Imported Upstream version 2.2.1upstream/2.2.1

8 files changed, 455 insertions, 0 deletions

diff --git a/contrib/OCSP_check/OCSP_check.sh b/contrib/OCSP_check/OCSP_check.sh
new file mode 100644
index 0000000..847be45
--- /dev/null
+++ b/contrib/OCSP_check/OCSP_check.sh
@@ -0,0 +1,111 @@
+#!/bin/sh
+
+# Sample script to perform OCSP queries with OpenSSL
+# given a certificate serial number.
+
+# If you run your own CA, you can set up a very simple
+# OCSP server using the -port option to "openssl ocsp".
+
+# Full documentation and examples:
+# http://www.openssl.org/docs/apps/ocsp.html
+
+
+# Edit the following values to suit your needs
+
+# OCSP responder URL (mandatory)
+# YOU MUST UNCOMMENT ONE OF THESE AND SET IT TO A VALID SERVER
+#ocsp_url="http://ocsp.example.com/"
+#ocsp_url="https://ocsp.secure.example.com/"
+
+# Path to issuer certificate (mandatory)
+# YOU MUST SET THIS TO THE PATH TO THE CA CERTIFICATE
+issuer="/path/to/CAcert.crt"
+
+# use a nonce in the query, set to "-no_nonce" to not use it
+nonce="-nonce"
+
+# Verify the response
+# YOU MUST SET THIS TO THE PATH TO THE RESPONSE VERIFICATION CERT
+verify="/path/to/CAcert.crt"
+
+# Depth in the certificate chain where the cert to verify is.
+# Set to -1 to run the verification at every level (NOTE that
+# in that case you need a more complex script as the various
+# parameters for the query will likely be different at each level)
+# "0" is the usual value here, where the client certificate is
+check_depth=0
+
+cur_depth=$1     # this is the *CURRENT* depth
+common_name=$2   # CN in case you need it
+
+# minimal sanity checks
+
+err=0
+if [ -z "$issuer" ] || [ ! -e "$issuer" ]; then
+  echo "Error: issuer certificate undefined or not found!" >&2
+  err=1
+fi
+
+if [ -z "$verify" ] || [ ! -e "$verify" ]; then
+  echo "Error: verification certificate undefined or not found!" >&2
+  err=1
+fi
+
+if [ -z "$ocsp_url" ]; then
+  echo "Error: OCSP server URL not defined!" >&2
+  err=1
+fi
+
+if [ $err -eq 1 ]; then
+  echo "Did you forget to customize the variables in the script?" >&2
+  exit 1
+fi
+
+# begin
+if [ $check_depth -eq -1 ] || [ $cur_depth -eq $check_depth ]; then
+
+  eval serial="\$tls_serial_${cur_depth}"
+
+  # To successfully complete, the following must happen:
+  #
+  # - The serial number must not be empty
+  # - The exit status of "openssl ocsp" must be zero
+  # - The output of the above command must contain the line
+  #   "0x${serial}: good"
+  #
+  # Everything else fails with exit status 1.
+
+  if [ -n "$serial" ]; then
+
+    # This is only an example; you are encouraged to run this command (without
+    # redirections) manually against your or your CA's OCSP server to see how
+    # it responds, and adapt accordingly.
+    # Sample output that is assumed here:
+    #
+    # Response verify OK
+    # 0x428740A5: good
+    #      This Update: Apr 24 19:38:49 2010 GMT
+    #      Next Update: May  2 14:23:42 2010 GMT
+    #
+    # NOTE: It is needed to check the exit code of OpenSSL explicitly.  OpenSSL
+    #       can in some circumstances give a "good" result if it could not
+    #       reach the the OSCP server.  In this case, the exit code will indicate
+    #       if OpenSSL itself failed or not.  If OpenSSL's exit code is not 0,
+    #       don't trust the OpenSSL status.
