Diffstat (limited to 'main/openvpn/contrib')
m--------- | main/openvpn | 0 | ||||
-rw-r--r-- | main/openvpn/contrib/OCSP_check/OCSP_check.sh | 118 | ||||
-rw-r--r-- | main/openvpn/contrib/README | 2 | ||||
-rw-r--r-- | main/openvpn/contrib/keychain-mcd/cert_data.c | 733 | ||||
-rw-r--r-- | main/openvpn/contrib/keychain-mcd/cert_data.h | 46 | ||||
-rw-r--r-- | main/openvpn/contrib/keychain-mcd/common_osx.c | 94 | ||||
-rw-r--r-- | main/openvpn/contrib/keychain-mcd/common_osx.h | 36 | ||||
-rw-r--r-- | main/openvpn/contrib/keychain-mcd/crypto_osx.c | 75 | ||||
-rw-r--r-- | main/openvpn/contrib/keychain-mcd/crypto_osx.h | 44 | ||||
-rw-r--r-- | main/openvpn/contrib/keychain-mcd/keychain-mcd.8 | 149 | ||||
-rw-r--r-- | main/openvpn/contrib/keychain-mcd/main.c | 244 | ||||
-rw-r--r-- | main/openvpn/contrib/multilevel-init.patch | 79 | ||||
-rw-r--r-- | main/openvpn/contrib/openvpn-fwmarkroute-1.00/README | 44 | ||||
-rwxr-xr-x | main/openvpn/contrib/openvpn-fwmarkroute-1.00/fwmarkroute.down | 22 | ||||
-rwxr-xr-x | main/openvpn/contrib/openvpn-fwmarkroute-1.00/fwmarkroute.up | 49 | ||||
-rw-r--r-- | main/openvpn/contrib/pull-resolv-conf/client.down | 47 | ||||
-rw-r--r-- | main/openvpn/contrib/pull-resolv-conf/client.up | 101 |
17 files changed, 0 insertions, 1883 deletions
diff --git a/main/openvpn b/main/openvpn
new file mode 160000
+Subproject 7aaf01766f9718375986600216607aeb6397200
diff --git a/main/openvpn/contrib/OCSP_check/OCSP_check.sh b/main/openvpn/contrib/OCSP_check/OCSP_check.sh
deleted file mode 100644
index 6876c6d8..00000000
--- a/main/openvpn/contrib/OCSP_check/OCSP_check.sh
+++ /dev/null
@@ -1,118 +0,0 @@
-#!/bin/sh
-
-# Sample script to perform OCSP queries with OpenSSL
-# given a certificate serial number.
-
-# If you run your own CA, you can set up a very simple
-# OCSP server using the -port option to "openssl ocsp".
-
-# Full documentation and examples:
-# http://www.openssl.org/docs/apps/ocsp.html
-
-
-# Edit the following values to suit your needs
-
-# OCSP responder URL (mandatory)
-# YOU MUST UNCOMMENT ONE OF THESE AND SET IT TO A VALID SERVER
-#ocsp_url="http://ocsp.example.com/"
-#ocsp_url="https://ocsp.secure.example.com/"
-
-# Path to issuer certificate (mandatory)
-# YOU MUST SET THIS TO THE PATH TO THE CA CERTIFICATE
-issuer="/path/to/CAcert.crt"
-
-# use a nonce in the query, set to "-no_nonce" to not use it
-nonce="-nonce"
-
-# Verify the response
-# YOU MUST SET THIS TO THE PATH TO THE RESPONSE VERIFICATION CERT
-verify="/path/to/CAcert.crt"
-
-# Depth in the certificate chain where the cert to verify is.
-# Set to -1 to run the verification at every level (NOTE that
-# in that case you need a more complex script as the various
-# parameters for the query will likely be different at each level)
-# "0" is the usual value here, where the client certificate is
-check_depth=0
-
-cur_depth=$1 # this is the *CURRENT* depth
-common_name=$2 # CN in case you need it
-
-# minimal sanity checks
-
-err=0
-if [ -z "$issuer" ] || [ ! -e "$issuer" ]; then
- echo "Error: issuer certificate undefined or not found!" >&2
- err=1
-fi
-
-if [ -z "$verify" ] || [ ! -e "$verify" ]; then
- echo "Error: verification certificate undefined or not found!" >&2
- err=1
-fi
-
-if [ -z "$ocsp_url" ]; then
- echo "Error: OCSP server URL not defined!" >&2
- err=1
-fi
-
-if [ $err -eq 1 ]; then
- echo "Did you forget to customize the variables in the script?" >&2
- exit 1
-fi
-
-# begin
-if [ $check_depth -eq -1 ] || [ $cur_depth -eq $check_depth ]; then
-
- eval serial="\$tls_serial_${cur_depth}"
-
- # To successfully complete, the following must happen:
- #
- # - The serial number must not be empty
- # - The exit status of "openssl ocsp" must be zero
- # - The output of the above command must contain the line
- # "${serial}: good"
- #
- # Everything else fails with exit status 1.
-
- if [ -n "$serial" ]; then
-
- # This is only an example; you are encouraged to run this command (without
- # redirections) manually against your or your CA's OCSP server to see how
- # it responds, and adapt accordingly.
- # Sample output that is assumed here:
- #
- # Response verify OK
- # 4287405: good
- # This Update: Apr 24 19:38:49 2010 GMT
- # Next Update: May 2 14:23:42 2010 GMT
- #
- # NOTE: It is needed to check the exit code of OpenSSL explicitly. OpenSSL
- # can in some circumstances give a "good" result if it could not
- # reach the the OSCP server. In this case, the exit code will indicate
- # if OpenSSL itself failed or not. If OpenSSL's exit code is not 0,
- # don't trust the OpenSSL status.
-
- status=$(openssl ocsp -issuer "$issuer" \
- "$nonce" \
- -CAfile "$verify" \
- -url "$ocsp_url" \
- -serial "${serial}" 2>&1)
-
- if [ $? -eq 0 ]; then
- # check if ocsp didn't report any errors
- if echo "$status" | grep -Eq "(error|fail)"; then
- exit 1
- fi
- # check that the reported status of certificate is ok
- if echo "$status" | grep -Fq "^${serial}: good"; then
- # check if signature on the OCSP response verified correctly
- if echo "$status" | grep -Fq "^Response verify OK"; then
- exit 0
- fi
- fi
- fi
- fi
- # if we get here, something was wrong
- exit 1
-fi
diff --git a/main/openvpn/contrib/README b/main/openvpn/contrib/README
deleted file mode 100644
index e1a57d0e..00000000
--- a/main/openvpn/contrib/README
+++ /dev/null
@@ -1,2 +0,0 @@
-This directory contains scripts and patches contributed
-by users.
