use
+a fixed-width font like Courier.
+
+Measurements were done in protocol 00000502 in lazy mode; upstream encoding
+always Base128; `iodine -M255`; `iodined -m1130`. Network conditions were not
+extremely favorable; results are not benchmarks but a realistic indication of
+real-world performance that can be expected in similar situations.
+
+Upstream/downstream throughput was measured by `scp`'ing a file previously
+read from `/dev/urandom` (i.e. incompressible), and measuring size with
+`ls -l ; sleep 30 ; ls -l` on a separate non-tunneled connection. Given the
+large `scp` block size of 16 kB, this gives a resolution of 4.3 kbit/s, which
+explains why some values are exactly equal.
+Ping round-trip times measured with `ping -c100`, presented are average rtt
+and mean deviation (indicating spread around the average), in milliseconds.
+
+
+### Situation 1: `Laptop  ->   Wifi AP   ->  Home server  ->  DSL provider  ->  Datacenter`
+
+	 iodine    DNS "relay"        bind9           DNS cache        iodined
+
+	                        downstr.  upstream downstr.  ping-up       ping-down
+	                        fragsize   kbit/s   kbit/s  avg +/-mdev   avg +/-mdev
+	-----------------------------------------------------------------------------
+
+	iodine -> Wifi AP :53
+	  -Tnull (= -Oraw)           982    43.6    131.0   28.0    4.6   26.8    3.4
+
+	iodine -> Home server :53
+	  -Tnull (= -Oraw)          1174    48.0    305.8   26.6    5.0   26.9    8.4
+
+	iodine -> DSL provider :53
+	  -Tnull (= -Oraw)          1174    56.7    367.0   20.6    3.1   21.2    4.4
+	  -Ttxt -Obase32             730    56.7    174.7*
+	  -Ttxt -Obase64             874    56.7    174.7
+	  -Ttxt -Obase128           1018    56.7    174.7
+	  -Ttxt -Oraw               1162    56.7    358.2
+	  -Tsrv -Obase128            910    56.7    174.7
+	  -Tcname -Obase32           151    56.7     43.6
+	  -Tcname -Obase128          212    56.7     52.4
+
+	iodine -> DSL provider :53
+	  wired (no Wifi) -Tnull    1174    74.2    585.4   20.2    5.6   19.6    3.4
+
+	 [174.7* : these all have 2frag/packet]
+
+
+### Situation 2: `Laptop  ->  Wifi+vpn / wired  ->  Home server`
+
+	 iodine                            iodined
+
+	                        downstr.  upstream downstr.  ping-up       ping-down
+	                        fragsize   kbit/s   kbit/s  avg +/-mdev   avg +/-mdev
+	-----------------------------------------------------------------------------
+
+	wifi + openvpn  -Tnull      1186   166.0   1022.3    6.3    1.3    6.6    1.6
+
+	wired  -Tnull               1186   677.2   2464.1    1.3    0.2    1.3    0.1
+
+
+### Notes
+
+Performance is strongly coupled to low ping times, as iodine requires
+confirmation for every data fragment before moving on to the next. Allowing
+multiple fragments in-flight like TCP could possibly increase performance,
+but it would likely cause serious overload for the intermediary DNS servers.
+The current protocol scales performance with DNS responsivity, since the
+DNS servers are on average handling at most one DNS request per client.
+
+
+PORTABILITY
+-----------
+
+iodine has been tested on Linux (arm, ia64, x86, AMD64 and SPARC64), FreeBSD
+(ia64, x86), OpenBSD (x86), NetBSD (x86), MacOS X (ppc and x86, with
+<http://tuntaposx.sourceforge.net/>). and Windows (with OpenVPN TAP32 driver, see
+win32 readme file).  It should be easy to port to other unix-like systems that
+have TUN/TAP tunneling support. Let us know if you get it to run on other
+platforms.
+
+
+THE NAME
+--------
+
+The name iodine was chosen since it starts with IOD (IP Over DNS) and since
+iodine has atomic number 53, which happens to be the DNS port number.
+
+
+THANKS
+------
+
+- To kuxien for FreeBSD and OS X testing
+- To poplix for code audit
+
+
+AUTHORS & LICENSE
+-----------------
+
+Copyright (c) 2006-2014 Erik Ekman <yarrick@kryo.se>, 2006-2009 Bjorn
+Andersson <flex@kryo.se>. Also major contributions by Anne Bezemer.
+
+Permission to use, copy, modify, and/or distribute this software for any purpose
+with or without fee is hereby granted, provided that the above copyright notice
+and this permission notice appear in all copies.
+
+THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES WITH
+REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND
+FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY SPECIAL, DIRECT,
+INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR
+OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+PERFORMANCE OF THIS SOFTWARE.
+
+
+MD5 implementation by L. Peter Deutsch (license and source in `src/md5.[ch]`)
+Copyright (C) 1999, 2000, 2002 Aladdin Enterprises.  All rights reserved.
--- a/12
+++ b/12
@ -1,12 +0,0 @@
-
-iodine - http://code.kryo.se/iodine
-
-***********************************
-
-The TODO list is now located at
-
-http://dev.kryo.se/iodine/
-
-The list is under the "View tickets" page
-
-Feel free to add your own wishes and bug reports
--- a/doc/iodine-server.socket
+++ b/doc/iodine-server.socket
@ -3,6 +3,8 @@ Description=Iodine socket

 [Socket]
 ListenDatagram=53
+ListenDatagram=0.0.0.0:53
+BindIPv6Only=ipv6-only

 [Install]
 WantedBy=sockets.target
--- a/doc/proto_00000502.txt
+++ b/doc/proto_00000502.txt
@ -50,14 +50,16 @@ Server replies:
 	LNAK means not accepted
 	x.x.x.x-y.y.y.y-mtu-netmask means accepted (server ip, client ip, mtu, netmask bits)

-IP Request:
+IP Request: (for where to try raw login)
 Client sends:
 	First byte i or I
 	5 bits coded as Base32 char, meaning userid
 	CMC as 3 Base32 chars
 Server replies
-	BADIP if bad userid, or
-	I and then 4 bytes network order external IP address of iodined server
+	BADIP if bad userid
+	First byte I
+	Then comes external IP address of iodined server
+	as 4 bytes (IPv4) or 16 bytes (IPv6)

 Upstream codec check / bounce:
 Client sends:
--- a/man/iodine.8
+++ b/man/iodine.8
@ -45,7 +45,7 @@ iodine, iodined \- tunnel IPv4 over DNS

 .B iodined [-h]

-.B iodined [-c] [-s] [-f] [-D] [-u
+.B iodined [-4] [-6] [-c] [-s] [-f] [-D] [-u
 .I user
 .B ] [-t
 .I chrootdir
@ -54,7 +54,9 @@ iodine, iodined \- tunnel IPv4 over DNS
 .B ] [-m
 .I mtu
 .B ] [-l
-.I listen_ip
+.I listen_ip4
+.B ] [-L
+.I listen_ip6
 .B ] [-p
 .I port
 .B ] [-n
@ -110,6 +112,12 @@ Print usage info and exit.
 .B -f
 Keep running in foreground.
 .TP
+.B -4
+Force/allow only IPv4 DNS queries
+.TP
+.B -6
+Force/allow only IPv6 DNS queries
+.TP
 .B -u user
 Drop privileges and run as user 'user' after setting up tunnel.
 .TP
@ -118,7 +126,8 @@ Chroot to 'chrootdir' after setting up tunnel.
 .TP
 .B -d device
 Use the TUN device 'device' instead of the normal one, which is dnsX on Linux
-and otherwise tunX.
+and otherwise tunX. On Mac OS X 10.6, this can also be utunX, which will attempt
+to use an utun device built into the OS.
 .TP
 .B -P password
 Use 'password' to authenticate. If not used,
@ -132,12 +141,6 @@ Apply SELinux 'context' after initialization.
 Create 'pidfile' and write process id in it.
 .SS Client Options:
 .TP
-.B -4
-Force IPv4 DNS queries
-.TP
-.B -6
-Force IPv6 DNS queries
-.TP
 .B -r
 Skip raw UDP mode. If not used, iodine will try getting the public IP address
 of the iodined host and test if it is reachable directly. If it is, traffic
@ -265,13 +268,21 @@ This will be sent to the client on login, and the client will use the same mtu
 for its tun device.  Default 1130.  Note that the DNS traffic will be
 automatically fragmented when needed.
 .TP
-.B -l listen_ip
-Make the server listen only on 'listen_ip' for incoming requests.
-By default, incoming requests are accepted from all interfaces.
+.B -l external|listen_ip4
+Make the server listen only on 'listen_ip4' for incoming IPv4 requests.
+By default, incoming requests are accepted from all interfaces (0.0.0.0).
+A domain name can be used as argument - use one with only one A record.
+If listen_ip4 is 'external', iodined will use the opendns.com DNS service to
+retrieve the external IP of the host and use that as listen address.
+.TP
+.B -L listen_ip6
+Make the server listen only on 'listen_ip6' for incoming IPv6 requests.
+By default, incoming requests are accepted from all interfaces (::).
+A domain name can be used as argument - use one with only one AAAA record.
 .TP
 .B -p port
 Make the server listen on 'port' instead of 53 for traffic.
-If 'listen_ip' does not include localhost, this 'port' can be the same
+If 'listen_ip4' does not include localhost, this 'port' can be the same
 as 'dnsport'.
 .B Note:
 You must make sure the dns requests are forwarded to this port yourself.
@ -279,7 +290,7 @@ You must make sure the dns requests are forwarded to this port yourself.
 .B -n auto|external_ip
 The IP address to return in NS responses. Default is to return the address used
 as destination in the query.
-If external_ip is 'auto', iodined will use externalip.net web service to
+If external_ip is 'auto', iodined will use the opendns.com DNS service to
 retrieve the external IP of the host and use that for NS responses.
 .TP
 .B -b dnsport
@ -326,7 +337,8 @@ subdomains under 'topdomain'. This is normally a subdomain to a domain you
 own. Use a short domain name to get better throughput. This argument must be
 the same on both the client and the server. Queries for domains other
 than 'topdomain' will be forwarded when the \-b option is given, otherwise
-they will be dropped.
+they will be dropped. The topdomain can start with '*' which will allow all
+domains ending with the same suffix.
 .SH EXAMPLES
 See the README file for both a quick test scenario, and a detailed description
 of real-world deployment.
@ -362,7 +374,7 @@ option still has precedence.
 The README file in the source distribution contains some more elaborate
 information.
 .SH BUGS
-File bugs at http://dev.kryo.se/iodine/
+File bugs at https://github.com/yarrick/iodine
 .SH AUTHORS
 Erik Ekman <yarrick@kryo.se> and Bjorn Andersson <flex@kryo.se>. Major
 contributions by Anne Bezemer.
--- a/src/Android.16.mk
+++ b/src/Android.16.mk
@ -0,0 +1,26 @@
+#
+# iodine for Android
+#
+# by Marcel Bokhorst
+# http://blog.bokhorst.biz/5123/computers-en-internet/iodine-for-android/
+#
+# cd iodine-0.6.0-rc1/src
+# make base64u.h base64u.c
+# .../ndk-build NDK_PROJECT_PATH=. APP_BUILD_SCRIPT=Android.mk
+#
+
+LOCAL_PATH:= $(call my-dir)
+
+HEAD_COMMIT = `git rev-parse --short HEAD`
+
+include $(CLEAR_VARS)
+
+LOCAL_MODULE    := iodine
+LOCAL_SRC_FILES := tun.c dns.c read.c encoding.c login.c base32.c base64.c base64u.c base128.c md5.c common.c iodine.c client.c util.c
+LOCAL_CFLAGS    := -c -DANDROID -DLINUX -DIFCONFIGPATH=\"/system/bin/\" -Wall -DGITREVISION=\"$(HEAD_COMMIT)\"
+LOCAL_LDLIBS    := -lz
+LOCAL_CFLAGS += -fPIE
+LOCAL_LDFLAGS += -fPIE -pie
+
+include $(BUILD_EXECUTABLE)
+
--- a/src/Makefile
+++ b/src/Makefile
@ -11,6 +11,7 @@ HEAD_COMMIT = `git rev-parse --short HEAD`
 LIBPATH = -L.
 LDFLAGS +=  -lz `sh osflags $(TARGETOS) link` $(LIBPATH)
 CFLAGS += -std=c99 -c -g -Wall -D$(OS) -pedantic `sh osflags $(TARGETOS) cflags` -DGITREVISION=\"$(HEAD_COMMIT)\"
+CFLAGS += -Wstrict-prototypes -Wtype-limits -Wmissing-declarations -Wmissing-prototypes

 all: stateos $(CLIENT) $(SERVER)

@ -31,15 +32,10 @@ $(SERVER): $(COMMONOBJS) $(SERVEROBJS)
 	@echo CC $<
 	@$(CC) $(CFLAGS) $< -o $@

-base64u.o client.o iodined.o: base64u.h
 base64u.c: base64.c
 	@echo Making $@
 	@echo '/* No use in editing, produced by Makefile! */' > $@
 	@sed -e 's/\([Bb][Aa][Ss][Ee]64\)/\1u/g ; s/0123456789+/0123456789_/' < base64.c >> $@
-base64u.h: base64.h
-	@echo Making $@
-	@echo '/* No use in editing, produced by Makefile! */' > $@
-	@sed -e 's/\([Bb][Aa][Ss][Ee]64\)/\1u/g ; s/0123456789+/0123456789_/' < base64.h >> $@

 clean:
 	@echo "Cleaning src/"
--- a/src/android_dns.h
+++ b/src/android_dns.h
@ -1,7 +1,25 @@
+/*
+ * Copyright (c) 2009 Marcel Bokhorst <marcel@bokhorst.biz>
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */

 #ifndef __FIX_ANDROID_H__
 #define __FIX_ANDROID_H__

+/* Newer android platforms can have this data already */
+#ifndef C_IN
+
 typedef struct {
 	unsigned id :16;
 	unsigned rd :1;
@ -36,4 +54,6 @@ typedef struct {
 #define T_TXT		16
 #define T_SRV		33

+#endif /* !C_IN */
+
 #endif
--- a/src/base128.c
+++ b/src/base128.c
@ -1,7 +1,7 @@
 /*
 * Copyright (C) 2009 J.A.Bezemer@opensourcepartners.nl
 *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
 * purpose with or without fee is hereby granted, provided that the above
 * copyright notice and this permission notice appear in all copies.
 *
@ -33,10 +33,9 @@
 #include <string.h>

 #include "encoding.h"
-#include "base128.h"

-#define BLKSIZE_RAW 7
-#define BLKSIZE_ENC 8
+#define BASE128_BLKSIZE_RAW 7
+#define BASE128_BLKSIZE_ENC 8

 /* Don't use '-' (restricted to middle of labels), prefer iso_8859-1
 * accent chars since they might readily be entered in normal use,
@ -52,49 +51,7 @@ static const unsigned char cb128[] =
 static unsigned char rev128[256];
 static int reverse_init = 0;

-static int base128_encode(char *, size_t *, const void *, size_t);
-static int base128_decode(void *, size_t *, const char *, size_t);
-static int base128_handles_dots();
-static int base128_blksize_raw();
-static int base128_blksize_enc();
-
-static struct encoder base128_encoder =
-{
-	"Base128",
-	base128_encode,
-	base128_decode,
-	base128_handles_dots,
-	base128_handles_dots,
-	base128_blksize_raw,
-	base128_blksize_enc
-};
-
-struct encoder
-*get_base128_encoder()
-{
-	return &base128_encoder;
-}
-
-static int
-base128_handles_dots()
-{
-	return 0;
-}
-
-static int
-base128_blksize_raw()
-{
-	return BLKSIZE_RAW;
-}
-
-static int
-base128_blksize_enc()
-{
-	return BLKSIZE_ENC;
-}
-
-inline static void
-base128_reverse_init()
+inline static void base128_reverse_init(void)
 {
 	int i;
 	unsigned char c;
@ -109,8 +66,6 @@ base128_reverse_init()
 	}
 }

-static int
-base128_encode(char *buf, size_t *buflen, const void *data, size_t size)
 /*
 * Fills *buf with max. *buflen characters, encoding size bytes of *data.
 *
@ -120,6 +75,8 @@ base128_encode(char *buf, size_t *buflen, const void *data, size_t size)
 * return value    : #bytes filled in buf   (excluding \0)
 * sets *buflen to : #bytes encoded from data
 */
+static int base128_encode(char *buf, size_t *buflen, const void *data,
+			  size_t size)
 {
 	unsigned char *ubuf = (unsigned char *) buf;
 	unsigned char *udata = (unsigned char *) data;
@ -203,8 +160,6 @@ base128_encode(char *buf, size_t *buflen, const void *data, size_t size)

 #define REV128(x) rev128[(int) (x)]

-static int
-base128_decode(void *buf, size_t *buflen, const char *str, size_t slen)
 /*
 * Fills *buf with max. *buflen bytes, decoded from slen chars in *str.
 * Decoding stops early when *str contains \0.
@ -216,6 +171,8 @@ base128_decode(void *buf, size_t *buflen, const char *str, size_t slen)
 *
 * return value    : #bytes filled in buf   (excluding \0)
 */
+static int base128_decode(void *buf, size_t *buflen, const char *str,
+			  size_t slen)
 {
 	unsigned char *ustr = (unsigned char *) str;
 	unsigned char *ubuf = (unsigned char *) buf;
@ -289,3 +246,16 @@ base128_decode(void *buf, size_t *buflen, const char *str, size_t slen)

 	return iout;
 }
+
+const struct encoder base128_ops = {
+	.name = "Base128",
+
+	.encode = base128_encode,
+	.decode = base128_decode,
+
+	.places_dots = false,
+	.eats_dots = false,
+
+	.blocksize_raw = BASE128_BLKSIZE_RAW,
+	.blocksize_encoded = BASE128_BLKSIZE_ENC,
+};
--- a/src/base128.h
+++ b/src/base128.h
@ -1,22 +0,0 @@
-/*
- * Copyright (C) 2009 J.A.Bezemer@opensourcepartners.nl
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
- * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-#ifndef __BASE128_H__
-#define __BASE128_H__
-
-struct encoder *get_base128_encoder(void);
-
-#endif
--- a/src/base32.c
+++ b/src/base32.c
@ -3,7 +3,7 @@
 * 2006-2009 Bjorn Andersson <flex@kryo.se>
 * Mostly rewritten 2009 J.A.Bezemer@opensourcepartners.nl
 *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
 * purpose with or without fee is hereby granted, provided that the above
 * copyright notice and this permission notice appear in all copies.
 *
@ -21,10 +21,9 @@
 #include <string.h>

 #include "encoding.h"
-#include "base32.h"

-#define BLKSIZE_RAW 5
-#define BLKSIZE_ENC 8
+#define BASE32_BLKSIZE_RAW 5
+#define BASE32_BLKSIZE_ENC 8

 static const char cb32[] =
 	"abcdefghijklmnopqrstuvwxyz012345";
@ -33,49 +32,7 @@ static const char cb32_ucase[] =
 static unsigned char rev32[256];
 static int reverse_init = 0;

-static int base32_encode(char *, size_t *, const void *, size_t);
-static int base32_decode(void *, size_t *, const char *, size_t);
-static int base32_handles_dots();
-static int base32_blksize_raw();
-static int base32_blksize_enc();
-
-static struct encoder base32_encoder =
-{
-	"Base32",
-	base32_encode,
-	base32_decode,
-	base32_handles_dots,
-	base32_handles_dots,
-	base32_blksize_raw,
-	base32_blksize_enc
-};
-
-struct encoder
-*get_base32_encoder()
-{
-	return &base32_encoder;
-}
-
-static int
-base32_handles_dots()
-{
-	return 0;
-}
-
-static int
-base32_blksize_raw()
-{
-	return BLKSIZE_RAW;
-}
-
-static int
-base32_blksize_enc()
-{
-	return BLKSIZE_ENC;
-}
-
-inline static void
-base32_reverse_init()
+inline static void base32_reverse_init(void)
 {
 	int i;
 	unsigned char c;
@ -92,21 +49,17 @@ base32_reverse_init()
 	}
 }

-int
-b32_5to8(int in)
+int b32_5to8(int in)
 {
 	return cb32[in & 31];
 }

-int
-b32_8to5(int in)
+int b32_8to5(int in)
 {
 	base32_reverse_init();
 	return rev32[in];
 }