+
+    status=$(openssl ocsp -issuer "$issuer" \
+                    "$nonce" \
+                    -CAfile "$verify" \
+                    -url "$ocsp_url" \
+                    -serial "0x${serial}" 2>/dev/null)
+
+    if [ $? -eq 0 ]; then
+      # check that it's good
+      if echo "$status" | grep -Fq "0x${serial}: good"; then
+        exit 0
+      fi
+    fi
+  fi
+  # if we get here, something was wrong
+  exit 1
+fi
diff --git a/contrib/README b/contrib/README
new file mode 100644
index 0000000..e1a57d0
--- /dev/null
+++ b/contrib/README
@@ -0,0 +1,2 @@
+This directory contains scripts and patches contributed
+by users.
diff --git a/contrib/multilevel-init.patch b/contrib/multilevel-init.patch
new file mode 100644
index 0000000..8d48fbc
--- /dev/null
+++ b/contrib/multilevel-init.patch
@@ -0,0 +1,79 @@
+--- /etc/init.d/openvpn	2004-05-12 20:30:06.000000000 +0200
++++ openvpn	2004-05-12 20:34:33.000000000 +0200
+@@ -58,13 +58,13 @@
+ #     returning success or failure status to caller (James Yonan).
+ 
+ # Location of openvpn binary
+-openvpn="/usr/sbin/openvpn"
++openvpn=/usr/sbin/openvpn
+ 
+ # Lockfile
+-lock="/var/lock/subsys/openvpn"
++lock=/var/lock/subsys/openvpn
+ 
+ # PID directory
+-piddir="/var/run/openvpn"
++piddir=/var/run/openvpn
+ 
+ # Our working directory
+ work=/etc/openvpn
+@@ -106,7 +106,7 @@
+ 
+ 	if [ -f $lock ]; then
+ 	    # we were not shut down correctly
+-	    for pidf in `/bin/ls $piddir/*.pid $piddir/*/*.pid 2>/dev/null`; do
++	    for pidf in `find $piddir -name "*.pid" 2>/dev/null`; do
+ 	      if [ -s $pidf ]; then
+ 		kill `cat $pidf` >/dev/null 2>&1
+ 	      fi
+@@ -116,12 +116,12 @@
+ 	    sleep 2
+ 	fi
+ 
+-	rm -f $piddir/*.pid $piddir/*/*.pid
++	find $piddir -name "*.pid"|xargs rm -f
+ 
+ 	# Start every .conf in $work and run .sh if exists
+ 	errors=0
+ 	successes=0
+-	for c in `/bin/ls *.conf */*.conf 2>/dev/null`; do
++	for c in `find * -name "*.conf" 2>/dev/null`; do
+ 	    bn=${c%%.conf}
+ 	    if [ -f "$bn.sh" ]; then
+ 		. $bn.sh
+@@ -147,7 +147,7 @@
+ 	;;
+   stop)
+ 	echo -n $"Shutting down openvpn: "
+-	for pidf in `/bin/ls $piddir/*.pid $piddir/*/*.pid 2>/dev/null`; do
++	for pidf in `find $piddir -name "*.pid" 2>/dev/null`; do
+ 	  if [ -s $pidf ]; then
+ 	    kill `cat $pidf` >/dev/null 2>&1
+ 	  fi
+@@ -163,7 +163,7 @@
+ 	;;
+   reload)
+ 	if [ -f $lock ]; then
+-	    for pidf in `/bin/ls $piddir/*.pid $piddir/*/*.pid 2>/dev/null`; do
++	    for pidf in `find $piddir -name "*.pid" 2>/dev/null`; do
+ 		if [ -s $pidf ]; then
+ 		    kill -HUP `cat $pidf` >/dev/null 2>&1
+ 		fi
+@@ -175,7 +175,7 @@
+ 	;;
+   reopen)
+ 	if [ -f $lock ]; then
+-	    for pidf in `/bin/ls $piddir/*.pid $piddir/*/*.pid 2>/dev/null`; do
++	    for pidf in `find $piddir -name "*.pid" 2>/dev/null`; do
+ 		if [ -s $pidf ]; then
+ 		    kill -USR1 `cat $pidf` >/dev/null 2>&1
+ 		fi
+@@ -195,7 +195,7 @@
+ 	;;
+   status)
+ 	if [ -f $lock ]; then
+-	    for pidf in `/bin/ls $piddir/*.pid $piddir/*/*.pid 2>/dev/null`; do
++	    for pidf in `find $piddir -name "*.pid" 2>/dev/null`; do
+ 		if [ -s $pidf ]; then
+ 		    kill -USR2 `cat $pidf` >/dev/null 2>&1
+ 		fi
diff --git a/contrib/openvpn-fwmarkroute-1.00/README b/contrib/openvpn-fwmarkroute-1.00/README
new file mode 100644
index 0000000..66fe61a
--- /dev/null
+++ b/contrib/openvpn-fwmarkroute-1.00/README
@@ -0,0 +1,44 @@
+OpenVPN fwmark Routing
+Sean Reifschneider, <jafo@tummy.com>
+Thursday November 27, 2003
+==========================
+
+These scripts can be used with OpenVPN up and down scripts to set up
+routing on a Linux system such that the VPN traffic is sent via normal
+network connectivity, but other traffic to that network runs over the VPN.
