/[smecontribs]/rpms/smeserver-openvpn-s2s/contribs10/smeserver-openvpn-s2s-0.2-sme10.patch
ViewVC logotype

Annotation of /rpms/smeserver-openvpn-s2s/contribs10/smeserver-openvpn-s2s-0.2-sme10.patch

Parent Directory Parent Directory | Revision Log Revision Log | View Revision Graph Revision Graph


Revision 1.1 - (hide annotations) (download)
Tue Mar 30 05:07:27 2021 UTC (3 years, 8 months ago) by jpp
Branch: MAIN
* Tue Mar 30 2021 Jean-Philippe Pialasse <tests@pialasse.com> 0.2-10.sme
- enforce better cipher with settings [SME: 11498]
- enforce better HMAC with setting [SME: 11498]
- enforce TLS 1.2 or better with setting [SME: 11498]
- enforce strong TLS ciphers with setting [SME: 11498]
- better list of vpn connections [SME: 11337]
- allow soft reload of individual connection [SME: 11337]
- fix incorect permission on private keys [SME: 11337]

1 jpp 1.1 diff -Nur --no-dereference smeserver-openvpn-s2s-0.2.old/createlinks smeserver-openvpn-s2s-0.2/createlinks
2     --- smeserver-openvpn-s2s-0.2.old/createlinks 2021-03-30 00:12:27.731000000 -0400
3     +++ smeserver-openvpn-s2s-0.2/createlinks 2021-03-30 01:01:21.126000000 -0400
4     @@ -5,9 +5,7 @@
5     safe_symlink("restart", "root/etc/e-smith/events/openvpn-s2s-update/services2adjust/openvpn-s2s");
6     safe_symlink("adjust", "root/etc/e-smith/events/openvpn-s2s-update/services2adjust/masq");
7    
8     -#service_link_enhanced("openvpn-s2s", "S80", "7");
9     -#service_link_enhanced("openvpn-s2s", "K25", "6");
10     -#service_link_enhanced("openvpn-s2s", "K25", "0");
11     +event_link("openvpn-s2s-onelink", "openvpn-s2s-update-one", "50");
12    
13     event_link("openvpn-s2s-delete-networks", "openvpn-s2s-update", "10");
14     event_link("openvpn-s2s-genconf", "openvpn-s2s-update", "20");
15     diff -Nur --no-dereference smeserver-openvpn-s2s-0.2.old/root/etc/e-smith/events/actions/openvpn-s2s-onelink smeserver-openvpn-s2s-0.2/root/etc/e-smith/events/actions/openvpn-s2s-onelink
16     --- smeserver-openvpn-s2s-0.2.old/root/etc/e-smith/events/actions/openvpn-s2s-onelink 1969-12-31 19:00:00.000000000 -0500
17     +++ smeserver-openvpn-s2s-0.2/root/etc/e-smith/events/actions/openvpn-s2s-onelink 2021-03-30 00:54:13.858000000 -0400
18     @@ -0,0 +1,60 @@
19     +#!/usr/bin/perl -w
20     +
21     +#----------------------------------------------------------------------
22     +# copyright (C) 2010 Firewall Services
23     +# Daniel Berteaud <daniel@firewall-services.com>
24     +#
25     +# This program is free software; you can redistribute it and/or modify
26     +# it under the terms of the GNU General Public License as published by
27     +# the Free Software Foundation; either version 2 of the License, or
28     +# (at your option) any later version.
29     +#
30     +# This program is distributed in the hope that it will be useful,
31     +# but WITHOUT ANY WARRANTY; without even the implied warranty of
32     +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
33     +# GNU General Public License for more details.