-static int
-base32_encode(char *buf, size_t *buflen, const void *data, size_t size)
 /*
 * Fills *buf with max. *buflen characters, encoding size bytes of *data.
 *
@ -116,6 +69,7 @@ base32_encode(char *buf, size_t *buflen, const void *data, size_t size)
 * return value    : #bytes filled in buf   (excluding \0)
 * sets *buflen to : #bytes encoded from data
 */
+static int base32_encode(char *buf, size_t *buflen, const void *data, size_t size)
 {
 	unsigned char *udata = (unsigned char *) data;
 	int iout = 0;	/* to-be-filled output char */
@ -196,8 +150,6 @@ base32_encode(char *buf, size_t *buflen, const void *data, size_t size)

 #define REV32(x) rev32[(int) (x)]

-static int
-base32_decode(void *buf, size_t *buflen, const char *str, size_t slen)
 /*
 * Fills *buf with max. *buflen bytes, decoded from slen chars in *str.
 * Decoding stops early when *str contains \0.
@ -209,6 +161,8 @@ base32_decode(void *buf, size_t *buflen, const char *str, size_t slen)
 *
 * return value    : #bytes filled in buf   (excluding \0)
 */
+static int base32_decode(void *buf, size_t *buflen, const char *str,
+			 size_t slen)
 {
 	unsigned char *ubuf = (unsigned char *) buf;
 	int iout = 0;	/* to-be-filled output byte */
@ -269,3 +223,16 @@ base32_decode(void *buf, size_t *buflen, const char *str, size_t slen)

 	return iout;
 }
+
+const struct encoder base32_ops = {
+	.name = "Base32",
+
+	.encode = base32_encode,
+	.decode = base32_decode,
+
+	.places_dots = false,
+	.eats_dots = false,
+
+	.blocksize_raw = BASE32_BLKSIZE_RAW,
+	.blocksize_encoded = BASE32_BLKSIZE_ENC,
+};
--- a/src/base32.h
+++ b/src/base32.h
@ -1,25 +0,0 @@
-/*
- * Copyright (c) 2006-2014 Erik Ekman <yarrick@kryo.se>,
- * 2006-2009 Bjorn Andersson <flex@kryo.se>
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
- * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-#ifndef __BASE32_H__
-#define __BASE32_H__
-
-struct encoder *get_base32_encoder(void);
-
-int b32_5to8(int);
-int b32_8to5(int);
-#endif
--- a/src/base64.c
+++ b/src/base64.c
@ -3,7 +3,7 @@
 * 2006-2009 Bjorn Andersson <flex@kryo.se>
 * Mostly rewritten 2009 J.A.Bezemer@opensourcepartners.nl
 *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
 * purpose with or without fee is hereby granted, provided that the above
 * copyright notice and this permission notice appear in all copies.
 *
@ -21,10 +21,9 @@
 #include <string.h>

 #include "encoding.h"
-#include "base64.h"

-#define BLKSIZE_RAW 3
-#define BLKSIZE_ENC 4
+#define BASE64_BLKSIZE_RAW 3
+#define BASE64_BLKSIZE_ENC 4

 /* Note: the "unofficial" char is last here, which means that the \377 pattern
   in DOWNCODECCHECK1 ('Y' request) will properly test it. */
@ -33,49 +32,7 @@ static const char cb64[] =
 static unsigned char rev64[256];
 static int reverse_init = 0;

-static int base64_encode(char *, size_t *, const void *, size_t);
-static int base64_decode(void *, size_t *, const char *, size_t);
-static int base64_handles_dots();
-static int base64_blksize_raw();
-static int base64_blksize_enc();
-
-static struct encoder base64_encoder =
-{
-	"Base64",
-	base64_encode,
-	base64_decode,
-	base64_handles_dots,
-	base64_handles_dots,
-	base64_blksize_raw,
-	base64_blksize_enc
-};
-
-struct encoder
-*get_base64_encoder()
-{
-	return &base64_encoder;
-}
-
-static int
-base64_handles_dots()
-{
-	return 0;
-}
-
-static int
-base64_blksize_raw()
-{
-	return BLKSIZE_RAW;
-}
-
-static int
-base64_blksize_enc()
-{
-	return BLKSIZE_ENC;
-}
-
-inline static void
-base64_reverse_init()
+inline static void base64_reverse_init(void)
 {
 	int i;
 	unsigned char c;
@ -90,8 +47,6 @@ base64_reverse_init()
 	}
 }

-static int
-base64_encode(char *buf, size_t *buflen, const void *data, size_t size)
 /*
 * Fills *buf with max. *buflen characters, encoding size bytes of *data.
 *
@ -101,6 +56,8 @@ base64_encode(char *buf, size_t *buflen, const void *data, size_t size)
 * return value    : #bytes filled in buf   (excluding \0)
 * sets *buflen to : #bytes encoded from data
 */
+static int base64_encode(char *buf, size_t *buflen, const void *data,
+			 size_t size)
 {
 	unsigned char *udata = (unsigned char *) data;
 	int iout = 0;	/* to-be-filled output char */
@ -151,8 +108,6 @@ base64_encode(char *buf, size_t *buflen, const void *data, size_t size)

 #define REV64(x) rev64[(int) (x)]

-static int
-base64_decode(void *buf, size_t *buflen, const char *str, size_t slen)
 /*
 * Fills *buf with max. *buflen bytes, decoded from slen chars in *str.
 * Decoding stops early when *str contains \0.
@ -164,6 +119,8 @@ base64_decode(void *buf, size_t *buflen, const char *str, size_t slen)
 *
 * return value    : #bytes filled in buf   (excluding \0)
 */
+static int base64_decode(void *buf, size_t *buflen, const char *str,
+			 size_t slen)
 {
 	unsigned char *ubuf = (unsigned char *) buf;
 	int iout = 0;	/* to-be-filled output byte */
@ -204,3 +161,16 @@ base64_decode(void *buf, size_t *buflen, const char *str, size_t slen)

 	return iout;
 }
+
+const struct encoder base64_ops = {
+	.name = "Base64",
+
+	.encode = base64_encode,
+	.decode = base64_decode,
+
+	.places_dots = false,
+	.eats_dots = false,
+
+	.blocksize_raw = BASE64_BLKSIZE_RAW,
+	.blocksize_encoded = BASE64_BLKSIZE_ENC,
+};
--- a/src/base64.h
+++ b/src/base64.h
@ -1,23 +0,0 @@
-/*
- * Copyright (c) 2006-2014 Erik Ekman <yarrick@kryo.se>,
- * 2006-2009 Bjorn Andersson <flex@kryo.se>
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
- * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-#ifndef __BASE64_H__
-#define __BASE64_H__
-
-struct encoder *get_base64_encoder(void);
-
-#endif
--- a/src/client.c
+++ b/src/client.c
@ -2,7 +2,7 @@
 * Copyright (c) 2006-2014 Erik Ekman <yarrick@kryo.se>,
 * 2006-2009 Bjorn Andersson <flex@kryo.se>
 *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
 * purpose with or without fee is hereby granted, provided that the above
 * copyright notice and this permission notice appear in all copies.
 *
@ -32,10 +32,10 @@
 #ifdef WINDOWS32
 #include "windows.h"
 #else
+#include <arpa/nameser.h>
 #ifdef ANDROID
 #include "android_dns.h"
 #endif
-#include <arpa/nameser.h>
 #ifdef DARWIN
 #define BIND_8_COMPAT
 #include <arpa/nameser_compat.h>
@ -47,10 +47,6 @@

 #include "common.h"
 #include "encoding.h"
-#include "base32.h"
-#include "base64.h"
-#include "base64u.h"
-#include "base128.h"
 #include "dns.h"
 #include "login.h"
 #include "tun.h"
@ -64,7 +60,8 @@ static const char *password;

 static struct sockaddr_storage nameserv;
 static int nameserv_len;
-static struct sockaddr_in raw_serv;
+static struct sockaddr_storage raw_serv;
+static int raw_serv_len;
 static const char *topdomain;

 static uint16_t rand_seed;
@ -84,16 +81,9 @@ static uint16_t chunkid;
 static uint16_t chunkid_prev;
 static uint16_t chunkid_prev2;

-/* Base32 encoder used for non-data packets and replies */
-static struct encoder *b32;
-/* Base64 etc encoders for replies */
-static struct encoder *b64;
-static struct encoder *b64u;
-static struct encoder *b128;
-
 /* The encoder used for data packets
 * Defaults to Base32, can be changed after handshake */
-static struct encoder *dataenc;
+const static struct encoder *dataenc = &base32_ops;

 /* The encoder to use for downstream data */
 static char downenc = ' ';
@ -116,11 +106,6 @@ void
 client_init()
 {
 	running = 1;
-	b32 = get_base32_encoder();
-	b64 = get_base64_encoder();
-	b64u = get_base64u_encoder();
-	b128 = get_base128_encoder();
-	dataenc = get_base32_encoder();
 	rand_seed = ((unsigned int) rand()) & 0xFFFF;
 	send_ping_soon = 1;	/* send ping immediately after startup */
 	conn = CONN_DNS_NULL;
@ -242,7 +227,7 @@ client_set_hostname_maxlen(int i)
 const char *
 client_get_raw_addr()
 {
-	return inet_ntoa(raw_serv.sin_addr);
+	return format_addr(&raw_serv, raw_serv_len);
 }

 static void
@ -307,7 +292,7 @@ send_query(int fd, char *hostname)
 }

 static void
-send_raw(int fd, char *buf, int buflen, int user, int cmd)
+send_raw(int fd, char *buf, int buflen, int cmd)
 {
 	char packet[4096];
 	int len;
@ -320,7 +305,7 @@ send_raw(int fd, char *buf, int buflen, int user, int cmd)
 	}

 	len += RAW_HDR_LEN;
-	packet[RAW_HDR_CMD] = cmd | (user & 0x0F);
+	packet[RAW_HDR_CMD] = cmd | (userid & 0x0F);

 	sendto(fd, packet, len, 0, (struct sockaddr*)&raw_serv, sizeof(raw_serv));
 }
@ -328,7 +313,7 @@ send_raw(int fd, char *buf, int buflen, int user, int cmd)
 static void
 send_raw_data(int dns_fd)
 {
-	send_raw(dns_fd, outpkt.data, outpkt.len, userid, RAW_HDR_CMD_DATA);
+	send_raw(dns_fd, outpkt.data, outpkt.len, RAW_HDR_CMD_DATA);
 	outpkt.len = 0;
 }

@ -341,12 +326,11 @@ send_packet(int fd, char cmd, const char *data, const size_t datalen)
 	buf[0] = cmd;

 	build_hostname(buf + 1, sizeof(buf) - 1, data, datalen, topdomain,
-		       b32, hostname_maxlen);
+		       &base32_ops, hostname_maxlen);
 	send_query(fd, buf);
 }

-static inline int
-is_sending()
+static inline int is_sending(void)
 {
 	return (outpkt.len != 0);
 }
@ -416,7 +400,7 @@ send_ping(int fd)

 		send_packet(fd, 'p', data, sizeof(data));
 	} else {
-		send_raw(fd, NULL, 0, userid, RAW_HDR_CMD_PING);
+		send_raw(fd, NULL, 0, RAW_HDR_CMD_PING);
 	}
 }

@ -480,7 +464,7 @@ dns_namedec(char *outdata, int outdatalen, char *buf, int buflen)

 		/* this also does undotify */
 		return unpack_data(outdata, outdatalen, buf + 1, buflen - 4,
-				   b32);
+				   &base32_ops);

 	case 'i': /* Hostname++ with base64 */
 	case 'I':
@ -490,7 +474,7 @@ dns_namedec(char *outdata, int outdatalen, char *buf, int buflen)

 		/* this also does undotify */
 		return unpack_data(outdata, outdatalen, buf + 1, buflen - 4,
-				   b64);
+				   &base64_ops);

 	case 'j': /* Hostname++ with base64u */
 	case 'J':
@ -500,7 +484,7 @@ dns_namedec(char *outdata, int outdatalen, char *buf, int buflen)

 		/* this also does undotify */
 		return unpack_data(outdata, outdatalen, buf + 1, buflen - 4,
-				   b64u);
+				   &base64u_ops);

 	case 'k': /* Hostname++ with base128 */
 	case 'K':
@ -510,35 +494,35 @@ dns_namedec(char *outdata, int outdatalen, char *buf, int buflen)

 		/* this also does undotify */
 		return unpack_data(outdata, outdatalen, buf + 1, buflen - 4,
-				   b128);
+				   &base128_ops);

 	case 't': /* plain base32(Thirty-two) from TXT */
 	case 'T':
 		if (buflen < 2)
 			return 0;

-		return b32->decode(outdata, &outdatalenu, buf + 1, buflen - 1);
+		return base32_ops.decode(outdata, &outdatalenu, buf + 1, buflen - 1);

 	case 's': /* plain base64(Sixty-four) from TXT */
 	case 'S':
 		if (buflen < 2)
 			return 0;

-		return b64->decode(outdata, &outdatalenu, buf + 1, buflen - 1);
+		return base64_ops.decode(outdata, &outdatalenu, buf + 1, buflen - 1);

 	case 'u': /* plain base64u (Underscore) from TXT */
 	case 'U':
 		if (buflen < 2)
 			return 0;

-		return b64u->decode(outdata, &outdatalenu, buf + 1, buflen - 1);
+		return base64_ops.decode(outdata, &outdatalenu, buf + 1, buflen - 1);

 	case 'v': /* plain base128 from TXT */
 	case 'V':
 		if (buflen < 2)
 			return 0;

-		return b128->decode(outdata, &outdatalenu, buf + 1, buflen - 1);
+		return base128_ops.decode(outdata, &outdatalenu, buf + 1, buflen - 1);

 	case 'r': /* Raw binary from TXT */
 	case 'R':
@ -1271,32 +1255,39 @@ send_version(int fd, uint32_t version)
 	send_packet(fd, 'v', data, sizeof(data));
 }

+/* Add lower 15 bits of rand seed as base32,
+ * followed by a dot and the tunnel domain and send */
 static void
-send_ip_request(int fd, int userid)
+send_handshake_query(int fd, char *prefix)
 {
-	char buf[512] = "i____.";
-	buf[1] = b32_5to8(userid);
+	char buf[300];
+	char cmc_dot[5];

-	buf[2] = b32_5to8((rand_seed >> 10) & 0x1f);
-	buf[3] = b32_5to8((rand_seed >> 5) & 0x1f);
-	buf[4] = b32_5to8((rand_seed ) & 0x1f);
+	cmc_dot[0] = b32_5to8((rand_seed >> 10) & 0x1f);
+	cmc_dot[1] = b32_5to8((rand_seed >> 5) & 0x1f);
+	cmc_dot[2] = b32_5to8((rand_seed) & 0x1f);
+	cmc_dot[3] = '.';
+	cmc_dot[4] = 0;
 	rand_seed++;

-	strncat(buf, topdomain, 512 - strlen(buf));
+	buf[0] = 0;
+	strncat(buf, prefix, 60); /* 63 - space for 3 CMC bytes */
+	strcat(buf, cmc_dot);
+	strncat(buf, topdomain, sizeof(buf) - strlen(buf) - 1);
 	send_query(fd, buf);
 }

 static void
-send_raw_udp_login(int dns_fd, int userid, int seed)
+send_raw_udp_login(int dns_fd, int seed)
 {
 	char buf[16];
 	login_calculate(buf, 16, password, seed + 1);

-	send_raw(dns_fd, buf, sizeof(buf), userid, RAW_HDR_CMD_LOGIN);
+	send_raw(dns_fd, buf, sizeof(buf), RAW_HDR_CMD_LOGIN);
 }

 static void
-send_upenctest(int fd, char *s)
+send_upenctest(int fd, const char *s)
 /* NOTE: String may be at most 63-4=59 chars to fit in 1 dns chunk. */
 {
 	char buf[512] = "z___";
@ -1306,81 +1297,32 @@ send_upenctest(int fd, char *s)
 	buf[3] = b32_5to8((rand_seed) & 0x1f);
 	rand_seed++;

-	strncat(buf, s, 512);
-	strncat(buf, ".", 512);
+	strncat(buf, s, 128);
+	strncat(buf, ".", 2);
 	strncat(buf, topdomain, 512 - strlen(buf));
 	send_query(fd, buf);
 }

 static void
-send_downenctest(int fd, char downenc, int variant, char *s, int slen)
-/* Note: content/handling of s is not defined yet. */
+send_downenctest(int fd, char downenc, int variant)
 {
-	char buf[512] = "y_____.";
+	char prefix[4] = "y__";
+	prefix[1] = tolower(downenc);
+	prefix[2] = b32_5to8(variant);

-	buf[1] = tolower(downenc);
-	buf[2] = b32_5to8(variant);
-
-	buf[3] = b32_5to8((rand_seed >> 10) & 0x1f);
-	buf[4] = b32_5to8((rand_seed >> 5) & 0x1f);
-	buf[5] = b32_5to8((rand_seed ) & 0x1f);
-	rand_seed++;
-
-	strncat(buf, topdomain, 512 - strlen(buf));
-	send_query(fd, buf);
+	/* Use send_query directly if we ever send more data here. */
+	send_handshake_query(fd, prefix);
 }

 static void
-send_codec_switch(int fd, int userid, int bits)
+send_lazy_switch(int fd)
 {
-	char buf[512] = "s_____.";
-	buf[1] = b32_5to8(userid);
-	buf[2] = b32_5to8(bits);
-
-	buf[3] = b32_5to8((rand_seed >> 10) & 0x1f);
-	buf[4] = b32_5to8((rand_seed >> 5) & 0x1f);
-	buf[5] = b32_5to8((rand_seed ) & 0x1f);
-	rand_seed++;
-
-	strncat(buf, topdomain, 512 - strlen(buf));
-	send_query(fd, buf);
-}
-
-
-static void
-send_downenc_switch(int fd, int userid)
-{
-	char buf[512] = "o_____.";
-	buf[1] = b32_5to8(userid);
-	buf[2] = tolower(downenc);
-
-	buf[3] = b32_5to8((rand_seed >> 10) & 0x1f);
-	buf[4] = b32_5to8((rand_seed >> 5) & 0x1f);
-	buf[5] = b32_5to8((rand_seed ) & 0x1f);
-	rand_seed++;
-
-	strncat(buf, topdomain, 512 - strlen(buf));
-	send_query(fd, buf);
-}
-
-static void
-send_lazy_switch(int fd, int userid)
-{
-	char buf[512] = "o_____.";
-	buf[1] = b32_5to8(userid);
+	char sw_lazy[] = { 'o', b32_5to8(userid), 'i', 0 };

 	if (lazymode)
-		buf[2] = 'l';
-	else
-		buf[2] = 'i';
+		sw_lazy[2] = 'l';

-	buf[3] = b32_5to8((rand_seed >> 10) & 0x1f);
-	buf[4] = b32_5to8((rand_seed >> 5) & 0x1f);
-	buf[5] = b32_5to8((rand_seed ) & 0x1f);
-	rand_seed++;
-
-	strncat(buf, topdomain, 512 - strlen(buf));
-	send_query(fd, buf);
+	send_handshake_query(fd, sw_lazy);
 }

 static int
@ -1395,7 +1337,7 @@ handshake_version(int dns_fd, int *seed)

 	for (i = 0; running && i < 5; i++) {

-		send_version(dns_fd, VERSION);
+		send_version(dns_fd, PROTOCOL_VERSION);

 		read = handshake_waitdns(dns_fd, in, sizeof(in), 'v', 'V', i+1);

@ -1411,11 +1353,12 @@ handshake_version(int dns_fd, int *seed)
 				userid_char = hex[userid & 15];
 				userid_char2 = hex2[userid & 15];

-				fprintf(stderr, "Version ok, both using protocol v 0x%08x. You are user #%d\n", VERSION, userid);
+				fprintf(stderr, "Version ok, both using protocol v 0x%08x. You are user #%d\n",
+					PROTOCOL_VERSION, userid);
 				return 0;
 			} else if (strncmp("VNAK", in, 4) == 0) {
 				warnx("You use protocol v 0x%08x, server uses v 0x%08x. Giving up",
-						VERSION, payload);
+						PROTOCOL_VERSION, payload);
 				return 1;
 			} else if (strncmp("VFUL", in, 4) == 0) {
 				warnx("Server full, all %d slots are taken. Try again later", payload);
@ -1454,6 +1397,9 @@ handshake_login(int dns_fd, int seed)
 			if (strncmp("LNAK", in, 4) == 0) {
 				fprintf(stderr, "Bad password\n");
 				return 1;
+			} else if (strncmp("BADIP", in, 5) == 0) {
+				warnx("BADIP: Server rejected sender IP address (maybe iodined -c will help)");
+				return 1;
 			} else if (sscanf(in, "%64[^-]-%64[^-]-%d-%d",
 				server, client, &mtu, &netmask) == 4) {