diff --git a/main/openvpn/contrib/keychain-mcd/cert_data.c b/main/openvpn/contrib/keychain-mcd/cert_data.c
deleted file mode 100644
index f2b33edc..00000000
--- a/main/openvpn/contrib/keychain-mcd/cert_data.c
+++ /dev/null
@@ -1,733 +0,0 @@ -/* - * OpenVPN -- An application to securely tunnel IP networks - * over a single UDP port, with support for SSL/TLS-based - * session authentication and key exchange, - * packet encryption, packet authentication, and - * packet compression. - * - * Copyright (C) 2010 Brian Raderman <brian@irregularexpression.org> - * Copyright (C) 2013-2015 Vasily Kulikov <segoon@openwall.com> - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License version 2 - * as published by the Free Software Foundation. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * along with this program (see the file COPYING included with this - * distribution); if not, write to the Free Software Foundation, Inc., - * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA - */ - - -#include "cert_data.h" -#include <CommonCrypto/CommonDigest.h> -#include <openssl/ssl.h> - -#include "common_osx.h" -#include "crypto_osx.h" -#include <err.h> - -CFStringRef kCertDataSubjectName = CFSTR("subject"), - kCertDataIssuerName = CFSTR("issuer"), - kCertDataSha1Name = CFSTR("SHA1"), - kCertDataMd5Name = CFSTR("MD5"), - kCertDataSerialName = CFSTR("serial"), - kCertNameFwdSlash = CFSTR("/"), - kCertNameEquals = CFSTR("="); -CFStringRef kCertNameOrganization = CFSTR("o"), - kCertNameOrganizationalUnit = CFSTR("ou"), - kCertNameCountry = CFSTR("c"), - kCertNameLocality = CFSTR("l"), - kCertNameState = CFSTR("st"), - kCertNameCommonName = CFSTR("cn"), - kCertNameEmail = CFSTR("e"); -CFStringRef kStringSpace = CFSTR(" "), - kStringEmpty = CFSTR(""); - -typedef struct _CertName -{ - CFArrayRef countryName, organization, organizationalUnit, commonName, 
description, emailAddress, - stateName, localityName; -} CertName, *CertNameRef; - -typedef struct _DescData -{ - CFStringRef name, value; -} DescData, *DescDataRef; - -void destroyDescData(DescDataRef pData); - -CertNameRef createCertName() -{ - CertNameRef pCertName = (CertNameRef)malloc(sizeof(CertName)); - pCertName->countryName = CFArrayCreateMutable(NULL, 0, &kCFTypeArrayCallBacks); - pCertName->organization = CFArrayCreateMutable(NULL, 0, &kCFTypeArrayCallBacks); - pCertName->organizationalUnit = CFArrayCreateMutable(NULL, 0, &kCFTypeArrayCallBacks); - pCertName->commonName = CFArrayCreateMutable(NULL, 0, &kCFTypeArrayCallBacks); - pCertName->description = CFArrayCreateMutable(NULL, 0, &kCFTypeArrayCallBacks); - pCertName->emailAddress = CFArrayCreateMutable(NULL, 0, &kCFTypeArrayCallBacks); - pCertName->stateName = CFArrayCreateMutable(NULL, 0, &kCFTypeArrayCallBacks); - pCertName->localityName = CFArrayCreateMutable(NULL, 0, &kCFTypeArrayCallBacks); - return pCertName; -} - -void destroyCertName(CertNameRef pCertName) -{ - if (!pCertName) - return; - - CFRelease(pCertName->countryName); - CFRelease(pCertName->organization); - CFRelease(pCertName->organizationalUnit); - CFRelease(pCertName->commonName); - CFRelease(pCertName->description); - CFRelease(pCertName->emailAddress); - CFRelease(pCertName->stateName); - CFRelease(pCertName->localityName); - free(pCertName); -} - -bool CFStringRefCmpCString(CFStringRef cfstr, const char *str) -{ - CFStringRef tmp = CFStringCreateWithCStringNoCopy(NULL, str, kCFStringEncodingUTF8, kCFAllocatorNull); - CFComparisonResult cresult = CFStringCompare(cfstr, tmp, 0); - bool result = cresult == kCFCompareEqualTo; - CFRelease(tmp); - return result; -} - -CFDateRef GetDateFieldFromCertificate(SecCertificateRef certificate, CFTypeRef oid) -{ - const void *keys[] = { oid }; - CFDictionaryRef dict = NULL; - CFErrorRef error; - CFDateRef date = NULL; - - CFArrayRef keySelection = CFArrayCreate(NULL, keys , 
sizeof(keys)/sizeof(keys[0]), &kCFTypeArrayCallBacks); - dict = SecCertificateCopyValues(certificate, keySelection, &error); - if (dict == NULL) - { - printErrorMsg("GetDateFieldFromCertificate: SecCertificateCopyValues", error); - goto release_ks; - } - CFDictionaryRef vals = dict ? CFDictionaryGetValue(dict, oid) : NULL; - CFNumberRef vals2 = vals ? CFDictionaryGetValue(vals, kSecPropertyKeyValue) : NULL; - if (vals2 == NULL) - goto release_dict; - - CFAbsoluteTime validityNotBefore; - if (CFNumberGetValue(vals2, kCFNumberDoubleType, &validityNotBefore)) - date = CFDateCreate(kCFAllocatorDefault,validityNotBefore); - -release_dict: - CFRelease(dict); -release_ks: - CFRelease(keySelection); - return date; -} - -CFArrayRef GetFieldsFromCertificate(SecCertificateRef certificate, CFTypeRef oid) -{ - CFMutableArrayRef fields = CFArrayCreateMutable(NULL, 0, NULL); - CertNameRef pCertName = createCertName(); - const void* keys[] = { oid, }; - CFDictionaryRef dict; - CFErrorRef error; - - CFArrayRef keySelection = CFArrayCreate(NULL, keys , 1, NULL); - - dict = SecCertificateCopyValues(certificate, keySelection, &error); - if (dict == NULL) { - printErrorMsg("GetFieldsFromCertificate: SecCertificateCopyValues", error); - CFRelease(keySelection); - CFRelease(fields); - return NULL; - } - CFDictionaryRef vals = CFDictionaryGetValue(dict, oid); - CFArrayRef vals2 = vals ? 
CFDictionaryGetValue(vals, kSecPropertyKeyValue) : NULL; - if (vals2) - { - for(int i = 0; i < CFArrayGetCount(vals2); i++) { - CFDictionaryRef subDict = CFArrayGetValueAtIndex(vals2, i); - CFStringRef label = CFDictionaryGetValue(subDict, kSecPropertyKeyLabel); - CFStringRef value = CFDictionaryGetValue(subDict, kSecPropertyKeyValue); - - if (CFStringCompare(label, kSecOIDEmailAddress, 0) == kCFCompareEqualTo) - CFArrayAppendValue((CFMutableArrayRef)pCertName->emailAddress, value); - else if (CFStringCompare(label, kSecOIDCountryName, 0) == kCFCompareEqualTo) - CFArrayAppendValue((CFMutableArrayRef)pCertName->countryName, value); - else if (CFStringCompare(label, kSecOIDOrganizationName, 0) == kCFCompareEqualTo) - CFArrayAppendValue((CFMutableArrayRef)pCertName->organization, value); - else if (CFStringCompare(label, kSecOIDOrganizationalUnitName, 0) == kCFCompareEqualTo) - CFArrayAppendValue((CFMutableArrayRef)pCertName->organizationalUnit, value); - else if (CFStringCompare(label, kSecOIDCommonName, 0) == kCFCompareEqualTo) - CFArrayAppendValue((CFMutableArrayRef)pCertName->commonName, value); - else if (CFStringCompare(label, kSecOIDDescription, 0) == kCFCompareEqualTo) - CFArrayAppendValue((CFMutableArrayRef)pCertName->description, value); - else if (CFStringCompare(label, kSecOIDStateProvinceName, 0) == kCFCompareEqualTo) - CFArrayAppendValue((CFMutableArrayRef)pCertName->stateName, value); - else if (CFStringCompare(label, kSecOIDLocalityName, 0) == kCFCompareEqualTo) - CFArrayAppendValue((CFMutableArrayRef)pCertName->localityName, value); - } - CFArrayAppendValue(fields, pCertName); - } - - CFRelease(dict); - CFRelease(keySelection); - return fields; -} - -CertDataRef createCertDataFromCertificate(SecCertificateRef certificate) -{ - CertDataRef pCertData = (CertDataRef)malloc(sizeof(CertData)); - pCertData->subject = GetFieldsFromCertificate(certificate, kSecOIDX509V1SubjectName); - pCertData->issuer = GetFieldsFromCertificate(certificate, 