34     +#
35     +# You should have received a copy of the GNU General Public License
36     +# along with this program; if not, write to the Free Software
37     +# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
38     +#----------------------------------------------------------------------
39     +
40     +use strict;
41     +use esmith::templates;
42     +use esmith::ConfigDB;
43     +
44     +
45     +my $event = $ARGV [0];
46     +my $vpn = $ARGV [1];
47     +my $lock="/var/lock/subsys/openvpn-s2s";
48     +my $piddir="/var/run/openvpn-s2s";
49     +
50     +die "missing vpn name" unless defined $vpn;
51     +
52     +my $db = esmith::ConfigDB->open_ro("openvpn-s2s");
53     +
54     +my $conf = $db->get($vpn) or die "unknown site to site vpn";
55     +
56     +my $key = $conf->key;
57     +my $status = $conf->prop('status') || 'disabled';
58     +if ($status eq 'enabled'){
59     + processTemplate(
60     + {
61     + TEMPLATE_PATH => "/etc/openvpn/s2s/openvpn-s2s.conf",
62     + MORE_DATA => {DB_KEY=>$key},
63     + OUTPUT_FILENAME => "/etc/openvpn/s2s/$key.conf",
64     + });
65     +
66     + if ( -f $lock ) {
67     + my $pidf = "$piddir/$key.pid";
68     + if ( -f $pidf ) {
69     + my $pid=`cat $pidf`;
70     + kill 'USR1', $pid || exit 1 ;
71     + exit 0;
72     + }
73     + }
74     + else {
75     + print "openvpn: service not started";
76     + exit 1
77     + }
78     +}
79     diff -Nur --no-dereference smeserver-openvpn-s2s-0.2.old/root/etc/e-smith/locale/en-us/etc/e-smith/web/functions/openvpns2s smeserver-openvpn-s2s-0.2/root/etc/e-smith/locale/en-us/etc/e-smith/web/functions/openvpns2s
80     --- smeserver-openvpn-s2s-0.2.old/root/etc/e-smith/locale/en-us/etc/e-smith/web/functions/openvpns2s 2013-11-11 12:33:06.000000000 -0500
81     +++ smeserver-openvpn-s2s-0.2/root/etc/e-smith/locale/en-us/etc/e-smith/web/functions/openvpns2s 2021-03-30 00:54:14.068000000 -0400
82     @@ -285,4 +285,71 @@
83     <base>IP_IN_LOCAL_NET</base>
84     <trans>This IP address is part of one of your local networks</trans>
85     </entry>
86     +
87     + <entry>
88     + <base>UNSECURE</base>
89     + <trans>Unsecure parameter</trans>
90     + </entry>
91     + <entry>
92     + <base>SUGGESTED</base>
93     + <trans>Sugested value</trans>
94     + </entry>
95     + <entry>
96     + <base>DEFAULT</base>
97     + <trans>Default</trans>
98     + </entry>
99     + <entry>
100     + <base>DOWN</base>
101     + <trans>Down</trans>
102     + </entry>
103     + <entry>
104     + <base>UP</base>
105     + <trans>Up</trans>
106     + </entry>
107     + <entry>
108     + <base>SUCCESS_RELOAD</base>
109     + <trans>VPN connection reloaded with success</trans>
110     + </entry>
111     + <entry>
112     + <base>DESC_RELOAD</base>
113     + <trans>Do you really want to reload this vpn connection?</trans>
114     + </entry>
115     + <entry>
116     + <base>RELOAD</base>
117     + <trans>reload</trans>
118     + </entry>
119     + <entry>
120     + <base>DESC_HMAC</base>
121     + <trans>HMAC is part of the encryption of the data channel for openvpn (where your data travel) after encryption with the cipher. Default is the insecure SHA1, we suggest you to at least use SHA256. This setting should match on both the server and the client</trans>
122     + </entry>
123     + <entry>
124     + <base>LABEL_HMAC</base>
125     + <trans>HMAC algorithm</trans>
126     + </entry>
127     + <entry>
128     + <base>DESC_CIPHER</base>
129     + <trans>The cipher used for your data channel for openvpn. The default is to use the insecure BlowFish algorithm. We suggest you the AES-128-CBC or higher. This setting should match on both the server and the client.</trans>
130     + </entry>
131     + <entry>
132     + <base>LABEL_CIPHER</base>
133     + <trans>Cipher encryption algorithm</trans>
134     + </entry>
135     + <entry>
136     + <base>DESC_SNAT</base>
137     + <trans>SNAT Outbound can be enabled or disabled (default is enabled). When enabled, connections initiated by the server itself will be SNATed so they will appear to come from the internal IP. If disabled, connections from the server itself will have the virtual IP as source.</trans>
138     + </entry>
139     + <entry>
140     + <base>LABEL_SNAT</base>
141     + <trans>SNAT Outbound</trans>
142     + </entry>
143     + <entry>
144     + <base>CIPHER</base>
145     + <trans>Cipher</trans>
146     + </entry>
147     + <entry>
148     + <base>LINK</base>
149     + <trans>Link status</trans>
150     + </entry>
151     +
152     +
153     </lexicon>
154     diff -Nur --no-dereference smeserver-openvpn-s2s-0.2.old/root/etc/e-smith/templates/etc/openvpn/s2s/openvpn-s2s.conf/30key smeserver-openvpn-s2s-0.2/root/etc/e-smith/templates/etc/openvpn/s2s/openvpn-s2s.conf/30key
155     --- smeserver-openvpn-s2s-0.2.old/root/etc/e-smith/templates/etc/openvpn/s2s/openvpn-s2s.conf/30key 2021-03-30 00:12:27.713000000 -0400
156     +++ smeserver-openvpn-s2s-0.2/root/etc/e-smith/templates/etc/openvpn/s2s/openvpn-s2s.conf/30key 2021-03-30 00:54:12.710000000 -0400
157     @@ -5,16 +5,41 @@
158     my $checkcrt = $db->get_prop($key,'CheckCertificateUsage') || 'disabled';
159     my $tlsremote = $db->get_prop($key,'RemoteCommonName') || '';
160    
161     +#HMAC default is SHA1 if empty, we really want higher on new setup, but keep empty for default on existing one...