@ -1482,31 +1428,43 @@ static int
 handshake_raw_udp(int dns_fd, int seed)
 {
 	struct timeval tv;
+	char get_ip[] = { 'i', b32_5to8(userid), 0 };
 	char in[4096];
 	fd_set fds;
 	int i;
 	int r;
 	int len;
-	unsigned remoteaddr = 0;
-	struct in_addr server;
+	int got_addr;

-	fprintf(stderr, "Testing raw UDP data to the server (skip with -r)");
+	memset(&raw_serv, 0, sizeof(raw_serv));
+	got_addr = 0;
+
+	fprintf(stderr, "Requesting server address to attempt raw UDP mode (skip with -r) ");
+	fflush(stderr);
 	for (i = 0; running && i < 3; i++) {

-		send_ip_request(dns_fd, userid);
+		send_handshake_query(dns_fd, get_ip);

 		len = handshake_waitdns(dns_fd, in, sizeof(in), 'i', 'I', i+1);

 		if (len == 5 && in[0] == 'I') {
-			/* Received IP address */
-			remoteaddr = (in[1] & 0xff);
-			remoteaddr <<= 8;
-			remoteaddr |= (in[2] & 0xff);
-			remoteaddr <<= 8;
-			remoteaddr |= (in[3] & 0xff);
-			remoteaddr <<= 8;
-			remoteaddr |= (in[4] & 0xff);
-			server.s_addr = ntohl(remoteaddr);
+			/* Received IPv4 address */
+			struct sockaddr_in *raw4_serv = (struct sockaddr_in *) &raw_serv;
+			raw4_serv->sin_family = AF_INET;
+			memcpy(&raw4_serv->sin_addr, &in[1], sizeof(struct in_addr));
+			raw4_serv->sin_port = htons(53);
+			raw_serv_len = sizeof(struct sockaddr_in);
+			got_addr = 1;
+			break;
+		}
+		if (len == 17 && in[0] == 'I') {
+			/* Received IPv6 address */
+			struct sockaddr_in6 *raw6_serv = (struct sockaddr_in6 *) &raw_serv;
+			raw6_serv->sin6_family = AF_INET6;
+			memcpy(&raw6_serv->sin6_addr, &in[1], sizeof(struct in6_addr));
+			raw6_serv->sin6_port = htons(53);
+			raw_serv_len = sizeof(struct sockaddr_in6);
+			got_addr = 1;
 			break;
 		}

@ -1517,19 +1475,14 @@ handshake_raw_udp(int dns_fd, int seed)
 	if (!running)
 		return 0;

-	if (!remoteaddr) {
+	if (!got_addr) {
 		fprintf(stderr, "Failed to get raw server IP, will use DNS mode.\n");
 		return 0;
 	}
-	fprintf(stderr, "Server is at %s, trying raw login: ", inet_ntoa(server));
+	fprintf(stderr, "Server is at %s, trying raw login: (skip with -r) ",
+		format_addr(&raw_serv, raw_serv_len));
 	fflush(stderr);

-	/* Store address to iodined server */
-	memset(&raw_serv, 0, sizeof(raw_serv));
-	raw_serv.sin_family = AF_INET;
-	raw_serv.sin_port = htons(53);
-	raw_serv.sin_addr = server;
-
 	/* do login against port 53 on remote server
 	 * based on the old seed. If reply received,
 	 * switch to raw udp mode */
@ -1537,7 +1490,7 @@ handshake_raw_udp(int dns_fd, int seed)
 		tv.tv_sec = i + 1;
 		tv.tv_usec = 0;

-		send_raw_udp_login(dns_fd, userid, seed);
+		send_raw_udp_login(dns_fd, seed);

 		FD_ZERO(&fds);
 		FD_SET(dns_fd, &fds);
@ -1568,7 +1521,7 @@ handshake_raw_udp(int dns_fd, int seed)
 }

 static int
-handshake_upenctest(int dns_fd, char *s)
+handshake_upenctest(int dns_fd, const char *s)
 /* NOTE: *s may be max 59 chars; must start with "aA" for case-swap check
   Returns:
   -1: case swap, no need for any further test: error printed; or Ctrl-C
@ -1578,7 +1531,7 @@ handshake_upenctest(int dns_fd, char *s)
 {
 	char in[4096];
 	unsigned char *uin = (unsigned char *) in;
-	unsigned char *us = (unsigned char *) s;
+	const unsigned char *us = (const unsigned char *) s;
 	int i;
 	int read;
 	int slen;
@ -1660,14 +1613,14 @@ handshake_upenc_autodetect(int dns_fd)
 	   [A-Z] as first, and [A-Z0-9] as last char _per label_.
 	   Test by having '-' as last char.
 	 */
-        char *pat64="aAbBcCdDeEfFgGhHiIjJkKlLmMnNoOpPqQrRsStTuUvVwWxXyYzZ+0129-";
-        char *pat64u="aAbBcCdDeEfFgGhHiIjJkKlLmMnNoOpPqQrRsStTuUvVwWxXyYzZ_0129-";
-        char *pat128a="aA-Aaahhh-Drink-mal-ein-J\344germeister-";
-        char *pat128b="aA-La-fl\373te-na\357ve-fran\347aise-est-retir\351-\340-Cr\350te";
-        char *pat128c="aAbBcCdDeEfFgGhHiIjJkKlLmMnNoOpPqQrRsStTuUvVwWxXyYzZ";
-        char *pat128d="aA0123456789\274\275\276\277"
+	const char *pat64 = "aAbBcCdDeEfFgGhHiIjJkKlLmMnNoOpPqQrRsStTuUvVwWxXyYzZ+0129-";
+	const char *pat64u = "aAbBcCdDeEfFgGhHiIjJkKlLmMnNoOpPqQrRsStTuUvVwWxXyYzZ_0129-";
+	const char *pat128a = "aA-Aaahhh-Drink-mal-ein-J\344germeister-";
+	const char *pat128b = "aA-La-fl\373te-na\357ve-fran\347aise-est-retir\351-\340-Cr\350te";
+	const char *pat128c = "aAbBcCdDeEfFgGhHiIjJkKlLmMnNoOpPqQrRsStTuUvVwWxXyYzZ";
+	const char *pat128d = "aA0123456789\274\275\276\277"
 		"\300\301\302\303\304\305\306\307\310\311\312\313\314\315\316\317";
-        char *pat128e="aA"
+	const char *pat128e="aA"
 			"\320\321\322\323\324\325\326\327\330\331\332\333\334\335\336\337"
 			"\340\341\342\343\344\345\346\347\350\351\352\353\354\355\356\357"
 			"\360\361\362\363\364\365\366\367\370\371\372\373\374\375";
@ -1754,7 +1707,7 @@ handshake_downenctest(int dns_fd, char trycodec)

 	for (i = 0; running && i < 3; i++) {

-		send_downenctest(dns_fd, trycodec, 1, NULL, 0);
+		send_downenctest(dns_fd, trycodec, 1);

 		read = handshake_waitdns(dns_fd, in, sizeof(in), 'y', 'Y', i+1);

@ -1854,7 +1807,7 @@ handshake_qtypetest(int dns_fd, int timeout)
 	   byte values can be returned, which is needed for NULL/PRIVATE
 	   to work. */

-	send_downenctest(dns_fd, trycodec, 1, NULL, 0);
+	send_downenctest(dns_fd, trycodec, 1);

 	read = handshake_waitdns(dns_fd, in, sizeof(in), 'y', 'Y', timeout);

@ -1980,7 +1933,7 @@ handshake_edns0_check(int dns_fd)

 	for (i = 0; running && i < 3; i++) {

-		send_downenctest(dns_fd, trycodec, 1, NULL, 0);
+		send_downenctest(dns_fd, trycodec, 1);

 		read = handshake_waitdns(dns_fd, in, sizeof(in), 'y', 'Y', i+1);

@ -2012,26 +1965,27 @@ handshake_edns0_check(int dns_fd)
 static void
 handshake_switch_codec(int dns_fd, int bits)
 {
+	char sw_codec[] = { 's', b32_5to8(userid), b32_5to8(bits), 0 };
 	char in[4096];
 	int i;
 	int read;
-	struct encoder *tempenc;
+	const struct encoder *tempenc;

 	if (bits == 5)
-		tempenc = get_base32_encoder();
+		tempenc = &base32_ops;
 	else if (bits == 6)
-		tempenc = get_base64_encoder();
+		tempenc = &base64_ops;
 	else if (bits == 26)	/* "2nd" 6 bits per byte, with underscore */
-		tempenc = get_base64u_encoder();
+		tempenc = &base64u_ops;
 	else if (bits == 7)
-		tempenc = get_base128_encoder();
+		tempenc = &base128_ops;
 	else return;

 	fprintf(stderr, "Switching upstream to codec %s\n", tempenc->name);

 	for (i = 0; running && i < 5; i++) {

-		send_codec_switch(dns_fd, userid, bits);
+		send_handshake_query(dns_fd, sw_codec);

 		read = handshake_waitdns(dns_fd, in, sizeof(in), 's', 'S', i+1);

@ -2066,6 +2020,7 @@ codec_revert:
 static void
 handshake_switch_downenc(int dns_fd)
 {
+	char sw_downenc[] = { 'o', b32_5to8(userid), tolower(downenc), 0 };
 	char in[4096];
 	int i;
 	int read;
@ -2084,7 +2039,7 @@ handshake_switch_downenc(int dns_fd)
 	fprintf(stderr, "Switching downstream to codec %s\n", dname);
 	for (i = 0; running && i < 5; i++) {

-		send_downenc_switch(dns_fd, userid);
+		send_handshake_query(dns_fd, sw_downenc);

 		read = handshake_waitdns(dns_fd, in, sizeof(in), 'o', 'O', i+1);

@ -2125,7 +2080,7 @@ handshake_try_lazy(int dns_fd)
 	fprintf(stderr, "Switching to lazy mode for low-latency\n");
 	for (i = 0; running && i < 5 ;i++) {

-		send_lazy_switch(dns_fd, userid);
+		send_lazy_switch(dns_fd);

 		read = handshake_waitdns(dns_fd, in, sizeof(in), 'o', 'O', i+1);

@ -2169,7 +2124,7 @@ handshake_lazyoff(int dns_fd)

 	for (i = 0; running && i < 5; i++) {

-		send_lazy_switch(dns_fd, userid);
+		send_lazy_switch(dns_fd);

 		read = handshake_waitdns(dns_fd, in, sizeof(in), 'o', 'O', 1);

--- a/src/client.h
+++ b/src/client.h
@ -2,7 +2,7 @@
 * Copyright (c) 2006-2014 Erik Ekman <yarrick@kryo.se>,
 * 2006-2009 Bjorn Andersson <flex@kryo.se>
 *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
 * purpose with or without fee is hereby granted, provided that the above
 * copyright notice and this permission notice appear in all copies.
 *
@ -18,23 +18,24 @@
 #ifndef __CLIENT_H__
 #define __CLIENT_H__

-void client_init();
-void client_stop();
+void client_init(void);
+void client_stop(void);

-enum connection client_get_conn();
-const char *client_get_raw_addr();
+enum connection client_get_conn(void);
+const char *client_get_raw_addr(void);

 void client_set_nameserver(struct sockaddr_storage *, int);
 void client_set_topdomain(const char *cp);
 void client_set_password(const char *cp);
 int client_set_qtype(char *qtype);
-char *client_get_qtype();
+char *client_get_qtype(void);
 void client_set_downenc(char *encoding);
 void client_set_selecttimeout(int select_timeout);
 void client_set_lazymode(int lazy_mode);
 void client_set_hostname_maxlen(int i);

-int client_handshake(int dns_fd, int raw_mode, int autodetect_frag_size, int fragsize);
+int client_handshake(int dns_fd, int raw_mode, int autodetect_frag_size,
+		     int fragsize);
 int client_tunnel(int tun_fd, int dns_fd);

 #endif
--- a/src/common.c
+++ b/src/common.c
@ -2,7 +2,7 @@
 * 2006-2009 Bjorn Andersson <flex@kryo.se>
 * Copyright (c) 2007 Albert Lee <trisk@acm.jhu.edu>.
 *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
 * purpose with or without fee is hereby granted, provided that the above
 * copyright notice and this permission notice appear in all copies.
 *
@ -101,18 +101,16 @@ int setgroups(int count, int *groups)
 }
 #endif

-
-void
-check_superuser(void (*usage_fn)(void))
-{
 #ifndef WINDOWS32
+void
+check_superuser(void)
+{
 	if (geteuid() != 0) {
-		warnx("Run as root and you'll be happy.\n");
-		usage_fn();
-		/* NOTREACHED */
+		warnx("Run as root and you'll be happy.");
+		exit(-1);
+	}
 }
 #endif
-}

 char *
 format_addr(struct sockaddr_storage *sockaddr, int sockaddr_len)
@ -173,7 +171,13 @@ get_addr(char *host, int port, int addr_family, int flags, struct sockaddr_stora
 int
 open_dns(struct sockaddr_storage *sockaddr, size_t sockaddr_len)
 {
-	int flag = 1;
+	return open_dns_opt(sockaddr, sockaddr_len, -1);
+}
+
+int
+open_dns_opt(struct sockaddr_storage *sockaddr, size_t sockaddr_len, int v6only)
+{
+	int flag;
 	int fd;

 	if ((fd = socket(sockaddr->ss_family, SOCK_DGRAM, IPPROTO_UDP)) < 0) {
@ -187,12 +191,13 @@ open_dns(struct sockaddr_storage *sockaddr, size_t sockaddr_len)
 	setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, (const void*) &flag, sizeof(flag));

 #ifndef WINDOWS32
-	/* To get destination address from each UDP datagram, see iodined.c:read_dns() */
-	setsockopt(fd, IPPROTO_IP, DSTADDR_SOCKOPT, (const void*) &flag, sizeof(flag));
-
 	fd_set_close_on_exec(fd);
 #endif

+	if (sockaddr->ss_family == AF_INET6 && v6only >= 0) {
+		setsockopt(fd, IPPROTO_IPV6, IPV6_V6ONLY, (const void*) &v6only, sizeof(v6only));
+	}
+
 #ifdef IP_OPT_DONT_FRAG
 	/* Set dont-fragment ip header flag */
 	flag = DONT_FRAG_VALUE;
@ -200,7 +205,7 @@ open_dns(struct sockaddr_storage *sockaddr, size_t sockaddr_len)
 #endif

 	if (bind(fd, (struct sockaddr*) sockaddr, sockaddr_len) < 0)
-		err(1, "bind");
+		err(1, "bind() to %s", format_addr(sockaddr, sockaddr_len));

 	fprintf(stderr, "Opened IPv%d UDP socket\n", sockaddr->ss_family == AF_INET6 ? 6 : 4);

@ -300,7 +305,7 @@ read_password(char *buf, size_t len)
 	int i;
 #endif

-	fprintf(stderr, "Enter password: ");
+	fprintf(stderr, "Enter tunnel password: ");
 	fflush(stderr);
 #ifndef WINDOWS32
 	fscanf(stdin, "%79[^\n]", pwd);
@ -327,7 +332,7 @@ read_password(char *buf, size_t len)
 }

 int
-check_topdomain(char *str, char **errormsg)
+check_topdomain(char *str, int allow_wildcard, char **errormsg)
 {
 	int i;
 	int dots = 0;
@ -365,6 +370,18 @@ check_topdomain(char *str, char **errormsg)
 		if ((str[i] >= 'a' && str[i] <= 'z') || (str[i] >= 'A' && str[i] <= 'Z') ||
 				isdigit(str[i]) || str[i] == '-' || str[i] == '.') {
 			continue;
+		} else if (allow_wildcard && str[i] == '*') {
+			/* First char allowed to be wildcard, if followed by dot */
+			if (i == 0) {
+				if (str[i+1] == '.') {
+					continue;
+				}
+				if (errormsg) *errormsg = "Wildcard (*) must be followed by dot";
+				return 1;
+			} else {
+				if (errormsg) *errormsg = "Wildcard (*) only allowed as first char";
+				return 1;
+			}
 		} else {
 			if (errormsg) *errormsg = "Contains illegal character (allowed: [a-zA-Z0-9-.])";
 			return 1;
@ -387,6 +404,52 @@ check_topdomain(char *str, char **errormsg)
 	return 0;
 }

+int
+query_datalen(const char *qname, const char *topdomain)
+{
+	/* Return number of data bytes embedded in DNS query name,
+	 * or -1 if domains do not match.
+	 */
+	int qpos = strlen(qname);
+	int tpos = strlen(topdomain);
+	if (tpos < 3 || qpos < tpos) {
+		/* Domain or query name too short */
+		return -1;
+	}
+	/* Backward string compare */
+	qpos--;
+	tpos--;
+	while (qpos >= 0) {
+		if (topdomain[tpos] == '*') {
+			/* Wild match, is first in topdomain */
+			if (qname[qpos] == '*') {
+				/* Don't match against stars in query name */
+				return -1;
+			} else if (qpos == 0 || qname[qpos-1] == '.') {
+				/* Reached start of query name or chunk separator */
+				return qpos;
+			}
+			qpos--;
+		} else if (tolower(qname[qpos]) == tolower(topdomain[tpos])) {
+			/* Matching char, exclude wildcard in query name */
+			if (tpos == 0) {
+				/* Fully matched domain */
+				if (qpos == 0 || qname[qpos-1] == '.') {
+					/* Start of name or has dot before matching topdomain */
+					return qpos;
+				}
+				/* Query name has longer chunk than topdomain */
+				return -1;
+			}
+			tpos--;
+			qpos--;
+		} else {
+			return -1;
+		}
+	}
+	return -1;
+}
+
 #if defined(WINDOWS32) || defined(ANDROID)
 #ifndef ANDROID
 int
@ -398,12 +461,9 @@ inet_aton(const char *cp, struct in_addr *inp)
 #endif

 void
-warn(const char *fmt, ...)
+vwarn(const char *fmt, va_list list)
 {
-	va_list list;
-
-	va_start(list, fmt);
-	if (fmt) fprintf(stderr, fmt, list);
+	if (fmt) vfprintf(stderr, fmt, list);
 #ifndef ANDROID
 	if (errno == 0) {
 		fprintf(stderr, ": WSA error %d\n", WSAGetLastError());
@ -411,17 +471,15 @@ warn(const char *fmt, ...)
 		fprintf(stderr, ": %s\n", strerror(errno));
 	}
 #endif
-	va_end(list);
 }

 void
-warnx(const char *fmt, ...)
+warn(const char *fmt, ...)
 {
 	va_list list;

 	va_start(list, fmt);
-	if (fmt) fprintf(stderr, fmt, list);
-	fprintf(stderr, "\n");
+	vwarn(fmt, list);
 	va_end(list);
 }

@ -431,18 +489,35 @@ err(int eval, const char *fmt, ...)
 	va_list list;

 	va_start(list, fmt);
-	warn(fmt, list);
+	vwarn(fmt, list);
 	va_end(list);
 	exit(eval);
 }

+void
+vwarnx(const char *fmt, va_list list)
+{
+	if (fmt) vfprintf(stderr, fmt, list);
+	fprintf(stderr, "\n");
+}
+
+void
+warnx(const char *fmt, ...)
+{
+	va_list list;
+
+	va_start(list, fmt);
+	vwarnx(fmt, list);
+	va_end(list);
+}
+
 void
 errx(int eval, const char *fmt, ...)
 {
 	va_list list;

 	va_start(list, fmt);
-	warnx(fmt, list);
+	vwarnx(fmt, list);
 	va_end(list);
 	exit(eval);
 }
--- a/src/common.h
+++ b/src/common.h
@ -1,8 +1,8 @@
 /*
- * Copyright (c) 2006-2014 Erik Ekman <yarrick@kryo.se>,
+ * Copyright (c) 2006-2015 Erik Ekman <yarrick@kryo.se>,
 * 2006-2009 Bjorn Andersson <flex@kryo.se>
 *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
 * purpose with or without fee is hereby granted, provided that the above
 * copyright notice and this permission notice appear in all copies.
 *
@ -32,6 +32,7 @@
 #define RAW_HDR_GET_USR(x) ((x)[RAW_HDR_CMD] & RAW_HDR_USR_MASK)
 extern const unsigned char raw_header[RAW_HDR_LEN];

