/[smecontribs]/rpms/smeserver-openvpn-s2s/contribs10/smeserver-openvpn-s2s-0.2-sme10.patch
ViewVC logotype

Contents of /rpms/smeserver-openvpn-s2s/contribs10/smeserver-openvpn-s2s-0.2-sme10.patch

Parent Directory Parent Directory | Revision Log Revision Log | View Revision Graph Revision Graph


Revision 1.6 - (show annotations) (download)
Tue Mar 30 06:52:58 2021 UTC (3 years, 7 months ago) by jpp
Branch: MAIN
CVS Tags: smeserver-openvpn-s2s-0_2-11_el7_sme
Changes since 1.5: +1 -1 lines
* Tue Mar 30 2021 Jean-Philippe Pialasse <tests@pialasse.com> 0.2-11.sme
- enforce better cipher with settings [SME: 11498]
- enforce better HMAC with setting [SME: 11498]
- enforce TLS 1.2 or better with setting [SME: 11498]
- enforce strong TLS ciphers with setting [SME: 11498]
- better list of vpn connections [SME: 11337]
- allow soft reload of individual connection [SME: 11337]
- fix incorect permission on private keys [SME: 11337]

1 diff -Nur --no-dereference smeserver-openvpn-s2s-0.2.old/createlinks smeserver-openvpn-s2s-0.2/createlinks
2 --- smeserver-openvpn-s2s-0.2.old/createlinks 2021-03-30 00:12:27.731000000 -0400
3 +++ smeserver-openvpn-s2s-0.2/createlinks 2021-03-30 01:01:21.126000000 -0400
4 @@ -5,9 +5,7 @@
5 safe_symlink("restart", "root/etc/e-smith/events/openvpn-s2s-update/services2adjust/openvpn-s2s");
6 safe_symlink("adjust", "root/etc/e-smith/events/openvpn-s2s-update/services2adjust/masq");
7
8 -#service_link_enhanced("openvpn-s2s", "S80", "7");
9 -#service_link_enhanced("openvpn-s2s", "K25", "6");
10 -#service_link_enhanced("openvpn-s2s", "K25", "0");
11 +event_link("openvpn-s2s-onelink", "openvpn-s2s-update-one", "50");
12
13 event_link("openvpn-s2s-delete-networks", "openvpn-s2s-update", "10");
14 event_link("openvpn-s2s-genconf", "openvpn-s2s-update", "20");
15 diff -Nur --no-dereference smeserver-openvpn-s2s-0.2.old/root/etc/e-smith/events/actions/openvpn-s2s-onelink smeserver-openvpn-s2s-0.2/root/etc/e-smith/events/actions/openvpn-s2s-onelink
16 --- smeserver-openvpn-s2s-0.2.old/root/etc/e-smith/events/actions/openvpn-s2s-onelink 1969-12-31 19:00:00.000000000 -0500
17 +++ smeserver-openvpn-s2s-0.2/root/etc/e-smith/events/actions/openvpn-s2s-onelink 2021-03-30 00:54:13.858000000 -0400
18 @@ -0,0 +1,60 @@
19 +#!/usr/bin/perl -w
20 +
21 +#----------------------------------------------------------------------
22 +# copyright (C) 2010 Firewall Services
23 +# Daniel Berteaud <daniel@firewall-services.com>
24 +#
25 +# This program is free software; you can redistribute it and/or modify
26 +# it under the terms of the GNU General Public License as published by
27 +# the Free Software Foundation; either version 2 of the License, or
28 +# (at your option) any later version.
29 +#
30 +# This program is distributed in the hope that it will be useful,
31 +# but WITHOUT ANY WARRANTY; without even the implied warranty of
32 +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
33 +# GNU General Public License for more details.