162     +# need to be changed on both side
163     +my $HMAC = ( $db->get_prop($key,'HMAC') ) ? $db->get_prop($key,'HMAC') : undef;
164     +# cipher default to BF if empty, we really want higher on new setup, but keep empty for default on existing one...
165     +# # here openvpn uses encrypt-then-mc so no issue using CBC rather than GCM, and GCM not implemented before openvpn 2.4 for data channel
166     +my $cipher = ( $db->get_prop($key,'Cipher') && $db->get_prop($key,'Cipher') ne 'auto')? $db->get_prop($key,'Cipher') : undef;
167     +
168     +## we do not want any tls 1.1 or lower, this does not break anything to force, unless the client is very old and limited to 1.1 or lower
169     +my $tlsVmin = ( $db->get_prop($key,'tlsVmin') && ( $db->get_prop($key,'tlsVmin') =~ /^1\.[0-9]{1}$/ ) ) ? $db->get_prop($key,'tlsVmin') : "1.2";
170     +# TLS 1.3 encryption settings
171     +my $tlsCipherSuites13 = ( $db->get_prop($key,'tlsCipherSuites13') ) ? $db->get_prop($key,'tlsCipherSuites13') : "TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256";
172     +# # TLS 1.2 encryption settings
173     +my $tlsCipher12 = ( $db->get_prop($key,'tlsCipher12') ) ? $db->get_prop($key,'tlsCipher12') : "TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256:TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256:TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256:TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256";
174     +
175     +
176     +# cipher default to BF if empty, we really want higher on new setup, but keep empty for default on existing one...
177     +# here openvpn uses encrypt-then-mc so no issue using CBC rather than GCM, and GCM not implemented before openvpn 2.4 for data channel
178     +my $cipher = ( $db->get_prop($key,'Cipher') && $db->get_prop($key,'Cipher') ne 'auto')? $db->get_prop($key,'Cipher') : undef;
179     +
180     +
181     if ($auth eq 'SharedKey'){
182     $OUT .= "secret priv/$key"."_sharedkey.pem\n";
183     }
184     elsif ($auth eq 'TLS'){
185     if ($type eq 'server'){
186     $OUT .= "tls-server\n";
187     + $OUT .= "tls-version-min $tlsVmin\n";
188     + $OUT .= "tls-cipher $tlsCipher12\n" if defined $tlsCipher12;
189     + $OUT .= "tls-ciphersuites tlsCipherSuites13\n" if defined tlsCipherSuites13;
190     $OUT .= "ca pub/$key" . "_cacert.pem\n";
191     $OUT .= "cert pub/$key" . "_cert.pem\n";
192     $OUT .= "key priv/$key" . "_key.pem\n";
193     $OUT .= "dh pub/$key" . "_dh.pem\n";
194     + $OUT .= "# we might be able to disable dh param with this one, NSA-'s recommended curve\n";
195     + $OUT .= "ecdh-curve secp384r1\n";
196     $OUT .= "tls-auth priv/$key" . "_sharedkey.pem 0\n"
197     if ( -e "/etc/openvpn/s2s/priv/$key".'_sharedkey.pem' ) &&
198     ( ! -z "/etc/openvpn/s2s/priv/$key".'_sharedkey.pem' );
199     @@ -26,9 +51,14 @@
200     }
201     else{
202     $OUT .= "tls-client\n";
203     + $OUT .= "tls-version-min $tlsVmin\n";
204     + $OUT .= "tls-cipher $tlsCipher12\n" if defined $tlsCipher12;
205     + $OUT .= "tls-ciphersuites tlsCipherSuites13\n" if defined tlsCipherSuites13;
206     $OUT .= "ca pub/$key" . "_cacert.pem\n";
207     $OUT .= "cert pub/$key" . "_cert.pem\n";
208     $OUT .= "key priv/$key" . "_key.pem\n";
209     + $OUT .= "# we might be able to disable dh param with this one, NSA-'s recommended curve\n";
210     + $OUT .= "ecdh-curve secp384r1\n";
211     $OUT .= "tls-auth priv/$key" . "_sharedkey.pem 1\n"
212     if ( -e "/etc/openvpn/s2s/priv/$key".'_sharedkey.pem' ) &&
213     ( ! -z "/etc/openvpn/s2s/priv/$key".'_sharedkey.pem' );
214     @@ -40,5 +70,12 @@
215     }
216     }
217    
218     + # available for both sharedkey and tls
219     + # data channel
220     + $OUT .= "#securing data channel\n";
221     + $OUT .= (defined $cipher) ? "cipher $cipher\n" : "# no cipher defined default to Blowfish, this is INSECURE, please consider AES-128-CBC or higher on both client and server\n";
222     + #auth SHA512