+#include <stdarg.h>
 #ifdef WINDOWS32
 #include "windows.h"
 #else
@ -53,14 +54,6 @@ extern const unsigned char raw_header[RAW_HDR_LEN];

 #define QUERY_NAME_SIZE 256

-#if defined IP_RECVDSTADDR
-# define DSTADDR_SOCKOPT IP_RECVDSTADDR
-# define dstaddr(x) ((struct in_addr *) CMSG_DATA(x))
-#elif defined IP_PKTINFO
-# define DSTADDR_SOCKOPT IP_PKTINFO
-# define dstaddr(x) (&(((struct in_pktinfo *)(CMSG_DATA(x)))->ipi_addr))
-#endif
-
 #if defined IP_MTU_DISCOVER
  /* Linux */
 # define IP_OPT_DONT_FRAG IP_MTU_DISCOVER
@ -76,7 +69,8 @@ extern const unsigned char raw_header[RAW_HDR_LEN];
 #endif

 #define T_PRIVATE 65399
-/* Undefined RR type; "private use" range, see http://www.bind9.net/dns-parameters */
+/* Undefined RR type; "private use" range, see
+ * http://www.bind9.net/dns-parameters */
 #define T_UNSET 65432
 /* Unused RR type, never actually sent */

@ -95,45 +89,58 @@ struct query {
 	unsigned short type;
 	unsigned short rcode;
 	unsigned short id;
-	struct in_addr destination;
+	struct sockaddr_storage destination;
+	socklen_t dest_len;
 	struct sockaddr_storage from;
-	int fromlen;
+	socklen_t fromlen;
 	unsigned short id2;
-	struct sockaddr from2;
-	int fromlen2;
+	struct sockaddr_storage from2;
+	socklen_t fromlen2;
 };

 enum connection {
-	CONN_RAW_UDP,
+	CONN_RAW_UDP = 0,
 	CONN_DNS_NULL,
 	CONN_MAX
 };

-void check_superuser(void (*usage_fn)(void));
+#ifdef WINDOWS32
+static inline void check_superuser(void)
+{
+}
+#else
+void check_superuser(void);
+#endif
 char *format_addr(struct sockaddr_storage *sockaddr, int sockaddr_len);
 int get_addr(char *, int, int, int, struct sockaddr_storage *);
 int open_dns(struct sockaddr_storage *, size_t);
+int open_dns_opt(struct sockaddr_storage *sockaddr, size_t sockaddr_len,
+		 int v6only);
 int open_dns_from_host(char *host, int port, int addr_family, int flags);
 void close_dns(int);

 void do_chroot(char *);
 void do_setcon(char *);
-void do_detach();
+void do_detach(void);
 void do_pidfile(char *);

 void read_password(char*, size_t);

-int check_topdomain(char *, char **);
+int check_topdomain(char *, int, char **);
+
+int query_datalen(const char *qname, const char *topdomain);

 #if defined(WINDOWS32) || defined(ANDROID)
 #ifndef ANDROID
 int inet_aton(const char *cp, struct in_addr *inp);
 #endif

-void err(int eval, const char *fmt, ...);
+void vwarn(const char *fmt, va_list list);
 void warn(const char *fmt, ...);
-void errx(int eval, const char *fmt, ...);
+void err(int eval, const char *fmt, ...);
+void vwarnx(const char *fmt, va_list list);
 void warnx(const char *fmt, ...);
+void errx(int eval, const char *fmt, ...);
 #endif

 int recent_seqno(int , int);
--- a/src/dns.c
+++ b/src/dns.c
@ -2,7 +2,7 @@
 * Copyright (c) 2006-2014 Erik Ekman <yarrick@kryo.se>,
 * 2006-2009 Bjorn Andersson <flex@kryo.se>
 *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
 * purpose with or without fee is hereby granted, provided that the above
 * copyright notice and this permission notice appear in all copies.
 *
@ -27,9 +27,6 @@
 #ifdef WINDOWS32
 #include "windows.h"
 #else
-#ifdef ANDROID
-#include "android_dns.h"
-#endif
 #include <arpa/nameser.h>
 #ifdef DARWIN
 #define BIND_8_COMPAT
@ -38,6 +35,9 @@
 #include <netinet/in.h>
 #include <arpa/inet.h>
 #include <err.h>
+#ifdef ANDROID
+#include "android_dns.h"
+#endif
 #endif


@ -49,8 +49,8 @@ int dnsc_use_edns0 = 1;

 #define CHECKLEN(x) if (buflen < (x) + (unsigned)(p-buf))  return 0

-int
-dns_encode(char *buf, size_t buflen, struct query *q, qr_t qr, char *data, size_t datalen)
+int dns_encode(char *buf, size_t buflen, struct query *q, qr_t qr,
+	       const char *data, size_t datalen)
 {
 	HEADER *header;
 	short name;
@ -91,7 +91,8 @@ dns_encode(char *buf, size_t buflen, struct query *q, qr_t qr, char *data, size_
 		/* Answer section */

 		if (q->type == T_CNAME || q->type == T_A) {
-			/* data is expected to be like "Hblabla.host.name.com\0" */
+			/* data is expected to be like
+			 * "Hblabla.host.name.com\0" */

 			char *startp;
 			int namelen;
@ -120,7 +121,7 @@ dns_encode(char *buf, size_t buflen, struct query *q, qr_t qr, char *data, size_
 			   For SRV, see RFC2782.
 			 */

-			char *mxdata = data;
+			const char *mxdata = data;
 			char *startp;
 			int namelen;

@ -177,7 +178,6 @@ dns_encode(char *buf, size_t buflen, struct query *q, qr_t qr, char *data, size_
 			ancnt = 1;
 		} else {
 			/* NULL has raw binary data */
-
 			CHECKLEN(10);
 			putshort(&p, name);
 			putshort(&p, q->type);
@ -227,10 +227,123 @@ dns_encode(char *buf, size_t buflen, struct query *q, qr_t qr, char *data, size_
 	return len;
 }

-int
-dns_encode_ns_response(char *buf, size_t buflen, struct query *q, char *topdomain)
+/* Only used when iodined gets a AAAA type query */
+/* Mostly same as dns_encode_caa_response() below */
+int dns_encode_aaaa_response(char *buf, size_t buflen, struct query *q,
+			   char *topdomain)
+{
+	HEADER *header;
+	int len;
+	int domain_len;
+	char *p;
+
+	if (buflen < sizeof(HEADER))
+		return 0;
+
+	memset(buf, 0, buflen);
+
+	header = (HEADER*)buf;
+
+	header->id = htons(q->id);
+	header->qr = 1;
+	header->opcode = 0;
+	header->aa = 1;
+	header->tc = 0;
+	header->rd = 0;
+	header->ra = 0;
+
+	p = buf + sizeof(HEADER);
+
+	header->qdcount = htons(1);
+	header->ancount = htons(0);
+
+	domain_len = strlen(q->name) - strlen(topdomain);
+	if (domain_len < 0 || domain_len == 1)
+		return -1;
+	if (strcasecmp(q->name + domain_len, topdomain))
+		return -1;
+	if (domain_len >= 1 && q->name[domain_len - 1] != '.')
+		return -1;
+
+	/* Query section */
+	putname(&p, buflen - (p - buf), q->name);	/* Name */
+	CHECKLEN(4);
+	putshort(&p, q->type);			/* Type */
+	putshort(&p, C_IN);			/* Class */
+
+	len = p - buf;
+	return len;
+}
+/* Only used when iodined gets a CAA type query */
+/* Mostly same as dns_encode_ns_response() below */
+int dns_encode_caa_response(char *buf, size_t buflen, struct query *q,
+			   char *topdomain)
+{
+	HEADER *header;
+	int len;
+	short name;
+	int domain_len;
+	char *p;
+
+	if (buflen < sizeof(HEADER))
+		return 0;
+
+	memset(buf, 0, buflen);
+
+	header = (HEADER*)buf;
+
+	header->id = htons(q->id);
+	header->qr = 1;
+	header->opcode = 0;
+	header->aa = 1;
+	header->tc = 0;
+	header->rd = 0;
+	header->ra = 0;
+
+	p = buf + sizeof(HEADER);
+
+	header->qdcount = htons(1);
+	header->ancount = htons(1);
+
+	/* pointer to start of name */
+	name = 0xc000 | ((p - buf) & 0x3fff);
+
+	domain_len = strlen(q->name) - strlen(topdomain);
+	if (domain_len < 0 || domain_len == 1)
+		return -1;
+	if (strcasecmp(q->name + domain_len, topdomain))
+		return -1;
+	if (domain_len >= 1 && q->name[domain_len - 1] != '.')
+		return -1;
+
+	/* Query section */
+	putname(&p, buflen - (p - buf), q->name);	/* Name */
+	CHECKLEN(4);
+	putshort(&p, q->type);			/* Type */
+	putshort(&p, C_IN);			/* Class */
+
+	/* Answer section */
+	CHECKLEN(12);
+	putshort(&p, name);			/* Name */
+	putshort(&p, q->type);			/* Type */
+	putshort(&p, C_IN);			/* Class */
+	putlong(&p, 3600);			/* TTL */
+	putshort(&p, 22);			/* Data length */
+
+	/* caa record */
+	CHECKLEN(22);
+	memcpy(p, "\x00\x05\x69\x73\x73\x75\x65\x6c\x65\x74\x73\x65\x6e\x63\x72\x79\x70" \
+			"\x74\x2e\x6f\x72\x67", 22);
+	p += 22;
+
+	len = p - buf;
+	return len;
+}
+
 /* Only used when iodined gets an NS type query */
 /* Mostly same as dns_encode_a_response() below */
+int dns_encode_ns_response(char *buf, size_t buflen, struct query *q,
+			   char *topdomain)
 {
 	HEADER *header;
 	int len;
@ -260,7 +373,6 @@ dns_encode_ns_response(char *buf, size_t buflen, struct query *q, char *topdomai

 	header->qdcount = htons(1);
 	header->ancount = htons(1);
-	header->arcount = htons(1);

 	/* pointer to start of name */
 	name = 0xc000 | ((p - buf) & 0x3fff);
@ -299,6 +411,13 @@ dns_encode_ns_response(char *buf, size_t buflen, struct query *q, char *topdomai
 	putbyte(&p, 's');
 	putshort(&p, topname);			/* Name Server */

+	/* Do we have an IPv4 address to send? */
+	if (q->destination.ss_family == AF_INET) {
+		struct sockaddr_in *dest = (struct sockaddr_in *) &q->destination;
+
+		/* One additional record coming */
+		header->arcount = htons(1);
+
 		/* Additional data (A-record of NS server) */
 		CHECKLEN(12);
 		putshort(&p, nsname);		/* Name Server */
@ -308,28 +427,33 @@ dns_encode_ns_response(char *buf, size_t buflen, struct query *q, char *topdomai
 		putshort(&p, 4);		/* Data length */

 		/* ugly hack to output IP address */
-	ipp = (char *) &q->destination;
+		ipp = (char *) &dest->sin_addr.s_addr;
 		CHECKLEN(4);
 		putbyte(&p, *(ipp++));
 		putbyte(&p, *(ipp++));
 		putbyte(&p, *(ipp++));
 		putbyte(&p, *ipp);
+	}

 	len = p - buf;
 	return len;
 }

-int
-dns_encode_a_response(char *buf, size_t buflen, struct query *q)
-/* Only used when iodined gets an A type query for ns.topdomain or www.topdomain */
-/* Mostly same as dns_encode_ns_response() above */
+/* Only used when iodined gets an A type query for ns.topdomain or
+ * www.topdomain . Mostly same as dns_encode_ns_response() above */
+int dns_encode_a_response(char *buf, size_t buflen, struct query *q)
 {
+	struct sockaddr_in *dest = (struct sockaddr_in *) &q->destination;
 	HEADER *header;
 	int len;
 	short name;
 	char *ipp;
 	char *p;

+	/* Check if we have an IPv4 address to send */
+	if (q->destination.ss_family != AF_INET)
+		return -1;
+
 	if (buflen < sizeof(HEADER))
 		return 0;

@ -368,7 +492,7 @@ dns_encode_a_response(char *buf, size_t buflen, struct query *q)
 	putshort(&p, 4);	/* Data length */

 	/* ugly hack to output IP address */
-	ipp = (char *) &q->destination;
+	ipp = (char *) &dest->sin_addr.s_addr;
 	CHECKLEN(4);
 	putbyte(&p, *(ipp++));
 	putbyte(&p, *(ipp++));
@ -381,8 +505,7 @@ dns_encode_a_response(char *buf, size_t buflen, struct query *q)

 #undef CHECKLEN

-unsigned short
-dns_get_id(char *packet, size_t packetlen)
+unsigned short dns_get_id(char *packet, size_t packetlen)
 {
 	HEADER *header;
 	header = (HEADER*)packet;
@ -395,8 +518,8 @@ dns_get_id(char *packet, size_t packetlen)

 #define CHECKLEN(x) if (packetlen < (x) + (unsigned)(data-packet))  return 0

-int
-dns_decode(char *buf, size_t buflen, struct query *q, qr_t qr, char *packet, size_t packetlen)
+int dns_decode(char *buf, size_t buflen, struct query *q, qr_t qr, char *packet,
+	       size_t packetlen)
 {
 	char name[QUERY_NAME_SIZE];
 	char rdata[4*1024];
@ -494,6 +617,8 @@ dns_decode(char *buf, size_t buflen, struct query *q, qr_t qr, char *packet, siz
 			readlong(packet, &data, &ttl);
 			readshort(packet, &data, &rlen);

+			if (type == T_CNAME) {
+				/* For tunnels, query type A has CNAME type answer */
 				memset(name, 0, sizeof(name));
 				readname(packet, packetlen, &data, name, sizeof(name) - 1);
 				name[sizeof(name)-1] = '\0';
@ -501,6 +626,19 @@ dns_decode(char *buf, size_t buflen, struct query *q, qr_t qr, char *packet, siz
 				buf[buflen - 1] = '\0';
 				rv = strlen(buf);
 			}
+			if (type == T_A) {
+				/* Answer type A includes only 4 bytes.
+				   Not used for tunneling. */
+				rv = MIN(rlen, sizeof(rdata));
+				rv = readdata(packet, &data, rdata, rv);
+				if (rv >= 2 && buf) {
+					rv = MIN(rv, buflen);
+					memcpy(buf, rdata, rv);
+				} else {
+					rv = 0;
+				}
+			}
+		}
 		else if ((type == T_MX || type == T_SRV) && buf) {
 			/* We support 250 records, 250*(255+header) ~= 64kB.
 			   Only exact 10-multiples are accepted, and gaps in
@ -536,7 +674,8 @@ dns_decode(char *buf, size_t buflen, struct query *q, qr_t qr, char *packet, siz
 					readname(packet, packetlen, &data,
 						 names[pref / 10 - 1],
 						 QUERY_NAME_SIZE - 1);
-					names[pref / 10 - 1][QUERY_NAME_SIZE-1] = '\0';
+					names[pref / 10 - 1]
+						[QUERY_NAME_SIZE-1] = '\0';
 				}

 				/* always trust rlen, not name encoding */
@ -569,7 +708,8 @@ dns_decode(char *buf, size_t buflen, struct query *q, qr_t qr, char *packet, siz
 			readlong(packet, &data, &ttl);
 			readshort(packet, &data, &rlen);

-			rv = readtxtbin(packet, &data, rlen, rdata, sizeof(rdata));
+			rv = readtxtbin(packet, &data, rlen, rdata,
+				        sizeof(rdata));
 			if (rv >= 1) {
 				rv = MIN(rv, buflen);
 				memcpy(buf, rdata, rv);
--- a/src/dns.h
+++ b/src/dns.h
@ -2,7 +2,7 @@
 * Copyright (c) 2006-2014 Erik Ekman <yarrick@kryo.se>,
 * 2006-2009 Bjorn Andersson <flex@kryo.se>
 *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
 * purpose with or without fee is hereby granted, provided that the above
 * copyright notice and this permission notice appear in all copies.
 *
@ -27,8 +27,13 @@ typedef enum {

 extern int dnsc_use_edns0;

-int dns_encode(char *, size_t, struct query *, qr_t, char *, size_t);
-int dns_encode_ns_response(char *buf, size_t buflen, struct query *q, char *topdomain);
+int dns_encode(char *, size_t, struct query *, qr_t, const char *, size_t);
+int dns_encode_aaaa_response(char *buf, size_t buflen, struct query *q,
+			   char *topdomain);
+int dns_encode_caa_response(char *buf, size_t buflen, struct query *q,
+			   char *topdomain);
+int dns_encode_ns_response(char *buf, size_t buflen, struct query *q,
+			   char *topdomain);
 int dns_encode_a_response(char *buf, size_t buflen, struct query *q);
 unsigned short dns_get_id(char *packet, size_t packetlen);
 int dns_decode(char *, size_t, struct query *, qr_t, char *, size_t);
--- a/src/encoding.c
+++ b/src/encoding.c
@ -2,7 +2,7 @@
 * Copyright (c) 2006-2014 Erik Ekman <yarrick@kryo.se>,
 * 2006-2009 Bjorn Andersson <flex@kryo.se>
 *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
 * purpose with or without fee is hereby granted, provided that the above
 * copyright notice and this permission notice appear in all copies.
 *
@ -19,10 +19,9 @@
 #include "common.h"
 #include "encoding.h"

-int
-build_hostname(char *buf, size_t buflen,
-		const char *data, const size_t datalen,
-		const char *topdomain, struct encoder *encoder, int maxlen)
+int build_hostname(char *buf, size_t buflen, const char *data,
+		   const size_t datalen, const char *topdomain,
+		   const struct encoder *encoder, int maxlen)
 {
 	size_t space;
 	char *b;
@ -30,14 +29,14 @@ build_hostname(char *buf, size_t buflen,
 	space = MIN((size_t)maxlen, buflen) - strlen(topdomain) - 8;
 	/* 8 = 5 max header length + 1 dot before topdomain + 2 safety */

-	if (!encoder->places_dots())
+	if (!encoder->places_dots)
 		space -= (space / 57); /* space for dots */

 	memset(buf, 0, buflen);

 	encoder->encode(buf, &space, data, datalen);

-	if (!encoder->places_dots())
+	if (!encoder->places_dots)
 		inline_dotify(buf, buflen);

 	b = buf;
@ -55,16 +54,15 @@ build_hostname(char *buf, size_t buflen,
 	return space;
 }

-int
-unpack_data(char *buf, size_t buflen, char *data, size_t datalen, struct encoder *enc)
+int unpack_data(char *buf, size_t buflen, char *data, size_t datalen,
+		const struct encoder *enc)
 {
-	if (!enc->eats_dots())
+	if (!enc->eats_dots)
 		datalen = inline_undotify(data, datalen);
 	return enc->decode(buf, &buflen, data, datalen);
 }

-int
-inline_dotify(char *buf, size_t buflen)
+int inline_dotify(char *buf, size_t buflen)
 {
 	unsigned dots;
 	unsigned pos;
@ -101,8 +99,7 @@ inline_dotify(char *buf, size_t buflen)
 	return total;
 }

-int
-inline_undotify(char *buf, size_t len)
+int inline_undotify(char *buf, size_t len)
 {
 	unsigned pos;
 	unsigned dots;
--- a/src/encoding.h
+++ b/src/encoding.h
@ -1,8 +1,14 @@
 /*
- * Copyright (c) 2006-2014 Erik Ekman <yarrick@kryo.se>,
- * 2006-2009 Bjorn Andersson <flex@kryo.se>
+ * Copyright (c) 2006-2014 Erik Ekman
+ * 2006-2009 Bjorn Andersson
+ * Copyright (c) 2017 Ralf Ramsauer
 *
- * Permission to use, copy, modify, and distribute this software for any
+ * Authors:
+ *   Bjorn Andersson <flex@kryo.se>
+ *   Erok Ekman <yarrick@kryo.se>,
+ *   Ralf Ramsauer <ralf@ramses-pyramidenbau.de>
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
 * purpose with or without fee is hereby granted, provided that the above
 * copyright notice and this permission notice appear in all copies.
 *
@ -18,27 +24,42 @@
 #ifndef _ENCODING_H_
 #define _ENCODING_H_