34 +#
35 +# You should have received a copy of the GNU General Public License
36 +# along with this program; if not, write to the Free Software
37 +# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
38 +#----------------------------------------------------------------------
39 +
40 +use strict;
41 +use esmith::templates;
42 +use esmith::ConfigDB;
43 +
44 +
45 +my $event = $ARGV [0];
46 +my $vpn = $ARGV [1];
47 +my $lock="/var/lock/subsys/openvpn-s2s";
48 +my $piddir="/var/run/openvpn-s2s";
49 +
50 +die "missing vpn name" unless defined $vpn;
51 +
52 +my $db = esmith::ConfigDB->open_ro("openvpn-s2s");
53 +
54 +my $conf = $db->get($vpn) or die "unknown site to site vpn";
55 +
56 +my $key = $conf->key;
57 +my $status = $conf->prop('status') || 'disabled';
58 +if ($status eq 'enabled'){
59 + processTemplate(
60 + {
61 + TEMPLATE_PATH => "/etc/openvpn/s2s/openvpn-s2s.conf",
62 + MORE_DATA => {DB_KEY=>$key},
63 + OUTPUT_FILENAME => "/etc/openvpn/s2s/$key.conf",
64 + });
65 +
66 + if ( -f $lock ) {
67 + my $pidf = "$piddir/$key.pid";
68 + if ( -f $pidf ) {
69 + my $pid=`cat $pidf`;
70 + kill 'USR1', $pid || exit 1 ;
71 + exit 0;
72 + }
73 + }
74 + else {
75 + print "openvpn: service not started";
76 + exit 1
77 + }
78 +}
79 diff -Nur --no-dereference smeserver-openvpn-s2s-0.2.old/root/etc/e-smith/locale/en-us/etc/e-smith/web/functions/openvpns2s smeserver-openvpn-s2s-0.2/root/etc/e-smith/locale/en-us/etc/e-smith/web/functions/openvpns2s
80 --- smeserver-openvpn-s2s-0.2.old/root/etc/e-smith/locale/en-us/etc/e-smith/web/functions/openvpns2s 2013-11-11 12:33:06.000000000 -0500
81 +++ smeserver-openvpn-s2s-0.2/root/etc/e-smith/locale/en-us/etc/e-smith/web/functions/openvpns2s 2021-03-30 00:54:14.068000000 -0400
82 @@ -285,4 +285,71 @@
83 <base>IP_IN_LOCAL_NET</base>
84 <trans>This IP address is part of one of your local networks</trans>
85 </entry>
86 +
87 + <entry>
88 + <base>INSECURE</base>
89 + <trans>Insecure parameter</trans>
90 + </entry>
91 + <entry>
92 + <base>SUGGESTED</base>
93 + <trans>Suggested value</trans>
94 + </entry>
95 + <entry>
96 + <base>DEFAULT</base>
97 + <trans>Default</trans>
98 + </entry>
99 + <entry>
100 + <base>DOWN</base>
101 + <trans>Down</trans>
102 + </entry>
103 + <entry>
104 + <base>UP</base>
105 + <trans>Up</trans>
106 + </entry>
107 + <entry>
108 + <base>SUCCESS_RELOAD</base>
109 + <trans>VPN connection reloaded with success</trans>
110 + </entry>
111 + <entry>
112 + <base>DESC_RELOAD</base>
113 + <trans>Do you really want to reload this vpn connection?</trans>
114 + </entry>
115 + <entry>
116 + <base>RELOAD</base>
117 + <trans>reload</trans>
118 + </entry>
119 + <entry>
120 + <base>DESC_HMAC</base>
121 + <trans>HMAC is part of the encryption of the data channel for openvpn (where your data travel) after encryption with the cipher. Default is the insecure SHA1, we suggest you to at least use SHA256. This setting should match on both the server and the client</trans>
122 + </entry>
123 + <entry>
124 + <base>LABEL_HMAC</base>
125 + <trans>HMAC algorithm</trans>
126 + </entry>
127 + <entry>
128 + <base>DESC_CIPHER</base>
129 + <trans>The cipher used for your data channel for openvpn. The default is to use the insecure BlowFish algorithm. We suggest you the AES-128-CBC or higher. This setting should match on both the server and the client.</trans>
130 + </entry>
131 + <entry>
132 + <base>LABEL_CIPHER</base>
133 + <trans>Cipher encryption algorithm</trans>
134 + </entry>
135 + <entry>
136 + <base>DESC_SNAT</base>
137 + <trans>SNAT Outbound can be enabled or disabled (default is enabled). When enabled, connections initiated by the server itself will be SNATed so they will appear to come from the internal IP. If disabled, connections from the server itself will have the virtual IP as source.</trans>
138 + </entry>
139 + <entry>
140 + <base>LABEL_SNAT</base>
141 + <trans>SNAT Outbound</trans>
142 + </entry>
143 + <entry>
144 + <base>CIPHER</base>
145 + <trans>Cipher</trans>
146 + </entry>
147 + <entry>
148 + <base>LINK</base>
149 + <trans>Link status</trans>
150 + </entry>
151 +
152 +
153 </lexicon>
154 diff -Nur --no-dereference smeserver-openvpn-s2s-0.2.old/root/etc/e-smith/templates/etc/openvpn/s2s/openvpn-s2s.conf/30key smeserver-openvpn-s2s-0.2/root/etc/e-smith/templates/etc/openvpn/s2s/openvpn-s2s.conf/30key
155 --- smeserver-openvpn-s2s-0.2.old/root/etc/e-smith/templates/etc/openvpn/s2s/openvpn-s2s.conf/30key 2021-03-30 00:12:27.713000000 -0400
156 +++ smeserver-openvpn-s2s-0.2/root/etc/e-smith/templates/etc/openvpn/s2s/openvpn-s2s.conf/30key 2021-03-30 00:54:12.710000000 -0400
157 @@ -5,16 +5,41 @@
158 my $checkcrt = $db->get_prop($key,'CheckCertificateUsage') || 'disabled';
159 my $tlsremote = $db->get_prop($key,'RemoteCommonName') || '';
160
161 +#HMAC default is SHA1 if empty, we really want higher on new setup, but keep empty for default on existing one...