kSecOIDX509V1IssuerName); - - CFDataRef data = SecCertificateCopyData(certificate); - if (data == NULL) - { - warnx("SecCertificateCopyData() returned NULL"); - destroyCertData(pCertData); - return NULL; - } - - unsigned char sha1[CC_SHA1_DIGEST_LENGTH]; - CC_SHA1(CFDataGetBytePtr(data), CFDataGetLength(data), sha1); - pCertData->sha1 = createHexString(sha1, CC_SHA1_DIGEST_LENGTH); - - unsigned char md5[CC_MD5_DIGEST_LENGTH]; - CC_MD5(CFDataGetBytePtr(data), CFDataGetLength(data), md5); - pCertData->md5 = createHexString((unsigned char*)md5, CC_MD5_DIGEST_LENGTH); - - CFDataRef serial = SecCertificateCopySerialNumber(certificate, NULL); - pCertData->serial = createHexString((unsigned char *)CFDataGetBytePtr(serial), CFDataGetLength(serial)); - CFRelease(serial); - - return pCertData; -} - -CFStringRef stringFromRange(const char *cstring, CFRange range) -{ - CFStringRef str = CFStringCreateWithBytes (NULL, (uint8*)&cstring[range.location], range.length, kCFStringEncodingUTF8, false); - CFMutableStringRef mutableStr = CFStringCreateMutableCopy(NULL, 0, str); - CFStringTrimWhitespace(mutableStr); - CFRelease(str); - return mutableStr; -} - -DescDataRef createDescData(const char *description, CFRange nameRange, CFRange valueRange) -{ - DescDataRef pRetVal = (DescDataRef)malloc(sizeof(DescData)); - - memset(pRetVal, 0, sizeof(DescData)); - - if (nameRange.length > 0) - pRetVal->name = stringFromRange(description, nameRange); - - if (valueRange.length > 0) - pRetVal->value = stringFromRange(description, valueRange); - -#if 0 - fprintf(stderr, "name = '%s', value = '%s'\n", - CFStringGetCStringPtr(pRetVal->name, kCFStringEncodingUTF8), - CFStringGetCStringPtr(pRetVal->value, kCFStringEncodingUTF8)); -#endif - return pRetVal; -} - -void destroyDescData(DescDataRef pData) -{ - if (pData->name) - CFRelease(pData->name); - - if (pData->value) - CFRelease(pData->value); - - free(pData); -} - -CFArrayRef createDescDataPairs(const char *description) -{ - int numChars = 
strlen(description); - CFRange nameRange, valueRange; - DescDataRef pData; - CFMutableArrayRef retVal = CFArrayCreateMutable(NULL, 0, NULL); - - int i = 0; - - nameRange = CFRangeMake(0, 0); - valueRange = CFRangeMake(0, 0); - bool bInValue = false; - - while(i < numChars) - { - if (!bInValue && (description[i] != ':')) - { - nameRange.length++; - } - else if (bInValue && (description[i] != ':')) - { - valueRange.length++; - } - else if(!bInValue) - { - bInValue = true; - valueRange.location = i + 1; - valueRange.length = 0; - } - else //(bInValue) - { - bInValue = false; - while(description[i] != ' ') - { - valueRange.length--; - i--; - } - - pData = createDescData(description, nameRange, valueRange); - CFArrayAppendValue(retVal, pData); - - nameRange.location = i + 1; - nameRange.length = 0; - } - - i++; - } - - pData = createDescData(description, nameRange, valueRange); - CFArrayAppendValue(retVal, pData); - return retVal; -} - -void arrayDestroyDescData(const void *val, void *context) -{ - DescDataRef pData = (DescDataRef) val; - destroyDescData(pData); -} - - -int parseNameComponent(CFStringRef dn, CFStringRef *pName, CFStringRef *pValue) -{ - CFArrayRef nameStrings = CFStringCreateArrayBySeparatingStrings(NULL, dn, kCertNameEquals); - - *pName = *pValue = NULL; - - if (CFArrayGetCount(nameStrings) != 2) - return 0; - - CFMutableStringRef str; - - str = CFStringCreateMutableCopy(NULL, 0, CFArrayGetValueAtIndex(nameStrings, 0)); - CFStringTrimWhitespace(str); - *pName = str; - - str = CFStringCreateMutableCopy(NULL, 0, CFArrayGetValueAtIndex(nameStrings, 1)); - CFStringTrimWhitespace(str); - *pValue = str; - - CFRelease(nameStrings); - return 1; -} - -int tryAppendSingleCertField(CertNameRef pCertName, CFArrayRef where, CFStringRef key, - CFStringRef name, CFStringRef value) -{ - if (CFStringCompareWithOptions(name, key, CFRangeMake(0, CFStringGetLength(name)), kCFCompareCaseInsensitive) - == kCFCompareEqualTo) { - CFArrayAppendValue((CFMutableArrayRef)where, 
value); - return 1; - } - return 0; -} - -int appendCertField(CertNameRef pCert, CFStringRef name, CFStringRef value) -{ - struct { - CFArrayRef field; - CFStringRef key; - } fields[] = { - { pCert->organization, kCertNameOrganization}, - { pCert->organizationalUnit, kCertNameOrganizationalUnit}, - { pCert->countryName, kCertNameCountry}, - { pCert->localityName, kCertNameLocality}, - { pCert->stateName, kCertNameState}, - { pCert->commonName, kCertNameCommonName}, - { pCert->emailAddress, kCertNameEmail}, - }; - int i; - int ret = 0; - - for (i=0; i<sizeof(fields)/sizeof(fields[0]); i++) - ret += tryAppendSingleCertField(pCert, fields[i].field, fields[i].key, name, value); - return ret; -} - -int parseCertName(CFStringRef nameDesc, CFMutableArrayRef names) -{ - CFArrayRef nameStrings = CFStringCreateArrayBySeparatingStrings(NULL, nameDesc, kCertNameFwdSlash); - int count = CFArrayGetCount(nameStrings); - int i; - int ret = 1; - - CertNameRef pCertName = createCertName(); - - for(i = 0;i < count;i++) - { - CFMutableStringRef dn = CFStringCreateMutableCopy(NULL, 0, CFArrayGetValueAtIndex(nameStrings, i)); - CFStringTrimWhitespace(dn); - - CFStringRef name, value; - - if (!parseNameComponent(dn, &name, &value)) - ret = 0; - - if (!name || !value) - { - if (name) - CFRelease(name); - - if (value) - CFRelease(value); - if (name && !value) - ret = 0; - - CFRelease(dn); - continue; - } - - if (!appendCertField(pCertName, name, value)) - ret = 0; - CFRelease(name); - CFRelease(value); - CFRelease(dn); - } - - CFArrayAppendValue(names, pCertName); - CFRelease(nameStrings); - return ret; -} - -int arrayParseDescDataPair(const void *val, void *context) -{ - DescDataRef pDescData = (DescDataRef)val; - CertDataRef pCertData = (CertDataRef)context; - int ret = 1; - - if (!pDescData->name || !pDescData->value) - return 0; - - if (CFStringCompareWithOptions(pDescData->name, kCertDataSubjectName, CFRangeMake(0, CFStringGetLength(pDescData->name)), kCFCompareCaseInsensitive) == 
kCFCompareEqualTo) - ret = parseCertName(pDescData->value, (CFMutableArrayRef)pCertData->subject); - else if (CFStringCompareWithOptions(pDescData->name, kCertDataIssuerName, CFRangeMake(0, CFStringGetLength(pDescData->name)), kCFCompareCaseInsensitive) == kCFCompareEqualTo) - ret = parseCertName(pDescData->value, (CFMutableArrayRef)pCertData->issuer); - else if (CFStringCompareWithOptions(pDescData->name, kCertDataSha1Name, CFRangeMake(0, CFStringGetLength(pDescData->name)), kCFCompareCaseInsensitive) == kCFCompareEqualTo) - pCertData->sha1 = CFRetain(pDescData->value); - else if (CFStringCompareWithOptions(pDescData->name, kCertDataMd5Name, CFRangeMake(0, CFStringGetLength(pDescData->name)), kCFCompareCaseInsensitive) == kCFCompareEqualTo) - pCertData->md5 = CFRetain(pDescData->value); - else if (CFStringCompareWithOptions(pDescData->name, kCertDataSerialName, CFRangeMake(0, CFStringGetLength(pDescData->name)), kCFCompareCaseInsensitive) == kCFCompareEqualTo) - pCertData->serial = CFRetain(pDescData->value); - else - return 0; - - return ret; -} - -CertDataRef createCertDataFromString(const char *description) -{ - CertDataRef pCertData = (CertDataRef)malloc(sizeof(CertData)); - pCertData->subject = CFArrayCreateMutable(NULL, 0, NULL); - pCertData->issuer = CFArrayCreateMutable(NULL, 0, NULL); - pCertData->sha1 = NULL; - pCertData->md5 = NULL; - pCertData->serial = NULL; - - CFArrayRef pairs = createDescDataPairs(description); - for (int i=0; i<CFArrayGetCount(pairs); i++) - if (!arrayParseDescDataPair(CFArrayGetValueAtIndex(pairs, i), pCertData)) { - arrayDestroyDescData(pCertData, NULL); - CFArrayApplyFunction(pairs, CFRangeMake(0, CFArrayGetCount(pairs)), arrayDestroyDescData, NULL); - CFRelease(pairs); - return 0; - } - - CFArrayApplyFunction(pairs, CFRangeMake(0, CFArrayGetCount(pairs)), arrayDestroyDescData, NULL); - CFRelease(pairs); - return pCertData; -} - -void arrayDestroyCertName(const void *val, void *context) -{ - CertNameRef pCertName = 
