From 1400e1c156bfea6e3c0ff73ccbc8dd3503eb9ec3 Mon Sep 17 00:00:00 2001
From: James Yonan <james@openvpn.net>
Date: Mon, 26 Jul 2010 18:26:49 +0000
Subject: Fixed typo: missing comment close.

git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@6347 e7ae566f-a301-0410-adde-c780ea21d3b5
---
 socket.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/socket.c b/socket.c
index 6f488e9..8153209 100644
--- a/socket.c
+++ b/socket.c
@@ -231,7 +231,7 @@ getaddr_multi (unsigned int flags,
 		   n);
 
 	      /* choose address randomly, for basic load-balancing capability */
-	      /*ia.s_addr = *(in_addr_t *) (h->h_addr_list[get_random () % n]);*
+	      /*ia.s_addr = *(in_addr_t *) (h->h_addr_list[get_random () % n]);*/
 
 	      /* choose first address */
 	      ia.s_addr = *(in_addr_t *) (h->h_addr_list[0]);
-- 
cgit v1.2.3


From dc85dae67ff8afcce2bb07cdbd7bf1750525820a Mon Sep 17 00:00:00 2001
From: James Yonan <james@openvpn.net>
Date: Tue, 27 Jul 2010 07:10:01 +0000
Subject: Fixed an issue where application payload transmissions on the TLS
 control channel (such as AUTH_FAILED) that occur during or immediately after
 a TLS renegotiation might be dropped.

Version 2.1.1n


git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@6350 e7ae566f-a301-0410-adde-c780ea21d3b5
---
 buffer.c   | 34 ++++++++++++++++++++++++++--------
 buffer.h   |  2 ++
 ssl.c      | 22 ++++++++++++++++++++++
 ssl.h      |  2 ++
 syshead.h  |  4 +---
 version.m4 |  2 +-
 6 files changed, 54 insertions(+), 12 deletions(-)

diff --git a/buffer.c b/buffer.c
index c7a42fb..5108429 100644
--- a/buffer.c
+++ b/buffer.c
@@ -896,8 +896,11 @@ buffer_list_new (const int max_size)
 void
 buffer_list_free (struct buffer_list *ol)
 {
-  buffer_list_reset (ol);
-  free (ol);
+  if (ol)
+    {
+      buffer_list_reset (ol);
+      free (ol);
+    }
 }
 
 bool
@@ -924,9 +927,21 @@ buffer_list_reset (struct buffer_list *ol)
 void
 buffer_list_push (struct buffer_list *ol, const unsigned char *str)
 {
-  if (!ol->max_size || ol->size < ol->max_size)
+  if (str)
+    {
+      const size_t len = strlen ((const char *)str);
+      struct buffer_entry *e = buffer_list_push_data (ol, str, len+1);
+      if (e)
+	e->buf.len = len; /* Don't count trailing '\0' as part of length */
+    }
+}
+
+struct buffer_entry *
+buffer_list_push_data (struct buffer_list *ol, const uint8_t *data, size_t size)
+{
+  struct buffer_entry *e = NULL;
+  if (data && (!ol->max_size || ol->size < ol->max_size))
     {
-      struct buffer_entry *e;
       ALLOC_OBJ_CLEAR (e, struct buffer_entry);
 
       ++ol->size;
@@ -940,15 +955,18 @@ buffer_list_push (struct buffer_list *ol, const unsigned char *str)
 	  ASSERT (!ol->head);
 	  ol->head = e;
 	}
-      e->buf = string_alloc_buf ((const char *) str, NULL);
+      e->buf = alloc_buf (size);
+      memcpy (e->buf.data, data, size);
+      e->buf.len = (int)size;
       ol->tail = e;
     }
+  return e;
 }
 
 struct buffer *
 buffer_list_peek (struct buffer_list *ol)
 {
-  if (ol->head)
+  if (ol && ol->head)
     return &ol->head->buf;
   else
     return NULL;
@@ -993,10 +1011,10 @@ buffer_list_aggregate (struct buffer_list *bl, const size_t max)
     }
 }
 
