diff options
102 files changed, 1743 insertions, 1520 deletions
@@ -1,6 +1,64 @@ OpenVPN Change Log Copyright (C) 2002-2016 OpenVPN Technologies, Inc. <sales@openvpn.net> +2016.12.01 -- Version 2.4_rc1 +Antonio Quartulli (1): + reload CRL only if file was modified + +Christian Hesse (3): + update year in copyright message + Use systemd service manager notification + Refuse to daemonize when running from systemd + +Gert Doering (1): + Fix windows path in Changes.rst + +Samuli Seppänen (1): + Mention that OpenVPN 2.4 requires Windows Vista or higher + +Selva Nair (4): + Map restart signals from event loop to SIGTERM during exit-notification wait + When parsing '--setenv opt xx ..' make sure a third parameter is present + Force 'def1' method when --redirect-gateway is done through service + Do not restart dns client service as a part of --register-dns processing + +Steffan Karger (4): + tls_process: don't set variable that's never read + Unconditionally enable TLS_AGGREGATE_ACK + Clean up format_hex_ex() + Introduce and use secure_memzero() to erase secrets + + +2016.11.24 -- Version 2.4_beta2 +Arne Schwabe (5): + Document that tls-crypt also supports inline + Fix warning that RAND_bytes is undeclared + Remove compat-stdbool.h. + Fix various compiler warnings + Handle DNS6 option on Android + +David Sommerseth (2): + Changes.rst: Fixing wrong formatting + Document the --auth-token option + +Gert Doering (2): + Remove remaining traces of compat-stdbool.h + Stub implementation of "--dhcp-option DNS6 <v6addr>" + +Selva Nair (3): + Do not set ipv6 address if '--ip-win32 manual' is used + Handle --dhcp-option DNS6 on Windows using netsh + Set IPv6 DNS servers using interactive service + +Steffan Karger (6): + multi_process_float: revert part of c14c4a9e + --tls-crypt fixes + Change cmocka remote to use https in stead of git protocol + generate_key_expansion: make assumption explicit, use C99 features + Poor man's NCP for non-NCP peers + Refactor data channel key generation API + + 2016.11.17 -- Version 2.4_beta1 Arne Schwabe (1): Make Changes.rst nicer for 2.4 release @@ -59,7 +59,8 @@ SUPPORTED PLATFORMS: (4) Mac OS X Darwin 10.5+ (5) FreeBSD 7.4+ (6) NetBSD 5.0+ - (7) Windows (WinXP and higher) + (7) Windows Vista or later for OpenVPN 2.4 + (8) Windows XP or later for OpenVPN 2.3 SUPPORTED PROCESSOR ARCHITECTURES: In general, OpenVPN is word size and endian independent, so diff --git a/Makefile.in b/Makefile.in index 8cb1c6e..f275dda 100644 --- a/Makefile.in +++ b/Makefile.in @@ -1,4 +1,4 @@ -# Makefile.in generated by automake 1.13.4 from Makefile.am. +# Makefile.in generated by automake 1.14.1 from Makefile.am. # @configure_input@ # Copyright (C) 1994-2013 Free Software Foundation, Inc. @@ -110,8 +110,8 @@ DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \ $(top_srcdir)/configure $(am__configure_deps) \ $(srcdir)/config.h.in $(srcdir)/version.sh.in $(dist_doc_DATA) \ $(dist_noinst_DATA) $(dist_noinst_HEADERS) AUTHORS COPYING \ - ChangeLog INSTALL NEWS README config.guess config.sub depcomp \ - install-sh missing ltmain.sh + ChangeLog INSTALL NEWS README compile config.guess config.sub \ + depcomp install-sh missing ltmain.sh ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 am__aclocal_m4_deps = $(top_srcdir)/m4/ax_emptyarray.m4 \ $(top_srcdir)/m4/ax_socklen_t.m4 \ @@ -521,8 +521,8 @@ $(ACLOCAL_M4): $(am__aclocal_m4_deps) $(am__aclocal_m4_deps): config.h: stamp-h1 - @if test ! -f $@; then rm -f stamp-h1; else :; fi - @if test ! -f $@; then $(MAKE) $(AM_MAKEFLAGS) stamp-h1; else :; fi + @test -f $@ || rm -f stamp-h1 + @test -f $@ || $(MAKE) $(AM_MAKEFLAGS) stamp-h1 stamp-h1: $(srcdir)/config.h.in $(top_builddir)/config.status @rm -f stamp-h1 @@ -775,10 +775,16 @@ dist-xz: distdir $(am__post_remove_distdir) dist-tarZ: distdir + @echo WARNING: "Support for shar distribution archives is" \ + "deprecated." >&2 + @echo WARNING: "It will be removed altogether in Automake 2.0" >&2 tardir=$(distdir) && $(am__tar) | compress -c >$(distdir).tar.Z $(am__post_remove_distdir) dist-shar: distdir + @echo WARNING: "Support for distribution archives compressed with" \ + "legacy program 'compress' is deprecated." >&2 + @echo WARNING: "It will be removed altogether in Automake 2.0" >&2 shar $(distdir) | GZIP=$(GZIP_ENV) gzip -c >$(distdir).shar.gz $(am__post_remove_distdir) @@ -820,9 +826,10 @@ distcheck: dist && dc_destdir="$${TMPDIR-/tmp}/am-dc-$$$$/" \ && am__cwd=`pwd` \ && $(am__cd) $(distdir)/_build \ - && ../configure --srcdir=.. --prefix="$$dc_install_base" \ + && ../configure \ $(AM_DISTCHECK_CONFIGURE_FLAGS) \ $(DISTCHECK_CONFIGURE_FLAGS) \ + --srcdir=.. --prefix="$$dc_install_base" \ && $(MAKE) $(AM_MAKEFLAGS) \ && $(MAKE) $(AM_MAKEFLAGS) dvi \ && $(MAKE) $(AM_MAKEFLAGS) check \ @@ -1,4 +1,4 @@ -# generated automatically by aclocal 1.13.4 -*- Autoconf -*- +# generated automatically by aclocal 1.14.1 -*- Autoconf -*- # Copyright (C) 1996-2013 Free Software Foundation, Inc. @@ -32,10 +32,10 @@ To do so, use the procedure documented by the package, typically 'autoreconf'.]) # generated from the m4 files accompanying Automake X.Y. # (This private macro should not be called outside this file.) AC_DEFUN([AM_AUTOMAKE_VERSION], -[am__api_version='1.13' +[am__api_version='1.14' dnl Some users find AM_AUTOMAKE_VERSION and mistake it for a way to dnl require some minimum version. Point them to the right macro. -m4_if([$1], [1.13.4], [], +m4_if([$1], [1.14.1], [], [AC_FATAL([Do not call $0, use AM_INIT_AUTOMAKE([$1]).])])dnl ]) @@ -51,7 +51,7 @@ m4_define([_AM_AUTOCONF_VERSION], []) # Call AM_AUTOMAKE_VERSION and AM_AUTOMAKE_VERSION so they can be traced. # This function is AC_REQUIREd by AM_INIT_AUTOMAKE. AC_DEFUN([AM_SET_CURRENT_AUTOMAKE_VERSION], -[AM_AUTOMAKE_VERSION([1.13.4])dnl +[AM_AUTOMAKE_VERSION([1.14.1])dnl m4_ifndef([AC_AUTOCONF_VERSION], [m4_copy([m4_PACKAGE_VERSION], [AC_AUTOCONF_VERSION])])dnl _AM_AUTOCONF_VERSION(m4_defn([AC_AUTOCONF_VERSION]))]) @@ -103,10 +103,9 @@ _AM_AUTOCONF_VERSION(m4_defn([AC_AUTOCONF_VERSION]))]) # configured tree to be moved without reconfiguration. AC_DEFUN([AM_AUX_DIR_EXPAND], -[dnl Rely on autoconf to set up CDPATH properly. -AC_PREREQ([2.50])dnl -# expand $ac_aux_dir to an absolute path -am_aux_dir=`cd $ac_aux_dir && pwd` +[AC_REQUIRE([AC_CONFIG_AUX_DIR_DEFAULT])dnl +# Expand $ac_aux_dir to an absolute path. +am_aux_dir=`cd "$ac_aux_dir" && pwd` ]) # AM_CONDITIONAL -*- Autoconf -*- @@ -418,6 +417,12 @@ AC_DEFUN([AM_OUTPUT_DEPENDENCY_COMMANDS], # This macro actually does too much. Some checks are only needed if # your package does certain things. But this isn't really a big deal. +dnl Redefine AC_PROG_CC to automatically invoke _AM_PROG_CC_C_O. +m4_define([AC_PROG_CC], +m4_defn([AC_PROG_CC]) +[_AM_PROG_CC_C_O +]) + # AM_INIT_AUTOMAKE(PACKAGE, VERSION, [NO-DEFINE]) # AM_INIT_AUTOMAKE([OPTIONS]) # ----------------------------------------------- @@ -526,6 +531,48 @@ dnl macro is hooked onto _AC_COMPILER_EXEEXT early, see below. AC_CONFIG_COMMANDS_PRE(dnl [m4_provide_if([_AM_COMPILER_EXEEXT], [AM_CONDITIONAL([am__EXEEXT], [test -n "$EXEEXT"])])])dnl + +# POSIX will say in a future version that running "rm -f" with no argument +# is OK; and we want to be able to make that assumption in our Makefile +# recipes. So use an aggressive probe to check that the usage we want is +# actually supported "in the wild" to an acceptable degree. +# See automake bug#10828. +# To make any issue more visible, cause the running configure to be aborted +# by default if the 'rm' program in use doesn't match our expectations; the +# user can still override this though. +if rm -f && rm -fr && rm -rf; then : OK; else + cat >&2 <<'END' +Oops! + +Your 'rm' program seems unable to run without file operands specified +on the command line, even when the '-f' option is present. This is contrary +to the behaviour of most rm programs out there, and not conforming with +the upcoming POSIX standard: <http://austingroupbugs.net/view.php?id=542> + +Please tell bug-automake@gnu.org about your system, including the value +of your $PATH and any error possibly output before this message. This +can help us improve future automake versions. + +END + if test x"$ACCEPT_INFERIOR_RM_PROGRAM" = x"yes"; then + echo 'Configuration will proceed anyway, since you have set the' >&2 + echo 'ACCEPT_INFERIOR_RM_PROGRAM variable to "yes"' >&2 + echo >&2 + else + cat >&2 <<'END' +Aborting the configuration process, to ensure you take notice of the issue. + +You can download and install GNU coreutils to get an 'rm' implementation +that behaves properly: <http://www.gnu.org/software/coreutils/>. + +If you want to complete the configuration process using your problematic +'rm' anyway, export the environment variable ACCEPT_INFERIOR_RM_PROGRAM +to "yes", and re-run configure. + +END + AC_MSG_ERROR([Your 'rm' program is bad, sorry.]) + fi +fi ]) dnl Hook into '_AC_COMPILER_EXEEXT' early to learn its expansion. Do not @@ -534,7 +581,6 @@ dnl mangled by Autoconf and run in a shell conditional statement. m4_define([_AC_COMPILER_EXEEXT], m4_defn([_AC_COMPILER_EXEEXT])[m4_provide([_AM_COMPILER_EXEEXT])]) - # When config.status generates a header, we must update the stamp-h file. # This file resides in the same directory as the config header # that is generated. The stamp files are numbered to have different names. @@ -716,6 +762,70 @@ AC_DEFUN([_AM_SET_OPTIONS], AC_DEFUN([_AM_IF_OPTION], [m4_ifset(_AM_MANGLE_OPTION([$1]), [$2], [$3])]) +# Copyright (C) 1999-2013 Free Software Foundation, Inc. +# +# This file is free software; the Free Software Foundation +# gives unlimited permission to copy and/or distribute it, +# with or without modifications, as long as this notice is preserved. + +# _AM_PROG_CC_C_O +# --------------- +# Like AC_PROG_CC_C_O, but changed for automake. We rewrite AC_PROG_CC +# to automatically call this. +AC_DEFUN([_AM_PROG_CC_C_O], +[AC_REQUIRE([AM_AUX_DIR_EXPAND])dnl +AC_REQUIRE_AUX_FILE([compile])dnl +AC_LANG_PUSH([C])dnl +AC_CACHE_CHECK( + [whether $CC understands -c and -o together], + [am_cv_prog_cc_c_o], + [AC_LANG_CONFTEST([AC_LANG_PROGRAM([])]) + # Make sure it works both with $CC and with simple cc. + # Following AC_PROG_CC_C_O, we do the test twice because some + # compilers refuse to overwrite an existing .o file with -o, + # though they will create one. + am_cv_prog_cc_c_o=yes + for am_i in 1 2; do + if AM_RUN_LOG([$CC -c conftest.$ac_ext -o conftest2.$ac_objext]) \ + && test -f conftest2.$ac_objext; then + : OK + else + am_cv_prog_cc_c_o=no + break + fi + done + rm -f core conftest* + unset am_i]) +if test "$am_cv_prog_cc_c_o" != yes; then + # Losing compiler, so override with the script. + # FIXME: It is wrong to rewrite CC. + # But if we don't then we get into trouble of one sort or another. + # A longer-term fix would be to have automake use am__CC in this case, + # and then we could set am__CC="\$(top_srcdir)/compile \$(CC)" + CC="$am_aux_dir/compile $CC" +fi +AC_LANG_POP([C])]) + +# For backward compatibility. +AC_DEFUN_ONCE([AM_PROG_CC_C_O], [AC_REQUIRE([AC_PROG_CC])]) + +# Copyright (C) 2001-2013 Free Software Foundation, Inc. +# +# This file is free software; the Free Software Foundation +# gives unlimited permission to copy and/or distribute it, +# with or without modifications, as long as this notice is preserved. + +# AM_RUN_LOG(COMMAND) +# ------------------- +# Run COMMAND, save the exit status in ac_status, and log it. +# (This has been adapted from Autoconf's _AC_RUN_LOG macro.) +AC_DEFUN([AM_RUN_LOG], +[{ echo "$as_me:$LINENO: $1" >&AS_MESSAGE_LOG_FD + ($1) >&AS_MESSAGE_LOG_FD 2>&AS_MESSAGE_LOG_FD + ac_status=$? + echo "$as_me:$LINENO: \$? = $ac_status" >&AS_MESSAGE_LOG_FD + (exit $ac_status); }]) + # Check to make sure that the build environment is sane. -*- Autoconf -*- # Copyright (C) 1996-2013 Free Software Foundation, Inc. diff --git a/build/Makefile.in b/build/Makefile.in index 2127ae8..0d3892a 100644 --- a/build/Makefile.in +++ b/build/Makefile.in @@ -1,4 +1,4 @@ -# Makefile.in generated by automake 1.13.4 from Makefile.am. +# Makefile.in generated by automake 1.14.1 from Makefile.am. # @configure_input@ # Copyright (C) 1994-2013 Free Software Foundation, Inc. diff --git a/build/msvc/Makefile.in b/build/msvc/Makefile.in index e4a9303..d2b5393 100644 --- a/build/msvc/Makefile.in +++ b/build/msvc/Makefile.in @@ -1,4 +1,4 @@ -# Makefile.in generated by automake 1.13.4 from Makefile.am. +# Makefile.in generated by automake 1.14.1 from Makefile.am. # @configure_input@ # Copyright (C) 1994-2013 Free Software Foundation, Inc. diff --git a/build/msvc/msvc-generate/Makefile.in b/build/msvc/msvc-generate/Makefile.in index 54a8e19..d63281e 100644 --- a/build/msvc/msvc-generate/Makefile.in +++ b/build/msvc/msvc-generate/Makefile.in @@ -1,4 +1,4 @@ -# Makefile.in generated by automake 1.13.4 from Makefile.am. +# Makefile.in generated by automake 1.14.1 from Makefile.am. # @configure_input@ # Copyright (C) 1994-2013 Free Software Foundation, Inc. @@ -0,0 +1,347 @@ +#! /bin/sh +# Wrapper for compilers which do not understand '-c -o'. + +scriptversion=2012-10-14.11; # UTC + +# Copyright (C) 1999-2013 Free Software Foundation, Inc. +# Written by Tom Tromey <tromey@cygnus.com>. +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 2, or (at your option) +# any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see <http://www.gnu.org/licenses/>. + +# As a special exception to the GNU General Public License, if you +# distribute this file as part of a program that contains a +# configuration script generated by Autoconf, you may include it under +# the same distribution terms that you use for the rest of that program. + +# This file is maintained in Automake, please report +# bugs to <bug-automake@gnu.org> or send patches to +# <automake-patches@gnu.org>. + +nl=' +' + +# We need space, tab and new line, in precisely that order. Quoting is +# there to prevent tools from complaining about whitespace usage. +IFS=" "" $nl" + +file_conv= + +# func_file_conv build_file lazy +# Convert a $build file to $host form and store it in $file +# Currently only supports Windows hosts. If the determined conversion +# type is listed in (the comma separated) LAZY, no conversion will +# take place. +func_file_conv () +{ + file=$1 + case $file in + / | /[!/]*) # absolute file, and not a UNC file + if test -z "$file_conv"; then + # lazily determine how to convert abs files + case `uname -s` in + MINGW*) + file_conv=mingw + ;; + CYGWIN*) + file_conv=cygwin + ;; + *) + file_conv=wine + ;; + esac + fi + case $file_conv/,$2, in + *,$file_conv,*) + ;; + mingw/*) + file=`cmd //C echo "$file " | sed -e 's/"\(.*\) " *$/\1/'` + ;; + cygwin/*) + file=`cygpath -m "$file" || echo "$file"` + ;; + wine/*) + file=`winepath -w "$file" || echo "$file"` + ;; + esac + ;; + esac +} + +# func_cl_dashL linkdir +# Make cl look for libraries in LINKDIR +func_cl_dashL () +{ + func_file_conv "$1" + if test -z "$lib_path"; then + lib_path=$file + else + lib_path="$lib_path;$file" + fi + linker_opts="$linker_opts -LIBPATH:$file" +} + +# func_cl_dashl library +# Do a library search-path lookup for cl +func_cl_dashl () +{ + lib=$1 + found=no + save_IFS=$IFS + IFS=';' + for dir in $lib_path $LIB + do + IFS=$save_IFS + if $shared && test -f "$dir/$lib.dll.lib"; then + found=yes + lib=$dir/$lib.dll.lib + break + fi + if test -f "$dir/$lib.lib"; then + found=yes + lib=$dir/$lib.lib + break + fi + if test -f "$dir/lib$lib.a"; then + found=yes + lib=$dir/lib$lib.a + break + fi + done + IFS=$save_IFS + + if test "$found" != yes; then + lib=$lib.lib + fi +} + +# func_cl_wrapper cl arg... +# Adjust compile command to suit cl +func_cl_wrapper () +{ + # Assume a capable shell + lib_path= + shared=: + linker_opts= + for arg + do + if test -n "$eat"; then + eat= + else + case $1 in + -o) + # configure might choose to run compile as 'compile cc -o foo foo.c'. + eat=1 + case $2 in + *.o | *.[oO][bB][jJ]) + func_file_conv "$2" + set x "$@" -Fo"$file" + shift + ;; + *) + func_file_conv "$2" + set x "$@" -Fe"$file" + shift + ;; + esac + ;; + -I) + eat=1 + func_file_conv "$2" mingw + set x "$@" -I"$file" + shift + ;; + -I*) + func_file_conv "${1#-I}" mingw + set x "$@" -I"$file" + shift + ;; + -l) + eat=1 + func_cl_dashl "$2" + set x "$@" "$lib" + shift + ;; + -l*) + func_cl_dashl "${1#-l}" + set x "$@" "$lib" + shift + ;; + -L) + eat=1 + func_cl_dashL "$2" + ;; + -L*) + func_cl_dashL "${1#-L}" + ;; + -static) + shared=false + ;; + -Wl,*) + arg=${1#-Wl,} + save_ifs="$IFS"; IFS=',' + for flag in $arg; do + IFS="$save_ifs" + linker_opts="$linker_opts $flag" + done + IFS="$save_ifs" + ;; + -Xlinker) + eat=1 + linker_opts="$linker_opts $2" + ;; + -*) + set x "$@" "$1" + shift + ;; + *.cc | *.CC | *.cxx | *.CXX | *.[cC]++) + func_file_conv "$1" + set x "$@" -Tp"$file" + shift + ;; + *.c | *.cpp | *.CPP | *.lib | *.LIB | *.Lib | *.OBJ | *.obj | *.[oO]) + func_file_conv "$1" mingw + set x "$@" "$file" + shift + ;; + *) + set x "$@" "$1" + shift + ;; + esac + fi + shift + done + if test -n "$linker_opts"; then + linker_opts="-link$linker_opts" + fi + exec "$@" $linker_opts + exit 1 +} + +eat= + +case $1 in + '') + echo "$0: No command. Try '$0 --help' for more information." 1>&2 + exit 1; + ;; + -h | --h*) + cat <<\EOF +Usage: compile [--help] [--version] PROGRAM [ARGS] + +Wrapper for compilers which do not understand '-c -o'. +Remove '-o dest.o' from ARGS, run PROGRAM with the remaining +arguments, and rename the output as expected. + +If you are trying to build a whole package this is not the +right script to run: please start by reading the file 'INSTALL'. + +Report bugs to <bug-automake@gnu.org>. +EOF + exit $? + ;; + -v | --v*) + echo "compile $scriptversion" + exit $? + ;; + cl | *[/\\]cl | cl.exe | *[/\\]cl.exe ) + func_cl_wrapper "$@" # Doesn't return... + ;; +esac + +ofile= +cfile= + +for arg +do + if test -n "$eat"; then + eat= + else + case $1 in + -o) + # configure might choose to run compile as 'compile cc -o foo foo.c'. + # So we strip '-o arg' only if arg is an object. + eat=1 + case $2 in + *.o | *.obj) + ofile=$2 + ;; + *) + set x "$@" -o "$2" + shift + ;; + esac + ;; + *.c) + cfile=$1 + set x "$@" "$1" + shift + ;; + *) + set x "$@" "$1" + shift + ;; + esac + fi + shift +done + +if test -z "$ofile" || test -z "$cfile"; then + # If no '-o' option was seen then we might have been invoked from a + # pattern rule where we don't need one. That is ok -- this is a + # normal compilation that the losing compiler can handle. If no + # '.c' file was seen then we are probably linking. That is also + # ok. + exec "$@" +fi + +# Name of file we expect compiler to create. +cofile=`echo "$cfile" | sed 's|^.*[\\/]||; s|^[a-zA-Z]:||; s/\.c$/.o/'` + +# Create the lock directory. +# Note: use '[/\\:.-]' here to ensure that we don't use the same name +# that we are using for the .o file. Also, base the name on the expected +# object file name, since that is what matters with a parallel build. +lockdir=`echo "$cofile" | sed -e 's|[/\\:.-]|_|g'`.d +while true; do + if mkdir "$lockdir" >/dev/null 2>&1; then + break + fi + sleep 1 +done +# FIXME: race condition here if user kills between mkdir and trap. +trap "rmdir '$lockdir'; exit 1" 1 2 15 + +# Run the compile. +"$@" +ret=$? + +if test -f "$cofile"; then + test "$cofile" = "$ofile" || mv "$cofile" "$ofile" +elif test -f "${cofile}bj"; then + test "${cofile}bj" = "$ofile" || mv "${cofile}bj" "$ofile" +fi + +rmdir "$lockdir" +exit $ret + +# Local Variables: +# mode: shell-script +# sh-indentation: 2 +# eval: (add-hook 'write-file-hooks 'time-stamp) +# time-stamp-start: "scriptversion=" +# time-stamp-format: "%:y-%02m-%02d.%02H" +# time-stamp-time-zone: "UTC" +# time-stamp-end: "; # UTC" +# End: diff --git a/config.guess b/config.guess index b79252d..1f5c50c 100755 --- a/config.guess +++ b/config.guess @@ -1,8 +1,8 @@ #! /bin/sh # Attempt to guess a canonical system name. -# Copyright 1992-2013 Free Software Foundation, Inc. +# Copyright 1992-2014 Free Software Foundation, Inc. -timestamp='2013-06-10' +timestamp='2014-03-23' # This file is free software; you can redistribute it and/or modify it # under the terms of the GNU General Public License as published by @@ -50,7 +50,7 @@ version="\ GNU config.guess ($timestamp) Originally written by Per Bothner. -Copyright 1992-2013 Free Software Foundation, Inc. +Copyright 1992-2014 Free Software Foundation, Inc. This is free software; see the source for copying conditions. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE." @@ -149,7 +149,7 @@ Linux|GNU|GNU/*) LIBC=gnu #endif EOF - eval `$CC_FOR_BUILD -E $dummy.c 2>/dev/null | grep '^LIBC'` + eval `$CC_FOR_BUILD -E $dummy.c 2>/dev/null | grep '^LIBC' | sed 's, ,,g'` ;; esac @@ -826,7 +826,7 @@ EOF *:MINGW*:*) echo ${UNAME_MACHINE}-pc-mingw32 exit ;; - i*:MSYS*:*) + *:MSYS*:*) echo ${UNAME_MACHINE}-pc-msys exit ;; i*:windows32*:*) @@ -969,10 +969,10 @@ EOF eval `$CC_FOR_BUILD -E $dummy.c 2>/dev/null | grep '^CPU'` test x"${CPU}" != x && { echo "${CPU}-unknown-linux-${LIBC}"; exit; } ;; - or1k:Linux:*:*) - echo ${UNAME_MACHINE}-unknown-linux-${LIBC} + openrisc*:Linux:*:*) + echo or1k-unknown-linux-${LIBC} exit ;; - or32:Linux:*:*) + or32:Linux:*:* | or1k*:Linux:*:*) echo ${UNAME_MACHINE}-unknown-linux-${LIBC} exit ;; padre:Linux:*:*) @@ -1260,16 +1260,26 @@ EOF if test "$UNAME_PROCESSOR" = unknown ; then UNAME_PROCESSOR=powerpc fi - if [ "$CC_FOR_BUILD" != 'no_compiler_found' ]; then - if (echo '#ifdef __LP64__'; echo IS_64BIT_ARCH; echo '#endif') | \ - (CCOPTS= $CC_FOR_BUILD -E - 2>/dev/null) | \ - grep IS_64BIT_ARCH >/dev/null - then - case $UNAME_PROCESSOR in - i386) UNAME_PROCESSOR=x86_64 ;; - powerpc) UNAME_PROCESSOR=powerpc64 ;; - esac + if test `echo "$UNAME_RELEASE" | sed -e 's/\..*//'` -le 10 ; then + if [ "$CC_FOR_BUILD" != 'no_compiler_found' ]; then + if (echo '#ifdef __LP64__'; echo IS_64BIT_ARCH; echo '#endif') | \ + (CCOPTS= $CC_FOR_BUILD -E - 2>/dev/null) | \ + grep IS_64BIT_ARCH >/dev/null + then + case $UNAME_PROCESSOR in + i386) UNAME_PROCESSOR=x86_64 ;; + powerpc) UNAME_PROCESSOR=powerpc64 ;; + esac + fi fi + elif test "$UNAME_PROCESSOR" = i386 ; then + # Avoid executing cc on OS X 10.9, as it ships with a stub + # that puts up a graphical alert prompting to install + # developer tools. Any system running Mac OS X 10.7 or + # later (Darwin 11 and later) is required to have a 64-bit + # processor. This is not true of the ARM version of Darwin + # that Apple uses in portable devices. + UNAME_PROCESSOR=x86_64 fi echo ${UNAME_PROCESSOR}-apple-darwin${UNAME_RELEASE} exit ;; @@ -1361,154 +1371,6 @@ EOF exit ;; esac -eval $set_cc_for_build -cat >$dummy.c <<EOF -#ifdef _SEQUENT_ -# include <sys/types.h> -# include <sys/utsname.h> -#endif -main () -{ -#if defined (sony) -#if defined (MIPSEB) - /* BFD wants "bsd" instead of "newsos". Perhaps BFD should be changed, - I don't know.... */ - printf ("mips-sony-bsd\n"); exit (0); -#else -#include <sys/param.h> - printf ("m68k-sony-newsos%s\n", -#ifdef NEWSOS4 - "4" -#else - "" -#endif - ); exit (0); -#endif -#endif - -#if defined (__arm) && defined (__acorn) && defined (__unix) - printf ("arm-acorn-riscix\n"); exit (0); -#endif - -#if defined (hp300) && !defined (hpux) - printf ("m68k-hp-bsd\n"); exit (0); -#endif - -#if defined (NeXT) -#if !defined (__ARCHITECTURE__) -#define __ARCHITECTURE__ "m68k" -#endif - int version; - version=`(hostinfo | sed -n 's/.*NeXT Mach \([0-9]*\).