(CertNameRef)val; - destroyCertName(pCertName); -} - -void destroyCertData(CertDataRef pCertData) -{ - if (pCertData->subject) - { - CFArrayApplyFunction(pCertData->subject, CFRangeMake(0, CFArrayGetCount(pCertData->subject)), arrayDestroyCertName, NULL); - CFRelease(pCertData->subject); - } - - if (pCertData->issuer) - { - CFArrayApplyFunction(pCertData->issuer, CFRangeMake(0, CFArrayGetCount(pCertData->issuer)), arrayDestroyCertName, NULL); - CFRelease(pCertData->issuer); - } - - if (pCertData->sha1) - CFRelease(pCertData->sha1); - - if (pCertData->md5) - CFRelease(pCertData->md5); - - if (pCertData->serial) - CFRelease(pCertData->serial); - - free(pCertData); -} - -bool stringArrayMatchesTemplate(CFArrayRef strings, CFArrayRef templateArray) -{ - int templateCount, stringCount, i; - - templateCount = CFArrayGetCount(templateArray); - - if (templateCount > 0) - { - stringCount = CFArrayGetCount(strings); - if (stringCount != templateCount) - return false; - - for(i = 0;i < stringCount;i++) - { - CFStringRef str, template; - - template = (CFStringRef)CFArrayGetValueAtIndex(templateArray, i); - str = (CFStringRef)CFArrayGetValueAtIndex(strings, i); - - if (CFStringCompareWithOptions(template, str, CFRangeMake(0, CFStringGetLength(template)), kCFCompareCaseInsensitive) != kCFCompareEqualTo) - return false; - } - } - - return true; - -} - -bool certNameMatchesTemplate(CertNameRef pCertName, CertNameRef pTemplate) -{ - if (!stringArrayMatchesTemplate(pCertName->countryName, pTemplate->countryName)) - return false; - else if (!stringArrayMatchesTemplate(pCertName->organization, pTemplate->organization)) - return false; - else if (!stringArrayMatchesTemplate(pCertName->organizationalUnit, pTemplate->organizationalUnit)) - return false; - else if (!stringArrayMatchesTemplate(pCertName->commonName, pTemplate->commonName)) - return false; - else if (!stringArrayMatchesTemplate(pCertName->emailAddress, pTemplate->emailAddress)) - return false; - else if 
(!stringArrayMatchesTemplate(pCertName->stateName, pTemplate->stateName)) - return false; - else if (!stringArrayMatchesTemplate(pCertName->localityName, pTemplate->localityName)) - return false; - else - return true; -} - -bool certNameArrayMatchesTemplate(CFArrayRef certNameArray, CFArrayRef templateArray) -{ - int templateCount, certCount, i; - - templateCount = CFArrayGetCount(templateArray); - - if (templateCount > 0) - { - certCount = CFArrayGetCount(certNameArray); - if (certCount != templateCount) - return false; - - for(i = 0;i < certCount;i++) - { - CertNameRef pName, pTemplateName; - - pTemplateName = (CertNameRef)CFArrayGetValueAtIndex(templateArray, i); - pName = (CertNameRef)CFArrayGetValueAtIndex(certNameArray, i); - - if (!certNameMatchesTemplate(pName, pTemplateName)) - return false; - } - } - - return true; -} - -bool hexStringMatchesTemplate(CFStringRef str, CFStringRef template) -{ - if (template) - { - if (!str) - return false; - - CFMutableStringRef strMutable, templateMutable; - - strMutable = CFStringCreateMutableCopy(NULL, 0, str); - templateMutable = CFStringCreateMutableCopy(NULL, 0, template); - - CFStringFindAndReplace(strMutable, kStringSpace, kStringEmpty, CFRangeMake(0, CFStringGetLength(strMutable)), 0); - CFStringFindAndReplace(templateMutable, kStringSpace, kStringEmpty, CFRangeMake(0, CFStringGetLength(templateMutable)), 0); - - CFComparisonResult result = CFStringCompareWithOptions(templateMutable, strMutable, CFRangeMake(0, CFStringGetLength(templateMutable)), kCFCompareCaseInsensitive); - - CFRelease(strMutable); - CFRelease(templateMutable); - - if (result != kCFCompareEqualTo) - return false; - } - - return true; -} - -bool certDataMatchesTemplate(CertDataRef pCertData, CertDataRef pTemplate) -{ - if (!certNameArrayMatchesTemplate(pCertData->subject, pTemplate->subject)) - return false; - - if (!certNameArrayMatchesTemplate(pCertData->issuer, pTemplate->issuer)) - return false; - - if 
(!hexStringMatchesTemplate(pCertData->sha1, pTemplate->sha1)) - return false; - - if (!hexStringMatchesTemplate(pCertData->md5, pTemplate->md5)) - return false; - - if (!hexStringMatchesTemplate(pCertData->serial, pTemplate->serial)) - return false; - - return true; -} - -bool certExpired(SecCertificateRef certificate) -{ - bool result; - CFDateRef notAfter = GetDateFieldFromCertificate(certificate, kSecOIDX509V1ValidityNotAfter); - CFDateRef notBefore = GetDateFieldFromCertificate(certificate, kSecOIDX509V1ValidityNotBefore); - CFDateRef now = CFDateCreate(kCFAllocatorDefault, CFAbsoluteTimeGetCurrent()); - - if (!notAfter || !notBefore || !now) - { - warnx("GetDateFieldFromCertificate() returned NULL"); - result = true; - } - else - { - if (CFDateCompare(notBefore, now, NULL) != kCFCompareLessThan || - CFDateCompare(now, notAfter, NULL) != kCFCompareLessThan) - result = true; - else - result = false; - } - - CFRelease(notAfter); - CFRelease(notBefore); - CFRelease(now); - return result; -} - -SecIdentityRef findIdentity(CertDataRef pCertDataTemplate) -{ - const void *keys[] = { - kSecClass, - kSecReturnRef, - kSecMatchLimit - }; - const void *values[] = { - kSecClassIdentity, - kCFBooleanTrue, - kSecMatchLimitAll - }; - CFArrayRef result = NULL; - - CFDictionaryRef query = CFDictionaryCreate(NULL, keys, values, - sizeof(keys) / sizeof(*keys), - &kCFTypeDictionaryKeyCallBacks, - &kCFTypeDictionaryValueCallBacks); - OSStatus status = SecItemCopyMatching(query, (CFTypeRef*)&result); - CFRelease(query); - if (status != noErr) - { - warnx ("No identities in keychain found"); - return NULL; - } - - SecIdentityRef bestIdentity = NULL; - CFDateRef bestNotBeforeDate = NULL; - - for (int i=0; i<CFArrayGetCount(result); i++) - { - SecIdentityRef identity = (SecIdentityRef)CFArrayGetValueAtIndex(result, i); - if (identity == NULL) - { - warnx ("identity == NULL"); - continue; - } - - SecCertificateRef certificate = NULL; - SecIdentityCopyCertificate (identity, &certificate); 
- if (certificate == NULL)
- {
- warnx ("SecIdentityCopyCertificate() returned NULL");
- continue;
- }
-
- CertDataRef pCertData2 = createCertDataFromCertificate(certificate);
- if (pCertData2 == NULL)
- {
- warnx ("createCertDataFromCertificate() returned NULL");
- goto release_cert;
- }
- bool bMatches = certDataMatchesTemplate(pCertData2, pCertDataTemplate);
- bool bExpired = certExpired(certificate);
- destroyCertData(pCertData2);
-
- if (bMatches && !bExpired)
- {
- CFDateRef notBeforeDate = GetDateFieldFromCertificate(certificate, kSecOIDX509V1ValidityNotBefore);
- if (!notBeforeDate)
- {
- warnx ("GetDateFieldFromCertificate() returned NULL");
- goto release_cert;
- }
- if (bestIdentity == NULL)
- {
- CFRetain(identity);
- bestIdentity = identity;
-
- bestNotBeforeDate = notBeforeDate;
- CFRetain(notBeforeDate);
- }
- else if (CFDateCompare(bestNotBeforeDate, notBeforeDate, NULL) == kCFCompareLessThan)
- {
- CFRelease(bestIdentity);
- CFRetain(identity);
- bestIdentity = identity;
-
- bestNotBeforeDate = notBeforeDate;
- CFRetain(notBeforeDate);
- }
- CFRelease(notBeforeDate);
- }
- release_cert:
- CFRelease(certificate);
- }
- CFRelease(result);
-
- return bestIdentity;
-}
diff --git a/main/openvpn/contrib/keychain-mcd/cert_data.h b/main/openvpn/contrib/keychain-mcd/cert_data.h
deleted file mode 100644
index 407cca1c..00000000
--- a/main/openvpn/contrib/keychain-mcd/cert_data.h
+++ /dev/null
@@ -1,46 +0,0 @@
-/*
- * OpenVPN -- An application to securely tunnel IP networks
- * over a single UDP port, with support for SSL/TLS-based
- * session authentication and key exchange,
- * packet encryption, packet authentication, and
- * packet compression.