162 +# need to be changed on both side
163 +my $HMAC = ( $db->get_prop($key,'HMAC') ) ? $db->get_prop($key,'HMAC') : undef;
164 +# cipher default to BF if empty, we really want higher on new setup, but keep empty for default on existing one...
165 +# # here openvpn uses encrypt-then-mc so no issue using CBC rather than GCM, and GCM not implemented before openvpn 2.4 for data channel
166 +my $cipher = ( $db->get_prop($key,'Cipher') && $db->get_prop($key,'Cipher') ne 'auto')? $db->get_prop($key,'Cipher') : undef;
167 +
168 +## we do not want any tls 1.1 or lower, this does not break anything to force, unless the client is very old and limited to 1.1 or lower
169 +my $tlsVmin = ( $db->get_prop($key,'tlsVmin') && ( $db->get_prop($key,'tlsVmin') =~ /^1\.[0-9]{1}$/ ) ) ? $db->get_prop($key,'tlsVmin') : "1.2";
170 +# TLS 1.3 encryption settings
171 +my $tlsCipherSuites13 = ( $db->get_prop($key,'tlsCipherSuites13') ) ? $db->get_prop($key,'tlsCipherSuites13') : "TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256";
172 +# # TLS 1.2 encryption settings
173 +my $tlsCipher12 = ( $db->get_prop($key,'tlsCipher12') ) ? $db->get_prop($key,'tlsCipher12') : "TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256:TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256:TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256:TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256";
174 +
175 +
176 +# cipher default to BF if empty, we really want higher on new setup, but keep empty for default on existing one...
177 +# here openvpn uses encrypt-then-mc so no issue using CBC rather than GCM, and GCM not implemented before openvpn 2.4 for data channel
178 +my $cipher = ( $db->get_prop($key,'Cipher') && $db->get_prop($key,'Cipher') ne 'auto')? $db->get_prop($key,'Cipher') : undef;
179 +
180 +
181 if ($auth eq 'SharedKey'){
182 $OUT .= "secret priv/$key"."_sharedkey.pem\n";
183 }
184 elsif ($auth eq 'TLS'){
185 if ($type eq 'server'){
186 $OUT .= "tls-server\n";
187 + $OUT .= "tls-version-min $tlsVmin\n";
188 + $OUT .= "tls-cipher $tlsCipher12\n" if defined $tlsCipher12;
189 + $OUT .= "tls-ciphersuites tlsCipherSuites13\n" if defined tlsCipherSuites13;
190 $OUT .= "ca pub/$key" . "_cacert.pem\n";
191 $OUT .= "cert pub/$key" . "_cert.pem\n";
192 $OUT .= "key priv/$key" . "_key.pem\n";
193 $OUT .= "dh pub/$key" . "_dh.pem\n";
194 + $OUT .= "# we might be able to disable dh param with this one, NSA-'s recommended curve\n";
195 + $OUT .= "ecdh-curve secp384r1\n";
196 $OUT .= "tls-auth priv/$key" . "_sharedkey.pem 0\n"
197 if ( -e "/etc/openvpn/s2s/priv/$key".'_sharedkey.pem' ) &&
198 ( ! -z "/etc/openvpn/s2s/priv/$key".'_sharedkey.pem' );
199 @@ -26,9 +51,14 @@
200 }
201 else{
202 $OUT .= "tls-client\n";
203 + $OUT .= "tls-version-min $tlsVmin\n";
204 + $OUT .= "tls-cipher $tlsCipher12\n" if defined $tlsCipher12;
205 + $OUT .= "tls-ciphersuites tlsCipherSuites13\n" if defined tlsCipherSuites13;
206 $OUT .= "ca pub/$key" . "_cacert.pem\n";
207 $OUT .= "cert pub/$key" . "_cert.pem\n";
208 $OUT .= "key priv/$key" . "_key.pem\n";
209 + $OUT .= "# we might be able to disable dh param with this one, NSA-'s recommended curve\n";
210 + $OUT .= "ecdh-curve secp384r1\n";
211 $OUT .= "tls-auth priv/$key" . "_sharedkey.pem 1\n"
212 if ( -e "/etc/openvpn/s2s/priv/$key".'_sharedkey.pem' ) &&
213 ( ! -z "/etc/openvpn/s2s/priv/$key".'_sharedkey.pem' );
214 @@ -40,5 +70,12 @@
215 }
216 }
217
218 + # available for both sharedkey and tls
219 + # data channel
220 + $OUT .= "#securing data channel\n";
221 + $OUT .= (defined $cipher) ? "cipher $cipher\n" : "# no cipher defined default to Blowfish, this is INSECURE, please consider AES-128-CBC or higher on both client and server\n";