-static void
+void
 buffer_list_pop (struct buffer_list *ol)
 {
-  if (ol->head)
+  if (ol && ol->head)
     {
       struct buffer_entry *e = ol->head->next;
       free_buf (&ol->head->buf);
diff --git a/buffer.h b/buffer.h
index 9351c4e..0f22cda 100644
--- a/buffer.h
+++ b/buffer.h
@@ -851,8 +851,10 @@ bool buffer_list_defined (const struct buffer_list *ol);
 void buffer_list_reset (struct buffer_list *ol);
 
 void buffer_list_push (struct buffer_list *ol, const unsigned char *str);
+struct buffer_entry *buffer_list_push_data (struct buffer_list *ol, const uint8_t *data, size_t size);
 struct buffer *buffer_list_peek (struct buffer_list *ol);
 void buffer_list_advance (struct buffer_list *ol, int n);
+void buffer_list_pop (struct buffer_list *ol);
 
 void buffer_list_aggregate (struct buffer_list *bl, const size_t max);
 
diff --git a/ssl.c b/ssl.c
index 9801b0e..a140641 100644
--- a/ssl.c
+++ b/ssl.c
@@ -2266,6 +2266,7 @@ key_state_free (struct key_state *ks, bool clear)
   free_buf (&ks->plaintext_read_buf);
   free_buf (&ks->plaintext_write_buf);
   free_buf (&ks->ack_write_buf);
+  buffer_list_free(ks->paybuf);
 
   if (ks->send_reliable)
     {
@@ -3064,6 +3065,17 @@ key_source2_read (struct key_source2 *k2,
   return 1;
 }
 
+static void
+flush_payload_buffer (struct tls_multi *multi, struct key_state *ks)
+{
+  struct buffer *b;
+  while ((b = buffer_list_peek (ks->paybuf)))
+    {
+      key_state_write_plaintext_const (multi, ks, b->data, b->len);
+      buffer_list_pop (ks->paybuf);
+    }
+}
+
 /*
  * Macros for key_state_soft_reset & tls_process
  */
@@ -3978,6 +3990,9 @@ tls_process (struct tls_multi *multi,
 		  /* Set outgoing address for data channel packets */
 		  link_socket_set_outgoing_addr (NULL, to_link_socket_info, &ks->remote_addr, session->common_name, session->opt->es);
 
+		  /* Flush any payload packets that were buffered before our state transitioned to S_ACTIVE */
+		  flush_payload_buffer (multi, ks);
+
 #ifdef MEASURE_TLS_HANDSHAKE_STATS
 		  show_tls_performance_stats();
 #endif
@@ -5077,6 +5092,13 @@ tls_send_payload (struct tls_multi *multi,
       if (key_state_write_plaintext_const (multi, ks, data, size) == 1)
 	ret = true;
     }
+  else
+    {
+      if (!ks->paybuf)
+	ks->paybuf = buffer_list_new (0);
+      buffer_list_push_data (ks->paybuf, data, (size_t)size);
+      ret = true;
+    }
 
   ERR_clear_error ();
 
diff --git a/ssl.h b/ssl.h
index e895bb2..c6a5627 100644
--- a/ssl.h
+++ b/ssl.h
@@ -376,6 +376,8 @@ struct key_state
   struct reliable *rec_reliable;  /* order incoming ciphertext packets before we pass to TLS */
   struct reliable_ack *rec_ack;	  /* buffers all packet IDs we want to ACK back to sender */
 
+  struct buffer_list *paybuf;
+
   int n_bytes;			 /* how many bytes sent/recvd since last key exchange */
   int n_packets;		 /* how many packets sent/recvd since last key exchange */
 
diff --git a/syshead.h b/syshead.h
index d2ea8de..15445fc 100644
--- a/syshead.h
+++ b/syshead.h
@@ -531,11 +531,9 @@ socket_defined (const socket_descriptor_t sd)
 #endif
 
