summaryrefslogtreecommitdiff
path: root/main/openvpn/contrib
diff options
context:
space:
mode:
authorArne Schwabe <arne@rfc2549.org>2015-04-15 00:17:26 +0200
committerArne Schwabe <arne@rfc2549.org>2015-04-15 00:20:23 +0200
commitc3ae4aaac9f0b168aed063d3e86c5196608eaba1 (patch)
tree1a18e7d8751d4dd3682d82d12c8441b335112984 /main/openvpn/contrib
parent5e42114d22faefe7c272b1b498fdf5640da494c7 (diff)
Move more to git, add submodules, fix build script, change hgignore to gitignore
Diffstat (limited to 'main/openvpn/contrib')
m---------main/openvpn0
-rw-r--r--main/openvpn/contrib/OCSP_check/OCSP_check.sh118
-rw-r--r--main/openvpn/contrib/README2
-rw-r--r--main/openvpn/contrib/keychain-mcd/cert_data.c733
-rw-r--r--main/openvpn/contrib/keychain-mcd/cert_data.h46
-rw-r--r--main/openvpn/contrib/keychain-mcd/common_osx.c94
-rw-r--r--main/openvpn/contrib/keychain-mcd/common_osx.h36
-rw-r--r--main/openvpn/contrib/keychain-mcd/crypto_osx.c75
-rw-r--r--main/openvpn/contrib/keychain-mcd/crypto_osx.h44
-rw-r--r--main/openvpn/contrib/keychain-mcd/keychain-mcd.8149
-rw-r--r--main/openvpn/contrib/keychain-mcd/main.c244
-rw-r--r--main/openvpn/contrib/multilevel-init.patch79
-rw-r--r--main/openvpn/contrib/openvpn-fwmarkroute-1.00/README44
-rwxr-xr-xmain/openvpn/contrib/openvpn-fwmarkroute-1.00/fwmarkroute.down22
-rwxr-xr-xmain/openvpn/contrib/openvpn-fwmarkroute-1.00/fwmarkroute.up49
-rw-r--r--main/openvpn/contrib/pull-resolv-conf/client.down47
-rw-r--r--main/openvpn/contrib/pull-resolv-conf/client.up101
17 files changed, 0 insertions, 1883 deletions
diff --git a/main/openvpn b/main/openvpn
new file mode 160000
+Subproject 7aaf01766f9718375986600216607aeb6397200
diff --git a/main/openvpn/contrib/OCSP_check/OCSP_check.sh b/main/openvpn/contrib/OCSP_check/OCSP_check.sh
deleted file mode 100644
index 6876c6d8..00000000
--- a/main/openvpn/contrib/OCSP_check/OCSP_check.sh
+++ /dev/null
@@ -1,118 +0,0 @@
-#!/bin/sh
-
-# Sample script to perform OCSP queries with OpenSSL
-# given a certificate serial number.
-
-# If you run your own CA, you can set up a very simple
-# OCSP server using the -port option to "openssl ocsp".
-
-# Full documentation and examples:
-# http://www.openssl.org/docs/apps/ocsp.html
-
-
-# Edit the following values to suit your needs
-
-# OCSP responder URL (mandatory)
-# YOU MUST UNCOMMENT ONE OF THESE AND SET IT TO A VALID SERVER
-#ocsp_url="http://ocsp.example.com/"
-#ocsp_url="https://ocsp.secure.example.com/"
-
-# Path to issuer certificate (mandatory)
-# YOU MUST SET THIS TO THE PATH TO THE CA CERTIFICATE
-issuer="/path/to/CAcert.crt"
-
-# use a nonce in the query, set to "-no_nonce" to not use it
-nonce="-nonce"
-
-# Verify the response
-# YOU MUST SET THIS TO THE PATH TO THE RESPONSE VERIFICATION CERT
-verify="/path/to/CAcert.crt"
-
-# Depth in the certificate chain where the cert to verify is.
-# Set to -1 to run the verification at every level (NOTE that
-# in that case you need a more complex script as the various
-# parameters for the query will likely be different at each level)
-# "0" is the usual value here, where the client certificate is
-check_depth=0
-
-cur_depth=$1 # this is the *CURRENT* depth
-common_name=$2 # CN in case you need it
-
-# minimal sanity checks
-
-err=0
-if [ -z "$issuer" ] || [ ! -e "$issuer" ]; then
- echo "Error: issuer certificate undefined or not found!" >&2
- err=1
-fi
-
-if [ -z "$verify" ] || [ ! -e "$verify" ]; then
- echo "Error: verification certificate undefined or not found!" >&2
- err=1
-fi
-
-if [ -z "$ocsp_url" ]; then
- echo "Error: OCSP server URL not defined!" >&2
- err=1
-fi
-
-if [ $err -eq 1 ]; then
- echo "Did you forget to customize the variables in the script?" >&2
- exit 1
-fi
-
-# begin
-if [ $check_depth -eq -1 ] || [ $cur_depth -eq $check_depth ]; then
-
- eval serial="\$tls_serial_${cur_depth}"
-
- # To successfully complete, the following must happen:
- #
- # - The serial number must not be empty
- # - The exit status of "openssl ocsp" must be zero
- # - The output of the above command must contain the line
- # "${serial}: good"
- #
- # Everything else fails with exit status 1.
-
- if [ -n "$serial" ]; then
-
- # This is only an example; you are encouraged to run this command (without
- # redirections) manually against your or your CA's OCSP server to see how
- # it responds, and adapt accordingly.
- # Sample output that is assumed here:
- #
- # Response verify OK
- # 4287405: good
- # This Update: Apr 24 19:38:49 2010 GMT
- # Next Update: May 2 14:23:42 2010 GMT
- #
- # NOTE: It is needed to check the exit code of OpenSSL explicitly. OpenSSL
- # can in some circumstances give a "good" result if it could not
- # reach the the OSCP server. In this case, the exit code will indicate
- # if OpenSSL itself failed or not. If OpenSSL's exit code is not 0,
- # don't trust the OpenSSL status.
-
- status=$(openssl ocsp -issuer "$issuer" \
- "$nonce" \
- -CAfile "$verify" \
- -url "$ocsp_url" \
- -serial "${serial}" 2>&1)
-
- if [ $? -eq 0 ]; then
- # check if ocsp didn't report any errors
- if echo "$status" | grep -Eq "(error|fail)"; then
- exit 1
- fi
- # check that the reported status of certificate is ok
- if echo "$status" | grep -Fq "^${serial}: good"; then
- # check if signature on the OCSP response verified correctly
- if echo "$status" | grep -Fq "^Response verify OK"; then
- exit 0
- fi
- fi
- fi
- fi
- # if we get here, something was wrong
- exit 1
-fi
diff --git a/main/openvpn/contrib/README b/main/openvpn/contrib/README
deleted file mode 100644
index e1a57d0e..00000000
--- a/main/openvpn/contrib/README
+++ /dev/null
@@ -1,2 +0,0 @@
-This directory contains scripts and patches contributed
-by users.
diff --git a/main/openvpn/contrib/keychain-mcd/cert_data.c b/main/openvpn/contrib/keychain-mcd/cert_data.c
deleted file mode 100644
index f2b33edc..00000000
--- a/main/openvpn/contrib/keychain-mcd/cert_data.c
+++ /dev/null
@@ -1,733 +0,0 @@
-/*
- * OpenVPN -- An application to securely tunnel IP networks
- * over a single UDP port, with support for SSL/TLS-based
- * session authentication and key exchange,
- * packet encryption, packet authentication, and
- * packet compression.