222 + #auth SHA512
223 + $OUT .= (defined $HMAC )? "auth $HMAC\n" : "# no HMAC defined, default to SHA1, please consider SHA256 or higher on both client and server\n";
224 +#
225 }
226
227 diff -Nur --no-dereference smeserver-openvpn-s2s-0.2.old/root/etc/e-smith/templates/etc/openvpn/s2s/openvpn-s2s.conf/60options smeserver-openvpn-s2s-0.2/root/etc/e-smith/templates/etc/openvpn/s2s/openvpn-s2s.conf/60options
228 --- smeserver-openvpn-s2s-0.2.old/root/etc/e-smith/templates/etc/openvpn/s2s/openvpn-s2s.conf/60options 2013-11-11 12:33:06.000000000 -0500
229 +++ smeserver-openvpn-s2s-0.2/root/etc/e-smith/templates/etc/openvpn/s2s/openvpn-s2s.conf/60options 2021-03-30 00:54:12.466000000 -0400
230 @@ -1,13 +1,11 @@
231 # Options
232 {
233
234 -my $cipher = $db->get_prop($key,'Cipher') || 'auto';
235 my $comp = $db->get_prop($key,'Compression') || 'enabled';
236
237
238 $OUT .= "comp-lzo adaptive\n" if ($comp eq 'enabled');
239
240 -$OUT .= "cipher $cipher\n" if ($cipher ne 'auto');
241
242 if ($type eq 'server'){
243 $OUT .= "ping-timer-rem\n";
244 diff -Nur --no-dereference smeserver-openvpn-s2s-0.2.old/root/etc/e-smith/web/functions/openvpns2s smeserver-openvpn-s2s-0.2/root/etc/e-smith/web/functions/openvpns2s
245 --- smeserver-openvpn-s2s-0.2.old/root/etc/e-smith/web/functions/openvpns2s 2013-11-11 12:33:06.000000000 -0500
246 +++ smeserver-openvpn-s2s-0.2/root/etc/e-smith/web/functions/openvpns2s 2021-03-30 00:54:12.925000000 -0400
247 @@ -4,7 +4,7 @@
248 #----------------------------------------------------------------------
249 # heading : Configuration
250 # description : OpenVPN Site to Site
251 -# navigation : 1000 1000
252 +# navigation : 6000 6750
253 #----------------------------------------------------------------------
254
255 #----------------------------------------------------------------------
256 @@ -99,6 +99,16 @@
257 <label>LABEL_AUTH</label>
258 </field>
259
260 + <field type="select" id="hmac" options="get_digests_options()" value="get_current_hmac()">
261 + <description>DESC_HMAC</description>
262 + <label>LABEL_HMAC</label>
263 + </field>
264 +
265 + <field type="select" id="cipher" options="get_ciphers_options()" value="get_current_cipher()">
266 + <description>DESC_CIPHER</description>
267 + <label>LABEL_CIPHER</label>
268 + </field>
269 +
270 <field type="text" id="remote_host" validation="is_hostname_or_ip()">
271 <description>DESC_REMOTE_HOST</description>
272 <label>LABEL_REMOTE_HOST</label>
273 @@ -119,13 +129,18 @@
274 <label>LABEL_REMOTE_IP</label>
275 </field>
276
277 + <field type="select" id="SnatOutbound" value="" options="'disabled' => 'DISABLED', 'enabled' => 'ENABLED'">
278 + <description>DESC_SNAT</description>
279 + <label>LABEL_SNAT</label>
280 + </field>
281 +
282 +
283 <field type="text" size="53" id="remote_net" validation="is_valid_net_or_empty()">
284 <description>DESC_REMOTE_NET</description>
285 <label>LABEL_REMOTE_NET</label>
286 </field>
287
288 <subroutine src="print_button('NEXT')"/>
289 -
290 </page>
291
292 #----------------------------------------------------------------
293 @@ -156,6 +171,16 @@
294 <label>LABEL_AUTH</label>
295 </field>
296
297 + <field type="select" id="hmac" options="get_digests_options()" value="get_current_hmac()">
298 + <description>DESC_HMAC</description>
299 + <label>LABEL_HMAC</label>
300 + </field>
301 +
302 + <field type="select" id="cipher" options="get_ciphers_options()" value="get_current_cipher()">
303 + <description>DESC_CIPHER</description>
304 + <label>LABEL_CIPHER</label>
305 + </field>
306 +