+#include <stdbool.h>
+
 /* All-0, all-1, 01010101, 10101010: each 4 times to make sure the pattern
   spreads across multiple encoded chars -> 16 bytes total.
   Followed by 32 bytes from my /dev/random; should be enough.
 */
-#define DOWNCODECCHECK1      "\000\000\000\000\377\377\377\377\125\125\125\125\252\252\252\252\201\143\310\322\307\174\262\027\137\117\316\311\111\055\122\041\141\251\161\040\045\263\006\163\346\330\104\060\171\120\127\277"
+#define DOWNCODECCHECK1 \
+	"\000\000\000\000\377\377\377\377\125\125\125\125\252\252\252\252" \
+	"\201\143\310\322\307\174\262\027\137\117\316\311\111\055\122\041" \
+	"\141\251\161\040\045\263\006\163\346\330\104\060\171\120\127\277"
 #define DOWNCODECCHECK1_LEN  48

 struct encoder {
-	char name[8];
-	int (*encode) (char *, size_t *, const void *, size_t);
-	int (*decode) (void *, size_t *, const char *, size_t);
-	int (*places_dots) (void);
-	int (*eats_dots) (void);
-	int (*blocksize_raw)(void);
-	int (*blocksize_encoded)(void);
+	const char name[8];
+	int (*encode)(char *dst, size_t *dstlen, const void *src, size_t srclen);
+	int (*decode)(void *dst, size_t *dstlen, const char *src, size_t srclen);
+
+	const bool places_dots;
+	const bool eats_dots;
+
+	const int blocksize_raw;
+	const int blocksize_encoded;
 };

-int build_hostname(char *, size_t, const char *, const size_t, const char *, struct encoder *, int);
-int unpack_data(char *, size_t, char *, size_t, struct encoder *);
+int build_hostname(char *, size_t, const char *, const size_t, const char *,
+		   const struct encoder *, int);
+int unpack_data(char *, size_t, char *, size_t, const struct encoder *);
 int inline_dotify(char *, size_t);
 int inline_undotify(char *, size_t);

+extern const struct encoder base32_ops;
+extern const struct encoder base64_ops;
+extern const struct encoder base64u_ops;
+extern const struct encoder base128_ops;

-#endif /* _ENCODING_H_ */
+int b32_5to8(int);
+int b32_8to5(int);
+
+#endif
--- a/src/fw_query.c
+++ b/src/fw_query.c
@ -1,7 +1,7 @@
 /*
 * Copyright (c) 2008-2014 Erik Ekman <yarrick@kryo.se>
 *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
 * purpose with or without fee is hereby granted, provided that the above
 * copyright notice and this permission notice appear in all copies.
 *
--- a/src/fw_query.h
+++ b/src/fw_query.h
@ -1,7 +1,7 @@
 /*
 * Copyright (c) 2008-2014 Erik Ekman <yarrick@kryo.se>
 *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
 * purpose with or without fee is hereby granted, provided that the above
 * copyright notice and this permission notice appear in all copies.
 *
@ -33,7 +33,7 @@ struct fw_query {
 	unsigned short id;
 };

-void fw_query_init();
+void fw_query_init(void);
 void fw_query_put(struct fw_query *fw_query);
 void fw_query_get(unsigned short query_id, struct fw_query **fw_query);

--- a/src/iodine.c
+++ b/src/iodine.c
@ -2,7 +2,7 @@
 * Copyright (c) 2006-2014 Erik Ekman <yarrick@kryo.se>,
 * 2006-2009 Bjorn Andersson <flex@kryo.se>
 *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
 * purpose with or without fee is hereby granted, provided that the above
 * copyright notice and this permission notice appear in all copies.
 *
@ -15,6 +15,7 @@
 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 */

+#include <stdbool.h>
 #include <stdio.h>
 #include <stdint.h>
 #include <stdlib.h>
@ -48,6 +49,8 @@ WSADATA wsa_data;

 #if !defined(BSD) && !defined(__GLIBC__)
 static char *__progname;
+#else
+extern char *__progname;
 #endif

 #define PASSWORD_ENV_VAR "IODINE_PASS"
@ -61,63 +64,64 @@ sighandler(int sig)
 #if defined(__GNUC__) || defined(__clang__)
 /* mark as no return to help some compilers to avoid warnings
 * about use of uninitialized variables */
-static void usage() __attribute__((noreturn));
+static inline void usage(void) __attribute__((noreturn));
+static inline void help(FILE * stream, bool verbose) __attribute__((noreturn));
 #endif

-static void
-usage() {
-	extern char *__progname;
-
-	fprintf(stderr, "Usage: %s [-v] [-h] [-f] [-r] [-u user] [-t chrootdir] [-d device] "
-			"[-P password] [-m maxfragsize] [-M maxlen] [-T type] [-O enc] [-L 0|1] [-I sec] "
+static void help(FILE *stream, bool verbose)
+{
+	fprintf(stream,
+		"iodine IP over DNS tunneling client\n\n"
+		"Usage: %s [-46fhrv] [-u user] [-t chrootdir] [-d device] [-P password]\n"
+		"              [-m maxfragsize] [-M maxlen] [-T type] [-O enc] [-L 0|1] [-I sec]\n"
 		"              [-z context] [-F pidfile] [nameserver] topdomain\n", __progname);
+
+	if (!verbose)
 		exit(2);
-}

-static void
-help() {
-	extern char *__progname;
-
-	fprintf(stderr, "iodine IP over DNS tunneling client\n");
-	fprintf(stderr, "Usage: %s [-v] [-h] [-f] [-r] [-u user] [-t chrootdir] [-d device] "
-			"[-P password] [-m maxfragsize] [-M maxlen] [-T type] [-O enc] [-L 0|1] [-I sec] "
-			"[-z context] [-F pidfile] [nameserver] topdomain\n", __progname);
-	fprintf(stderr, "Options to try if connection doesn't work:\n");
-	fprintf(stderr, "  -T force dns type: NULL, PRIVATE, TXT, SRV, MX, CNAME, A (default: autodetect)\n");
-	fprintf(stderr, "  -O force downstream encoding for -T other than NULL: Base32, Base64, Base64u,\n");
-	fprintf(stderr, "     Base128, or (only for TXT:) Raw  (default: autodetect)\n");
-	fprintf(stderr, "  -I max interval between requests (default 4 sec) to prevent DNS timeouts\n");
-	fprintf(stderr, "  -L 1: use lazy mode for low-latency (default). 0: don't (implies -I1)\n");
-	fprintf(stderr, "  -m max size of downstream fragments (default: autodetect)\n");
-	fprintf(stderr, "  -M max size of upstream hostnames (~100-255, default: 255)\n");
-	fprintf(stderr, "  -r to skip raw UDP mode attempt\n");
-	fprintf(stderr, "  -P password used for authentication (max 32 chars will be used)\n");
-	fprintf(stderr, "Other options:\n");
-	fprintf(stderr, "  -v to print version info and exit\n");
-	fprintf(stderr, "  -h to print this help and exit\n");
-	fprintf(stderr, "  -f to keep running in foreground\n");
-	fprintf(stderr, "  -u name to drop privileges and run as user 'name'\n");
-	fprintf(stderr, "  -t dir to chroot to directory dir\n");
-	fprintf(stderr, "  -d device to set tunnel device name\n");
-	fprintf(stderr, "  -z context, to apply specified SELinux context after initialization\n");
-	fprintf(stderr, "  -F pidfile to write pid to a file\n");
-	fprintf(stderr, "nameserver is the IP number/hostname of the relaying nameserver. if absent, /etc/resolv.conf is used\n");
-	fprintf(stderr, "topdomain is the FQDN that is delegated to the tunnel endpoint.\n");
+	fprintf(stream,
+		"\nOptions to try if connection doesn't work:\n"
+		"  -4 to connect only to IPv4\n"
+		"  -6 to connect only to IPv6\n"
+		"  -T force dns type: NULL, PRIVATE, TXT, SRV, MX, CNAME, A (default: autodetect)\n"
+		"  -O force downstream encoding for -T other than NULL: Base32, Base64, Base64u,\n"
+		"     Base128, or (only for TXT:) Raw  (default: autodetect)\n"
+		"  -I max interval between requests (default 4 sec) to prevent DNS timeouts\n"
+		"  -L 1: use lazy mode for low-latency (default). 0: don't (implies -I1)\n"
+		"  -m max size of downstream fragments (default: autodetect)\n"
+		"  -M max size of upstream hostnames (~100-255, default: 255)\n"
+		"  -r to skip raw UDP mode attempt\n"
+		"  -P password used for authentication (max 32 chars will be used)\n\n"
+		"Other options:\n"
+		"  -v to print version info and exit\n"
+		"  -h to print this help and exit\n"
+		"  -f to keep running in foreground\n"
+		"  -u name to drop privileges and run as user 'name'\n"
+		"  -t dir to chroot to directory dir\n"
+		"  -d device to set tunnel device name\n"
+		"  -z context, to apply specified SELinux context after initialization\n"
+		"  -F pidfile to write pid to a file\n\n"
+		"nameserver is the IP number/hostname of the relaying nameserver. If absent,\n"
+		"           /etc/resolv.conf is used\n"
+		"topdomain is the FQDN that is delegated to the tunnel endpoint.\n");

 	exit(0);
 }

-static void
-version() {
+static inline void usage(void)
+{
+	help(stderr, false);
+}

-	fprintf(stderr, "iodine IP over DNS tunneling client\n");
-	fprintf(stderr, "Git version: %s\n", GITREVISION);
+static void version(void)
+{
+	fprintf(stderr, "iodine IP over DNS tunneling client\n"
+			"Git version: %s\n", GITREVISION);

 	exit(0);
 }

-int
-main(int argc, char **argv)
+int main(int argc, char **argv)
 {
 	char *nameserv_host;
 	char *topdomain;
@ -204,7 +208,7 @@ main(int argc, char **argv)
 			foreground = 1;
 			break;
 		case 'h':
-			help();
+			help(stdout, true);
 			/* NOTREACHED */
 			break;
 		case 'r':
@ -275,7 +279,7 @@ main(int argc, char **argv)
 		}
 	}

-	check_superuser(usage);
+	check_superuser();

 	argc -= optind;
 	argv += optind;
@ -313,7 +317,7 @@ main(int argc, char **argv)
 		/* NOTREACHED */
 	}

-	if(check_topdomain(topdomain, &errormsg)) {
+	if (check_topdomain(topdomain, 0, &errormsg)) {
 		warnx("Invalid topdomain: %s", errormsg);
 		usage();
 		/* NOTREACHED */
--- a/src/iodined.c
+++ b/src/iodined.c
--- a/src/login.c
+++ b/src/login.c
@ -2,7 +2,7 @@
 * Copyright (c) 2006-2014 Erik Ekman <yarrick@kryo.se>,
 * 2006-2009 Bjorn Andersson <flex@kryo.se>
 *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
 * purpose with or without fee is hereby granted, provided that the above
 * copyright notice and this permission notice appear in all copies.
 *
@ -25,6 +25,7 @@
 #include <arpa/inet.h>
 #endif

+#include "login.h"
 #include "md5.h"

 /*
--- a/src/login.h
+++ b/src/login.h
@ -2,7 +2,7 @@
 * Copyright (c) 2006-2014 Erik Ekman <yarrick@kryo.se>,
 * 2006-2009 Bjorn Andersson <flex@kryo.se>
 *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
 * purpose with or without fee is hereby granted, provided that the above
 * copyright notice and this permission notice appear in all copies.
 *
--- a/src/osflags
+++ b/src/osflags
@ -1,5 +1,7 @@
 #!/bin/sh

+: "${PKG_CONFIG:=pkg-config}"
+
 case $2 in
 link)

@ -19,7 +21,8 @@ link)
 		Linux)
 			FLAGS="";
 			[ -e /usr/include/selinux/selinux.h ] && FLAGS="$FLAGS -lselinux";
-			[ -e /usr/include/systemd/sd-daemon.h ] && FLAGS="$FLAGS -lsystemd-daemon";
+			"$PKG_CONFIG" --exists libsystemd-daemon && FLAGS="$FLAGS $($PKG_CONFIG --libs libsystemd-daemon)";
+			"$PKG_CONFIG" --exists libsystemd && FLAGS="$FLAGS $($PKG_CONFIG --libs libsystemd)";
 			echo $FLAGS;
 		;;
 	esac
@ -32,12 +35,19 @@ cflags)
 		BeOS)
 			echo '-Dsocklen_t=int';
 		;;
+		Darwin)
+			echo '-D__APPLE_USE_RFC_3542';
+		;;
 		Linux)
 			FLAGS="-D_GNU_SOURCE"
 			[ -e /usr/include/selinux/selinux.h ] && FLAGS="$FLAGS -DHAVE_SETCON";
-			[ -e /usr/include/systemd/sd-daemon.h ] && FLAGS="$FLAGS -DHAVE_SYSTEMD";
+			"$PKG_CONFIG" --exists libsystemd-daemon && FLAGS="$FLAGS -DHAVE_SYSTEMD";
+			"$PKG_CONFIG" --exists libsystemd && FLAGS="$FLAGS -DHAVE_SYSTEMD";
 			echo $FLAGS;
 		;;
+		GNU/kFreeBSD|GNU)
+			echo '-D_GNU_SOURCE'
+		;;
 	esac
 ;;
 *)
--- a/src/read.c
+++ b/src/read.c
@ -2,7 +2,7 @@
 * Copyright (c) 2006-2014 Erik Ekman <yarrick@kryo.se>,
 * 2006-2009 Bjorn Andersson <flex@kryo.se>
 *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
 * purpose with or without fee is hereby granted, provided that the above
 * copyright notice and this permission notice appear in all copies.
 *
@ -19,6 +19,8 @@
 #include <stdint.h>
 #include <stdlib.h>

+#include "read.h"
+
 static int
 readname_loop(char *packet, int packetlen, char **src, char *dst, size_t length, size_t loop)
 {
@ -228,7 +230,7 @@ putlong(char **dst, uint32_t value)
 }

 int
-putdata(char **dst, char *data, size_t len)
+putdata(char **dst, const char *data, size_t len)
 {
 	memcpy(*dst, data, len);

@ -237,7 +239,7 @@ putdata(char **dst, char *data, size_t len)
 }

 int
-puttxtbin(char **buf, size_t bufremain, char *from, size_t fromremain)
+puttxtbin(char **buf, size_t bufremain, const char *from, size_t fromremain)
 {
 	unsigned char uc;
 	unsigned char *ucp = &uc;
--- a/src/read.h
+++ b/src/read.h
@ -2,7 +2,7 @@
 * Copyright (c) 2006-2014 Erik Ekman <yarrick@kryo.se>,
 * 2006-2009 Bjorn Andersson <flex@kryo.se>
 *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
 * purpose with or without fee is hereby granted, provided that the above
 * copyright notice and this permission notice appear in all copies.
 *
@ -28,7 +28,7 @@ int putname(char **, size_t, const char *);
 int putbyte(char **, unsigned char);
 int putshort(char **, unsigned short);
 int putlong(char **, uint32_t);
-int putdata(char **, char *, size_t);
-int puttxtbin(char **, size_t, char *, size_t);
+int putdata(char **, const char *, size_t);
+int puttxtbin(char **, size_t, const char *, size_t);

 #endif
--- a/src/tun.c
+++ b/src/tun.c
@ -1,8 +1,9 @@
 /*
 * Copyright (c) 2006-2014 Erik Ekman <yarrick@kryo.se>,
 * 2006-2009 Bjorn Andersson <flex@kryo.se>
+ * 2013 Peter Sagerson <psagers.github@ignorare.net>
 *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
 * purpose with or without fee is hereby granted, provided that the above
 * copyright notice and this permission notice appear in all copies.
 *
@ -25,10 +26,23 @@
 #include <sys/stat.h>
 #include <fcntl.h>

+#ifdef DARWIN
+#include <ctype.h>
+#include <sys/kern_control.h>
+#include <sys/sys_domain.h>
+#include <sys/ioctl.h>
+#include <net/if_utun.h>
+#include <netinet/ip.h>
+#endif
+
 #ifndef IFCONFIGPATH
 #define IFCONFIGPATH "PATH=/sbin:/bin "
 #endif

+#ifndef ROUTEPATH
+#define ROUTEPATH "PATH=/sbin:/bin "
+#endif
+
 #ifdef WINDOWS32
 #include "windows.h"
 #include <winioctl.h>
@ -47,6 +61,7 @@ static void get_name(char *ifname, int namelen, char *dev_name);
 #define TAP_DEVICE_SPACE "\\\\.\\Global\\"
 #define TAP_VERSION_ID_0801 "tap0801"
 #define TAP_VERSION_ID_0901 "tap0901"
+#define TAP_VERSION_ID_0901_ROOT "root\\tap0901"
 #define KEY_COMPONENT_ID "ComponentId"
 #define NET_CFG_INST_ID "NetCfgInstanceId"
 #else
@ -81,7 +96,7 @@ open_tun(const char *tun_device)
 #endif

 	if ((tun_fd = open(tunnel, O_RDWR)) < 0) {
-		warn("open_tun: %s: %s", tunnel, strerror(errno));
+		warn("open_tun: %s", tunnel);
 		return -1;
 	}

@ -102,7 +117,7 @@ open_tun(const char *tun_device)
 		}

 		if (errno != EBUSY) {
-			warn("open_tun: ioctl[TUNSETIFF]: %s", strerror(errno));
+			warn("open_tun: ioctl[TUNSETIFF]");
 			return -1;
 		}
 	} else {
@ -117,7 +132,7 @@ open_tun(const char *tun_device)
 			}

 			if (errno != EBUSY) {
-				warn("open_tun: ioctl[TUNSETIFF]: %s", strerror(errno));
+				warn("open_tun: ioctl[TUNSETIFF]");
 				return -1;
 			}
 		}
@ -179,7 +194,8 @@ get_device(char *device, int device_len, const char *wanted_dev)
 			goto next;
 		}
 		if (strncmp(TAP_VERSION_ID_0801, component, strlen(TAP_VERSION_ID_0801)) == 0 ||
-			strncmp(TAP_VERSION_ID_0901, component, strlen(TAP_VERSION_ID_0901)) == 0) {
+			strncmp(TAP_VERSION_ID_0901, component, strlen(TAP_VERSION_ID_0901)) == 0 ||
+			strncmp(TAP_VERSION_ID_0901_ROOT, component, strlen(TAP_VERSION_ID_0901_ROOT)) == 0) {
 			/* We found a TAP32 device, get its NetCfgInstanceId */
 			char iid_string[256] = NET_CFG_INST_ID;

@ -315,6 +331,95 @@ open_tun(const char *tun_device)

 #else /* BSD and friends */

+#ifdef DARWIN
+
+/* Extract the device number from the name, if given. The value returned will
+ * be suitable for sockaddr_ctl.sc_unit, which means 0 for auto-assign, or
+ * (n + 1) for manual.
+ */
+static int
+utun_unit(const char *dev)
+{
+	const char *unit_str = dev;
+	int unit = 0;
+
+	if (!dev)
+		return -1;
+
+	while (*unit_str != '\0' && !isdigit(*unit_str))
+		unit_str++;
+
+	if (isdigit(*unit_str))
+		unit = strtol(unit_str, NULL, 10) + 1;
+
+	return unit;
+}
+
+static int
+open_utun(const char *dev)
+{
+	struct sockaddr_ctl addr;
+	struct ctl_info info;
+	char ifname[10];
+	socklen_t ifname_len = sizeof(ifname);
+	int unit;
+	int fd = -1;
+	int err = 0;
+
+	fd = socket(PF_SYSTEM, SOCK_DGRAM, SYSPROTO_CONTROL);
+	if (fd < 0) {
+		warn("open_utun: socket(PF_SYSTEM)");
+		return -1;
+	}
+
+	/* Look up the kernel controller ID for utun devices. */
+	bzero(&info, sizeof(info));
+	strncpy(info.ctl_name, UTUN_CONTROL_NAME, MAX_KCTL_NAME);
+
+	err = ioctl(fd, CTLIOCGINFO, &info);
+	if (err != 0) {
+		warn("open_utun: ioctl(CTLIOCGINFO)");
+		close(fd);
+		return -1;
+	}
+
+	/* Connecting to the socket creates the utun device. */
+	addr.sc_len = sizeof(addr);
+	addr.sc_family = AF_SYSTEM;
+	addr.ss_sysaddr = AF_SYS_CONTROL;
+	addr.sc_id = info.ctl_id;
+	unit = utun_unit(dev);
+	if (unit < 0) {
+		close(fd);
+		return -1;
+	}
+	addr.sc_unit = unit;
+
+	err = connect(fd, (struct sockaddr *)&addr, sizeof(addr));
+	if (err != 0) {
+		warn("open_utun: connect");
+		close(fd);
+		return -1;
+	}
+
+	/* Retrieve the assigned interface name. */
+	err = getsockopt(fd, SYSPROTO_CONTROL, UTUN_OPT_IFNAME, ifname, &ifname_len);
+	if (err != 0) {
+		warn("open_utun: getsockopt(UTUN_OPT_IFNAME)");
+		close(fd);
+		return -1;
+	}
+
+	strncpy(if_name, ifname, sizeof(if_name));
+
+	fprintf(stderr, "Opened %s\n", ifname);
+	fd_set_close_on_exec(fd);
+
+	return fd;
+}
+
+#endif
+
 int
 open_tun(const char *tun_device)
 {
@ -323,12 +428,21 @@ open_tun(const char *tun_device)
 	char tun_name[50];

 	if (tun_device != NULL) {
+#ifdef DARWIN
+		if (!strncmp(tun_device, "utun", 4)) {
+			tun_fd = open_utun(tun_device);
+			if (tun_fd >= 0) {
+				return tun_fd;
+			}
+		}
+#endif
+
 		snprintf(tun_name, sizeof(tun_name), "/dev/%s", tun_device);
 		strncpy(if_name, tun_device, sizeof(if_name));
 		if_name[sizeof(if_name)-1] = '\0';

 		if ((tun_fd = open(tun_name, O_RDWR)) < 0) {
-			warn("open_tun: %s: %s", tun_name, strerror(errno));
+			warn("open_tun: %s", tun_name);
 			return -1;
 		}