- *
- * Copyright (C) 2010 Brian Raderman <brian@irregularexpression.org>
- * Copyright (C) 2013-2015 Vasily Kulikov <segoon@openwall.com>
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2
- * as published by the Free Software Foundation.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
- */
-
-
-#include "cert_data.h"
-#include <CommonCrypto/CommonDigest.h>
-#include <openssl/ssl.h>
-
-#include "common_osx.h"
-#include "crypto_osx.h"
-#include <err.h>
-
-CFStringRef kCertDataSubjectName = CFSTR("subject"),
- kCertDataIssuerName = CFSTR("issuer"),
- kCertDataSha1Name = CFSTR("SHA1"),
- kCertDataMd5Name = CFSTR("MD5"),
- kCertDataSerialName = CFSTR("serial"),
- kCertNameFwdSlash = CFSTR("/"),
- kCertNameEquals = CFSTR("=");
-CFStringRef kCertNameOrganization = CFSTR("o"),
- kCertNameOrganizationalUnit = CFSTR("ou"),
- kCertNameCountry = CFSTR("c"),
- kCertNameLocality = CFSTR("l"),
- kCertNameState = CFSTR("st"),
- kCertNameCommonName = CFSTR("cn"),
- kCertNameEmail = CFSTR("e");
-CFStringRef kStringSpace = CFSTR(" "),
- kStringEmpty = CFSTR("");
-
-typedef struct _CertName
-{
- CFArrayRef countryName, organization, organizationalUnit, commonName, description, emailAddress,
- stateName, localityName;
-} CertName, *CertNameRef;
-
-typedef struct _DescData
-{
- CFStringRef name, value;
-} DescData, *DescDataRef;
-
-void destroyDescData(DescDataRef pData);
-
-CertNameRef createCertName()
-{
- CertNameRef pCertName = (CertNameRef)malloc(sizeof(CertName));
- pCertName->countryName = CFArrayCreateMutable(NULL, 0, &kCFTypeArrayCallBacks);
- pCertName->organization = CFArrayCreateMutable(NULL, 0, &kCFTypeArrayCallBacks);
- pCertName->organizationalUnit = CFArrayCreateMutable(NULL, 0, &kCFTypeArrayCallBacks);
- pCertName->commonName = CFArrayCreateMutable(NULL, 0, &kCFTypeArrayCallBacks);
- pCertName->description = CFArrayCreateMutable(NULL, 0, &kCFTypeArrayCallBacks);
- pCertName->emailAddress = CFArrayCreateMutable(NULL, 0, &kCFTypeArrayCallBacks);
- pCertName->stateName = CFArrayCreateMutable(NULL, 0, &kCFTypeArrayCallBacks);
- pCertName->localityName = CFArrayCreateMutable(NULL, 0, &kCFTypeArrayCallBacks);
- return pCertName;
-}
-
-void destroyCertName(CertNameRef pCertName)
-{
- if (!pCertName)
- return;
-
- CFRelease(pCertName->countryName);
- CFRelease(pCertName->organization);
- CFRelease(pCertName->organizationalUnit);
- CFRelease(pCertName->commonName);
- CFRelease(pCertName->description);
- CFRelease(pCertName->emailAddress);
- CFRelease(pCertName->stateName);
- CFRelease(pCertName->localityName);
- free(pCertName);
-}
-
-bool CFStringRefCmpCString(CFStringRef cfstr, const char *str)
-{
- CFStringRef tmp = CFStringCreateWithCStringNoCopy(NULL, str, kCFStringEncodingUTF8, kCFAllocatorNull);
- CFComparisonResult cresult = CFStringCompare(cfstr, tmp, 0);
- bool result = cresult == kCFCompareEqualTo;
- CFRelease(tmp);
- return result;
-}
-
-CFDateRef GetDateFieldFromCertificate(SecCertificateRef certificate, CFTypeRef oid)
-{
- const void *keys[] = { oid };
- CFDictionaryRef dict = NULL;
- CFErrorRef error;
- CFDateRef date = NULL;
-
- CFArrayRef keySelection = CFArrayCreate(NULL, keys , sizeof(keys)/sizeof(keys[0]), &kCFTypeArrayCallBacks);
- dict = SecCertificateCopyValues(certificate, keySelection, &error);
- if (dict == NULL)
- {
- printErrorMsg("GetDateFieldFromCertificate: SecCertificateCopyValues", error);
- goto release_ks;
- }
- CFDictionaryRef vals = dict ? CFDictionaryGetValue(dict, oid) : NULL;
- CFNumberRef vals2 = vals ? CFDictionaryGetValue(vals, kSecPropertyKeyValue) : NULL;
- if (vals2 == NULL)
- goto release_dict;
-
- CFAbsoluteTime validityNotBefore;
- if (CFNumberGetValue(vals2, kCFNumberDoubleType, &validityNotBefore))
- date = CFDateCreate(kCFAllocatorDefault,validityNotBefore);
-
-release_dict:
- CFRelease(dict);
-release_ks:
- CFRelease(keySelection);
- return date;
-}
-
-CFArrayRef GetFieldsFromCertificate(SecCertificateRef certificate, CFTypeRef oid)
-{
- CFMutableArrayRef fields = CFArrayCreateMutable(NULL, 0, NULL);
- CertNameRef pCertName = createCertName();
- const void* keys[] = { oid, };
- CFDictionaryRef dict;
- CFErrorRef error;
-
- CFArrayRef keySelection = CFArrayCreate(NULL, keys , 1, NULL);
-
- dict = SecCertificateCopyValues(certificate, keySelection, &error);
- if (dict == NULL) {
- printErrorMsg("GetFieldsFromCertificate: SecCertificateCopyValues", error);
- CFRelease(keySelection);
- CFRelease(fields);
- return NULL;
- }
- CFDictionaryRef vals = CFDictionaryGetValue(dict, oid);
- CFArrayRef vals2 = vals ? CFDictionaryGetValue(vals, kSecPropertyKeyValue) : NULL;
- if (vals2)
- {
- for(int i = 0; i < CFArrayGetCount(vals2); i++) {
- CFDictionaryRef subDict = CFArrayGetValueAtIndex(vals2, i);
- CFStringRef label = CFDictionaryGetValue(subDict, kSecPropertyKeyLabel);
- CFStringRef value = CFDictionaryGetValue(subDict, kSecPropertyKeyValue);
-
- if (CFStringCompare(label, kSecOIDEmailAddress, 0) == kCFCompareEqualTo)
- CFArrayAppendValue((CFMutableArrayRef)pCertName->emailAddress, value);
- else if (CFStringCompare(label, kSecOIDCountryName, 0) == kCFCompareEqualTo)
- CFArrayAppendValue((CFMutableArrayRef)pCertName->countryName, value);
- else if (CFStringCompare(label, kSecOIDOrganizationName, 0) == kCFCompareEqualTo)
- CFArrayAppendValue((CFMutableArrayRef)pCertName->organization, value);
- else if (CFStringCompare(label, kSecOIDOrganizationalUnitName, 0) == kCFCompareEqualTo)
- CFArrayAppendValue((CFMutableArrayRef)pCertName->organizationalUnit, value);
- else if (CFStringCompare(label, kSecOIDCommonName, 0) == kCFCompareEqualTo)
- CFArrayAppendValue((CFMutableArrayRef)pCertName->commonName, value);
- else if (CFStringCompare(label, kSecOIDDescription, 0) == kCFCompareEqualTo)
- CFArrayAppendValue((CFMutableArrayRef)pCertName->description, value);
- else if (CFStringCompare(label, kSecOIDStateProvinceName, 0) == kCFCompareEqualTo)
- CFArrayAppendValue((CFMutableArrayRef)pCertName->stateName, value);
- else if (CFStringCompare(label, kSecOIDLocalityName, 0) == kCFCompareEqualTo)
- CFArrayAppendValue((CFMutableArrayRef)pCertName->localityName, value);
- }
- CFArrayAppendValue(fields, pCertName);
- }
-
- CFRelease(dict);
- CFRelease(keySelection);
- return fields;
-}
-
-CertDataRef createCertDataFromCertificate(SecCertificateRef certificate)
-{
- CertDataRef pCertData = (CertDataRef)malloc(sizeof(CertData));
- pCertData->subject = GetFieldsFromCertificate(certificate, kSecOIDX509V1SubjectName);
- pCertData->issuer = GetFieldsFromCertificate(certificate, kSecOIDX509V1IssuerName);
-
- CFDataRef data = SecCertificateCopyData(certificate);
- if (data == NULL)
- {
- warnx("SecCertificateCopyData() returned NULL");
- destroyCertData(pCertData);
- return NULL;
- }
-
- unsigned char sha1[CC_SHA1_DIGEST_LENGTH];
- CC_SHA1(CFDataGetBytePtr(data), CFDataGetLength(data), sha1);
- pCertData->sha1 = createHexString(sha1, CC_SHA1_DIGEST_LENGTH);
-
- unsigned char md5[CC_MD5_DIGEST_LENGTH];
- CC_MD5(CFDataGetBytePtr(data), CFDataGetLength(data), md5);
- pCertData->md5 = createHexString((unsigned char*)md5, CC_MD5_DIGEST_LENGTH);
-
- CFDataRef serial = SecCertificateCopySerialNumber(certificate, NULL);
- pCertData->serial = createHexString((unsigned char *)CFDataGetBytePtr(serial), CFDataGetLength(serial));
- CFRelease(serial);
-
- return pCertData;
-}
-
-CFStringRef stringFromRange(const char *cstring, CFRange range)