*/\1/p') 2>/dev/null`; - if (version < 4) - printf ("%s-next-nextstep%d\n", __ARCHITECTURE__, version); - else - printf ("%s-next-openstep%d\n", __ARCHITECTURE__, version); - exit (0); -#endif - -#if defined (MULTIMAX) || defined (n16) -#if defined (UMAXV) - printf ("ns32k-encore-sysv\n"); exit (0); -#else -#if defined (CMU) - printf ("ns32k-encore-mach\n"); exit (0); -#else - printf ("ns32k-encore-bsd\n"); exit (0); -#endif -#endif -#endif - -#if defined (__386BSD__) - printf ("i386-pc-bsd\n"); exit (0); -#endif - -#if defined (sequent) -#if defined (i386) - printf ("i386-sequent-dynix\n"); exit (0); -#endif -#if defined (ns32000) - printf ("ns32k-sequent-dynix\n"); exit (0); -#endif -#endif - -#if defined (_SEQUENT_) - struct utsname un; - - uname(&un); - - if (strncmp(un.version, "V2", 2) == 0) { - printf ("i386-sequent-ptx2\n"); exit (0); - } - if (strncmp(un.version, "V1", 2) == 0) { /* XXX is V1 correct? */ - printf ("i386-sequent-ptx1\n"); exit (0); - } - printf ("i386-sequent-ptx\n"); exit (0); - -#endif - -#if defined (vax) -# if !defined (ultrix) -# include <sys/param.h> -# if defined (BSD) -# if BSD == 43 - printf ("vax-dec-bsd4.3\n"); exit (0); -# else -# if BSD == 199006 - printf ("vax-dec-bsd4.3reno\n"); exit (0); -# else - printf ("vax-dec-bsd\n"); exit (0); -# endif -# endif -# else - printf ("vax-dec-bsd\n"); exit (0); -# endif -# else - printf ("vax-dec-ultrix\n"); exit (0); -# endif -#endif - -#if defined (alliant) && defined (i860) - printf ("i860-alliant-bsd\n"); exit (0); -#endif - - exit (1); -} -EOF - -$CC_FOR_BUILD -o $dummy $dummy.c 2>/dev/null && SYSTEM_NAME=`$dummy` && - { echo "$SYSTEM_NAME"; exit; } - -# Apollos put the system type in the environment. - -test -d /usr/apollo && { echo ${ISP}-apollo-${SYSTYPE}; exit; } - -# Convex versions that predate uname can use getsysinfo(1) - -if [ -x /usr/convex/getsysinfo ] -then - case `getsysinfo -f cpu_type` in - c1*) - echo c1-convex-bsd - exit ;; - c2*) - if getsysinfo -f scalar_acc - then echo c32-convex-bsd - else echo c2-convex-bsd - fi - exit ;; - c34*) - echo c34-convex-bsd - exit ;; - c38*) - echo c38-convex-bsd - exit ;; - c4*) - echo c4-convex-bsd - exit ;; - esac -fi - cat >&2 <<EOF $0: unable to guess system type diff --git a/config.h.in b/config.h.in index 88a53da..073784d 100644 --- a/config.h.in +++ b/config.h.in @@ -463,9 +463,6 @@ /* Define to 1 if you have the <stdarg.h> header file. */ #undef HAVE_STDARG_H -/* Define to 1 if you have the <stdbool.h> header file. */ -#undef HAVE_STDBOOL_H - /* Define to 1 if you have the <stdint.h> header file. */ #undef HAVE_STDINT_H @@ -1,8 +1,8 @@ #! /bin/sh # Configuration validation subroutine script. -# Copyright 1992-2013 Free Software Foundation, Inc. +# Copyright 1992-2014 Free Software Foundation, Inc. -timestamp='2013-04-24' +timestamp='2014-09-11' # This file is free software; you can redistribute it and/or modify it # under the terms of the GNU General Public License as published by @@ -68,7 +68,7 @@ Report bugs and patches to <config-patches@gnu.org>." version="\ GNU config.sub ($timestamp) -Copyright 1992-2013 Free Software Foundation, Inc. +Copyright 1992-2014 Free Software Foundation, Inc. This is free software; see the source for copying conditions. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE." @@ -257,7 +257,7 @@ case $basic_machine in | avr | avr32 \ | be32 | be64 \ | bfin \ - | c4x | clipper \ + | c4x | c8051 | clipper \ | d10v | d30v | dlx | dsp16xx \ | epiphany \ | fido | fr30 | frv \ @@ -265,6 +265,7 @@ case $basic_machine in | hexagon \ | i370 | i860 | i960 | ia64 \ | ip2k | iq2000 \ + | k1om \ | le32 | le64 \ | lm32 \ | m32c | m32r | m32rle | m68000 | m68k | m88k \ @@ -282,8 +283,10 @@ case $basic_machine in | mips64vr5900 | mips64vr5900el \ | mipsisa32 | mipsisa32el \ | mipsisa32r2 | mipsisa32r2el \ + | mipsisa32r6 | mipsisa32r6el \ | mipsisa64 | mipsisa64el \ | mipsisa64r2 | mipsisa64r2el \ + | mipsisa64r6 | mipsisa64r6el \ | mipsisa64sb1 | mipsisa64sb1el \ | mipsisa64sr71k | mipsisa64sr71kel \ | mipsr5900 | mipsr5900el \ @@ -295,11 +298,11 @@ case $basic_machine in | nds32 | nds32le | nds32be \ | nios | nios2 | nios2eb | nios2el \ | ns16k | ns32k \ - | open8 \ - | or1k | or32 \ + | open8 | or1k | or1knd | or32 \ | pdp10 | pdp11 | pj | pjl \ | powerpc | powerpc64 | powerpc64le | powerpcle \ | pyramid \ + | riscv32 | riscv64 \ | rl78 | rx \ | score \ | sh | sh[1234] | sh[24]a | sh[24]aeb | sh[23]e | sh[34]eb | sheb | shbe | shle | sh[1234]le | sh3ele \ @@ -324,7 +327,7 @@ case $basic_machine in c6x) basic_machine=tic6x-unknown ;; - m6811 | m68hc11 | m6812 | m68hc12 | m68hcs12x | picochip) + m6811 | m68hc11 | m6812 | m68hc12 | m68hcs12x | nvptx | picochip) basic_machine=$basic_machine-unknown os=-none ;; @@ -372,7 +375,7 @@ case $basic_machine in | be32-* | be64-* \ | bfin-* | bs2000-* \ | c[123]* | c30-* | [cjt]90-* | c4x-* \ - | clipper-* | craynv-* | cydra-* \ + | c8051-* | clipper-* | craynv-* | cydra-* \ | d10v-* | d30v-* | dlx-* \ | elxsi-* \ | f30[01]-* | f700-* | fido-* | fr30-* | frv-* | fx80-* \ @@ -381,6 +384,7 @@ case $basic_machine in | hexagon-* \ | i*86-* | i860-* | i960-* | ia64-* \ | ip2k-* | iq2000-* \ + | k1om-* \ | le32-* | le64-* \ | lm32-* \ | m32c-* | m32r-* | m32rle-* \ @@ -400,8 +404,10 @@ case $basic_machine in | mips64vr5900-* | mips64vr5900el-* \ | mipsisa32-* | mipsisa32el-* \ | mipsisa32r2-* | mipsisa32r2el-* \ + | mipsisa32r6-* | mipsisa32r6el-* \ | mipsisa64-* | mipsisa64el-* \ | mipsisa64r2-* | mipsisa64r2el-* \ + | mipsisa64r6-* | mipsisa64r6el-* \ | mipsisa64sb1-* | mipsisa64sb1el-* \ | mipsisa64sr71k-* | mipsisa64sr71kel-* \ | mipsr5900-* | mipsr5900el-* \ @@ -413,6 +419,7 @@ case $basic_machine in | nios-* | nios2-* | nios2eb-* | nios2el-* \ | none-* | np1-* | ns16k-* | ns32k-* \ | open8-* \ + | or1k*-* \ | orion-* \ | pdp10-* | pdp11-* | pj-* | pjl-* | pn-* | power-* \ | powerpc-* | powerpc64-* | powerpc64le-* | powerpcle-* \ @@ -794,7 +801,7 @@ case $basic_machine in os=-mingw64 ;; mingw32) - basic_machine=i386-pc + basic_machine=i686-pc os=-mingw32 ;; mingw32ce) @@ -822,6 +829,10 @@ case $basic_machine in basic_machine=powerpc-unknown os=-morphos ;; + moxiebox) + basic_machine=moxie-unknown + os=-moxiebox + ;; msdos) basic_machine=i386-pc os=-msdos @@ -830,7 +841,7 @@ case $basic_machine in basic_machine=`echo $basic_machine | sed -e 's/ms1-/mt-/'` ;; msys) - basic_machine=i386-pc + basic_machine=i686-pc os=-msys ;; mvs) @@ -1006,7 +1017,7 @@ case $basic_machine in ;; ppc64) basic_machine=powerpc64-unknown ;; - ppc64-* | ppc64p7-*) basic_machine=powerpc64-`echo $basic_machine | sed 's/^[^-]*-//'` + ppc64-*) basic_machine=powerpc64-`echo $basic_machine | sed 's/^[^-]*-//'` ;; ppc64le | powerpc64little | ppc64-le | powerpc64-little) basic_machine=powerpc64le-unknown @@ -1367,14 +1378,14 @@ case $os in | -cygwin* | -msys* | -pe* | -psos* | -moss* | -proelf* | -rtems* \ | -mingw32* | -mingw64* | -linux-gnu* | -linux-android* \ | -linux-newlib* | -linux-musl* | -linux-uclibc* \ - | -uxpv* | -beos* | -mpeix* | -udk* \ + | -uxpv* | -beos* | -mpeix* | -udk* | -moxiebox* \ | -interix* | -uwin* | -mks* | -rhapsody* | -darwin* | -opened* \ | -openstep* | -oskit* | -conix* | -pw32* | -nonstopux* \ | -storm-chaos* | -tops10* | -tenex* | -tops20* | -its* \ | -os2* | -vos* | -palmos* | -uclinux* | -nucleus* \ | -morphos* | -superux* | -rtmk* | -rtmk-nova* | -windiss* \ | -powermax* | -dnix* | -nx6 | -nx7 | -sei* | -dragonfly* \ - | -skyos* | -haiku* | -rdos* | -toppers* | -drops* | -es*) + | -skyos* | -haiku* | -rdos* | -toppers* | -drops* | -es* | -tirtos*) # Remember, each alternative MUST END IN *, to match a version number. ;; -qnx*) @@ -1546,6 +1557,9 @@ case $basic_machine in c4x-* | tic4x-*) os=-coff ;; + c8051-*) + os=-elf + ;; hexagon-*) os=-elf ;; @@ -1589,9 +1603,6 @@ case $basic_machine in mips*-*) os=-elf ;; - or1k-*) - os=-elf - ;; or32-*) os=-coff ;; @@ -1,6 +1,6 @@ #! /bin/sh # Guess values for system-dependent variables and create Makefiles. -# Generated by GNU Autoconf 2.69 for OpenVPN 2.4_beta1. +# Generated by GNU Autoconf 2.69 for OpenVPN 2.4_rc1. # # Report bugs to <openvpn-users@lists.sourceforge.net>. # @@ -590,8 +590,8 @@ MAKEFLAGS= # Identity of this package. PACKAGE_NAME='OpenVPN' PACKAGE_TARNAME='openvpn' -PACKAGE_VERSION='2.4_beta1' -PACKAGE_STRING='OpenVPN 2.4_beta1' +PACKAGE_VERSION='2.4_rc1' +PACKAGE_STRING='OpenVPN 2.4_rc1' PACKAGE_BUGREPORT='openvpn-users@lists.sourceforge.net' PACKAGE_URL='' @@ -1443,7 +1443,7 @@ if test "$ac_init_help" = "long"; then # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF -\`configure' configures OpenVPN 2.4_beta1 to adapt to many kinds of systems. +\`configure' configures OpenVPN 2.4_rc1 to adapt to many kinds of systems. Usage: $0 [OPTION]... [VAR=VALUE]... @@ -1513,7 +1513,7 @@ fi if test -n "$ac_init_help"; then case $ac_init_help in - short | recursive ) echo "Configuration of OpenVPN 2.4_beta1:";; + short | recursive ) echo "Configuration of OpenVPN 2.4_rc1:";; esac cat <<\_ACEOF @@ -1712,7 +1712,7 @@ fi test -n "$ac_init_help" && exit $ac_status if $ac_init_version; then cat <<\_ACEOF -OpenVPN configure 2.4_beta1 +OpenVPN configure 2.4_rc1 generated by GNU Autoconf 2.69 Copyright (C) 2012 Free Software Foundation, Inc. @@ -2551,7 +2551,7 @@ cat >config.log <<_ACEOF This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. -It was created by OpenVPN $as_me 2.4_beta1, which was +It was created by OpenVPN $as_me 2.4_rc1, which was generated by GNU Autoconf 2.69. Invocation command line was $ $0 $@ @@ -2921,7 +2921,7 @@ OPENVPN_VERSION_MAJOR=2 OPENVPN_VERSION_MINOR=4 -OPENVPN_VERSION_PATCH=_beta1 +OPENVPN_VERSION_PATCH=_rc1 $as_echo "#define OPENVPN_VERSION_MAJOR 2" >>confdefs.h @@ -2930,7 +2930,7 @@ $as_echo "#define OPENVPN_VERSION_MAJOR 2" >>confdefs.h $as_echo "#define OPENVPN_VERSION_MINOR 4" >>confdefs.h -$as_echo "#define OPENVPN_VERSION_PATCH \"_beta1\"" >>confdefs.h +$as_echo "#define OPENVPN_VERSION_PATCH \"_rc1\"" >>confdefs.h ac_aux_dir= @@ -2968,7 +2968,7 @@ ac_config_headers="$ac_config_headers config.h include/openvpn-plugin.h" -am__api_version='1.13' +am__api_version='1.14' # Find a good install program. We prefer a C program (faster), # so one script is as good as another. But avoid the broken or @@ -3140,8 +3140,8 @@ test "$program_suffix" != NONE && ac_script='s/[\\$]/&&/g;s/;s,x,x,$//' program_transform_name=`$as_echo "$program_transform_name" | sed "$ac_script"` -# expand $ac_aux_dir to an absolute path -am_aux_dir=`cd $ac_aux_dir && pwd` +# Expand $ac_aux_dir to an absolute path. +am_aux_dir=`cd "$ac_aux_dir" && pwd` if test x"${MISSING+set}" != xset; then case $am_aux_dir in @@ -3454,7 +3454,7 @@ fi # Define the identity of the package. PACKAGE='openvpn' - VERSION='2.4_beta1' + VERSION='2.4_rc1' cat >>confdefs.h <<_ACEOF @@ -3504,6 +3504,48 @@ am__tar='$${TAR-tar} chof - "$$tardir"' am__untar='$${TAR-tar} xf -' + +# POSIX will say in a future version that running "rm -f" with no argument +# is OK; and we want to be able to make that assumption in our Makefile +# recipes. So use an aggressive probe to check that the usage we want is +# actually supported "in the wild" to an acceptable degree. +# See automake bug#10828. +# To make any issue more visible, cause the running configure to be aborted +# by default if the 'rm' program in use doesn't match our expectations; the +# user can still override this though. +if rm -f && rm -fr && rm -rf; then : OK; else + cat >&2 <<'END' +Oops! + +Your 'rm' program seems unable to run without file operands specified +on the command line, even when the '-f' option is present. This is contrary +to the behaviour of most rm programs out there, and not conforming with +the upcoming POSIX standard: <http://austingroupbugs.net/view.php?id=542> + +Please tell bug-automake@gnu.org about your system, including the value +of your $PATH and any error possibly output before this message. This +can help us improve future automake versions. + +END + if test x"$ACCEPT_INFERIOR_RM_PROGRAM" = x"yes"; then + echo 'Configuration will proceed anyway, since you have set the' >&2 + echo 'ACCEPT_INFERIOR_RM_PROGRAM variable to "yes"' >&2 + echo >&2 + else + cat >&2 <<'END' +Aborting the configuration process, to ensure you take notice of the issue. + +You can download and install GNU coreutils to get an 'rm' implementation +that behaves properly: <http://www.gnu.org/software/coreutils/>. + +If you want to complete the configuration process using your problematic +'rm' anyway, export the environment variable ACCEPT_INFERIOR_RM_PROGRAM +to "yes", and re-run configure. + +END + as_fn_error $? "Your 'rm' program is bad, sorry." "$LINENO" 5 + fi +fi # Make sure we can run config.sub. $SHELL "$ac_aux_dir/config.sub" sun4 >/dev/null 2>&1 || as_fn_error $? "cannot run $SHELL $ac_aux_dir/config.sub" "$LINENO" 5 @@ -4427,6 +4469,65 @@ ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5' ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5' ac_compiler_gnu=$ac_cv_c_compiler_gnu +ac_ext=c +ac_cpp='$CPP $CPPFLAGS' +ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5' +ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5' +ac_compiler_gnu=$ac_cv_c_compiler_gnu +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether $CC understands -c and -o together" >&5 +$as_echo_n "checking whether $CC understands -c and -o together... " >&6; } +if ${am_cv_prog_cc_c_o+:} false; then : + $as_echo_n "(cached) " >&6 +else + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +int +main () +{ + + ; + return 0; +} +_ACEOF + # Make sure it works both with $CC and with simple cc. + # Following AC_PROG_CC_C_O, we do the test twice because some + # compilers refuse to overwrite an existing .o file with -o, + # though they will create one. + am_cv_prog_cc_c_o=yes + for am_i in 1 2; do + if { echo "$as_me:$LINENO: $CC -c conftest.$ac_ext -o conftest2.$ac_objext" >&5 + ($CC -c conftest.$ac_ext -o conftest2.$ac_objext) >&5 2>&5 + ac_status=$? + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } \ + && test -f conftest2.$ac_objext; then + : OK + else + am_cv_prog_cc_c_o=no + break + fi + done + rm -f core conftest* + unset am_i +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $am_cv_prog_cc_c_o" >&5 +$as_echo "$am_cv_prog_cc_c_o" >&6; } +if test "$am_cv_prog_cc_c_o" != yes; then + # Losing compiler, so override with the script. + # FIXME: It is wrong to rewrite CC. + # But if we don't then we get into trouble of one sort or another. + # A longer-term fix would be to have automake use am__CC in this case, + # and then we could set am__CC="\$(top_srcdir)/compile \$(CC)" + CC="$am_aux_dir/compile $CC" +fi +ac_ext=c +ac_cpp='$CPP $CPPFLAGS' +ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5' +ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5' +ac_compiler_gnu=$ac_cv_c_compiler_gnu + + depcc="$CC" am_compiler_list= { $as_echo "$as_me:${as_lineno-$LINENO}: checking dependency style of $depcc" >&5 @@ -6849,7 +6950,8 @@ else ;; *) lt_cv_sys_max_cmd_len=`(getconf ARG_MAX) 2> /dev/null` - if test -n "$lt_cv_sys_max_cmd_len"; then + if test -n "$lt_cv_sys_max_cmd_len" && \ + test undefined != "$lt_cv_sys_max_cmd_len"; then lt_cv_sys_max_cmd_len=`expr $lt_cv_sys_max_cmd_len \/ 4` lt_cv_sys_max_cmd_len=`expr $lt_cv_sys_max_cmd_len \* 3` else @@ -7247,10 +7349,6 @@ freebsd* | dragonfly*) fi ;; -gnu*) - lt_cv_deplibs_check_method=pass_all - ;; - haiku*) lt_cv_deplibs_check_method=pass_all ;; @@ -7289,11 +7387,11 @@ irix5* | irix6* | nonstopux*) ;; # This must be glibc/ELF. -linux* | k*bsd*-gnu | kopensolaris*-gnu) +linux* | k*bsd*-gnu | kopensolaris*-gnu | gnu*) lt_cv_deplibs_check_method=pass_all ;; -netbsd*) +netbsd* | netbsdelf*-gnu) if echo __ELF__ | $CC -E - | $GREP __ELF__ > /dev/null; then lt_cv_deplibs_check_method='match_pattern /lib[^/]+(\.so\.[0-9]+\.[0-9]+|_pic\.a)$' else @@ -8367,7 +8465,7 @@ ia64-*-hpux*) rm -rf conftest* ;; -x86_64-*kfreebsd*-gnu|x86_64-*linux*|ppc*-*linux*|powerpc*-*linux*| \ +x86_64-*kfreebsd*-gnu|x86_64-*linux*|powerpc*-*linux*| \ s390*-*linux*|s390*-*tpf*|sparc*-*linux*) # Find out which ABI we are using. echo 'int i;' > conftest.$ac_ext @@ -8383,9 +8481,19 @@ s390*-*linux*|s390*-*tpf*|sparc*-*linux*) LD="${LD-ld} -m elf_i386_fbsd" ;; x86_64-*linux*) - LD="${LD-ld} -m elf_i386" + case `/usr/bin/file conftest.o` in + *x86-64*) + LD="${LD-ld} -m elf32_x86_64" + ;; + *) + LD="${LD-ld} -m elf_i386" + ;; + esac ;; - ppc64-*linux*|powerpc64-*linux*) + powerpc64le-*) + LD="${LD-ld} -m elf32lppclinux" + ;; + powerpc64-*) LD="${LD-ld} -m elf32ppclinux" ;; s390x-*linux*) @@ -8404,7 +8512,10 @@ s390*-*linux*|s390*-*tpf*|sparc*-*linux*) x86_64-*linux*) LD="${LD-ld} -m elf_x86_64" ;; - ppc*-*linux*|powerpc*-*linux*) + powerpcle-*) + LD="${LD-ld} -m elf64lppc" + ;; + powerpc-*) LD="${LD-ld} -m elf64ppc" ;; s390*-*linux*|s390*-*tpf*) @@ -10243,7 +10354,7 @@ lt_prog_compiler_static= lt_prog_compiler_static='-non_shared' ;; - linux* | k*bsd*-gnu | kopensolaris*-gnu) + linux* | k*bsd*-gnu | kopensolaris*-gnu | gnu*) case $cc_basename in # old Intel for x86_64 which still supported -KPIC. ecc*) @@ -10721,6 +10832,9 @@ $as_echo_n "checking whether the $compiler linker ($LD) supports shared librarie openbsd*) with_gnu_ld=no ;; + linux* | k*bsd*-gnu | gnu*) + link_all_deplibs=no + ;; esac ld_shlibs=yes @@ -10942,7 +11056,7 @@ _LT_EOF fi ;; - netbsd*) + netbsd* | netbsdelf*-gnu) if echo __ELF__ | $CC -E - | $GREP __ELF__ >/dev/null; then archive_cmds='$LD -Bshareable $libobjs $deplibs $linker_flags -o $lib' wlarc= @@ -11119,6 +11233,7 @@ _LT_EOF if test "$aix_use_runtimelinking" = yes; then shared_flag="$shared_flag "'${wl}-G' fi + link_all_deplibs=no else # not using gcc if test "$host_cpu" = ia64; then @@ -11572,7 +11687,7 @@ $as_echo "$lt_cv_irix_exported_symbol" >&6; } link_all_deplibs=yes ;; - netbsd*) + netbsd* | netbsdelf*-gnu) if echo __ELF__ | $CC -E - | $GREP __ELF__ >/dev/null; then archive_cmds='$LD -Bshareable -o $lib $libobjs $deplibs $linker_flags' # a.out else @@ -12409,17 +12524,6 @@ freebsd* | dragonfly*) esac ;; -gnu*) - version_type=linux # correct to gnu/linux during the next big refactor - need_lib_prefix=no - need_version=no - library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}${major} ${libname}${shared_ext}' - soname_spec='${libname}${release}${shared_ext}$major' - shlibpath_var=LD_LIBRARY_PATH - shlibpath_overrides_runpath=no - hardcode_into_libs=yes - ;; - haiku*) version_type=linux # correct to gnu/linux during the next big refactor need_lib_prefix=no @@ -12536,7 +12640,7 @@ linux*oldld* | linux*aout* | linux*coff*) ;; # This must be glibc/ELF. -linux* | k*bsd*-gnu | kopensolaris*-gnu) +linux* | k*bsd*-gnu | kopensolaris*-gnu | gnu*) version_type=linux # correct to gnu/linux during the next big refactor need_lib_prefix=no need_version=no @@ -12585,14 +12689,10 @@ fi # before this can be enabled. hardcode_into_libs=yes - # Add ABI-specific directories to the system library path. - sys_lib_dlsearch_path_spec="/lib64 /usr/lib64 /lib /usr/lib" - # Append ld.so.conf contents to the search path if test -f /etc/ld.so.conf; then lt_ld_extra=`awk '/^include / { system(sprintf("cd /etc; cat %s 2>/dev/null", \$2)); skip = 1; } { if (!skip) print \$0; skip = 0; }' < /etc/ld.so.conf | $SED -e 's/#.*//;/^[ ]*hwcap[ ]/d;s/[:, ]/ /g;s/=[^=]*$//;s/=[^= ]* / /g;s/"//g;/^$/d' | tr '\n' ' '` - sys_lib_dlsearch_path_spec="$sys_lib_dlsearch_path_spec $lt_ld_extra" - + sys_lib_dlsearch_path_spec="/lib /usr/lib $lt_ld_extra" fi # We used to test for /lib/ld.so.1 and disable shared libraries on @@ -12604,6 +12704,18 @@ fi dynamic_linker='GNU/Linux ld.so' ;; +netbsdelf*-gnu) + version_type=linux + need_lib_prefix=no + need_version=no + library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major ${libname}${shared_ext}' + soname_spec='${libname}${release}${shared_ext}$major' + shlibpath_var=LD_LIBRARY_PATH + shlibpath_overrides_runpath=no + hardcode_into_libs=yes + dynamic_linker='NetBSD ld.elf_so' + ;; + netbsd*) version_type=sunos need_lib_prefix=no @@ -14381,7 +14493,7 @@ _ACEOF for ac_header in \ - stdio.h stdarg.h stdbool.h limits.h \ + stdio.h stdarg.h limits.h \ time.h errno.h fcntl.h io.h direct.h \ ctype.h sys/types.h sys/socket.h \ signal.h unistd.h dlfcn.h \ @@ -17756,7 +17868,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 # report actual input values of CONFIG_FILES etc. instead of their # values after options handling. ac_log=" -This file was extended by OpenVPN $as_me 2.4_beta1, which was +This file was extended by OpenVPN $as_me 2.4_rc1, which was generated by GNU Autoconf 2.69. Invocation command line was CONFIG_FILES = $CONFIG_FILES @@ -17822,7 +17934,7 @@ _ACEOF cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" ac_cs_version="\\ -OpenVPN config.status 2.4_beta1 +OpenVPN config.status 2.4_rc1 configured by $0, generated by GNU Autoconf 2.69, with options \\"\$ac_cs_config\\" diff --git a/configure.ac b/configure.ac index 4a45f05..f4073d0 100644 --- a/configure.ac +++ b/configure.ac @@ -435,7 +435,7 @@ AX_EMPTY_ARRAY AC_CHECK_SIZEOF([unsigned int]) AC_CHECK_SIZEOF([unsigned long]) AC_CHECK_HEADERS([ \ - stdio.h stdarg.h stdbool.h limits.h \ + stdio.h stdarg.h limits.h \ time.h errno.h fcntl.h io.h direct.h \ ctype.h sys/types.h sys/socket.h \ signal.h unistd.h dlfcn.h \ diff --git a/distro/Makefile.in b/distro/Makefile.in index 66d04fd..31a0e9d 100644 --- a/distro/Makefile.in +++ b/distro/Makefile.in @@ -1,4 +1,4 @@ -# Makefile.in generated by automake 1.13.4 from Makefile.am. +# Makefile.in generated by automake 1.14.1 from Makefile.am. # @configure_input@ # Copyright (C) 1994-2013 Free Software Foundation, Inc. diff --git a/distro/rpm/Makefile.in b/distro/rpm/Makefile.in index ac2eace..27beb20 100644 --- a/distro/rpm/Makefile.in +++ b/distro/rpm/Makefile.in @@ -1,4 +1,4 @@ -# Makefile.in generated by automake 1.13.4 from Makefile.am. +# Makefile.in generated by automake 1.14.1 from Makefile.am. # @configure_input@ # Copyright (C) 1994-2013 Free Software Foundation, Inc. diff --git a/distro/rpm/openvpn.spec b/distro/rpm/openvpn.spec index 3c29313..2d97d5d 100644 --- a/distro/rpm/openvpn.spec +++ b/distro/rpm/openvpn.spec @@ -13,7 +13,7 @@ Summary: OpenVPN is a robust and highly flexible VPN daemon by James Yonan. Name: openvpn -Version: 2.4_beta1 +Version: 2.4_rc1 Release: 1 URL: http://openvpn.net/ Source0: http://prdownloads.sourceforge.net/openvpn/%{name}-%{version}.tar.gz diff --git a/distro/systemd/openvpn-client@.service b/distro/systemd/openvpn-client@.service index 18b84dd..5618af3 100644 --- a/distro/systemd/openvpn-client@.service +++ b/distro/systemd/openvpn-client@.service @@ -7,11 +7,11 @@ Documentation=https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage Documentation=https://community.openvpn.net/openvpn/wiki/HOWTO [Service] +Type=notify PrivateTmp=true RuntimeDirectory=openvpn-client RuntimeDirectoryMode=0710 WorkingDirectory=/etc/openvpn/client -ExecStartPre=/bin/sh -c 'grep -q -E ^daemon %i.conf || exit 0 && /usr/bin/echo "OpenVPN configuration cannot contain --daemon when being managed by systemd" ; exit 1' ExecStart=/usr/sbin/openvpn --suppress-timestamps --nobind --config %i.conf CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE LimitNPROC=10 diff --git a/distro/systemd/openvpn-server@.service b/distro/systemd/openvpn-server@.service index a2b7b52..b9b4dba 100644 --- a/distro/systemd/openvpn-server@.service +++ b/distro/systemd/openvpn-server@.service @@ -7,11 +7,11 @@ Documentation=https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage Documentation=https://community.openvpn.net/openvpn/wiki/HOWTO [Service] +Type=notify PrivateTmp=true RuntimeDirectory=openvpn-server RuntimeDirectoryMode=0710 WorkingDirectory=/etc/openvpn/server -ExecStartPre=/bin/sh -c 'grep -q -E ^daemon %i.conf || exit 0 && /usr/bin/echo "OpenVPN configuration cannot contain --daemon when being managed by systemd" ; exit 1' ExecStart=/usr/sbin/openvpn --status %t/openvpn-server/status-%i.log --status-version 2 --suppress-timestamps --config %i.conf CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE LimitNPROC=10 diff --git a/doc/Makefile.in b/doc/Makefile.in index 8e37bca..1282a54 100644 --- a/doc/Makefile.in +++ b/doc/Makefile.in @@ -1,4 +1,4 @@ -# Makefile.in generated by automake 1.13.4 from Makefile.am. +# Makefile.in generated by automake 1.14.1 from Makefile.am. # @configure_input@ # Copyright (C) 1994-2013 Free Software Foundation, Inc. diff --git a/doc/openvpn.8 b/doc/openvpn.8 index e997b09..e61b6bb 100644 --- a/doc/openvpn.8 +++ b/doc/openvpn.8 @@ -4,7 +4,7 @@ .\" packet encryption, packet authentication, and .