- *
- * Copyright (C) 2010 Brian Raderman <brian@irregularexpression.org>
- * Copyright (C) 2013-2015 Vasily Kulikov <segoon@openwall.com>
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2
- * as published by the Free Software Foundation.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
- */
-#ifndef __cert_data_h__
-#define __cert_data_h__
-
-#include <CoreFoundation/CoreFoundation.h>
-#include <Security/Security.h>
-
-typedef struct _CertData
-{
- CFArrayRef subject;
- CFArrayRef issuer;
- CFStringRef serial;
- CFStringRef md5, sha1;
-} CertData, *CertDataRef;
-
-CertDataRef createCertDataFromCertificate(SecCertificateRef certificate);
-CertDataRef createCertDataFromString(const char *description);
-void destroyCertData(CertDataRef pCertData);
-bool certDataMatchesTemplate(CertDataRef pCertData, CertDataRef pTemplate);
-void printCertData(CertDataRef pCertData);
-SecIdentityRef findIdentity(CertDataRef pCertDataTemplate);
-
-#endif
diff --git a/main/openvpn/contrib/keychain-mcd/common_osx.c b/main/openvpn/contrib/keychain-mcd/common_osx.c
deleted file mode 100644
index 3effa8b0..00000000
--- a/main/openvpn/contrib/keychain-mcd/common_osx.c
+++ /dev/null
@@ -1,94 +0,0 @@ -/* - * OpenVPN -- An application to securely tunnel IP networks - * over a single UDP port, with support for SSL/TLS-based - * session authentication and key exchange, - * packet encryption, packet authentication, and - * packet compression. - * - * Copyright (C) 2010 Brian Raderman <brian@irregularexpression.org> - * Copyright (C) 2013-2015 Vasily Kulikov <segoon@openwall.com> - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License version 2 - * as published by the Free Software Foundation. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * along with this program (see the file COPYING included with this - * distribution); if not, write to the Free Software Foundation, Inc., - * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA - */ - -/* -#include "config.h" -#include "syshead.h" -#include "common.h" -#include "buffer.h" -#include "error.h" -*/ - -#include "common_osx.h" -#include <err.h> - -void printCFString(CFStringRef str) -{ - CFIndex bufferLength = CFStringGetLength(str) + 1; - char *pBuffer = (char*)malloc(sizeof(char) * bufferLength); - CFStringGetCString(str, pBuffer, bufferLength, kCFStringEncodingUTF8); - warnx("%s\n", pBuffer); - free(pBuffer); -} - -char* cfstringToCstr(CFStringRef str) -{ - CFIndex bufferLength = CFStringGetLength(str) + 1; - char *pBuffer = (char*)malloc(sizeof(char) * bufferLength); - CFStringGetCString(str, pBuffer, bufferLength, kCFStringEncodingUTF8); - return pBuffer; -} - -void appendHexChar(CFMutableStringRef str, unsigned char halfByte) -{ - if (halfByte < 10) - { - CFStringAppendFormat (str, NULL, CFSTR("%d"), halfByte); - } - else - { - char tmp[2] 
= {'A'+halfByte-10, 0}; - CFStringAppendCString(str, tmp, kCFStringEncodingUTF8); - } -} - -CFStringRef createHexString(unsigned char *pData, int length) -{ - unsigned char byte, low, high; - int i; - CFMutableStringRef str = CFStringCreateMutable(NULL, 0); - - for(i = 0;i < length;i++) - { - byte = pData[i]; - low = byte & 0x0F; - high = (byte >> 4); - - appendHexChar(str, high); - appendHexChar(str, low); - - if (i != (length - 1)) - CFStringAppendCString(str, " ", kCFStringEncodingUTF8); - } - - return str; -} - -void printHex(unsigned char *pData, int length) -{ - CFStringRef hexStr = createHexString(pData, length); - printCFString(hexStr); - CFRelease(hexStr); -} diff --git a/main/openvpn/contrib/keychain-mcd/common_osx.h b/main/openvpn/contrib/keychain-mcd/common_osx.h deleted file mode 100644 index 42735486..00000000 --- a/main/openvpn/contrib/keychain-mcd/common_osx.h +++ /dev/null 
@@ -1,36 +0,0 @@ -/* - * OpenVPN -- An application to securely tunnel IP networks - * over a single UDP port, with support for SSL/TLS-based - * session authentication and key exchange, - * packet encryption, packet authentication, and - * packet compression. - * - * Copyright (C) 2010 Brian Raderman <brian@irregularexpression.org> - * Copyright (C) 2013-2015 Vasily Kulikov <segoon@openwall.com> - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License version 2 - * as published by the Free Software Foundation. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * along with this program (see the file COPYING included with this - * distribution); if not, write to the Free Software Foundation, Inc., - * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA - */ - -#ifndef __common_osx_h__ -#define __common_osx_h__ - -#include <CoreFoundation/CoreFoundation.h> - -void printCFString(CFStringRef str); -char* cfstringToCstr(CFStringRef str); -CFStringRef createHexString(unsigned char *pData, int length); -void printHex(unsigned char *pData, int length); - -#endif //__Common_osx_h__ diff --git a/main/openvpn/contrib/keychain-mcd/crypto_osx.c b/main/openvpn/contrib/keychain-mcd/crypto_osx.c deleted file mode 100644 index 87ba09ba..00000000 --- a/main/openvpn/contrib/keychain-mcd/crypto_osx.c +++ /dev/null 
@@ -1,75 +0,0 @@ -/* - * OpenVPN -- An application to securely tunnel IP networks - * over a single UDP port, with support for SSL/TLS-based - * session authentication and key exchange, - * packet encryption, packet authentication, and - * packet compression. - * - * Copyright (C) 2010 Brian Raderman <brian@irregularexpression.org> - * Copyright (C) 2013-2015 Vasily Kulikov <segoon@openwall.com> - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License version 2 - * as published by the Free Software Foundation. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * along with this program (see the file COPYING included with this - * distribution); if not, write to the Free Software Foundation, Inc., - * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA - */ - - -#include <CommonCrypto/CommonDigest.h> -#include <Security/SecKey.h> -#include <Security/Security.h> - -#include "crypto_osx.h" -#include <err.h> - -void printErrorMsg(const char *func, CFErrorRef error) -{ - CFStringRef desc = CFErrorCopyDescription(error); - warnx("%s failed: %s", func, CFStringGetCStringPtr(desc, kCFStringEncodingUTF8)); - CFRelease(desc); -} - -void printErrorStatusMsg(const char *func, OSStatus status) -{ - CFStringRef error; - error = SecCopyErrorMessageString(status, NULL); - if (error) - { - warnx("%s failed: %s", func, CFStringGetCStringPtr(error, kCFStringEncodingUTF8)); - CFRelease(error); - } - else - warnx("%s failed: %X", func, (int)status); -} - -void signData(SecIdentityRef identity, const uint8_t *from, int flen, uint8_t *to, size_t *tlen) -{ - SecKeyRef privateKey = NULL; - OSStatus status; - - status = 
SecIdentityCopyPrivateKey(identity, &privateKey); - if (status != noErr) - { - printErrorStatusMsg("signData: SecIdentityCopyPrivateKey", status); - *tlen = 0; - return; - } - - status = SecKeyRawSign(privateKey, kSecPaddingPKCS1, from, flen, to, tlen); - CFRelease(privateKey); - if (status != noErr) - { - printErrorStatusMsg("signData: SecKeyRawSign", status); - *tlen = 0; - return; - } -} diff --git a/main/openvpn/contrib/keychain-mcd/crypto_osx.h b/main/openvpn/contrib/keychain-mcd/crypto_osx.h deleted file mode 100644 index 0da58b60..00000000 --- a/main/openvpn/contrib/keychain-mcd/crypto_osx.h +++ /dev/null 
@@ -1,44 +0,0 @@ -/* - * OpenVPN -- An application to securely tunnel IP networks - * over a single UDP port, with support for SSL/TLS-based - * session authentication and key exchange, - * packet encryption, packet authentication, and - * packet compression. - * - * Copyright (C) 2010 Brian Raderman <brian@irregularexpression.org> - * Copyright (C) 2013-2015 Vasily Kulikov <segoon@openwall.com> - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License version 2 - * as published by the Free Software Foundation. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * along with this program (see the file COPYING included with this - * distribution); if not, write to the Free Software Foundation, Inc., - * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA - */ - -#ifndef __crypto_osx_h__ -#define __crypto_osx_h__ - -#include <CoreFoundation/CoreFoundation.h> -#include <Security/Security.h> - -extern OSStatus SecKeyRawSign ( - SecKeyRef key, - SecPadding padding, - const uint8_t *dataToSign, - size_t dataToSignLen, - uint8_t *sig, - size_t *sigLen -); - -void signData(SecIdentityRef identity, const uint8_t *from, int flen, uint8_t *to, size_t *tlen); -void printErrorMsg(const char *func, CFErrorRef error); - -#endif //__crypto_osx_h__ diff --git a/main/openvpn/contrib/keychain-mcd/keychain-mcd.8 b/main/openvpn/contrib/keychain-mcd/keychain-mcd.8 deleted file mode 100644 index c4581e7b..00000000 --- a/main/openvpn/contrib/keychain-mcd/keychain-mcd.8 +++ /dev/null 
@@ -1,149 +0,0 @@ -.TH keychain-mcd 8 -.SH NAME - -keychain-mcd \- Mac OS X Keychain management daemon for OpenVPN - -.SH SYNOPSIS - -.B keychain-mcd -.I identity-template management-server-ip management-server-port -[ -.I password-file -] - -.SH DESCRIPTION - -.B keychain-mcd -is Mac OS X Keychain management daemon for OpenVPN. -It loads the certificate and private key from the Mac OSX Keychain (Mac OSX Only). -.B keychain-mcd -connects to OpenVPN via management interface and handles -certificate and private key commands (namely -.B NEED-CERTIFICATE -and -.B RSA-SIGN -commands). - -.B keychain-mcd -makes it possible to use any smart card supported by Mac OSX using the tokend interface, but also any -kind of certificate, residing in the Keychain, where you have access to -the private key. This option has been tested on the client side with an Aladdin eToken -on Mac OSX Leopard and with software certificates stored in the Keychain on Mac OS X. - -Note that Mac OS X might need to present the user with an authentication GUI when the Keychain -is accessed by keychain-mcd. - -Use -.B keychain-mcd -along with -.B --management-external-key -and/or -.B --management-external-cert -passed to -.B openvpn. - -.SH OPTIONS - -.TP -.BR identity-template - -A select string which is used to choose a keychain identity from -Mac OS X Keychain. - -\fBSubject\fR, \fBIssuer\fR, \fBSerial\fR, \fBSHA1\fR, \fBMD5\fR selectors can be used. 