-{
- CFStringRef str = CFStringCreateWithBytes (NULL, (uint8*)&cstring[range.location], range.length, kCFStringEncodingUTF8, false);
- CFMutableStringRef mutableStr = CFStringCreateMutableCopy(NULL, 0, str);
- CFStringTrimWhitespace(mutableStr);
- CFRelease(str);
- return mutableStr;
-}
-
-DescDataRef createDescData(const char *description, CFRange nameRange, CFRange valueRange)
-{
- DescDataRef pRetVal = (DescDataRef)malloc(sizeof(DescData));
-
- memset(pRetVal, 0, sizeof(DescData));
-
- if (nameRange.length > 0)
- pRetVal->name = stringFromRange(description, nameRange);
-
- if (valueRange.length > 0)
- pRetVal->value = stringFromRange(description, valueRange);
-
-#if 0
- fprintf(stderr, "name = '%s', value = '%s'\n",
- CFStringGetCStringPtr(pRetVal->name, kCFStringEncodingUTF8),
- CFStringGetCStringPtr(pRetVal->value, kCFStringEncodingUTF8));
-#endif
- return pRetVal;
-}
-
-void destroyDescData(DescDataRef pData)
-{
- if (pData->name)
- CFRelease(pData->name);
-
- if (pData->value)
- CFRelease(pData->value);
-
- free(pData);
-}
-
-CFArrayRef createDescDataPairs(const char *description)
-{
- int numChars = strlen(description);
- CFRange nameRange, valueRange;
- DescDataRef pData;
- CFMutableArrayRef retVal = CFArrayCreateMutable(NULL, 0, NULL);
-
- int i = 0;
-
- nameRange = CFRangeMake(0, 0);
- valueRange = CFRangeMake(0, 0);
- bool bInValue = false;
-
- while(i < numChars)
- {
- if (!bInValue && (description[i] != ':'))
- {
- nameRange.length++;
- }
- else if (bInValue && (description[i] != ':'))
- {
- valueRange.length++;
- }
- else if(!bInValue)
- {
- bInValue = true;
- valueRange.location = i + 1;
- valueRange.length = 0;
- }
- else //(bInValue)
- {
- bInValue = false;
- while(description[i] != ' ')
- {
- valueRange.length--;
- i--;
- }
-
- pData = createDescData(description, nameRange, valueRange);
- CFArrayAppendValue(retVal, pData);
-
- nameRange.location = i + 1;
- nameRange.length = 0;
- }
-
- i++;
- }
-
- pData = createDescData(description, nameRange, valueRange);
- CFArrayAppendValue(retVal, pData);
- return retVal;
-}
-
-void arrayDestroyDescData(const void *val, void *context)
-{
- DescDataRef pData = (DescDataRef) val;
- destroyDescData(pData);
-}
-
-
-int parseNameComponent(CFStringRef dn, CFStringRef *pName, CFStringRef *pValue)
-{
- CFArrayRef nameStrings = CFStringCreateArrayBySeparatingStrings(NULL, dn, kCertNameEquals);
-
- *pName = *pValue = NULL;
-
- if (CFArrayGetCount(nameStrings) != 2)
- return 0;
-
- CFMutableStringRef str;
-
- str = CFStringCreateMutableCopy(NULL, 0, CFArrayGetValueAtIndex(nameStrings, 0));
- CFStringTrimWhitespace(str);
- *pName = str;
-
- str = CFStringCreateMutableCopy(NULL, 0, CFArrayGetValueAtIndex(nameStrings, 1));
- CFStringTrimWhitespace(str);
- *pValue = str;
-
- CFRelease(nameStrings);
- return 1;
-}
-
-int tryAppendSingleCertField(CertNameRef pCertName, CFArrayRef where, CFStringRef key,
- CFStringRef name, CFStringRef value)
-{
- if (CFStringCompareWithOptions(name, key, CFRangeMake(0, CFStringGetLength(name)), kCFCompareCaseInsensitive)
- == kCFCompareEqualTo) {
- CFArrayAppendValue((CFMutableArrayRef)where, value);
- return 1;
- }
- return 0;
-}
-
-int appendCertField(CertNameRef pCert, CFStringRef name, CFStringRef value)
-{
- struct {
- CFArrayRef field;
- CFStringRef key;
- } fields[] = {
- { pCert->organization, kCertNameOrganization},
- { pCert->organizationalUnit, kCertNameOrganizationalUnit},
- { pCert->countryName, kCertNameCountry},
- { pCert->localityName, kCertNameLocality},
- { pCert->stateName, kCertNameState},
- { pCert->commonName, kCertNameCommonName},
- { pCert->emailAddress, kCertNameEmail},
- };
- int i;
- int ret = 0;
-
- for (i=0; i<sizeof(fields)/sizeof(fields[0]); i++)
- ret += tryAppendSingleCertField(pCert, fields[i].field, fields[i].key, name, value);
- return ret;
-}
-
-int parseCertName(CFStringRef nameDesc, CFMutableArrayRef names)
-{
- CFArrayRef nameStrings = CFStringCreateArrayBySeparatingStrings(NULL, nameDesc, kCertNameFwdSlash);
- int count = CFArrayGetCount(nameStrings);
- int i;
- int ret = 1;
-
- CertNameRef pCertName = createCertName();
-
- for(i = 0;i < count;i++)
- {
- CFMutableStringRef dn = CFStringCreateMutableCopy(NULL, 0, CFArrayGetValueAtIndex(nameStrings, i));
- CFStringTrimWhitespace(dn);
-
- CFStringRef name, value;
-
- if (!parseNameComponent(dn, &name, &value))
- ret = 0;
-
- if (!name || !value)
- {
- if (name)
- CFRelease(name);
-
- if (value)
- CFRelease(value);
- if (name && !value)
- ret = 0;
-
- CFRelease(dn);
- continue;
- }
-
- if (!appendCertField(pCertName, name, value))
- ret = 0;
- CFRelease(name);
- CFRelease(value);
- CFRelease(dn);
- }
-
- CFArrayAppendValue(names, pCertName);
- CFRelease(nameStrings);
- return ret;
-}
-
-int arrayParseDescDataPair(const void *val, void *context)
-{
- DescDataRef pDescData = (DescDataRef)val;
- CertDataRef pCertData = (CertDataRef)context;
- int ret = 1;
-
- if (!pDescData->name || !pDescData->value)
- return 0;
-
- if (CFStringCompareWithOptions(pDescData->name, kCertDataSubjectName, CFRangeMake(0, CFStringGetLength(pDescData->name)), kCFCompareCaseInsensitive) == kCFCompareEqualTo)
- ret = parseCertName(pDescData->value, (CFMutableArrayRef)pCertData->subject);
- else if (CFStringCompareWithOptions(pDescData->name, kCertDataIssuerName, CFRangeMake(0, CFStringGetLength(pDescData->name)), kCFCompareCaseInsensitive) == kCFCompareEqualTo)
- ret = parseCertName(pDescData->value, (CFMutableArrayRef)pCertData->issuer);
- else if (CFStringCompareWithOptions(pDescData->name, kCertDataSha1Name, CFRangeMake(0, CFStringGetLength(pDescData->name)), kCFCompareCaseInsensitive) == kCFCompareEqualTo)
- pCertData->sha1 = CFRetain(pDescData->value);
- else if (CFStringCompareWithOptions(pDescData->name, kCertDataMd5Name, CFRangeMake(0, CFStringGetLength(pDescData->name)), kCFCompareCaseInsensitive) == kCFCompareEqualTo)
- pCertData->md5 = CFRetain(pDescData->value);
- else if (CFStringCompareWithOptions(pDescData->name, kCertDataSerialName, CFRangeMake(0, CFStringGetLength(pDescData->name)), kCFCompareCaseInsensitive) == kCFCompareEqualTo)
- pCertData->serial = CFRetain(pDescData->value);
- else
- return 0;
-
- return ret;
-}
-
-CertDataRef createCertDataFromString(const char *description)
-{
- CertDataRef pCertData = (CertDataRef)malloc(sizeof(CertData));
- pCertData->subject = CFArrayCreateMutable(NULL, 0, NULL);
- pCertData->issuer = CFArrayCreateMutable(NULL, 0, NULL);
- pCertData->sha1 = NULL;
- pCertData->md5 = NULL;
- pCertData->serial = NULL;
-
- CFArrayRef pairs = createDescDataPairs(description);
- for (int i=0; i<CFArrayGetCount(pairs); i++)
- if (!arrayParseDescDataPair(CFArrayGetValueAtIndex(pairs, i), pCertData)) {
- arrayDestroyDescData(pCertData, NULL);
- CFArrayApplyFunction(pairs, CFRangeMake(0, CFArrayGetCount(pairs)), arrayDestroyDescData, NULL);
- CFRelease(pairs);
- return 0;
- }
-
- CFArrayApplyFunction(pairs, CFRangeMake(0, CFArrayGetCount(pairs)), arrayDestroyDescData, NULL);
- CFRelease(pairs);
- return pCertData;
-}
-
-void arrayDestroyCertName(const void *val, void *context)
-{
- CertNameRef pCertName = (CertNameRef)val;
- destroyCertName(pCertName);
-}
-
-void destroyCertData(CertDataRef pCertData)
-{
- if (pCertData->subject)
- {
- CFArrayApplyFunction(pCertData->subject, CFRangeMake(0, CFArrayGetCount(pCertData->subject)), arrayDestroyCertName, NULL);