223     + $OUT .= (defined $HMAC )? "auth $HMAC\n" : "# no HMAC defined, default to SHA1, please consider SHA256 or higher on both client and server\n";
224     +#
225     }
226    
227     diff -Nur --no-dereference smeserver-openvpn-s2s-0.2.old/root/etc/e-smith/templates/etc/openvpn/s2s/openvpn-s2s.conf/60options smeserver-openvpn-s2s-0.2/root/etc/e-smith/templates/etc/openvpn/s2s/openvpn-s2s.conf/60options
228     --- smeserver-openvpn-s2s-0.2.old/root/etc/e-smith/templates/etc/openvpn/s2s/openvpn-s2s.conf/60options 2013-11-11 12:33:06.000000000 -0500
229     +++ smeserver-openvpn-s2s-0.2/root/etc/e-smith/templates/etc/openvpn/s2s/openvpn-s2s.conf/60options 2021-03-30 00:54:12.466000000 -0400
230     @@ -1,13 +1,11 @@
231     # Options
232     {
233    
234     -my $cipher = $db->get_prop($key,'Cipher') || 'auto';
235     my $comp = $db->get_prop($key,'Compression') || 'enabled';
236    
237    
238     $OUT .= "comp-lzo adaptive\n" if ($comp eq 'enabled');
239    
240     -$OUT .= "cipher $cipher\n" if ($cipher ne 'auto');
241    
242     if ($type eq 'server'){
243     $OUT .= "ping-timer-rem\n";
244     diff -Nur --no-dereference smeserver-openvpn-s2s-0.2.old/root/etc/e-smith/web/functions/openvpns2s smeserver-openvpn-s2s-0.2/root/etc/e-smith/web/functions/openvpns2s
245     --- smeserver-openvpn-s2s-0.2.old/root/etc/e-smith/web/functions/openvpns2s 2013-11-11 12:33:06.000000000 -0500
246     +++ smeserver-openvpn-s2s-0.2/root/etc/e-smith/web/functions/openvpns2s 2021-03-30 00:54:12.925000000 -0400
247     @@ -4,7 +4,7 @@
248     #----------------------------------------------------------------------
249     # heading : Configuration
250     # description : OpenVPN Site to Site
251     -# navigation : 1000 1000
252     +# navigation : 6000 6750
253     #----------------------------------------------------------------------
254    
255     #----------------------------------------------------------------------
256     @@ -99,6 +99,16 @@
257     <label>LABEL_AUTH</label>
258     </field>
259    
260     + <field type="select" id="hmac" options="get_digests_options()" value="get_current_hmac()">
261     + <description>DESC_HMAC</description>
262     + <label>LABEL_HMAC</label>
263     + </field>
264     +
265     + <field type="select" id="cipher" options="get_ciphers_options()" value="get_current_cipher()">
266     + <description>DESC_CIPHER</description>
267     + <label>LABEL_CIPHER</label>
268     + </field>
269     +
270     <field type="text" id="remote_host" validation="is_hostname_or_ip()">
271     <description>DESC_REMOTE_HOST</description>
272     <label>LABEL_REMOTE_HOST</label>
273     @@ -119,13 +129,18 @@
274     <label>LABEL_REMOTE_IP</label>
275     </field>
276    
277     + <field type="select" id="SnatOutbound" value="" options="'disabled' => 'DISABLED', 'enabled' => 'ENABLED'">
278     + <description>DESC_SNAT</description>
279     + <label>LABEL_SNAT</label>
280     + </field>
281     +
282     +
283     <field type="text" size="53" id="remote_net" validation="is_valid_net_or_empty()">
284     <description>DESC_REMOTE_NET</description>
285     <label>LABEL_REMOTE_NET</label>
286     </field>
287    
288     <subroutine src="print_button('NEXT')"/>
289     -
290     </page>
291    
292     #----------------------------------------------------------------
293     @@ -156,6 +171,16 @@
294     <label>LABEL_AUTH</label>
295     </field>
296    
297     + <field type="select" id="hmac" options="get_digests_options()" value="get_current_hmac()">
298     + <description>DESC_HMAC</description>
299     + <label>LABEL_HMAC</label>
300     + </field>
301     +
302     + <field type="select" id="cipher" options="get_ciphers_options()" value="get_current_cipher()">
303     + <description>DESC_CIPHER</description>
304     + <label>LABEL_CIPHER</label>
305     + </field>
306     +
307     <field type="text" id="port" validation="is_valid_and_available_port()">
