Renamed sample-keys/tmp-ca.crt to ca.crt.

Fixed bug where remove_iroutes_from_push_route_list
was missing routes if those routes had
an implied netmask (by omission) of 255.255.255.255.


git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@587 e7ae566f-a301-0410-adde-c780ea21d3b5

openvpn.8

@@ -3363,15 +3363,15 @@ certificate.  This file can have multiple
 certificates in .pem format, concatenated together.  You can construct your own
 certificate authority certificate and private key by using a command such as:
 
-.B openssl req -nodes -new -x509 -keyout tmp-ca.key -out tmp-ca.crt
+.B openssl req -nodes -new -x509 -keyout ca.key -out ca.crt
 
 Then edit your openssl.cnf file and edit the
 .B certificate
 variable to point to your new root certificate
-.B tmp-ca.crt.
+.B ca.crt.
 
 For testing purposes only, the OpenVPN distribution includes a sample
-CA certificate (tmp-ca.crt).
+CA certificate (ca.crt).
 Of course you should never use
 the test certificates and test keys distributed with OpenVPN in a
 production environment, since by virtue of the fact that
@@ -5001,9 +5001,9 @@ Diffie Hellman parameters (see above where
 .B --dh
 is discussed for more info).  You can also use the
 included test files client.crt, client.key,
-server.crt, server.key and tmp-ca.crt.
+server.crt, server.key and ca.crt.
 The .crt files are certificates/public-keys, the .key
-files are private keys, and tmp-ca.crt is a certification
+files are private keys, and ca.crt is a certification
 authority who has signed both
 client.crt and server.crt.  For Diffie Hellman
 parameters you can use the included file dh1024.pem.
@@ -5011,11 +5011,11 @@ parameters you can use the included file dh1024.pem.
 .LP
 On may:
 .IP
-.B openvpn --remote june.kg --dev tun1 --ifconfig 10.4.0.1 10.4.0.2 --tls-client --ca tmp-ca.crt --cert client.crt --key client.key --reneg-sec 60 --verb 5
+.B openvpn --remote june.kg --dev tun1 --ifconfig 10.4.0.1 10.4.0.2 --tls-client --ca ca.crt --cert client.crt --key client.key --reneg-sec 60 --verb 5
 .LP
 On june:
 .IP
-.B openvpn --remote may.kg --dev tun1 --ifconfig 10.4.0.2 10.4.0.1 --tls-server --dh dh1024.pem --ca tmp-ca.crt --cert server.crt --key server.key --reneg-sec 60 --verb 5
+.B openvpn --remote may.kg --dev tun1 --ifconfig 10.4.0.2 10.4.0.1 --tls-server --dh dh1024.pem --ca ca.crt --cert server.crt --key server.key --reneg-sec 60 --verb 5
 .LP
 Now verify the tunnel is working by pinging across the tunnel.
 .LP

push.c

@@ -273,12 +273,12 @@ remove_iroutes_from_push_route_list (struct options *o)
 	  if (parse_line (line, p, SIZE (p), "[PUSH_ROUTE_REMOVE]", 1, D_ROUTE_DEBUG, &gc))
 	    {
 	      /* is the push item a route directive? */
-	      if (p[0] && p[1] && p[2] && !strcmp (p[0], "route"))
+	      if (p[0] && !strcmp (p[0], "route") && !p[3])
 		{
 		  /* get route parameters */
 		  bool status1, status2;
 		  const in_addr_t network = getaddr (GETADDR_HOST_ORDER, p[1], 0, &status1, NULL);
-		  const in_addr_t netmask = getaddr (GETADDR_HOST_ORDER, p[2], 0, &status2, NULL);
+		  const in_addr_t netmask = getaddr (GETADDR_HOST_ORDER, p[2] ? p[2] : "255.255.255.255", 0, &status2, NULL);
 
 		  /* did route parameters parse correctly? */
 		  if (status1 && status2)
@@ -288,7 +288,7 @@ remove_iroutes_from_push_route_list (struct options *o)
 		      /* does route match an iroute? */
 		      for (ir = o->iroutes; ir != NULL; ir = ir->next)
 			{
-			  if (network == ir->network && netmask == netbits_to_netmask (ir->netbits))
+			  if (network == ir->network && netmask == netbits_to_netmask (ir->netbits >= 0 ? ir->netbits : 32))
 			    {
 			      copy = false;
 			      break;

sample-config-files/loopback-client

@@ -17,7 +17,7 @@ dev null
 verb 3
 reneg-sec 10
 tls-client
-ca sample-keys/tmp-ca.crt
+ca sample-keys/ca.crt
 key sample-keys/client.key
 cert sample-keys/client.crt
 cipher DES-EDE3-CBC

sample-config-files/loopback-server

@@ -18,7 +18,7 @@ verb 3
 reneg-sec 10
 tls-server
 dh sample-keys/dh1024.pem
-ca sample-keys/tmp-ca.crt
+ca sample-keys/ca.crt
 key sample-keys/server.key
 cert sample-keys/server.crt
 cipher DES-EDE3-CBC

sample-keys/README

@@ -7,7 +7,7 @@ NOTE: THESE KEYS ARE FOR TESTING PURPOSES ONLY.
       DON'T USE THEM FOR ANY REAL WORK BECAUSE
       THEY ARE TOTALLY INSECURE!
 
-tmp-ca.{crt,key} -- sample CA key/cert
+ca.{crt,key}     -- sample CA key/cert
 client.{crt,key} -- sample client key/cert
 server.{crt,key} -- sample server key/cert (nsCertType=server)
 pass.{crt,key}   -- sample client key/cert with password-encrypted key