- CFRelease(pCertData->subject);
- }
-
- if (pCertData->issuer)
- {
- CFArrayApplyFunction(pCertData->issuer, CFRangeMake(0, CFArrayGetCount(pCertData->issuer)), arrayDestroyCertName, NULL);
- CFRelease(pCertData->issuer);
- }
-
- if (pCertData->sha1)
- CFRelease(pCertData->sha1);
-
- if (pCertData->md5)
- CFRelease(pCertData->md5);
-
- if (pCertData->serial)
- CFRelease(pCertData->serial);
-
- free(pCertData);
-}
-
-bool stringArrayMatchesTemplate(CFArrayRef strings, CFArrayRef templateArray)
-{
- int templateCount, stringCount, i;
-
- templateCount = CFArrayGetCount(templateArray);
-
- if (templateCount > 0)
- {
- stringCount = CFArrayGetCount(strings);
- if (stringCount != templateCount)
- return false;
-
- for(i = 0;i < stringCount;i++)
- {
- CFStringRef str, template;
-
- template = (CFStringRef)CFArrayGetValueAtIndex(templateArray, i);
- str = (CFStringRef)CFArrayGetValueAtIndex(strings, i);
-
- if (CFStringCompareWithOptions(template, str, CFRangeMake(0, CFStringGetLength(template)), kCFCompareCaseInsensitive) != kCFCompareEqualTo)
- return false;
- }
- }
-
- return true;
-
-}
-
-bool certNameMatchesTemplate(CertNameRef pCertName, CertNameRef pTemplate)
-{
- if (!stringArrayMatchesTemplate(pCertName->countryName, pTemplate->countryName))
- return false;
- else if (!stringArrayMatchesTemplate(pCertName->organization, pTemplate->organization))
- return false;
- else if (!stringArrayMatchesTemplate(pCertName->organizationalUnit, pTemplate->organizationalUnit))
- return false;
- else if (!stringArrayMatchesTemplate(pCertName->commonName, pTemplate->commonName))
- return false;
- else if (!stringArrayMatchesTemplate(pCertName->emailAddress, pTemplate->emailAddress))
- return false;
- else if (!stringArrayMatchesTemplate(pCertName->stateName, pTemplate->stateName))
- return false;
- else if (!stringArrayMatchesTemplate(pCertName->localityName, pTemplate->localityName))
- return false;
- else
- return true;
-}
-
-bool certNameArrayMatchesTemplate(CFArrayRef certNameArray, CFArrayRef templateArray)
-{
- int templateCount, certCount, i;
-
- templateCount = CFArrayGetCount(templateArray);
-
- if (templateCount > 0)
- {
- certCount = CFArrayGetCount(certNameArray);
- if (certCount != templateCount)
- return false;
-
- for(i = 0;i < certCount;i++)
- {
- CertNameRef pName, pTemplateName;
-
- pTemplateName = (CertNameRef)CFArrayGetValueAtIndex(templateArray, i);
- pName = (CertNameRef)CFArrayGetValueAtIndex(certNameArray, i);
-
- if (!certNameMatchesTemplate(pName, pTemplateName))
- return false;
- }
- }
-
- return true;
-}
-
-bool hexStringMatchesTemplate(CFStringRef str, CFStringRef template)
-{
- if (template)
- {
- if (!str)
- return false;
-
- CFMutableStringRef strMutable, templateMutable;
-
- strMutable = CFStringCreateMutableCopy(NULL, 0, str);
- templateMutable = CFStringCreateMutableCopy(NULL, 0, template);
-
- CFStringFindAndReplace(strMutable, kStringSpace, kStringEmpty, CFRangeMake(0, CFStringGetLength(strMutable)), 0);
- CFStringFindAndReplace(templateMutable, kStringSpace, kStringEmpty, CFRangeMake(0, CFStringGetLength(templateMutable)), 0);
-
- CFComparisonResult result = CFStringCompareWithOptions(templateMutable, strMutable, CFRangeMake(0, CFStringGetLength(templateMutable)), kCFCompareCaseInsensitive);
-
- CFRelease(strMutable);
- CFRelease(templateMutable);
-
- if (result != kCFCompareEqualTo)
- return false;
- }
-
- return true;
-}
-
-bool certDataMatchesTemplate(CertDataRef pCertData, CertDataRef pTemplate)
-{
- if (!certNameArrayMatchesTemplate(pCertData->subject, pTemplate->subject))
- return false;
-
- if (!certNameArrayMatchesTemplate(pCertData->issuer, pTemplate->issuer))
- return false;
-
- if (!hexStringMatchesTemplate(pCertData->sha1, pTemplate->sha1))
- return false;
-
- if (!hexStringMatchesTemplate(pCertData->md5, pTemplate->md5))
- return false;
-
- if (!hexStringMatchesTemplate(pCertData->serial, pTemplate->serial))
- return false;
-
- return true;
-}
-
-bool certExpired(SecCertificateRef certificate)
-{
- bool result;
- CFDateRef notAfter = GetDateFieldFromCertificate(certificate, kSecOIDX509V1ValidityNotAfter);
- CFDateRef notBefore = GetDateFieldFromCertificate(certificate, kSecOIDX509V1ValidityNotBefore);
- CFDateRef now = CFDateCreate(kCFAllocatorDefault, CFAbsoluteTimeGetCurrent());
-
- if (!notAfter || !notBefore || !now)
- {
- warnx("GetDateFieldFromCertificate() returned NULL");
- result = true;
- }
- else
- {
- if (CFDateCompare(notBefore, now, NULL) != kCFCompareLessThan ||
- CFDateCompare(now, notAfter, NULL) != kCFCompareLessThan)
- result = true;
- else
- result = false;
- }
-
- CFRelease(notAfter);
- CFRelease(notBefore);
- CFRelease(now);
- return result;
-}
-
-SecIdentityRef findIdentity(CertDataRef pCertDataTemplate)
-{
- const void *keys[] = {
- kSecClass,
- kSecReturnRef,
- kSecMatchLimit
- };
- const void *values[] = {
- kSecClassIdentity,
- kCFBooleanTrue,
- kSecMatchLimitAll
- };
- CFArrayRef result = NULL;
-
- CFDictionaryRef query = CFDictionaryCreate(NULL, keys, values,
- sizeof(keys) / sizeof(*keys),
- &kCFTypeDictionaryKeyCallBacks,
- &kCFTypeDictionaryValueCallBacks);
- OSStatus status = SecItemCopyMatching(query, (CFTypeRef*)&result);
- CFRelease(query);
- if (status != noErr)
- {
- warnx ("No identities in keychain found");
- return NULL;
- }
-
- SecIdentityRef bestIdentity = NULL;
- CFDateRef bestNotBeforeDate = NULL;
-
- for (int i=0; i<CFArrayGetCount(result); i++)
- {
- SecIdentityRef identity = (SecIdentityRef)CFArrayGetValueAtIndex(result, i);
- if (identity == NULL)
- {
- warnx ("identity == NULL");
- continue;
- }
-
- SecCertificateRef certificate = NULL;
- SecIdentityCopyCertificate (identity, &certificate);
- if (certificate == NULL)
- {
- warnx ("SecIdentityCopyCertificate() returned NULL");
- continue;
- }
-
- CertDataRef pCertData2 = createCertDataFromCertificate(certificate);
- if (pCertData2 == NULL)
- {
- warnx ("createCertDataFromCertificate() returned NULL");
- goto release_cert;
- }
- bool bMatches = certDataMatchesTemplate(pCertData2, pCertDataTemplate);
- bool bExpired = certExpired(certificate);
- destroyCertData(pCertData2);
-
- if (bMatches && !bExpired)
- {
- CFDateRef notBeforeDate = GetDateFieldFromCertificate(certificate, kSecOIDX509V1ValidityNotBefore);
- if (!notBeforeDate)
- {
- warnx ("GetDateFieldFromCertificate() returned NULL");
- goto release_cert;
- }
- if (bestIdentity == NULL)
- {
- CFRetain(identity);
- bestIdentity = identity;
-
- bestNotBeforeDate = notBeforeDate;
- CFRetain(notBeforeDate);
- }
- else if (CFDateCompare(bestNotBeforeDate, notBeforeDate, NULL) == kCFCompareLessThan)
- {
- CFRelease(bestIdentity);
- CFRetain(identity);
- bestIdentity = identity;
-
- bestNotBeforeDate = notBeforeDate;
- CFRetain(notBeforeDate);
- }
- CFRelease(notBeforeDate);
- }
- release_cert:
- CFRelease(certificate);
- }
- CFRelease(result);
-
- return bestIdentity;
-}
diff --git a/main/openvpn/contrib/keychain-mcd/cert_data.h b/main/openvpn/contrib/keychain-mcd/cert_data.h
deleted file mode 100644
index 407cca1c..00000000
--- a/main/openvpn/contrib/keychain-mcd/cert_data.h
+++ /dev/null
@@ -1,46 +0,0 @@
-/*
- * OpenVPN -- An application to securely tunnel IP networks
- * over a single UDP port, with support for SSL/TLS-based
- * session authentication and key exchange,
- * packet encryption, packet authentication, and
- * packet compression.