308     <description>DESC_LOCAL_PORT</description>
309     <label>LABEL_LOCAL_PORT</label>
310     @@ -196,4 +221,11 @@
311     <subroutine src="print_conf_to_remove()"/>
312     </page>
313    
314     + <page name="RELOAD_PAGE" pre-event="turn_off_buttons()" post-event="reload()">
315     + <field type="literal" id="conf_name">
316     + <description>DESC_RELOAD</description>
317     + </field>
318     + <subroutine src="print_button('NEXT')"/>
319     + </page>
320     +
321     </form>
322     diff -Nur --no-dereference smeserver-openvpn-s2s-0.2.old/root/usr/lib/systemd/system/openvpn-s2s.service smeserver-openvpn-s2s-0.2/root/usr/lib/systemd/system/openvpn-s2s.service
323     --- smeserver-openvpn-s2s-0.2.old/root/usr/lib/systemd/system/openvpn-s2s.service 2021-03-30 00:12:27.732000000 -0400
324     +++ smeserver-openvpn-s2s-0.2/root/usr/lib/systemd/system/openvpn-s2s.service 2021-03-30 00:54:13.389000000 -0400
325     @@ -1,10 +1,16 @@
326     [Unit]
327     Description=OpenVPN Server to Server
328     After=network.service
329     +
330     [Service]
331     -Type=forking
332     +Type=oneshot
333     +RemainAfterExit=yes
334     +GuessMainPID=no
335     +
336     ExecStart=/usr/sbin/systemd/openvpn-s2s start
337     ExecStop=/usr/sbin/systemd/openvpn-s2s stop
338     +ExecReload=/usr/sbin/systemd/openvpn-s2s reopen
339     +
340     [Install]
341     WantedBy=sme-server.target
342    
343     diff -Nur --no-dereference smeserver-openvpn-s2s-0.2.old/root/usr/sbin/systemd/openvpn-s2s smeserver-openvpn-s2s-0.2/root/usr/sbin/systemd/openvpn-s2s
344     --- smeserver-openvpn-s2s-0.2.old/root/usr/sbin/systemd/openvpn-s2s 2021-03-30 00:12:27.732000000 -0400
345     +++ smeserver-openvpn-s2s-0.2/root/usr/sbin/systemd/openvpn-s2s 2021-03-30 00:54:13.631000000 -0400
346     @@ -90,6 +90,9 @@
347     fi
348     done
349    
350     +#ncp
351     +ncp=" --ncp-ciphers AES-256-GCM:AES-128-GCM:AES-256-CBC:AES-128-CBC:BF-CBC "
352     +
353     # Lockfile
354     lock="/var/lock/subsys/openvpn-s2s"
355    
356     @@ -218,6 +221,7 @@
357     kill -HUP `cat $pidf` >/dev/null 2>&1
358     fi
359     done
360     + exit 0
361     else
362     echo "openvpn: service not started"
363     exit 1
364     @@ -230,6 +234,7 @@
365     kill -USR1 `cat $pidf` >/dev/null 2>&1
366     fi
367     done
368     + exit 0
369     else
370     echo "openvpn: service not started"
371     exit 1
372     diff -Nur --no-dereference smeserver-openvpn-s2s-0.2.old/root/usr/share/perl5/vendor_perl/esmith/FormMagick/Panel/openvpns2s.pm smeserver-openvpn-s2s-0.2/root/usr/share/perl5/vendor_perl/esmith/FormMagick/Panel/openvpns2s.pm
373     --- smeserver-openvpn-s2s-0.2.old/root/usr/share/perl5/vendor_perl/esmith/FormMagick/Panel/openvpns2s.pm 2021-03-30 00:12:27.724000000 -0400
374     +++ smeserver-openvpn-s2s-0.2/root/usr/share/perl5/vendor_perl/esmith/FormMagick/Panel/openvpns2s.pm 2021-03-30 00:54:13.155000000 -0400
375     @@ -26,6 +26,7 @@
376     remove_conf
377     print_conf_to_remove
378     read_file
379     + reload
380     );
381    
382     our $pubdir = '/etc/openvpn/s2s/pub';
383     @@ -91,6 +92,21 @@
384     $ovpn_db->set_prop($conf, 'status', $q->param("status"));
385     $ovpn_db->set_prop($conf, 'Comment', $q->param("comment"));
386     $ovpn_db->set_prop($conf, 'RemoteNetworks', $q->param("remote_net"));
387     + $ovpn_db->set_prop($conf, 'SnatOutbound', $q->param("SnatOutbound"));
388     + if ($q->param("hmac") eq 'SHA1') {
389     + my $tmpk = $ovpn_db->get($conf);
390     + $tmpk->delete_prop('HMAC');
391     + }
392     + else {
393     + $ovpn_db->set_prop($conf, 'HMAC' , $q->param("hmac"));
394     + }
395     + if ($q->param("cipher") eq 'BF-CBC') {
396     + my $tmpk = $ovpn_db->get($conf);
397     + $tmpk->delete_prop('cipher');
398     + }
399     + else {
400     + $ovpn_db->set_prop($conf, 'cipher', $q->param("cipher"));
401     + }
402    
403     # Now, update the main configuration entry
404     update_ports();