- -To select a certificate based on a string search in the -certificate's subject and/or issuer: - -.nf - -"SUBJECT:c=US/o=Apple Inc./ou=me.com/cn=username ISSUER:c=US/o=Apple Computer, Inc./ou=Apple Computer Certificate Authority/cn=Apple .Mac Certificate Authority" - -.fi - -.I "Distinguished Name Component Abbreviations:" -.br -o = organization -.br -ou = organizational unit -.br -c = country -.br -l = locality -.br -st = state -.br -cn = common name -.br -e = email -.br - -All of the distinguished name components are optional, although you do need to specify at least one of them. You can -add spaces around the '/' and '=' characters, e.g. "SUBJECT: c = US / o = Apple Inc.". You do not need to specify -both the subject and the issuer, one or the other will work fine. -The identity searching algorithm will return the -certificate it finds that matches all of the criteria you have specified. -If there are several certificates matching all of the criteria then the youngest certificate is returned -(i.e. with the greater "not before" validity field). -You can also include the MD5 and/or SHA1 thumbprints and/or serial number -along with the subject and issuer. - -To select a certificate based on certificate's MD5 or SHA1 thumbprint: - -.nf -"SHA1: 30 F7 3A 7A B7 73 2A 98 54 33 4A A7 00 6F 6E AC EC D1 EF 02" - -"MD5: D5 F5 11 F1 38 EB 5F 4D CF 23 B6 94 E8 33 D8 B5" -.fi - -Again, you can include both the SHA1 and the MD5 thumbprints, but you can also use just one of them. -The thumbprint hex strings can easily be copy-and-pasted from the OSX Keychain Access GUI in the Applications/Utilities folder. -The hex string comparison is not case sensitive. - -To select a certificate based on certificate's serial number: - -"Serial: 3E 9B 6F 02 00 00 00 01 1F 20" - -.TP -.BR management-server-ip -OpenVPN management IP to connect to. -Both IPv4 and IPv6 addresses can be used. - -.TP -.BR management-server-port -OpenVPN management port to connect to. 
-Use -.B unix -for -.I management-server-port -and socket path for -.I management-server-ip -to connect to a local unix socket. - -.TP -.BR password-file - -Password file containing the management password on first line. -The password will be used to connect to -.B openvpn -management interface. - -Pass -.I password-file -to -.B keychain-mcd -if -.I pw-file -was specified in -.B --management -option to -.B openvpn. - - -.SH AUTHOR - -Vasily Kulikov <segoon@openwall.com> - -.SH "SEE ALSO" - -.BR openvpn (8) diff --git a/main/openvpn/contrib/keychain-mcd/main.c b/main/openvpn/contrib/keychain-mcd/main.c deleted file mode 100644 index 5f59403c..00000000 --- a/main/openvpn/contrib/keychain-mcd/main.c +++ /dev/null 
@@ -1,244 +0,0 @@ -/* - * OpenVPN -- An application to securely tunnel IP networks - * over a single UDP port, with support for SSL/TLS-based - * session authentication and key exchange, - * packet encryption, packet authentication, and - * packet compression. - * - * Copyright (C) 2015 Vasily Kulikov <segoon@openwall.com> - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License version 2 - * as published by the Free Software Foundation. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * along with this program (see the file COPYING included with this - * distribution); if not, write to the Free Software Foundation, Inc., - * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA - */ - - -#include <sys/socket.h> -#include <netinet/in.h> -#include <arpa/inet.h> -#include <sys/un.h> -#include <err.h> -#include <netdb.h> - -#include <Security/Security.h> -#include <CoreServices/CoreServices.h> - -#include "cert_data.h" -#include "crypto_osx.h" -#include "../../src/openvpn/base64.h" - - -SecIdentityRef template_to_identity(const char *template) -{ - SecIdentityRef identity; - CertDataRef pCertDataTemplate = createCertDataFromString(template); - if (pCertDataTemplate == NULL) - errx(1, "Bad certificate template"); - identity = findIdentity(pCertDataTemplate); - if (identity == NULL) - errx(1, "No such identify"); - fprintf(stderr, "Identity found\n"); - destroyCertData(pCertDataTemplate); - return identity; -} - -int connect_to_management_server(const char *ip, const char *port) -{ - int fd; - struct sockaddr_un addr_un; - struct sockaddr *addr; - size_t addr_len; - - if (strcmp(port, "unix") == 0) { - addr = (struct 
sockaddr*)&addr_un; - addr_len = sizeof(addr_un); - - addr_un.sun_family = AF_UNIX; - strncpy(addr_un.sun_path, ip, sizeof(addr_un.sun_path)); - fd = socket(AF_UNIX, SOCK_STREAM, 0); - } - else { - int rv; - struct addrinfo *result; - struct addrinfo hints; - - memset(&hints, 0, sizeof(hints)); - hints.ai_family = AF_UNSPEC; - hints.ai_socktype = SOCK_STREAM; - - rv = getaddrinfo(ip, port, &hints, &result); - if (rv < 0) - errx(1, "getaddrinfo: %s", gai_strerror(rv)); - if (result == NULL) - errx(1, "getaddrinfo returned 0 addressed"); - - /* Use the first found address */ - fd = socket(result->ai_family, result->ai_socktype, result->ai_protocol); - addr = result->ai_addr; - addr_len = result->ai_addrlen; - } - if (fd < 0) - err(1, "socket"); - - if (connect(fd, addr, addr_len) < 0) - err(1, "connect"); - - return fd; -} - -int is_prefix(const char *s, const char *prefix) -{ - return strncmp(s, prefix, strlen(prefix)) == 0; -} - -void handle_rsasign(FILE *man_file, SecIdentityRef identity, const char *input) -{ - const char *input_b64 = strchr(input, ':') + 1; - char *input_binary; - int input_len; - char *output_binary; - size_t output_len; - char *output_b64; - - input_len = strlen(input_b64)*8/6 + 4; - input_binary = malloc(input_len); - input_len = openvpn_base64_decode(input_b64, input_binary, input_len); - if (input_len < 0) - errx(1, "openvpn_base64_decode: overflow"); - - output_len = 1024; - output_binary = malloc(output_len); - signData(identity, (const uint8_t *)input_binary, input_len, (uint8_t *)output_binary, &output_len); - if (output_len == 0) - errx(1, "handle_rsasign: failed to sign data"); - - openvpn_base64_encode(output_binary, output_len, &output_b64); - fprintf(man_file, "rsa-sig\n%s\nEND\n", output_b64); - free(output_b64); - free(input_binary); - free(output_binary); - - fprintf(stderr, "Handled RSA_SIGN command\n"); -} - -void handle_needcertificate(FILE *man_file, SecIdentityRef identity) -{ - OSStatus status; - SecCertificateRef 