 /*
- * Don't compile the struct buffer_list code unless something needs it
+ * Compile the struct buffer_list code
  */
-#if defined(ENABLE_MANAGEMENT) || defined(ENABLE_PF)
 #define ENABLE_BUFFER_LIST
-#endif
 
 /*
  * Do we have pthread capability?
diff --git a/version.m4 b/version.m4
index b6d1f61..be40252 100644
--- a/version.m4
+++ b/version.m4
@@ -1,5 +1,5 @@
 dnl define the OpenVPN version
-define(PRODUCT_VERSION,[2.1.1m])
+define(PRODUCT_VERSION,[2.1.1n])
 dnl define the TAP version
 define(PRODUCT_TAP_ID,[tap0901])
 define(PRODUCT_TAP_WIN32_MIN_MAJOR,[9])
-- 
cgit v1.2.3


From 75dfe3d7f73279ddefb533f2e3b4a4cce4e9802a Mon Sep 17 00:00:00 2001
From: James Yonan <james@openvpn.net>
Date: Tue, 27 Jul 2010 21:46:34 +0000
Subject: Added "net stop dnscache" and "net start dnscache" in front of
 existing --register-dns commands.

git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@6352 e7ae566f-a301-0410-adde-c780ea21d3b5
---
 error.c    | 10 +++++++---
 openvpn.8  |  5 +++--
 options.c  |  4 ++--
 tun.c      | 20 ++++++++++++++++++++
 version.m4 |  2 +-
 win32.h    |  1 +
 6 files changed, 34 insertions(+), 8 deletions(-)

diff --git a/error.c b/error.c
index ec8f9df..873718c 100644
--- a/error.c
+++ b/error.c
@@ -477,14 +477,16 @@ redirect_stdout_stderr (const char *file, bool append)
     {
       HANDLE log_handle;
       int log_fd;
-      struct security_attributes sa;
 
-      init_security_attributes_allow_all (&sa);
+      SECURITY_ATTRIBUTES saAttr; 
+      saAttr.nLength = sizeof(SECURITY_ATTRIBUTES); 
+      saAttr.bInheritHandle = TRUE; 
+      saAttr.lpSecurityDescriptor = NULL; 
 
       log_handle = CreateFile (file,
 			       GENERIC_WRITE,
 			       FILE_SHARE_READ,
-			       &sa.sa,
+			       &saAttr,
 			       append ? OPEN_ALWAYS : CREATE_ALWAYS,
 			       FILE_ATTRIBUTE_NORMAL,
 			       NULL);
@@ -505,10 +507,12 @@ redirect_stdout_stderr (const char *file, bool append)
       /* save original stderr for password prompts */
       orig_stderr = GetStdHandle (STD_ERROR_HANDLE);
 
+#if 0 /* seems not be necessary with stdout/stderr redirection below*/
       /* set up for redirection */
       if (!SetStdHandle (STD_OUTPUT_HANDLE, log_handle)
 	  || !SetStdHandle (STD_ERROR_HANDLE, log_handle))
 	msg (M_ERR, "Error: cannot redirect stdout/stderr to --log file: %s", file);
+#endif
 