405     @@ -153,6 +169,9 @@
406     }
407     print KEY $q->param('key_pem');
408     close KEY;
409     + chmod(0600, "$privdir/${conf}_key.pem" );
410     + esmith::util::chownFile("root", "root","$privdir/${conf}_key.pem" );
411     +
412    
413     if (! open (DH, ">$pubdir/$conf" . "_dh.pem")){
414     $fm->error('ERROR_OPEN_DH','FIRST_PAGE');
415     @@ -167,11 +186,13 @@
416     }
417     print TA $q->param('shared_key');
418     close TA;
419     + chmod(0600, "$privdir/${conf}_sharedkey.pem" );
420     + esmith::util::chownFile("root", "root","$privdir/${conf}_sharedkey.pem" );
421    
422     - esmith::util::chownFile("root", "root", "$privdir/$conf*");
423     - esmith::util::chownFile("root", "root", "$pubdir/$conf*");
424     - chmod 0600, "$privdir/$conf*";
425     - chmod 0644, "$pubdir/$conf*";
426     + esmith::util::chownFile("root", "root", "$privdir");
427     + esmith::util::chownFile("root", "root", "$pubdir");
428     + chmod 0600, "$privdir";
429     + chmod 0644, "$pubdir";
430    
431     $ovpn_db->set_prop($conf, 'CrlUrl', $q->param("crl_url"));
432    
433     @@ -294,6 +315,22 @@
434    
435    
436     # Print clients or servers table
437     +sub reload{
438     + my ($fm) = @_;
439     + my $q = $fm->{cgi};
440     + my $conf = $q->param('conf_name');
441     + #$conf = $conf=~ m/^([a-zA-Z\-\_0-9]+)$/;
442     + unless (system ("/sbin/e-smith/signal-event", "openvpn-s2s-update-one", $conf) == 0 ){
443     + $fm->error('ERROR_OCCURED1','FIRST_PAGE');
444     + return undef;
445     + }
446     + $fm->success( $fm->localise('SUCCESS_RELOAD') . " $conf" ,'FIRST_PAGE');
447     + return undef;
448     +
449     +
450     +}
451     +
452     +# Print clients or servers table
453     sub print_conf_table{
454     my $fm = shift;
455     my $type = shift;
456     @@ -310,8 +347,15 @@
457     print $q->start_table({-CLASS => "sme-border"}),"\n";
458     print $q->Tr (
459     esmith::cgi::genSmallCell($q, $fm->localise('CONF_NAME'),"header"),
460     - esmith::cgi::genSmallCell($q, $fm->localise('MODIFY'),"header"),
461     - esmith::cgi::genSmallCell($q, $fm->localise('STATUS'),"header")),"\n";
462     + esmith::cgi::genSmallCell($q, $fm->localise('STATUS'),"header"),
463     + esmith::cgi::genSmallCell($q, $fm->localise('CIPHER'),"header"),
464     + esmith::cgi::genSmallCell($q, 'HMAC',"header"),
465     + esmith::cgi::genSmallCell($q, $fm->localise('LABEL_AUTH'),"header"),
466     + esmith::cgi::genSmallCell($q, $fm->localise('LINK'),"header"),
467     + esmith::cgi::genSmallCell($q, $fm->localise('ACTION'),"header", 3),
468     + ),
469     + "\n";
470     +
471    
472     foreach my $config (@conf){
473     my $key = $config->key;
474     @@ -323,11 +367,28 @@
475     elsif ($status eq 'disabled'){
476     $status = $fm->localise('DISABLED');
477     }
478     + my $cipher = $config->prop('cipher') || 'BF-CBC';
479     + $cipher = "<span style='color:red'>". $fm->localise('UNSECURE'). " $cipher</span> " unless ($cipher =~ /(128|192|256|512|SEED)/ );
480     + my $hmac = $config->prop('hmac') || 'SHA1';
481     + $hmac= "<span style='color:red'>". $fm->localise('UNSECURE'). " $hmac</span> " unless ($hmac eq "whirlpool" || $hmac =~ /(512|256|384|224)$/);
482     + my $authe = $config->prop('Authentication') || '';
483     + my $linkup = "<span style='color:red'>". $fm->localise('DOWN')."</span>" ;
484     + use Net::Ping;
485     + my $p = Net::Ping->new();
486     + $linkup = "<span style='color:green'>". $fm->localise('UP') ."</span>" if $p->ping($config->prop('RemoteIP'));
487     +
488     print $q->Tr (esmith::cgi::genSmallCell($q,"$key"),
489     + esmith::cgi::genSmallCell($q,"$status"),
490     + esmith::cgi::genSmallCell($q,"$cipher"),
491     + esmith::cgi::genSmallCell($q,"$hmac"),
492     + esmith::cgi::genSmallCell($q,"$authe"),
493     + esmith::cgi::genSmallCell($q,"$linkup"),
494     + esmith::cgi::genSmallCell ($q, $q->a ({href => $q->url (-absolute => 1).