\" packet compression. .\" -.\" Copyright (C) 2002-2010 OpenVPN Technologies, Inc. <sales@openvpn.net> +.\" Copyright (C) 2002-2016 OpenVPN Technologies, Inc. <sales@openvpn.net> .\" .\" This program is free software; you can redistribute it and/or modify .\" it under the terms of the GNU General Public License version 2 @@ -34,7 +34,7 @@ .\" .ft -- normal face .\" .in +|-{n} -- indent .\" -.TH openvpn 8 "17 November 2008" +.TH openvpn 8 "25 August 2016" .\"********************************************************* .SH NAME openvpn \- secure IP tunnel daemon. @@ -2928,6 +2928,7 @@ This is a partial list of options which can currently be pushed: .B \-\-ip\-win32, \-\-dhcp\-option, .B \-\-inactive, \-\-ping, \-\-ping\-exit, \-\-ping\-restart, .B \-\-setenv, +.B \-\-auth\-token, .B \-\-persist\-key, \-\-persist\-tun, \-\-echo, .B \-\-comp\-lzo, .B \-\-socket\-flags, @@ -4147,9 +4148,9 @@ to disable encryption. As of OpenVPN 2.4, cipher negotiation (NCP) can override the cipher specified by .B \-\-cipher\fR. See -.B \-\-ncp-ciphers +.B \-\-ncp\-ciphers and -.B \-\-ncp-disable +.B \-\-ncp\-disable for more on NCP. .\"********************************************************* @@ -4177,6 +4178,16 @@ If both peers support and do not disable NCP, the negotiated cipher will override the cipher specified by .B \-\-cipher\fR. +Additionally, to allow for more smooth transition, if NCP is enabled, OpenVPN +will inherit the cipher of the peer if that cipher is different from the local +.B \-\-cipher +setting, but the peer cipher is one of the ciphers specified in +.B \-\-ncp\-ciphers\fR. +E.g. a non-NCP client (<=2.3, or with \-\-ncp\-disabled set) connecting to a +NCP server (2.4+) with "\-\-cipher BF-CBC" and "\-\-ncp-ciphers +AES-256-GCM:AES-256-CBC" set can either specify "\-\-cipher BF-CBC" or +"\-\-cipher AES-256-CBC" and both will work. + .\"********************************************************* .TP .B \-\-ncp\-disable @@ -5089,6 +5100,57 @@ This directive does not affect the username/password. It is always cached. .\"********************************************************* .TP +.B \-\-auth\-token token +This is not an option to be used directly in any configuration files, +but rather push this option from a +.B \-\-client\-connect +script or a +.B \-\-plugin +which hooks into the OPENVPN_PLUGIN_CLIENT_CONNECT or +OPENVPN_PLUGIN_CLIENT_CONNECT_V2 calls. This option provides +a possibility to replace the clients password with an authentication +token during the lifetime of the OpenVPN client. + +Whenever the connection is renegotiated and the +.B \-\-auth\-user\-pass\-verify +script or +.B \-\-plugin +making use of the OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY hook is +triggered, it will pass over this token as the password +instead of the password the user provided. The authentication +token can only be reset by a full reconnect where the server +can push new options to the client. The password the user entered +is never preserved once an authentication token have been set. If +the OpenVPN server side rejects the authentication token, the +client will receive an AUTH_FAIL and disconnect. + +The purpose of this is to enable two factor authentication +methods, such as HOTP or TOTP, to be used without needing to +retrieve a new OTP code each time the connection is renegotiated. +Another use case is to cache authentication data on the client +without needing to have the users password cached in memory +during the life time of the session. + +To make use of this feature, the +.B \-\-client\-connect +script or +.B \-\-plugin +needs to put + +.nf +.ft 3 +.in +4 +push "auth\-token UNIQUE_TOKEN_VALUE" +.in -4 +.ft +.fi + +into the file/buffer for dynamic configuration data. This +will then make the OpenVPN server to push this value to the +client, which replaces the local password with the +UNIQUE_TOKEN_VALUE. +.\"********************************************************* +.TP .B \-\-tls\-verify cmd Run command .B cmd @@ -5627,9 +5689,20 @@ across the VPN. Set Connection-specific DNS Suffix. .B DNS addr \-\- -Set primary domain name server address. Repeat +Set primary domain name server IPv4 address. Repeat this option to set secondary DNS server addresses. +.B DNS6 addr \-\- +Set primary domain name server IPv6 address. Repeat +this option to set secondary DNS server IPv6 addresses. + +Note: currently this is handled using netsh (the +existing DHCP code can only do IPv4 DHCP, and that protocol only +permits IPv4 addresses anywhere). The option will be put into the +environment, so an +.B \-\-up +script could act upon it if needed. + .B WINS addr \-\- Set primary WINS server address (NetBIOS over TCP/IP Name Server). Repeat this option to set secondary WINS server addresses. @@ -5738,8 +5811,7 @@ above. .\"********************************************************* .TP .B \-\-register\-dns -Run net stop dnscache, net start dnscache, ipconfig /flushdns -and ipconfig /registerdns on connection initiation. +Run ipconfig /flushdns and ipconfig /registerdns on connection initiation. This is known to kick Windows into recognizing pushed DNS servers. .\"********************************************************* @@ -6613,9 +6685,9 @@ X509_1_C=KG .SH INLINE FILE SUPPORT OpenVPN allows including files in the main configuration for the .B \-\-ca, \-\-cert, \-\-dh, \-\-extra\-certs, \-\-key, \-\-pkcs12, \-\-secret, -.B \-\-crl\-verify, \-\-http\-proxy\-user\-pass +.B \-\-crl\-verify, \-\-http\-proxy\-user\-pass, \-\-tls-auth and -.B \-\-tls\-auth +.B \-\-tls\-crypt options. Each inline file started by the line diff --git a/include/Makefile.in b/include/Makefile.in index 051cf1f..f381a43 100644 --- a/include/Makefile.in +++ b/include/Makefile.in @@ -1,4 +1,4 @@ -# Makefile.in generated by automake 1.13.4 from Makefile.am. +# Makefile.in generated by automake 1.14.1 from Makefile.am. # @configure_input@ # Copyright (C) 1994-2013 Free Software Foundation, Inc. @@ -392,8 +392,8 @@ $(ACLOCAL_M4): $(am__aclocal_m4_deps) $(am__aclocal_m4_deps): openvpn-plugin.h: stamp-h2 - @if test ! -f $@; then rm -f stamp-h2; else :; fi - @if test ! -f $@; then $(MAKE) $(AM_MAKEFLAGS) stamp-h2; else :; fi + @test -f $@ || rm -f stamp-h2 + @test -f $@ || $(MAKE) $(AM_MAKEFLAGS) stamp-h2 stamp-h2: $(srcdir)/openvpn-plugin.h.in $(top_builddir)/config.status @rm -f stamp-h2 diff --git a/include/openvpn-msg.h b/include/openvpn-msg.h index 4c13acf..f7fbdd2 100644 --- a/include/openvpn-msg.h +++ b/include/openvpn-msg.h @@ -79,10 +79,9 @@ typedef struct { message_header_t header; interface_t iface; char domains[512]; - struct in_addr primary_ipv4; - struct in_addr secondary_ipv4; - struct in_addr6 primary_ipv6; - struct in_addr6 secondary_ipv6; + short family; + int addr_len; + inet_address_t addr[4]; /* support up to 4 dns addresses */ } dns_cfg_message_t; typedef struct { diff --git a/include/openvpn-plugin.h b/include/openvpn-plugin.h index 9df3fb4..dc5887b 100644 --- a/include/openvpn-plugin.h +++ b/include/openvpn-plugin.h @@ -55,7 +55,7 @@ extern "C" { */ #define OPENVPN_VERSION_MAJOR 2 #define OPENVPN_VERSION_MINOR 4 -#define OPENVPN_VERSION_PATCH "_beta1" +#define OPENVPN_VERSION_PATCH "_rc1" /* * Plug-in types. These types correspond to the set of script callbacks @@ -345,34 +345,41 @@ do # is incompatible with FreeBSD 'install' when (umask & 300) != 0. ;; *) + # $RANDOM is not portable (e.g. dash); use it when possible to + # lower collision chance tmpdir=${TMPDIR-/tmp}/ins$RANDOM-$$ - trap 'ret=$?; rmdir "$tmpdir/d" "$tmpdir" 2>/dev/null; exit $ret' 0 + trap 'ret=$?; rmdir "$tmpdir/a/b" "$tmpdir/a" "$tmpdir" 2>/dev/null; exit $ret' 0 + # As "mkdir -p" follows symlinks and we work in /tmp possibly; so + # create the $tmpdir first (and fail if unsuccessful) to make sure + # that nobody tries to guess the $tmpdir name. if (umask $mkdir_umask && - exec $mkdirprog $mkdir_mode -p -- "$tmpdir/d") >/dev/null 2>&1 + $mkdirprog $mkdir_mode "$tmpdir" && + exec $mkdirprog $mkdir_mode -p -- "$tmpdir/a/b") >/dev/null 2>&1 then if test -z "$dir_arg" || { # Check for POSIX incompatibilities with -m. # HP-UX 11.23 and IRIX 6.5 mkdir -m -p sets group- or # other-writable bit of parent directory when it shouldn't. # FreeBSD 6.1 mkdir -m -p sets mode of existing directory. - ls_ld_tmpdir=`ls -ld "$tmpdir"` + test_tmpdir="$tmpdir/a" + ls_ld_tmpdir=`ls -ld "$test_tmpdir"` case $ls_ld_tmpdir in d????-?r-*) different_mode=700;; d????-?--*) different_mode=755;; *) false;; esac && - $mkdirprog -m$different_mode -p -- "$tmpdir" && { - ls_ld_tmpdir_1=`ls -ld "$tmpdir"` + $mkdirprog -m$different_mode -p -- "$test_tmpdir" && { + ls_ld_tmpdir_1=`ls -ld "$test_tmpdir"` test "$ls_ld_tmpdir" = "$ls_ld_tmpdir_1" } } then posix_mkdir=: fi - rmdir "$tmpdir/d" "$tmpdir" + rmdir "$tmpdir/a/b" "$tmpdir/a" "$tmpdir" else # Remove any dirs left behind by ancient mkdir implementations. - rmdir ./$mkdir_mode ./-p ./-- 2>/dev/null + rmdir ./$mkdir_mode ./-p ./-- "$tmpdir" 2>/dev/null fi trap '' 0;; esac;; @@ -70,7 +70,7 @@ # compiler: $LTCC # compiler flags: $LTCFLAGS # linker: $LD (gnu? $with_gnu_ld) -# $progname: (GNU libtool) 2.4.2 +# $progname: (GNU libtool) 2.4.2 Debian-2.4.2-1.11 # automake: $automake_version # autoconf: $autoconf_version # @@ -80,7 +80,7 @@ PROGRAM=libtool PACKAGE=libtool -VERSION=2.4.2 +VERSION="2.4.2 Debian-2.4.2-1.11" TIMESTAMP="" package_revision=1.3337 @@ -6124,7 +6124,10 @@ func_mode_link () case $pass in dlopen) libs="$dlfiles" ;; dlpreopen) libs="$dlprefiles" ;; - link) libs="$deplibs %DEPLIBS% $dependency_libs" ;; + link) + libs="$deplibs %DEPLIBS%" + test "X$link_all_deplibs" != Xno && libs="$libs $dependency_libs" + ;; esac fi if test "$linkmode,$pass" = "lib,dlpreopen"; then @@ -6444,19 +6447,19 @@ func_mode_link () # It is a libtool convenience library, so add in its objects. func_append convenience " $ladir/$objdir/$old_library" func_append old_convenience " $ladir/$objdir/$old_library" + tmp_libs= + for deplib in $dependency_libs; do + deplibs="$deplib $deplibs" + if $opt_preserve_dup_deps ; then + case "$tmp_libs " in + *" $deplib "*) func_append specialdeplibs " $deplib" ;; + esac + fi + func_append tmp_libs " $deplib" + done elif test "$linkmode" != prog && test "$linkmode" != lib; then func_fatal_error "\`$lib' is not a convenience library" fi - tmp_libs= - for deplib in $dependency_libs; do - deplibs="$deplib $deplibs" - if $opt_preserve_dup_deps ; then - case "$tmp_libs " in - *" $deplib "*) func_append specialdeplibs " $deplib" ;; - esac - fi - func_append tmp_libs " $deplib" - done continue fi # $pass = conv @@ -7349,6 +7352,9 @@ func_mode_link () revision="$number_minor" lt_irix_increment=no ;; + *) + func_fatal_configuration "$modename: unknown library version type \`$version_type'" + ;; esac ;; no) diff --git a/m4/libtool.m4 b/m4/libtool.m4 index 56666f0..d7c043f 100644 --- a/m4/libtool.m4 +++ b/m4/libtool.m4 @@ -1312,7 +1312,7 @@ ia64-*-hpux*) rm -rf conftest* ;; -x86_64-*kfreebsd*-gnu|x86_64-*linux*|ppc*-*linux*|powerpc*-*linux*| \ +x86_64-*kfreebsd*-gnu|x86_64-*linux*|powerpc*-*linux*| \ s390*-*linux*|s390*-*tpf*|sparc*-*linux*) # Find out which ABI we are using. echo 'int i;' > conftest.$ac_ext @@ -1324,9 +1324,19 @@ s390*-*linux*|s390*-*tpf*|sparc*-*linux*) LD="${LD-ld} -m elf_i386_fbsd" ;; x86_64-*linux*) - LD="${LD-ld} -m elf_i386" + case `/usr/bin/file conftest.o` in + *x86-64*) + LD="${LD-ld} -m elf32_x86_64" + ;; + *) + LD="${LD-ld} -m elf_i386" + ;; + esac + ;; + powerpc64le-*) + LD="${LD-ld} -m elf32lppclinux" ;; - ppc64-*linux*|powerpc64-*linux*) + powerpc64-*) LD="${LD-ld} -m elf32ppclinux" ;; s390x-*linux*) @@ -1345,7 +1355,10 @@ s390*-*linux*|s390*-*tpf*|sparc*-*linux*) x86_64-*linux*) LD="${LD-ld} -m elf_x86_64" ;; - ppc*-*linux*|powerpc*-*linux*) + powerpcle-*) + LD="${LD-ld} -m elf64lppc" + ;; + powerpc-*) LD="${LD-ld} -m elf64ppc" ;; s390*-*linux*|s390*-*tpf*) @@ -1688,7 +1701,8 @@ AC_CACHE_VAL([lt_cv_sys_max_cmd_len], [dnl ;; *) lt_cv_sys_max_cmd_len=`(getconf ARG_MAX) 2> /dev/null` - if test -n "$lt_cv_sys_max_cmd_len"; then + if test -n "$lt_cv_sys_max_cmd_len" && \ + test undefined != "$lt_cv_sys_max_cmd_len"; then lt_cv_sys_max_cmd_len=`expr $lt_cv_sys_max_cmd_len \/ 4` lt_cv_sys_max_cmd_len=`expr $lt_cv_sys_max_cmd_len \* 3` else @@ -2512,17 +2526,6 @@ freebsd* | dragonfly*) esac ;; -gnu*) - version_type=linux # correct to gnu/linux during the next big refactor - need_lib_prefix=no - need_version=no - library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}${major} ${libname}${shared_ext}' - soname_spec='${libname}${release}${shared_ext}$major' - shlibpath_var=LD_LIBRARY_PATH - shlibpath_overrides_runpath=no - hardcode_into_libs=yes - ;; - haiku*) version_type=linux # correct to gnu/linux during the next big refactor need_lib_prefix=no @@ -2639,7 +2642,7 @@ linux*oldld* | linux*aout* | linux*coff*) ;; # This must be glibc/ELF. -linux* | k*bsd*-gnu | kopensolaris*-gnu) +linux* | k*bsd*-gnu | kopensolaris*-gnu | gnu*) version_type=linux # correct to gnu/linux during the next big refactor need_lib_prefix=no need_version=no @@ -2669,14 +2672,10 @@ linux* | k*bsd*-gnu | kopensolaris*-gnu) # before this can be enabled. hardcode_into_libs=yes - # Add ABI-specific directories to the system library path. - sys_lib_dlsearch_path_spec="/lib64 /usr/lib64 /lib /usr/lib" - # Append ld.so.conf contents to the search path if test -f /etc/ld.so.conf; then lt_ld_extra=`awk '/^include / { system(sprintf("cd /etc; cat %s 2>/dev/null", \[$]2)); skip = 1; } { if (!skip) print \[$]0; skip = 0; }' < /etc/ld.so.conf | $SED -e 's/#.*//;/^[ ]*hwcap[ ]/d;s/[:, ]/ /g;s/=[^=]*$//;s/=[^= ]* / /g;s/"//g;/^$/d' | tr '\n' ' '` - sys_lib_dlsearch_path_spec="$sys_lib_dlsearch_path_spec $lt_ld_extra" - + sys_lib_dlsearch_path_spec="/lib /usr/lib $lt_ld_extra" fi # We used to test for /lib/ld.so.1 and disable shared libraries on @@ -2688,6 +2687,18 @@ linux* | k*bsd*-gnu | kopensolaris*-gnu) dynamic_linker='GNU/Linux ld.so' ;; +netbsdelf*-gnu) + version_type=linux + need_lib_prefix=no + need_version=no + library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major ${libname}${shared_ext}' + soname_spec='${libname}${release}${shared_ext}$major' + shlibpath_var=LD_LIBRARY_PATH + shlibpath_overrides_runpath=no + hardcode_into_libs=yes + dynamic_linker='NetBSD ld.elf_so' + ;; + netbsd*) version_type=sunos need_lib_prefix=no @@ -3247,10 +3258,6 @@ freebsd* | dragonfly*) fi ;; -gnu*) - lt_cv_deplibs_check_method=pass_all - ;; - haiku*) lt_cv_deplibs_check_method=pass_all ;; @@ -3289,11 +3296,11 @@ irix5* | irix6* | nonstopux*) ;; # This must be glibc/ELF. -linux* | k*bsd*-gnu | kopensolaris*-gnu) +linux* | k*bsd*-gnu | kopensolaris*-gnu | gnu*) lt_cv_deplibs_check_method=pass_all ;; -netbsd*) +netbsd* | netbsdelf*-gnu) if echo __ELF__ | $CC -E - | $GREP __ELF__ > /dev/null; then lt_cv_deplibs_check_method='match_pattern /lib[[^/]]+(\.so\.[[0-9]]+\.[[0-9]]+|_pic\.a)$' else @@ -4041,7 +4048,7 @@ m4_if([$1], [CXX], [ ;; esac ;; - linux* | k*bsd*-gnu | kopensolaris*-gnu) + linux* | k*bsd*-gnu | kopensolaris*-gnu | gnu*) case $cc_basename in KCC*) # KAI C++ Compiler @@ -4105,7 +4112,7 @@ m4_if([$1], [CXX], [ ;; esac ;; - netbsd*) + netbsd* | netbsdelf*-gnu) ;; *qnx* | *nto*) # QNX uses GNU C++, but need to define -shared option too, otherwise @@ -4340,7 +4347,7 @@ m4_if([$1], [CXX], [ _LT_TAGVAR(lt_prog_compiler_static, $1)='-non_shared' ;; - linux* | k*bsd*-gnu | kopensolaris*-gnu) + linux* | k*bsd*-gnu | kopensolaris*-gnu | gnu*) case $cc_basename in # old Intel for x86_64 which still supported -KPIC. ecc*) @@ -4582,6 +4589,9 @@ m4_if([$1], [CXX], [ ;; esac ;; + linux* | k*bsd*-gnu | gnu*) + _LT_TAGVAR(link_all_deplibs, $1)=no + ;; *) _LT_TAGVAR(export_symbols_cmds, $1)='$NM $libobjs $convenience | $global_symbol_pipe | $SED '\''s/.* //'\'' | sort | uniq > $export_symbols' ;; @@ -4644,6 +4654,9 @@ dnl Note also adjust exclude_expsyms for C++ above. openbsd*) with_gnu_ld=no ;; + linux* | k*bsd*-gnu | gnu*) + _LT_TAGVAR(link_all_deplibs, $1)=no + ;; esac _LT_TAGVAR(ld_shlibs, $1)=yes @@ -4865,7 +4878,7 @@ _LT_EOF fi ;; - netbsd*) + netbsd* | netbsdelf*-gnu) if echo __ELF__ | $CC -E - | $GREP __ELF__ >/dev/null; then _LT_TAGVAR(archive_cmds, $1)='$LD -Bshareable $libobjs $deplibs $linker_flags -o $lib' wlarc= @@ -5042,6 +5055,7 @@ _LT_EOF if test "$aix_use_runtimelinking" = yes; then shared_flag="$shared_flag "'${wl}-G' fi + _LT_TAGVAR(link_all_deplibs, $1)=no else # not using gcc if test "$host_cpu" = ia64; then @@ -5346,7 +5360,7 @@ _LT_EOF _LT_TAGVAR(link_all_deplibs, $1)=yes ;; - netbsd*) + netbsd* | netbsdelf*-gnu) if echo __ELF__ | $CC -E - | $GREP __ELF__ >/dev/null; then _LT_TAGVAR(archive_cmds, $1)='$LD -Bshareable -o $lib $libobjs $deplibs $linker_flags' # a.out else @@ -6226,9 +6240,6 @@ if test "$_lt_caught_CXX_error" != yes; then _LT_TAGVAR(ld_shlibs, $1)=yes ;; - gnu*) - ;; - haiku*) _LT_TAGVAR(archive_cmds, $1)='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib' _LT_TAGVAR(link_all_deplibs, $1)=yes @@ -6390,7 +6401,7 @@ if test "$_lt_caught_CXX_error" != yes; then _LT_TAGVAR(inherit_rpath, $1)=yes ;; - linux* | k*bsd*-gnu | kopensolaris*-gnu) + linux* | k*bsd*-gnu | kopensolaris*-gnu | gnu*) case $cc_basename in KCC*) # Kuck and Associates, Inc. (KAI) C++ Compiler @@ -1,7 +1,7 @@ #! /bin/sh # Common wrapper for a few potentially missing GNU programs. -scriptversion=2012-06-26.16; # UTC +scriptversion=2013-10-28.13; # UTC # Copyright (C) 1996-2013 Free Software Foundation, Inc. # Originally written by Fran,cois Pinard <pinard@iro.umontreal.ca>, 1996. @@ -160,7 +160,7 @@ give_advice () ;; autom4te*) echo "You might have modified some maintainer files that require" - echo "the 'automa4te' program to be rebuilt." + echo "the 'autom4te' program to be rebuilt." program_details 'autom4te' ;; bison*|yacc*) diff --git a/sample/Makefile.in b/sample/Makefile.in index 28d710e..f210f15 100644 --- a/sample/Makefile.in +++ b/sample/Makefile.in @@ -1,4 +1,4 @@ -# Makefile.in generated by automake 1.13.4 from Makefile.am. +# Makefile.in generated by automake 1.14.1 from Makefile.am. # @configure_input@ # Copyright (C) 1994-2013 Free Software Foundation, Inc. diff --git a/sample/sample-keys/sample-ca/01.pem b/sample/sample-keys/sample-ca/01.pem deleted file mode 100644 index 6613831..0000000 --- a/sample/sample-keys/sample-ca/01.pem +++ /dev/null @@ -1,113 +0,0 @@ -Certificate: - Data: - Version: 3 (0x2) - Serial Number: 1 (0x1) - Signature Algorithm: sha256WithRSAEncryption - Issuer: C=KG, ST=NA, L=BISHKEK, O=OpenVPN-TEST/emailAddress=me@myhost.mydomain - Validity - Not Before: Oct 28 12:54:32 2016 GMT - Not After : Oct 26 12:54:32 2026 GMT - Subject: C=KG, ST=NA, O=OpenVPN-TEST, CN=Test-Server/emailAddress=me@myhost.mydomain - Subject Public Key Info: - Public Key Algorithm: rsaEncryption - Public-Key: (2048 bit) - Modulus: - 00:a6:74:d1:c9:77:5d:ff:d6:22:e3:69:38:8f:e1: - 15:0c:e3:46:2c:19:61:31:af:ef:f9:34:5b:0c:bd: - 20:d1:76:6a:64:62:f6:89:aa:5b:c9:42:10:44:6f: - 07:0f:fe:62:59:96:0b:16:ec:62:3e:18:08:ad:67: - 37:b6:53:2d:3d:d9:81:b7:6b:11:d6:fa:23:6a:23: - 6c:3c:be:54:91:e3:04:c6:f5:8c:a6:6a:80:9f:ef: - e8:5b:63:1e:68:37:09:ef:4d:5c:44:82:e6:2e:0d: - e5:d7:94:3f:31:74:50:d1:10:5c:99:4d:b5:9f:80: - 2b:46:25:37:8b:a2:3d:ce:02:b2:0a:21:63:82:9c: - a1:35:b9:3d:9e:ad:a4:19:3c:f5:b2:3a:d7:aa:d4: - b7:6d:c2:95:4d:94:4b:38:6f:b0:60:cf:22:d7:37: - 66:62:1d:1a:86:c2:a8:6a:2a:56:e5:d6:c3:e2:31: - 34:a6:42:5d:79:da:12:e0:a1:95:d1:17:07:f6:cc: - f8:63:fa:01:8a:26:7b:bf:b8:a4:87:8c:b5:a3:59: - 23:60:67:07:4a:4c:c1:55:be:60:a1:56:92:6c:97: - 53:fb:fe:eb:d3:25:fd:28:23:3e:38:4d:e9:92:90: - 8b:a6:5e:22:2f:02:1f:69:c6:fa:88:a5:52:88:cc: - 61:a1 - Exponent: 65537 (0x10001) - X509v3 extensions: - X509v3 Basic Constraints: - CA:FALSE - Netscape Cert Type: - SSL Server - Netscape Comment: - OpenSSL Generated Server Certificate - X509v3 Subject Key Identifier: - 7D:4C:17:FE:59:B2:58:FF:08:BC:F4:88:FC:A3:8F:9F:CA:3B:3B:5E - X509v3 Authority Key Identifier: - keyid:08:C4:94:ED:23:0A:23:0D:D0:FA:D2:13:E2:3C:B6:65:E7:53:25:10 - DirName:/C=KG/ST=NA/L=BISHKEK/O=OpenVPN-TEST/emailAddress=me@myhost.mydomain - serial:A4:CC:46:13:89:24:40:73 - - X509v3 Extended Key Usage: - TLS Web Server Authentication - X509v3 Key Usage: - Digital Signature, Key Encipherment - Signature Algorithm: sha256WithRSAEncryption - 82:2e:11:99:f4:56:98:ad:23:97:74:5c:69:00:7b:fc:9a:93: - 15:20:93:db:d6:83:04:9a:6c:cb:55:cd:5c:07:d6:31:5a:00: - 1d:35:eb:8e:74:cd:7a:08:db:cd:1f:89:8c:04:70:f7:35:e0: - a7:cc:cf:76:2b:8a:a5:80:7b:c1:72:4e:9a:c6:b7:a2:f5:9c: - 23:dc:d7:0d:93:a3:0f:f4:10:7d:8b:1d:85:5e:bb:2f:09:c8: - 67:41:38:12:72:14:29:f6:6d:68:b5:8a:97:1c:a1:8f:3d:74: - 14:95:c6:88:4f:4c:cd:8b:2e:db:95:b0:98:55:d7:5b:22:1f: - f3:de:5c:b4:7b:a0:d9:f2:56:2c:ff:85:b0:16:52:63:11:2b: - 14:8e:d0:f8:03:d2:cc:89:35:c0:d5:a3:b9:ec:11:55:e0:17: - 43:95:b2:6e:f2:db:80:73:f2:b3:3f:9d:fa:4d:24:6a:60:25: - 24:1a:53:10:38:08:d4:fe:fa:06:1a:1e:d3:cc:15:64:c7:9e: - 8b:51:ee:b3:50:25:60:88:70:46:39:bd:79:f1:5a:74:67:3d: - f0:7e:22:a9:b4:2e:f5:06:45:c3:46:fe:e6:32:40:e6:e1:00: - dc:e8:a8:43:fe:f4:66:64:4f:41:45:d5:d2:7b:ab:a0:62:f7: - dc:f0:28:d3:c6:9c:21:3e:bd:44:95:4c:20:b4:8f:c3:ae:ee: - eb:d7:7a:11:88:2d:3d:18:49:5d:e6:09:b8:5f:c7:24:32:83: - dd:5f:ae:03:02:c1:b6:51:0d:62:a2:41:f4:13:12:b2:f2:9a: - c1:50:04:63:42:de:41:b3:b3:ab:45:57:9e:8b:01:e0:c5:70: - d9:70:0e:ea:84:39:07:08:03:e9:99:b1:60:ce:a9:c6:ce:a4: - 61:29:36:3c:58:52:a2:c3:01:4f:4e:c1:e8:af:3b:ca:7c:34: - 9c:2a:21:c9:40:17:ce:8c:10:b2:fc:c2:39:43:55:50:19:2d: - c9:f0:ab:48:b2:86:e6:cf:1e:13:6c:6a:ed:85:e9:f6:dd:b9: - ba:6e:70:6a:e9:78:43:40:a3:c8:64:50:1f:5b:88:0d:88:55: - 0f:94:9c:92:44:83:79:0c:38:79:09:c4:93:6a:a8:dc:f3:8b: - c4:af:bf:0c:20:7b:76:7b:31:52:01:70:4f:09:be:38:d0:14: - ce:62:c6:00:35:cd:fc:eb:68:f1:45:d5:de:6a:3f:8b:3f:dc: - 1c:c9:e3:8a:7c:f1:17:53:71:f8:af:c9:43:9f:91:5a:16:0b: - 3a:c0:d7:b0:e7:74:54:12:f0:9a:71:5f:f3:dd:6b:c0:69:ec: - 9d:4d:14:61:bd:10:21:80 ------BEGIN CERTIFICATE----- -MIIFgDCCA2igAwIBAgIBATANBgkqhkiG9w0BAQsFADBmMQswCQYDVQQGEwJLRzEL -MAkGA1UECBMCTkExEDAOBgNVBAcTB0JJU0hLRUsxFTATBgNVBAoTDE9wZW5WUE4t -VEVTVDEhMB8GCSqGSIb3DQEJARYSbWVAbXlob3N0Lm15ZG9tYWluMB4XDTE2MTAy -ODEyNTQzMloXDTI2MTAyNjEyNTQzMlowajELMAkGA1UEBhMCS0cxCzAJBgNVBAgT -Ak5BMRUwEwYDVQQKEwxPcGVuVlBOLVRFU1QxFDASBgNVBAMTC1Rlc3QtU2VydmVy -MSEwHwYJKoZIhvcNAQkBFhJtZUBteWhvc3QubXlkb21haW4wggEiMA0GCSqGSIb3 -DQEBAQUAA4IBDwAwggEKAoIBAQCmdNHJd13/1iLjaTiP4RUM40YsGWExr+/5NFsM -vSDRdmpkYvaJqlvJQhBEbwcP/mJZlgsW7GI+GAitZze2Uy092YG3axHW+iNqI2w8 -vlSR4wTG9YymaoCf7+hbYx5oNwnvTVxEguYuDeXXlD8xdFDREFyZTbWfgCtGJTeL -oj3OArIKIWOCnKE1uT2eraQZPPWyOteq1LdtwpVNlEs4b7BgzyLXN2ZiHRqGwqhq -Klbl1sPiMTSmQl152hLgoZXRFwf2zPhj+gGKJnu/uKSHjLWjWSNgZwdKTMFVvmCh -VpJsl1P7/uvTJf0oIz44TemSkIumXiIvAh9pxvqIpVKIzGGhAgMBAAGjggEzMIIB -LzAJBgNVHRMEAjAAMBEGCWCGSAGG+EIBAQQEAwIGQDAzBglghkgBhvhCAQ0EJhYk -T3BlblNTTCBHZW5lcmF0ZWQgU2VydmVyIENlcnRpZmljYXRlMB0GA1UdDgQWBBR9 -TBf+WbJY/wi89Ij8o4+fyjs7XjCBmAYDVR0jBIGQMIGNgBQIxJTtIwojDdD60hPi -PLZl51MlEKFqpGgwZjELMAkGA1UEBhMCS0cxCzAJBgNVBAgTAk5BMRAwDgYDVQQH -EwdCSVNIS0VLMRUwEwYDVQQKEwxPcGVuVlBOLVRFU1QxITAfBgkqhkiG9w0BCQEW -Em1lQG15aG9zdC5teWRvbWFpboIJAKTMRhOJJEBzMBMGA1UdJQQMMAoGCCsGAQUF -BwMBMAsGA1UdDwQEAwIFoDANBgkqhkiG9w0BAQsFAAOCAgEAgi4RmfRWmK0jl3Rc -aQB7/JqTFSCT29aDBJpsy1XNXAfWMVoAHTXrjnTNegjbzR+JjARw9zXgp8zPdiuK -pYB7wXJOmsa3ovWcI9zXDZOjD/QQfYsdhV67LwnIZ0E4EnIUKfZtaLWKlxyhjz10 -FJXGiE9MzYsu25WwmFXXWyIf895ctHug2fJWLP+FsBZSYxErFI7Q+APSzIk1wNWj -uewRVeAXQ5WybvLbgHPysz+d+k0kamAlJBpTEDgI1P76Bhoe08wVZMeei1Hus1Al -YIhwRjm9efFadGc98H4iqbQu9QZFw0b+5jJA5uEA3OioQ/70ZmRPQUXV0nuroGL3 -3PAo08acIT69RJVMILSPw67u69d6EYgtPRhJXeYJuF/HJDKD3V+uAwLBtlENYqJB -9BMSsvKawVAEY0LeQbOzq0VXnosB4MVw2XAO6oQ5BwgD6ZmxYM6pxs6kYSk2PFhS -osMBT07B6K87ynw0nCohyUAXzowQsvzCOUNVUBktyfCrSLKG5s8eE2xq7YXp9t25 -um5waul4Q0CjyGRQH1uIDYhVD5SckkSDeQw4eQnEk2qo3POLxK+/DCB7dnsxUgFw -Twm+ONAUzmLGADXN/Oto8UXV3mo/iz/cHMnjinzxF1Nx+K/JQ5+RWhYLOsDXsOd0 -VBLwmnFf891rwGnsnU0UYb0QIYA= ------END CERTIFICATE----- diff --git a/sample/sample-keys/sample-ca/02.pem b/sample/sample-keys/sample-ca/02.pem