- *
- * Copyright (C) 2010 Brian Raderman <brian@irregularexpression.org>
- * Copyright (C) 2013-2015 Vasily Kulikov <segoon@openwall.com>
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2
- * as published by the Free Software Foundation.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
- */
-#ifndef __cert_data_h__
-#define __cert_data_h__
-
-#include <CoreFoundation/CoreFoundation.h>
-#include <Security/Security.h>
-
-typedef struct _CertData
-{
- CFArrayRef subject;
- CFArrayRef issuer;
- CFStringRef serial;
- CFStringRef md5, sha1;
-} CertData, *CertDataRef;
-
-CertDataRef createCertDataFromCertificate(SecCertificateRef certificate);
-CertDataRef createCertDataFromString(const char *description);
-void destroyCertData(CertDataRef pCertData);
-bool certDataMatchesTemplate(CertDataRef pCertData, CertDataRef pTemplate);
-void printCertData(CertDataRef pCertData);
-SecIdentityRef findIdentity(CertDataRef pCertDataTemplate);
-
-#endif
diff --git a/main/openvpn/contrib/keychain-mcd/common_osx.c b/main/openvpn/contrib/keychain-mcd/common_osx.c
deleted file mode 100644
index 3effa8b0..00000000
--- a/main/openvpn/contrib/keychain-mcd/common_osx.c
+++ /dev/null
@@ -1,94 +0,0 @@
-/*
- * OpenVPN -- An application to securely tunnel IP networks
- * over a single UDP port, with support for SSL/TLS-based
- * session authentication and key exchange,
- * packet encryption, packet authentication, and
- * packet compression.
- *
- * Copyright (C) 2010 Brian Raderman <brian@irregularexpression.org>
- * Copyright (C) 2013-2015 Vasily Kulikov <segoon@openwall.com>
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2
- * as published by the Free Software Foundation.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
- */
-
-/*
-#include "config.h"
-#include "syshead.h"
-#include "common.h"
-#include "buffer.h"
-#include "error.h"
-*/
-
-#include "common_osx.h"
-#include <err.h>
-
-void printCFString(CFStringRef str)
-{
- CFIndex bufferLength = CFStringGetLength(str) + 1;
- char *pBuffer = (char*)malloc(sizeof(char) * bufferLength);
- CFStringGetCString(str, pBuffer, bufferLength, kCFStringEncodingUTF8);
- warnx("%s\n", pBuffer);
- free(pBuffer);
-}
-
-char* cfstringToCstr(CFStringRef str)
-{
- CFIndex bufferLength = CFStringGetLength(str) + 1;
- char *pBuffer = (char*)malloc(sizeof(char) * bufferLength);
- CFStringGetCString(str, pBuffer, bufferLength, kCFStringEncodingUTF8);
- return pBuffer;
-}
-
-void appendHexChar(CFMutableStringRef str, unsigned char halfByte)
-{
- if (halfByte < 10)
- {
- CFStringAppendFormat (str, NULL, CFSTR("%d"), halfByte);
- }
- else
- {
- char tmp[2] = {'A'+halfByte-10, 0};
- CFStringAppendCString(str, tmp, kCFStringEncodingUTF8);
- }
-}
-
-CFStringRef createHexString(unsigned char *pData, int length)
-{
- unsigned char byte, low, high;
- int i;
- CFMutableStringRef str = CFStringCreateMutable(NULL, 0);
-
- for(i = 0;i < length;i++)
- {
- byte = pData[i];
- low = byte & 0x0F;
- high = (byte >> 4);
-
- appendHexChar(str, high);
- appendHexChar(str, low);
-
- if (i != (length - 1))
- CFStringAppendCString(str, " ", kCFStringEncodingUTF8);
- }
-
- return str;
-}
-
-void printHex(unsigned char *pData, int length)
-{
- CFStringRef hexStr = createHexString(pData, length);
- printCFString(hexStr);
- CFRelease(hexStr);
-}
diff --git a/main/openvpn/contrib/keychain-mcd/common_osx.h b/main/openvpn/contrib/keychain-mcd/common_osx.h
deleted file mode 100644
index 42735486..00000000
--- a/main/openvpn/contrib/keychain-mcd/common_osx.h
+++ /dev/null
@@ -1,36 +0,0 @@
-/*
- * OpenVPN -- An application to securely tunnel IP networks
- * over a single UDP port, with support for SSL/TLS-based
- * session authentication and key exchange,
- * packet encryption, packet authentication, and
- * packet compression.
- *
- * Copyright (C) 2010 Brian Raderman <brian@irregularexpression.org>
- * Copyright (C) 2013-2015 Vasily Kulikov <segoon@openwall.com>
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2
- * as published by the Free Software Foundation.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
- */
-
-#ifndef __common_osx_h__
-#define __common_osx_h__
-
-#include <CoreFoundation/CoreFoundation.h>
-
-void printCFString(CFStringRef str);
-char* cfstringToCstr(CFStringRef str);
-CFStringRef createHexString(unsigned char *pData, int length);
-void printHex(unsigned char *pData, int length);
-
-#endif //__Common_osx_h__
diff --git a/main/openvpn/contrib/keychain-mcd/crypto_osx.c b/main/openvpn/contrib/keychain-mcd/crypto_osx.c
deleted file mode 100644
index 87ba09ba..00000000
--- a/main/openvpn/contrib/keychain-mcd/crypto_osx.c
+++ /dev/null
@@ -1,75 +0,0 @@
-/*
- * OpenVPN -- An application to securely tunnel IP networks
- * over a single UDP port, with support for SSL/TLS-based
- * session authentication and key exchange,
- * packet encryption, packet authentication, and
- * packet compression.
- *
- * Copyright (C) 2010 Brian Raderman <brian@irregularexpression.org>
- * Copyright (C) 2013-2015 Vasily Kulikov <segoon@openwall.com>
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2
- * as published by the Free Software Foundation.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
- */
-
-
-#include <CommonCrypto/CommonDigest.h>
-#include <Security/SecKey.h>
-#include <Security/Security.h>
-
-#include "crypto_osx.h"
-#include <err.h>
-
-void printErrorMsg(const char *func, CFErrorRef error)
-{
- CFStringRef desc = CFErrorCopyDescription(error);
- warnx("%s failed: %s", func, CFStringGetCStringPtr(desc, kCFStringEncodingUTF8));
- CFRelease(desc);
-}
-
-void printErrorStatusMsg(const char *func, OSStatus status)
-{
- CFStringRef error;
- error = SecCopyErrorMessageString(status, NULL);
- if (error)
- {
- warnx("%s failed: %s", func, CFStringGetCStringPtr(error, kCFStringEncodingUTF8));
- CFRelease(error);
- }
- else
- warnx("%s failed: %X", func, (int)status);
-}
-
-void signData(SecIdentityRef identity, const uint8_t *from, int flen, uint8_t *to, size_t *tlen)
-{
- SecKeyRef privateKey = NULL;
- OSStatus status;
-
- status = SecIdentityCopyPrivateKey(identity, &privateKey);
- if (status != noErr)
- {
- printErrorStatusMsg("signData: SecIdentityCopyPrivateKey", status);
- *tlen = 0;
- return;
- }
-
- status = SecKeyRawSign(privateKey, kSecPaddingPKCS1, from, flen, to, tlen);
- CFRelease(privateKey);
- if (status != noErr)
- {
- printErrorStatusMsg("signData: SecKeyRawSign", status);
- *tlen = 0;
- return;
- }
-}
diff --git a/main/openvpn/contrib/keychain-mcd/crypto_osx.h b/main/openvpn/contrib/keychain-mcd/crypto_osx.h
deleted file mode 100644
index 0da58b60..00000000
--- a/main/openvpn/contrib/keychain-mcd/crypto_osx.h
+++ /dev/null
@@ -1,44 +0,0 @@
-/*
- * OpenVPN -- An application to securely tunnel IP networks
- * over a single UDP port, with support for SSL/TLS-based
- * session authentication and key exchange,
- * packet encryption, packet authentication, and
- * packet compression.
- *
- * Copyright (C) 2010 Brian Raderman <brian@irregularexpression.org>
- * Copyright (C) 2013-2015 Vasily Kulikov <segoon@openwall.com>
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2
- * as published by the Free Software Foundation.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
- */
-
-#ifndef __crypto_osx_h__
-#define __crypto_osx_h__
-
-#include <CoreFoundation/CoreFoundation.h>
-#include <Security/Security.h>
-
-extern OSStatus SecKeyRawSign (
- SecKeyRef key,
- SecPadding padding,
- const uint8_t *dataToSign,
- size_t dataToSignLen,
- uint8_t *sig,
- size_t *sigLen
-);
-
-void signData(SecIdentityRef identity, const uint8_t *from, int flen, uint8_t *to, size_t *tlen);
-void printErrorMsg(const char *func, CFErrorRef error);
-
-#endif //__crypto_osx_h__
diff --git a/main/openvpn/contrib/keychain-mcd/keychain-mcd.8 b/main/openvpn/contrib/keychain-mcd/keychain-mcd.8
deleted file mode 100644
index c4581e7b..00000000
--- a/main/openvpn/contrib/keychain-mcd/keychain-mcd.8
+++ /dev/null
@@ -1,149 +0,0 @@
-.TH keychain-mcd 8
-.SH NAME
-
-keychain-mcd \- Mac OS X Keychain management daemon for OpenVPN
-
-.SH SYNOPSIS
-
-.B keychain-mcd
-.I identity-template management-server-ip management-server-port
-[
-.I password-file
-]
-
-.SH DESCRIPTION
-
-.B keychain-mcd
-is Mac OS X Keychain management daemon for OpenVPN.