495     + $base_url."RELOAD_PAGE&action=reload&conf_name=".
496     + $key}, $fm->localise('RELOAD'))),
497     esmith::cgi::genSmallCell ($q, $q->a ({href => $q->url (-absolute => 1).
498     $base_url."CREATE_OR_MODIFY_".uc($type)."_CONF_PAGE&action=modify&conf_name=".
499     $key}, $fm->localise('MODIFY'))),
500     - esmith::cgi::genSmallCell($q,"$status"),
501     esmith::cgi::genSmallCell ($q, $q->a ({href => $q->url (-absolute => 1).
502     $base_url."REMOVE_CONF_PAGE&conf_name=".
503     $key}, $fm->localise('REMOVE'))));
504     @@ -376,6 +437,13 @@
505     $rec->prop('status'));
506     $q->param(-name=>'remote_net',-value=>
507     $rec->prop('RemoteNetworks'));
508     + $q->param(-name=>'hmac',-value=>
509     + get_current_hmac($fm));
510     + $q->param(-name=>'cipher',-value=>
511     + get_current_cipher($fm));
512     + $q->param(-name=>'SnatOutbound',-value=>
513     + $rec->prop('SnatOutbound'));
514     +
515     }
516     }
517     else {
518     @@ -487,7 +555,7 @@
519     sub is_url_or_empty{
520     my ($fm, $url) = @_;
521     my $ret = 'OK';
522     - if (($url !~ /^(http:\/\/)|(https:\/\/)/) && ($url ne '')){
523     + if (defined $url && ($url !~ /^(http:\/\/)|(https:\/\/)/) && ($url ne '')){
524     $ret = $fm->localise('NOT_A_VALID_URL',{string => $url});
525     }
526     return $ret;
527     @@ -604,4 +672,115 @@
528     return $ret;
529     }
530    
531     +
532     +
533     +###### those are copy paste for bridge and s2s
534     +#
535     +=head2 get_current_hmac
536     +
537     +=cut
538     +sub get_current_hmac{
539     + my ($self) = @_;
540     + my $name = $self->cgi->param('conf_name') or return "SHA256";
541     + my $cvpn= $ovpn_db->get($name);
542     + return "SHA1" unless defined $cvpn->prop('HMAC');
543     + return $cvpn->prop('HMAC') ;
544     +}
545     +
546     +
547     +=head2 get_digests_options
548     +
549     +=cut
550     +sub get_digests_options{
551     + my ($self) = @_;
552     + my $translate = $self->localise('DEFAULT');
553     + my $suggested = $self->localise('SUGGESTED');
554     + my %options= (
555     + 'whirlpool' => 'whirlpool (512)',
556     + 'SHA512' => 'SHA512',
557     + 'SHA384' => 'SHA384',
558     + 'SHA256' => 'SHA256' . ": $suggested",
559     + 'SHA224' => 'SHA224',
560     + 'SHA1' => 'SHA1 (160)' . ": $translate",
561     + 'SHA' => 'SHA (160)',
562     + 'ecdsa-with-SHA1' => 'ecdsa-with-SHA1 (160)',
563     + 'RIPEMD160' => 'RIPEMD160',
564     + 'MD5' => 'MD5 (128)',
565     + 'MD4' => 'MD4 (128)',
566     + );
567     + return \%options;
568     +}
569     +
570     +
571     +=head2 get_current_cipher
572     +list obtained using
573     +openvpn --show-digests | egrep 'digest size' | awk {'print "'\''" $1 "'\'' => '\''" $1 "'\''," '}
574     +=cut
575     +sub get_current_cipher{
576     + my ($self) = @_;
577     + my $name = $self->cgi->param('conf_name') or return "AES-128-CBC";
578     + my $cvpn= $ovpn_db->get($name);
579     + return "BF-CBC" unless defined $cvpn->prop('cipher');
580     + return $cvpn->prop('cipher') ;
581     +}
582     +
583     +=head2 get_ciphers_options
584     +list obtained using
585     +openvpn --show-ciphers | egrep '^[A-Z]{2}' | sed 's/ by//; s/ default//; s/block,/block/; s/)// ' | awk {'print " '\''" $1 "'\'' => '\''" $1 $2 " " $4 " " $5 " " $7")'\''," '}
586     +then reduced to remove most of unsecure ciphers
587     +Using a CBC or GCM mode is recommended.