+The idea is to allow encryption of data to the network the remote host is
+on, without interfering with the VPN traffic.  You can't simply add a route
+to the remote network, becaues that will cause the VPN traffic to also try
+to run over the VPN, and breaks the VPN.
+
+These scripts use the Linux "fwmark" iptables rules to specify routing
+based not only on IP address, but also by port and protocol.  This allows
+you to effectively say "if the packet is to this IP address on this port
+using this protocol, then use the normal default gateway, otherwise use the
+VPN gateway.
+
+This is set up on the client VPN system, not the VPN server.  These scripts
+also set up all ICMP echo-responses to run across the VPN.  You can
+comment the lines in the scripts to disable this, but I find this useful
+at coffee shops which have networks that block ICMP.
+
+To configure this, you need to set up these scripts as your up and down
+scripts in the config file.  You will need to set these values in the
+config file:
+
+   up /etc/openvpn/fwmarkroute.up
+   down /etc/openvpn/fwmarkroute.down
+   up-restart
+   up-delay
+
+   setenv remote_netmask_bits 24
+
+Note: For this to work, you can't set the "user" or "group" config options,
+because then the scripts will not run as root.
+
+The last setting allows you to control the size of the network the remote
+system is on.  The remote end has to be set up to route, probably with
+masquerading or NAT.  The network this netmask relates to is calculated
+using the value of "remote" in the conf file.
+
+Sean
diff --git a/contrib/openvpn-fwmarkroute-1.00/fwmarkroute.down b/contrib/openvpn-fwmarkroute-1.00/fwmarkroute.down
new file mode 100755
index 0000000..87d67d4
--- /dev/null
+++ b/contrib/openvpn-fwmarkroute-1.00/fwmarkroute.down
@@ -0,0 +1,22 @@
+#!/bin/sh
+#
+#  Bring down vpn routing.
+
+#  calculate the network address
+remote_network=`ipcalc -n "$remote"/"$remote_netmask_bits"`
+remote_network="${remote_network#*=}"
+
+#  clear routing via VPN
+ip route del "$remote_network"/"$remote_netmask_bits" via "$5" table vpn.out
+ip route del table vpnonly.out via "$5"
+iptables -D OUTPUT -t mangle -p "$proto" \
+		-d "$remote_network"/"$remote_netmask_bits" \
+		--dport "$remote_port" -j ACCEPT
+iptables -D OUTPUT -t mangle -d "$remote" -j MARK --set-mark 2
+
+#  undo the ICMP ping tunneling
+iptables -D OUTPUT -t mangle --protocol icmp --icmp-type echo-request \
+		-j MARK --set-mark 3
+
+#  flush route cache
+ip route flush cache
diff --git a/contrib/openvpn-fwmarkroute-1.00/fwmarkroute.up b/contrib/openvpn-fwmarkroute-1.00/fwmarkroute.up
new file mode 100755
index 0000000..661ec31
--- /dev/null
+++ b/contrib/openvpn-fwmarkroute-1.00/fwmarkroute.up
@@ -0,0 +1,49 @@
+#!/bin/sh
+#
+#  Bring up vpn routing.