-It loads the certificate and private key from the Mac OSX Keychain (Mac OSX Only).
-.B keychain-mcd
-connects to OpenVPN via management interface and handles
-certificate and private key commands (namely
-.B NEED-CERTIFICATE
-and
-.B RSA-SIGN
-commands).
-
-.B keychain-mcd
-makes it possible to use any smart card supported by Mac OSX using the tokend interface, but also any
-kind of certificate, residing in the Keychain, where you have access to
-the private key. This option has been tested on the client side with an Aladdin eToken
-on Mac OSX Leopard and with software certificates stored in the Keychain on Mac OS X.
-
-Note that Mac OS X might need to present the user with an authentication GUI when the Keychain
-is accessed by keychain-mcd.
-
-Use
-.B keychain-mcd
-along with
-.B --management-external-key
-and/or
-.B --management-external-cert
-passed to
-.B openvpn.
-
-.SH OPTIONS
-
-.TP
-.BR identity-template
-
-A select string which is used to choose a keychain identity from
-Mac OS X Keychain.
-
-\fBSubject\fR, \fBIssuer\fR, \fBSerial\fR, \fBSHA1\fR, \fBMD5\fR selectors can be used.
-
-To select a certificate based on a string search in the
-certificate's subject and/or issuer:
-
-.nf
-
-"SUBJECT:c=US/o=Apple Inc./ou=me.com/cn=username ISSUER:c=US/o=Apple Computer, Inc./ou=Apple Computer Certificate Authority/cn=Apple .Mac Certificate Authority"
-
-.fi
-
-.I "Distinguished Name Component Abbreviations:"
-.br
-o = organization
-.br
-ou = organizational unit
-.br
-c = country
-.br
-l = locality
-.br
-st = state
-.br
-cn = common name
-.br
-e = email
-.br
-
-All of the distinguished name components are optional, although you do need to specify at least one of them. You can
-add spaces around the '/' and '=' characters, e.g. "SUBJECT: c = US / o = Apple Inc.". You do not need to specify
-both the subject and the issuer, one or the other will work fine.
-The identity searching algorithm will return the
-certificate it finds that matches all of the criteria you have specified.
-If there are several certificates matching all of the criteria then the youngest certificate is returned
-(i.e. with the greater "not before" validity field).
-You can also include the MD5 and/or SHA1 thumbprints and/or serial number
-along with the subject and issuer.
-
-To select a certificate based on certificate's MD5 or SHA1 thumbprint:
-
-.nf
-"SHA1: 30 F7 3A 7A B7 73 2A 98 54 33 4A A7 00 6F 6E AC EC D1 EF 02"
-
-"MD5: D5 F5 11 F1 38 EB 5F 4D CF 23 B6 94 E8 33 D8 B5"
-.fi
-
-Again, you can include both the SHA1 and the MD5 thumbprints, but you can also use just one of them.
-The thumbprint hex strings can easily be copy-and-pasted from the OSX Keychain Access GUI in the Applications/Utilities folder.
-The hex string comparison is not case sensitive.
-
-To select a certificate based on certificate's serial number:
-
-"Serial: 3E 9B 6F 02 00 00 00 01 1F 20"
-
-.TP
-.BR management-server-ip
-OpenVPN management IP to connect to.
-Both IPv4 and IPv6 addresses can be used.
-
-.TP
-.BR management-server-port
-OpenVPN management port to connect to.
-Use
-.B unix
-for
-.I management-server-port
-and socket path for
-.I management-server-ip
-to connect to a local unix socket.
-
-.TP
-.BR password-file
-
-Password file containing the management password on first line.
-The password will be used to connect to
-.B openvpn
-management interface.
-
-Pass
-.I password-file
-to
-.B keychain-mcd
-if
-.I pw-file
-was specified in
-.B --management
-option to
-.B openvpn.
-
-
-.SH AUTHOR
-
-Vasily Kulikov <segoon@openwall.com>
-
-.SH "SEE ALSO"
-
-.BR openvpn (8)
diff --git a/main/openvpn/contrib/keychain-mcd/main.c b/main/openvpn/contrib/keychain-mcd/main.c
deleted file mode 100644
index 5f59403c..00000000
--- a/main/openvpn/contrib/keychain-mcd/main.c
+++ /dev/null
@@ -1,244 +0,0 @@
-/*
- * OpenVPN -- An application to securely tunnel IP networks
- * over a single UDP port, with support for SSL/TLS-based
- * session authentication and key exchange,
- * packet encryption, packet authentication, and
- * packet compression.
- *
- * Copyright (C) 2015 Vasily Kulikov <segoon@openwall.com>
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2
- * as published by the Free Software Foundation.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
- */
-
-
-#include <sys/socket.h>
-#include <netinet/in.h>
-#include <arpa/inet.h>
-#include <sys/un.h>
-#include <err.h>
-#include <netdb.h>
-
-#include <Security/Security.h>
-#include <CoreServices/CoreServices.h>
-
-#include "cert_data.h"
-#include "crypto_osx.h"
-#include "../../src/openvpn/base64.h"
-
-
-SecIdentityRef template_to_identity(const char *template)
-{
- SecIdentityRef identity;
- CertDataRef pCertDataTemplate = createCertDataFromString(template);
- if (pCertDataTemplate == NULL)
- errx(1, "Bad certificate template");
- identity = findIdentity(pCertDataTemplate);
- if (identity == NULL)
- errx(1, "No such identify");
- fprintf(stderr, "Identity found\n");
- destroyCertData(pCertDataTemplate);
- return identity;
-}
-
-int connect_to_management_server(const char *ip, const char *port)
-{
- int fd;
- struct sockaddr_un addr_un;
- struct sockaddr *addr;
- size_t addr_len;
-
- if (strcmp(port, "unix") == 0) {
- addr = (struct sockaddr*)&addr_un;
- addr_len = sizeof(addr_un);
-
- addr_un.sun_family = AF_UNIX;
- strncpy(addr_un.sun_path, ip, sizeof(addr_un.sun_path));
- fd = socket(AF_UNIX, SOCK_STREAM, 0);
- }
- else {
- int rv;
- struct addrinfo *result;
- struct addrinfo hints;
-
- memset(&hints, 0, sizeof(hints));
- hints.ai_family = AF_UNSPEC;
- hints.ai_socktype = SOCK_STREAM;
-
- rv = getaddrinfo(ip, port, &hints, &result);
- if (rv < 0)
- errx(1, "getaddrinfo: %s", gai_strerror(rv));
- if (result == NULL)
- errx(1, "getaddrinfo returned 0 addressed");
-
- /* Use the first found address */
- fd = socket(result->ai_family, result->ai_socktype, result->ai_protocol);
- addr = result->ai_addr;
- addr_len = result->ai_addrlen;
- }
- if (fd < 0)
- err(1, "socket");
-
- if (connect(fd, addr, addr_len) < 0)
- err(1, "connect");
-
- return fd;
-}
-
-int is_prefix(const char *s, const char *prefix)
-{
- return strncmp(s, prefix, strlen(prefix)) == 0;
-}
-
-void handle_rsasign(FILE *man_file, SecIdentityRef identity, const char *input)
-{
- const char *input_b64 = strchr(input, ':') + 1;
- char *input_binary;
- int input_len;
- char *output_binary;
- size_t output_len;
- char *output_b64;
-
- input_len = strlen(input_b64)*8/6 + 4;
- input_binary = malloc(input_len);
- input_len = openvpn_base64_decode(input_b64, input_binary, input_len);
- if (input_len < 0)
- errx(1, "openvpn_base64_decode: overflow");
-
- output_len = 1024;
- output_binary = malloc(output_len);
- signData(identity, (const uint8_t *)input_binary, input_len, (uint8_t *)output_binary, &output_len);
- if (output_len == 0)
- errx(1, "handle_rsasign: failed to sign data");
-
- openvpn_base64_encode(output_binary, output_len, &output_b64);
- fprintf(man_file, "rsa-sig\n%s\nEND\n", output_b64);
- free(output_b64);
- free(input_binary);
- free(output_binary);
-
- fprintf(stderr, "Handled RSA_SIGN command\n");
-}
-
-void handle_needcertificate(FILE *man_file, SecIdentityRef identity)
-{
- OSStatus status;
- SecCertificateRef certificate = NULL;
- CFDataRef data;
- const unsigned char *cert;
- size_t cert_len;
- char *result_b64, *tmp_b64;
-
- status = SecIdentityCopyCertificate(identity, &certificate);
- if (status != noErr) {