deleted file mode 100644 index 295f720..0000000 --- a/sample/sample-keys/sample-ca/02.pem +++ /dev/null @@ -1,103 +0,0 @@ -Certificate: - Data: - Version: 3 (0x2) - Serial Number: 2 (0x2) - Signature Algorithm: sha256WithRSAEncryption - Issuer: C=KG, ST=NA, L=BISHKEK, O=OpenVPN-TEST/emailAddress=me@myhost.mydomain - Validity - Not Before: Oct 28 12:54:33 2016 GMT - Not After : Oct 26 12:54:33 2026 GMT - Subject: C=KG, ST=NA, O=OpenVPN-TEST, CN=Test-Client/emailAddress=me@myhost.mydomain - Subject Public Key Info: - Public Key Algorithm: rsaEncryption - Public-Key: (2048 bit) - Modulus: - 00:e5:4f:5f:c9:2c:3f:8e:1a:3e:0b:f8:7f:82:d5: - ca:c5:6e:94:a4:fd:98:85:c0:1d:eb:94:b5:93:5b: - df:c2:c0:3f:9b:8e:5e:a3:d0:91:ca:3e:f4:74:93: - 63:86:df:a7:ae:0d:15:28:6d:38:6e:3b:ac:c9:5c: - 1f:c7:f7:d5:66:64:b9:07:00:41:6d:b6:a6:1a:ee: - f1:bb:ce:bd:39:cc:70:1f:9b:65:d7:3c:3c:97:2e: - 8e:1e:31:90:7f:cc:a7:b8:d9:2f:4e:b3:4a:98:6d: - a0:15:04:9d:cb:e1:7a:e1:63:f4:96:7a:bb:9e:a8: - d8:f0:33:97:67:6d:bf:39:82:0e:a3:b7:2a:15:2d: - 99:2b:f8:53:b1:e8:14:0f:d9:b3:a2:4f:2a:f1:63: - fd:d5:72:a6:22:b9:d6:be:e4:7b:9e:c8:85:1e:06: - 1a:31:24:3d:f3:82:ac:d7:28:7d:a4:4f:4b:c3:fd: - 72:27:07:ef:9d:51:71:56:d4:a4:b6:66:d2:74:4f: - 97:7f:3f:90:a8:56:8b:5b:14:4a:4f:c0:3d:2d:5a: - 90:74:db:da:59:83:4d:dd:2b:0a:81:24:ce:19:ce: - 8e:56:10:0f:cd:0d:83:01:d8:75:8b:66:16:40:1b: - 47:af:77:1f:d7:c5:cf:0a:d7:7c:f2:7e:a0:a0:5d: - fa:67 - Exponent: 65537 (0x10001) - X509v3 extensions: - X509v3 Basic Constraints: - CA:FALSE - X509v3 Subject Key Identifier: - B8:DE:77:EB:43:83:FF:95:59:BB:28:78:E4:4D:F2:E5:C7:2E:06:EF - X509v3 Authority Key Identifier: - keyid:08:C4:94:ED:23:0A:23:0D:D0:FA:D2:13:E2:3C:B6:65:E7:53:25:10 - DirName:/C=KG/ST=NA/L=BISHKEK/O=OpenVPN-TEST/emailAddress=me@myhost.mydomain - serial:A4:CC:46:13:89:24:40:73 - - Signature Algorithm: sha256WithRSAEncryption - a7:24:5d:b2:2f:49:63:55:90:e0:95:0e:fa:fc:d7:d8:0c:89: - 01:15:90:73:39:e9:32:3a:f9:8d:4b:cd:e7:3a:32:c0:fd:bb: - ed:3c:d9:cf:ea:0f:f3:6e:18:18:1d:1c:9c:e2:39:e6:c0:1d: - 2e:54:14:ec:1b:b2:5a:fd:1a:ac:65:45:9b:d4:0d:4a:3a:53: - 95:8d:bd:d3:44:20:17:70:d0:79:b5:f7:2c:dd:2a:0d:bf:b3: - d0:a8:1f:5c:db:33:5b:5d:56:24:84:2b:c8:43:32:fc:f3:dc: - b5:da:dc:7f:0a:1c:2a:2f:9b:60:ca:2d:6e:fe:98:55:26:d5: - 62:a7:3e:f4:49:5c:a9:76:54:87:19:0b:dd:74:ff:02:f0:75: - 8a:36:01:cf:29:67:9b:ae:c0:e5:da:da:2b:d9:57:61:92:69: - 1d:e3:b2:f4:66:8e:f8:dd:11:13:4c:1d:a5:7f:37:df:4e:fd: - 7d:96:ba:ac:6c:39:83:89:8f:05:47:1a:4b:4f:68:38:1a:99: - c8:68:1a:31:b9:78:9a:f5:12:ea:23:c2:c6:83:6b:e4:e0:9a: - fc:70:aa:bb:ef:00:1f:c9:18:ef:48:c2:fc:ec:e8:4c:e8:92: - d6:64:ab:5c:b3:ac:03:da:5f:a9:92:f2:ff:ef:a7:39:6f:d6: - 95:fb:44:89:c7:2b:c4:c4:45:b3:49:1a:c1:23:96:0d:f4:0b: - 0f:75:3b:6e:2c:4c:60:be:e7:0f:63:f2:3c:f0:9c:58:af:dd: - 5e:41:9e:f7:3f:e0:fb:28:be:f0:02:03:01:8c:9e:c5:52:e0: - a4:90:e0:b2:04:1b:58:3e:13:49:87:7b:20:27:73:f4:a8:cd: - c2:be:c7:c0:e9:8e:2d:d0:58:4b:9e:2f:fa:94:63:b2:99:16: - 08:5d:a1:49:1a:3d:29:9a:34:a3:63:ef:fd:79:da:0a:3e:79: - b1:cd:6f:f6:11:b7:c0:e8:67:41:36:36:94:a1:09:7a:cc:b9: - 4b:63:47:ce:49:c8:02:f9:d9:df:49:c1:04:82:09:f8:5b:92: - 4b:98:af:86:5e:fe:2e:48:fe:d6:69:7b:76:a8:c5:32:f6:b0: - ed:7e:bf:14:65:ca:fe:fa:bb:43:33:7e:c8:f4:98:a3:f8:0b: - 65:85:3d:5a:ed:33:45:12:76:90:9a:ca:34:fe:5a:ae:f6:ac: - 4d:9d:b6:28:7f:ac:e3:43:60:9a:dd:ec:a9:21:49:44:4a:74: - 48:12:6b:93:3b:08:70:ac:2e:58:f7:68:eb:8e:ba:9f:41:5a: - f9:a9:43:46:73:7a:1f:40:74:ce:87:c9:5e:51:67:8e:a3:cc: - b8:ea:ac:fe:7b:d8:2b:78 ------BEGIN CERTIFICATE----- -MIIFFDCCAvygAwIBAgIBAjANBgkqhkiG9w0BAQsFADBmMQswCQYDVQQGEwJLRzEL -MAkGA1UECBMCTkExEDAOBgNVBAcTB0JJU0hLRUsxFTATBgNVBAoTDE9wZW5WUE4t -VEVTVDEhMB8GCSqGSIb3DQEJARYSbWVAbXlob3N0Lm15ZG9tYWluMB4XDTE2MTAy -ODEyNTQzM1oXDTI2MTAyNjEyNTQzM1owajELMAkGA1UEBhMCS0cxCzAJBgNVBAgT -Ak5BMRUwEwYDVQQKEwxPcGVuVlBOLVRFU1QxFDASBgNVBAMTC1Rlc3QtQ2xpZW50 -MSEwHwYJKoZIhvcNAQkBFhJtZUBteWhvc3QubXlkb21haW4wggEiMA0GCSqGSIb3 -DQEBAQUAA4IBDwAwggEKAoIBAQDlT1/JLD+OGj4L+H+C1crFbpSk/ZiFwB3rlLWT -W9/CwD+bjl6j0JHKPvR0k2OG36euDRUobThuO6zJXB/H99VmZLkHAEFttqYa7vG7 -zr05zHAfm2XXPDyXLo4eMZB/zKe42S9Os0qYbaAVBJ3L4XrhY/SWerueqNjwM5dn -bb85gg6jtyoVLZkr+FOx6BQP2bOiTyrxY/3VcqYiuda+5HueyIUeBhoxJD3zgqzX -KH2kT0vD/XInB++dUXFW1KS2ZtJ0T5d/P5CoVotbFEpPwD0tWpB029pZg03dKwqB -JM4Zzo5WEA/NDYMB2HWLZhZAG0evdx/Xxc8K13zyfqCgXfpnAgMBAAGjgcgwgcUw -CQYDVR0TBAIwADAdBgNVHQ4EFgQUuN5360OD/5VZuyh45E3y5ccuBu8wgZgGA1Ud -IwSBkDCBjYAUCMSU7SMKIw3Q+tIT4jy2ZedTJRChaqRoMGYxCzAJBgNVBAYTAktH -MQswCQYDVQQIEwJOQTEQMA4GA1UEBxMHQklTSEtFSzEVMBMGA1UEChMMT3BlblZQ -Ti1URVNUMSEwHwYJKoZIhvcNAQkBFhJtZUBteWhvc3QubXlkb21haW6CCQCkzEYT -iSRAczANBgkqhkiG9w0BAQsFAAOCAgEApyRdsi9JY1WQ4JUO+vzX2AyJARWQcznp -Mjr5jUvN5zoywP277TzZz+oP824YGB0cnOI55sAdLlQU7BuyWv0arGVFm9QNSjpT -lY2900QgF3DQebX3LN0qDb+z0KgfXNszW11WJIQryEMy/PPctdrcfwocKi+bYMot -bv6YVSbVYqc+9ElcqXZUhxkL3XT/AvB1ijYBzylnm67A5draK9lXYZJpHeOy9GaO -+N0RE0wdpX833079fZa6rGw5g4mPBUcaS09oOBqZyGgaMbl4mvUS6iPCxoNr5OCa -/HCqu+8AH8kY70jC/OzoTOiS1mSrXLOsA9pfqZLy/++nOW/WlftEiccrxMRFs0ka -wSOWDfQLD3U7bixMYL7nD2PyPPCcWK/dXkGe9z/g+yi+8AIDAYyexVLgpJDgsgQb -WD4TSYd7ICdz9KjNwr7HwOmOLdBYS54v+pRjspkWCF2hSRo9KZo0o2Pv/XnaCj55 -sc1v9hG3wOhnQTY2lKEJesy5S2NHzknIAvnZ30nBBIIJ+FuSS5ivhl7+Lkj+1ml7 -dqjFMvaw7X6/FGXK/vq7QzN+yPSYo/gLZYU9Wu0zRRJ2kJrKNP5arvasTZ22KH+s -40Ngmt3sqSFJREp0SBJrkzsIcKwuWPdo6466n0Fa+alDRnN6H0B0zofJXlFnjqPM -uOqs/nvYK3g= ------END CERTIFICATE----- diff --git a/sample/sample-keys/sample-ca/03.pem b/sample/sample-keys/sample-ca/03.pem deleted file mode 100644 index e4f5a82..0000000 --- a/sample/sample-keys/sample-ca/03.pem +++ /dev/null @@ -1,103 +0,0 @@ -Certificate: - Data: - Version: 3 (0x2) - Serial Number: 3 (0x3) - Signature Algorithm: sha256WithRSAEncryption - Issuer: C=KG, ST=NA, L=BISHKEK, O=OpenVPN-TEST/emailAddress=me@myhost.mydomain - Validity - Not Before: Oct 28 12:54:33 2016 GMT - Not After : Oct 26 12:54:33 2026 GMT - Subject: C=KG, ST=NA, O=OpenVPN-TEST, CN=client-revoked/emailAddress=me@myhost.mydomain - Subject Public Key Info: - Public Key Algorithm: rsaEncryption - Public-Key: (2048 bit) - Modulus: - 00:c1:a8:94:78:8a:48:84:7a:54:ab:34:a5:bc:8a: - 81:ca:30:8b:9f:df:8f:fd:25:ca:d3:9c:6c:06:b0: - d4:b2:64:5a:7b:09:6e:74:23:41:0e:e5:3d:13:73: - d5:34:7d:f7:42:e3:65:61:e9:3f:d8:e4:be:85:79: - f3:d0:27:bd:8b:de:ce:34:2d:b2:b0:dc:a9:58:1a: - 28:95:62:33:4f:4e:05:1a:16:fe:dd:19:2c:d4:ff: - e9:c2:77:3d:43:77:6d:65:04:d9:fd:a1:f1:fc:a8: - 5b:da:44:43:90:f3:16:a4:b7:48:ee:a7:84:67:ec: - 01:85:22:a7:69:a7:1b:bb:4b:8f:8f:ca:61:1c:50: - 8b:1a:ed:2d:fb:bd:ac:25:7e:4f:16:a7:63:8b:c7: - 34:8d:53:c8:5e:c8:8c:e4:36:70:02:34:f7:f7:0a: - 58:58:57:f1:02:65:5a:00:32:e5:62:94:b3:97:b8: - e7:f3:75:5c:fc:a5:33:41:4c:c2:5b:fc:e6:f2:7f: - f7:a8:4b:db:b2:01:0c:bd:7c:28:dc:c6:83:4c:4f: - 43:34:db:2a:e5:38:24:52:96:43:7d:fc:b7:a2:db: - 9d:6a:18:89:03:cc:8c:60:22:7f:e8:95:79:14:3e: - ad:62:6d:00:6e:d9:b2:be:62:29:65:56:e3:41:3b: - 6b:37 - Exponent: 65537 (0x10001) - X509v3 extensions: - X509v3 Basic Constraints: - CA:FALSE - X509v3 Subject Key Identifier: - C9:DD:AB:FE:FA:1E:B1:21:9E:93:E4:21:3E:36:9A:1B:A2:85:0D:1F - X509v3 Authority Key Identifier: - keyid:08:C4:94:ED:23:0A:23:0D:D0:FA:D2:13:E2:3C:B6:65:E7:53:25:10 - DirName:/C=KG/ST=NA/L=BISHKEK/O=OpenVPN-TEST/emailAddress=me@myhost.mydomain - serial:A4:CC:46:13:89:24:40:73 - - Signature Algorithm: sha256WithRSAEncryption - 6c:e6:8b:2e:58:5e:60:77:bf:b8:9a:88:8c:c9:bd:40:66:cb: - c0:d4:5b:21:00:bc:d8:24:39:04:57:ee:9c:65:d1:03:1f:70: - e6:5d:e2:ef:08:5c:31:d1:8b:c0:44:30:96:e0:a1:e8:0f:d1: - 0e:95:9a:2f:02:6b:06:d6:8c:4d:0a:1f:b8:7b:d9:98:ca:79: - f9:30:4d:88:8f:c8:36:6a:4d:b0:f6:df:cf:ac:a3:67:40:e9: - 54:4f:61:73:b6:16:9b:e1:35:fe:f3:a4:9b:17:df:e5:bb:a8: - f6:63:91:10:c5:b0:5a:00:6e:00:d8:77:f3:35:6b:f4:db:0e: - ef:b6:93:6e:41:65:7d:66:82:2d:04:83:d9:d1:fc:ed:26:1c: - 04:61:9c:1d:30:dd:8a:e4:9f:0d:81:0d:57:eb:d2:64:f5:42: - 69:a1:e4:20:af:0a:20:6b:87:22:85:82:f3:53:19:bd:8f:24: - dd:48:bd:98:71:e9:9a:97:15:c4:f5:e5:56:f5:61:f4:3b:1b: - 06:e9:8e:cb:00:2f:c4:4e:43:82:f8:a9:c4:9c:ba:96:0a:c7: - bf:89:f1:3a:0c:43:aa:3f:96:2e:a3:a7:1d:ef:3c:a1:52:10: - dc:d0:c7:19:94:77:75:25:fa:d7:d4:35:ee:54:d3:32:7d:b5: - 80:cf:5e:ed:b0:f6:1f:e5:8b:b4:8b:3d:f2:31:74:1f:ef:e5: - bb:50:de:5f:24:6e:c7:e0:f2:31:88:9f:25:11:8e:a9:f4:58: - 8b:88:e2:5a:34:75:ba:f4:91:b8:80:4c:e3:59:e6:47:e6:3b: - 00:c1:30:cd:c1:65:dc:18:e7:f9:d3:af:6f:46:e0:e3:3e:5d: - 79:b8:08:19:a4:ac:dc:2b:ad:d3:32:a3:7d:e8:c7:64:4f:92: - 83:a4:b8:a3:f2:01:f3:3a:5c:64:0f:13:27:e4:b6:b2:e7:4b: - a4:d6:8d:b3:18:ec:3e:2d:17:6a:cc:70:4e:a5:69:f8:f1:5c: - 09:b4:18:25:e7:fe:e3:33:dd:a6:82:6d:ed:6a:01:33:45:24: - f5:7e:5f:96:59:6d:ea:79:e4:b2:d4:5c:11:68:91:76:1d:19: - c9:13:15:44:32:f6:5e:75:72:4e:5f:30:59:e8:05:81:be:3c: - 19:41:36:c0:e9:f5:9b:4d:19:8e:b2:72:dc:63:bf:37:05:ac: - 88:0a:1f:8c:19:71:2e:24:b7:ad:7a:14:a4:1b:82:26:6d:ed: - bd:ba:80:55:b4:09:b3:75:68:38:8b:db:f8:55:27:72:76:85: - 2d:9e:db:18:be:ba:c8:d3:93:0d:f5:c9:8f:34:a8:8e:a8:92: - 53:ec:5a:a2:cd:16:48:9d ------BEGIN CERTIFICATE----- -MIIFFzCCAv+gAwIBAgIBAzANBgkqhkiG9w0BAQsFADBmMQswCQYDVQQGEwJLRzEL -MAkGA1UECBMCTkExEDAOBgNVBAcTB0JJU0hLRUsxFTATBgNVBAoTDE9wZW5WUE4t -VEVTVDEhMB8GCSqGSIb3DQEJARYSbWVAbXlob3N0Lm15ZG9tYWluMB4XDTE2MTAy -ODEyNTQzM1oXDTI2MTAyNjEyNTQzM1owbTELMAkGA1UEBhMCS0cxCzAJBgNVBAgT -Ak5BMRUwEwYDVQQKEwxPcGVuVlBOLVRFU1QxFzAVBgNVBAMTDmNsaWVudC1yZXZv -a2VkMSEwHwYJKoZIhvcNAQkBFhJtZUBteWhvc3QubXlkb21haW4wggEiMA0GCSqG -SIb3DQEBAQUAA4IBDwAwggEKAoIBAQDBqJR4ikiEelSrNKW8ioHKMIuf34/9JcrT -nGwGsNSyZFp7CW50I0EO5T0Tc9U0ffdC42Vh6T/Y5L6FefPQJ72L3s40LbKw3KlY -GiiVYjNPTgUaFv7dGSzU/+nCdz1Dd21lBNn9ofH8qFvaREOQ8xakt0jup4Rn7AGF -Iqdppxu7S4+PymEcUIsa7S37vawlfk8Wp2OLxzSNU8heyIzkNnACNPf3ClhYV/EC -ZVoAMuVilLOXuOfzdVz8pTNBTMJb/Obyf/eoS9uyAQy9fCjcxoNMT0M02yrlOCRS -lkN9/Lei251qGIkDzIxgIn/olXkUPq1ibQBu2bK+YillVuNBO2s3AgMBAAGjgcgw -gcUwCQYDVR0TBAIwADAdBgNVHQ4EFgQUyd2r/voesSGek+QhPjaaG6KFDR8wgZgG -A1UdIwSBkDCBjYAUCMSU7SMKIw3Q+tIT4jy2ZedTJRChaqRoMGYxCzAJBgNVBAYT -AktHMQswCQYDVQQIEwJOQTEQMA4GA1UEBxMHQklTSEtFSzEVMBMGA1UEChMMT3Bl -blZQTi1URVNUMSEwHwYJKoZIhvcNAQkBFhJtZUBteWhvc3QubXlkb21haW6CCQCk -zEYTiSRAczANBgkqhkiG9w0BAQsFAAOCAgEAbOaLLlheYHe/uJqIjMm9QGbLwNRb -IQC82CQ5BFfunGXRAx9w5l3i7whcMdGLwEQwluCh6A/RDpWaLwJrBtaMTQofuHvZ -mMp5+TBNiI/INmpNsPbfz6yjZ0DpVE9hc7YWm+E1/vOkmxff5buo9mOREMWwWgBu -ANh38zVr9NsO77aTbkFlfWaCLQSD2dH87SYcBGGcHTDdiuSfDYENV+vSZPVCaaHk -IK8KIGuHIoWC81MZvY8k3Ui9mHHpmpcVxPXlVvVh9DsbBumOywAvxE5DgvipxJy6 -lgrHv4nxOgxDqj+WLqOnHe88oVIQ3NDHGZR3dSX619Q17lTTMn21gM9e7bD2H+WL -tIs98jF0H+/lu1DeXyRux+DyMYifJRGOqfRYi4jiWjR1uvSRuIBM41nmR+Y7AMEw -zcFl3Bjn+dOvb0bg4z5debgIGaSs3Cut0zKjfejHZE+Sg6S4o/IB8zpcZA8TJ+S2 -sudLpNaNsxjsPi0XasxwTqVp+PFcCbQYJef+4zPdpoJt7WoBM0Uk9X5flllt6nnk -stRcEWiRdh0ZyRMVRDL2XnVyTl8wWegFgb48GUE2wOn1m00ZjrJy3GO/NwWsiAof -jBlxLiS3rXoUpBuCJm3tvbqAVbQJs3VoOIvb+FUncnaFLZ7bGL66yNOTDfXJjzSo -jqiSU+xaos0WSJ0= ------END CERTIFICATE----- diff --git a/sample/sample-keys/sample-ca/ca.crl b/sample/sample-keys/sample-ca/ca.crl deleted file mode 100644 index 7ad9d35..0000000 --- a/sample/sample-keys/sample-ca/ca.crl +++ /dev/null @@ -1,21 +0,0 @@ ------BEGIN X509 CRL----- -MIIDZzCCAU8CAQEwDQYJKoZIhvcNAQELBQAwZjELMAkGA1UEBhMCS0cxCzAJBgNV -BAgTAk5BMRAwDgYDVQQHEwdCSVNIS0VLMRUwEwYDVQQKEwxPcGVuVlBOLVRFU1Qx -ITAfBgkqhkiG9w0BCQEWEm1lQG15aG9zdC5teWRvbWFpbhcNMTYxMDI4MTI1NDMz -WhcNMTYxMTI3MTI1NDMzWjAUMBICAQMXDTE2MTAyODEyNTQzM1qggZ4wgZswgZgG -A1UdIwSBkDCBjYAUCMSU7SMKIw3Q+tIT4jy2ZedTJRChaqRoMGYxCzAJBgNVBAYT -AktHMQswCQYDVQQIEwJOQTEQMA4GA1UEBxMHQklTSEtFSzEVMBMGA1UEChMMT3Bl -blZQTi1URVNUMSEwHwYJKoZIhvcNAQkBFhJtZUBteWhvc3QubXlkb21haW6CCQCk -zEYTiSRAczANBgkqhkiG9w0BAQsFAAOCAgEA8GGYfeiPmEidbPxLFQDIIvnz4QEa -9mKuB5VFa0l2yNlyMYoN2uXV2bqIzuQ94mnzc5xsMLVRkiSX4lq7HZY3VyTo57Ps -dpRGKsVOM5rsWgDFycAT4+9OuZMnpntKzmbAlYvaKwnvpQj0xuXP5l1QJSANrtAK -c/EQ2EmEwrHtcE4HEwOeMzC5ON5EceneLqMg+JTkZURoBW7e9Hk0MJh8HDewRcN0 -0D/+e7/ZuRFt68XDfDhjbXPQVv4vbPKR9OXaXClwJgw+LYvhGe+0s4Lumhb4sP6Z -oOTjGCXxQOtZJEC1vCb0cahFkuYJu6fCOh0crspGNt0wTgDKp7LXbEJhwv+6wQ6k -zu+4a6ES8wj2DwXqQaV5txG55S1Q5PMLCw7L7VDrKJr2DXi4PKdToj5b35aS1DU/ -q6JjcxiuzjN7sHfC7elQIudaVEuE2XkpxaQPNdKC4xKLvck7zZMqGUWOwuI1mqya -WGBfgrkeAllq4cWEF5SWR8iFREo2FBs3CxETgrkWGWWRgu3UsrLC9AXVHntud21e -dXwTCIbiYZ2Vv7iYI06W+pOwdeQNc6X/sg2QFpWMLLblYlhPy6yu/3zg7TKilDfS -tu0hmTrsgRKciB5lKWZAuylGUGIGLrmG+LzOq2b9j5yhS9WA5qL83fMVrCoyB3W+ -ISfJElodA9n+UM8= ------END X509 CRL----- diff --git a/sample/sample-keys/sample-ca/ca.crt b/sample/sample-keys/sample-ca/ca.crt deleted file mode 100644 index 2775ca2..0000000 --- a/sample/sample-keys/sample-ca/ca.crt +++ /dev/null @@ -1,35 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIGKDCCBBCgAwIBAgIJAKTMRhOJJEBzMA0GCSqGSIb3DQEBCwUAMGYxCzAJBgNV -BAYTAktHMQswCQYDVQQIEwJOQTEQMA4GA1UEBxMHQklTSEtFSzEVMBMGA1UEChMM -T3BlblZQTi1URVNUMSEwHwYJKoZIhvcNAQkBFhJtZUBteWhvc3QubXlkb21haW4w -HhcNMTYxMDI4MTI1NDMyWhcNMjYxMDI2MTI1NDMyWjBmMQswCQYDVQQGEwJLRzEL -MAkGA1UECBMCTkExEDAOBgNVBAcTB0JJU0hLRUsxFTATBgNVBAoTDE9wZW5WUE4t -VEVTVDEhMB8GCSqGSIb3DQEJARYSbWVAbXlob3N0Lm15ZG9tYWluMIICIjANBgkq -hkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA9EOM8PfRM8VrxwyesCSodTSlBcuyUJ43 -hVW9XBfOJP/PPVv3vgJKCyu/2B5XlP3L2NqJ/TesFGAN9ZBX+fzYJIzNxa6yUjaZ -HuAXRA7IxlKvO+l92Pl4RazpYELuKiS54RBhhChmxfRo2xEx2cPghFtJWNK2IAcH -4mKLUYIWGEKhpT/bMqazqlHDGmPkD4HfeLNwTNFDrNi4N5iF1bbfUjwNJF1PGCOz -o1Ka54TF9KTrTf1Ii8bM5ttUtjsTh0zyxOc/N5yw4Is9VEDIuvndrBDgq+yxLZjO -13KY+oO5M4uTf4QmM6yPFn4ZyZ23oW3CNF4ytVnfhR5W4rFeHtibbOjOwXBQ+NRw -jatZqVRpE1gwFR0Z7767cc2OosupM3YR/pTflXAyThVtU5uM1rMxuyedpNWPN5QN -5qhwyu1qVq1Y2mIWHS8rkN+6Zek4TZ9W05paR8zpjJ1Z8pbtjIFu1RM77cnLoOAT -KpoyO6avqo3vIDRHoYdoj044ff/0JAOyj049vcdd06KWLPsmNj4FzCyVUQOHR+LA -6plBJgGf3vyaZfs1ZwwcA/WQHtf1ztrkDPVUWaXixeipsg8CWZb4eIuYbzloc6Ot -b22wQ7C0cDO5pUjNGJZLYYDX0zIO9rwZSPGQ/gthlwQXg8zrM4MASLLw0hqZ45c0 -ems4nt0QDi8CAwEAAaOB2DCB1TAdBgNVHQ4EFgQUCMSU7SMKIw3Q+tIT4jy2ZedT -JRAwgZgGA1UdIwSBkDCBjYAUCMSU7SMKIw3Q+tIT4jy2ZedTJRChaqRoMGYxCzAJ -BgNVBAYTAktHMQswCQYDVQQIEwJOQTEQMA4GA1UEBxMHQklTSEtFSzEVMBMGA1UE -ChMMT3BlblZQTi1URVNUMSEwHwYJKoZIhvcNAQkBFhJtZUBteWhvc3QubXlkb21h -aW6CCQCkzEYTiSRAczAMBgNVHRMEBTADAQH/MAsGA1UdDwQEAwIBBjANBgkqhkiG -9w0BAQsFAAOCAgEAmavYB0InmvVooI0Ukm9x8qF3ql0LDKwfm1T79aUybOUxscId -MT26djkAln0abo4mYXPaMYISVTrNNrBMX80Y+aa4DfXW392mKqrPf1L3fVD6jsoi -5kofqdiojSJs0uHfy+A32XVPrIzTeV3lvE/yDfKDBNb9f+3U8UIyIARXryYm4H6z -mCqUgocMAB1hFu8Lpf8eeGxrCfsD6yR6PMO8YNGdBfinbhXjfzCFD1ZJ+JxPePww -ydtL+Z0/dZvVzVehxdHCe8+vdpAjoI/YJk5UPSlAVGooaR+kH6BPbL/7QoVFUBxO -mDMnTpNFt5GLM5pMExZo2Ef89D9dsXDa9lgv4KTxfbF/Xn5ODQ5rW5i0i+p6REZs -FND1M0H/0DC14fhTdb8llpJzK0ZAwSf59SaUgrooVMCWzN2Xl4+zVCUik4gvjs6A -AHXdqL6dHEIG41+BAJHHoS0kkbvw03td1SbktKtbgaDWW7CkGcNhBmkMB7HZiVoW -yMV8X0WQoEntZfEq+kNePx68D51VR3htiOhBrO88rOXZAAJBoeke8K/CbLRm3av7 -LHM5Q2Ki821yjFpGFGgvMJBt3xvFajG5DwWLsGNXrlGA781UXdZBwmsvg8Z+iIMu -9+sidZJU68slPre6hQcFPAO4c21csr6yV7LVyOS1We6akeseYAR90fGNrI4= ------END CERTIFICATE----- diff --git a/sample/sample-keys/sample-ca/ca.key b/sample/sample-keys/sample-ca/ca.key deleted file mode 100644 index 29e7d2d..0000000 --- a/sample/sample-keys/sample-ca/ca.key +++ /dev/null @@ -1,52 +0,0 @@ ------BEGIN PRIVATE KEY----- -MIIJRAIBADANBgkqhkiG9w0BAQEFAASCCS4wggkqAgEAAoICAQD0Q4zw99EzxWvH -DJ6wJKh1NKUFy7JQnjeFVb1cF84k/889W/e+AkoLK7/YHleU/cvY2on9N6wUYA31 -kFf5/NgkjM3FrrJSNpke4BdEDsjGUq876X3Y+XhFrOlgQu4qJLnhEGGEKGbF9Gjb -ETHZw+CEW0lY0rYgBwfiYotRghYYQqGlP9syprOqUcMaY+QPgd94s3BM0UOs2Lg3 -mIXVtt9SPA0kXU8YI7OjUprnhMX0pOtN/UiLxszm21S2OxOHTPLE5z83nLDgiz1U -QMi6+d2sEOCr7LEtmM7Xcpj6g7kzi5N/hCYzrI8WfhnJnbehbcI0XjK1Wd+FHlbi -sV4e2Jts6M7BcFD41HCNq1mpVGkTWDAVHRnvvrtxzY6iy6kzdhH+lN+VcDJOFW1T -m4zWszG7J52k1Y83lA3mqHDK7WpWrVjaYhYdLyuQ37pl6ThNn1bTmlpHzOmMnVny -lu2MgW7VEzvtycug4BMqmjI7pq+qje8gNEehh2iPTjh9//QkA7KPTj29x13TopYs -+yY2PgXMLJVRA4dH4sDqmUEmAZ/e/Jpl+zVnDBwD9ZAe1/XO2uQM9VRZpeLF6Kmy -DwJZlvh4i5hvOWhzo61vbbBDsLRwM7mlSM0YlkthgNfTMg72vBlI8ZD+C2GXBBeD -zOszgwBIsvDSGpnjlzR6azie3RAOLwIDAQABAoICAQCUZC1Nft/i+b6eMDZ/f+Wv -Poo6WSM9AsFsCUh+mB+uLpIyDpsVHcLpwmxL2TMP2pdqaGmIIbgysKAKXOR1hHuy -yK+Btr2yYGTpcu3vdKPYiAbY+OJxXC0K9x7YUhDqHWGnLxJu/TRicjb5Txrf1rWg -8uw+P9RQ5LSPfZpxq/vMRT56a664uLlRcVZ7w8+a9CVU6H4CzOa2LPrNG6XCzdQh -20WIn/8bBSVuxRJCMFEqbL5epM7by6xTW0+9XWphugeKQ4oOOOzjnPNnKexIWt+m -VqKHD8Ybk0elb4MsPbXXcKXsw9WJcv2Chp0X9O7H7SwcMFXSAoVeE65pDaPGTYUt -luwtsw+82zYtorqtiRc6YV7DutokHaCHME3C7x9o1kyGFnuCFY6JlDlLS7fgEPhZ -19p5eIcieJ4GQfmASVxGWB0C1AKQHWqeSlr7DF5OEPy5+9a9JjO6pfh/kcfC5WWI -6vllb+ISrd+XcXTPL/sSKDEb5EFZ4MsBhVXYWMmqKDuyaCuyWy3BiQuz2vEI0tXY -YZF9Y+/HM61Jy2363ittxC455fYdpB9tVqOKDIYiXDctoaQDkbIfZMzCiozj9zi8 -H4o87i1EmBlyKNWzd3aiuxs581vboG8aCE5HmvYr+pFDfwvf8O4OYJZGehErwZz0 -K74E1IW79Mlec4UBl/HxEQKCAQEA/aj5MBoiXVF3aPxJDpCn67ZsjIDsFlyHyMrf -qDJIMHhplTI+LAcaJYu4Dj6fsj3ATHUIWjvP/T86Lf2E6qy0ZEmr3KaIskeGgh6e -YyJXGXH88BKOWgqaE/EEYPXKs1fdZTVfmpFGjoZ0ifJzJ50qJhSeM3jJGeOJdebL -O0XxsG5blpicwZcyLLQTAETH4a00TXgdqbL1BeALL/Pay5ErZKLw+txOFpDnKsu0 -D2XCHhRMk2ZqpjS6IUnWqUIA4/cn/H+vKTkxEMCNFkB3yLcPE/Hd/SAL9viDO2DY -jn+b0CObtapEA/eqEXkaBGvCrNNtcg6l1D3yzS8dl2K9qxsq3QKCAQEA9oRjRInp -nszUijKTs14Ml3vgSe8XcAPV9v+kcwnrbZXMe3fXKbma3/SKU4GNdGfXacWRxqRJ -TkzziqRvT5MOmdlEdBeHN3gIbjCBvOKzdrbYfNQ5Zcy4ODFhD1QSvLaer8xZbOTR -lKZ8kszZ3Wj7m3byXQE3ZYCVjRFS/07mP1Jh2/KUhg059a0JQhReydE12FZ40r4Y -OcL21ldzfLHDod5kjW7LZnIQpuiTD1eDLI2j59qIgg3yh3KIn5Xkmaq1SbqGAuzF -Gt2x73qfXYB/I/xeR1s3UKSM+bs9S85f/yAqQUSSNbjP4WU0u/zMmV6Ze+VYe7yN -nGyoS8GuwL3uewKCAQB5aM8cfuXD1KJa1aYCGqrE32PFPE/DxDYZnUC/uJFk4b1n -c8zeNegF4IIQD1lQbs4DymBdEBPVGtY1/QoJaPBOsBRaYDs9WY6/6PfWazFVNIHk -Rn1sC3cD5HA8GGkUvhFxx8IisTYcMa7F+A22ADuUTnoKGN3oTkgU7oqHrEqqL6gW -xKUC4+NYEjimAEXLdqN6EOvhtY4hacLxCL7IgItMd9DvwVJ+6ow6p5VfaU0oKH8e -bf7N3p7YIAdmq/jRJBM3f8XO7VjWs9LTu7eZkkTdPv8JkLUpWHk3insceWeSj/iP -UxeK7pewFU6mnw1muyu/U9N7assz+kEnnFM7+pzhAoIBAQCL3hF0kcs7jnwI7Slg -W7xJNr/LMxzZMVP1EJb9rmMlihi69QPfaK+24ciaGKdppIFUQgSz8AKnqoGD6Eg/ -nfBq2hs8wxy1HCWsX1k9EmNAt/2c1cy7NaxQNbQcPldjOzpOBGO4pRtEfDGyGQiD -10zqqFJa8pW7wXkY0PuGX/3Db7qWUMx0QozgF41pMKWXXFxwop9q8vBL1ZK3ima8 -GSAmd0gV9wbw2UcZbFwEGGMUpEibBCLvp3oz34glA6bwiSrS6kGe5zfuRlruxWQm -aQG6KTZUxixcVQCnsNTWbgGJf3Z6Ea3jTTilagbBom1zl3j+EuJhUloGpp/WW84L -DbiBAoIBAQDo0UOrrWHBmqOg5A9Z7Vub/Oi1Wdfhla4huaTn534Ml63NXpXkYts6 -sYGyyuSdWh0f1bLusWCs5COT5fZFVNvH59/6a7TVlKr/5B9jGNh9+LdP6Qpttd0B -Xfs7X2u/HiCUgDPj1cVOc9kQuOc+vw9t0WHdsVm+kCutjDd63LItIMbn4Vj9kxJq -wJiC+x/5Jpw8VjLQ0aPUosU9ZLV2L0g7XgdUPAJbkrb2HGaoxS9uh0bSnOFw9DQh -eFWCG9EAmyDBh975q8e9kmAOPCVUP2sdOSKgGC5FzSOwRdwkjHI8wa1F3NnxH4rC -Kt9XP5gPhxALZWWSk4h9gCJDmsl5dMJc ------END PRIVATE KEY----- diff --git a/sample/sample-keys/sample-ca/client-pass.key b/sample/sample-keys/sample-ca/client-pass.key deleted file mode 100644 index 14be4dc..0000000 --- a/sample/sample-keys/sample-ca/client-pass.key +++ /dev/null @@ -1,30 +0,0 @@ ------BEGIN RSA PRIVATE KEY----- -Proc-Type: 4,ENCRYPTED -DEK-Info: AES-256-CBC,78F6C09B62F40C57290E71382D07BF4D - -McT4Z3IZnCc//AXZGGPviFDPorHDv91H3zQcoMtbNzjGnJSMmfXxuQpUcDgOZln9 -dgKchPjPX8/X3X0tEnPVwZP8OjT5gVHhlDxiMP35FummwUNqE9srmGnApQky687b -Y3bGuhdqAPPtn86rxXCZiKBLzlDXL//6yOd80jDBMTJJB0/tpIdCtxSRqu3uAv73 -TbphSe9TTl77nifGZpDlSba8l9T+jSn7QnLDO0HauNeuMW9NJysqI6QwmRPlcELi -RAAAEt6ncd6H+a2KmzXJ8exRrLkKyAEbzMCUxtUQ7cADDUoKJKNnkza1yGdMacZc -IM16AzTJZQU7qS4H6058VOW5NmzWU+rmyz/2OftuRwgiuXaZWYc2TtgA/mHdTOHu -wpDkWefmDZz2yLzvvJDoaGHHS12R60UP/XSiIVayRBYOZBFxchXnfcvvHRfWP3Az -NILFUBLjVQTwb0N99s+VLJlr7WM9f12uM7SC6i+f1nPiGToSQw/1UP7XCYGi3ORA -2U3e1VrzaxwccR9tjwE4j7T/mYV/XU9W5Nk2FtFk3DT0iNe0jxdBfD9aEpa+Pnq4 -c5SeAyXEfF0+50VJ6RM/SKmU8tya1P6gLaHdcjLVa9b2j4X4iYrbkkZJ8ew7pmJu -2Natn8bcvYRIcS8rherrX9DZGM1Z3lwBWG1xrvoumdBlbxNS+ea0UeYtvm9QUpOK -0kMBiiiAkO9gG6fE55DZuIKHdssKsxpXnoM+JgZf2xI+aqOaXWG0SWyaamzuCHdl -cchA3YI7QXDZDMvByR2MMjpqGh/tAEpPGAsZA1TC8QyqhmiWc+9uuXpsIOGNwSse -4jVS2B2rxu9oRKQDjEh+qS/1Fr10WgWAZfnF0jZi2c+yJng1KgJ8UzlFKICvbHxp -nDlmqDazhIYtYlYzyjac2wHuNRBAPU2MELgnudIW2L9pIcEiyG7L7vxGtBiCPmfb -1mTw00NYXy1G5ZvDo58jdQeM3L9YekM8LMJY11AMSPJFzcmAUL8X/Zc3YBcljTRR -ZgnkVXkeHB21lj+BRyCBVowoAW9jDWz5u/pzIbLKpfBr+CuzQ53mjEFgmSrB/jro -mTvtz5hmm1IeJXGxPbemLCgiMzFp32aFMIF+R2op0wxDaZo8J5e7gIVIX0VowEh9 -ohukxyl3h3sOIYXMme8EN7PYv9BDdzHt2Eah5ICcmJ8VWPBItztgnHYqDN+igMMG -dW8RtAtcvc+a71v4MqOE98pFtAx/lPeu5+DgVjWwSB9uaN5Ik5NE6aRd2M0QrR+f -D+5s8LsjA6UKP1qVrmykNpt7JVy49TSLWpiEQZNBHSJkcc39yjU8dLt2cdDPUZGp -Iycv7WsOyZcJAdtIGiZuoO2qxFgSBXm+mWIvLmkomwVrdS4MFlOgtehlQkZzXw5x -0UxgG5XYI3zVa0oILR9ooPM+nDXtnE1ePN3NgNanemi6/2cJZc1eJyDCpH2iMHQY -O3GwCyuJcGvHXqypB1jENVOQ/VLC9M8z6Td//V/xmF/nPtuRL2xg8nUPpzJbfWti -ehUZ09cewyyN/W86MZdA9TdzzT/i1YvvZEb+2c2joD1MwqPp6TNw2Y/Hj786td0L ------END RSA PRIVATE KEY----- diff --git a/sample/sample-keys/sample-ca/client-revoked.crt b/sample/sample-keys/sample-ca/client-revoked.crt deleted file mode 100644 index e4f5a82..0000000 --- a/sample/sample-keys/sample-ca/client-revoked.crt +++ /dev/null @@ -1,103 +0,0 @@ -Certificate: - Data: - Version: 3 (0x2) - Serial Number: 3 (0x3) - Signature Algorithm: sha256WithRSAEncryption - Issuer: C=KG, ST=NA, L=BISHKEK, O=OpenVPN-TEST/emailAddress=me@myhost.mydomain - Validity - Not Before: Oct 28 12:54:33 2016 GMT - Not After : Oct 26 12:54:33 2026 GMT - Subject: C=KG, ST=NA, O=OpenVPN-TEST, CN=client-revoked/emailAddress=me@myhost.mydomain - Subject Public Key Info: - Public Key Algorithm: rsaEncryption - Public-Key: (2048 bit) - Modulus: - 00:c1:a8:94:78:8a:48:84:7a:54:ab:34:a5:bc:8a: - 81:ca:30:8b:9f:df:8f:fd:25:ca:d3:9c:6c:06:b0: - d4:b2:64:5a:7b:09:6e:74:23:41:0e:e5:3d:13:73: - d5:34:7d:f7:42:e3:65:61:e9:3f:d8:e4:be:85:79: - f3:d0:27:bd:8b:de:ce:34:2d:b2:b0:dc:a9:58:1a: - 28:95:62:33:4f:4e:05:1a:16:fe:dd:19:2c:d4:ff: - e9:c2:77:3d:43:77:6d:65:04:d9:fd:a1:f1:fc:a8: - 5b:da:44:43:90:f3:16:a4:b7:48:ee:a7:84:67:ec: - 01:85:22:a7:69:a7:1b:bb:4b:8f:8f:ca:61:1c:50: - 8b:1a:ed:2d:fb:bd:ac:25:7e:4f:16:a7:63:8b:c7: - 34:8d:53:c8:5e:c8:8c:e4:36:70:02:34:f7:f7:0a: - 58:58:57:f1:02:65:5a:00:32:e5:62:94:b3:97:b8: - e7:f3:75:5c:fc:a5:33:41:4c:c2:5b:fc:e6:f2:7f: - f7:a8:4b:db:b2:01:0c:bd:7c:28:dc:c6:83:4c:4f: - 43:34:db:2a:e5:38:24:52:96:43:7d:fc:b7:a2:db: - 9d:6a:18:89:03:cc:8c:60:22:7f:e8:95:79:14:3e: - ad:62:6d:00:6e:d9:b2:be:62:29:65:56:e3:41:3b: - 6b:37 - Exponent: 65537 (0x10001) - X509v3 extensions: - X509v3 Basic Constraints: - CA:FALSE - X509v3 Subject Key Identifier: - C9:DD:AB:FE:FA:1E:B1:21:9E:93:E4:21:3E:36:9A:1B:A2:85:0D:1F - X509v3 Authority Key Identifier: - keyid:08:C4:94:ED:23:0A:23:0D:D0:FA:D2:13:E2:3C:B6:65:E7:53:25:10 - DirName:/C=KG/ST=NA/L=BISHKEK/O=OpenVPN-TEST/emailAddress=me@myhost.mydomain - serial:A4:CC:46:13:89:24:40:73 - - Signature Algorithm: sha256WithRSAEncryption - 6c:e6:8b:2e:58:5e:60:77:bf:b8:9a:88:8c:c9:bd:40:66:cb: - c0:d4:5b:21:00:bc:d8:24:39:04:57:ee:9c:65:d1:03:1f:70: - e6:5d:e2:ef:08:5c:31:d1:8b:c0:44:30:96:e0:a1:e8:0f:d1: - 0e:95:9a:2f:02:6b:06:d6:8c:4d:0a:1f:b8:7b:d9:98:ca:79: - f9:30:4d:88:8f:c8:36:6a:4d:b0:f6:df:cf:ac:a3:67:40:e9: - 54:4f:61:73:b6:16:9b:e1:35:fe:f3:a4:9b:17:df:e5:bb:a8: - f6:63:91:10:c5:b0:5a:00:6e:00:d8:77:f3:35:6b:f4:db:0e: - ef:b6:93:6e:41:65:7d:66:82:2d:04:83:d9:d1:fc:ed:26:1c: - 04:61:9c:1d:30:dd:8a:e4:9f:0d:81:0d:57:eb:d2:64:f5:42: - 69:a1:e4:20:af:0a:20:6b:87:22:85:82:f3:53:19:bd:8f:24: - dd:48:bd:98:71:e9:9a:97:15:c4:f5:e5:56:f5:61:f4:3b:1b: - 06:e9:8e:cb:00:2f:c4:4e:43:82:f8:a9:c4:9c:ba:96:0a:c7: - bf:89:f1:3a:0c:43:aa:3f:96:2e:a3:a7:1d:ef:3c:a1:52:10: - dc:d0:c7:19:94:77:75:25:fa:d7:d4:35:ee:54:d3:32:7d:b5: - 80:cf:5e:ed:b0:f6:1f:e5:8b:b4:8b:3d:f2:31:74:1f:ef:e5: - bb:50:de:5f:24:6e:c7:e0:f2:31:88:9f:25:11:8e:a9:f4:58: - 8b:88:e2:5a:34:75:ba:f4:91:b8:80:4c:e3:59:e6:47:e6:3b: - 00:c1:30:cd:c1:65:dc:18:e7:f9:d3:af:6f:46:e0:e3:3e:5d: - 79:b8:08:19:a4:ac:dc:2b:ad:d3:32:a3:7d:e8:c7:64:4f:92: - 83:a4:b8:a3:f2:01:f3:3a:5c:64:0f:13:27:e4:b6:b2:e7:4b: - a4:d6:8d:b3:18:ec:3e:2d:17:6a:cc:70:4e:a5:69:f8:f1:5c: - 09:b4:18:25:e7:fe:e3:33:dd:a6:82:6d:ed:6a:01:33:45:24: - f5:7e:5f:96:59:6d:ea:79:e4:b2:d4:5c:11:68:91:76:1d:19: - c9:13:15:44:32:f6:5e:75:72:4e:5f:30:59:e8:05:81:be:3c: - 19:41:36:c0:e9:f5:9b:4d:19:8e:b2:72:dc:63:bf:37:05:ac: - 88:0a:1f:8c:19:71:2e:24:b7:ad:7a:14:a4:1b:82:26:6d:ed: - bd:ba:80:55:b4:09:b3:75:68:38:8b:db:f8:55:27:72:76:85: - 2d:9e:db:18:be:ba:c8:d3:93:0d:f5:c9:8f:34:a8:8e:a8:92: - 53:ec:5a:a2:cd:16:48:9d ------BEGIN CERTIFICATE----- -MIIFFzCCAv+gAwIBAgIBAzANBgkqhkiG9w0BAQsFADBmMQswCQYDVQQGEwJLRzEL -MAkGA1UECBMCTkExEDAOBgNVBAcTB0JJU0hLRUsxFTATBgNVBAoTDE9wZW5WUE4t -VEVTVDEhMB8GCSqGSIb3DQEJARYSbWVAbXlob3N0Lm15ZG9tYWluMB4XDTE2MTAy -ODEyNTQzM1oXDTI2MTAyNjEyNTQzM1owbTELMAkGA1UEBhMCS0cxCzAJBgNVBAgT -Ak5BMRUwEwYDVQQKEwxPcGVuVlBOLVRFU1QxFzAVBgNVBAMTDmNsaWVudC1yZXZv -a2VkMSEwHwYJKoZIhvcNAQkBFhJtZUBteWhvc3QubXlkb21haW4wggEiMA0GCSqG -SIb3DQEBAQUAA4IBDwAwggEKAoIBAQDBqJR4ikiEelSrNKW8ioHKMIuf34/9JcrT -nGwGsNSyZFp7CW50I0EO5T0Tc9U0ffdC42Vh6T/Y5L6FefPQJ72L3s40LbKw3KlY -GiiVYjNPTgUaFv7dGSzU/+nCdz1Dd21lBNn9ofH8qFvaREOQ8xakt0jup4Rn7AGF -Iqdppxu7S4+PymEcUIsa7S37vawlfk8Wp2OLxzSNU8heyIzkNnACNPf3ClhYV/EC -ZVoAMuVilLOXuOfzdVz8pTNBTMJb/Obyf/eoS9uyAQy9fCjcxoNMT0M02yrlOCRS -lkN9/Lei251qGIkDzIxgIn/olXkUPq1ibQBu2bK+YillVuNBO2s3AgMBAAGjgcgw -gcUwCQYDVR0TBAIwADAdBgNVHQ4EFgQUyd2r/voesSGek+QhPjaaG6KFDR8wgZgG -A1UdIwSBkDCBjYAUCMSU7SMKIw3Q+tIT4jy2ZedTJRChaqRoMGYxCzAJBgNVBAYT -AktHMQswCQYDVQQIEwJOQTEQMA4GA1UEBxMHQklTSEtFSzEVMBMGA1UEChMMT3Bl -blZQTi1URVNUMSEwHwYJKoZIhvcNAQkBFhJtZUBteWhvc3QubXlkb21haW6CCQCk -zEYTiSRAczANBgkqhkiG9w0BAQsFAAOCAgEAbOaLLlheYHe/uJqIjMm9QGbLwNRb -IQC82CQ5BFfunGXRAx9w5l3i7whcMdGLwEQwluCh6A/RDpWaLwJrBtaMTQofuHvZ -mMp5+TBNiI/INmpNsPbfz6yjZ0DpVE9hc7YWm+E1/vOkmxff5buo9mOREMWwWgBu -ANh38zVr9NsO77aTbkFlfWaCLQSD2dH87SYcBGGcHTDdiuSfDYENV+vSZPVCaaHk -IK8KIGuHIoWC81MZvY8k3Ui9mHHpmpcVxPXlVvVh9DsbBumOywAvxE5DgvipxJy6 -lgrHv4nxOgxDqj+WLqOnHe88oVIQ3NDHGZR3dSX619Q17lTTMn21gM9e7bD2H+WL -tIs98jF0H+/lu1DeXyRux+DyMYifJRGOqfRYi4jiWjR1uvSRuIBM41nmR+Y7AMEw -zcFl3Bjn+dOvb0bg4z5debgIGaSs3Cut0zKjfejHZE+Sg6S4o/IB8zpcZA8TJ+S2 -sudLpNaNsxjsPi0XasxwTqVp+PFcCbQYJef+4zPdpoJt7WoBM0Uk9X5flllt6nnk -stRcEWiRdh0ZyRMVRDL2XnVyTl8wWegFgb48GUE2wOn1m00ZjrJy3GO/NwWsiAof -jBlxLiS3rXoUpBuCJm3tvbqAVbQJs3VoOIvb+FUncnaFLZ7bGL66yNOTDfXJjzSo -jqiSU+xaos0WSJ0= ------END CERTIFICATE----- diff --git a/sample/sample-keys/sample-ca/client-revoked.csr b/sample/sample-keys/sample-ca/client-revoked.csr deleted file mode 100644 index 83f39c2..0000000 --- a/sample/sample-keys/sample-ca/client-revoked.csr +++ /dev/null @@ -1,17 +0,0 @@ ------BEGIN CERTIFICATE REQUEST----- -MIICsjCCAZoCAQAwbTELMAkGA1UEBhMCS0cxCzAJBgNVBAgTAk5BMRUwEwYDVQQK -EwxPcGVuVlBOLVRFU1QxFzAVBgNVBAMTDmNsaWVudC1yZXZva2VkMSEwHwYJKoZI -hvcNAQkBFhJtZUBteWhvc3QubXlkb21haW4wggEiMA0GCSqGSIb3DQEBAQUAA4IB -DwAwggEKAoIBAQDBqJR4ikiEelSrNKW8ioHKMIuf34/9JcrTnGwGsNSyZFp7CW50 -I0EO5T0Tc9U0ffdC42Vh6T/Y5L6FefPQJ72L3s40LbKw3KlYGiiVYjNPTgUaFv7d -GSzU/+nCdz1Dd21lBNn9ofH8qFvaREOQ8xakt0jup4Rn7AGFIqdppxu7S4+PymEc -UIsa7S37vawlfk8Wp2OLxzSNU8heyIzkNnACNPf3ClhYV/ECZVoAMuVilLOXuOfz -dVz8pTNBTMJb/Obyf/eoS9uyAQy9fCjcxoNMT0M02yrlOCRSlkN9/Lei251qGIkD -zIxgIn/olXkUPq1ibQBu2bK+YillVuNBO2s3AgMBAAGgADANBgkqhkiG9w0BAQsF -AAOCAQEAVdY5lxOQyI2WIkH2xtTaUGzo7fOQsY3YFZdguAtc6mywKQj6v7d08uG2 -qaRxzpccpo2HKpWXG9pbKwtCmv9/akxI0NgACmCUnXVzPCJHVcg/Ogd7jDA7Piyc -fDltLGWmAmoIk+tUM9bnkpR/FSzhu8kewxzI6ukb2lsRG0D49XFj2w6zfcgB1Wgy -5jwJ//9QxJSqjWw+HX5tMAameqG/gs6uYCx5LF2f7IcM8ezq4k8cmtwu3A9JfZqF -Vmgnw2SCQ6YSdIxhsyW8lt51TDOySg26FAodnM5TED5jvt+Eu6VqEpAWpbQ8wLUC -gPGjtAfFdE/LegfC8mn0ZvQNBwv3/Q== ------END CERTIFICATE REQUEST----- diff --git a/sample/sample-keys/sample-ca/client-revoked.key b/sample/sample-keys/sample-ca/client-revoked.key deleted file mode 100644 index 2a88c90..0000000 --- a/sample/sample-keys/sample-ca/client-revoked.key +++ /dev/null @@ -1,28 +0,0 @@ ------BEGIN PRIVATE KEY----- -MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDBqJR4ikiEelSr -NKW8ioHKMIuf34/9JcrTnGwGsNSyZFp7CW50I0EO5T0Tc9U0ffdC42Vh6T/Y5L6F -efPQJ72L3s40LbKw3KlYGiiVYjNPTgUaFv7dGSzU/+nCdz1Dd21lBNn9ofH8qFva -REOQ8xakt0jup4Rn7AGFIqdppxu7S4+PymEcUIsa7S37vawlfk8Wp2OLxzSNU8he -yIzkNnACNPf3ClhYV/ECZVoAMuVilLOXuOfzdVz8pTNBTMJb/Obyf/eoS9uyAQy9 -fCjcxoNMT0M02yrlOCRSlkN9/Lei251qGIkDzIxgIn/olXkUPq1ibQBu2bK+Yill -VuNBO2s3AgMBAAECggEBAIgnu0NIjhW+YFsCp+f4RapfGTutFfI4qPLAjl7h4pkN -32OTzPmQc8RCPf+4N9UxHzAC6pu9P2uB38W+aUIXPrfhTX74BiM88T8FHTVyFnsS -cpnWQxg2BAQ5bSORbBxMEjitAYrGWnl18SZzSkHV9zyVtIw+cOQT1TnClIu+tsul -6P3WeMFrkEjypgwZo1pc37mMJ97IGw6hAERQ1o2EJDEEJ8uK2SlO1WhywfKGbPqY -A0LxmC1PPuJHpeT85FuFIB9mHf97cgZKGdD4Ue5VdLum6pIVCsiCsnxj8LUPp37u -rlpqB3Hb66C6t+mOvwAw9OjXL+WNeNeemDvVgD293iECgYEA9BmtCduzs6KHUFM5 -vvUzmiLm7IzEVfw8tm8pRc3Qty5vHA2Nowajiq4MCIccc5yJJMt1phyC9n3HX9UA -qxgvtq+b3vMnH/N4kBE6NELrAicDyWCa/5FoakMwp28y4NxjMTqe0tiHlH3G3VnF -8oBgSPahhkBxZzwZagJ25D/HqHECgYEAyxlmg7eNTazXMJ7gqGacWyqLgOWqTazr -XLvLxpgEwwE6vtbxh1T7kpYbmdZWC7eEN2ooOhs4oEedkhqo5orv0g7MIbMEx0p6 -/yRgNT77kqba7xp5W2e84v7jTl6O68G4F4HW/DDcuEx2gs3jjTp3/CvElXZX5x5Y -8xCjRP9t4icCgYA/FXejyZS6gvFnb+rHkAUC+6wkTAjdk+940mefM56SCL0MSfBl -xmxzhaF0fr56nmTPDoncIRgzbbQd7yVaEkkadG3bA4oD9t8clGcvZG/pwX14CLBm -BgUvGSg0zUcf17UG3vh20yDO3maLhAzlLAo2MQ7zbCoinOSQggyJ1nXZ8QKBgDwX -vORWKAIGlPk22SQakELNOM+fpJ8s/crHagjNrAMC1x3mPTqco38A2RPQfk8jMoSu -7U4cBcouxmmXZ8gm7cSKSk3iSRSqbfAWFD1M8GS45+h9PdEUxaeoYRssET+iZtTV -vwWJc5U4UoxrXNvJo/zB+n16sZGZwhnRH23n4dxbAoGAFjjwQtKjOP5kemsbqDtr -T3ELIwnjPY0q4mgxNIFc+6UpT+Piv5i2mIq10zmFLijMlLTA058lshHS7RxGTd+/ -NI8gufOuS6iZpGjXwvtfzgXAoaGzXv4MR1ErElK7n2XK3a9GoXVJ0L/+nLdp5Qmj -nsYL/BDXdn8Fstx4RPcgLMc= ------END PRIVATE KEY----- diff --git a/sample/sample-keys/sample-ca/client.crt b/sample/sample-keys/sample-ca/client.crt deleted file mode 100644 index 295f720..0000000 --- a/sample/sample-keys/sample-ca/client.crt +++ /dev/null @@ -1,103 +0,0 @@ -Certificate: - Data: - Version: 3 (0x2) - Serial Number: 2 (0x2) - Signature Algorithm: sha256WithRSAEncryption - Issuer: C=KG, ST=NA, L=BISHKEK, O=OpenVPN-TEST/emailAddress=me@myhost.mydomain - Validity - Not Before: Oct 28 12:54:33 2016 GMT - Not After : Oct 26 12:54:33 2026 GMT - Subject: C=KG, ST=NA, O=OpenVPN-TEST, CN=Test-Client/emailAddress=me@myhost.mydomain - Subject Public Key Info: - Public Key Algorithm: rsaEncryption - Public-Key: (2048 bit) - Modulus: - 00:e5:4f:5f:c9:2c:3f:8e:1a:3e:0b:f8:7f:82:d5: - ca:c5:6e:94:a4:fd:98:85:c0:1d:eb:94:b5:93:5b: - df:c2:c0:3f:9b:8e:5e:a3:d0:91:ca:3e:f4:74:93: - 63:86:df:a7:ae:0d:15:28:6d:38:6e:3b:ac:c9:5c: - 1f:c7:f7:d5:66:64:b9:07:00:41:6d:b6:a6:1a:ee: - f1:bb:ce:bd:39:cc:70:1f:9b:65:d7:3c:3c:97:2e: - 8e:1e:31:90:7f:cc:a7:b8:d9:2f:4e:b3:4a:98:6d: - a0:15:04:9d:cb:e1:7a:e1:63:f4:96:7a:bb:9e:a8: - d8:f0:33:97:67:6d:bf:39:82:0e:a3:b7:2a:15:2d: - 99:2b:f8:53:b1:e8:14:0f:d9:b3:a2:4f:2a:f1:63: - fd:d5:72:a6:22:b9:d6:be:e4:7b:9e:c8:85:1e:06: - 1a:31:24:3d:f3:82:ac:d7:28:7d:a4:4f:4b:c3:fd: - 72:27:07:ef:9d:51:71:56:d4:a4:b6:66:d2:74:4f: - 97:7f:3f:90:a8:56:8b:5b:14:4a:4f:c0:3d:2d:5a: - 90:74:db:da:59:83:4d:dd:2b:0a:81:24:ce:19:ce: - 8e:56:10:0f:cd:0d:83:01:d8:75:8b:66:16:40:1b: - 47:af:77:1f:d7:c5:cf:0a:d7:7c:f2:7e:a0:a0:5d: - fa:67 - Exponent: 65537 (0x10001) - X509v3 extensions: - X509v3 Basic Constraints: - CA:FALSE - X509v3 Subject Key Identifier: - B8:DE:77:EB:43:83:FF:95:59:BB:28:78:E4:4D:F2:E5:C7:2E:06:EF - X509v3 Authority Key Identifier: - keyid:08:C4:94:ED:23:0A:23:0D:D0:FA:D2:13:E2:3C:B6:65:E7:53:25:10 - DirName:/C=KG/ST=NA/L=BISHKEK/O=OpenVPN-TEST/emailAddress=me@myhost.mydomain - serial:A4:CC:46:13:89:24:40:73 - - Signature Algorithm: sha256WithRSAEncryption - a7:24:5d:b2:2f:49:63:55:90:e0:95:0e:fa:fc:d7:d8:0c:89: - 01:15:90:73:39:e9:32:3a:f9:8d:4b:cd:e7:3a:32:c0:fd:bb: - ed:3c:d9:cf:ea:0f:f3:6e:18:18:1d:1c:9c:e2:39:e6:c0:1d: - 2e:54:14:ec:1b:b2:5a:fd:1a:ac:65:45:9b:d4:0d:4a:3a:53: - 95:8d:bd:d3:44:20:17:70:d0:79:b5:f7:2c:dd:2a:0d:bf:b3: - d0:a8:1f:5c:db:33:5b:5d:56:24:84:2b:c8:43:32:fc:f3:dc: - b5:da:dc:7f:0a:1c:2a:2f:9b:60:ca:2d:6e:fe:98:55:26:d5: - 62:a7:3e:f4:49:5c:a9:76:54:87:19:0b:dd:74:ff:02:f0:75: - 8a:36:01:cf:29:67:9b:ae:c0:e5:da:da:2b:d9:57:61:92:69: - 1d:e3:b2:f4:66:8e:f8:dd:11:13:4c:1d:a5:7f:37:df:4e:fd: - 7d:96:ba:ac:6c:39:83:89:8f:05:47:1a:4b:4f:68:38:1a:99: - c8:68:1a:31:b9:78:9a:f5:12:ea:23:c2:c6:83:6b:e4:e0:9a: - fc:70:aa:bb:ef:00:1f:c9:18:ef:48:c2:fc:ec:e8:4c:e8:92: - d6:64:ab:5c:b3:ac:03:da:5f:a9:92:f2:ff:ef:a7:39:6f:d6: - 95:fb:44:89:c7:2b:c4:c4:45:b3:49:1a:c1:23:96:0d:f4:0b: - 0f:75:3b:6e:2c:4c:60:be:e7:0f:63:f2:3c:f0:9c:58:af:dd: - 5e:41:9e:f7:3f:e0:fb:28:be:f0:02:03:01:8c:9e:c5:52:e0: - a4:90:e0:b2:04:1b:58:3e:13:49:87:7b:20:27:73:f4:a8:cd: - c2:be:c7:c0:e9:8e:2d:d0:58:4b:9e:2f:fa:94:63:b2:99:16: - 08:5d:a1:49:1a:3d:29:9a:34:a3:63:ef:fd:79:da:0a:3e:79: - b1:cd:6f:f6:11:b7:c0:e8:67:41:36:36:94:a1:09:7a:cc:b9: - 4b:63:47:ce:49:c8:02:f9:d9:df:49:c1:04:82:09:f8:5b:92: - 4b:98:af:86:5e:fe:2e:48:fe:d6:69:7b:76:a8:c5:32:f6:b0: - ed:7e:bf:14:65:ca:fe:fa:bb:43:33:7e:c8:f4:98:a3:f8:0b: - 65:85:3d:5a:ed:33:45:12:76:90:9a:ca:34:fe:5a:ae:f6:ac: - 4d:9d:b6:28:7f:ac:e3:43:60:9a:dd:ec:a9:21:49:44:4a:74: - 48:12:6b:93:3b:08:70:ac:2e:58:f7:68:eb:8e:ba:9f:41:5a: - f9:a9:43:46:73:7a:1f:40:74:ce:87:c9:5e:51:67:8e:a3:cc: - b8:ea:ac:fe:7b:d8:2b:78 ------BEGIN CERTIFICATE----- -MIIFFDCCAvygAwIBAgIBAjANBgkqhkiG9w0BAQsFADBmMQswCQYDVQQGEwJLRzEL -MAkGA1UECBMCTkExEDAOBgNVBAcTB0JJU0hLRUsxFTATBgNVBAoTDE9wZW5WUE4t -VEVTVDEhMB8GCSqGSIb3DQEJARYSbWVAbXlob3N0Lm15ZG9tYWluMB4XDTE2MTAy -ODEyNTQzM1oXDTI2MTAyNjEyNTQzM1owajELMAkGA1UEBhMCS0cxCzAJBgNVBAgT -Ak5BMRUwEwYDVQQKEwxPcGVuVlBOLVRFU1QxFDASBgNVBAMTC1Rlc3QtQ2xpZW50 -MSEwHwYJKoZIhvcNAQkBFhJtZUBteWhvc3QubXlkb21haW4wggEiMA0GCSqGSIb3 -DQEBAQUAA4IBDwAwggEKAoIBAQDlT1/JLD+OGj4L+H+C1crFbpSk/ZiFwB3rlLWT -W9/CwD+bjl6j0JHKPvR0k2OG36euDRUobThuO6zJXB/H99VmZLkHAEFttqYa7vG7 -zr05zHAfm2XXPDyXLo4eMZB/zKe42S9Os0qYbaAVBJ3L4XrhY/SWerueqNjwM5dn -bb85gg6jtyoVLZkr+FOx6BQP2bOiTyrxY/3VcqYiuda+5HueyIUeBhoxJD3zgqzX -KH2kT0vD/XInB++dUXFW1KS2ZtJ0T5d/P5CoVotbFEpPwD0tWpB029pZg03dKwqB -JM4Zzo5WEA/NDYMB2HWLZhZAG0evdx/Xxc8K13zyfqCgXfpnAgMBAAGjgcgwgcUw -CQYDVR0TBAIwADAdBgNVHQ4EFgQUuN5360OD/5VZuyh45E3y5ccuBu8wgZgGA1Ud -IwSBkDCBjYAUCMSU7SMKIw3Q+tIT4jy2ZedTJRChaqRoMGYxCzAJBgNVBAYTAktH -MQswCQYDVQQIEwJOQTEQMA4GA1UEBxMHQklTSEtFSzEVMBMGA1UEChMMT3BlblZQ -Ti1URVNUMSEwHwYJKoZIhvcNAQkBFhJtZUBteWhvc3QubXlkb21haW6CCQCkzEYT -iSRAczANBgkqhkiG9w0BAQsFAAOCAgEApyRdsi9JY1WQ4JUO+vzX2AyJARWQcznp -Mjr5jUvN5zoywP277TzZz+oP824YGB0cnOI55sAdLlQU7BuyWv0arGVFm9QNSjpT -lY2900QgF3DQebX3LN0qDb+z0KgfXNszW11WJIQryEMy/PPctdrcfwocKi+bYMot -bv6YVSbVYqc+9ElcqXZUhxkL3XT/AvB1ijYBzylnm67A5draK9lXYZJpHeOy9GaO -+N0RE0wdpX833079fZa6rGw5g4mPBUcaS09oOBqZyGgaMbl4mvUS6iPCxoNr5OCa -/HCqu+8AH8kY70jC/OzoTOiS1mSrXLOsA9pfqZLy/++nOW/WlftEiccrxMRFs0ka -wSOWDfQLD3U7bixMYL7nD2PyPPCcWK/dXkGe9z/g+yi+8AIDAYyexVLgpJDgsgQb -WD4TSYd7ICdz9KjNwr7HwOmOLdBYS54v+pRjspkWCF2hSRo9KZo0o2Pv/XnaCj55 -sc1v9hG3wOhnQTY2lKEJesy5S2NHzknIAvnZ30nBBIIJ+FuSS5ivhl7+Lkj+1ml7 -dqjFMvaw7X6/FGXK/vq7QzN+yPSYo/gLZYU9Wu0zRRJ2kJrKNP5arvasTZ22KH+s -40Ngmt3sqSFJREp0SBJrkzsIcKwuWPdo6466n0Fa+alDRnN6H0B0zofJXlFnjqPM -uOqs/nvYK3g= ------END CERTIFICATE----- diff --git a/sample/sample-keys/sample-ca/client.csr b/sample/sample-keys/sample-ca/client.csr deleted file mode 100644 index 3968434..0000000 --- a/sample/sample-keys/sample-ca/client.csr +++ /dev/null @@ -1,17 +0,0 @@ ------BEGIN CERTIFICATE REQUEST----- -MIICrzCCAZcCAQAwajELMAkGA1UEBhMCS0cxCzAJBgNVBAgTAk5BMRUwEwYDVQQK -EwxPcGVuVlBOLVRFU1QxFDASBgNVBAMTC1Rlc3QtQ2xpZW50MSEwHwYJKoZIhvcN -AQkBFhJtZUBteWhvc3QubXlkb21haW4wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw -ggEKAoIBAQDlT1/JLD+OGj4L+H+C1crFbpSk/ZiFwB3rlLWTW9/CwD+bjl6j0JHK -PvR0k2OG36euDRUobThuO6zJXB/H99VmZLkHAEFttqYa7vG7zr05zHAfm2XXPDyX -Lo4eMZB/zKe42S9Os0qYbaAVBJ3L4XrhY/SWerueqNjwM5dnbb85gg6jtyoVLZkr -+FOx6BQP2bOiTyrxY/3VcqYiuda+5HueyIUeBhoxJD3zgqzXKH2kT0vD/XInB++d -UXFW1KS2ZtJ0T5d/P5CoVotbFEpPwD0tWpB029pZg03dKwqBJM4Zzo5WEA/NDYMB -2HWLZhZAG0evdx/Xxc8K13zyfqCgXfpnAgMBAAGgADANBgkqhkiG9w0BAQsFAAOC -AQEAakLYqsUoaxXNwYnm7QVL8KXe32m1+ot1CUt0XF65YaHLPcDBffpwqCb8jULv -lRKDbVmqf4SygnIXtTJ2Ii1sB4MPGj94L+y0l9xYn84/sScGety6Trr+Plp5vNMJ -aafv+NAxZquu/DKtGthdYt1uwgCMa4lm3Kg+E48DddO/XfFIaD/x0Bl7RPIhqiDu -gKYP4P6uwL9OzD0485wjaYKp85fZ96FCdDTVbNfpwoYXgDihAqf6sUfahtM+o7t+ -BFX60knfbWMPu8O9URq8QzYk6JOG9cW2ngTATXLmz7NslG+5GhtTEzaoromYR3Za -So7PnagMqjpz1WXvkKCLXvkoMA== ------END CERTIFICATE REQUEST----- diff --git a/sample/sample-keys/sample-ca/client.key b/sample/sample-keys/sample-ca/client.key deleted file mode 100644 index a497a9c..0000000 --- a/sample/sample-keys/sample-ca/client.key +++ /dev/null @@ -1,28 +0,0 @@ ------BEGIN PRIVATE KEY----- -MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDlT1/JLD+OGj4L -+H+C1crFbpSk/ZiFwB3rlLWTW9/CwD+bjl6j0JHKPvR0k2OG36euDRUobThuO6zJ -XB/H99VmZLkHAEFttqYa7vG7zr05zHAfm2XXPDyXLo4eMZB/zKe42S9Os0qYbaAV -BJ3L4XrhY/SWerueqNjwM5dnbb85gg6jtyoVLZkr+FOx6BQP2bOiTyrxY/3VcqYi -uda+5HueyIUeBhoxJD3zgqzXKH2kT0vD/XInB++dUXFW1KS2ZtJ0T5d/P5CoVotb -FEpPwD0tWpB029pZg03dKwqBJM4Zzo5WEA/NDYMB2HWLZhZAG0evdx/Xxc8K13zy -fqCgXfpnAgMBAAECggEAFsgW/RaPTd/fkDLlACubVJgS3n1vXMJkdpY0n+o9xcxx -xVOUpXPAODae9MH73ld0Aj+8fWK0e4ckOHEVmzlNEzoog8CLv4mo4P4iOAVnGUnt -TcaTjJmob2Cpr+g+seO0OhIhuBDp9VDW2Z+2yZ2iJqhWkWiqIS4nN134ycbGe8D2 -4wThVA2SV0umZRxhBo4m14GLtwoTxuLKz7aSsL862Z3LtT7M7ofWcyZTw3A4vQmP -77GLBxMyNv0qX+f3LZIi+jtsAk5tYqMVL0ZEgZwi5em+KRCwU/2o2BgJDRrRwSU6 -hrK5ycUuuAMUEQjC4ck3u/vcsXmSyjkjue+C1jfsGQKBgQD8LALHK1RAp3nAdxHK -0MzPiYkrSeiSK+I81NdWqNJ73ReCWUniqT7Q/jh68mBTpYfbSl2mvLbOLZuMvGWh -5rlaGUWSDj2NzA+yfZoa2z9o1hdcRYNM9c5LCEm/CKKAAoeshemO1i87m+76xwnI -IwSrflmuy6VzTzbjZVxq5HC8RQKBgQDoyoSFyo5Fpm0hS6J/tFRG6qNZyZ5Ni9E4 -LRQQhzsaLzTK0TfnlYxzF5+Oz79PfpceVF8CZaEXmX2dUReQdAPKhBJO0dTEqB9g -+GRzeu0XamKduOLvvJEAj5EoqzHxxgHQKYKvf1eshDv3Pl8PiXv9sVjdKKkswX0O -6a3WW+vkuwKBgQDWUUVPJsklZfD5HXlWqRzYaejVjKwHxxoxXydg9HxnXyGC3AYK -iJLlppo0C9jIXo/XVR3A/vRSyLpB40BxWBlBtObG2imAYOUaattVZe8/V21lM4MD -HonkhTfAD0OkjgHnI6y7g9eCzuVN52mt2e03H1xzTYrhNHrOyq+//US/DQKBgHII -GiiLk2us3ZJMwXn69LmUYJYv/DqSPdddxZFfHOVzsFGVcOQhTp5mOQO04krngNEb -lTrQW7v6tRylx3w8SEsgrPMtOCNpE43lvxcOZStuMoZ+NbQn04PJz9pzGdEMJIE6 -hEjBgUoBsHopdFlhCHq6MASN0WkaEs+GSmBRwNjXAoGBALQEU7fOApGoakwPyuhU -RZYFf/EFun7Zvt6lF1SWwJ02lTYmCh91lacWVLLwR/fCphp7orlynaAIofJSPsl6 -fTyKv1rpqMS3wMdD/LFGZPh1oyUmweTxsF/0aNVnSS9O9i46ihxLMRMu7wSguLIw -ycorZrB2bB1WnfmF6bB5qcKC ------END PRIVATE KEY----- diff --git a/sample/sample-keys/sample-ca/client.p12 b/sample/sample-keys/sample-ca/client.p12 Binary files differdeleted file mode 100644 index f8ac2a9..0000000 --- a/sample/sample-keys/sample-ca/client.p12 +++ /dev/null diff --git a/sample/sample-keys/sample-ca/index.txt b/sample/sample-keys/sample-ca/index.txt deleted file mode 100644 index 30063b2..0000000 --- a/sample/sample-keys/sample-ca/index.txt +++ /dev/null @@ -1,3 +0,0 @@ -V 261026125432Z 01 unknown /C=KG/ST=NA/O=OpenVPN-TEST/CN=Test-Server/emailAddress=me@myhost.mydomain -V 261026125433Z 02 unknown /C=KG/ST=NA/O=OpenVPN-TEST/CN=Test-Client/emailAddress=me@myhost.mydomain -R 261026125433Z 161028125433Z 03 unknown /C=KG/ST=NA/O=OpenVPN-TEST/CN=client-revoked/emailAddress=me@myhost.mydomain diff --git a/sample/sample-keys/sample-ca/index.txt.attr b/sample/sample-keys/sample-ca/index.txt.attr deleted file mode 100644 index 8f7e63a..0000000 --- a/sample/sample-keys/sample-ca/index.txt.attr +++ /dev/null @@ -1 +0,0 @@ -unique_subject = yes diff --git a/sample/sample-keys/sample-ca/index.txt.attr.old b/sample/sample-keys/sample-ca/index.txt.attr.old deleted file mode 100644 index 8f7e63a..0000000 --- a/sample/sample-keys/sample-ca/index.txt.attr.old +++ /dev/null @@ -1 +0,0 @@ -unique_subject = yes diff --git a/sample/sample-keys/sample-ca/index.txt.old b/sample/sample-keys/sample-ca/index.txt.old deleted file mode 100644 index 3bfd8f8..0000000 --- a/sample/sample-keys/sample-ca/index.txt.old +++ /dev/null @@ -1,3 +0,0 @@ -V 261026125432Z 01 unknown /C=KG/ST=NA/O=OpenVPN-TEST/CN=Test-Server/emailAddress=me@myhost.mydomain -V 261026125433Z 02 unknown /C=KG/ST=NA/O=OpenVPN-TEST/CN=Test-Client/emailAddress=me@myhost.mydomain -V 261026125433Z 03 unknown /C=KG/ST=NA/O=OpenVPN-TEST/CN=client-revoked/emailAddress=me@myhost.mydomain diff --git a/sample/sample-keys/sample-ca/secp256k1.pem b/sample/sample-keys/sample-ca/secp256k1.pem deleted file mode 100644 index e69de29..0000000 --- a/sample/sample-keys/sample-ca/secp256k1.pem +++ /dev/null diff --git a/sample/sample-keys/sample-ca/serial b/sample/sample-keys/sample-ca/serial deleted file mode 100644 index 6496923..0000000 --- a/sample/sample-keys/sample-ca/serial +++ /dev/null @@ -1 +0,0 @@ -04 diff --git a/sample/sample-keys/sample-ca/serial.old b/sample/sample-keys/sample-ca/serial.old deleted file mode 100644 index 75016ea..0000000 --- a/sample/sample-keys/sample-ca/serial.old +++ /dev/null @@ -1 +0,0 @@ -03 diff --git a/sample/sample-keys/sample-ca/server.crt b/sample/sample-keys/sample-ca/server.crt deleted file mode 100644 index 6613831..0000000 --- a/sample/sample-keys/sample-ca/server.crt +++ /dev/null @@ -1,113 +0,0 @@ -Certificate: - Data: - Version: 3 (0x2) - Serial Number: 1 (0x1) - Signature Algorithm: sha256WithRSAEncryption - Issuer: C=KG, ST=NA, L=BISHKEK, O=OpenVPN-TEST/emailAddress=me@myhost.mydomain - Validity - Not Before: Oct 28 12:54:32 2016 GMT - Not After : Oct 26 12:54:32 2026 GMT - Subject: C=KG, ST=NA, O=OpenVPN-TEST, CN=Test-Server/emailAddress=me@myhost.mydomain - Subject Public Key Info: - Public Key Algorithm: rsaEncryption - Public-Key: (2048 bit) - Modulus: - 00:a6:74:d1:c9:77:5d:ff:d6:22:e3:69:38:8f:e1: - 15:0c:e3:46:2c:19:61:31:af:ef:f9:34:5b:0c:bd: - 20:d1:76:6a:64:62:f6:89:aa:5b:c9:42:10:44:6f: - 07:0f:fe:62:59:96:0b:16:ec:62:3e:18:08:ad:67: - 37:b6:53:2d:3d:d9:81:b7:6b:11:d6:fa:23:6a:23: - 6c:3c:be:54:91:e3:04:c6:f5:8c:a6:6a:80:9f:ef: - e8:5b:63:1e:68:37:09:ef:4d:5c:44:82:e6:2e:0d: - e5:d7:94:3f:31:74:50:d1:10:5c:99:4d:b5:9f:80: - 2b:46:25:37:8b:a2:3d:ce:02:b2:0a:21:63:82:9c: - a1:35:b9:3d:9e:ad:a4:19:3c:f5:b2:3a:d7:aa:d4: - b7:6d:c2:95:4d:94:4b:38:6f:b0:60:cf:22:d7:37: - 66:62:1d:1a:86:c2:a8:6a:2a:56:e5:d6:c3:e2:31: - 34:a6:42:5d:79:da:12:e0:a1:95:d1:17:07:f6:cc: - f8:63:fa:01:8a:26:7b:bf:b8:a4:87:8c:b5:a3:59: - 23:60:67:07:4a:4c:c1:55:be:60:a1:56:92:6c:97: - 53:fb:fe:eb:d3:25:fd:28:23:3e:38:4d:e9:92:90: - 8b:a6:5e:22:2f:02:1f:69:c6:fa:88:a5:52:88:cc: - 61:a1 - Exponent: 65537 (0x10001) - X509v3 extensions: - X509v3 Basic Constraints: - CA:FALSE - Netscape Cert Type: - SSL Server - Netscape Comment: - OpenSSL Generated Server Certificate - X509v3 Subject Key Identifier: - 7D:4C:17:FE:59:B2:58:FF:08:BC:F4:88:FC:A3:8F:9F:CA:3B:3B:5E - X509v3 Authority Key Identifier: - keyid:08:C4:94:ED:23:0A:23:0D:D0:FA:D2:13:E2:3C:B6:65:E7:53:25:10 - DirName:/C=KG/ST=NA/L=BISHKEK/O=OpenVPN-TEST/emailAddress=me@myhost.mydomain - serial:A4:CC:46:13:89:24:40:73 - - X509v3 Extended Key Usage: - TLS Web Server Authentication - X509v3 Key Usage: - Digital Signature, Key Encipherment - Signature Algorithm: sha256WithRSAEncryption - 82:2e:11:99:f4:56:98:ad:23:97:74:5c:69:00:7b:fc:9a:93: - 15:20:93:db:d6:83:04:9a:6c:cb:55:cd:5c:07:d6:31:5a:00: - 1d:35:eb:8e:74:cd:7a:08:db:cd:1f:89:8c:04:70:f7:35:e0: - a7:cc:cf:76:2b:8a:a5:80:7b:c1:72:4e:9a:c6:b7:a2:f5:9c: - 23:dc:d7:0d:93:a3:0f:f4:10:7d:8b:1d:85:5e:bb:2f:09:c8: - 67:41:38:12:72:14:29:f6:6d:68:b5:8a:97:1c:a1:8f:3d:74: - 14:95:c6:88:4f:4c:cd:8b:2e:db:95:b0:98:55:d7:5b:22:1f: - f3:de:5c:b4:7b:a0:d9:f2:56:2c:ff:85:b0:16:52:63:11:2b: - 14:8e:d0:f8:03:d2:cc:89:35:c0:d5:a3:b9:ec:11:55:e0:17: - 43:95:b2:6e:f2:db:80:73:f2:b3:3f:9d:fa:4d:24:6a:60:25: - 24:1a:53:10:38:08:d4:fe:fa:06:1a:1e:d3:cc:15:64:c7:9e: - 8b:51:ee:b3:50:25:60:88:70:46:39:bd:79:f1:5a:74:67:3d: - f0:7e:22:a9:b4:2e:f5:06:45:c3:46:fe:e6:32:40:e6:e1:00: - dc:e8:a8:43:fe:f4:66:64:4f:41:45:d5:d2:7b:ab:a0:62:f7: - dc:f0:28:d3:c6:9c:21:3e:bd:44:95:4c:20:b4:8f:c3:ae:ee: - eb:d7:7a:11:88:2d:3d:18:49:5d:e6:09:b8:5f:c7:24:32:83: - dd:5f:ae:03:02:c1:b6:51:0d:62:a2:41:f4:13:12:b2:f2:9a: - c1:50:04:63:42:de:41:b3:b3:ab:45:57:9e:8b:01:e0:c5:70: - d9:70:0e:ea:84:39:07:08:03:e9:99:b1:60:ce:a9:c6:ce:a4: - 61:29:36:3c:58:52:a2:c3:01:4f:4e:c1:e8:af:3b:ca:7c:34: - 9c:2a:21:c9:40:17:ce:8c:10:b2:fc:c2:39:43:55:50:19:2d: - c9:f0:ab:48:b2:86:e6:cf:1e:13:6c:6a:ed:85:e9:f6:dd:b9: - ba:6e:70:6a:e9:78:43:40:a3:c8:64:50:1f:5b:88:0d:88:55: - 0f:94:9c:92:44:83:79:0c:38:79:09:c4:93:6a:a8:dc:f3:8b: - c4:af:bf:0c:20:7b:76:7b:31:52:01:70:4f:09:be:38:d0:14: - ce:62:c6:00:35:cd:fc:eb:68:f1:45:d5:de:6a:3f:8b:3f:dc: - 1c:c9:e3:8a:7c:f1:17:53:71:f8:af:c9:43:9f:91:5a:16:0b: - 3a:c0:d7:b0:e7:74:54:12:f0:9a:71:5f:f3:dd:6b:c0:69:ec: - 9d:4d:14:61:bd:10:21:80 ------BEGIN CERTIFICATE----- -MIIFgDCCA2igAwIBAgIBATANBgkqhkiG9w0BAQsFADBmMQswCQYDVQQGEwJLRzEL -MAkGA1UECBMCTkExEDAOBgNVBAcTB0JJU0hLRUsxFTATBgNVBAoTDE9wZW5WUE4t -VEVTVDEhMB8GCSqGSIb3DQEJARYSbWVAbXlob3N0Lm15ZG9tYWluMB4XDTE2MTAy -ODEyNTQzMloXDTI2MTAyNjEyNTQzMlowajELMAkGA1UEBhMCS0cxCzAJBgNVBAgT -Ak5BMRUwEwYDVQQKEwxPcGVuVlBOLVRFU1QxFDASBgNVBAMTC1Rlc3QtU2VydmVy -MSEwHwYJKoZIhvcNAQkBFhJtZUBteWhvc3QubXlkb21haW4wggEiMA0GCSqGSIb3 -DQEBAQUAA4IBDwAwggEKAoIBAQCmdNHJd13/1iLjaTiP4RUM40YsGWExr+/5NFsM -vSDRdmpkYvaJqlvJQhBEbwcP/mJZlgsW7GI+GAitZze2Uy092YG3axHW+iNqI2w8 -vlSR4wTG9YymaoCf7+hbYx5oNwnvTVxEguYuDeXXlD8xdFDREFyZTbWfgCtGJTeL -oj3OArIKIWOCnKE1uT2eraQZPPWyOteq1LdtwpVNlEs4b7BgzyLXN2ZiHRqGwqhq -Klbl1sPiMTSmQl152hLgoZXRFwf2zPhj+gGKJnu/uKSHjLWjWSNgZwdKTMFVvmCh -VpJsl1P7/uvTJf0oIz44TemSkIumXiIvAh9pxvqIpVKIzGGhAgMBAAGjggEzMIIB -LzAJBgNVHRMEAjAAMBEGCWCGSAGG+EIBAQQEAwIGQDAzBglghkgBhvhCAQ0EJhYk -T3BlblNTTCBHZW5lcmF0ZWQgU2VydmVyIENlcnRpZmljYXRlMB0GA1UdDgQWBBR9 -TBf+WbJY/wi89Ij8o4+fyjs7XjCBmAYDVR0jBIGQMIGNgBQIxJTtIwojDdD60hPi -PLZl51MlEKFqpGgwZjELMAkGA1UEBhMCS0cxCzAJBgNVBAgTAk5BMRAwDgYDVQQH -EwdCSVNIS0VLMRUwEwYDVQQKEwxPcGVuVlBOLVRFU1QxITAfBgkqhkiG9w0BCQEW -Em1lQG15aG9zdC5teWRvbWFpboIJAKTMRhOJJEBzMBMGA1UdJQQMMAoGCCsGAQUF -BwMBMAsGA1UdDwQEAwIFoDANBgkqhkiG9w0BAQsFAAOCAgEAgi4RmfRWmK0jl3Rc -aQB7/JqTFSCT29aDBJpsy1XNXAfWMVoAHTXrjnTNegjbzR+JjARw9zXgp8zPdiuK -pYB7wXJOmsa3ovWcI9zXDZOjD/QQfYsdhV67LwnIZ0E4EnIUKfZtaLWKlxyhjz10 -FJXGiE9MzYsu25WwmFXXWyIf895ctHug2fJWLP+FsBZSYxErFI7Q+APSzIk1wNWj -uewRVeAXQ5WybvLbgHPysz+d+k0kamAlJBpTEDgI1P76Bhoe08wVZMeei1Hus1Al -YIhwRjm9efFadGc98H4iqbQu9QZFw0b+5jJA5uEA3OioQ/70ZmRPQUXV0nuroGL3 -3PAo08acIT69RJVMILSPw67u69d6EYgtPRhJXeYJuF/HJDKD3V+uAwLBtlENYqJB -9BMSsvKawVAEY0LeQbOzq0VXnosB4MVw2XAO6oQ5BwgD6ZmxYM6pxs6kYSk2PFhS -osMBT07B6K87ynw0nCohyUAXzowQsvzCOUNVUBktyfCrSLKG5s8eE2xq7YXp9t25 -um5waul4Q0CjyGRQH1uIDYhVD5SckkSDeQw4eQnEk2qo3POLxK+/DCB7dnsxUgFw -Twm+ONAUzmLGADXN/Oto8UXV3mo/iz/cHMnjinzxF1Nx+K/JQ5+RWhYLOsDXsOd0 -VBLwmnFf891rwGnsnU0UYb0QIYA= ------END CERTIFICATE----- diff --git a/sample/sample-keys/sample-ca/server.csr b/sample/sample-keys/sample-ca/server.csr deleted file mode 100644 index d54b7c0..0000000 --- a/sample/sample-keys/sample-ca/server.csr +++ /dev/null @@ -1,17 +0,0 @@ ------BEGIN CERTIFICATE REQUEST----- -MIICrzCCAZcCAQAwajELMAkGA1UEBhMCS0cxCzAJBgNVBAgTAk5BMRUwEwYDVQQK -EwxPcGVuVlBOLVRFU1QxFDASBgNVBAMTC1Rlc3QtU2VydmVyMSEwHwYJKoZIhvcN -AQkBFhJtZUBteWhvc3QubXlkb21haW4wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw -ggEKAoIBAQCmdNHJd13/1iLjaTiP4RUM40YsGWExr+/5NFsMvSDRdmpkYvaJqlvJ -QhBEbwcP/mJZlgsW7GI+GAitZze2Uy092YG3axHW+iNqI2w8vlSR4wTG9YymaoCf -7+hbYx5oNwnvTVxEguYuDeXXlD8xdFDREFyZTbWfgCtGJTeLoj3OArIKIWOCnKE1 -uT2eraQZPPWyOteq1LdtwpVNlEs4b7BgzyLXN2ZiHRqGwqhqKlbl1sPiMTSmQl15 -2hLgoZXRFwf2zPhj+gGKJnu/uKSHjLWjWSNgZwdKTMFVvmChVpJsl1P7/uvTJf0o -Iz44TemSkIumXiIvAh9pxvqIpVKIzGGhAgMBAAGgADANBgkqhkiG9w0BAQsFAAOC -AQEAd1l8S0ApIlcKg8G/WU65NIN7fcUQ5IDHNjzXv2J/yj4s6W/1yBUenm5TIAcp -CwIFCRl6bcsXIHZbQDgIiLYS1gW7E+oK8JVTRtyDVRxA6+yTf/rv+gJjgr5bE39b -rtSUxacdbTeiKo1ulo/wEi9uYAL4HoI8LQUK0lbq9w6PLOl6M2N9nhZS/W6RQqSC -T/2cGMCizAbkbZ/o44intbMkntzR+ISSirXxHjCsLaZptB67v1xdDHShP2aztmyB -rIs/KG4oUYlt2rwIr2ejpp7HrigmTbw4yXZIqMdp8/THHS8XgoVWuHv0h9GLuuy+ -fMIqE3HCbBtAtQlmYw4RtWBFQg== ------END CERTIFICATE REQUEST----- diff --git a/sample/sample-keys/sample-ca/server.key b/sample/sample-keys/sample-ca/server.key deleted file mode 100644 index 9a0dd80..0000000 --- a/sample/sample-keys/sample-ca/server.key +++ /dev/null @@ -1,28 +0,0 @@ ------BEGIN PRIVATE KEY----- -MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCmdNHJd13/1iLj -aTiP4RUM40YsGWExr+/5NFsMvSDRdmpkYvaJqlvJQhBEbwcP/mJZlgsW7GI+GAit -Zze2Uy092YG3axHW+iNqI2w8vlSR4wTG9YymaoCf7+hbYx5oNwnvTVxEguYuDeXX -lD8xdFDREFyZTbWfgCtGJTeLoj3OArIKIWOCnKE1uT2eraQZPPWyOteq1LdtwpVN -lEs4b7BgzyLXN2ZiHRqGwqhqKlbl1sPiMTSmQl152hLgoZXRFwf2zPhj+gGKJnu/ -uKSHjLWjWSNgZwdKTMFVvmChVpJsl1P7/uvTJf0oIz44TemSkIumXiIvAh9pxvqI -pVKIzGGhAgMBAAECggEAS9AfEIxuYqyMHVl6KoXQiZsmBcXVb8T7HlyLL6UgQmaV -lH1CXncZ8PNG53ROGim5b6YYDOvC3xchNKEzTbZaf7YGD50Tdf9di+TwUkY5zGxC -a7/AvLb7OF0TTjQ50CtpOfXZFVctMUKhMWvS0FpyyJWUJzqugyPkEcG3p8BQN/hj -/ccVxtUhviB6pkzVT4iULcrq78C1LEu4KYatC0z+5FI3VjTCaMJX+nXDshcPGfdQ -9ablCQcuYRbtiJ/USZj+ZL5jeo9PtxDHtuEmlpkLJ1us7XLgNr0mF3+1E/W2rUjG -eEFry5BSq7BhnOGmKQ9gn/XQwCBNTH6nw4Jqlc7XMQKBgQDaFT83JnXnZQrCOsgK -Up0wApmqVJi4Q189+2mugwVEWSUwOGZuNTCVDQzJyTdiAgqMaFMMUFszFZgR9GIJ -jwvX42c6XwaQdpKudkHSw/6LefLggHFdyN89CluBhaefBR0+dBx8rSZ3OOw/v8fT -SMET5MnAx0lswKTmVFUDA3AWjQKBgQDDZbK5K3AB0j2XZykO5upj5vSuJD63VCpE -5YMbsUpCKlIRN7wHZySw7yr2me1Pxlnbt2E1jXfhygqGg6eZSDL//4cNLk8Culw+ -xi9N9CuLroIbT3SxDDFG4ZRjJW/JuPDyrPYvd9EjsvbmNKN2ErxwcjNHoh5RNSdK -jV7dOFBsZQKBgQChXelZuIazgmt0jqQoJzsSJEpp45Dhf1CA/4ASVfZWvZOr23/H -emoJUA+vW8k0JwiBHkydJvRkl0zftDG6mvMLesOOSHQF/wbIOs630riNod2aStAX -siOk+f39l9UQ8GrUJHxTsJduzlrZTOHiL8pWGwtCLvPgmacqmyoQQcH1nQKBgC1M -9KSNd4hUj8b8Ob6kto62yt9cs9WZA7u5Yi4XalnwqdooC8XDmfQTXuiRQz2NhOO1 -ninmRHbqeoo5F7An1vsW6N6bb+H4Bs7e77So+TeHG87tGua5JuuB/P8HfOVNpT79 -7o2Ov8QBB9DTP1pueZWwREdFRLYbFqLoJ6guGCcpAoGAb/86lf8HhVZKeJ2S49cl -HBaynzn4FGiVZl/HekmOyHw1ymJCBS3lQMvw2pIDqPqGUReIjJwJVfRYazCQmdSY -hdlNcrn6nXAN5CVFolStJNpZIQBvTsAwl3dYjs7ycSh8pwDiPUKqmW0FiW1u7i8i -eyXzuBIBkRx6w+ky7J70VpU= ------END PRIVATE KEY----- diff --git a/src/Makefile.in b/src/Makefile.in index 8aeb7f5..c9d3d06 100644 --- a/src/Makefile.in +++ b/src/Makefile.in @@ -1,4 +1,4 @@ -# Makefile.in generated by automake 1.13.4 from Makefile.am. +# Makefile.in generated by automake 1.14.1 from Makefile.am. # @configure_input@ # Copyright (C) 1994-2013 Free Software Foundation, Inc. diff --git a/src/compat/Makefile.am b/src/compat/Makefile.am index 06bab5c..0a9d1c2 100644 --- a/src/compat/Makefile.am +++ b/src/compat/Makefile.am @@ -20,7 +20,6 @@ noinst_LTLIBRARIES = libcompat.la libcompat_la_SOURCES = \ compat.h \ - compat-stdbool.h \ compat-dirname.c \ compat-basename.c \ compat-gettimeofday.c \ diff --git a/src/compat/Makefile.in b/src/compat/Makefile.in index c7236ed..9232d31 100644 --- a/src/compat/Makefile.in +++ b/src/compat/Makefile.in @@ -1,4 +1,4 @@ -# Makefile.in generated by automake 1.13.4 from Makefile.am. +# Makefile.in generated by automake 1.14.1 from Makefile.am. # @configure_input@ # Copyright (C) 1994-2013 Free Software Foundation, Inc. @@ -361,7 +361,6 @@ EXTRA_DIST = \ noinst_LTLIBRARIES = libcompat.la libcompat_la_SOURCES = \ compat.h \ - compat-stdbool.h \ compat-dirname.c \ compat-basename.c \ compat-gettimeofday.c \ @@ -439,14 +438,14 @@ distclean-compile: @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c $< +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ $< .c.obj: @am__fastdepCC_TRUE@ $(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'` @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'` +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ `$(CYGPATH_W) '$<'` .c.lo: @am__fastdepCC_TRUE@ $(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< diff --git a/src/compat/compat-stdbool.h b/src/compat/compat-stdbool.h deleted file mode 100644 index 9941218..0000000 --- a/src/compat/compat-stdbool.h +++ /dev/null @@ -1,12 +0,0 @@ -#ifndef __COMPAT_STDBOOL_H -#define __COMPAT_STDBOOL_H - -#ifdef HAVE_STDBOOL_H -#include <stdbool.h> -#else -typedef int bool; -#define false 0 -#define true 1 -#endif - -#endif diff --git a/src/openvpn/Makefile.in b/src/openvpn/Makefile.in index ff15d6d..9ef9b28 100644 --- a/src/openvpn/Makefile.in +++ b/src/openvpn/Makefile.in @@ -1,4 +1,4 @@ -# Makefile.in generated by automake 1.13.4 from Makefile.am. +# Makefile.in generated by automake 1.14.1 from Makefile.am. # @configure_input@ # Copyright (C) 1994-2013 Free Software Foundation, Inc. @@ -655,14 +655,14 @@ distclean-compile: @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c $< +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ $< .c.obj: @am__fastdepCC_TRUE@ $(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'` @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'` +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ `$(CYGPATH_W) '$<'` .c.lo: @am__fastdepCC_TRUE@ $(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< diff --git a/src/openvpn/basic.h b/src/openvpn/basic.h index 298cf10..48d4d9b 100644 --- a/src/openvpn/basic.h +++ b/src/openvpn/basic.h @@ -30,7 +30,7 @@ /* size of an array */ #define SIZE(x) (sizeof(x)/sizeof(x[0])) -/* clear an object */ +/* clear an object (may be optimized away, use secure_memzero() to erase secrets) */ #define CLEAR(x) memset(&(x), 0, sizeof(x)) #define IPV4_NETMASK_HOST 0xffffffffU diff --git a/src/openvpn/buffer.c b/src/openvpn/buffer.c index 52c6ab9..6af8dbb 100644 --- a/src/openvpn/buffer.c +++ b/src/openvpn/buffer.c @@ -155,7 +155,9 @@ void buf_clear (struct buffer *buf) { if (buf->capacity > 0) - memset (buf->data, 0, buf->capacity); + { + secure_memzero (buf->data, buf->capacity); + } buf->len = 0; buf->offset = 0; } @@ -438,13 +440,16 @@ format_hex_ex (const uint8_t *data, int size, int maxoutput, unsigned int space_break_flags, const char* separator, struct gc_arena *gc) { - struct buffer out = alloc_buf_gc (maxoutput ? maxoutput : - ((size * 2) + (size / (space_break_flags & FHE_SPACE_BREAK_MASK)) * (int) strlen (separator) + 2), - gc); - int i; - for (i = 0; i < size; ++i) + const size_t bytes_per_hexblock = space_break_flags & FHE_SPACE_BREAK_MASK; + const size_t separator_len = separator ? strlen (separator) : 0; + static_assert (INT_MAX <= SIZE_MAX, "Code assumes INT_MAX <= SIZE_MAX"); + const size_t out_len = maxoutput > 0 ? maxoutput : + ((size * 2) + ((size / bytes_per_hexblock) * separator_len) + 2); + + struct buffer out = alloc_buf_gc (out_len, gc); + for (int i = 0; i < size; ++i) { - if (separator && i && !(i % (space_break_flags & FHE_SPACE_BREAK_MASK))) + if (separator && i && !(i % bytes_per_hexblock)) buf_printf (&out, "%s", separator); if (space_break_flags & FHE_CAPS) buf_printf (&out, "%02X", data[i]); @@ -616,9 +621,7 @@ string_clear (char *str) { if (str) { - const int len = strlen (str); - if (len > 0) - memset (str, 0, len); + secure_memzero (str, strlen (str)); } } diff --git a/src/openvpn/buffer.h b/src/openvpn/buffer.h index 8070439..7747003 100644 --- a/src/openvpn/buffer.h +++ b/src/openvpn/buffer.h @@ -328,6 +328,49 @@ has_digit (const unsigned char* src) return false; } +/** + * Securely zeroise memory. + * + * This code and description are based on code supplied by Zhaomo Yang, of the + * University of California, San Diego (which was released into the public + * domain). + * + * The secure_memzero function attempts to ensure that an optimizing compiler + * does not remove the intended operation if cleared memory is not accessed + * again by the program. This code has been tested under Clang 3.9.0 and GCC + * 6.2 with optimization flags -O, -Os, -O0, -O1, -O2, and -O3 on + * Ubuntu 16.04.1 LTS; under Clang 3.9.0 with optimization flags -O, -Os, + * -O0, -O1, -O2, and -O3 on FreeBSD 10.2-RELEASE; under Microsoft Visual Studio + * 2015 with optimization flags /O1, /O2 and /Ox on Windows 10. + * + * Theory of operation: + * + * 1. On Windows, use the SecureZeroMemory which ensures that data is + * overwritten. + * 2. Under GCC or Clang, use a memory barrier, which forces the preceding + * memset to be carried out. The overhead of a memory barrier is usually + * negligible. + * 3. If none of the above are available, use the volatile pointer + * technique to zero memory one byte at a time. + * + * @param data Pointer to data to zeroise. + * @param len Length of data, in bytes. + */ +static inline void +secure_memzero (void *data, size_t len) +{ +#if defined(_WIN32) + SecureZeroMemory (data, len); +#elif defined(__GNUC__) || defined(__clang__) + memset(data, 0, len); + __asm__ __volatile__("" : : "r"(data) : "memory"); +#else + volatile char *p = (volatile char *) data; + while (len--) + *p++ = 0; +#endif +} + /* * printf append to a buffer with overflow check, * due to usage of vsnprintf, it will leave space for diff --git a/src/openvpn/console_builtin.c b/src/openvpn/console_builtin.c index 6b0211d..06994fd 100644 --- a/src/openvpn/console_builtin.c +++ b/src/openvpn/console_builtin.c @@ -218,7 +218,7 @@ static bool get_console_input (const char *prompt, const bool echo, char *input, if (gp) { strncpynt (input, gp, capacity); - memset (gp, 0, strlen (gp)); + secure_memzero (gp, strlen (gp)); ret = true; } } diff --git a/src/openvpn/crypto.c b/src/openvpn/crypto.c index 05622ce..708cc92 100644 --- a/src/openvpn/crypto.c +++ b/src/openvpn/crypto.c @@ -86,12 +86,11 @@ openvpn_encrypt_aead (struct buffer *buf, struct buffer work, { struct buffer iv_buffer; struct packet_id_net pin; - uint8_t iv[OPENVPN_MAX_IV_LENGTH]; + uint8_t iv[OPENVPN_MAX_IV_LENGTH] = {0}; const int iv_len = cipher_ctx_iv_length (ctx->cipher); ASSERT (iv_len >= OPENVPN_AEAD_MIN_IV_LEN && iv_len <= OPENVPN_MAX_IV_LENGTH); - memset(iv, 0, sizeof(iv)); buf_set_write (&iv_buffer, iv, iv_len); /* IV starts with packet id to make the IV unique for packet */ @@ -175,7 +174,7 @@ openvpn_encrypt_v1 (struct buffer *buf, struct buffer work, /* Do Encrypt from buf -> work */ if (ctx->cipher) { - uint8_t iv_buf[OPENVPN_MAX_IV_LENGTH]; + uint8_t iv_buf[OPENVPN_MAX_IV_LENGTH] = {0}; const int iv_size = cipher_ctx_iv_length (ctx->cipher); const cipher_kt_t *cipher_kt = cipher_ctx_get_cipher_kt (ctx->cipher); int outlen; @@ -190,8 +189,6 @@ openvpn_encrypt_v1 (struct buffer *buf, struct buffer work, if (cipher_kt_mode_cbc(cipher_kt)) { - CLEAR (iv_buf); - /* generate pseudo-random IV */ if (opt->flags & CO_USE_IV) prng_bytes (iv_buf, iv_size); @@ -214,7 +211,6 @@ openvpn_encrypt_v1 (struct buffer *buf, struct buffer work, ASSERT (packet_id_initialized(&opt->packet_id)); packet_id_alloc_outgoing (&opt->packet_id.send, &pin, true); - memset (iv_buf, 0, iv_size); buf_set_write (&b, iv_buf, iv_size); ASSERT (packet_id_write (&pin, &b, true, false)); } @@ -550,14 +546,13 @@ openvpn_decrypt_v1 (struct buffer *buf, struct buffer work, { const int iv_size = cipher_ctx_iv_length (ctx->cipher); const cipher_kt_t *cipher_kt = cipher_ctx_get_cipher_kt (ctx->cipher); - uint8_t iv_buf[OPENVPN_MAX_IV_LENGTH]; + uint8_t iv_buf[OPENVPN_MAX_IV_LENGTH] = { 0 }; int outlen; /* initialize work buffer with FRAME_HEADROOM bytes of prepend capacity */ ASSERT (buf_init (&work, FRAME_HEADROOM_ADJ (frame, FRAME_HEADROOM_MARKER_DECRYPT))); /* use IV if user requested it */ - CLEAR (iv_buf); if (opt->flags & CO_USE_IV) { if (buf->len < iv_size) @@ -1128,7 +1123,7 @@ crypto_read_openvpn_key (const struct key_type *key_type, init_key_ctx (&ctx->decrypt, &key2.keys[kds.in_key], key_type, OPENVPN_OP_DECRYPT, log_prefix); - CLEAR (key2); + secure_memzero (&key2, sizeof (key2)); } /* header and footer for static key file */ @@ -1380,8 +1375,8 @@ write_key_file (const int nkeys, const char *filename) buf_printf (&out, "%s\n", fmt); /* zero memory which held key component (will be freed by GC) */ - memset (fmt, 0, strlen(fmt)); - CLEAR (key); + secure_memzero (fmt, strlen (fmt)); + secure_memzero (&key, sizeof (key)); } buf_printf (&out, "%s\n", static_key_foot); diff --git a/src/openvpn/crypto_openssl.c b/src/openvpn/crypto_openssl.c index 1ea06bb..306b6c6 100644 --- a/src/openvpn/crypto_openssl.c +++ b/src/openvpn/crypto_openssl.c @@ -47,6 +47,7 @@ #include <openssl/err.h> #include <openssl/evp.h> #include <openssl/objects.h> +#include <openssl/rand.h> #include <openssl/ssl.h> /* diff --git a/src/openvpn/init.c b/src/openvpn/init.c index 470dc89..74f1139 100644 --- a/src/openvpn/init.c +++ b/src/openvpn/init.c @@ -30,6 +30,10 @@ #include "syshead.h" +#ifdef ENABLE_SYSTEMD +#include <systemd/sd-daemon.h> +#endif + #include "win32.h" #include "init.h" #include "sig.h" @@ -926,6 +930,13 @@ bool possibly_become_daemon (const struct options *options) { bool ret = false; + +#ifdef ENABLE_SYSTEMD + /* return without forking if we are running from systemd */ + if (sd_notify(0, "READY=0") > 0) + return ret; +#endif + if (options->daemon) { ASSERT (!options->inetd); @@ -1251,11 +1262,19 @@ initialization_sequence_completed (struct context *c, const unsigned int flags) show_adapters (M_INFO|M_NOPREFIX); msg (M_INFO, "%s With Errors ( see http://openvpn.net/faq.html#dhcpclientserv )", message); #else +#ifdef ENABLE_SYSTEMD + sd_notifyf(0, "STATUS=Failed to start up: %s With Errors\nERRNO=1", message); +#endif /* HAVE_SYSTEMD_SD_DAEMON_H */ msg (M_INFO, "%s With Errors", message); #endif } else - msg (M_INFO, "%s", message); + { +#ifdef ENABLE_SYSTEMD + sd_notifyf(0, "READY=1\nSTATUS=%s\nMAINPID=%lu", message, (unsigned long) getpid()); +#endif + msg (M_INFO, "%s", message); + } /* Flag that we initialized */ if ((flags & (ISC_ERRORS|ISC_SERVER)) == 0) @@ -1932,8 +1951,14 @@ do_deferred_options (struct context *c, const unsigned int found) { struct tls_session *session = &c->c2.tls_multi->session[TM_ACTIVE]; if (found & OPT_P_NCP) - msg (D_PUSH, "OPTIONS IMPORT: data channel crypto options modified"); - /* Do not regenerate keys if server sends an extra push request */ + { + msg (D_PUSH, "OPTIONS IMPORT: data channel crypto options modified"); + } + else if (c->options.ncp_enabled) + { + tls_poor_mans_ncp(&c->options, c->c2.tls_multi->remote_ciphername); + } + /* Do not regenerate keys if server sends an extra push reply */ if (!session->key[KS_PRIMARY].crypto_options.key_ctx_bi.initialized && !tls_session_update_crypto_params(session, &c->options, &c->c2.frame)) { diff --git a/src/openvpn/manage.c b/src/openvpn/manage.c index 77a8006..4918ed2 100644 --- a/src/openvpn/manage.c +++ b/src/openvpn/manage.c @@ -3154,7 +3154,7 @@ management_query_user_pass (struct management *man, man->connection.up_query.nocache = up->nocache; /* preserve caller's nocache setting */ *up = man->connection.up_query; } - CLEAR (man->connection.up_query); + secure_memzero (&man->connection.up_query, sizeof (man->connection.up_query)); } gc_free (&gc); diff --git a/src/openvpn/misc.c b/src/openvpn/misc.c index 56d43e0..4e06c91 100644 --- a/src/openvpn/misc.c +++ b/src/openvpn/misc.c @@ -501,7 +501,7 @@ remove_env_item (const char *str, const bool do_free, struct env_item **list) *list = current->next; if (do_free) { - memset (current->string, 0, strlen (current->string)); + secure_memzero (current->string, strlen (current->string)); free (current->string); free (current); } @@ -1342,7 +1342,7 @@ purge_user_pass (struct user_pass *up, const bool force) static bool warn_shown = false; if (nocache || force) { - CLEAR (*up); + secure_memzero (up, sizeof(*up)); up->nocache = nocache; } else if (!warn_shown) diff --git a/src/openvpn/multi.c b/src/openvpn/multi.c index 8f3d34e..4fc8b02 100644 --- a/src/openvpn/multi.c +++ b/src/openvpn/multi.c @@ -2317,6 +2317,10 @@ void multi_process_float (struct multi_context* m, struct multi_instance* mi) mroute_addr_print (&mi->real, &gc), print_link_socket_actual (&m->top.c2.from, &gc)); + /* remove old address from hash table before changing address */ + ASSERT (hash_remove (m->hash, &mi->real)); + ASSERT (hash_remove (m->iter, &mi->real)); + /* change external network address of the remote peer */ mi->real = real; generate_prefix (mi); @@ -2330,8 +2334,8 @@ void multi_process_float (struct multi_context* m, struct multi_instance* mi) tls_update_remote_addr (mi->context.c2.tls_multi, &mi->context.c2.from); - ASSERT (hash_add (m->hash, &mi->real, mi, true)); - ASSERT (hash_add (m->iter, &mi->real, mi, true)); + ASSERT (hash_add (m->hash, &mi->real, mi, false)); + ASSERT (hash_add (m->iter, &mi->real, mi, false)); #ifdef MANAGEMENT_DEF_AUTH ASSERT (hash_add (m->cid_hash, &mi->context.c2.mda_context.cid, mi, true)); diff --git a/src/openvpn/options.c b/src/openvpn/options.c index 7f128c3..47acd97 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c @@ -704,7 +704,8 @@ static const char usage_message[] = " which allow multiple addresses,\n" " --dhcp-option must be repeated.\n" " DOMAIN name : Set DNS suffix\n" - " DNS addr : Set domain name server address(es)\n" + " DNS addr : Set domain name server address(es) (IPv4)\n" + " DNS6 addr : Set domain name server address(es) (IPv6)\n" " NTP : Set NTP server address(es)\n" " NBDD : Set NBDD server address(es)\n" " WINS addr : Set WINS server address(es)\n" @@ -716,8 +717,8 @@ static const char usage_message[] = "--dhcp-pre-release : Ask Windows to release the previous TAP adapter lease on\n" " startup.\n" "--dhcp-release : Ask Windows to release the TAP adapter lease on shutdown.\n" - "--register-dns : Run net stop dnscache, net start dnscache, ipconfig /flushdns\n" - " and ipconfig /registerdns on connection initiation.\n" + "--register-dns : Run ipconfig /flushdns and ipconfig /registerdns\n" + " on connection initiation.\n" "--tap-sleep n : Sleep for n seconds after TAP adapter open before\n" " attempting to set adapter properties.\n" "--pause-exit : When run from a console window, pause before exiting.\n" @@ -1642,6 +1643,8 @@ show_settings (const struct options *o) SHOW_STR (shared_secret_file); SHOW_INT (key_direction); SHOW_STR (ciphername); + SHOW_BOOL (ncp_enabled); + SHOW_STR (ncp_ciphers); SHOW_STR (authname); SHOW_STR (prng_hash); SHOW_INT (prng_nonce_secret_len); @@ -2523,6 +2526,22 @@ options_postprocess_mutate_ce (struct options *o, struct connection_entry *ce) } +#ifdef _WIN32 +/* If iservice is in use, we need def1 method for redirect-gateway */ +static void +remap_redirect_gateway_flags (struct options *opt) +{ + if (opt->routes + && opt->route_method == ROUTE_METHOD_SERVICE + && opt->routes->flags & RG_REROUTE_GW + && !(opt->routes->flags & RG_DEF1)) + { + msg (M_INFO, "Flag 'def1' added to --redirect-gateway (iservice is in use)"); + opt->routes->flags |= RG_DEF1; + } +} +#endif + static void options_postprocess_mutate_invariant (struct options *options) { @@ -2552,6 +2571,8 @@ options_postprocess_mutate_invariant (struct options *options) options->tuntap_options.ip_win32_type = IPW32_SET_MANUAL; options->ifconfig_noexec = false; } + + remap_redirect_gateway_flags (options); #endif #if P2MP_SERVER @@ -3444,6 +3465,36 @@ options_string_version (const char* s, struct gc_arena *gc) #endif /* ENABLE_OCC */ +char * +options_string_extract_option (const char *options_string,const char *opt_name, + struct gc_arena *gc) +{ + char *ret = NULL; + const size_t opt_name_len = strlen(opt_name); + + const char *p = options_string; + while (p) + { + if (0 == strncmp(p, opt_name, opt_name_len) && + strlen(p) > (opt_name_len+1) && p[opt_name_len] == ' ') + { + /* option found, extract value */ + const char *start = &p[opt_name_len+1]; + const char *end = strchr (p, ','); + size_t val_len = end ? end - start : strlen (start); + ret = gc_malloc (val_len+1, true, gc); + memcpy (ret, start, val_len); + break; + } + p = strchr (p, ','); + if (p) + { + p++; /* skip delimiter */ + } + } + return ret; +} + static void foreign_option (struct options *o, char *argv[], int len, struct env_set *es) { @@ -3652,7 +3703,7 @@ usage_version (void) show_windows_version( M_INFO|M_NOPREFIX ); #endif msg (M_INFO|M_NOPREFIX, "Originally developed by James Yonan"); - msg (M_INFO|M_NOPREFIX, "Copyright (C) 2002-2010 OpenVPN Technologies, Inc. <sales@openvpn.net>"); + msg (M_INFO|M_NOPREFIX, "Copyright (C) 2002-2016 OpenVPN Technologies, Inc. <sales@openvpn.net>"); #ifndef ENABLE_SMALL #ifdef CONFIGURE_DEFINES msg (M_INFO|M_NOPREFIX, "Compile time defines: %s", CONFIGURE_DEFINES); @@ -3935,7 +3986,7 @@ read_inline_file (struct in_src *is, const char *close_tag, struct gc_arena *gc) ret = string_alloc (BSTR (&buf), gc); buf_clear (&buf); free_buf (&buf); - CLEAR (line); + secure_memzero (line, sizeof (line)); return ret; } @@ -4050,7 +4101,7 @@ read_config_file (struct options *options, { msg (msglevel, "In %s:%d: Maximum recursive include levels exceeded in include attempt of file %s -- probably you have a configuration file that tries to include itself.", top_file, top_line, file); } - CLEAR (line); + secure_memzero (line, sizeof (line)); CLEAR (p); } @@ -4082,7 +4133,7 @@ read_config_string (const char *prefix, } CLEAR (p); } - CLEAR (line); + secure_memzero (line, sizeof (line)); } void @@ -4374,6 +4425,8 @@ add_option (struct options *options, */ if (streq (p[0], "setenv") && p[1] && streq (p[1], "opt") && !(permission_mask & OPT_P_PULL_MODE)) { + if (!p[2]) + p[2] = "setenv opt"; /* will trigger an error that includes setenv opt */ p += 2; msglevel_fc = M_WARN; } @@ -5672,6 +5725,10 @@ add_option (struct options *options, goto err; } } +#ifdef _WIN32 + /* we need this here to handle pushed --redirect-gateway */ + remap_redirect_gateway_flags (options); +#endif options->routes->flags |= RG_ENABLE; } else if (streq (p[0], "remote-random-hostname") && !p[1]) @@ -6406,6 +6463,20 @@ add_option (struct options *options, { dhcp_option_address_parse ("DNS", p[2], o->dns, &o->dns_len, msglevel); } + else if (streq (p[1], "DNS6") && p[2] && ipv6_addr_safe(p[2])) + { + struct in6_addr addr; + foreign_option (options, p, 3, es); + if (o->dns6_len >= N_DHCP_ADDR) + { + msg (msglevel, "--dhcp-option DNS6: maximum of %d dns servers can be specified", + N_DHCP_ADDR); + } + else if (get_ipv6_addr (p[2], &addr, NULL, msglevel)) + { + o->dns6[o->dns6_len++] = addr; + } + } else if (streq (p[1], "WINS") && p[2]) { dhcp_option_address_parse ("WINS", p[2], o->wins, &o->wins_len, msglevel); @@ -6427,7 +6498,14 @@ add_option (struct options *options, msg (msglevel, "--dhcp-option: unknown option type '%s' or missing or unknown parameter", p[1]); goto err; } - o->dhcp_options = true; + + /* flag that we have options to give to the TAP driver's DHCPv4 server + * - skipped for "DNS6", as that's not a DHCPv4 option + */ + if (!streq (p[1], "DNS6")) + { + o->dhcp_options = true; + } } #endif #ifdef _WIN32 diff --git a/src/openvpn/options.h b/src/openvpn/options.h index a028556..067728a 100644 --- a/src/openvpn/options.h +++ b/src/openvpn/options.h @@ -726,6 +726,20 @@ void options_warning (char *actual, const char *expected); #endif +/** + * Given an OpenVPN options string, extract the value of an option. + * + * @param options_string Zero-terminated, comma-separated options string + * @param opt_name The name of the option to extract + * @param gc The gc to allocate the return value + * + * @return gc-allocated value of option with name opt_name if option was found, + * or NULL otherwise. + */ +char *options_string_extract_option (const char *options_string, + const char *opt_name, struct gc_arena *gc); + + void options_postprocess (struct options *options); void pre_pull_save (struct options *o); diff --git a/src/openvpn/push.c b/src/openvpn/push.c index f86bdd3..9953079 100644 --- a/src/openvpn/push.c +++ b/src/openvpn/push.c @@ -42,31 +42,6 @@ static char push_reply_cmd[] = "PUSH_REPLY"; -/** - * Add an option to the given push list by providing a format string. - * - * The string added to the push options is allocated in o->gc, so the caller - * does not have to preserve anything. - * - * @param gc GC arena where options are allocated - * @param push_list Push list containing options - * @param msglevel The message level to use when printing errors - * @param fmt Format string for the option - * @param ... Format string arguments - * - * @return true on success, false on failure. - */ -static bool push_option_fmt(struct gc_arena *gc, struct push_list *push_list, - int msglevel, const char *fmt, ...) -#ifdef __GNUC__ -#if __USE_MINGW_ANSI_STDIO - __attribute__ ((format (gnu_printf, 4, 5))) -#else - __attribute__ ((format (__printf__, 4, 5))) -#endif -#endif - ; - /* * Auth username/password * @@ -177,6 +152,30 @@ server_pushed_signal (struct context *c, const struct buffer *buffer, const bool } #if P2MP_SERVER +/** + * Add an option to the given push list by providing a format string. + * + * The string added to the push options is allocated in o->gc, so the caller + * does not have to preserve anything. + * + * @param gc GC arena where options are allocated + * @param push_list Push list containing options + * @param msglevel The message level to use when printing errors + * @param fmt Format string for the option + * @param ... Format string arguments + * + * @return true on success, false on failure. + */ +static bool push_option_fmt(struct gc_arena *gc, struct