@@ -131,9 +131,9 @@

 #include "packet_id.h"

 #include "mtu.h"

-/** Wrapper struct to pass around MD5 digests */

-struct md5_digest {

-    uint8_t digest[MD5_DIGEST_LENGTH];

+/** Wrapper struct to pass around SHA256 digests */

+struct sha256_digest {

+    uint8_t digest[SHA256_DIGEST_LENGTH];

 };

 /*

@@ -73,6 +73,7 @@ typedef mbedtls_md_context_t hmac_ctx_t;

 #define MD4_DIGEST_LENGTH       16

 #define MD5_DIGEST_LENGTH       16

 #define SHA_DIGEST_LENGTH       20

+#define SHA256_DIGEST_LENGTH    32

 #define DES_KEY_LENGTH 8

 /**

@@ -33,6 +33,7 @@

 #include <openssl/evp.h>

 #include <openssl/hmac.h>

 #include <openssl/md5.h>

+#include <openssl/sha.h>

 /** Generic cipher key type %context. */

 typedef EVP_CIPHER cipher_kt_t;

@@ -1919,12 +1919,12 @@ tun_abort()

  * equal, or either one is all-zeroes.

  */

 static bool

-options_hash_changed_or_zero(const struct md5_digest *a,

-                             const struct md5_digest *b)

+options_hash_changed_or_zero(const struct sha256_digest *a,

+                             const struct sha256_digest *b)

 {

-    const struct md5_digest zero = {{0}};

-    return memcmp(a, b, sizeof(struct md5_digest))

-           || !memcmp(a, &zero, sizeof(struct md5_digest));

+    const struct sha256_digest zero = {{0}};

+    return memcmp(a, b, sizeof(struct sha256_digest))

+           || !memcmp(a, &zero, sizeof(struct sha256_digest));

 }

 #endif /* P2MP */

@@ -202,7 +202,7 @@ struct context_1

 #endif

     /* if client mode, hash of option strings we pulled from server */

-    struct md5_digest pulled_options_digest_save;

+    struct sha256_digest pulled_options_digest_save;

     /**< Hash of option strings received from the

      *   remote OpenVPN server.  Only used in

      *   client-mode. */

@@ -471,9 +471,9 @@ struct context_2

     bool did_pre_pull_restore;

     /* hash of pulled options, so we can compare when options change */

-    bool pulled_options_md5_init_done;

+    bool pulled_options_digest_init_done;

     md_ctx_t pulled_options_state;

-    struct md5_digest pulled_options_digest;

+    struct sha256_digest pulled_options_digest;

     struct event_timeout scheduled_exit;

     int scheduled_exit_signal;

@@ -720,10 +720,10 @@ process_incoming_push_msg(struct context *c,

         if (ch == ',')

         {

             struct buffer buf_orig = buf;

-            if (!c->c2.pulled_options_md5_init_done)

+            if (!c->c2.pulled_options_digest_init_done)

             {

-                md_ctx_init(&c->c2.pulled_options_state, md_kt_get("MD5"));

-                c->c2.pulled_options_md5_init_done = true;

+                md_ctx_init(&c->c2.pulled_options_state, md_kt_get("SHA256"));

+                c->c2.pulled_options_digest_init_done = true;

             }

             if (!c->c2.did_pre_pull_restore)

             {

@@ -744,7 +744,7 @@ process_incoming_push_msg(struct context *c,

                     case 1:

                         md_ctx_final(&c->c2.pulled_options_state, c->c2.pulled_options_digest.digest);

                         md_ctx_cleanup(&c->c2.pulled_options_state);

-                        c->c2.pulled_options_md5_init_done = false;

+                        c->c2.pulled_options_digest_init_done = false;

                         ret = PUSH_MSG_REPLY;

                         break;