- const char *msg = GetMacOSStatusErrorString(status);
- err(1, "SecIdentityCopyCertificate() failed: %s", msg);
- }
-
- data = SecCertificateCopyData(certificate);
- if (data == NULL)
- err(1, "SecCertificateCopyData() returned NULL");
-
- cert = CFDataGetBytePtr(data);
- cert_len = CFDataGetLength(data);
-
- openvpn_base64_encode(cert, cert_len, &result_b64);
-#if 0
- fprintf(stderr, "certificate %s\n", result_b64);
-#endif
-
- fprintf(man_file, "certificate\n");
- fprintf(man_file, "-----BEGIN CERTIFICATE-----\n");
- tmp_b64 = result_b64;
- while (strlen(tmp_b64) > 64) {
- fprintf(man_file, "%.64s\n", tmp_b64);
- tmp_b64 += 64;
- }
- if (*tmp_b64)
- fprintf(man_file, "%s\n", tmp_b64);
- fprintf(man_file, "-----END CERTIFICATE-----\n");
- fprintf(man_file, "END\n");
-
- free(result_b64);
- CFRelease(data);
- CFRelease(certificate);
-
- fprintf(stderr, "Handled NEED 'cert' command\n");
-}
-
-void management_loop(SecIdentityRef identity, int man_fd, const char *password)
-{
- char *buffer = NULL;
- size_t buffer_len = 0;
- FILE *man = fdopen(man_fd, "w+");
- if (man == 0)
- err(1, "fdopen");
-
- if (password)
- fprintf(man, "%s\n", password);
-
- while (1) {
- if (getline(&buffer, &buffer_len, man) < 0)
- err(1, "getline");
-#if 0
- fprintf(stderr, "M: %s", buffer);
-#endif
-
- if (is_prefix(buffer, ">RSA_SIGN:"))
- handle_rsasign(man, identity, buffer);
- if (is_prefix(buffer, ">NEED-CERTIFICATE"))
- handle_needcertificate(man, identity);
- if (is_prefix(buffer, ">FATAL"))
- fprintf(stderr, "Fatal message from OpenVPN: %s\n", buffer+7);
- if (is_prefix(buffer, ">INFO"))
- fprintf(stderr, "INFO message from OpenVPN: %s\n", buffer+6);
- }
-}
-
-char *read_password(const char *fname)
-{
- char *password = NULL;
- FILE *pwf = fopen(fname, "r");
- size_t n = 0;
-
- if (pwf == NULL)
- errx(1, "fopen(%s) failed", fname);
- if (getline(&password, &n, pwf) < 0)
- err(1, "getline");
- fclose(pwf);
- return password;
-}
-
-int main(int argc, char* argv[])
-{
- if (argc < 4)
- err(1, "usage: %s <identity_template> <management_ip> <management_port> [<pw-file>]", argv[0]);
-
- char *cert_prop = argv[1];
- char *s_ip = argv[2];
- char *s_port = argv[3];
- char *password = NULL;
- int man_fd;
-
- if (argc > 4) {
- char *s_pw_file = argv[4];
- password = read_password(s_pw_file);
- }
-
- SecIdentityRef identity = template_to_identity(cert_prop);
- man_fd = connect_to_management_server(s_ip, s_port);
- fprintf(stderr, "Successfully connected to openvpn\n");
-
- management_loop(identity, man_fd, password);
-}
diff --git a/main/openvpn/contrib/multilevel-init.patch b/main/openvpn/contrib/multilevel-init.patch
deleted file mode 100644
index 8d48fbcd..00000000
--- a/main/openvpn/contrib/multilevel-init.patch
+++ /dev/null
@@ -1,79 +0,0 @@
---- /etc/init.d/openvpn 2004-05-12 20:30:06.000000000 +0200
-+++ openvpn 2004-05-12 20:34:33.000000000 +0200
-@@ -58,13 +58,13 @@
- # returning success or failure status to caller (James Yonan).
-
- # Location of openvpn binary
--openvpn="/usr/sbin/openvpn"
-+openvpn=/usr/sbin/openvpn
-
- # Lockfile
--lock="/var/lock/subsys/openvpn"
-+lock=/var/lock/subsys/openvpn
-
- # PID directory
--piddir="/var/run/openvpn"
-+piddir=/var/run/openvpn
-
- # Our working directory
- work=/etc/openvpn
-@@ -106,7 +106,7 @@
-
- if [ -f $lock ]; then
- # we were not shut down correctly
-- for pidf in `/bin/ls $piddir/*.pid $piddir/*/*.pid 2>/dev/null`; do
-+ for pidf in `find $piddir -name "*.pid" 2>/dev/null`; do
- if [ -s $pidf ]; then
- kill `cat $pidf` >/dev/null 2>&1
- fi
-@@ -116,12 +116,12 @@
- sleep 2
- fi
-
-- rm -f $piddir/*.pid $piddir/*/*.pid
-+ find $piddir -name "*.pid"|xargs rm -f
-
- # Start every .conf in $work and run .sh if exists
- errors=0
- successes=0
-- for c in `/bin/ls *.conf */*.conf 2>/dev/null`; do
-+ for c in `find * -name "*.conf" 2>/dev/null`; do
- bn=${c%%.conf}
- if [ -f "$bn.sh" ]; then
- . $bn.sh
-@@ -147,7 +147,7 @@
- ;;
- stop)
- echo -n $"Shutting down openvpn: "
-- for pidf in `/bin/ls $piddir/*.pid $piddir/*/*.pid 2>/dev/null`; do
-+ for pidf in `find $piddir -name "*.pid" 2>/dev/null`; do
- if [ -s $pidf ]; then
- kill `cat $pidf` >/dev/null 2>&1
- fi
-@@ -163,7 +163,7 @@
- ;;
- reload)
- if [ -f $lock ]; then
-- for pidf in `/bin/ls $piddir/*.pid $piddir/*/*.pid 2>/dev/null`; do
-+ for pidf in `find $piddir -name "*.pid" 2>/dev/null`; do
- if [ -s $pidf ]; then
- kill -HUP `cat $pidf` >/dev/null 2>&1
- fi
-@@ -175,7 +175,7 @@
- ;;
- reopen)
- if [ -f $lock ]; then
-- for pidf in `/bin/ls $piddir/*.pid $piddir/*/*.pid 2>/dev/null`; do
-+ for pidf in `find $piddir -name "*.pid" 2>/dev/null`; do
- if [ -s $pidf ]; then
- kill -USR1 `cat $pidf` >/dev/null 2>&1
- fi
-@@ -195,7 +195,7 @@
- ;;
- status)
- if [ -f $lock ]; then
-- for pidf in `/bin/ls $piddir/*.pid $piddir/*/*.pid 2>/dev/null`; do
-+ for pidf in `find $piddir -name "*.pid" 2>/dev/null`; do
- if [ -s $pidf ]; then
- kill -USR2 `cat $pidf` >/dev/null 2>&1
- fi
diff --git a/main/openvpn/contrib/openvpn-fwmarkroute-1.00/README b/main/openvpn/contrib/openvpn-fwmarkroute-1.00/README
deleted file mode 100644
index 66fe61ad..00000000
--- a/main/openvpn/contrib/openvpn-fwmarkroute-1.00/README
+++ /dev/null
@@ -1,44 +0,0 @@
-OpenVPN fwmark Routing
-Sean Reifschneider, <jafo@tummy.com>
-Thursday November 27, 2003
-==========================
-
-These scripts can be used with OpenVPN up and down scripts to set up
-routing on a Linux system such that the VPN traffic is sent via normal
-network connectivity, but other traffic to that network runs over the VPN.
-The idea is to allow encryption of data to the network the remote host is
-on, without interfering with the VPN traffic. You can't simply add a route
-to the remote network, becaues that will cause the VPN traffic to also try
-to run over the VPN, and breaks the VPN.
-
-These scripts use the Linux "fwmark" iptables rules to specify routing
-based not only on IP address, but also by port and protocol. This allows
-you to effectively say "if the packet is to this IP address on this port
-using this protocol, then use the normal default gateway, otherwise use the
-VPN gateway.
-
-This is set up on the client VPN system, not the VPN server. These scripts
-also set up all ICMP echo-responses to run across the VPN. You can
-comment the lines in the scripts to disable this, but I find this useful
-at coffee shops which have networks that block ICMP.
-
-To configure this, you need to set up these scripts as your up and down
-scripts in the config file. You will need to set these values in the
-config file:
-
- up /etc/openvpn/fwmarkroute.up
- down /etc/openvpn/fwmarkroute.down
- up-restart
- up-delay
-
- setenv remote_netmask_bits 24
-
-Note: For this to work, you can't set the "user" or "group" config options,
-because then the scripts will not run as root.
-
-The last setting allows you to control the size of the network the remote
-system is on. The remote end has to be set up to route, probably with
-masquerading or NAT. The network this netmask relates to is calculated
-using the value of "remote" in the conf file.
-
-Sean
diff --git a/main/openvpn/contrib/openvpn-fwmarkroute-1.00/fwmarkroute.down b/main/openvpn/contrib/openvpn-fwmarkroute-1.00/fwmarkroute.down
deleted file mode 100755
index 87d67d4d..00000000
--- a/main/openvpn/contrib/openvpn-fwmarkroute-1.00/fwmarkroute.down
+++ /dev/null
@@ -1,22 +0,0 @@
-#!/bin/sh
-#
-# Bring down vpn routing.