@ -350,6 +464,17 @@ open_tun(const char *tun_device)
 				break;
 		}

+#ifdef DARWIN
+		fprintf(stderr, "No tun devices found, trying utun\n");
+		for (i = 0; i < TUN_MAX_TRY; i++) {
+			snprintf(tun_name, sizeof(tun_name), "utun%d", i);
+			tun_fd = open_utun(tun_name);
+			if (tun_fd >= 0) {
+				return tun_fd;
+			}
+		}
+#endif
+
 		warn("open_tun: Failed to open tunneling device");
 	}

@ -404,25 +529,43 @@ read_tun(int tun_fd, char *buf, size_t len)
 	}
 }
 #else
+static int
+tun_uses_header(void)
+{
+#if defined (FREEBSD) || defined (NETBSD)
+	/* FreeBSD/NetBSD has no header */
+	return 0;
+#elif defined (DARWIN)
+	/* Darwin tun has no header, Darwin utun does */
+	return !strncmp(if_name, "utun", 4);
+#else  /* LINUX/OPENBSD */
+	return 1;
+#endif
+}
+
 int
 write_tun(int tun_fd, char *data, size_t len)
 {
-#if defined (FREEBSD) || defined (DARWIN) || defined(NETBSD)
+	if (!tun_uses_header()) {
 		data += 4;
 		len -= 4;
-#else /* !FREEBSD/DARWIN */
+	} else {
 #ifdef LINUX
+		// Linux prefixes with 32 bits ethertype
+		// 0x0800 for IPv4, 0x86DD for IPv6
 		data[0] = 0x00;
 		data[1] = 0x00;
 		data[2] = 0x08;
 		data[3] = 0x00;
-#else /* OPENBSD */
+#else /* OPENBSD and DARWIN(utun) */
+		// BSDs prefix with 32 bits address family
+		// AF_INET for IPv4, AF_INET6 for IPv6
 		data[0] = 0x00;
 		data[1] = 0x00;
 		data[2] = 0x00;
 		data[3] = 0x02;
-#endif /* !LINUX */
-#endif /* FREEBSD */
+#endif
+	}

 	if (write(tun_fd, data, len) != len) {
 		warn("write_tun");
@ -434,8 +577,7 @@ write_tun(int tun_fd, char *data, size_t len)
 ssize_t
 read_tun(int tun_fd, char *buf, size_t len)
 {
-#if defined (FREEBSD) || defined (DARWIN) || defined(NETBSD)
-	/* FreeBSD/Darwin/NetBSD has no header */
+	if (!tun_uses_header()) {
 		int bytes;
 		memset(buf, 0, 4);

@ -445,9 +587,9 @@ read_tun(int tun_fd, char *buf, size_t len)
 		} else {
 			return bytes + 4;
 		}
-#else /* !FREEBSD */
+	} else {
 		return read(tun_fd, buf, len);
-#endif /* !FREEBSD */
+	}
 }
 #endif

@ -507,7 +649,7 @@ tun_setip(const char *ip, const char *other_ip, int netbits)
 	} else {

 		snprintf(cmdline, sizeof(cmdline),
-				"/sbin/route add %s/%d %s",
+				ROUTEPATH "route add %s/%d %s",
 				inet_ntoa(netip), netbits, ip);
 	}
 	fprintf(stderr, "Adding route %s/%d to %s\n", inet_ntoa(netip), netbits, ip);
--- a/src/tun.h
+++ b/src/tun.h
@ -2,7 +2,7 @@
 * Copyright (c) 2006-2014 Erik Ekman <yarrick@kryo.se>,
 * 2006-2009 Bjorn Andersson <flex@kryo.se>
 *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
 * purpose with or without fee is hereby granted, provided that the above
 * copyright notice and this permission notice appear in all copies.
 *
--- a/src/user.c
+++ b/src/user.c
@ -2,7 +2,7 @@
 * Copyright (c) 2006-2014 Erik Ekman <yarrick@kryo.se>,
 * 2006-2009 Bjorn Andersson <flex@kryo.se>
 *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
 * purpose with or without fee is hereby granted, provided that the above
 * copyright notice and this permission notice appear in all copies.
 *
@ -37,12 +37,11 @@
 struct tun_user *users;
 unsigned usercount;

-int
-init_users(in_addr_t my_ip, int netbits)
+int init_users(in_addr_t my_ip, int netbits)
 {
 	int i;
 	int skip = 0;
-	char newip[16];
+	char newip[32];

 	int maxusers;

@ -77,6 +76,7 @@ init_users(in_addr_t my_ip, int netbits)
 		users[i].disabled = 0;
 		users[i].authenticated = 0;
 		users[i].authenticated_raw = 0;
+		users[i].options_locked = 0;
 		users[i].active = 0;
 		/* Rest is reset on login ('V' packet) */
 	}
@ -84,34 +84,14 @@ init_users(in_addr_t my_ip, int netbits)
 	return usercount;
 }

-const char*
-users_get_first_ip()
+const char *users_get_first_ip(void)
 {
 	struct in_addr ip;
 	ip.s_addr = users[0].tun_ip;
 	return strdup(inet_ntoa(ip));
 }

-int
-users_waiting_on_reply()
-{
-	int ret;
-	int i;
-
-	ret = 0;
-	for (i = 0; i < usercount; i++) {
-		if (users[i].active && !users[i].disabled &&
-			users[i].last_pkt + 60 > time(NULL) &&
-			users[i].q.id != 0 && users[i].conn == CONN_DNS_NULL) {
-			ret++;
-		}
-	}
-
-	return ret;
-}
-
-int
-find_user_by_ip(uint32_t ip)
+int find_user_by_ip(uint32_t ip)
 {
 	int ret;
 	int i;
@ -130,13 +110,12 @@ find_user_by_ip(uint32_t ip)
 	return ret;
 }

-int
-all_users_waiting_to_send()
 /* If this returns true, then reading from tun device is blocked.
   So only return true when all clients have at least one packet in
   the outpacket-queue, so that sending back-to-back is possible
   without going through another select loop.
 */
+int all_users_waiting_to_send(void)
 {
 	time_t now;
 	int ret;
@ -163,8 +142,7 @@ all_users_waiting_to_send()
 	return ret;
 }

-int
-find_available_user()
+int find_available_user(void)
 {
 	int ret = -1;
 	int i;
@ -174,6 +152,7 @@ find_available_user()
 			users[i].active = 1;
 			users[i].authenticated = 0;
 			users[i].authenticated_raw = 0;
+			users[i].options_locked = 0;
 			users[i].last_pkt = time(NULL);
 			users[i].fragsize = 4096;
 			users[i].conn = CONN_DNS_NULL;
@ -184,8 +163,7 @@ find_available_user()
 	return ret;
 }

-void
-user_switch_codec(int userid, struct encoder *enc)
+void user_switch_codec(int userid, const struct encoder *enc)
 {
 	if (userid < 0 || userid >= usercount)
 		return;
@ -193,13 +171,12 @@ user_switch_codec(int userid, struct encoder *enc)
 	users[userid].encoder = enc;
 }

-void
-user_set_conn_type(int userid, enum connection c)
+void user_set_conn_type(int userid, enum connection c)
 {
 	if (userid < 0 || userid >= usercount)
 		return;

-	if (c < 0 || c >= CONN_MAX)
+	if (c < CONN_RAW_UDP || c >= CONN_MAX)
 		return;

 	users[userid].conn = c;
--- a/src/user.h
+++ b/src/user.h
@ -2,7 +2,7 @@
 * Copyright (c) 2006-2014 Erik Ekman <yarrick@kryo.se>,
 * 2006-2009 Bjorn Andersson <flex@kryo.se>
 *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
 * purpose with or without fee is hereby granted, provided that the above
 * copyright notice and this permission notice appear in all copies.
 *
@ -39,18 +39,20 @@ struct tun_user {
 	int active;
 	int authenticated;
 	int authenticated_raw;
+	int options_locked;
 	int disabled;
 	time_t last_pkt;
 	int seed;
 	in_addr_t tun_ip;
-	struct in_addr host;
+	struct sockaddr_storage host;
+	socklen_t hostlen;
 	struct query q;
 	struct query q_sendrealsoon;
 	int q_sendrealsoon_new;
 	struct packet inpacket;
 	struct packet outpacket;
 	int outfragresent;
-	struct encoder *encoder;
+	const struct encoder *encoder;
 	char downenc;
 	int out_acked_seqno;
 	int out_acked_fragment;
@ -79,12 +81,11 @@ struct tun_user {
 extern struct tun_user *users;

 int init_users(in_addr_t, int);
-const char* users_get_first_ip();
-int users_waiting_on_reply();
+const char* users_get_first_ip(void);
 int find_user_by_ip(uint32_t);
-int all_users_waiting_to_send();
-int find_available_user();
-void user_switch_codec(int userid, struct encoder *enc);
+int all_users_waiting_to_send(void);
+int find_available_user(void);
+void user_switch_codec(int userid, const struct encoder *enc);
 void user_set_conn_type(int userid, enum connection c);

 #endif
--- a/src/util.c
+++ b/src/util.c
@ -2,7 +2,7 @@
 * Copyright (c) 2006-2014 Erik Ekman <yarrick@kryo.se>,
 * 2006-2009 Bjorn Andersson <flex@kryo.se>
 *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
 * purpose with or without fee is hereby granted, provided that the above
 * copyright notice and this permission notice appear in all copies.
 *
@ -17,12 +17,12 @@

 #include <stdio.h>
 #include "common.h"
+#include "util.h"

-char *
-get_resolvconf_addr()
+char *get_resolvconf_addr(void)
 {
 	static char addr[16];
-	char *rv;
+	char *rv = NULL;
 #ifndef WINDOWS32
 	char buf[80];
 	FILE *fp;
@ -36,9 +36,6 @@ get_resolvconf_addr()
 		rv = addr;
 	pclose(fp);
 #else
-
-	rv = NULL;
-
 	if ((fp = fopen("/etc/resolv.conf", "r")) == NULL)
 		err(1, "/etc/resolv.conf");

@ -58,7 +55,6 @@ get_resolvconf_addr()
 	ULONG       buflen;
 	DWORD       ret;

-	rv = NULL;
 	fixed_info = malloc(sizeof(FIXED_INFO));
 	buflen = sizeof(FIXED_INFO);

--- a/src/util.h
+++ b/src/util.h
@ -1,7 +1,24 @@
+/*
+ * Copyright (c) 2006-2014 Erik Ekman <yarrick@kryo.se>,
+ * 2006-2009 Bjorn Andersson <flex@kryo.se>
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
 #ifndef __UTIL_H__
 #define __UTIL_H__

-char *get_resolvconf_addr();
+char *get_resolvconf_addr(void);
 void socket_setrtable(int fd, int rtable);

 #endif
--- a/src/version.h
+++ b/src/version.h
@ -2,7 +2,7 @@
 * Copyright (c) 2006-2014 Erik Ekman <yarrick@kryo.se>,
 * 2006-2009 Bjorn Andersson <flex@kryo.se>
 *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
 * purpose with or without fee is hereby granted, provided that the above
 * copyright notice and this permission notice appear in all copies.
 *
@ -20,7 +20,7 @@

 /* This is the version of the network protocol
   It is usually equal to the latest iodine version number */
-#define VERSION 0x00000502
+#define PROTOCOL_VERSION 0x00000502

 #endif /* _VERSION_H_ */

--- a/src/windows.h
+++ b/src/windows.h
@ -2,7 +2,7 @@
 * Copyright (c) 2006-2014 Erik Ekman <yarrick@kryo.se>,
 * 2006-2009 Bjorn Andersson <flex@kryo.se>
 *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
 * purpose with or without fee is hereby granted, provided that the above
 * copyright notice and this permission notice appear in all copies.
 *
@ -73,8 +73,7 @@ typedef struct {
 	unsigned arcount :16;	/* number of resource entries */
 } HEADER;

-struct ip
-  {
+struct ip {
 	unsigned int ip_hl:4;	/* header length */
 	unsigned int ip_v:4;	/* version */
 	u_char ip_tos;		/* type of service */
@ -99,4 +98,7 @@ struct tun_data {
 	int addrlen;
 };

+/* No-op for now. */
+#define syslog(...)
+
 #endif
--- a/tests/base32.c
+++ b/tests/base32.c
@ -2,7 +2,7 @@
 * Copyright (c) 2006-2014 Erik Ekman <yarrick@kryo.se>,
 * 2006-2009 Bjorn Andersson <flex@kryo.se>
 *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
 * purpose with or without fee is hereby granted, provided that the above
 * copyright notice and this permission notice appear in all copies.
 *
@ -22,7 +22,6 @@
 #include <errno.h>

 #include "encoding.h"
-#include "base32.h"
 #include "test.h"

 #define TUPLES 5
@ -43,17 +42,14 @@ START_TEST(test_base32_encode)
 {
 	size_t len;
 	char buf[4096];
-	struct encoder *b32;
 	int val;

-	b32 = get_base32_encoder();

 	len = sizeof(buf);
-	val = b32->encode(buf, &len, testpairs[_i].a, strlen(testpairs[_i].a));
+	val = base32_ops.encode(buf, &len, testpairs[_i].a, strlen(testpairs[_i].a));

-	fail_unless(val == strlen(testpairs[_i].b));
-	fail_unless(strcmp(buf, testpairs[_i].b) == 0,
-			"'%s' != '%s'", buf, testpairs[_i].b);
+	ck_assert(val == strlen(testpairs[_i].b));
+	ck_assert_str_eq(buf, testpairs[_i].b);
 }
 END_TEST

@ -61,17 +57,13 @@ START_TEST(test_base32_decode)
 {
 	size_t len;
 	char buf[4096];
-	struct encoder *b32;
 	int val;

-	b32 = get_base32_encoder();
-
 	len = sizeof(buf);
-	val = b32->decode(buf, &len, testpairs[_i].b, strlen(testpairs[_i].b));
+	val = base32_ops.decode(buf, &len, testpairs[_i].b, strlen(testpairs[_i].b));

-	fail_unless(val == strlen(testpairs[_i].a));
-	fail_unless(strcmp(buf, testpairs[_i].a) == 0,
-			"'%s' != '%s'", buf, testpairs[_i].a);
+	ck_assert(val == strlen(testpairs[_i].a));
+	ck_assert_str_eq(buf, testpairs[_i].a);
 }
 END_TEST

@ -82,7 +74,7 @@ START_TEST(test_base32_5to8_8to5)

 	for (i = 0; i < 32; i++) {
 		c = b32_5to8(i);
-		fail_unless(b32_8to5(c) == i);
+		ck_assert(b32_8to5(c) == i);
 	}
 }
 END_TEST
@ -93,14 +85,11 @@ START_TEST(test_base32_blksize)
 	size_t enclen;
 	char *rawbuf;
 	char *encbuf;
-	struct encoder *b32;
 	int i;
 	int val;

-	b32 = get_base32_encoder();
-
-	rawlen = b32->blocksize_raw();
-	enclen = b32->blocksize_encoded();
+	rawlen = base32_ops.blocksize_raw;
+	enclen = base32_ops.blocksize_encoded;

 	rawbuf = malloc(rawlen + 16);
 	encbuf = malloc(enclen + 16);
@ -110,21 +99,21 @@ START_TEST(test_base32_blksize)
 	}
 	rawbuf[i] = 0;

-	val = b32->encode(encbuf, &enclen, rawbuf, rawlen);
+	val = base32_ops.encode(encbuf, &enclen, rawbuf, rawlen);

-	fail_unless(rawlen == 5, "raw length was %d not 5", rawlen);
-	fail_unless(enclen == 5, "encoded %d bytes, not 5", enclen);
-	fail_unless(val == 8, "encoded string %s was length %d", encbuf, val);
+	ck_assert_msg(rawlen == 5, "raw length was %zu not 5", rawlen);
+	ck_assert_msg(enclen == 5, "encoded %zu bytes, not 5", enclen);
+	ck_assert_msg(val == 8, "encoded string %s was length %d", encbuf, val);

 	memset(rawbuf, 0, rawlen + 16);

 	enclen = val;
-	val = b32->decode(rawbuf, &rawlen, encbuf, enclen);
+	val = base32_ops.decode(rawbuf, &rawlen, encbuf, enclen);

-	fail_unless(rawlen == 5, "raw length was %d not 5", rawlen);
-	fail_unless(val == 5, "val was not 5 but %d", val);
+	ck_assert_msg(rawlen == 5, "raw length was %zu not 5", rawlen);
+	ck_assert_msg(val == 5, "val was not 5 but %d", val);
 	for (i = 0; i < rawlen; i++) {
-		fail_unless(rawbuf[i] == 'A');
+		ck_assert(rawbuf[i] == 'A');
 	}
 }
 END_TEST
--- a/tests/base64.c
+++ b/tests/base64.c
@ -2,7 +2,7 @@
 * Copyright (c) 2006-2014 Erik Ekman <yarrick@kryo.se>,
 * 2006-2009 Bjorn Andersson <flex@kryo.se>
 *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
 * purpose with or without fee is hereby granted, provided that the above
 * copyright notice and this permission notice appear in all copies.
 *
@ -22,7 +22,6 @@
 #include <errno.h>

 #include "encoding.h"
-#include "base64.h"
 #include "test.h"

 #define TUPLES 5
@ -69,17 +68,13 @@ START_TEST(test_base64_encode)
 {
 	size_t len;
 	char buf[4096];
-	struct encoder *b64;
 	int val;

-	b64 = get_base64_encoder();
-
 	len = sizeof(buf);
-	val = b64->encode(buf, &len, testpairs[_i].a, strlen(testpairs[_i].a));
+	val = base64_ops.encode(buf, &len, testpairs[_i].a, strlen(testpairs[_i].a));

-	fail_unless(val == strlen(testpairs[_i].b));
-	fail_unless(strcmp(buf, testpairs[_i].b) == 0,
-			"'%s' != '%s'", buf, testpairs[_i].b);
+	ck_assert(val == strlen(testpairs[_i].b));
+	ck_assert_str_eq(buf, testpairs[_i].b);
 }
 END_TEST

@ -87,17 +82,13 @@ START_TEST(test_base64_decode)
 {
 	size_t len;
 	char buf[4096];
-	struct encoder *b64;
 	int val;

-	b64 = get_base64_encoder();
-
 	len = sizeof(buf);
-	val = b64->decode(buf, &len, testpairs[_i].b, strlen(testpairs[_i].b));
+	val = base64_ops.decode(buf, &len, testpairs[_i].b, strlen(testpairs[_i].b));

-	fail_unless(val == strlen(testpairs[_i].a));
-	fail_unless(strcmp(buf, testpairs[_i].a) == 0,
-			"'%s' != '%s'", buf, testpairs[_i].a);
+	ck_assert(val == strlen(testpairs[_i].a));
+	ck_assert_str_eq(buf, testpairs[_i].a);
 }
 END_TEST

@ -107,14 +98,11 @@ START_TEST(test_base64_blksize)
 	size_t enclen;
 	char *rawbuf;
 	char *encbuf;
-	struct encoder *b64;
 	int i;
 	int val;