307 <field type="text" id="port" validation="is_valid_and_available_port()">
308 <description>DESC_LOCAL_PORT</description>
309 <label>LABEL_LOCAL_PORT</label>
310 @@ -196,4 +221,11 @@
311 <subroutine src="print_conf_to_remove()"/>
312 </page>
313
314 + <page name="RELOAD_PAGE" pre-event="turn_off_buttons()" post-event="reload()">
315 + <field type="literal" id="conf_name">
316 + <description>DESC_RELOAD</description>
317 + </field>
318 + <subroutine src="print_button('NEXT')"/>
319 + </page>
320 +
321 </form>
322 diff -Nur --no-dereference smeserver-openvpn-s2s-0.2.old/root/usr/lib/systemd/system/openvpn-s2s.service smeserver-openvpn-s2s-0.2/root/usr/lib/systemd/system/openvpn-s2s.service
323 --- smeserver-openvpn-s2s-0.2.old/root/usr/lib/systemd/system/openvpn-s2s.service 2021-03-30 00:12:27.732000000 -0400
324 +++ smeserver-openvpn-s2s-0.2/root/usr/lib/systemd/system/openvpn-s2s.service 2021-03-30 00:54:13.389000000 -0400
325 @@ -1,10 +1,16 @@
326 [Unit]
327 Description=OpenVPN Server to Server
328 After=network.service
329 +
330 [Service]
331 -Type=forking
332 +Type=oneshot
333 +RemainAfterExit=yes
334 +GuessMainPID=no
335 +
336 ExecStart=/usr/sbin/systemd/openvpn-s2s start
337 ExecStop=/usr/sbin/systemd/openvpn-s2s stop
338 +ExecReload=/usr/sbin/systemd/openvpn-s2s reopen
339 +
340 [Install]
341 WantedBy=sme-server.target
342
343 diff -Nur --no-dereference smeserver-openvpn-s2s-0.2.old/root/usr/sbin/systemd/openvpn-s2s smeserver-openvpn-s2s-0.2/root/usr/sbin/systemd/openvpn-s2s
344 --- smeserver-openvpn-s2s-0.2.old/root/usr/sbin/systemd/openvpn-s2s 2021-03-30 00:12:27.732000000 -0400
345 +++ smeserver-openvpn-s2s-0.2/root/usr/sbin/systemd/openvpn-s2s 2021-03-30 00:54:13.631000000 -0400
346 @@ -90,6 +90,9 @@
347 fi
348 done
349
350 +#ncp
351 +ncp=" --ncp-ciphers AES-256-GCM:AES-128-GCM:AES-256-CBC:AES-128-CBC:BF-CBC "
352 +
353 # Lockfile
354 lock="/var/lock/subsys/openvpn-s2s"
355
356 @@ -218,6 +221,7 @@
357 kill -HUP `cat $pidf` >/dev/null 2>&1
358 fi
359 done
360 + exit 0
361 else
362 echo "openvpn: service not started"
363 exit 1
364 @@ -230,6 +234,7 @@
365 kill -USR1 `cat $pidf` >/dev/null 2>&1
366 fi
367 done
368 + exit 0
369 else
370 echo "openvpn: service not started"
371 exit 1
372 diff -Nur --no-dereference smeserver-openvpn-s2s-0.2.old/root/usr/share/perl5/vendor_perl/esmith/FormMagick/Panel/openvpns2s.pm smeserver-openvpn-s2s-0.2/root/usr/share/perl5/vendor_perl/esmith/FormMagick/Panel/openvpns2s.pm
373 --- smeserver-openvpn-s2s-0.2.old/root/usr/share/perl5/vendor_perl/esmith/FormMagick/Panel/openvpns2s.pm 2021-03-30 00:12:27.724000000 -0400
374 +++ smeserver-openvpn-s2s-0.2/root/usr/share/perl5/vendor_perl/esmith/FormMagick/Panel/openvpns2s.pm 2021-03-30 01:19:05.081000000 -0400
375 @@ -26,6 +26,7 @@
376 remove_conf
377 print_conf_to_remove
378 read_file
379 + reload
380 );
381
382 our $pubdir = '/etc/openvpn/s2s/pub';
383 @@ -91,6 +92,21 @@
384 $ovpn_db->set_prop($conf, 'status', $q->param("status"));
385 $ovpn_db->set_prop($conf, 'Comment', $q->param("comment"));
386 $ovpn_db->set_prop($conf, 'RemoteNetworks', $q->param("remote_net"));
387 + $ovpn_db->set_prop($conf, 'SnatOutbound', $q->param("SnatOutbound"));
388 + if ($q->param("hmac") eq 'SHA1') {
389 + my $tmpk = $ovpn_db->get($conf);
390 + $tmpk->delete_prop('HMAC');
391 + }
392 + else {
393 + $ovpn_db->set_prop($conf, 'HMAC' , $q->param("hmac"));
394 + }
395 + if ($q->param("cipher") eq 'BF-CBC') {
396 + my $tmpk = $ovpn_db->get($conf);
397 + $tmpk->delete_prop('Cipher');
398 + }
399 + else {
400 + $ovpn_db->set_prop($conf, 'Cipher', $q->param("cipher"));
401 + }
402
403 # Now, update the main configuration entry