-
-# calculate the network address
-remote_network=`ipcalc -n "$remote"/"$remote_netmask_bits"`
-remote_network="${remote_network#*=}"
-
-# clear routing via VPN
-ip route del "$remote_network"/"$remote_netmask_bits" via "$5" table vpn.out
-ip route del table vpnonly.out via "$5"
-iptables -D OUTPUT -t mangle -p "$proto" \
- -d "$remote_network"/"$remote_netmask_bits" \
- --dport "$remote_port" -j ACCEPT
-iptables -D OUTPUT -t mangle -d "$remote" -j MARK --set-mark 2
-
-# undo the ICMP ping tunneling
-iptables -D OUTPUT -t mangle --protocol icmp --icmp-type echo-request \
- -j MARK --set-mark 3
-
-# flush route cache
-ip route flush cache
diff --git a/main/openvpn/contrib/openvpn-fwmarkroute-1.00/fwmarkroute.up b/main/openvpn/contrib/openvpn-fwmarkroute-1.00/fwmarkroute.up
deleted file mode 100755
index 661ec313..00000000
--- a/main/openvpn/contrib/openvpn-fwmarkroute-1.00/fwmarkroute.up
+++ /dev/null
@@ -1,49 +0,0 @@
-#!/bin/sh
-#
-# Bring up vpn routing.
-
-# calculate the network address
-remote_network=`ipcalc -n "$remote"/"$remote_netmask_bits"`
-remote_network="${remote_network#*=}"
-
-# add the stuff that doesn't change if it's not already there
-grep -q '^202 ' /etc/iproute2/rt_tables
-if [ "$?" -ne 0 ]
-then
- echo 202 vpn.out >> /etc/iproute2/rt_tables
-fi
-grep -q '^203 ' /etc/iproute2/rt_tables
-if [ "$?" -ne 0 ]
-then
- echo 203 vpnonly.out >> /etc/iproute2/rt_tables
-fi
-ip rule ls | grep -q 'lookup vpn.out *$'
-if [ "$?" -ne 0 ]
-then
- ip rule add fwmark 2 table vpn.out
-fi
-ip rule ls | grep -q 'lookup vpnonly.out *$'
-if [ "$?" -ne 0 ]
-then
- ip rule add fwmark 3 table vpnonly.out
-fi
-
-# route VPN traffic using the normal table
-iptables -A OUTPUT -t mangle -p "$proto" -d "$remote" --dport "$remote_port" \
- -j ACCEPT
-
-# route all other traffic to that host via VPN
-iptables -A OUTPUT -t mangle -d "$remote_network"/"$remote_netmask_bits" \
- -j MARK --set-mark 2
-
-# route all ICMP pings over the VPN
-iptables -A OUTPUT -t mangle --protocol icmp --icmp-type echo-request \
- -j MARK --set-mark 3
-
-# NAT traffic going over the VPN, so it doesn't have an unknown address
-iptables -t nat -A POSTROUTING -o "$1" -j SNAT --to-source "$4"
-
-# add routing commands
-ip route add "$remote_network"/"$remote_netmask_bits" via "$5" table vpn.out
-ip route add table vpnonly.out via "$5"
-ip route flush cache
diff --git a/main/openvpn/contrib/pull-resolv-conf/client.down b/main/openvpn/contrib/pull-resolv-conf/client.down
deleted file mode 100644
index 05f2d4d5..00000000
--- a/main/openvpn/contrib/pull-resolv-conf/client.down
+++ /dev/null
@@ -1,47 +0,0 @@
-#!/bin/sh
-
-# Copyright (c) 2005-2010 OpenVPN Technologies, Inc.
-# Licensed under the GPL version 2
-
-# First version by Jesse Adelman
-# someone at boldandbusted dink com
-# http://www.boldandbusted.com/
-
-# PURPOSE: This script automatically removes the /etc/resolv.conf entries previously
-# set by the companion script "client.up".
-
-# INSTALL NOTES:
-# Place this in /etc/openvpn/client.down
-# Then, add the following to your /etc/openvpn/<clientconfig>.conf:
-# client
-# up /etc/openvpn/client.up
-# down /etc/openvpn/client.down
-# Next, "chmod a+x /etc/openvpn/client.down"
-
-# USAGE NOTES:
-# Note that this script is best served with the companion "client.up"
-# script.
-
-# Tested under Debian lenny with OpenVPN 2.1_rc11
-# It should work with any UNIX with a POSIX sh, /etc/resolv.conf or resolvconf
-
-# This runs with the context of the OpenVPN UID/GID
-# at the time of execution. This generally means that
-# the client "up" script will run fine, but the "down" script
-# will require the use of the OpenVPN "down-root" plugin
-# which is in the plugins/ directory of the OpenVPN source tree
-
-# A horrid work around, from a security perspective,
-# is to run OpenVPN as root. THIS IS NOT RECOMMENDED. You have
-# been WARNED.
-PATH=/bin:/usr/bin:/usr/local/bin:/sbin:/usr/sbin:/usr/local/sbin
-
-if type resolvconf >/dev/null 2>&1; then
- resolvconf -d "${1}" -f
-elif [ -e /etc/resolv.conf.ovpnsave ] ; then
- # cp + rm rather than mv in case it's a symlink
- cp /etc/resolv.conf.ovpnsave /etc/resolv.conf
- rm -f /etc/resolv.conf.ovpnsave
-fi
-
-exit 0
diff --git a/main/openvpn/contrib/pull-resolv-conf/client.up b/main/openvpn/contrib/pull-resolv-conf/client.up
deleted file mode 100644
index b28d4d19..00000000
--- a/main/openvpn/contrib/pull-resolv-conf/client.up
+++ /dev/null
@@ -1,101 +0,0 @@
-#!/bin/sh
-
-# Copyright (c) 2005-2010 OpenVPN Technologies, Inc.
-# Licensed under the GPL version 2
-
-# First version by Jesse Adelman
-# someone at boldandbusted dink com
-# http://www.boldandbusted.com/
-
-# PURPOSE: This script automatically sets the proper /etc/resolv.conf entries
-# as pulled down from an OpenVPN server.
-
-# INSTALL NOTES:
-# Place this in /etc/openvpn/client.up
-# Then, add the following to your /etc/openvpn/<clientconfig>.conf:
-# client
-# up /etc/openvpn/client.up
-# Next, "chmod a+x /etc/openvpn/client.up"
-
-# USAGE NOTES:
-# Note that this script is best served with the companion "client.down"
-# script.
-
-# Tested under Debian lenny with OpenVPN 2.1_rc11
-# It should work with any UNIX with a POSIX sh, /etc/resolv.conf or resolvconf
-
-# This runs with the context of the OpenVPN UID/GID
-# at the time of execution. This generally means that
-# the client "up" script will run fine, but the "down" script
-# will require the use of the OpenVPN "down-root" plugin
-# which is in the plugins/ directory of the OpenVPN source tree
-
-# A horrid work around, from a security perspective,
-# is to run OpenVPN as root. THIS IS NOT RECOMMENDED. You have
-# been WARNED.
-PATH=/bin:/usr/bin:/usr/local/bin:/sbin:/usr/sbin:/usr/local/sbin
-
-# init variables
-
-i=1
-domains=
-fopt=
-ndoms=0
-nns=0
-nl='
-'
-
-# $foreign_option_<n> is something like
-# "dhcp-option DOMAIN example.com" (multiple allowed)
-# or
-# "dhcp-option DNS 10.10.10.10" (multiple allowed)
-
-# each DNS option becomes a "nameserver" option in resolv.con
-# if we get one DOMAIN, that becomes "domain" in resolv.conf
-# if we get multiple DOMAINS, those become "search" lines in resolv.conf
-
-while true; do
- eval fopt=\$foreign_option_${i}
- [ -z "${fopt}" ] && break
-
- case ${fopt} in
- dhcp-option\ DOMAIN\ *)
- ndoms=$((ndoms + 1))
- domains="${domains} ${fopt#dhcp-option DOMAIN }"
- ;;
- dhcp-option\ DNS\ *)
- nns=$((nns + 1))
- if [ $nns -le 3 ]; then
- dns="${dns}${dns:+$nl}nameserver ${fopt#dhcp-option DNS }"
- else
- printf "%s\n" "Too many nameservers - ignoring after third" >&2
- fi
- ;;
- *)
- printf "%s\n" "Unknown option \"${fopt}\" - ignored" >&2
- ;;
- esac
- i=$((i + 1))
-done
-
-ds=domain
-if [ $ndoms -gt 1 ]; then
- ds=search
-fi
-
-# This is the complete file - "$domains" has a leading space already
-out="# resolv.conf autogenerated by ${0} (${1})${nl}${dns}${nl}${ds}${domains}"
-
-# use resolvconf if it's available
-if type resolvconf >/dev/null 2>&1; then
- printf "%s\n" "${out}" | resolvconf -p -a "${1}"
-else
- # Preserve the existing resolv.conf
- if [ -e /etc/resolv.conf ] ; then
- cp /etc/resolv.conf /etc/resolv.conf.ovpnsave
- fi
- printf "%s\n" "${out}" > /etc/resolv.conf
- chmod 644 /etc/resolv.conf
-fi
-
-exit 0