+
+#  calculate the network address
+remote_network=`ipcalc -n "$remote"/"$remote_netmask_bits"`
+remote_network="${remote_network#*=}"
+
+#  add the stuff that doesn't change if it's not already there
+grep -q '^202 ' /etc/iproute2/rt_tables 
+if [ "$?" -ne 0 ]
+then
+	echo 202 vpn.out >> /etc/iproute2/rt_tables
+fi
+grep -q '^203 ' /etc/iproute2/rt_tables 
+if [ "$?" -ne 0 ]
+then
+	echo 203 vpnonly.out >> /etc/iproute2/rt_tables
+fi
+ip rule ls | grep -q 'lookup vpn.out *$'
+if [ "$?" -ne 0 ]
+then
+	ip rule add fwmark 2 table vpn.out
+fi
+ip rule ls | grep -q 'lookup vpnonly.out *$'
+if [ "$?" -ne 0 ]
+then
+	ip rule add fwmark 3 table vpnonly.out
+fi
+
+#  route VPN traffic using the normal table
+iptables -A OUTPUT -t mangle -p "$proto" -d "$remote" --dport "$remote_port" \
+		-j ACCEPT
+
+#  route all other traffic to that host via VPN
+iptables -A OUTPUT -t mangle -d "$remote_network"/"$remote_netmask_bits" \
+		-j MARK --set-mark 2
+
+#  route all ICMP pings over the VPN
+iptables -A OUTPUT -t mangle --protocol icmp --icmp-type echo-request \
+		-j MARK --set-mark 3
+
+#  NAT traffic going over the VPN, so it doesn't have an unknown address
+iptables -t nat -A POSTROUTING -o "$1" -j SNAT --to-source "$4"
+
+#  add routing commands
+ip route add "$remote_network"/"$remote_netmask_bits" via "$5" table vpn.out
+ip route add table vpnonly.out via "$5"
+ip route flush cache
diff --git a/contrib/pull-resolv-conf/client.down b/contrib/pull-resolv-conf/client.down
new file mode 100644
index 0000000..05f2d4d
--- /dev/null
+++ b/contrib/pull-resolv-conf/client.down
@@ -0,0 +1,47 @@
+#!/bin/sh
+
+# Copyright (c) 2005-2010 OpenVPN Technologies, Inc.
+# Licensed under the GPL version 2
+
+# First version by Jesse Adelman
+# someone at boldandbusted dink com
+# http://www.boldandbusted.com/
+
+# PURPOSE: This script automatically removes the /etc/resolv.conf entries previously
+# set by the companion script "client.up".
+
+# INSTALL NOTES:
+# Place this in /etc/openvpn/client.down
+# Then, add the following to your /etc/openvpn/<clientconfig>.conf:
+#   client
+#   up /etc/openvpn/client.up
+#   down /etc/openvpn/client.down
+# Next, "chmod a+x /etc/openvpn/client.down"
+
+# USAGE NOTES:
+# Note that this script is best served with the companion "client.up"
+# script.
+
+# Tested under Debian lenny with OpenVPN 2.1_rc11
+# It should work with any UNIX with a POSIX sh, /etc/resolv.conf or resolvconf
+
+# This runs with the context of the OpenVPN UID/GID 
+# at the time of execution. This generally means that
+# the client "up" script will run fine, but the "down" script
+# will require the use of the OpenVPN "down-root" plugin
+# which is in the plugins/ directory of the OpenVPN source tree
+
+# A horrid work around, from a security perspective,
+# is to run OpenVPN as root. THIS IS NOT RECOMMENDED. You have
+# been WARNED.