404 update_ports();
405 @@ -153,6 +169,9 @@
406 }
407 print KEY $q->param('key_pem');
408 close KEY;
409 + chmod(0600, "$privdir/${conf}_key.pem" );
410 + esmith::util::chownFile("root", "root","$privdir/${conf}_key.pem" );
411 +
412
413 if (! open (DH, ">$pubdir/$conf" . "_dh.pem")){
414 $fm->error('ERROR_OPEN_DH','FIRST_PAGE');
415 @@ -167,11 +186,13 @@
416 }
417 print TA $q->param('shared_key');
418 close TA;
419 + chmod(0600, "$privdir/${conf}_sharedkey.pem" );
420 + esmith::util::chownFile("root", "root","$privdir/${conf}_sharedkey.pem" );
421
422 - esmith::util::chownFile("root", "root", "$privdir/$conf*");
423 - esmith::util::chownFile("root", "root", "$pubdir/$conf*");
424 - chmod 0600, "$privdir/$conf*";
425 - chmod 0644, "$pubdir/$conf*";
426 + esmith::util::chownFile("root", "root", "$privdir");
427 + esmith::util::chownFile("root", "root", "$pubdir");
428 + chmod 0600, "$privdir";
429 + chmod 0644, "$pubdir";
430
431 $ovpn_db->set_prop($conf, 'CrlUrl', $q->param("crl_url"));
432
433 @@ -294,6 +315,22 @@
434
435
436 # Print clients or servers table
437 +sub reload{
438 + my ($fm) = @_;
439 + my $q = $fm->{cgi};
440 + my $conf = $q->param('conf_name');
441 + #$conf = $conf=~ m/^([a-zA-Z\-\_0-9]+)$/;
442 + unless (system ("/sbin/e-smith/signal-event", "openvpn-s2s-update-one", $conf) == 0 ){
443 + $fm->error('ERROR_OCCURED1','FIRST_PAGE');
444 + return undef;
445 + }
446 + $fm->success( $fm->localise('SUCCESS_RELOAD') . " $conf" ,'FIRST_PAGE');
447 + return undef;
448 +
449 +
450 +}
451 +
452 +# Print clients or servers table
453 sub print_conf_table{
454 my $fm = shift;
455 my $type = shift;
456 @@ -310,8 +347,15 @@
457 print $q->start_table({-CLASS => "sme-border"}),"\n";
458 print $q->Tr (
459 esmith::cgi::genSmallCell($q, $fm->localise('CONF_NAME'),"header"),
460 - esmith::cgi::genSmallCell($q, $fm->localise('MODIFY'),"header"),
461 - esmith::cgi::genSmallCell($q, $fm->localise('STATUS'),"header")),"\n";
462 + esmith::cgi::genSmallCell($q, $fm->localise('STATUS'),"header"),
463 + esmith::cgi::genSmallCell($q, $fm->localise('CIPHER'),"header"),
464 + esmith::cgi::genSmallCell($q, 'HMAC',"header"),
465 + esmith::cgi::genSmallCell($q, $fm->localise('LABEL_AUTH'),"header"),
466 + esmith::cgi::genSmallCell($q, $fm->localise('LINK'),"header"),
467 + esmith::cgi::genSmallCell($q, $fm->localise('ACTION'),"header", 3),
468 + ),
469 + "\n";
470 +
471
472 foreach my $config (@conf){
473 my $key = $config->key;
474 @@ -323,11 +367,28 @@
475 elsif ($status eq 'disabled'){
476 $status = $fm->localise('DISABLED');
477 }
478 + my $cipher = $config->prop('Cipher') || 'BF-CBC';
479 + $cipher = "<span style='color:red'>". $fm->localise('INSECURE'). " $cipher</span> " unless ($cipher =~ /(128|192|256|512|SEED)/ );
480 + my $hmac = $config->prop('HMAC') || 'SHA1';
481 + $hmac= "<span style='color:red'>". $fm->localise('INSECURE'). " $hmac</span> " unless ($hmac eq "whirlpool" || $hmac =~ /(512|256|384|224)$/);
482 + my $authe = $config->prop('Authentication') || '';
483 + my $linkup = "<span style='color:red'>". $fm->localise('DOWN')."</span>" ;
484 + use Net::Ping;
485 + my $p = Net::Ping->new();
486 + $linkup = "<span style='color:green'>". $fm->localise('UP') ."</span>" if $p->ping($config->prop('RemoteIP'));
487 +
488 print $q->Tr (esmith::cgi::genSmallCell($q,"$key"),
489 + esmith::cgi::genSmallCell($q,"$status"),
490 + esmith::cgi::genSmallCell($q,"$cipher"),
491 + esmith::cgi::genSmallCell($q,"$hmac"),
492 + esmith::cgi::genSmallCell($q,"$authe"),
493 + esmith::cgi::genSmallCell($q,"$linkup"),
494 + esmith::cgi::genSmallCell ($q, $q->a ({href => $q->url (-absolute => 1).