-	b64 = get_base64_encoder();
-
-	rawlen = b64->blocksize_raw();
-	enclen = b64->blocksize_encoded();
+	rawlen = base64_ops.blocksize_raw;
+	enclen = base64_ops.blocksize_encoded;

 	rawbuf = malloc(rawlen + 16);
 	encbuf = malloc(enclen + 16);
@ -124,21 +112,21 @@ START_TEST(test_base64_blksize)
 	}
 	rawbuf[i] = 0;

-	val = b64->encode(encbuf, &enclen, rawbuf, rawlen);
+	val = base64_ops.encode(encbuf, &enclen, rawbuf, rawlen);

-	fail_unless(rawlen == 3, "raw length was %d not 3", rawlen);
-	fail_unless(enclen == 3, "encoded %d bytes, not 3", enclen);
-	fail_unless(val == 4, "encoded string %s was length %d", encbuf, val);
+	ck_assert_msg(rawlen == 3, "raw length was %zu not 3", rawlen);
+	ck_assert_msg(enclen == 3, "encoded %zu bytes, not 3", enclen);
+	ck_assert_msg(val == 4, "encoded string %s was length %d", encbuf, val);

 	memset(rawbuf, 0, rawlen + 16);

 	enclen = val;
-	val = b64->decode(rawbuf, &rawlen, encbuf, enclen);
+	val = base64_ops.decode(rawbuf, &rawlen, encbuf, enclen);

-	fail_unless(rawlen == 3, "raw length was %d not 3", rawlen);
-	fail_unless(val == 3);
+	ck_assert_msg(rawlen == 3, "raw length was %zu not 3", rawlen);
+	ck_assert(val == 3);
 	for (i = 0; i < rawlen; i++) {
-		fail_unless(rawbuf[i] == 'A');
+		ck_assert(rawbuf[i] == 'A');
 	}
 }
 END_TEST
--- a/tests/common.c
+++ b/tests/common.c
@ -1,3 +1,20 @@
+/*
+ * Copyright (c) 2006-2014 Erik Ekman <yarrick@kryo.se>,
+ * 2006-2009 Bjorn Andersson <flex@kryo.se>
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
 #include <check.h>
 #include <common.h>
 #include <unistd.h>
@ -6,16 +23,20 @@

 START_TEST(test_topdomain_ok)
 {
-	char *error;
+	char *error = NULL;

-	fail_if(check_topdomain("foo.0123456789.qwertyuiop.asdfghjkl.zxcvbnm.com", &error));
+	ck_assert(check_topdomain("foo.0123456789.qwertyuiop.asdfghjkl.zxcvbnm.com", 0, &error) == 0);
+	ck_assert(error == NULL);
+	/* Allowing wildcard */
+	ck_assert(check_topdomain("foo.0123456789.qwertyuiop.asdfghjkl.zxcvbnm.com", 1, &error) == 0);
+	ck_assert(error == NULL);

 	/* Not allowed to start with dot */
-	fail_unless(check_topdomain(".foo.0123456789.qwertyuiop.asdfghjkl.zxcvbnm.com", &error));
-	fail_if(strcmp("Starts with a dot", error));
+	ck_assert(check_topdomain(".foo.0123456789.qwertyuiop.asdfghjkl.zxcvbnm.com", 0, &error));
+	ck_assert_str_eq("Starts with a dot", error);

 	/* Test missing error msg ptr */
-	fail_unless(check_topdomain(".foo", NULL));
+	ck_assert(check_topdomain(".foo", 0, NULL));
 }
 END_TEST

@ -24,29 +45,33 @@ START_TEST(test_topdomain_length)
 	char *error;

 	/* Test empty and too short */
-	fail_unless(check_topdomain("", &error));
-	fail_if(strcmp("Too short (< 3)", error));
-	fail_unless(check_topdomain("a", &error));
-	fail_if(strcmp("Too short (< 3)", error));
-	fail_unless(check_topdomain(".a", &error));
-	fail_if(strcmp("Too short (< 3)", error));
-	fail_unless(check_topdomain("a.", &error));
-	fail_if(strcmp("Too short (< 3)", error));
-	fail_unless(check_topdomain("ab", &error));
-	fail_if(strcmp("Too short (< 3)", error));
-	fail_if(check_topdomain("a.b", &error));
-	fail_if(strcmp("Too short (< 3)", error));
+	ck_assert(check_topdomain("", 0, &error));
+	ck_assert_str_eq("Too short (< 3)", error);
+	error = NULL;
+	ck_assert(check_topdomain("a", 0, &error));
+	ck_assert_str_eq("Too short (< 3)", error);
+	error = NULL;
+	ck_assert(check_topdomain(".a", 0, &error));
+	ck_assert_str_eq("Too short (< 3)", error);
+	error = NULL;
+	ck_assert(check_topdomain("a.", 0, &error));
+	ck_assert_str_eq("Too short (< 3)", error);
+	error = NULL;
+	ck_assert(check_topdomain("ab", 0, &error));
+	ck_assert_str_eq("Too short (< 3)", error);
+	error = NULL;
+	ck_assert(check_topdomain("a.b", 0, &error) == 0);

 	/* Test too long (over 128, need rest of space for data) */
-	fail_unless(check_topdomain(
+	ck_assert(check_topdomain(
 		"abcd12345.abcd12345.abcd12345.abcd12345.abcd12345."
 		"abcd12345.abcd12345.abcd12345.abcd12345.abcd12345."
-		"abcd12345.abcd12345.foo129xxx", &error));
-	fail_if(strcmp("Too long (> 128)", error));
-	fail_if(check_topdomain(
+		"abcd12345.abcd12345.foo129xxx", 0, &error));
+	ck_assert_str_eq("Too long (> 128)", error);
+	ck_assert(check_topdomain(
 		"abcd12345.abcd12345.abcd12345.abcd12345.abcd12345."
 		"abcd12345.abcd12345.abcd12345.abcd12345.abcd12345."
-		"abcd12345.abcd12345.foo128xx", &error));
+		"abcd12345.abcd12345.foo128xx", 0, &error) == 0);
 }
 END_TEST

@ -55,36 +80,112 @@ START_TEST(test_topdomain_chunks)
 	char *error;

 	/* Must have at least one dot */
-	fail_if(check_topdomain("abcde.gh", &error));
-	fail_unless(check_topdomain("abcdefgh", &error));
-	fail_if(strcmp("No dots", error));
+	ck_assert(check_topdomain("abcde.gh", 0, &error) == 0);
+	ck_assert(check_topdomain("abcdefgh", 0, &error));
+	ck_assert_str_eq("No dots", error);

 	/* Not two consecutive dots */
-	fail_unless(check_topdomain("abc..defgh", &error));
-	fail_if(strcmp("Consecutive dots", error));
+	ck_assert(check_topdomain("abc..defgh", 0, &error));
+	ck_assert_str_eq("Consecutive dots", error);

 	/* Not end with a dots */
-	fail_unless(check_topdomain("abc.defgh.", &error));
-	fail_if(strcmp("Ends with a dot", error));
+	ck_assert(check_topdomain("abc.defgh.", 0, &error));
+	ck_assert_str_eq("Ends with a dot", error);

 	/* No chunk longer than 63 chars */
-	fail_if(check_topdomain("123456789012345678901234567890"
-		"123456789012345678901234567890333.com", &error));
-	fail_unless(check_topdomain("123456789012345678901234567890"
-		"1234567890123456789012345678904444.com", &error));
-	fail_if(strcmp("Too long domain part (> 63)", error));
+	ck_assert(check_topdomain("123456789012345678901234567890"
+		"123456789012345678901234567890333.com", 0, &error) == 0);
+	ck_assert(check_topdomain("123456789012345678901234567890"
+		"1234567890123456789012345678904444.com", 0, &error));
+	ck_assert_str_eq("Too long domain part (> 63)", error);

-	fail_if(check_topdomain("abc.123456789012345678901234567890"
-		"123456789012345678901234567890333.com", &error));
-	fail_unless(check_topdomain("abc.123456789012345678901234567890"
-		"1234567890123456789012345678904444.com", &error));
-	fail_if(strcmp("Too long domain part (> 63)", error));
+	ck_assert(check_topdomain("abc.123456789012345678901234567890"
+		"123456789012345678901234567890333.com", 0, &error) == 0);
+	ck_assert(check_topdomain("abc.123456789012345678901234567890"
+		"1234567890123456789012345678904444.com", 0, &error));
+	ck_assert_str_eq("Too long domain part (> 63)", error);

-	fail_if(check_topdomain("abc.123456789012345678901234567890"
-		"123456789012345678901234567890333", &error));
-	fail_unless(check_topdomain("abc.123456789012345678901234567890"
-		"1234567890123456789012345678904444", &error));
-	fail_if(strcmp("Too long domain part (> 63)", error));
+	ck_assert(check_topdomain("abc.123456789012345678901234567890"
+		"123456789012345678901234567890333", 0, &error) == 0);
+	ck_assert(check_topdomain("abc.123456789012345678901234567890"
+		"1234567890123456789012345678904444", 0, &error));
+	ck_assert_str_eq("Too long domain part (> 63)", error);
+}
+END_TEST
+
+START_TEST(test_topdomain_wild)
+{
+	char *error = NULL;
+
+	ck_assert(check_topdomain("*.a", 0, &error) == 1);
+	ck_assert_str_eq("Contains illegal character (allowed: [a-zA-Z0-9-.])", error);
+	error = NULL;
+	ck_assert(check_topdomain("*.a", 1, &error) == 0);
+	ck_assert(error == NULL);
+
+	ck_assert(check_topdomain("b*.a", 0, &error) == 1);
+	ck_assert_str_eq("Contains illegal character (allowed: [a-zA-Z0-9-.])", error);
+	error = NULL;
+	ck_assert(check_topdomain("b*.a", 1, &error) == 1);
+	ck_assert_str_eq("Wildcard (*) only allowed as first char", error);
+
+	ck_assert(check_topdomain("*b.a", 0, &error) == 1);
+	ck_assert_str_eq("Contains illegal character (allowed: [a-zA-Z0-9-.])", error);
+	error = NULL;
+	ck_assert(check_topdomain("*b.a", 1, &error) == 1);
+	ck_assert_str_eq("Wildcard (*) must be followed by dot", error);
+
+	ck_assert(check_topdomain("*.*.a", 0, &error) == 1);
+	ck_assert_str_eq("Contains illegal character (allowed: [a-zA-Z0-9-.])", error);
+	error = NULL;
+	ck_assert(check_topdomain("*.*.a", 1, &error) == 1);
+	ck_assert_str_eq("Wildcard (*) only allowed as first char", error);
+}
+END_TEST
+
+START_TEST(test_query_datalen)
+{
+	char *topdomain = "r.foo.com";
+	/* With data */
+	ck_assert(query_datalen("foobar.r.foo.com", topdomain) == 7);
+	ck_assert(query_datalen("foobar.r.FoO.Com", topdomain) == 7);
+	ck_assert(query_datalen("foo.bar.r.FoO.Com", topdomain) == 8);
+	ck_assert(query_datalen(".r.foo.com", topdomain) == 1);
+	/* Without data */
+	ck_assert(query_datalen("r.foo.com", topdomain) == 0);
+	ck_assert(query_datalen("R.foo.com", topdomain) == 0);
+	/* Shorter query name */
+	ck_assert(query_datalen("foo.com", topdomain) == -1);
+	/* Mismatched query name */
+	ck_assert(query_datalen("b.foo.com", topdomain) == -1);
+	ck_assert(query_datalen("*.foo.com", topdomain) == -1);
+	/* Query name overlaps topdomain, but is longer */
+	ck_assert(query_datalen("bar.foo.com", topdomain) == -1);
+}
+END_TEST
+
+START_TEST(test_query_datalen_wild)
+{
+	char *topdomain = "*.foo.com";
+	/* With data */
+	ck_assert(query_datalen("foobar.a.foo.com", topdomain) == 7);
+	ck_assert(query_datalen("foobar.r.FoO.Com", topdomain) == 7);
+	ck_assert(query_datalen("foo.bar.r.FoO.Com", topdomain) == 8);
+	ck_assert(query_datalen("foo.Ab.foo.cOm", topdomain) == 4);
+	ck_assert(query_datalen("foo.Abcd.Foo.com", topdomain) == 4);
+	ck_assert(query_datalen("***.STARs.foo.com", topdomain) == 4);
+	ck_assert(query_datalen(".a.foo.com", topdomain) == 1);
+	ck_assert(query_datalen(".ab.foo.com", topdomain) == 1);
+	/* Without data */
+	ck_assert(query_datalen("rr.foo.com", topdomain) == 0);
+	ck_assert(query_datalen("b.foo.com", topdomain) == 0);
+	ck_assert(query_datalen("B.foo.com", topdomain) == 0);
+	/* Shorter query name */
+	ck_assert(query_datalen("foo.com", topdomain) == -1);
+	/* Wildcard part of query name matching topdomain */
+	ck_assert(query_datalen("aa.*.foo.com", topdomain) == -1);
+	/* Mismatched query name */
+	ck_assert(query_datalen("bar.r.boo.com", topdomain) == -1);
 }
 END_TEST

@ -97,14 +198,14 @@ START_TEST(test_parse_format_ipv4)
 	int addr_len;

 	addr_len = get_addr(host, 53, AF_INET, 0, &addr);
-	fail_unless(addr_len == sizeof(struct sockaddr_in));
+	ck_assert(addr_len == sizeof(struct sockaddr_in));

 	v4addr = (struct sockaddr_in *) &addr;
-	fail_unless(v4addr->sin_addr.s_addr == htonl(0xc0a8020a));
-	fail_unless(v4addr->sin_port == htons(53));
+	ck_assert(v4addr->sin_addr.s_addr == htonl(0xc0a8020a));
+	ck_assert(v4addr->sin_port == htons(53));

 	formatted = format_addr(&addr, addr_len);
-	fail_if(strcmp(host, formatted));
+	ck_assert_str_eq(host, formatted);
 }
 END_TEST

@ -117,14 +218,14 @@ START_TEST(test_parse_format_ipv4_listen_all)
 	int addr_len;

 	addr_len = get_addr(NULL, 53, AF_INET, AI_PASSIVE, &addr);
-	fail_unless(addr_len == sizeof(struct sockaddr_in));
+	ck_assert(addr_len == sizeof(struct sockaddr_in));

 	v4addr = (struct sockaddr_in *) &addr;
-	fail_unless(v4addr->sin_addr.s_addr == htonl(0x00000000));
-	fail_unless(v4addr->sin_port == htons(53));
+	ck_assert(v4addr->sin_addr.s_addr == htonl(0x00000000));
+	ck_assert(v4addr->sin_port == htons(53));

 	formatted = format_addr(&addr, addr_len);
-	fail_if(strcmp(host, formatted));
+	ck_assert_str_eq(host, formatted);
 }
 END_TEST

@ -142,14 +243,14 @@ START_TEST(test_parse_format_ipv6)
 	int addr_len;

 	addr_len = get_addr(host, 53, AF_UNSPEC, 0, &addr);
-	fail_unless(addr_len == sizeof(struct sockaddr_in6));
+	ck_assert(addr_len == sizeof(struct sockaddr_in6));

 	v6addr = (struct sockaddr_in6 *) &addr;
-	fail_if(memcmp(&v6addr->sin6_addr, v6_bits, sizeof(v6_bits)));
-	fail_unless(v6addr->sin6_port == htons(53));
+	ck_assert(memcmp(&v6addr->sin6_addr, v6_bits, sizeof(v6_bits)) == 0);
+	ck_assert(v6addr->sin6_port == htons(53));

 	formatted = format_addr(&addr, addr_len);
-	fail_if(strcmp(compact, formatted));
+	ck_assert_str_eq(compact, formatted);
 }
 END_TEST

@ -167,15 +268,15 @@ START_TEST(test_parse_format_ipv4_mapped_ipv6)
 	int addr_len;

 	addr_len = get_addr(v4mapped, 53, AF_INET6, 0, &addr);
-	fail_unless(addr_len == sizeof(struct sockaddr_in6));
+	ck_assert(addr_len == sizeof(struct sockaddr_in6));

 	v6addr = (struct sockaddr_in6 *) &addr;
-	fail_if(memcmp(&v6addr->sin6_addr, v6_bits, sizeof(v6_bits)));
-	fail_unless(v6addr->sin6_port == htons(53));
+	ck_assert(memcmp(&v6addr->sin6_addr, v6_bits, sizeof(v6_bits)) == 0);
+	ck_assert(v6addr->sin6_port == htons(53));

 	/* Format as IPv4 address */
 	formatted = format_addr(&addr, addr_len);
-	fail_if(strcmp(host, formatted));
+	ck_assert_str_eq(host, formatted);
 }
 END_TEST

@ -189,6 +290,9 @@ test_common_create_tests()
 	tcase_add_test(tc, test_topdomain_ok);
 	tcase_add_test(tc, test_topdomain_length);
 	tcase_add_test(tc, test_topdomain_chunks);
+	tcase_add_test(tc, test_topdomain_wild);
+	tcase_add_test(tc, test_query_datalen);
+	tcase_add_test(tc, test_query_datalen_wild);
 	tcase_add_test(tc, test_parse_format_ipv4);
 	tcase_add_test(tc, test_parse_format_ipv4_listen_all);

--- a/tests/dns.c
+++ b/tests/dns.c
@ -2,7 +2,7 @@
 * Copyright (c) 2006-2014 Erik Ekman <yarrick@kryo.se>,
 * 2006-2009 Bjorn Andersson <flex@kryo.se>
 *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
 * purpose with or without fee is hereby granted, provided that the above
 * copyright notice and this permission notice appear in all copies.
 *
@ -33,7 +33,6 @@
 #include "common.h"
 #include "dns.h"
 #include "encoding.h"
-#include "base32.h"
 #include "test.h"

 static void dump_packet(char *, size_t);
@ -70,7 +69,7 @@ START_TEST(test_encode_query)
 	char buf[512];
 	char resolv[512];
 	struct query q;
-	struct encoder *enc;
+	const struct encoder *enc;
 	char *d;
 	size_t len;
 	size_t enclen;
@ -83,7 +82,7 @@ START_TEST(test_encode_query)
 	q.type = T_NULL;
 	q.id = 1337;
 	d = resolv;
-	enc = get_base32_encoder();
+	enc = &base32_ops;

 	*d++ = 'A';
 	enc->encode(d, &enclen, innerData, strlen(innerData));
@ -101,8 +100,10 @@ START_TEST(test_encode_query)
 		dump_packet(query_packet, len);
 		dump_packet(buf, ret);
 	}
-	fail_unless(strncmp(query_packet, buf, sizeof(query_packet)) == 0, "Did not compile expected packet");
-	fail_unless(ret == len, "Bad packet length: %d, expected %d", ret, len);
+	ck_assert_msg(strncmp(query_packet, buf, sizeof(query_packet)) == 0,
+		"Did not compile expected packet");
+	ck_assert_msg(ret == len,
+		"Bad packet length: %d, expected %zu", ret, len);
 }
 END_TEST

@ -111,22 +112,25 @@ START_TEST(test_decode_query)
 	char buf[512];
 	char *domain;
 	struct query q;
-	struct encoder *enc;
+	const struct encoder *enc;
 	size_t len;

 	memset(&q, 0, sizeof(struct query));
 	memset(&buf, 0, sizeof(buf));
 	q.id = 0;
 	len = sizeof(query_packet) - 1;
-	enc = get_base32_encoder();
+	enc = &base32_ops;

 	dns_decode(buf, sizeof(buf), &q, QR_QUERY, query_packet, len);
 	domain = strstr(q.name, topdomain);
 	len = sizeof(buf);
 	unpack_data(buf, len, &(q.name[1]), (int) (domain - q.name) - 1, enc);

-	fail_unless(strncmp(buf, innerData, strlen(innerData)) == 0, "Did not extract expected host: '%s'", buf);
-	fail_unless(strlen(buf) == strlen(innerData), "Bad host length: %d, expected %d: '%s'", strlen(buf), strlen(innerData), buf);
+	ck_assert_msg(strncmp(buf, innerData, strlen(innerData)) == 0,
+		"Did not extract expected host: '%s'", buf);
+	ck_assert_msg(strlen(buf) == strlen(innerData),
+		"Bad host length: %zu, expected %zu: '%s'",
+		strlen(buf), strlen(innerData), buf);
 }
 END_TEST