certificate = NULL; - CFDataRef data; - const unsigned char *cert; - size_t cert_len; - char *result_b64, *tmp_b64; - - status = SecIdentityCopyCertificate(identity, &certificate); - if (status != noErr) { - const char *msg = GetMacOSStatusErrorString(status); - err(1, "SecIdentityCopyCertificate() failed: %s", msg); - } - - data = SecCertificateCopyData(certificate); - if (data == NULL) - err(1, "SecCertificateCopyData() returned NULL"); - - cert = CFDataGetBytePtr(data); - cert_len = CFDataGetLength(data); - - openvpn_base64_encode(cert, cert_len, &result_b64); -#if 0 - fprintf(stderr, "certificate %s\n", result_b64); -#endif - - fprintf(man_file, "certificate\n"); - fprintf(man_file, "-----BEGIN CERTIFICATE-----\n"); - tmp_b64 = result_b64; - while (strlen(tmp_b64) > 64) { - fprintf(man_file, "%.64s\n", tmp_b64); - tmp_b64 += 64; - } - if (*tmp_b64) - fprintf(man_file, "%s\n", tmp_b64); - fprintf(man_file, "-----END CERTIFICATE-----\n"); - fprintf(man_file, "END\n"); - - free(result_b64); - CFRelease(data); - CFRelease(certificate); - - fprintf(stderr, "Handled NEED 'cert' command\n"); -} - -void management_loop(SecIdentityRef identity, int man_fd, const char *password) -{ - char *buffer = NULL; - size_t buffer_len = 0; - FILE *man = fdopen(man_fd, "w+"); - if (man == 0) - err(1, "fdopen"); - - if (password) - fprintf(man, "%s\n", password); - - while (1) { - if (getline(&buffer, &buffer_len, man) < 0) - err(1, "getline"); -#if 0 - fprintf(stderr, "M: %s", buffer); -#endif - - if (is_prefix(buffer, ">RSA_SIGN:")) - handle_rsasign(man, identity, buffer); - if (is_prefix(buffer, ">NEED-CERTIFICATE")) - handle_needcertificate(man, identity); - if (is_prefix(buffer, ">FATAL")) - fprintf(stderr, "Fatal message from OpenVPN: %s\n", buffer+7); - if (is_prefix(buffer, ">INFO")) - fprintf(stderr, "INFO message from OpenVPN: %s\n", buffer+6); - } -} - -char *read_password(const char *fname) -{ - char *password = NULL; - FILE *pwf = fopen(fname, "r"); - size_t n = 0; - - 
if (pwf == NULL) - errx(1, "fopen(%s) failed", fname); - if (getline(&password, &n, pwf) < 0) - err(1, "getline"); - fclose(pwf); - return password; -} - -int main(int argc, char* argv[]) -{ - if (argc < 4) - err(1, "usage: %s <identity_template> <management_ip> <management_port> [<pw-file>]", argv[0]); - - char *cert_prop = argv[1]; - char *s_ip = argv[2]; - char *s_port = argv[3]; - char *password = NULL; - int man_fd; - - if (argc > 4) { - char *s_pw_file = argv[4]; - password = read_password(s_pw_file); - } - - SecIdentityRef identity = template_to_identity(cert_prop); - man_fd = connect_to_management_server(s_ip, s_port); - fprintf(stderr, "Successfully connected to openvpn\n"); - - management_loop(identity, man_fd, password); -} diff --git a/main/openvpn/contrib/multilevel-init.patch b/main/openvpn/contrib/multilevel-init.patch deleted file mode 100644 index 8d48fbcd..00000000 --- a/main/openvpn/contrib/multilevel-init.patch +++ /dev/null 
@@ -1,79 +0,0 @@ ---- /etc/init.d/openvpn 2004-05-12 20:30:06.000000000 +0200 -+++ openvpn 2004-05-12 20:34:33.000000000 +0200 -@@ -58,13 +58,13 @@ - # returning success or failure status to caller (James Yonan). - - # Location of openvpn binary --openvpn="/usr/sbin/openvpn" -+openvpn=/usr/sbin/openvpn - - # Lockfile --lock="/var/lock/subsys/openvpn" -+lock=/var/lock/subsys/openvpn - - # PID directory --piddir="/var/run/openvpn" -+piddir=/var/run/openvpn - - # Our working directory - work=/etc/openvpn -@@ -106,7 +106,7 @@ - - if [ -f $lock ]; then - # we were not shut down correctly -- for pidf in `/bin/ls $piddir/*.pid $piddir/*/*.pid 2>/dev/null`; do -+ for pidf in `find $piddir -name "*.pid" 2>/dev/null`; do - if [ -s $pidf ]; then - kill `cat $pidf` >/dev/null 2>&1 - fi -@@ -116,12 +116,12 @@ - sleep 2 - fi - -- rm -f $piddir/*.pid $piddir/*/*.pid -+ find $piddir -name "*.pid"|xargs rm -f - - # Start every .conf in $work and run .sh if exists - errors=0 - successes=0 -- for c in `/bin/ls *.conf */*.conf 2>/dev/null`; do -+ for c in `find * -name "*.conf" 2>/dev/null`; do - bn=${c%%.conf} - if [ -f "$bn.sh" ]; then - . 
$bn.sh -@@ -147,7 +147,7 @@ - ;; - stop) - echo -n $"Shutting down openvpn: " -- for pidf in `/bin/ls $piddir/*.pid $piddir/*/*.pid 2>/dev/null`; do -+ for pidf in `find $piddir -name "*.pid" 2>/dev/null`; do - if [ -s $pidf ]; then - kill `cat $pidf` >/dev/null 2>&1 - fi -@@ -163,7 +163,7 @@ - ;; - reload) - if [ -f $lock ]; then -- for pidf in `/bin/ls $piddir/*.pid $piddir/*/*.pid 2>/dev/null`; do -+ for pidf in `find $piddir -name "*.pid" 2>/dev/null`; do - if [ -s $pidf ]; then - kill -HUP `cat $pidf` >/dev/null 2>&1 - fi -@@ -175,7 +175,7 @@ - ;; - reopen) - if [ -f $lock ]; then -- for pidf in `/bin/ls $piddir/*.pid $piddir/*/*.pid 2>/dev/null`; do -+ for pidf in `find $piddir -name "*.pid" 2>/dev/null`; do - if [ -s $pidf ]; then - kill -USR1 `cat $pidf` >/dev/null 2>&1 - fi -@@ -195,7 +195,7 @@ - ;; - status) - if [ -f $lock ]; then -- for pidf in `/bin/ls $piddir/*.pid $piddir/*/*.pid 2>/dev/null`; do -+ for pidf in `find $piddir -name "*.pid" 2>/dev/null`; do - if [ -s $pidf ]; then - kill -USR2 `cat $pidf` >/dev/null 2>&1 - fi diff --git a/main/openvpn/contrib/openvpn-fwmarkroute-1.00/README b/main/openvpn/contrib/openvpn-fwmarkroute-1.00/README deleted file mode 100644 index 66fe61ad..00000000 --- a/main/openvpn/contrib/openvpn-fwmarkroute-1.00/README +++ /dev/null 
@@ -1,44 +0,0 @@ -OpenVPN fwmark Routing -Sean Reifschneider, <jafo@tummy.com> -Thursday November 27, 2003 -========================== - -These scripts can be used with OpenVPN up and down scripts to set up -routing on a Linux system such that the VPN traffic is sent via normal -network connectivity, but other traffic to that network runs over the VPN. -The idea is to allow encryption of data to the network the remote host is -on, without interfering with the VPN traffic. You can't simply add a route -to the remote network, becaues that will cause the VPN traffic to also try -to run over the VPN, and breaks the VPN. - -These scripts use the Linux "fwmark" iptables rules to specify routing -based not only on IP address, but also by port and protocol. This allows -you to effectively say "if the packet is to this IP address on this port -using this protocol, then use the normal default gateway, otherwise use the -VPN gateway. - -This is set up on the client VPN system, not the VPN server. These scripts -also set up all ICMP echo-responses to run across the VPN. You can -comment the lines in the scripts to disable this, but I find this useful -at coffee shops which have networks that block ICMP. - -To configure this, you need to set up these scripts as your up and down -scripts in the config file. You will need to set these values in the -config file: - - up /etc/openvpn/fwmarkroute.up - down /etc/openvpn/fwmarkroute.down - up-restart - up-delay - - setenv remote_netmask_bits 24 - -Note: For this to work, you can't set the "user" or "group" config options, -because then the scripts will not run as root. - -The last setting allows you to control the size of the network the remote -system is on. The remote end has to be set up to route, probably with -masquerading or NAT. The network this netmask relates to is calculated -using the value of "remote" in the conf file. - -Sean 