495 + $base_url."RELOAD_PAGE&action=reload&conf_name=".
496 + $key}, $fm->localise('RELOAD'))),
497 esmith::cgi::genSmallCell ($q, $q->a ({href => $q->url (-absolute => 1).
498 $base_url."CREATE_OR_MODIFY_".uc($type)."_CONF_PAGE&action=modify&conf_name=".
499 $key}, $fm->localise('MODIFY'))),
500 - esmith::cgi::genSmallCell($q,"$status"),
501 esmith::cgi::genSmallCell ($q, $q->a ({href => $q->url (-absolute => 1).
502 $base_url."REMOVE_CONF_PAGE&conf_name=".
503 $key}, $fm->localise('REMOVE'))));
504 @@ -376,6 +437,13 @@
505 $rec->prop('status'));
506 $q->param(-name=>'remote_net',-value=>
507 $rec->prop('RemoteNetworks'));
508 + $q->param(-name=>'hmac',-value=>
509 + get_current_hmac($fm));
510 + $q->param(-name=>'cipher',-value=>
511 + get_current_cipher($fm));
512 + $q->param(-name=>'SnatOutbound',-value=>
513 + $rec->prop('SnatOutbound'));
514 +
515 }
516 }
517 else {
518 @@ -487,7 +555,7 @@
519 sub is_url_or_empty{
520 my ($fm, $url) = @_;
521 my $ret = 'OK';
522 - if (($url !~ /^(http:\/\/)|(https:\/\/)/) && ($url ne '')){
523 + if (defined $url && ($url !~ /^(http:\/\/)|(https:\/\/)/) && ($url ne '')){
524 $ret = $fm->localise('NOT_A_VALID_URL',{string => $url});
525 }
526 return $ret;
527 @@ -604,4 +672,110 @@
528 return $ret;
529 }
530
531 +
532 +
533 +###### those are copy paste for bridge and s2s
534 +#
535 +=head2 get_current_hmac
536 +
537 +=cut
538 +sub get_current_hmac{
539 + my ($self) = @_;
540 + my $name = $self->cgi->param('conf_name') or return "SHA256";
541 + my $cvpn= $ovpn_db->get($name);
542 + return "SHA1" unless defined $cvpn->prop('HMAC');
543 + return $cvpn->prop('HMAC') ;
544 +}
545 +
546 +
547 +=head2 get_digests_options
548 +
549 +=cut
550 +sub get_digests_options{
551 + my ($self) = @_;
552 + my $translate = $self->localise('DEFAULT');
553 + my $suggested = $self->localise('SUGGESTED');
554 + my %options= (
555 + 'whirlpool' => 'whirlpool (512)',
556 + 'SHA512' => 'SHA512',
557 + 'SHA384' => 'SHA384',
558 + 'SHA256' => 'SHA256' . ": $suggested",
559 + 'SHA224' => 'SHA224',
560 + 'SHA1' => 'SHA1 (160)' . ": $translate",
561 + 'SHA' => 'SHA (160)',
562 + 'ecdsa-with-SHA1' => 'ecdsa-with-SHA1 (160)',
563 + 'RIPEMD160' => 'RIPEMD160',
564 + 'MD5' => 'MD5 (128)',
565 + 'MD4' => 'MD4 (128)',
566 + );
567 + return \%options;
568 +}
569 +
570 +
571 +=head2 get_current_cipher
572 +list obtained using
573 +openvpn --show-digests | egrep 'digest size' | awk {'print "'\''" $1 "'\'' => '\''" $1 "'\''," '}
574 +=cut
575 +sub get_current_cipher{
576 + my ($self) = @_;
577 + my $name = $self->cgi->param('conf_name') or return "AES-128-CBC";
578 + my $cvpn= $ovpn_db->get($name);
579 + return "BF-CBC" unless defined $cvpn->prop('Cipher');
580 + return $cvpn->prop('Cipher') ;
581 +}
582 +
583 +=head2 get_ciphers_options
584 +list obtained using
585 +openvpn --show-ciphers | egrep '^[A-Z]{2}' | sed 's/ by//; s/ default//; s/block,/block/; s/)// ' | awk {'print " '\''" $1 "'\'' => '\''" $1 $2 " " $4 " " $5 " " $7")'\''," '}
586 +then reduced to remove most of insecure ciphers
587 +Using a CBC or GCM mode is recommended.