push_list *push_list, + int msglevel, const char *fmt, ...) +#ifdef __GNUC__ +#if __USE_MINGW_ANSI_STDIO + __attribute__ ((format (gnu_printf, 4, 5))) +#else + __attribute__ ((format (__printf__, 4, 5))) +#endif +#endif + ; /* * Send auth failed message from server to client. @@ -263,7 +262,7 @@ incoming_push_message (struct context *c, const struct buffer *buffer) !tls_session_update_crypto_params (session, &c->options, &c->c2.frame)) { - msg (D_TLS_ERRORS, "TLS Error: server generate_key_expansion failed"); + msg (D_TLS_ERRORS, "TLS Error: initializing data channel failed"); goto error; } } @@ -371,6 +370,10 @@ prepare_push_reply (struct context *c, struct gc_arena *gc, push_option_fmt(gc, push_list, M_USAGE, "cipher %s", o->ciphername); } } + else if (o->ncp_enabled) + { + tls_poor_mans_ncp (o, tls_multi->remote_ciphername); + } /* If server uses --auth-gen-token and we have an auth token * to send to the client diff --git a/src/openvpn/push.h b/src/openvpn/push.h index d6cb4b1..1dfd80e 100644 --- a/src/openvpn/push.h +++ b/src/openvpn/push.h @@ -51,10 +51,9 @@ void receive_auth_failed (struct context *c, const struct buffer *buffer); void server_pushed_signal (struct context *c, const struct buffer *buffer, const bool restart, const int adv); -#if P2MP_SERVER - void incoming_push_message (struct context *c, const struct buffer *buffer); +#if P2MP_SERVER void clone_push_list (struct options *o); void push_option (struct options *o, const char *opt, int msglevel); diff --git a/src/openvpn/sig.c b/src/openvpn/sig.c index 0ff1437..b3ae645 100644 --- a/src/openvpn/sig.c +++ b/src/openvpn/sig.c @@ -378,7 +378,8 @@ process_sigterm (struct context *c) /** * If a restart signal is received during exit-notification, reset the - * signal and return true. + * signal and return true. If its a soft restart signal from the event loop + * which implies the loop cannot continue, remap to SIGTERM to exit promptly. */ static bool ignore_restart_signals (struct context *c) @@ -388,10 +389,20 @@ ignore_restart_signals (struct context *c) if ( (c->sig->signal_received == SIGUSR1 || c->sig->signal_received == SIGHUP) && event_timeout_defined(&c->c2.explicit_exit_notification_interval) ) { - msg (M_INFO, "Ignoring %s received during exit notification", - signal_name(c->sig->signal_received, true)); - signal_reset (c->sig); - ret = true; + if (c->sig->source == SIG_SOURCE_HARD) + { + msg (M_INFO, "Ignoring %s received during exit notification", + signal_name(c->sig->signal_received, true)); + signal_reset (c->sig); + ret = true; + } + else + { + msg (M_INFO, "Converting soft %s received during exit notification to SIGTERM", + signal_name(c->sig->signal_received, true)); + register_signal(c, SIGTERM, "exit-with-notification"); + ret = false; + } } #endif return ret; diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c index dc06350..34d163f 100644 --- a/src/openvpn/ssl.c +++ b/src/openvpn/ssl.c @@ -512,6 +512,54 @@ tls_version_parse(const char *vstr, const char *extra) return TLS_VER_BAD; } +/** + * Load (or possibly reload) the CRL file into the SSL context. + * No reload is performed under the following conditions: + * - the CRL file was passed inline + * - the CRL file was not modified since the last (re)load + * + * @param ssl_ctx The TLS context to use when reloading the CRL + * @param crl_file The file name to load the CRL from, or + * "[[INLINE]]" in the case of inline files. + * @param crl_inline A string containing the CRL + */ +static void +tls_ctx_reload_crl(struct tls_root_ctx *ssl_ctx, const char *crl_file, + const char *crl_file_inline) +{ + /* if something goes wrong with stat(), we'll store 0 as mtime */ + platform_stat_t crl_stat = {0}; + + /* + * an inline CRL can't change at runtime, therefore there is no need to + * reload it. It will be reloaded upon config change + SIGHUP. + * Use always '1' as dummy timestamp in this case: it will trigger the + * first load, but will prevent any future reload. + */ + if (crl_file_inline) + { + crl_stat.st_mtime = 1; + } + else if (platform_stat(crl_file, &crl_stat) < 0) + { + msg(M_WARN, "WARNING: Failed to stat CRL file, not (re)loading CRL."); + return; + } + + /* + * Store the CRL if this is the first time or if the file was changed since + * the last load. + * Note: Windows does not support tv_nsec. + */ + if ((ssl_ctx->crl_last_size == crl_stat.st_size) && + (ssl_ctx->crl_last_mtime.tv_sec == crl_stat.st_mtime)) + return; + + ssl_ctx->crl_last_mtime.tv_sec = crl_stat.st_mtime; + ssl_ctx->crl_last_size = crl_stat.st_size; + backend_tls_ctx_reload_crl(ssl_ctx, crl_file, crl_file_inline); +} + /* * Initialize SSL context. * All files are in PEM format. @@ -894,7 +942,7 @@ key_state_free (struct key_state *ks, bool clear) #endif if (clear) - CLEAR (*ks); + secure_memzero (ks, sizeof (*ks)); } /** @} name Functions for initialization and cleanup of key_state structures */ @@ -973,7 +1021,7 @@ tls_session_init (struct tls_multi *multi, struct tls_session *session) /* Initialize control channel authentication parameters */ session->tls_wrap = session->opt->tls_wrap; - session->tls_wrap.work = alloc_buf (TLS_CHANNEL_BUF_SIZE); + session->tls_wrap.work = alloc_buf (BUF_SIZE (&session->opt->frame)); /* initialize packet ID replay window for --tls-auth */ packet_id_init (&session->tls_wrap.opt.packet_id, @@ -1024,7 +1072,7 @@ tls_session_free (struct tls_session *session, bool clear) cert_hash_free (session->cert_hash_set); if (clear) - CLEAR (*session); + secure_memzero (session, sizeof (*session)); } /** @} name Functions for initialization and cleanup of tls_session structures */ @@ -1048,7 +1096,7 @@ move_session (struct tls_multi* multi, int dest, int src, bool reinit_src) if (reinit_src) tls_session_init (multi, &multi->session[src]); else - CLEAR (multi->session[src]); + secure_memzero (&multi->session[src], sizeof (multi->session[src])); dmsg (D_TLS_DEBUG, "TLS: move_session: exit"); } @@ -1212,15 +1260,17 @@ tls_multi_free (struct tls_multi *multi, bool clear) if (multi->auth_token) { - memset (multi->auth_token, 0, AUTH_TOKEN_SIZE); + secure_memzero (multi->auth_token, AUTH_TOKEN_SIZE); free (multi->auth_token); } + free (multi->remote_ciphername); + for (i = 0; i < TM_SIZE; ++i) tls_session_free (&multi->session[i], false); if (clear) - CLEAR (*multi); + secure_memzero (multi, sizeof (*multi)); free(multi); } @@ -1320,13 +1370,20 @@ write_control_auth (struct tls_session *session, } else if (session->tls_wrap.mode == TLS_WRAP_CRYPT) { - buf_init (&session->tls_wrap.work, buf->offset); + ASSERT (buf_init (&session->tls_wrap.work, buf->offset)); ASSERT (buf_write (&session->tls_wrap.work, &header, sizeof(header))); ASSERT (session_id_write (&session->session_id, &session->tls_wrap.work)); - ASSERT (tls_crypt_wrap (buf, &session->tls_wrap.work, &session->tls_wrap.opt)); - /* Don't change the original data in buf, it's used by the reliability - * layer to resend on failure. */ - *buf = session->tls_wrap.work; + if (tls_crypt_wrap (buf, &session->tls_wrap.work, &session->tls_wrap.opt)) + { + /* Don't change the original data in buf, it's used by the reliability + * layer to resend on failure. */ + *buf = session->tls_wrap.work; + } + else + { + buf->len = 0; + return; + } } *to_link_addr = &ks->remote_addr; } @@ -1503,7 +1560,7 @@ tls1_P_hash(const md_kt_t *md_kt, } hmac_ctx_cleanup(&ctx); hmac_ctx_cleanup(&ctx_tmp); - CLEAR (A1); + secure_memzero (A1, sizeof (A1)); dmsg (D_SHOW_KEY_SOURCE, "tls1_P_hash out: %s", format_hex (out_orig, olen_orig, 0, &gc)); gc_free (&gc); @@ -1556,7 +1613,7 @@ tls1_PRF(const uint8_t *label, for (i=0; i<olen; i++) out1[i]^=out2[i]; - memset (out2, 0, olen); + secure_memzero (out2, olen); dmsg (D_SHOW_KEY_SOURCE, "tls1_PRF out[%d]: %s", olen, format_hex (out1, olen, 0, &gc)); @@ -1613,13 +1670,15 @@ generate_key_expansion (struct key_ctx_bi *key, const struct session_id *server_sid, bool server) { - uint8_t master[48]; - struct key2 key2; + uint8_t master[48] = { 0 }; + struct key2 key2 = { 0 }; bool ret = false; - int i; - CLEAR (master); - CLEAR (key2); + if (key->initialized) + { + msg (D_TLS_ERRORS, "TLS Error: key already initialized"); + goto exit; + } /* debugging print of source key material */ key_source2_print (key_src); @@ -1655,7 +1714,7 @@ generate_key_expansion (struct key_ctx_bi *key, key2_print (&key2, key_type, "Master Encrypt", "Master Decrypt"); /* check for weak keys */ - for (i = 0; i < 2; ++i) + for (int i = 0; i < 2; ++i) { fixup_key (&key2.keys[i], key_type); if (!check_key (&key2.keys[i], key_type)) @@ -1691,8 +1750,8 @@ generate_key_expansion (struct key_ctx_bi *key, ret = true; exit: - CLEAR (master); - CLEAR (key2); + secure_memzero (&master, sizeof (master)); + secure_memzero (&key2, sizeof (key2)); return ret; } @@ -1714,8 +1773,8 @@ key_ctx_update_implicit_iv(struct key_ctx *ctx, uint8_t *key, size_t key_len) { } } -static bool -item_in_list(const char *item, const char *list) +bool +tls_item_in_cipher_list(const char *item, const char *list) { char *tmp_ciphers = string_alloc (list, NULL); char *tmp_ciphers_orig = tmp_ciphers; @@ -1732,18 +1791,61 @@ item_in_list(const char *item, const char *list) return token != NULL; } -bool -tls_session_update_crypto_params(struct tls_session *session, - const struct options *options, struct frame *frame) +void +tls_poor_mans_ncp(struct options *o, const char *remote_ciphername) +{ + if (o->ncp_enabled && remote_ciphername && + 0 != strcmp(o->ciphername, remote_ciphername)) + { + if (tls_item_in_cipher_list(remote_ciphername, o->ncp_ciphers)) + { + o->ciphername = string_alloc(remote_ciphername, &o->gc); + msg (D_TLS_DEBUG_LOW, "Using peer cipher '%s'", o->ciphername); + } + } +} + +/** + * Generate data channel keys for the supplied TLS session. + * + * This erases the source material used to generate the data channel keys, and + * can thus be called only once per session. + */ +static bool +tls_session_generate_data_channel_keys(struct tls_session *session) { bool ret = false; struct key_state *ks = &session->key[KS_PRIMARY]; /* primary key */ + const struct session_id *client_sid = session->opt->server ? + &ks->session_id_remote : &session->session_id; + const struct session_id *server_sid = !session->opt->server ? + &ks->session_id_remote : &session->session_id; ASSERT (ks->authenticated); + if (!generate_key_expansion (&ks->crypto_options.key_ctx_bi, + &session->opt->key_type, ks->key_src, client_sid, server_sid, + session->opt->server)) + { + msg (D_TLS_ERRORS, "TLS Error: generate_key_expansion failed"); + goto cleanup; + } + tls_limit_reneg_bytes (session->opt->key_type.cipher, + &session->opt->renegotiate_bytes); + + ret = true; +cleanup: + secure_memzero (ks->key_src, sizeof (*ks->key_src)); + return ret; +} + +bool +tls_session_update_crypto_params(struct tls_session *session, + const struct options *options, struct frame *frame) +{ if (!session->opt->server && 0 != strcmp(options->ciphername, session->opt->config_ciphername) && - !item_in_list(options->ciphername, options->ncp_ciphers)) + !tls_item_in_cipher_list(options->ciphername, options->ncp_ciphers)) { msg (D_TLS_ERRORS, "Error: pushed cipher not allowed - %s not in %s or %s", options->ciphername, session->opt->config_ciphername, @@ -1768,23 +1870,7 @@ tls_session_update_crypto_params(struct tls_session *session, frame_init_mssfix(frame, options); frame_print (frame, D_MTU_INFO, "Data Channel MTU parms"); - const struct session_id *client_sid = session->opt->server ? - &ks->session_id_remote : &session->session_id; - const struct session_id *server_sid = !session->opt->server ? - &ks->session_id_remote : &session->session_id; - if (!generate_key_expansion (&ks->crypto_options.key_ctx_bi, - &session->opt->key_type, ks->key_src, client_sid, server_sid, - session->opt->server)) - { - msg (D_TLS_ERRORS, "TLS Error: server generate_key_expansion failed"); - goto cleanup; - } - tls_limit_reneg_bytes (session->opt->key_type.cipher, - &session->opt->renegotiate_bytes); - ret = true; -cleanup: - CLEAR (*ks->key_src); - return ret; + return tls_session_generate_data_channel_keys (session); } static bool @@ -1979,7 +2065,7 @@ key_method_1_write (struct buffer *buf, struct tls_session *session) init_key_ctx (&ks->crypto_options.key_ctx_bi.encrypt, &key, &session->opt->key_type, OPENVPN_OP_ENCRYPT, "Data Channel Encrypt"); - CLEAR (key); + secure_memzero (&key, sizeof (key)); /* send local options string */ { @@ -2152,28 +2238,19 @@ key_method_2_write (struct buffer *buf, struct tls_session *session) { if (ks->authenticated) { - if (!generate_key_expansion (&ks->crypto_options.key_ctx_bi, - &session->opt->key_type, - ks->key_src, - &ks->session_id_remote, - &session->session_id, - true)) + if (!tls_session_generate_data_channel_keys (session)) { msg (D_TLS_ERRORS, "TLS Error: server generate_key_expansion failed"); goto error; } } - - CLEAR (*ks->key_src); - tls_limit_reneg_bytes (session->opt->key_type.cipher, - &session->opt->renegotiate_bytes); } return true; error: msg (D_TLS_ERRORS, "TLS Error: Key Method #2 write failed"); - CLEAR (*ks->key_src); + secure_memzero (ks->key_src, sizeof (*ks->key_src)); return false; } @@ -2228,13 +2305,13 @@ key_method_1_read (struct buffer *buf, struct tls_session *session) init_key_ctx (&ks->crypto_options.key_ctx_bi.decrypt, &key, &session->opt->key_type, OPENVPN_OP_DECRYPT, "Data Channel Decrypt"); - CLEAR (key); + secure_memzero (&key, sizeof (key)); ks->authenticated = true; return true; error: buf_clear (buf); - CLEAR (key); + secure_memzero (&key, sizeof (key)); return false; } @@ -2303,10 +2380,20 @@ key_method_2_read (struct buffer *buf, struct tls_multi *multi, struct tls_sessi if ( multi->peer_info ) output_peer_info_env (session->opt->es, multi->peer_info); + free (multi->remote_ciphername); + multi->remote_ciphername = + options_string_extract_option (options, "cipher", NULL); + if (tls_peer_info_ncp_ver (multi->peer_info) < 2) { - /* Peer does not support NCP */ - session->opt->ncp_enabled = false; + /* Peer does not support NCP, but leave NCP enabled if the local and + * remote cipher do not match to attempt 'poor-man's NCP'. + */ + if (multi->remote_ciphername == NULL || + 0 == strcmp(multi->remote_ciphername, multi->opt.config_ciphername)) + { + session->opt->ncp_enabled = false; + } } #endif @@ -2338,7 +2425,7 @@ key_method_2_read (struct buffer *buf, struct tls_multi *multi, struct tls_sessi } /* clear username and password from memory */ - CLEAR (*up); + secure_memzero (up, sizeof (*up)); /* Perform final authentication checks */ if (ks->authenticated) @@ -2383,27 +2470,18 @@ key_method_2_read (struct buffer *buf, struct tls_multi *multi, struct tls_sessi */ if (!session->opt->server && (!session->opt->pull || ks->key_id > 0)) { - if (!generate_key_expansion (&ks->crypto_options.key_ctx_bi, - &session->opt->key_type, - ks->key_src, - &session->session_id, - &ks->session_id_remote, - false)) + if (!tls_session_generate_data_channel_keys (session)) { msg (D_TLS_ERRORS, "TLS Error: client generate_key_expansion failed"); goto error; } - - CLEAR (*ks->key_src); - tls_limit_reneg_bytes (session->opt->key_type.cipher, - &session->opt->renegotiate_bytes); } gc_free (&gc); return true; error: - CLEAR (*ks->key_src); + secure_memzero (ks->key_src, sizeof (*ks->key_src)); buf_clear (buf); gc_free (&gc); return false; @@ -2551,7 +2629,10 @@ tls_process (struct tls_multi *multi, ks->state = S_START; state_change = true; - /* Reload the CRL before TLS negotiation */ + /* + * Attempt CRL reload before TLS negotiation. Won't be performed if + * the file was not modified since the last reload + */ if (session->opt->crl_file && !(session->opt->ssl_flags & SSLF_CRL_VERIFY_DIR)) { @@ -2609,22 +2690,6 @@ tls_process (struct tls_multi *multi, break; } -#ifndef TLS_AGGREGATE_ACK - /* Send 1 or more ACKs (each received control packet gets one ACK) */ - if (!to_link->len && !reliable_ack_empty (ks->rec_ack)) - { - buf = &ks->ack_write_buf; - ASSERT (buf_init (buf, FRAME_HEADROOM (&multi->opt.frame))); - write_control_auth (session, ks, buf, to_link_addr, P_ACK_V1, - RELIABLE_ACK_SIZE, false); - *to_link = *buf; - active = true; - state_change = true; - dmsg (D_TLS_DEBUG, "Dedicated ACK -> TCP/UDP"); - break; - } -#endif - /* Write incoming ciphertext to TLS object */ buf = reliable_get_buf_sequenced (ks->rec_reliable); if (buf) @@ -2769,7 +2834,6 @@ tls_process (struct tls_multi *multi, update_time (); -#ifdef TLS_AGGREGATE_ACK /* Send 1 or more ACKs (each received control packet gets one ACK) */ if (!to_link->len && !reliable_ack_empty (ks->rec_ack)) { @@ -2779,10 +2843,8 @@ tls_process (struct tls_multi *multi, RELIABLE_ACK_SIZE, false); *to_link = buf; active = true; - state_change = true; dmsg (D_TLS_DEBUG, "Dedicated ACK -> TCP/UDP"); } -#endif /* When should we wake up again? */ { diff --git a/src/openvpn/ssl.h b/src/openvpn/ssl.h index 777b621..c971b75 100644 --- a/src/openvpn/ssl.h +++ b/src/openvpn/ssl.h @@ -70,15 +70,8 @@ #define P_FIRST_OPCODE 1 #define P_LAST_OPCODE 9 -/* Should we aggregate TLS - * acknowledgements, and tack them onto - * control packets? */ -#define TLS_AGGREGATE_ACK - /* - * If TLS_AGGREGATE_ACK, set the - * max number of acknowledgments that - * can "hitch a ride" on an outgoing + * Set the max number of acknowledgments that can "hitch a ride" on an outgoing * non-P_ACK_V1 control packet. */ #define CONTROL_SEND_ACK_MAX 4 @@ -489,6 +482,15 @@ void tls_update_remote_addr (struct tls_multi *multi, bool tls_session_update_crypto_params(struct tls_session *session, const struct options *options, struct frame *frame); +/** + * "Poor man's NCP": Use peer cipher if it is an allowed (NCP) cipher. + * Allows non-NCP peers to upgrade their cipher individually. + * + * Make sure to call tls_session_update_crypto_params() after calling this + * function. + */ +void tls_poor_mans_ncp(struct options *o, const char *remote_ciphername); + #ifdef MANAGEMENT_DEF_AUTH static inline char * tls_get_peer_info(const struct tls_multi *multi) @@ -512,6 +514,13 @@ int tls_peer_info_ncp_ver(const char *peer_info); */ bool tls_check_ncp_cipher_list(const char *list); +/** + * Return true iff item is present in the colon-separated zero-terminated + * cipher list. + */ +bool tls_item_in_cipher_list(const char *item, const char *list); + + /* * inline functions */ diff --git a/src/openvpn/ssl_backend.h b/src/openvpn/ssl_backend.h index 0777c61..3fbd2b4 100644 --- a/src/openvpn/ssl_backend.h +++ b/src/openvpn/ssl_backend.h @@ -353,7 +353,7 @@ void key_state_ssl_free(struct key_state_ssl *ks_ssl); * "[[INLINE]]" in the case of inline files. * @param crl_inline A string containing the CRL */ -void tls_ctx_reload_crl(struct tls_root_ctx *ssl_ctx, +void backend_tls_ctx_reload_crl(struct tls_root_ctx *ssl_ctx, const char *crl_file, const char *crl_inline); /** diff --git a/src/openvpn/ssl_common.h b/src/openvpn/ssl_common.h index 28702af..7938f41 100644 --- a/src/openvpn/ssl_common.h +++ b/src/openvpn/ssl_common.h @@ -540,6 +540,8 @@ struct tls_multi uint32_t peer_id; bool use_peer_id; + char *remote_ciphername; /**< cipher specified in peer's config file */ + char *auth_token; /**< If server sends a generated auth-token, * this is the token to use for future * user/pass authentications in this session. diff --git a/src/openvpn/ssl_mbedtls.c b/src/openvpn/ssl_mbedtls.c index 7fa35a7..11ee65b 100644 --- a/src/openvpn/ssl_mbedtls.c +++ b/src/openvpn/ssl_mbedtls.c @@ -771,7 +771,7 @@ static void tls_version_to_major_minor(int tls_ver, int *major, int *minor) { } void -tls_ctx_reload_crl(struct tls_root_ctx *ctx, const char *crl_file, +backend_tls_ctx_reload_crl(struct tls_root_ctx *ctx, const char *crl_file, const char *crl_inline) { ASSERT (crl_file); diff --git a/src/openvpn/ssl_mbedtls.h b/src/openvpn/ssl_mbedtls.h index 3edeedc..a4a7f05 100644 --- a/src/openvpn/ssl_mbedtls.h +++ b/src/openvpn/ssl_mbedtls.h @@ -74,6 +74,8 @@ struct tls_root_ctx { mbedtls_x509_crt *ca_chain; /**< CA chain for remote verification */ mbedtls_pk_context *priv_key; /**< Local private key */ mbedtls_x509_crl *crl; /**< Certificate Revocation List */ + struct timespec crl_last_mtime; /**< CRL last modification time */ + off_t crl_last_size; /**< size of last loaded CRL */ #if defined(ENABLE_PKCS11) mbedtls_pkcs11_context *priv_key_pkcs11; /**< PKCS11 private key */ #endif diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c index 51669fc..4f472ff 100644 --- a/src/openvpn/ssl_openssl.c +++ b/src/openvpn/ssl_openssl.c @@ -772,7 +772,7 @@ end: } void -tls_ctx_reload_crl(struct tls_root_ctx *ssl_ctx, const char *crl_file, +backend_tls_ctx_reload_crl(struct tls_root_ctx *ssl_ctx, const char *crl_file, const char *crl_inline) { X509_CRL *crl = NULL; diff --git a/src/openvpn/ssl_openssl.h b/src/openvpn/ssl_openssl.h index 97dc742..115ac43 100644 --- a/src/openvpn/ssl_openssl.h +++ b/src/openvpn/ssl_openssl.h @@ -49,6 +49,8 @@ */ struct tls_root_ctx { SSL_CTX *ctx; + struct timespec crl_last_mtime; + off_t crl_last_size; }; struct key_state_ssl { diff --git a/src/openvpn/ssl_verify.c b/src/openvpn/ssl_verify.c index a099776..4328828 100644 --- a/src/openvpn/ssl_verify.c +++ b/src/openvpn/ssl_verify.c @@ -1176,7 +1176,7 @@ verify_user_pass(struct user_pass *up, struct tls_multi *multi, if (memcmp_constant_time(multi->auth_token, up->password, strlen(multi->auth_token)) != 0) { - memset (multi->auth_token, 0, AUTH_TOKEN_SIZE); + secure_memzero (multi->auth_token, AUTH_TOKEN_SIZE); free (multi->auth_token); multi->auth_token = NULL; multi->auth_token_sent = false; @@ -1262,7 +1262,7 @@ verify_user_pass(struct user_pass *up, struct tls_multi *multi, "No auth-token will be activated now"); if (multi->auth_token) { - memset (multi->auth_token, 0, AUTH_TOKEN_SIZE); + secure_memzero (multi->auth_token, AUTH_TOKEN_SIZE); free (multi->auth_token); multi->auth_token = NULL; } diff --git a/src/openvpn/ssl_verify_mbedtls.c b/src/openvpn/ssl_verify_mbedtls.c index 332f04b..4260823 100644 --- a/src/openvpn/ssl_verify_mbedtls.c +++ b/src/openvpn/ssl_verify_mbedtls.c @@ -348,12 +348,10 @@ x509_setenv (struct env_set *es, int cert_depth, mbedtls_x509_crt *cert) int i; unsigned char c; const mbedtls_x509_name *name; - char s[128]; + char s[128] = { 0 }; name = &cert->subject; - memset( s, 0, sizeof( s ) ); - while( name != NULL ) { char name_expand[64+8]; diff --git a/src/openvpn/syshead.h b/src/openvpn/syshead.h index 8de7d87..f5008b7 100644 --- a/src/openvpn/syshead.h +++ b/src/openvpn/syshead.h @@ -26,7 +26,7 @@ #define SYSHEAD_H #include "compat.h" -#include "compat-stdbool.h" +#include <stdbool.h> /* branch prediction hints */ #if defined(__GNUC__) diff --git a/src/openvpn/tun.c b/src/openvpn/tun.c index 77ae72f..572e168 100644 --- a/src/openvpn/tun.c +++ b/src/openvpn/tun.c @@ -68,6 +68,9 @@ static void netsh_ifconfig (const struct tuntap_options *to, const in_addr_t ip, const in_addr_t netmask, const unsigned int flags); +static void netsh_set_dns6_servers (const struct in6_addr *addr_list, + const int addr_len, + const char *flex_name); static void netsh_command (const struct argv *a, int n, int msglevel); static const char *netsh_get_id (const char *dev_node, struct gc_arena *gc); @@ -132,6 +135,74 @@ out: return ret; } +static bool +do_dns6_service (bool add, const struct tuntap *tt) +{ + DWORD len; + bool ret = false; + ack_message_t ack; + struct gc_arena gc = gc_new (); + HANDLE pipe = tt->options.msg_channel; + int addr_len = add ? tt->options.dns6_len : 0; + + if (addr_len == 0 && add) /* no addresses to add */ + return true; + + dns_cfg_message_t dns = { + .header = { + (add ? msg_add_dns_cfg : msg_del_dns_cfg), + sizeof (dns_cfg_message_t), + 0 }, + .iface = { .index = tt->adapter_index, .name = "" }, + .domains = "", + .family = AF_INET6, + .addr_len = addr_len + }; + + /* interface name is required */ + strncpy (dns.iface.name, tt->actual_name, sizeof (dns.iface.name)); + dns.iface.name[sizeof (dns.iface.name) - 1] = '\0'; + + if (addr_len > _countof(dns.addr)) + { + addr_len = _countof(dns.addr); + dns.addr_len = addr_len; + msg(M_WARN, "Number of IPv6 DNS addresses sent to service truncated to %d", + addr_len); + } + + for (int i = 0; i < addr_len; ++i) + { + dns.addr[i].ipv6 = tt->options.dns6[i]; + } + + msg (D_LOW, "%s IPv6 dns servers on '%s' (if_index = %d) using service", + (add ? "Setting" : "Deleting"), dns.iface.name, dns.iface.index); + + if (!WriteFile (pipe, &dns, sizeof (dns), &len, NULL) || + !ReadFile (pipe, &ack, sizeof (ack), &len, NULL)) + { + msg (M_WARN, "TUN: could not talk to service: %s [%lu]", + strerror_win32 (GetLastError (), &gc), GetLastError ()); + goto out; + } + + if (ack.error_number != NO_ERROR) + { + msg (M_WARN, "TUN: %s IPv6 dns failed using service: %s [status=%u if_name=%s]", + (add ? "adding" : "deleting"), strerror_win32 (ack.error_number, &gc), + ack.error_number, dns.iface.name); + goto out; + } + + msg (M_INFO, "IPv6 dns servers %s using service", (add ? "set" : "deleted")); + ret = true; + +out: + gc_free (&gc); + return ret; +} + #endif #ifdef TARGET_SOLARIS @@ -1372,9 +1443,16 @@ do_ifconfig (struct tuntap *tt, if ( do_ipv6 ) { - if (tt->options.msg_channel) + if (tt->options.ip_win32_type == IPW32_SET_MANUAL) + { + msg (M_INFO, "******** NOTE: Please manually set the v6 IP of '%s' to %s (if it is not already set)", + actual, + ifconfig_ipv6_local); + } + else if (tt->options.msg_channel) { do_address_service (true, AF_INET6, tt); + do_dns6_service (true, tt); } else { @@ -1388,10 +1466,15 @@ do_ifconfig (struct tuntap *tt, iface, ifconfig_ipv6_local ); netsh_command (&argv, 4, M_FATAL); + /* set ipv6 dns servers if any are specified */ + netsh_set_dns6_servers(tt->options.dns6, tt->options.dns6_len, actual); } /* explicit route needed */ - add_route_connected_v6_net(tt, es); + if (tt->options.ip_win32_type != IPW32_SET_MANUAL) + { + add_route_connected_v6_net(tt, es); + } } #else msg (M_FATAL, "Sorry, but I don't know how to do 'ifconfig' commands on this operating system. You should ifconfig your TUN/TAP device manually or use an --up script."); @@ -1623,14 +1706,20 @@ void open_tun (const char *dev, const char *dev_type, const char *dev_node, struct tuntap *tt) { #define ANDROID_TUNNAME "vpnservice-tun" - int i; struct user_pass up; struct gc_arena gc = gc_new (); bool opentun; int oldtunfd = tt->fd; - for (i = 0; i < tt->options.dns_len; ++i) { + /* Prefer IPv6 DNS servers, + * Android will use the DNS server in the order we specify*/ + for (int i = 0; i < tt->options.dns6_len; i++) { + management_android_control (management, "DNS6SERVER", + print_in6_addr (tt->options.dns6[i], 0, &gc)); + } + + for (int i = 0; i < tt->options.dns_len; i++) { management_android_control (management, "DNSSERVER", print_in_addr_t(tt->options.dns[i], 0, &gc)); } @@ -4508,23 +4597,9 @@ ipconfig_register_dns (const struct env_set *es) bool status; const char err[] = "ERROR: Windows ipconfig command failed"; - msg (D_TUNTAP_INFO, "Start net commands..."); + msg (D_TUNTAP_INFO, "Start ipconfig commands for register-dns..."); netcmd_semaphore_lock (); - argv_printf (&argv, "%s%sc stop dnscache", - get_win_sys_path(), - WIN_NET_PATH_SUFFIX); - argv_msg (D_TUNTAP_INFO, &argv); - status = openvpn_execve_check (&argv, es, 0, err); - argv_reset(&argv); - - argv_printf (&argv, "%s%sc start dnscache", - get_win_sys_path(), - WIN_NET_PATH_SUFFIX); - argv_msg (D_TUNTAP_INFO, &argv); - status = openvpn_execve_check (&argv, es, 0, err); - argv_reset(&argv); - argv_printf (&argv, "%s%sc /flushdns", get_win_sys_path(), WIN_IPCONFIG_PATH_SUFFIX); @@ -4540,7 +4615,7 @@ ipconfig_register_dns (const struct env_set *es) argv_reset(&argv); netcmd_semaphore_release (); - msg (D_TUNTAP_INFO, "End net commands..."); + msg (D_TUNTAP_INFO, "End ipconfig commands for register-dns..."); } void @@ -4617,6 +4692,41 @@ ip_addr_member_of (const in_addr_t addr, const IP_ADDR_STRING *ias) return false; } +/** + * Set the ipv6 dns servers on the specified interface. + * The list of dns servers currently set on the interface + * are cleared first. + * No action is taken if number of addresses (addr_len) < 1. + */ +static void +netsh_set_dns6_servers (const struct in6_addr *addr_list, + const int addr_len, + const char *flex_name) +{ + struct gc_arena gc = gc_new (); + struct argv argv = argv_new (); + + for (int i = 0; i < addr_len; ++i) + { + const char *fmt = (i == 0) ? + "%s%sc interface ipv6 set dns %s static %s" + : "%s%sc interface ipv6 add dns %s %s"; + argv_printf (&argv, fmt, get_win_sys_path(), + NETSH_PATH_SUFFIX, flex_name, + print_in6_addr (addr_list[i], 0, &gc)); + + /* disable slow address validation on Windows 7 and higher */ + if (win32_version_info() >= WIN_7) + argv_printf_cat (&argv, "%s", "validate=no"); + + /* Treat errors while adding as non-fatal as we do not check for duplicates */ + netsh_command (&argv, 1, (i==0)? M_FATAL : M_NONFATAL); + } + + argv_reset (&argv); + gc_free (&gc); +} + static void netsh_ifconfig_options (const char *type, const in_addr_t *addr_list, @@ -5540,6 +5650,8 @@ close_tun (struct tuntap *tt) if (tt->options.msg_channel) { do_address_service (false, AF_INET6, tt); + if (tt->options.dns6_len > 0) + do_dns6_service (false, tt); } else { @@ -5563,6 +5675,17 @@ close_tun (struct tuntap *tt) ifconfig_ipv6_local); netsh_command (&argv, 1, M_WARN); + + /* delete ipv6 dns servers if any were set */ + if (tt->options.dns6_len > 0) + { + argv_printf (&argv, + "%s%sc interface ipv6 delete dns %s all", + get_win_sys_path(), + NETSH_PATH_SUFFIX, + tt->actual_name); + netsh_command (&argv, 1, M_WARN); + } argv_reset (&argv); } } diff --git a/src/openvpn/tun.h b/src/openvpn/tun.h index dedd915..9b5a1b7 100644 --- a/src/openvpn/tun.h +++ b/src/openvpn/tun.h @@ -107,6 +107,9 @@ struct tuntap_options { bool dhcp_release; bool register_dns; + + struct in6_addr dns6[N_DHCP_ADDR]; + int dns6_len; }; #elif TARGET_LINUX diff --git a/src/openvpnserv/Makefile.am b/src/openvpnserv/Makefile.am index 3521a34..58ecd91 100644 --- a/src/openvpnserv/Makefile.am +++ b/src/openvpnserv/Makefile.am @@ -26,7 +26,7 @@ openvpnserv_CFLAGS = \ -municode -D_UNICODE \ -UNTDDI_VERSION -U_WIN32_WINNT \ -D_WIN32_WINNT=_WIN32_WINNT_VISTA -openvpnserv_LDADD = -ladvapi32 -luserenv -liphlpapi -lfwpuclnt -lrpcrt4 -lshlwapi -lnetapi32 -lws2_32 +openvpnserv_LDADD = -ladvapi32 -luserenv -liphlpapi -lfwpuclnt -lrpcrt4 -lshlwapi -lnetapi32 -lws2_32 -lntdll endif openvpnserv_SOURCES = \ diff --git a/src/openvpnserv/Makefile.in b/src/openvpnserv/Makefile.in index 74a802b..b38a76a 100644 --- a/src/openvpnserv/Makefile.in +++ b/src/openvpnserv/Makefile.in @@ -1,4 +1,4 @@ -# Makefile.in generated by automake 1.13.4 from Makefile.am. +# Makefile.in generated by automake 1.14.1 from Makefile.am. # @configure_input@ # Copyright (C) 1994-2013 Free Software Foundation, Inc. @@ -387,7 +387,7 @@ AM_CPPFLAGS = \ @WIN32_TRUE@ -UNTDDI_VERSION -U_WIN32_WINNT \ @WIN32_TRUE@ -D_WIN32_WINNT=_WIN32_WINNT_VISTA -@WIN32_TRUE@openvpnserv_LDADD = -ladvapi32 -luserenv -liphlpapi -lfwpuclnt -lrpcrt4 -lshlwapi -lnetapi32 -lws2_32 +@WIN32_TRUE@openvpnserv_LDADD = -ladvapi32 -luserenv -liphlpapi -lfwpuclnt -lrpcrt4 -lshlwapi -lnetapi32 -lws2_32 -lntdll openvpnserv_SOURCES = \ common.c \ automatic.c \ @@ -504,14 +504,14 @@ distclean-compile: @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c $< +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ $< .c.obj: @am__fastdepCC_TRUE@ $(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'` @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'` +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ `$(CYGPATH_W) '$<'` .c.lo: @am__fastdepCC_TRUE@ $(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< diff --git a/src/openvpnserv/common.c b/src/openvpnserv/common.c index dba4724..eafee20 100644 --- a/src/openvpnserv/common.c +++ b/src/openvpnserv/common.c @@ -216,3 +216,15 @@ MsgToEventLog (DWORD flags, LPCTSTR format, ...) return error; } + +/* Convert a utf8 string to utf16. Caller should free the result */ +wchar_t * +utf8to16 (const char *utf8) +{ + int n = MultiByteToWideChar (CP_UTF8, 0, utf8, -1, NULL, 0); + wchar_t *utf16 = malloc (n * sizeof (wchar_t)); + if (!utf16) + return NULL; + MultiByteToWideChar (CP_UTF8, 0, utf8, -1, utf16, n); + return utf16; +} diff --git a/src/openvpnserv/interactive.c b/src/openvpnserv/interactive.c index ffaa171..ec54216 100644 --- a/src/openvpnserv/interactive.c +++ b/src/openvpnserv/interactive.c @@ -35,6 +35,12 @@ #include <sddl.h> #include <shellapi.h> +#ifdef HAVE_VERSIONHELPERS_H +#include <versionhelpers.h> +#else +#include "compat-versionhelpers.h" +#endif + #include "openvpn-msg.h" #include "validate.h" #include "block_dns.h" @@ -82,6 +88,8 @@ typedef enum { address, route, block_dns, + undo_dns4, + undo_dns6, _undo_type_max } undo_type_t; typedef list_item_t* undo_lists_t[_undo_type_max]; @@ -891,8 +899,7 @@ RegisterDNS (LPVOID unused) WCHAR sys_path[MAX_PATH]; DWORD timeout = RDNS_TIMEOUT * 1000; /* in milliseconds */ - /* default paths of net and ipconfig commands */ - WCHAR net[MAX_PATH] = L"C:\\Windows\\system32\\net.exe"; + /* default path of ipconfig command */ WCHAR ipcfg[MAX_PATH] = L"C:\\Windows\\system32\\ipconfig.exe"; struct @@ -901,8 +908,6 @@ RegisterDNS (LPVOID unused) WCHAR *cmdline; DWORD timeout; } cmds [] = { - { net, L"net stop dnscache", timeout }, - { net, L"net start dnscache", timeout }, { ipcfg, L"ipconfig /flushdns", timeout }, { ipcfg, L"ipconfig /registerdns", timeout }, }; @@ -912,9 +917,6 @@ RegisterDNS (LPVOID unused) if(GetSystemDirectory(sys_path, MAX_PATH)) { - _snwprintf (net, MAX_PATH, L"%s\\%s", sys_path, L"net.exe"); - net[MAX_PATH-1] = L'\0'; - _snwprintf (ipcfg, MAX_PATH, L"%s\\%s", sys_path, L"ipconfig.exe"); ipcfg[MAX_PATH-1] = L'\0'; } @@ -962,6 +964,156 @@ HandleRegisterDNSMessage (void) return err; } +/** + * Run the command: netsh interface $proto $action dns $if_name $addr [validate=no] + * @param action "delete" or "add" + * @param proto "ipv6" or "ip" + * @param if_name "name_of_interface" + * @param addr IPv4 (for proto = ip) or IPv6 address as a string + * + * If addr is null and action = "delete" all addresses are deleted. + */ +static DWORD +netsh_dns_cmd (const wchar_t *action, const wchar_t *proto, const wchar_t *if_name, const wchar_t *addr) +{ + DWORD err = 0; + int timeout = 30000; /* in msec */ + wchar_t argv0[MAX_PATH]; + + if (!addr) + { + if (wcscmp(action, L"delete") == 0) + addr = L"all"; + else /* nothing to do -- return success*/ + goto out; + } + + /* Path of netsh */ + int n = GetSystemDirectory (argv0, MAX_PATH); + if (n > 0 && n < MAX_PATH) /* got system directory */ + { + wcsncat(argv0, L"\\netsh.exe", MAX_PATH - n - 1); + } + else + { + wcsncpy(argv0, L"C:\\Windows\\system32\\netsh.exe", MAX_PATH); + } + + /* cmd template: + * netsh interface $proto $action dns $if_name $addr [validate=no] + */ + const wchar_t *fmt = L"netsh interface %s %s dns \"%s\" %s"; + + /* max cmdline length in wchars -- include room for worst case and some */ + int ncmdline = wcslen(fmt) + wcslen(if_name) + wcslen(addr) + 32 + 1; + wchar_t *cmdline = malloc(ncmdline*sizeof(wchar_t)); + if (!cmdline) + { + err = ERROR_OUTOFMEMORY; + goto out; + } + + openvpn_sntprintf (cmdline, ncmdline, fmt, proto, action, if_name, addr); + + if (IsWindows7OrGreater()) + { + wcsncat(cmdline, L" validate=no", ncmdline - wcslen(cmdline) - 1); + } + err = ExecCommand (argv0, cmdline, timeout); + +out: + free (cmdline); + return err; +} + +/* Delete all IPv4 or IPv6 dns servers for an interface */ +static DWORD +DeleteDNS(short family, wchar_t *if_name) +{ + wchar_t *proto = (family == AF_INET6) ? L"ipv6" : L"ip"; + return netsh_dns_cmd (L"delete", proto, if_name, NULL); +} + +/* Add an IPv4 or IPv6 dns server to an interface */ +static DWORD +AddDNS(short family, wchar_t *if_name, wchar_t *addr) +{ + wchar_t *proto = (family == AF_INET6) ? L"ipv6" : L"ip"; + return netsh_dns_cmd (L"add", proto, if_name, addr); +} + +static BOOL +CmpWString (LPVOID item, LPVOID str) +{ + return (wcscmp (item, str) == 0) ? TRUE : FALSE; +} + +static DWORD +HandleDNSConfigMessage (const dns_cfg_message_t *msg, undo_lists_t *lists) +{ + DWORD err = 0; + wchar_t addr[46]; /* large enough to hold string representation of an ipv4 / ipv6 address */ + undo_type_t undo_type = (msg->family == AF_INET6) ? undo_dns4 : undo_dns6; + int addr_len = msg->addr_len; + + /* sanity check */ + if (addr_len > _countof(msg->addr)) + addr_len = _countof(msg->addr); + + if (!msg->iface.name[0]) /* interface name is required */ + return ERROR_MESSAGE_DATA; + + wchar_t *wide_name = utf8to16(msg->iface.name); /* utf8 to wide-char */ + if (!wide_name) + return ERROR_OUTOFMEMORY; + + /* We delete all current addresses before adding any + * OR if the message type is del_dns_cfg + */ + if (addr_len > 0 || msg->header.type == msg_del_dns_cfg) + { + err = DeleteDNS(msg->family, wide_name); + if (err) + goto out; + free (RemoveListItem (&(*lists)[undo_type], CmpWString, wide_name)); + } + + if (msg->header.type == msg_del_dns_cfg) /* job done */ + goto out; + + for (int i = 0; i < addr_len; ++i) + { + if (msg->family == AF_INET6) + RtlIpv6AddressToStringW (&msg->addr[i].ipv6, addr); + else + RtlIpv4AddressToStringW (&msg->addr[i].ipv4, addr); + err = AddDNS(msg->family, wide_name, addr); + if (i == 0 && err) + goto out; + /* We do not check for duplicate addresses, so any error in adding + * additional addresses is ignored. + */ + } + + if (msg->addr_len > 0) + { + wchar_t *tmp_name = wcsdup(wide_name); + if (!tmp_name || AddListItem(&(*lists)[undo_type], tmp_name)) + { + free(tmp_name); + DeleteDNS(msg->family, wide_name); + err = ERROR_OUTOFMEMORY; + goto out; + } + } + + err = 0; + +out: + free(wide_name); + return err; +} + static VOID HandleMessage (HANDLE pipe, DWORD bytes, DWORD count, LPHANDLE events, undo_lists_t *lists) { @@ -972,6 +1124,7 @@ HandleMessage (HANDLE pipe, DWORD bytes, DWORD count, LPHANDLE events, undo_list route_message_t route; flush_neighbors_message_t flush_neighbors; block_dns_message_t block_dns; + dns_cfg_message_t dns; } msg; ack_message_t ack = { .header = { @@ -1017,6 +1170,11 @@ HandleMessage (HANDLE pipe, DWORD bytes, DWORD count, LPHANDLE events, undo_list ack.error_number = HandleRegisterDNSMessage (); break; + case msg_add_dns_cfg: + case msg_del_dns_cfg: + ack.error_number = HandleDNSConfigMessage (&msg.dns, lists); + break; + default: ack.error_number = ERROR_MESSAGE_TYPE; MsgToEventLog (MSG_FLAGS_ERROR, TEXT("Unknown message type %d"), msg.header.type); @@ -1048,6 +1206,14 @@ Undo (undo_lists_t *lists) DeleteRoute (item->data); break; + case undo_dns4: + DeleteDNS(AF_INET, item->data); + break; + + case undo_dns6: + DeleteDNS(AF_INET6, item->data); + break; + case block_dns: delete_block_dns_filters (item->data); item->data = NULL; diff --git a/src/openvpnserv/service.h b/src/openvpnserv/service.h index 94bfb07..c5d745f 100644 --- a/src/openvpnserv/service.h +++ b/src/openvpnserv/service.h @@ -89,4 +89,7 @@ BOOL ReportStatusToSCMgr (SERVICE_STATUS_HANDLE service, SERVICE_STATUS *status) LPCTSTR GetLastErrorText (); DWORD MsgToEventLog (DWORD flags, LPCTSTR lpszMsg, ...); +/* Convert a utf8 string to utf16. Caller should free the result */ +wchar_t *utf8to16 (const char *utf8); + #endif diff --git a/src/plugins/Makefile.in b/src/plugins/Makefile.in index 0d1d59b..7f80a5c 100644 --- a/src/plugins/Makefile.in +++ b/src/plugins/Makefile.in @@ -1,4 +1,4 @@ -# Makefile.in generated by automake 1.13.4 from Makefile.am. +# Makefile.in generated by automake 1.14.1 from Makefile.am. # @configure_input@ # Copyright (C) 1994-2013 Free Software Foundation, Inc. diff --git a/src/plugins/auth-pam/Makefile.in b/src/plugins/auth-pam/Makefile.in index 90d5058..3a3c656 100644 --- a/src/plugins/auth-pam/Makefile.in +++ b/src/plugins/auth-pam/Makefile.in @@ -1,4 +1,4 @@ -# Makefile.in generated by automake 1.13.4 from Makefile.am. +# Makefile.in generated by automake 1.14.1 from Makefile.am. # @configure_input@ # Copyright (C) 1994-2013 Free Software Foundation, Inc. @@ -494,14 +494,14 @@ distclean-compile: @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c $< +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ $< .c.obj: @am__fastdepCC_TRUE@ $(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'` @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'` +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ `$(CYGPATH_W) '$<'` .c.lo: @am__fastdepCC_TRUE@ $(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< diff --git a/src/plugins/down-root/Makefile.in b/src/plugins/down-root/Makefile.in index e5c0ad5..043dbb4 100644 --- a/src/plugins/down-root/Makefile.in +++ b/src/plugins/down-root/Makefile.in @@ -1,4 +1,4 @@ -# Makefile.in generated by automake 1.13.4 from Makefile.am. +# Makefile.in generated by automake 1.14.1 from Makefile.am. # @configure_input@ # Copyright (C) 1994-2013 Free Software Foundation, Inc. @@ -485,14 +485,14 @@ distclean-compile: @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c $< +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ $< .c.obj: @am__fastdepCC_TRUE@ $(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'` @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'` +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ `$(CYGPATH_W) '$<'` .c.lo: @am__fastdepCC_TRUE@ $(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< diff --git a/tests/Makefile.in b/tests/Makefile.in index 49f79d8..960808d 100644 --- a/tests/Makefile.in +++ b/tests/Makefile.in @@ -1,4 +1,4 @@ -# Makefile.in generated by automake 1.13.4 from Makefile.am. +# Makefile.in generated by automake 1.14.1 from Makefile.am. # @configure_input@ # Copyright (C) 1994-2013 Free Software Foundation, Inc. diff --git a/tests/t_client.sh b/tests/t_client.sh index b51813e..09dd26f 100755 --- a/tests/t_client.sh +++ b/tests/t_client.sh @@ -1,4 +1,4 @@ -#!/bin/sh +#!/bin/bash # # run OpenVPN client against ``test reference'' server # - check that ping, http, ... via tunnel works @@ -133,12 +133,12 @@ fail() get_ifconfig_route() { # linux / iproute2? (-> if configure got a path) - if [ -n "/usr/sbin/ip" ] + if [ -n "/bin/ip" ] then echo "-- linux iproute2 --" - /usr/sbin/ip addr show | grep -v valid_lft - /usr/sbin/ip route show - /usr/sbin/ip -o -6 route show | grep -v ' cache' | sed -E -e 's/ expires [0-9]*sec//' -e 's/ (mtu|hoplimit|cwnd|ssthresh) [0-9]+//g' -e 's/ (rtt|rttvar) [0-9]+ms//g' + /bin/ip addr show | grep -v valid_lft + /bin/ip route show + /bin/ip -o -6 route show | grep -v ' cache' | sed -E -e 's/ expires [0-9]*sec//' -e 's/ (mtu|hoplimit|cwnd|ssthresh) [0-9]+//g' -e 's/ (rtt|rttvar) [0-9]+ms//g' return fi @@ -146,32 +146,32 @@ get_ifconfig_route() case `uname -s` in Linux) echo "-- linux / ifconfig --" - LANG=C /usr/sbin/ifconfig -a |egrep "( addr:|encap:)" + LANG=C /sbin/ifconfig -a |egrep "( addr:|encap:)" LANG=C netstat -rn -4 -6 return ;; FreeBSD|NetBSD|Darwin) echo "-- FreeBSD/NetBSD/Darwin [MacOS X] --" - /usr/sbin/ifconfig -a | egrep "(flags=|inet)" + /sbin/ifconfig -a | egrep "(flags=|inet)" netstat -rn | awk '$3 !~ /^UHL/ { print $1,$2,$3,$NF }' return ;; OpenBSD) echo "-- OpenBSD --" - /usr/sbin/ifconfig -a | egrep "(flags=|inet)" | \ + /sbin/ifconfig -a | egrep "(flags=|inet)" | \ sed -e 's/pltime [0-9]*//' -e 's/vltime [0-9]*//' netstat -rn | awk '$3 !~ /^UHL/ { print $1,$2,$3,$NF }' return ;; SunOS) echo "-- Solaris --" - /usr/sbin/ifconfig -a | egrep "(flags=|inet)" + /sbin/ifconfig -a | egrep "(flags=|inet)" netstat -rn | awk '$3 !~ /^UHL/ { print $1,$2,$3,$6 }' return ;; AIX) echo "-- AIX --" - /usr/sbin/ifconfig -a | egrep "(flags=|inet)" + /sbin/ifconfig -a | egrep "(flags=|inet)" netstat -rn | awk '$3 !~ /^UHL/ { print $1,$2,$3,$6 }' return ;; diff --git a/tests/unit_tests/Makefile.in b/tests/unit_tests/Makefile.in index 6cc6043..0d5674c 100644 --- a/tests/unit_tests/Makefile.in +++ b/tests/unit_tests/Makefile.in @@ -1,4 +1,4 @@ -# Makefile.in generated by automake 1.13.4 from Makefile.am. +# Makefile.in generated by automake 1.14.1 from Makefile.am. # @configure_input@ # Copyright (C) 1994-2013 Free Software Foundation, Inc. diff --git a/tests/unit_tests/example_test/Makefile.in b/tests/unit_tests/example_test/Makefile.in index ff4f6c4..6ac7504 100644 --- a/tests/unit_tests/example_test/Makefile.in +++ b/tests/unit_tests/example_test/Makefile.in @@ -1,4 +1,4 @@ -# Makefile.in generated by automake 1.13.4 from Makefile.am. +# Makefile.in generated by automake 1.14.1 from Makefile.am. # @configure_input@ # Copyright (C) 1994-2013 Free Software Foundation, Inc. @@ -446,14 +446,14 @@ distclean-compile: @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c $< +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ $< .c.obj: @am__fastdepCC_TRUE@ $(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'` @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'` +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ `$(CYGPATH_W) '$<'` .c.lo: @am__fastdepCC_TRUE@ $(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< diff --git a/tests/unit_tests/openvpn/Makefile.in b/tests/unit_tests/openvpn/Makefile.in index 3816fef..198d387 100644 --- a/tests/unit_tests/openvpn/Makefile.in +++ b/tests/unit_tests/openvpn/Makefile.in @@ -1,4 +1,4 @@ -# Makefile.in generated by automake 1.13.4 from Makefile.am. +# Makefile.in generated by automake 1.14.1 from Makefile.am. # @configure_input@ # Copyright (C) 1994-2013 Free Software Foundation, Inc. @@ -499,14 +499,14 @@ distclean-compile: @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c $< +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ $< .c.obj: @am__fastdepCC_TRUE@ $(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'` @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'` +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ `$(CYGPATH_W) '$<'` .c.lo: @am__fastdepCC_TRUE@ $(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< diff --git a/tests/unit_tests/plugins/Makefile.in b/tests/unit_tests/plugins/Makefile.in index 1f44c58..16acc0b 100644 --- a/tests/unit_tests/plugins/Makefile.in +++ b/tests/unit_tests/plugins/Makefile.in @@ -1,4 +1,4 @@ -# Makefile.in generated by automake 1.13.4 from Makefile.am. +# Makefile.in generated by automake 1.14.1 from Makefile.am. # @configure_input@ # Copyright (C) 1994-2013 Free Software Foundation, Inc. diff --git a/tests/unit_tests/plugins/auth-pam/Makefile.in b/tests/unit_tests/plugins/auth-pam/Makefile.in index dfe7eba..34156b5 100644 --- a/tests/unit_tests/plugins/auth-pam/Makefile.in +++ b/tests/unit_tests/plugins/auth-pam/Makefile.in @@ -1,4 +1,4 @@ -# Makefile.in generated by automake 1.13.4 from Makefile.am. +# Makefile.in generated by automake 1.14.1 from Makefile.am. # @configure_input@ # Copyright (C) 1994-2013 Free Software Foundation, Inc. @@ -434,14 +434,14 @@ distclean-compile: @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c $< +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ $< .c.obj: @am__fastdepCC_TRUE@ $(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'` @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'` +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ `$(CYGPATH_W) '$<'` .c.lo: @am__fastdepCC_TRUE@ $(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< diff --git a/vendor/Makefile.in b/vendor/Makefile.in index b5baef3..d510d51 100644 --- a/vendor/Makefile.in +++ b/vendor/Makefile.in @@ -1,4 +1,4 @@ -# Makefile.in generated by automake 1.13.4 from Makefile.am. +# Makefile.in generated by automake 1.14.1 from Makefile.am. # @configure_input@ # Copyright (C) 1994-2013 Free Software Foundation, Inc. @@ -3,7 +3,7 @@ define([PRODUCT_NAME], [OpenVPN]) define([PRODUCT_TARNAME], [openvpn]) define([PRODUCT_VERSION_MAJOR], [2]) define([PRODUCT_VERSION_MINOR], [4]) -define([PRODUCT_VERSION_PATCH], [_beta1]) +define([PRODUCT_VERSION_PATCH], [_rc1]) m4_append([PRODUCT_VERSION], [PRODUCT_VERSION_MAJOR]) m4_append([PRODUCT_VERSION], [PRODUCT_VERSION_MINOR], [[.]]) m4_append([PRODUCT_VERSION], [PRODUCT_VERSION_PATCH], [[]]) |