diff --git a/main/openvpn/contrib/openvpn-fwmarkroute-1.00/fwmarkroute.down b/main/openvpn/contrib/openvpn-fwmarkroute-1.00/fwmarkroute.down deleted file mode 100755 index 87d67d4d..00000000 --- a/main/openvpn/contrib/openvpn-fwmarkroute-1.00/fwmarkroute.down +++ /dev/null @@ -1,22 +0,0 @@ -#!/bin/sh -# -# Bring down vpn routing. - -# calculate the network address -remote_network=`ipcalc -n "$remote"/"$remote_netmask_bits"` -remote_network="${remote_network#*=}" - -# clear routing via VPN -ip route del "$remote_network"/"$remote_netmask_bits" via "$5" table vpn.out -ip route del table vpnonly.out via "$5" -iptables -D OUTPUT -t mangle -p "$proto" \ - -d "$remote_network"/"$remote_netmask_bits" \ - --dport "$remote_port" -j ACCEPT -iptables -D OUTPUT -t mangle -d "$remote" -j MARK --set-mark 2 - -# undo the ICMP ping tunneling -iptables -D OUTPUT -t mangle --protocol icmp --icmp-type echo-request \ - -j MARK --set-mark 3 - -# flush route cache -ip route flush cache diff --git a/main/openvpn/contrib/openvpn-fwmarkroute-1.00/fwmarkroute.up b/main/openvpn/contrib/openvpn-fwmarkroute-1.00/fwmarkroute.up deleted file mode 100755 index 661ec313..00000000 --- a/main/openvpn/contrib/openvpn-fwmarkroute-1.00/fwmarkroute.up +++ /dev/null 
@@ -1,49 +0,0 @@ -#!/bin/sh -# -# Bring up vpn routing. - -# calculate the network address -remote_network=`ipcalc -n "$remote"/"$remote_netmask_bits"` -remote_network="${remote_network#*=}" - -# add the stuff that doesn't change if it's not already there -grep -q '^202 ' /etc/iproute2/rt_tables -if [ "$?" -ne 0 ] -then - echo 202 vpn.out >> /etc/iproute2/rt_tables -fi -grep -q '^203 ' /etc/iproute2/rt_tables -if [ "$?" -ne 0 ] -then - echo 203 vpnonly.out >> /etc/iproute2/rt_tables -fi -ip rule ls | grep -q 'lookup vpn.out *$' -if [ "$?" -ne 0 ] -then - ip rule add fwmark 2 table vpn.out -fi -ip rule ls | grep -q 'lookup vpnonly.out *$' -if [ "$?" -ne 0 ] -then - ip rule add fwmark 3 table vpnonly.out -fi - -# route VPN traffic using the normal table -iptables -A OUTPUT -t mangle -p "$proto" -d "$remote" --dport "$remote_port" \ - -j ACCEPT - -# route all other traffic to that host via VPN -iptables -A OUTPUT -t mangle -d "$remote_network"/"$remote_netmask_bits" \ - -j MARK --set-mark 2 - -# route all ICMP pings over the VPN -iptables -A OUTPUT -t mangle --protocol icmp --icmp-type echo-request \ - -j MARK --set-mark 3 - -# NAT traffic going over the VPN, so it doesn't have an unknown address -iptables -t nat -A POSTROUTING -o "$1" -j SNAT --to-source "$4" - -# add routing commands -ip route add "$remote_network"/"$remote_netmask_bits" via "$5" table vpn.out -ip route add table vpnonly.out via "$5" -ip route flush cache diff --git a/main/openvpn/contrib/pull-resolv-conf/client.down b/main/openvpn/contrib/pull-resolv-conf/client.down deleted file mode 100644 index 05f2d4d5..00000000 --- a/main/openvpn/contrib/pull-resolv-conf/client.down +++ /dev/null 
@@ -1,47 +0,0 @@ -#!/bin/sh - -# Copyright (c) 2005-2010 OpenVPN Technologies, Inc. -# Licensed under the GPL version 2 - -# First version by Jesse Adelman -# someone at boldandbusted dink com -# http://www.boldandbusted.com/ - -# PURPOSE: This script automatically removes the /etc/resolv.conf entries previously -# set by the companion script "client.up". - -# INSTALL NOTES: -# Place this in /etc/openvpn/client.down -# Then, add the following to your /etc/openvpn/<clientconfig>.conf: -# client -# up /etc/openvpn/client.up -# down /etc/openvpn/client.down -# Next, "chmod a+x /etc/openvpn/client.down" - -# USAGE NOTES: -# Note that this script is best served with the companion "client.up" -# script. - -# Tested under Debian lenny with OpenVPN 2.1_rc11 -# It should work with any UNIX with a POSIX sh, /etc/resolv.conf or resolvconf - -# This runs with the context of the OpenVPN UID/GID -# at the time of execution. This generally means that -# the client "up" script will run fine, but the "down" script -# will require the use of the OpenVPN "down-root" plugin -# which is in the plugins/ directory of the OpenVPN source tree - -# A horrid work around, from a security perspective, -# is to run OpenVPN as root. THIS IS NOT RECOMMENDED. You have -# been WARNED. -PATH=/bin:/usr/bin:/usr/local/bin:/sbin:/usr/sbin:/usr/local/sbin - -if type resolvconf >/dev/null 2>&1; then - resolvconf -d "${1}" -f -elif [ -e /etc/resolv.conf.ovpnsave ] ; then - # cp + rm rather than mv in case it's a symlink - cp /etc/resolv.conf.ovpnsave /etc/resolv.conf - rm -f /etc/resolv.conf.ovpnsave -fi - -exit 0 diff --git a/main/openvpn/contrib/pull-resolv-conf/client.up b/main/openvpn/contrib/pull-resolv-conf/client.up deleted file mode 100644 index b28d4d19..00000000 --- a/main/openvpn/contrib/pull-resolv-conf/client.up +++ /dev/null 
@@ -1,101 +0,0 @@ -#!/bin/sh - -# Copyright (c) 2005-2010 OpenVPN Technologies, Inc. -# Licensed under the GPL version 2 - -# First version by Jesse Adelman -# someone at boldandbusted dink com -# http://www.boldandbusted.com/ - -# PURPOSE: This script automatically sets the proper /etc/resolv.conf entries -# as pulled down from an OpenVPN server. - -# INSTALL NOTES: -# Place this in /etc/openvpn/client.up -# Then, add the following to your /etc/openvpn/<clientconfig>.conf: -# client -# up /etc/openvpn/client.up -# Next, "chmod a+x /etc/openvpn/client.up" - -# USAGE NOTES: -# Note that this script is best served with the companion "client.down" -# script. - -# Tested under Debian lenny with OpenVPN 2.1_rc11 -# It should work with any UNIX with a POSIX sh, /etc/resolv.conf or resolvconf - -# This runs with the context of the OpenVPN UID/GID -# at the time of execution. This generally means that -# the client "up" script will run fine, but the "down" script -# will require the use of the OpenVPN "down-root" plugin -# which is in the plugins/ directory of the OpenVPN source tree - -# A horrid work around, from a security perspective, -# is to run OpenVPN as root. THIS IS NOT RECOMMENDED. You have -# been WARNED. 
-PATH=/bin:/usr/bin:/usr/local/bin:/sbin:/usr/sbin:/usr/local/sbin - -# init variables - -i=1 -domains= -fopt= -ndoms=0 -nns=0 -nl=' -' - -# $foreign_option_<n> is something like -# "dhcp-option DOMAIN example.com" (multiple allowed) -# or -# "dhcp-option DNS 10.10.10.10" (multiple allowed) - -# each DNS option becomes a "nameserver" option in resolv.con -# if we get one DOMAIN, that becomes "domain" in resolv.conf -# if we get multiple DOMAINS, those become "search" lines in resolv.conf - -while true; do - eval fopt=\$foreign_option_${i} - [ -z "${fopt}" ] && break - - case ${fopt} in - dhcp-option\ DOMAIN\ *) - ndoms=$((ndoms + 1)) - domains="${domains} ${fopt#dhcp-option DOMAIN }" - ;; - dhcp-option\ DNS\ *) - nns=$((nns + 1)) - if [ $nns -le 3 ]; then - dns="${dns}${dns:+$nl}nameserver ${fopt#dhcp-option DNS }" - else - printf "%s\n" "Too many nameservers - ignoring after third" >&2 - fi - ;; - *) - printf "%s\n" "Unknown option \"${fopt}\" - ignored" >&2 - ;; - esac - i=$((i + 1)) -done - -ds=domain -if [ $ndoms -gt 1 ]; then - ds=search -fi - -# This is the complete file - "$domains" has a leading space already -out="# resolv.conf autogenerated by ${0} (${1})${nl}${dns}${nl}${ds}${domains}" - -# use resolvconf if it's available -if type resolvconf >/dev/null 2>&1; then - printf "%s\n" "${out}" | resolvconf -p -a "${1}" -else - # Preserve the existing resolv.conf - if [ -e /etc/resolv.conf ] ; then - cp /etc/resolv.conf /etc/resolv.conf.ovpnsave - fi - printf "%s\n" "${out}" > /etc/resolv.conf - chmod 644 /etc/resolv.conf -fi - -exit 0 |