
Contents of /rpms/smeserver-openvpn-s2s/contribs7/smeserver-openvpn-s2s-0.1-implement_crl_verification.patch



Revision 1.1 - (show annotations) (download)
Tue Nov 2 16:43:51 2010 UTC (13 years, 6 months ago) by slords
Branch: MAIN
CVS Tags: smeserver-openvpn-s2s-0_1-15_el4_sme, smeserver-openvpn-s2s-0_1-13_el4_sme, smeserver-openvpn-s2s-0_1-19_el4_sme, smeserver-openvpn-s2s-0_1-14_el4_sme, smeserver-openvpn-s2s-0_1-12_el4_sme, smeserver-openvpn-s2s-0_1-18_el4_sme, smeserver-openvpn-s2s-0_1-16_el4_sme, smeserver-openvpn-s2s-0_1-20_el4_sme, smeserver-openvpn-s2s-0_1-21_el4_sme, smeserver-openvpn-s2s-0_1-11_el4_sme, HEAD
Initial import

1 diff -Nur -x '*.orig' -x '*.rej' smeserver-openvpn-s2s-0.1/createlinks mezzanine_patched_smeserver-openvpn-s2s-0.1/createlinks
2 --- smeserver-openvpn-s2s-0.1/createlinks 2010-10-17 23:38:54.000000000 +0200
3 +++ mezzanine_patched_smeserver-openvpn-s2s-0.1/createlinks 2010-10-17 23:27:55.000000000 +0200
4 @@ -11,9 +11,11 @@
5
6 event_link("openvpn-s2s-delete-networks", "openvpn-s2s-update", "10");
7 event_link("openvpn-s2s-genconf", "openvpn-s2s-update", "20");
8 +event_link("openvpn-s2s-update-crl", "openvpn-s2s-update", "30");
9 event_link("openvpn-s2s-genconf", "bootstrap-console-save", "80");
10
11 templates2events("/etc/rc.d/init.d/masq", qw/openvpn-s2s-update/);
12 +templates2events("/etc/crontab", qw/openvpn-s2s-update/);
13
14 panel_link("openvpns2s", 'manager');
15
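Review bot: The new `openvpn-s2s-update-crl` link runs at priority 30, after `openvpn-s2s-genconf` at 20, yet the 30key template later in this patch only writes `crl-verify` when the CRL file already exists. If genconf is what expands that template (not visible here), the first update after a CrlUrl is set produces a configuration without revocation checking, and it stays that way until another openvpn-s2s-update event runs. Ordering the fetch first, e.g. `event_link("openvpn-s2s-update-crl", "openvpn-s2s-update", "15");`, would close that window.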
16 diff -Nur -x '*.orig' -x '*.rej' smeserver-openvpn-s2s-0.1/root/etc/e-smith/events/actions/openvpn-s2s-update-crl mezzanine_patched_smeserver-openvpn-s2s-0.1/root/etc/e-smith/events/actions/openvpn-s2s-update-crl
17 --- smeserver-openvpn-s2s-0.1/root/etc/e-smith/events/actions/openvpn-s2s-update-crl 1970-01-01 01:00:00.000000000 +0100
18 +++ mezzanine_patched_smeserver-openvpn-s2s-0.1/root/etc/e-smith/events/actions/openvpn-s2s-update-crl 2010-10-17 23:35:10.000000000 +0200
19 @@ -0,0 +1,34 @@
20 +#!/bin/bash
21 +
22 +DOMAIN=$(/sbin/e-smith/db configuration get DomainName)
23 +
24 +for VPN in $(/sbin/e-smith/db openvpn-s2s keys); do
25 + URL=$(/sbin/e-smith/db openvpn-s2s getprop $VPN CrlUrl)
26 + AUTH=$(/sbin/e-smith/db openvpn-s2s getprop $VPN Authentication)
27 +
28 + if [ ! -z "$URL" -a "$AUTH" == 'TLS' ]; then
29 +
30 + /usr/bin/wget $URL -O /tmp/cacrl.pem > /dev/null 2>&1
31 +
32 + /usr/bin/openssl crl -inform PEM -in /tmp/cacrl.pem -text > /dev/null 2>&1
33 +
34 + if [ "$?" -eq "0" ]; then
35 + /bin/mv -f /tmp/cacrl.pem /etc/openvpn/s2s/pub/"$VPN"_cacrl.pem > /dev/null 2>&1
36 + else
37 + cat > /tmp/crlmail <<END
38 +
39 +An error occured while updating the CRL for the VPN ID $VPN
40 +because openssl didn't recognize the file as a valid CRL.
41 +Below is the copy of the latest CRL downloaded from
42 +$URL
43 +
44 +END
45 + cat /tmp/cacrl.pem >> /tmp/crlmail
46 + mail -s 'CRL update failed' admin@$DOMAIN < /tmp/crlmail
47 + fi
48 +
49 + rm -f /tmp/cacrl.pem
50 + rm -f /tmp/crlmail
51 + fi
52 +done
53 +
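Review bot: The download and the error mail go through fixed names in /tmp (`/tmp/cacrl.pem`, `/tmp/crlmail`) while this action runs as root from cron, so another local account can pre-create or swap those paths between the wget, the openssl check and the mv; a private directory from `mktemp -d`, removed by an EXIT trap, avoids that. The openssl call only proves the file parses as a CRL and does not tie it to this VPN's CA, so any parseable list served at CrlUrl (an empty or stale one included) replaces the current CRL. Passing `-CAfile` with the tunnel's CA certificate and requiring `verify OK` in the output would bind it; the exit status alone may stay 0 on a signature failure in some OpenSSL versions, and the CA path below is assumed from the 30key template. `$URL` and `$VPN` are also expanded unquoted, and `-a` inside `[` is ambiguous.

```shell
WORK=$(mktemp -d) || exit 1
trap 'rm -rf -- "$WORK"' EXIT

# … unchanged: DOMAIN lookup, for loop over the openvpn-s2s keys, URL/AUTH lookups (quote "$VPN") …

  if [ -n "$URL" ] && [ "$AUTH" = 'TLS' ]; then
    # assumed CA location for this tunnel; confirm against the 30key template
    CA=/etc/openvpn/s2s/pub/"$VPN"_cacert.pem
    /usr/bin/wget -q -O "$WORK/cacrl.pem" -- "$URL"

    # Accept the CRL only if its signature verifies against the tunnel's CA.
    if /usr/bin/openssl crl -inform PEM -in "$WORK/cacrl.pem" \
         -CAfile "$CA" -noout 2>&1 | grep -q '^verify OK'; then
      /bin/mv -f "$WORK/cacrl.pem" /etc/openvpn/s2s/pub/"$VPN"_cacrl.pem
    else
      # … unchanged: build the mail body (now in "$WORK/crlmail") and send it …
    fi
  fi
```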
54 diff -Nur -x '*.orig' -x '*.rej' smeserver-openvpn-s2s-0.1/root/etc/e-smith/templates/etc/crontab/openvpn-s2s-crl mezzanine_patched_smeserver-openvpn-s2s-0.1/root/etc/e-smith/templates/etc/crontab/openvpn-s2s-crl
55 --- smeserver-openvpn-s2s-0.1/root/etc/e-smith/templates/etc/crontab/openvpn-s2s-crl 1970-01-01 01:00:00.000000000 +0100
56 +++ mezzanine_patched_smeserver-openvpn-s2s-0.1/root/etc/e-smith/templates/etc/crontab/openvpn-s2s-crl 2010-10-17 23:38:48.000000000 +0200
57 @@ -0,0 +1,15 @@
58 +{
59 +if ((${'openvpn-s2s'}{'status'} || 'disabled') eq 'enabled'){
60 + $OUT .=<<"HERE";
61 +# Update OpenVPN Site To Site CRLs
62 +10 * * * * root /etc/e-smith/events/actions/openvpn-s2s-update-crl 2>&1 /dev/null
63 +
64 +HERE
65 +else{
66 + $OUT .=<<"HERE";
67 +# OpenVPN Site to Site service is disabled
68 +# CRL updates are not running
69 +
70 +HERE
71 +}
72 +}
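Review bot: The `if` block is never closed before `else{` on the line after the first `HERE`, so the fragment has three opening braces and only two closing ones. It will likely fail to expand, which would leave the hourly CRL refresh out of /etc/crontab. The cron entry's `2>&1 /dev/null` also does not discard output; it passes `/dev/null` to the action as an argument. Suggested: `} else {` for the branch and `10 * * * * root /etc/e-smith/events/actions/openvpn-s2s-update-crl > /dev/null 2>&1` for the entry.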
73 diff -Nur -x '*.orig' -x '*.rej' smeserver-openvpn-s2s-0.1/root/etc/e-smith/templates/etc/openvpn/s2s/openvpn-s2s.conf/30key mezzanine_patched_smeserver-openvpn-s2s-0.1/root/etc/e-smith/templates/etc/openvpn/s2s/openvpn-s2s.conf/30key
74 --- smeserver-openvpn-s2s-0.1/root/etc/e-smith/templates/etc/openvpn/s2s/openvpn-s2s.conf/30key 2010-10-17 23:38:54.000000000 +0200
75 +++ mezzanine_patched_smeserver-openvpn-s2s-0.1/root/etc/e-smith/templates/etc/openvpn/s2s/openvpn-s2s.conf/30key 2010-10-17 23:23:40.000000000 +0200
76 @@ -8,23 +8,29 @@
77 }
78 elsif ($auth eq 'TLS'){
79 if ($type eq 'server'){
80 - $OUT .= "tls-server\n";
81 - $OUT .= "ca pub/$key" . "_cacert.pem\n";
82 - $OUT .= "cert pub/$key" . "_cert.pem\n";
83 - $OUT .= "key priv/$key" . "_key.pem\n";
84 - $OUT .= "dh pub/$key" . "_dh.pem\n";
85 - $OUT .= "tls-auth priv/$key" . "_sharedkey.pem 0\n"
86 + $OUT .= "tls-server\n";
87 + $OUT .= "ca pub/$key" . "_cacert.pem\n";
88 + $OUT .= "cert pub/$key" . "_cert.pem\n";
89 + $OUT .= "key priv/$key" . "_key.pem\n";
90 + $OUT .= "dh pub/$key" . "_dh.pem\n";
91 + $OUT .= "tls-auth priv/$key" . "_sharedkey.pem 0\n"
92 if ( -e "/etc/openvpn/s2s/priv/$key".'_sharedkey.pem' ) &&
93 ( ! -z "/etc/openvpn/s2s/priv/$key".'_sharedkey.pem' );
94 + $OUT .= "crl-verify pub/$key" . "_cacrl.pem\n"
95 + if ( -e "/etc/openvpn/s2s/pub/$key".'_cacrl.pem' ) &&
96 + ( ! -z "/etc/openvpn/s2s/pub/$key".'_cacrl.pem' );
97 }
98 else{
99 - $OUT .= "tls-client\n";
100 - $OUT .= "ca pub/$key" . "_cacert.pem\n";
101 - $OUT .= "cert pub/$key" . "_cert.pem\n";
102 - $OUT .= "key priv/$key" . "_key.pem\n";
103 - $OUT .= "tls-auth priv/$key" . "_sharedkey.pem 1\n"
104 + $OUT .= "tls-client\n";
105 + $OUT .= "ca pub/$key" . "_cacert.pem\n";
106 + $OUT .= "cert pub/$key" . "_cert.pem\n";
107 + $OUT .= "key priv/$key" . "_key.pem\n";
108 + $OUT .= "tls-auth priv/$key" . "_sharedkey.pem 1\n"
109 if ( -e "/etc/openvpn/s2s/priv/$key".'_sharedkey.pem' ) &&
110 ( ! -z "/etc/openvpn/s2s/priv/$key".'_sharedkey.pem' );
111 + $OUT .= "crl-verify pub/$key" . "_cacrl.pem\n"
112 + if ( -e "/etc/openvpn/s2s/pub/$key".'_cacrl.pem' ) &&
113 + ( ! -z "/etc/openvpn/s2s/pub/$key".'_cacrl.pem' );
114 }
115 }
116
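Review bot: Both branches emit `crl-verify` only when `<key>_cacrl.pem` exists and is non-empty, so a tunnel with a CrlUrl configured but no CRL downloaded yet silently runs without revocation checking. Consider keying the directive on the CrlUrl property instead, so that a missing CRL shows up as a failure rather than a quiet downgrade (confirm first how the deployed OpenVPN version treats an unreadable CRL file). At minimum add a comment such as `# no CRL on disk yet: revocation is NOT enforced for this tunnel`. The `-e … && ! -z …` pair can be written as a single test, `if -s "/etc/openvpn/s2s/pub/${key}_cacrl.pem";`. The enclosing if/elsif chain starts before this hunk.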