       /* direct stdout/stderr to point to log_handle */
       log_fd = _open_osfhandle ((intptr_t)log_handle, _O_TEXT);
diff --git a/openvpn.8 b/openvpn.8
index 1aa8382..53aabdc 100644
--- a/openvpn.8
+++ b/openvpn.8
@@ -4750,8 +4750,9 @@ above.
 .\"*********************************************************
 .TP
 .B --register-dns
-Run ipconfig /flushdns and ipconfig /registerdns on
-connection initiation.  This is known to kick Windows into
+Run net stop dnscache, net start dnscache, ipconfig /flushdns
+and ipconfig /registerdns on connection initiation.
+This is known to kick Windows into
 recognizing pushed DNS servers.
 .\"*********************************************************
 .TP
diff --git a/options.c b/options.c
index ce53ad5..e1de0d9 100644
--- a/options.c
+++ b/options.c
@@ -615,8 +615,8 @@ static const char usage_message[] =
   "--dhcp-pre-release : Ask Windows to release the previous TAP adapter lease on\n"
 "                       startup.\n"
   "--dhcp-release     : Ask Windows to release the TAP adapter lease on shutdown.\n"
-  "--register-dns     : Run ipconfig /flushdns and ipconfig /registerdns on\n"
-  "                     connection initiation.\n"
+  "--register-dns  : Run net stop dnscache, net start dnscache, ipconfig /flushdns\n"
+  "                  and ipconfig /registerdns on connection initiation.\n"
   "--tap-sleep n   : Sleep for n seconds after TAP adapter open before\n"
   "                  attempting to set adapter properties.\n"
   "--pause-exit         : When run from a console window, pause before exiting.\n"
diff --git a/tun.c b/tun.c
index b05fcf8..7a87256 100644
--- a/tun.c
+++ b/tun.c
@@ -3390,17 +3390,37 @@ ipconfig_register_dns (const struct env_set *es)
   const char err[] = "ERROR: Windows ipconfig command failed";
 
   netcmd_semaphore_lock ();
+
   argv_init (&argv);
+
+  argv_printf (&argv, "%s%sc stop dnscache",
+	       get_win_sys_path(),
+	       WIN_NET_PATH_SUFFIX);
+  argv_msg (D_TUNTAP_INFO, &argv);
+  status = openvpn_execve_check (&argv, es, 0, err);
+  argv_reset(&argv);
+
+  argv_printf (&argv, "%s%sc start dnscache",
+	       get_win_sys_path(),
+	       WIN_NET_PATH_SUFFIX);
+  argv_msg (D_TUNTAP_INFO, &argv);
+  status = openvpn_execve_check (&argv, es, 0, err);
+  argv_reset(&argv);
+
   argv_printf (&argv, "%s%sc /flushdns",
 	       get_win_sys_path(),
 	       WIN_IPCONFIG_PATH_SUFFIX);
+  argv_msg (D_TUNTAP_INFO, &argv);
   status = openvpn_execve_check (&argv, es, 0, err);
   argv_reset(&argv);
+
   argv_printf (&argv, "%s%sc /registerdns",
 	       get_win_sys_path(),
 	       WIN_IPCONFIG_PATH_SUFFIX);
+  argv_msg (D_TUNTAP_INFO, &argv);
   status = openvpn_execve_check (&argv, es, 0, err);
   argv_reset(&argv);
+
   netcmd_semaphore_release ();
 }
 
diff --git a/version.m4 b/version.m4
index be40252..4add313 100644
--- a/version.m4
+++ b/version.m4
@@ -1,5 +1,5 @@
 dnl define the OpenVPN version
-define(PRODUCT_VERSION,[2.1.1n])
+define(PRODUCT_VERSION,[2.1.1o])
 dnl define the TAP version
 define(PRODUCT_TAP_ID,[tap0901])
 define(PRODUCT_TAP_WIN32_MIN_MAJOR,[9])
diff --git a/win32.h b/win32.h
index f974b06..fcc3062 100644
--- a/win32.h
+++ b/win32.h
@@ -34,6 +34,7 @@
 #define NETSH_PATH_SUFFIX     "\\system32\\netsh.exe"
 #define WIN_ROUTE_PATH_SUFFIX "\\system32\\route.exe"
 #define WIN_IPCONFIG_PATH_SUFFIX "\\system32\\ipconfig.exe"
+#define WIN_NET_PATH_SUFFIX "\\system32\\net.exe"
 
 /*
  * Win32-specific OpenVPN code, targetted at the mingw
-- 
cgit v1.2.3