588     +In static key mode only CBC mode is allowed.
589     +
590     +=cut
591     +sub get_ciphers_options{
592     + my ($self) = @_;
593     + my $translate = $self->localise('DEFAULT');
594     + my $suggested = $self->localise('SUGGESTED');
595     + my %options= (
596     + 'AES-128-CBC' => 'AES-128-CBC (128 key, 128 block)'.": $suggested",
597     + 'AES-128-CFB' => 'AES-128-CFB (128 key, 128 block)',
598     + 'AES-128-CFB1' => 'AES-128-CFB1 (128 key, 128 block)',
599     + 'AES-128-CFB8' => 'AES-128-CFB8 (128 key, 128 block)',
600     + 'AES-128-GCM' => 'AES-128-GCM (128 key, 128 block)',
601     + 'AES-128-OFB' => 'AES-128-OFB (128 key, 128 block)',
602     + 'AES-192-CBC' => 'AES-192-CBC (192 key, 128 block)',
603     + 'AES-192-CFB' => 'AES-192-CFB (192 key, 128 block)',
604     + 'AES-192-CFB1' => 'AES-192-CFB1 (192 key, 128 block)',
605     + 'AES-192-CFB8' => 'AES-192-CFB8 (192 key, 128 block)',
606     + 'AES-192-GCM' => 'AES-192-GCM (192 key, 128 block)',
607     + 'AES-192-OFB' => 'AES-192-OFB (192 key, 128 block)',
608     + 'AES-256-CBC' => 'AES-256-CBC (256 key, 128 block)',
609     + 'AES-256-CFB' => 'AES-256-CFB (256 key, 128 block)',
610     + 'AES-256-CFB1' => 'AES-256-CFB1 (256 key, 128 block)',
611     + 'AES-256-CFB8' => 'AES-256-CFB8 (256 key, 128 block)',
612     + 'AES-256-GCM' => 'AES-256-GCM (256 key, 128 block)',
613     + 'AES-256-OFB' => 'AES-256-OFB (256 key, 128 block)',
614     + 'CAMELLIA-128-CBC' => 'CAMELLIA-128-CBC (128 key, 128 block)',
615     + 'CAMELLIA-128-CFB' => 'CAMELLIA-128-CFB (128 key, 128 block)',
616     + 'CAMELLIA-128-CFB1' => 'CAMELLIA-128-CFB1 (128 key, 128 block)',
617     + 'CAMELLIA-128-CFB8' => 'CAMELLIA-128-CFB8 (128 key, 128 block)',
618     + 'CAMELLIA-128-OFB' => 'CAMELLIA-128-OFB (128 key, 128 block)',
619     + 'CAMELLIA-192-CBC' => 'CAMELLIA-192-CBC (192 key, 128 block)',
620     + 'CAMELLIA-192-CFB' => 'CAMELLIA-192-CFB (192 key, 128 block)',
621     + 'CAMELLIA-192-CFB1' => 'CAMELLIA-192-CFB1 (192 key, 128 block)',
622     + 'CAMELLIA-192-CFB8' => 'CAMELLIA-192-CFB8 (192 key, 128 block)',
623     + 'CAMELLIA-192-OFB' => 'CAMELLIA-192-OFB (192 key, 128 block)',
624     + 'CAMELLIA-256-CBC' => 'CAMELLIA-256-CBC (256 key, 128 block)',
625     + 'CAMELLIA-256-CFB' => 'CAMELLIA-256-CFB (256 key, 128 block)',
626     + 'CAMELLIA-256-CFB1' => 'CAMELLIA-256-CFB1 (256 key, 128 block)',
627     + 'CAMELLIA-256-CFB8' => 'CAMELLIA-256-CFB8 (256 key, 128 block)',
628     + 'CAMELLIA-256-OFB' => 'CAMELLIA-256-OFB (256 key, 128 block)',
629     + 'SEED-CBC' => 'SEED-CBC (128 key, 128 block)',
630     + 'SEED-CFB' => 'SEED-CFB (128 key, 128 block)',
631     + 'SEED-OFB' => 'SEED-OFB (128 key, 128 block)',
632     + 'BF-CBC' => 'BF-CBC(128 key, 64 block)'. ": $translate ",
633     + );
634     + return \%options;
635     +}
636     +
637     +sub debugme{
638     + my ($self) = @_;
639     +use Data::Dumper;
640     +return print Data::Dumper->Dump(\@_);
641     +}
642     1;

admin@koozali.org
ViewVC Help
Powered by ViewVC 1.2.1 RSS 2.0 feed