588 +In static key mode only CBC mode is allowed.
589 +
590 +=cut
591 +sub get_ciphers_options{
592 + my ($self) = @_;
593 + my $translate = $self->localise('DEFAULT');
594 + my $suggested = $self->localise('SUGGESTED');
595 + my %options= (
596 + 'AES-128-CBC' => 'AES-128-CBC (128 key, 128 block)'.": $suggested",
597 + 'AES-128-CFB' => 'AES-128-CFB (128 key, 128 block)',
598 + 'AES-128-CFB1' => 'AES-128-CFB1 (128 key, 128 block)',
599 + 'AES-128-CFB8' => 'AES-128-CFB8 (128 key, 128 block)',
600 + 'AES-128-GCM' => 'AES-128-GCM (128 key, 128 block)',
601 + 'AES-128-OFB' => 'AES-128-OFB (128 key, 128 block)',
602 + 'AES-192-CBC' => 'AES-192-CBC (192 key, 128 block)',
603 + 'AES-192-CFB' => 'AES-192-CFB (192 key, 128 block)',
604 + 'AES-192-CFB1' => 'AES-192-CFB1 (192 key, 128 block)',
605 + 'AES-192-CFB8' => 'AES-192-CFB8 (192 key, 128 block)',
606 + 'AES-192-GCM' => 'AES-192-GCM (192 key, 128 block)',
607 + 'AES-192-OFB' => 'AES-192-OFB (192 key, 128 block)',
608 + 'AES-256-CBC' => 'AES-256-CBC (256 key, 128 block)',
609 + 'AES-256-CFB' => 'AES-256-CFB (256 key, 128 block)',
610 + 'AES-256-CFB1' => 'AES-256-CFB1 (256 key, 128 block)',
611 + 'AES-256-CFB8' => 'AES-256-CFB8 (256 key, 128 block)',
612 + 'AES-256-GCM' => 'AES-256-GCM (256 key, 128 block)',
613 + 'AES-256-OFB' => 'AES-256-OFB (256 key, 128 block)',
614 + 'CAMELLIA-128-CBC' => 'CAMELLIA-128-CBC (128 key, 128 block)',
615 + 'CAMELLIA-128-CFB' => 'CAMELLIA-128-CFB (128 key, 128 block)',
616 + 'CAMELLIA-128-CFB1' => 'CAMELLIA-128-CFB1 (128 key, 128 block)',
617 + 'CAMELLIA-128-CFB8' => 'CAMELLIA-128-CFB8 (128 key, 128 block)',
618 + 'CAMELLIA-128-OFB' => 'CAMELLIA-128-OFB (128 key, 128 block)',
619 + 'CAMELLIA-192-CBC' => 'CAMELLIA-192-CBC (192 key, 128 block)',
620 + 'CAMELLIA-192-CFB' => 'CAMELLIA-192-CFB (192 key, 128 block)',
621 + 'CAMELLIA-192-CFB1' => 'CAMELLIA-192-CFB1 (192 key, 128 block)',
622 + 'CAMELLIA-192-CFB8' => 'CAMELLIA-192-CFB8 (192 key, 128 block)',
623 + 'CAMELLIA-192-OFB' => 'CAMELLIA-192-OFB (192 key, 128 block)',
624 + 'CAMELLIA-256-CBC' => 'CAMELLIA-256-CBC (256 key, 128 block)',
625 + 'CAMELLIA-256-CFB' => 'CAMELLIA-256-CFB (256 key, 128 block)',
626 + 'CAMELLIA-256-CFB1' => 'CAMELLIA-256-CFB1 (256 key, 128 block)',
627 + 'CAMELLIA-256-CFB8' => 'CAMELLIA-256-CFB8 (256 key, 128 block)',
628 + 'CAMELLIA-256-OFB' => 'CAMELLIA-256-OFB (256 key, 128 block)',
629 + 'SEED-CBC' => 'SEED-CBC (128 key, 128 block)',
630 + 'SEED-CFB' => 'SEED-CFB (128 key, 128 block)',
631 + 'SEED-OFB' => 'SEED-OFB (128 key, 128 block)',
632 + 'BF-CBC' => 'BF-CBC(128 key, 64 block)'. ": $translate ",
633 + );
634 + return \%options;
635 +}
636 +
637 1;

admin@koozali.org
ViewVC Help
Powered by ViewVC 1.2.1 RSS 2.0 feed