@ -148,8 +152,10 @@ START_TEST(test_encode_response)
 	ret = dns_encode(buf, len, &q, QR_ANSWER, msgData, strlen(msgData));
 	len = sizeof(answer_packet) - 1; /* Skip extra null character */

-	fail_unless(strncmp(answer_packet, buf, sizeof(answer_packet)) == 0, "Did not compile expected packet");
-	fail_unless(ret == len, "Bad packet length: %d, expected %d", ret, len);
+	ck_assert_msg(strncmp(answer_packet, buf, sizeof(answer_packet)) == 0,
+		"Did not compile expected packet");
+	ck_assert_msg(ret == len,
+		"Bad packet length: %d, expected %d", ret, len);
 }
 END_TEST

@ -164,9 +170,11 @@ START_TEST(test_decode_response)
 	memset(&buf, 0, sizeof(buf));

 	ret = dns_decode(buf, len, &q, QR_ANSWER, answer_packet, sizeof(answer_packet)-1);
-	fail_unless(ret == strlen(msgData), "Bad data length: %d, expected %d", ret, strlen(msgData));
-	fail_unless(strncmp(msgData, buf, strlen(msgData)) == 0, "Did not extract expected data");
-	fail_unless(q.id == 0x0539);
+	ck_assert_msg(ret == strlen(msgData),
+		"Bad data length: %d, expected %zu", ret, strlen(msgData));
+	ck_assert_msg(strncmp(msgData, buf, strlen(msgData)) == 0,
+		"Did not extract expected data");
+	ck_assert(q.id == 0x0539);
 }
 END_TEST

@ -181,9 +189,12 @@ START_TEST(test_decode_response_with_high_trans_id)
 	memset(&buf, 0, sizeof(buf));

 	ret = dns_decode(buf, len, &q, QR_ANSWER, answer_packet_high_trans_id, sizeof(answer_packet_high_trans_id)-1);
-	fail_unless(ret == strlen(msgData), "Bad data length: %d, expected %d", ret, strlen(msgData));
-	fail_unless(strncmp(msgData, buf, strlen(msgData)) == 0, "Did not extract expected data");
-	fail_unless(q.id == 0x8539, "q.id was %08X instead of %08X!", q.id, 0x8539);
+	ck_assert_msg(ret == strlen(msgData),
+		"Bad data length: %d, expected %zu", ret, strlen(msgData));
+	ck_assert_msg(strncmp(msgData, buf, strlen(msgData)) == 0,
+		"Did not extract expected data");
+	ck_assert_msg(q.id == 0x8539,
+		"q.id was %08X instead of %08X!", q.id, 0x8539);
 }
 END_TEST

@ -197,7 +208,7 @@ START_TEST(test_get_id_short_packet)
 	memset(&buf, 5, sizeof(buf));

 	id = dns_get_id(buf, len);
-	fail_unless(id == 0);
+	ck_assert(id == 0);
 }
 END_TEST

@ -206,7 +217,7 @@ START_TEST(test_get_id_low)
 	unsigned short id;

 	id = dns_get_id(answer_packet, sizeof(answer_packet));
-	fail_unless(id == 1337);
+	ck_assert(id == 1337);
 }
 END_TEST

@ -215,7 +226,7 @@ START_TEST(test_get_id_high)
 	unsigned short id;

 	id = dns_get_id(answer_packet_high_trans_id, sizeof(answer_packet_high_trans_id));
-	fail_unless(id == 0x8539);
+	ck_assert(id == 0x8539);
 }
 END_TEST

--- a/tests/encoding.c
+++ b/tests/encoding.c
@ -2,7 +2,7 @@
 * Copyright (c) 2006-2014 Erik Ekman <yarrick@kryo.se>,
 * 2006-2009 Bjorn Andersson <flex@kryo.se>
 *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
 * purpose with or without fee is hereby granted, provided that the above
 * copyright notice and this permission notice appear in all copies.
 *
@ -22,8 +22,6 @@

 #include "encoding.h"
 #include "test.h"
-#include "base32.h"
-#include "base64.h"

 #define TUPLES 4

@ -52,8 +50,7 @@ START_TEST(test_inline_dotify)
 	b = temp;
 	inline_dotify(b, sizeof(temp));

-	fail_unless(strcmp(dottests[_i].b, temp) == 0,
-			"'%s' != '%s'", temp, dottests[_i].b);
+	ck_assert_str_eq(dottests[_i].b, temp);
 }
 END_TEST

@ -67,8 +64,7 @@ START_TEST(test_inline_undotify)
 	b = temp;
 	inline_undotify(b, sizeof(temp));

-	fail_unless(strcmp(dottests[_i].a, temp) == 0,
-			"'%s' != '%s'", temp, dottests[_i].a);
+	ck_assert_str_eq(dottests[_i].a, temp);
 }
 END_TEST

@ -87,10 +83,11 @@ START_TEST(test_build_hostname)
 	buflen = sizeof(buf);

 	for (i = 1; i < sizeof(data); i++) {
-		int len = build_hostname(buf, buflen, data, i, topdomain, get_base32_encoder(), sizeof(buf));
+		int len = build_hostname(buf, buflen, data, i, topdomain, &base32_ops, sizeof(buf));

-		fail_if(len > i);
-		fail_if(strstr(buf, ".."), "Found double dots when encoding data len %d! buf: %s", i, buf);
+		ck_assert(len <= i);
+		ck_assert_msg(strstr(buf, "..") == NULL,
+			"Found double dots when encoding data len %d! buf: %s", i, buf);
 	}
 }
 END_TEST
--- a/tests/fw_query.c
+++ b/tests/fw_query.c
@ -1,7 +1,7 @@
 /*
 * Copyright (c) 2009-2014 Erik Ekman <yarrick@kryo.se>
 *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
 * purpose with or without fee is hereby granted, provided that the above
 * copyright notice and this permission notice appear in all copies.
 *
@ -31,14 +31,14 @@ START_TEST(test_fw_query_simple)

 	/* Test empty cache */
 	fw_query_get(0x848A, &qp);
-	fail_unless(qp == NULL);
+	ck_assert(qp == NULL);

 	fw_query_put(&q);

 	/* Test cache with one entry */
 	fw_query_get(0x848A, &qp);
-	fail_unless(qp->addrlen == q.addrlen);
-	fail_unless(qp->id == q.id);
+	ck_assert(qp->addrlen == q.addrlen);
+	ck_assert(qp->id == q.id);
 }
 END_TEST

@ -62,8 +62,8 @@ START_TEST(test_fw_query_edge)

 	/* The query should still be cached */
 	fw_query_get(0x848A, &qp);
-	fail_unless(qp->addrlen == 33);
-	fail_unless(qp->id == 0x848A);
+	ck_assert(qp->addrlen == 33);
+	ck_assert(qp->id == 0x848A);

 	q.addrlen++;
 	q.id++;
@ -71,7 +71,7 @@ START_TEST(test_fw_query_edge)

 	/* but now it is overwritten */
 	fw_query_get(0x848A, &qp);
-	fail_unless(qp == NULL);
+	ck_assert(qp == NULL);
 }
 END_TEST

--- a/tests/login.c
+++ b/tests/login.c
@ -2,7 +2,7 @@
 * Copyright (c) 2006-2014 Erik Ekman <yarrick@kryo.se>,
 * 2006-2009 Bjorn Andersson <flex@kryo.se>
 *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
 * purpose with or without fee is hereby granted, provided that the above
 * copyright notice and this permission notice appear in all copies.
 *
@ -34,7 +34,7 @@ START_TEST(test_login_hash)

 	memset(ans, 0, sizeof(ans));
 	login_calculate(ans, len, pass, seed);
-	fail_unless(strncmp(ans, good, len) == 0, NULL);
+	ck_assert(strncmp(ans, good, len) == 0);
 }
 END_TEST

@ -54,7 +54,7 @@ START_TEST(test_login_hash_short)

 	/* If len < 16, it should do nothing */
 	login_calculate(ans, len, pass, seed);
-	fail_if(memcmp(ans, check, sizeof(ans)));
+	ck_assert(memcmp(ans, check, sizeof(ans)) == 0);
 }
 END_TEST

--- a/tests/read.c
+++ b/tests/read.c
@ -2,7 +2,7 @@
 * Copyright (c) 2006-2014 Erik Ekman <yarrick@kryo.se>,
 * 2006-2009 Bjorn Andersson <flex@kryo.se>
 *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
 * purpose with or without fee is hereby granted, provided that the above
 * copyright notice and this permission notice appear in all copies.
 *
@ -46,13 +46,13 @@ START_TEST(test_read_putshort)
 	for (i = 0; i < 65536; i++) {
 		p = (char*)&k;
 		putshort(&p, i);
-		fail_unless(ntohs(k) == i,
+		ck_assert_msg(ntohs(k) == i,
 				"Bad value on putshort for %d: %d != %d",
 					i, ntohs(k), i);

 		p = (char*)&k;
 		readshort(NULL, &p, &l);
-		fail_unless(l == i,
+		ck_assert_msg(l == i,
 				"Bad value on readshort for %d: %d != %d",
 					i, l, i);
 	}
@ -73,13 +73,13 @@ START_TEST(test_read_putlong)

 		putlong(&p, j);

-		fail_unless(ntohl(k) == j,
+		ck_assert_msg(ntohl(k) == j,
 				"Bad value on putlong for %d: %d != %d", i, ntohl(j), j);

 		p = (char*)&k;
 		readlong(NULL, &p, &l);

-		fail_unless(l == j,
+		ck_assert_msg(l == j,
 				"Bad value on readlong for %d: %d != %d", i, l, j);
 	}
 }
@ -98,8 +98,8 @@ START_TEST(test_read_name_empty_loop)
 	data = (char*) emptyloop + sizeof(HEADER);
 	buf[1023] = 'A';
 	rv = readname((char *) emptyloop, sizeof(emptyloop), &data, buf, 1023);
-	fail_unless(rv == 0);
-	fail_unless(buf[1023] == 'A');
+	ck_assert(rv == 0);
+	ck_assert(buf[1023] == 'A');
 }
 END_TEST

@ -116,8 +116,8 @@ START_TEST(test_read_name_inf_loop)
 	data = (char*) infloop + sizeof(HEADER);
 	buf[4] = '\a';
 	rv = readname((char*) infloop, sizeof(infloop), &data, buf, 4);
-	fail_unless(rv == 3);
-	fail_unless(buf[4] == '\a');
+	ck_assert(rv == 3);
+	ck_assert(buf[4] == '\a');
 }
 END_TEST

@ -140,8 +140,8 @@ START_TEST(test_read_name_longname)
 	data = (char*) longname + sizeof(HEADER);
 	buf[256] = '\a';
 	rv = readname((char*) longname, sizeof(longname), &data, buf, 256);
-	fail_unless(rv == 256);
-	fail_unless(buf[256] == '\a');
+	ck_assert(rv == 256);
+	ck_assert(buf[256] == '\a');
 }
 END_TEST

@ -157,7 +157,7 @@ START_TEST(test_read_name_onejump)
 	memset(buf, 0, sizeof(buf));
 	data = (char*) onejump + sizeof(HEADER);
 	rv = readname((char*) onejump, sizeof(onejump), &data, buf, 256);
-	fail_unless(rv == 9);
+	ck_assert(rv == 9);
 }
 END_TEST

@ -179,8 +179,8 @@ START_TEST(test_read_name_badjump_start)
 		data = (char*) jumper + sizeof(HEADER);
 		rv = readname((char*) jumper, sizeof(badjump), &data, buf, 256);

-		fail_unless(rv == 0);
-		fail_unless(buf[0] == 0);
+		ck_assert(rv == 0);
+		ck_assert(buf[0] == 0);
 	}
 	free(jumper);
 }
@ -204,9 +204,8 @@ START_TEST(test_read_name_badjump_second)
 		data = (char*) jumper + sizeof(HEADER);
 		rv = readname((char*) jumper, sizeof(badjump2), &data, buf, 256);

-		fail_unless(rv == 4);
-		fail_unless(strcmp("BA.", buf) == 0,
-				"buf is not BA: %s", buf);
+		ck_assert(rv == 4);
+		ck_assert_str_eq("BA.", buf);
 	}
 	free(jumper);
 }
@ -224,8 +223,8 @@ START_TEST(test_putname)
 	b = buf;
 	ret = putname(&b, 256, domain);

-	fail_unless(ret == strlen(domain) + 1);
-	fail_unless(strncmp(buf, out, ret) == 0, "Happy flow failed");
+	ck_assert(ret == strlen(domain) + 1);
+	ck_assert_msg(strncmp(buf, out, ret) == 0, "Happy flow failed");
 }
 END_TEST

@ -242,8 +241,8 @@ START_TEST(test_putname_nodot)
 	b = buf;
 	ret = putname(&b, 256, nodot);

-	fail_unless(ret == -1);
-	fail_unless(b == buf);
+	ck_assert(ret == -1);
+	ck_assert(b == buf);
 }
 END_TEST

@ -264,8 +263,8 @@ START_TEST(test_putname_toolong)
 	b = buf;
 	ret = putname(&b, 256, toolong);

-	fail_unless(ret == -1);
-	fail_unless(b == buf);
+	ck_assert(ret == -1);
+	ck_assert(b == buf);
 }
 END_TEST

--- a/tests/test.c
+++ b/tests/test.c
@ -2,7 +2,7 @@
 * Copyright (c) 2006-2014 Erik Ekman <yarrick@kryo.se>,
 * 2006-2009 Bjorn Andersson <flex@kryo.se>
 *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
 * purpose with or without fee is hereby granted, provided that the above
 * copyright notice and this permission notice appear in all copies.
 *
--- a/tests/test.h
+++ b/tests/test.h
@ -2,7 +2,7 @@
 * Copyright (c) 2006-2014 Erik Ekman <yarrick@kryo.se>,
 * 2006-2009 Bjorn Andersson <flex@kryo.se>
 *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
 * purpose with or without fee is hereby granted, provided that the above
 * copyright notice and this permission notice appear in all copies.
 *
--- a/tests/user.c
+++ b/tests/user.c
@ -2,7 +2,7 @@
 * Copyright (c) 2006-2014 Erik Ekman <yarrick@kryo.se>,
 * 2006-2009 Bjorn Andersson <flex@kryo.se>
 *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
 * purpose with or without fee is hereby granted, provided that the above
 * copyright notice and this permission notice appear in all copies.
 *
@ -38,40 +38,16 @@ START_TEST(test_init_users)
 	ip = inet_addr("127.0.0.1");
 	count = init_users(ip, 27);
 	for (i = 0; i < count; i++) {
-		fail_unless(users[i].id == i);
-		fail_unless(users[i].q.id == 0);
-		fail_unless(users[i].inpacket.len == 0);
-		fail_unless(users[i].outpacket.len == 0);
+		ck_assert(users[i].id == i);
+		ck_assert(users[i].q.id == 0);
+		ck_assert(users[i].inpacket.len == 0);
+		ck_assert(users[i].outpacket.len == 0);
 		snprintf(givenip, sizeof(givenip), "127.0.0.%d", i + 2);
-		fail_unless(users[i].tun_ip == inet_addr(givenip));
+		ck_assert(users[i].tun_ip == inet_addr(givenip));
 	}
 }
 END_TEST

-START_TEST(test_users_waiting)
-{
-	in_addr_t ip;
-
-	ip = inet_addr("127.0.0.1");
-	init_users(ip, 27);
-
-	fail_unless(users_waiting_on_reply() == 0);
-
-	users[3].active = 1;
-
-	fail_unless(users_waiting_on_reply() == 0);
-
-	users[3].last_pkt = time(NULL);
-
-	fail_unless(users_waiting_on_reply() == 0);
-
-	users[3].conn = CONN_DNS_NULL;
-	users[3].q.id = 1;
-
-	fail_unless(users_waiting_on_reply() == 1);
-}
-END_TEST
-
 START_TEST(test_find_user_by_ip)
 {
 	in_addr_t ip;
@ -82,25 +58,25 @@ START_TEST(test_find_user_by_ip)
 	users[0].conn = CONN_DNS_NULL;

 	testip = (unsigned int) inet_addr("10.0.0.1");
-	fail_unless(find_user_by_ip(testip) == -1);
+	ck_assert(find_user_by_ip(testip) == -1);

 	testip = (unsigned int) inet_addr("127.0.0.2");
-	fail_unless(find_user_by_ip(testip) == -1);
+	ck_assert(find_user_by_ip(testip) == -1);

 	users[0].active = 1;

 	testip = (unsigned int) inet_addr("127.0.0.2");
-	fail_unless(find_user_by_ip(testip) == -1);
+	ck_assert(find_user_by_ip(testip) == -1);

 	users[0].last_pkt = time(NULL);

 	testip = (unsigned int) inet_addr("127.0.0.2");
-	fail_unless(find_user_by_ip(testip) == -1);
+	ck_assert(find_user_by_ip(testip) == -1);

 	users[0].authenticated = 1;

 	testip = (unsigned int) inet_addr("127.0.0.2");
-	fail_unless(find_user_by_ip(testip) == 0);
+	ck_assert(find_user_by_ip(testip) == 0);
 }
 END_TEST

@ -111,17 +87,17 @@ START_TEST(test_all_users_waiting_to_send)
 	ip = inet_addr("127.0.0.1");
 	init_users(ip, 27);

-	fail_unless(all_users_waiting_to_send() == 1);
+	ck_assert(all_users_waiting_to_send() == 1);

 	users[0].conn = CONN_DNS_NULL;
 	users[0].active = 1;

-	fail_unless(all_users_waiting_to_send() == 1);
+	ck_assert(all_users_waiting_to_send() == 1);

 	users[0].last_pkt = time(NULL);
 	users[0].outpacket.len = 0;

-	fail_unless(all_users_waiting_to_send() == 0);
+	ck_assert(all_users_waiting_to_send() == 0);

 #ifdef OUTPACKETQ_LEN
 	users[0].outpacketq_filled = 1;
@ -129,7 +105,7 @@ START_TEST(test_all_users_waiting_to_send)
 	users[0].outpacket.len = 44;
 #endif

-	fail_unless(all_users_waiting_to_send() == 1);
+	ck_assert(all_users_waiting_to_send() == 1);
 }
 END_TEST

@ -144,24 +120,24 @@ START_TEST(test_find_available_user)
 	for (i = 0; i < USERS; i++) {
 		users[i].authenticated = 1;
 		users[i].authenticated_raw = 1;
-		fail_unless(find_available_user() == i);
-		fail_if(users[i].authenticated);
-		fail_if(users[i].authenticated_raw);
+		ck_assert(find_available_user() == i);
+		ck_assert(users[i].authenticated == 0);
+		ck_assert(users[i].authenticated_raw == 0);
 	}

 	for (i = 0; i < USERS; i++) {
-		fail_unless(find_available_user() == -1);
+		ck_assert(find_available_user() == -1);
 	}

 	users[3].active = 0;

-	fail_unless(find_available_user() == 3);
-	fail_unless(find_available_user() == -1);
+	ck_assert(find_available_user() == 3);
+	ck_assert(find_available_user() == -1);

 	users[3].last_pkt = 55;

-	fail_unless(find_available_user() == 3);
-	fail_unless(find_available_user() == -1);
+	ck_assert(find_available_user() == 3);
+	ck_assert(find_available_user() == -1);
 }
 END_TEST

@ -174,22 +150,22 @@ START_TEST(test_find_available_user_small_net)
 	init_users(ip, 29); /* this should result in 5 enabled users */

 	for (i = 0; i < 5; i++) {
-		fail_unless(find_available_user() == i);
+		ck_assert(find_available_user() == i);
 	}

 	for (i = 0; i < USERS; i++) {
-		fail_unless(find_available_user() == -1);
+		ck_assert(find_available_user() == -1);
 	}

 	users[3].active = 0;

-	fail_unless(find_available_user() == 3);
-	fail_unless(find_available_user() == -1);
+	ck_assert(find_available_user() == 3);
+	ck_assert(find_available_user() == -1);

 	users[3].last_pkt = 55;

-	fail_unless(find_available_user() == 3);
-	fail_unless(find_available_user() == -1);
+	ck_assert(find_available_user() == 3);
+	ck_assert(find_available_user() == -1);
 }
 END_TEST

@ -200,7 +176,6 @@ test_user_create_tests()

 	tc = tcase_create("User");
 	tcase_add_test(tc, test_init_users);
-	tcase_add_test(tc, test_users_waiting);
 	tcase_add_test(tc, test_find_user_by_ip);
 	tcase_add_test(tc, test_all_users_waiting_to_send);
 	tcase_add_test(tc, test_find_available_user);