+PATH=/bin:/usr/bin:/usr/local/bin:/sbin:/usr/sbin:/usr/local/sbin
+
+if type resolvconf >/dev/null 2>&1; then
+  resolvconf -d "${1}" -f
+elif [ -e /etc/resolv.conf.ovpnsave ] ; then
+  # cp + rm rather than mv in case it's a symlink
+  cp /etc/resolv.conf.ovpnsave /etc/resolv.conf
+  rm -f /etc/resolv.conf.ovpnsave
+fi
+
+exit 0
diff --git a/contrib/pull-resolv-conf/client.up b/contrib/pull-resolv-conf/client.up
new file mode 100644
index 0000000..b28d4d1
--- /dev/null
+++ b/contrib/pull-resolv-conf/client.up
@@ -0,0 +1,101 @@
+#!/bin/sh
+
+# Copyright (c) 2005-2010 OpenVPN Technologies, Inc.
+# Licensed under the GPL version 2
+
+# First version by Jesse Adelman
+# someone at boldandbusted dink com
+# http://www.boldandbusted.com/
+
+# PURPOSE: This script automatically sets the proper /etc/resolv.conf entries
+# as pulled down from an OpenVPN server.
+
+# INSTALL NOTES:
+# Place this in /etc/openvpn/client.up
+# Then, add the following to your /etc/openvpn/<clientconfig>.conf:
+#   client
+#   up /etc/openvpn/client.up
+# Next, "chmod a+x /etc/openvpn/client.up"
+
+# USAGE NOTES:
+# Note that this script is best served with the companion "client.down"
+# script.
+
+# Tested under Debian lenny with OpenVPN 2.1_rc11
+# It should work with any UNIX with a POSIX sh, /etc/resolv.conf or resolvconf
+
+# This runs with the context of the OpenVPN UID/GID 
+# at the time of execution. This generally means that
+# the client "up" script will run fine, but the "down" script
+# will require the use of the OpenVPN "down-root" plugin
+# which is in the plugins/ directory of the OpenVPN source tree
+
+# A horrid work around, from a security perspective,
+# is to run OpenVPN as root. THIS IS NOT RECOMMENDED. You have
+# been WARNED.
+PATH=/bin:/usr/bin:/usr/local/bin:/sbin:/usr/sbin:/usr/local/sbin
+
+# init variables
+
+i=1
+domains=
+fopt=
+ndoms=0
+nns=0
+nl='
+'
+
+# $foreign_option_<n> is something like
+# "dhcp-option DOMAIN example.com" (multiple allowed)
+# or
+# "dhcp-option DNS 10.10.10.10" (multiple allowed)
+
+# each DNS option becomes a "nameserver" option in resolv.con
+# if we get one DOMAIN, that becomes "domain" in resolv.conf
+# if we get multiple DOMAINS, those become "search" lines in resolv.conf
+
+while true; do
+  eval fopt=\$foreign_option_${i}
+  [ -z "${fopt}" ] && break
+
+  case ${fopt} in
+		dhcp-option\ DOMAIN\ *)
+           ndoms=$((ndoms + 1))
+           domains="${domains} ${fopt#dhcp-option DOMAIN }"
+           ;;
+		dhcp-option\ DNS\ *)
+           nns=$((nns + 1))
+           if [ $nns -le 3 ]; then
+             dns="${dns}${dns:+$nl}nameserver ${fopt#dhcp-option DNS }"
+           else
+             printf "%s\n" "Too many nameservers - ignoring after third" >&2
+           fi
+           ;;
+        *)
+           printf "%s\n" "Unknown option \"${fopt}\" - ignored" >&2
+           ;;
+	esac
+  i=$((i + 1))
+done
+
+ds=domain
+if [ $ndoms -gt 1 ]; then
+  ds=search
+fi
+
+# This is the complete file - "$domains" has a leading space already
+out="# resolv.conf autogenerated by ${0} (${1})${nl}${dns}${nl}${ds}${domains}"
+
+# use resolvconf if it's available
+if type resolvconf >/dev/null 2>&1; then
+  printf "%s\n" "${out}" | resolvconf -p -a "${1}"
+else
+  # Preserve the existing resolv.conf
+  if [ -e /etc/resolv.conf ] ; then
+    cp /etc/resolv.conf /etc/resolv.conf.ovpnsave
+  fi
+  printf "%s\n" "${out}" > /etc/resolv.conf
+  chmod 644 /etc/resolv.conf
+fi
+
+exit 0