| author | Arne Schwabe <arne@rfc2549.org> | 2014-01-09 22:18:17 +0100 | 
|---|---|---|
| committer | Arne Schwabe <arne@rfc2549.org> | 2014-01-09 22:18:17 +0100 | 
| commit | dd6f4ac1248e73106cf54ba78856dc27265bc5e1 (patch) | |
| tree | 8049eb01214b11b30e9d4a6f5e3d5fd1b8bc670b /openvpn/src | |
| parent | 97deae46f78cc96540d207f452f2bd97cf540b13 (diff) | |
rename IV_OPENVPN_GUI_VERSION to IV_GUI_VER
Diffstat (limited to 'openvpn/src')
| -rw-r--r-- | openvpn/src/openvpn/comp.h | 2 | ||||
| -rw-r--r-- | openvpn/src/openvpn/misc.c | 27 | ||||
| -rw-r--r-- | openvpn/src/openvpn/options.c | 1 | ||||
| -rw-r--r-- | openvpn/src/openvpn/options.h | 1 | ||||
| -rw-r--r-- | openvpn/src/openvpn/push.c | 4 | ||||
| -rw-r--r-- | openvpn/src/openvpn/ssl.c | 4 | ||||
| -rw-r--r-- | openvpn/src/openvpn/ssl_openssl.c | 130 | ||||
| -rw-r--r-- | openvpn/src/openvpn/ssl_polarssl.c | 11 | 
8 files changed, 82 insertions, 98 deletions
diff --git a/openvpn/src/openvpn/comp.h b/openvpn/src/openvpn/comp.h
index 57764007..bfa25fd3 100644
--- a/openvpn/src/openvpn/comp.h
+++ b/openvpn/src/openvpn/comp.h
@@ -24,7 +24,7 @@
 /*
  * Generic compression support.  Currently we support
- * Snappy, LZO 2 and LX4.
+ * Snappy, LZO 2 and LZ4.
  */
 #ifndef OPENVPN_COMP_H
 #define OPENVPN_COMP_H
diff --git a/openvpn/src/openvpn/misc.c b/openvpn/src/openvpn/misc.c
index 4688444e..7483184f 100644
--- a/openvpn/src/openvpn/misc.c
+++ b/openvpn/src/openvpn/misc.c
@@ -926,32 +926,23 @@ create_temp_file (const char *directory, const char *prefix, struct gc_arena *gc
 }
 /*
- * Add a random string to first DNS label of hostname to prevent DNS caching.
+ * Prepend a random string to hostname to prevent DNS caching.
  * For example, foo.bar.gov would be modified to <random-chars>.foo.bar.gov.
- * Of course, this requires explicit support in the DNS server.
+ * Of course, this requires explicit support in the DNS server (wildcard).
  */
 const char *
 hostname_randomize(const char *hostname, struct gc_arena *gc)
 {
 # define n_rnd_bytes 6
-  char *hst = string_alloc(hostname, gc);
-  char *dot = strchr(hst, '.');
+  uint8_t rnd_bytes[n_rnd_bytes];
+  const char *rnd_str;
+  struct buffer hname = alloc_buf_gc (strlen(hostname)+sizeof(rnd_bytes)*2+4, gc);
-  if (dot)
-    {
-      uint8_t rnd_bytes[n_rnd_bytes];
-      const char *rnd_str;
-      struct buffer hname = alloc_buf_gc (strlen(hostname)+sizeof(rnd_bytes)*2+4, gc);
-
-      *dot++ = '\0';
-      prng_bytes (rnd_bytes, sizeof (rnd_bytes));
-      rnd_str = format_hex_ex (rnd_bytes, sizeof (rnd_bytes), 40, 0, NULL, gc);
-      buf_printf(&hname, "%s-0x%s.%s", hst, rnd_str, dot);
-      return BSTR(&hname);
-    }
-  else
-    return hostname;
+  prng_bytes (rnd_bytes, sizeof (rnd_bytes));
+  rnd_str = format_hex_ex (rnd_bytes, sizeof (rnd_bytes), 40, 0, NULL, gc);
+  buf_printf(&hname, "%s.%s", rnd_str, hostname);
+  return BSTR(&hname);
 # undef n_rnd_bytes
 }
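Review bot: The size passed on the new `struct buffer hname = alloc_buf_gc (strlen(hostname)+sizeof(rnd_bytes)*2+4, gc);` line is an unexplained constant now that the old `%s-0x%s.%s` layout is gone; with the new `"%s.%s"` format the output is 2*n_rnd_bytes hex characters, one dot, the hostname and a NUL, so a comment such as `/* hex(rnd_bytes) + '.' + hostname + NUL, with slack */` would let a reader check the bound. The hunk also drops the old `return hostname` path without saying so: a hostname with no dot is now prefixed as well, and the rewritten header comment should state that every input gets the random label, since the result only resolves where the zone has a matching wildcard. The surrounding create_temp_file context at the top of the hunk is unrelated to this change.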
diff --git a/openvpn/src/openvpn/options.c b/openvpn/src/openvpn/options.c
index b93a67a0..892dbfdd 100644
--- a/openvpn/src/openvpn/options.c
+++ b/openvpn/src/openvpn/options.c
@@ -2874,6 +2874,7 @@ pre_pull_restore (struct options *o)
     }
   o->push_continuation = 0;
+  o->push_option_types_found = 0;
 }
 #endif
diff --git a/openvpn/src/openvpn/options.h b/openvpn/src/openvpn/options.h
index dafb8ff6..1992f5a7 100644
--- a/openvpn/src/openvpn/options.h
+++ b/openvpn/src/openvpn/options.h
@@ -467,6 +467,7 @@ struct options
   bool client;
   bool pull; /* client pull of config options from server */
   int push_continuation;
+  unsigned int push_option_types_found;
   const char *auth_user_pass_file;
   struct options_pre_pull *pre_pull;
diff --git a/openvpn/src/openvpn/push.c b/openvpn/src/openvpn/push.c
index bd08cff7..e971357d 100644
--- a/openvpn/src/openvpn/push.c
+++ b/openvpn/src/openvpn/push.c
@@ -203,8 +203,10 @@ incoming_push_message (struct context *c, const struct buffer *buffer)
     msg (D_PUSH_ERRORS, "WARNING: Received bad push/pull message: %s", sanitize_control_message(BSTR(buffer), &gc));
   else if (status == PUSH_MSG_REPLY || status == PUSH_MSG_CONTINUATION)
     {
+      c->options.push_option_types_found |= option_types_found;
+
       if (status == PUSH_MSG_REPLY)
-	do_up (c, true, option_types_found); /* delay bringing tun/tap up until --push parms received from remote */
+	do_up (c, true, c->options.push_option_types_found ); /* delay bringing tun/tap up until --push parms received from remote */
       event_timeout_clear (&c->c2.push_request_interval);
     }
diff --git a/openvpn/src/openvpn/ssl.c b/openvpn/src/openvpn/ssl.c
index 93222c47..15518cab 100644
--- a/openvpn/src/openvpn/ssl.c
+++ b/openvpn/src/openvpn/ssl.c
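Review bot: The new `unsigned int push_option_types_found;` member of struct options has no comment, unlike the neighbouring `pull` field, and nothing in the header says what it accumulates or when it is cleared; suggest `unsigned int push_option_types_found; /* OR of option types seen across push replies/continuations; cleared by pre_pull_restore() */`. The options.c hunk in this commit resets it only in pre_pull_restore, so if the struct is not zero-initialised at startup the first PUSH_REPLY could carry stale bits — worth confirming against the options initialiser, which is outside this diff.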
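Review bot: The rewritten call `do_up (c, true, c->options.push_option_types_found ); /* delay ... */` in incoming_push_message carries a stray space before the closing parenthesis; it should read `do_up (c, true, c->options.push_option_types_found);`. The `|=` on the added line above it is the actual behaviour change — option types are now unioned across PUSH_MSG_CONTINUATION messages so do_up sees everything when the final reply arrives — and deserves a one-line comment such as `/* accumulate across continuation messages; do_up() needs the union */`. The rest of incoming_push_message lies outside the hunk.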
@@ -1825,13 +1825,13 @@ push_peer_info(struct buffer *buf, struct tls_session *session)
 	    buf_printf (&out, "IV_HWADDR=%s\n", format_hex_ex (rgi.hwaddr, 6, 0, 1, ":", &gc));
         }
-      /* push env vars that begin with UV_ and IV_OPENVPN_GUI_VERSION */
+      /* push env vars that begin with UV_ and IV_GUI_VER */
       for (e=es->list; e != NULL; e=e->next)
 	{
 	  if (e->string)
 	    {
 	      if (((strncmp(e->string, "UV_", 3)==0 && session->opt->push_peer_info_detail >= 2)
-		   || (strncmp(e->string,"IV_OPENVPN_GUI_VERSION=",sizeof("IV_OPENVPN_GUI_VERSION=")-1)==0))
+		   || (strncmp(e->string,"IV_GUI_VER=",sizeof("IV_GUI_VER=")-1)==0))
 		  && buf_safe(&out, strlen(e->string)+1))
 		buf_printf (&out, "%s\n", e->string);
 	    }
diff --git a/openvpn/src/openvpn/ssl_openssl.c b/openvpn/src/openvpn/ssl_openssl.c
index 9dced724..f0796526 100644
--- a/openvpn/src/openvpn/ssl_openssl.c
+++ b/openvpn/src/openvpn/ssl_openssl.c
@@ -224,86 +224,73 @@ tls_ctx_restrict_ciphers(struct tls_root_ctx *ctx, const char *ciphers)
         msg(M_SSLERR, "Failed to set default TLS cipher list.");
       return;
     }
-  else
-    {
-      /* Parse supplied cipher list and pass on to OpenSSL */
-      size_t begin_of_cipher, end_of_cipher;
-      const char *current_cipher;
-      size_t current_cipher_len;
+  /* Parse supplied cipher list and pass on to OpenSSL */
+  size_t begin_of_cipher, end_of_cipher;
-      const tls_cipher_name_pair *cipher_pair;
+  const char *current_cipher;
+  size_t current_cipher_len;
-      char openssl_ciphers[4096];
-      size_t openssl_ciphers_len = 0;
-      openssl_ciphers[0] = '\0';
+  const tls_cipher_name_pair *cipher_pair;
-      ASSERT(NULL != ctx);
+  char openssl_ciphers[4096];
+  size_t openssl_ciphers_len = 0;
+  openssl_ciphers[0] = '\0';
-      // Translate IANA cipher suite names to OpenSSL names
-      begin_of_cipher = end_of_cipher = 0;
-      for (; begin_of_cipher < strlen(ciphers); begin_of_cipher = end_of_cipher)
-        {
-          end_of_cipher += strcspn(&ciphers[begin_of_cipher], ":");
-          cipher_pair = tls_get_cipher_name_pair(&ciphers[begin_of_cipher],
-              end_of_cipher - begin_of_cipher);
+  ASSERT(NULL != ctx);
-          if (NULL == cipher_pair)
-            {
-              // No translation found, use original
-              current_cipher = &ciphers[begin_of_cipher];
-              current_cipher_len = end_of_cipher - begin_of_cipher;
-
-              // Issue warning on missing translation
-              // %.*s format specifier expects length of type int, so guarantee
-              // that length is small enough and cast to int.
-              msg (M_WARN, "No valid translation found for TLS cipher '%.*s'",
-                     constrain_int(current_cipher_len, 0, 256), current_cipher);
-            }
-          else
-            {
-              // Use OpenSSL name
-              current_cipher = cipher_pair->openssl_name;
-              current_cipher_len = strlen(current_cipher);
-
-              if (end_of_cipher - begin_of_cipher == current_cipher_len &&
-                  0 == memcmp (&ciphers[begin_of_cipher],
-                      cipher_pair->openssl_name,
-                      end_of_cipher - begin_of_cipher))
-                {
-                  // Non-IANA name used, show warning
-                  msg (M_WARN, "Deprecated TLS cipher name '%s', "
-                      "please use IANA name '%s'", cipher_pair->openssl_name,
-                      cipher_pair->iana_name);
-                }
-            }
+  // Translate IANA cipher suite names to OpenSSL names
+  begin_of_cipher = end_of_cipher = 0;
+  for (; begin_of_cipher < strlen(ciphers); begin_of_cipher = end_of_cipher) {
+      end_of_cipher += strcspn(&ciphers[begin_of_cipher], ":");
+      cipher_pair = tls_get_cipher_name_pair(&ciphers[begin_of_cipher], end_of_cipher - begin_of_cipher);
-          // Make sure new cipher name fits in cipher string
-          if (((sizeof(openssl_ciphers)-1) - openssl_ciphers_len) <
-              current_cipher_len) {
-            msg(M_SSLERR,
-                "Failed to set restricted TLS cipher list, too long (>%d).",
-                (int)sizeof(openssl_ciphers)-1);
-          }
-
-          // Concatenate cipher name to OpenSSL cipher string
-          memcpy(&openssl_ciphers[openssl_ciphers_len], current_cipher,
-              current_cipher_len);
-          openssl_ciphers_len += current_cipher_len;
-          openssl_ciphers[openssl_ciphers_len] = ':';
-          openssl_ciphers_len++;
-
-          end_of_cipher++;
+      if (NULL == cipher_pair)
+        {
+          // No translation found, use original
+          current_cipher = &ciphers[begin_of_cipher];
+          current_cipher_len = end_of_cipher - begin_of_cipher;
+
+          // Issue warning on missing translation
+          // %.*s format specifier expects length of type int, so guarantee
+          // that length is small enough and cast to int.
+          msg (M_WARN, "No valid translation found for TLS cipher '%.*s'",
+                 constrain_int(current_cipher_len, 0, 256), current_cipher);
         }
+      else
+	{
+	  // Use OpenSSL name
+          current_cipher = cipher_pair->openssl_name;
+          current_cipher_len = strlen(current_cipher);
-      if (openssl_ciphers_len > 0)
-        openssl_ciphers[openssl_ciphers_len-1] = '\0';
+	  if (end_of_cipher - begin_of_cipher == current_cipher_len &&
+	      0 == memcmp (&ciphers[begin_of_cipher], cipher_pair->openssl_name, end_of_cipher - begin_of_cipher))
+	    {
+	      // Non-IANA name used, show warning
+	      msg (M_WARN, "Deprecated TLS cipher name '%s', please use IANA name '%s'", cipher_pair->openssl_name, cipher_pair->iana_name);
+	    }
+	}
-      // Set OpenSSL cipher list
-      if(!SSL_CTX_set_cipher_list(ctx->ctx, openssl_ciphers))
-        msg(M_SSLERR, "Failed to set restricted TLS cipher list: %s",
-            openssl_ciphers);
-    }
+      // Make sure new cipher name fits in cipher string
+      if (((sizeof(openssl_ciphers)-1) - openssl_ciphers_len) < current_cipher_len) {
+	msg(M_SSLERR, "Failed to set restricted TLS cipher list, too long (>%d).", (int)sizeof(openssl_ciphers)-1);
+      }
+
+      // Concatenate cipher name to OpenSSL cipher string
+      memcpy(&openssl_ciphers[openssl_ciphers_len], current_cipher, current_cipher_len);
+      openssl_ciphers_len += current_cipher_len;
+      openssl_ciphers[openssl_ciphers_len] = ':';
+      openssl_ciphers_len++;
+
+      end_of_cipher++;
+  }
+
+  if (openssl_ciphers_len > 0)
+    openssl_ciphers[openssl_ciphers_len-1] = '\0';
+
+  // Set OpenSSL cipher list
+  if(!SSL_CTX_set_cipher_list(ctx->ctx, openssl_ciphers))
+    msg(M_SSLERR, "Failed to set restricted TLS cipher list: %s", openssl_ciphers);
 }
 void
@@ -1294,8 +1281,7 @@ show_available_tls_ciphers (const char *cipher_list)
   if (!ssl)
     msg (M_SSLERR, "Cannot create SSL object");
-  if (cipher_list)
-    tls_ctx_restrict_ciphers(&tls_ctx, cipher_list);
+  tls_ctx_restrict_ciphers(&tls_ctx, cipher_list);
   printf ("Available TLS Ciphers,\n");
   printf ("listed in order of preference:\n\n");
diff --git a/openvpn/src/openvpn/ssl_polarssl.c b/openvpn/src/openvpn/ssl_polarssl.c
index d964b918..47fb62a5 100644
--- a/openvpn/src/openvpn/ssl_polarssl.c
+++ b/openvpn/src/openvpn/ssl_polarssl.c
@@ -176,7 +176,7 @@ tls_ctx_restrict_ciphers(struct tls_root_ctx *ctx, const char *ciphers)
   int ciphers_len;
   if (NULL == ciphers)
-    return; // Nothing to do
+    return; /* Nothing to do */
   ciphers_len = strlen (ciphers);
@@ -1043,10 +1043,11 @@ show_available_tls_ciphers (const char *cipher_list)
   struct tls_root_ctx tls_ctx;
   const int *ciphers = ssl_list_ciphersuites();
-  if (cipher_list) {
-    tls_ctx_restrict_ciphers(&tls_ctx, cipher_list);
+  tls_ctx_server_new(&tls_ctx);
+  tls_ctx_restrict_ciphers(&tls_ctx, cipher_list);
+
+  if (tls_ctx.allowed_ciphers)
     ciphers = tls_ctx.allowed_ciphers;
-  }
 #ifndef ENABLE_SMALL
   printf ("Available TLS Ciphers,\n");
@@ -1059,6 +1060,8 @@ show_available_tls_ciphers (const char *cipher_list)
       ciphers++;
     }
   printf ("\n");
+
+  tls_ctx_free(&tls_ctx);
 }
 void  |
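Review bot: The length check `if (((sizeof(openssl_ciphers)-1) - openssl_ciphers_len) < current_cipher_len)` in the rewritten tls_ctx_restrict_ciphers only calls msg(M_SSLERR) and then falls through to the memcpy, so it keeps openssl_ciphers in bounds only if M_SSLERR never returns, which the hunk does not show; a comment such as `/* M_SSLERR is fatal: the memcpy below is reached only when the name fits */` (or an explicit return after the msg) would make that guarantee visible to the next reader. The re-indented block also mixes styles: `for (...) {` and that length check use K&R braces while the `if`/`else` bodies keep the file's GNU braces, and the `else` branch is indented with tabs where the rest uses spaces. `strlen(ciphers)` in the loop condition is recomputed on every iteration; hoisting it into a `size_t ciphers_len` next to the other declarations would also mirror the PolarSSL version touched by this commit. The function's opening lines, including the NULL-ciphers branch that precedes the `return;`, are outside the hunk.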
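Review bot: The added `tls_ctx_server_new(&tls_ctx);` / `tls_ctx_free(&tls_ctx);` pair in the PolarSSL show_available_tls_ciphers builds a throw-away context whose `allowed_ciphers` array is handed to the printing loop and stays in use until the free at the very end, and nothing in the code records that lifetime; a comment on the `if (tls_ctx.allowed_ciphers)` line, e.g. `/* allowed_ciphers is owned by tls_ctx and valid until tls_ctx_free() below */`, would keep a later refactor from moving the free earlier. The guard also presumes that tls_ctx_server_new leaves allowed_ciphers NULL when tls_ctx_restrict_ciphers returns early for a NULL cipher_list, which is not visible in this diff. The printing loop between the two hunks is outside the view.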
