From: <abe...@us...> - 2013-02-18 00:08:26
Revision: 5958 http://astlinux.svn.sourceforge.net/astlinux/?rev=5958&view=rev
Author: abelbeck
Date: 2013-02-18 00:08:17 +0000 (Mon, 18 Feb 2013)
Log Message:
-----------
openvpn, add optional TLS-Auth support for server and client
Modified Paths:
--------------
branches/1.0/package/webinterface/altweb/admin/openvpn.php
branches/1.0/package/webinterface/altweb/admin/openvpnclient.php
branches/1.0/package/webinterface/altweb/common/openssl-openvpn.php
branches/1.0/package/webinterface/altweb/common/openssl-openvpnclient.php
branches/1.0/package/webinterface/altweb/common/openssl.php
Modified: branches/1.0/package/webinterface/altweb/admin/openvpn.php
===================================================================
--- branches/1.0/package/webinterface/altweb/admin/openvpn.php 2013-02-16 20:53:24 UTC (rev 5957)
+++ branches/1.0/package/webinterface/altweb/admin/openvpn.php 2013-02-18 00:08:17 UTC (rev 5958)
@@ -223,6 +223,12 @@
 fwrite($fp, "### Key File\n".$value."\n");
 $value = 'OVPN_DH="'.$openssl['dh_pem'].'"';
 fwrite($fp, "### DH File\n".$value."\n");
+ if ($_POST['tls_auth'] === 'yes' && openvpnCREATEtls_auth($openssl)) {
+ $value = 'OVPN_TA="'.$openssl['key_dir'].'/ta.key"';
+ } else {
+ $value = 'OVPN_TA=""';
+ }
+ fwrite($fp, "### TLS-Auth File\n".$value."\n");
 if (! is_null($disabled)) {
 if (count($disabled) > 0) {
 $value = 'OVPN_VALIDCLIENTS="';
@@ -256,8 +262,15 @@
 $value = isset($_POST['dh']) ? trim($_POST['dh']) : $base.'/dh1024.pem';
 $value = 'OVPN_DH="'.$value.'"';
 fwrite($fp, "### DH File\n".$value."\n");
+ if ($_POST['tls_auth'] === 'yes') {
+ $value = isset($_POST['ta']) ? trim($_POST['ta']) : $base.'/ta.key';
+ $value = 'OVPN_TA="'.$value.'"';
+ } else {
+ $value = 'OVPN_TA=""';
+ }
+ fwrite($fp, "### TLS-Auth File\n".$value."\n");
 }
-
+
 fwrite($fp, "### gui.openvpn.conf - end ###\n");
 fclose($fp);
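Review bot: `$_POST['tls_auth']` is compared with `=== 'yes'` in the new `if` at the top of the `@@ -223` hunk without an `isset()` guard, so a request that omits the select (an older cached form or a direct POST) raises an undefined-index notice and silently lands in the `else` branch; the `@@ -256` hunk below and the `OVPNC_TA` block in openvpnclient.php (`@@ -112`) read it the same way. Read it once, `$tls_auth = isset($_POST['tls_auth']) ? $_POST['tls_auth'] : '';`, and branch on `$tls_auth === 'yes'`. The enclosing function's start and end are outside the hunk.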
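Review bot: In the `@@ -256` hunk the posted `ta` path goes into `gui.openvpn.conf` as `OVPN_TA="…"` after only `trim()`, and ovpnProfile (the `@@ -297` and `@@ -327` hunks) later reads whatever file that path names with `file_get_contents()` and embeds its contents in every downloadable client profile; the `dh` value on the context line above follows the same unvalidated pattern. A double quote or newline in the value also breaks the quoted assignment in the generated config file. Restricting the value to an absolute path made of safe characters and otherwise falling back to the default would close both, e.g. `if (! preg_match('#^/[A-Za-z0-9._/-]+$#', $value)) { $value = $base.'/ta.key'; }` (pattern constructed here; adjust to the project's path rules). The enclosing function's start and end are outside the hunk.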
@@ -285,7 +298,7 @@
 // Function: ovpnProfile
 //
-function ovpnProfile($db, $ca_file) {
+function ovpnProfile($db, $ssl, &$ta_file) {
 $default = array (
 'client',
@@ -297,6 +310,13 @@
 'verb 3'
 );
+ $ca_file = $ssl['key_dir'].'/ca.crt';
+ if (($ta_file = getVARdef($db, 'OVPN_TA')) !== '') {
+ if (! is_file($ta_file)) {
+ $ta_file = '';
+ }
+ }
+
 if (($server_hostname = getVARdef($db, 'OVPN_HOSTNAME')) === '') {
 $server_hostname = get_HOSTNAME_DOMAIN();
 }
@@ -319,6 +339,9 @@
 if (($cipher = getVARdef($db, 'OVPN_CIPHER')) !== '') {
 $str .= "cipher $cipher\n";
 }
+ if ($ta_file !== '') {
+ $str .= "key-direction 1\n";
+ }
 foreach ($default as $value) {
 $str .= "$value\n";
 }
@@ -327,6 +350,13 @@
 $str .= $caStr;
 $str .= "</ca>\n";
 }
+ if ($ta_file !== '') {
+ if (($taStr = @file_get_contents($ta_file)) !== FALSE) {
+ $str .= "<tls-auth>\n";
+ $str .= $taStr;
+ $str .= "</tls-auth>\n";
+ }
+ }
 return($str);
 }
@@ -382,7 +412,8 @@
 } elseif (isset($_POST['submit_new_client'])) {
 if (($value = trim($_POST['new_client'])) !== '') {
 if (preg_match('/^[a-zA-Z0-9][a-zA-Z0-9._-]*$/', $value)) {
- if (! is_file($openssl['key_dir'].'/'.$value.'.crt') &&
+ if ($value !== 'ta' &&
+ ! is_file($openssl['key_dir'].'/'.$value.'.crt') &&
 ! is_file($openssl['key_dir'].'/'.$value.'.key')) {
 if (opensslCREATEclientCert($value, $openssl)) {
 $disabled = isset($_POST['disabled']) ? $_POST['disabled'] : NULL;
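Review bot: `key-direction 1` is emitted whenever `$ta_file !== ''` (the `@@ -319` hunk), but the `<tls-auth>` block is only emitted when `@file_get_contents($ta_file)` succeeds (the `@@ -327` hunk), so a key file that passes `is_file()` yet cannot be read yields a profile that declares a key direction without a key, and the caller in `@@ -425` still takes the `ovpn-ta` branch because `$ta_file` was never cleared. Read the key once, right after the `is_file()` check in the `@@ -297` hunk, and clear `$ta_file` on failure so the directive, the inline block and the caller's zip entries always agree. The new by-reference `&$ta_file` on the signature deserves a line of documentation at minimum, e.g. `// $ta_file (out): path of the TLS-Auth key embedded in the profile, or '' when none`. ovpnProfile's body between the hunks is not shown.
```php
  $ca_file = $ssl['key_dir'].'/ca.crt';
  $taStr = '';
  if (($ta_file = getVARdef($db, 'OVPN_TA')) !== '') {
    if (! is_file($ta_file) || ($taStr = @file_get_contents($ta_file)) === FALSE) {
      $ta_file = '';
    }
  }
  // … unchanged: hostname, cipher, key-direction, $default lines, <ca> block …
  if ($ta_file !== '') {
    $str .= "<tls-auth>\n";
    $str .= $taStr;
    $str .= "</tls-auth>\n";
  }
```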
@@ -425,9 +456,14 @@
 $p12pass = opensslRANDOMpass(12);
 if (($p12 = opensslPKCS12str($openssl, $value, $p12pass)) !== '') {
 $zip->addFromString($value.'/'.$value.'.p12', $p12);
- if (($ovpn = ovpnProfile($db, $openssl['key_dir'].'/ca.crt')) !== FALSE) {
+ if (($ovpn = ovpnProfile($db, $openssl, $tls_auth_file)) !== FALSE) {
 $zip->addFromString($value.'/'.$value.'.ovpn', $ovpn);
- $zip->addFromString($value.'/README.txt', opensslREADMEstr('ovpn', $value, $p12pass));
+ if ($tls_auth_file !== '') {
+ $zip->addFile($tls_auth_file, $value.'/'.$value.'-ta.key');
+ $zip->addFromString($value.'/README.txt', opensslREADMEstr('ovpn-ta', $value, $p12pass));
+ } else {
+ $zip->addFromString($value.'/README.txt', opensslREADMEstr('ovpn', $value, $p12pass));
+ }
 } else {
 $zip->addFromString($value.'/README.txt', opensslREADMEstr('p12', $value, $p12pass));
 }
@@ -524,22 +560,6 @@
 putHtml('</td></tr>');
 putHtml('<tr class="dtrow1"><td style="text-align: right;" colspan="2">');
- putHtml('Auth Method:');
- putHtml('</td><td style="text-align: left;" colspan="2">');
- if (($auth_method = getVARdef($db, 'OVPN_USER_PASS_VERIFY')) === '') {
- $auth_method = 'no';
- }
- putHtml('<select name="auth_method" onchange="auth_method_change()">');
- foreach ($auth_method_menu as $key => $value) {
- $sel = ($auth_method === $key) ? ' selected="selected"' : '';
- putHtml('<option value="'.$key.'"'.$sel.'>'.$value.'</option>');
- }
- putHtml('</select>');
- putHtml('</td><td style="text-align: left;" colspan="2">');
- putHtml('<input type="submit" value="User/Pass" name="submit_user_pass" class="button" />');
- putHtml('</td></tr>');
-
- putHtml('<tr class="dtrow1"><td style="text-align: right;" colspan="2">');
 putHtml('Protocol:');
 putHtml('</td><td style="text-align: left;" colspan="1">');
 $protocol = getVARdef($db, 'OVPN_PROTOCOL');
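Review bot: The return value of `$zip->addFile($tls_auth_file, …)` in the new `if ($tls_auth_file !== '')` branch of the `@@ -425` hunk is ignored, so when the key cannot be added the archive still ships a README written with `'ovpn-ta'` that describes a `-ta.key` entry which is not there. Gate the README choice on the result: `if ($tls_auth_file !== '' && $zip->addFile($tls_auth_file, $value.'/'.$value.'-ta.key')) {`. Note also that the archive now carries the same secret twice, inline in the `.ovpn` produced by ovpnProfile and as the separate `-ta.key`, which is worth a sentence in the README so recipients treat the profile itself as sensitive. The enclosing block starts before this hunk.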
@@ -628,6 +648,38 @@
 putHtml('</td></tr>');
 putHtml('<tr class="dtrow0"><td class="dialogText" style="text-align: left;" colspan="6">');
+ putHtml('<strong>Authentication:</strong>');
+ putHtml('</td></tr>');
+
+ putHtml('<tr class="dtrow1"><td style="text-align: right;" colspan="2">');
+ putHtml('Auth Method:');
+ putHtml('</td><td style="text-align: left;" colspan="2">');
+ if (($auth_method = getVARdef($db, 'OVPN_USER_PASS_VERIFY')) === '') {
+ $auth_method = 'no';
+ }
+ putHtml('<select name="auth_method" onchange="auth_method_change()">');
+ foreach ($auth_method_menu as $key => $value) {
+ $sel = ($auth_method === $key) ? ' selected="selected"' : '';
+ putHtml('<option value="'.$key.'"'.$sel.'>'.$value.'</option>');
+ }
+ putHtml('</select>');
+ putHtml('</td><td style="text-align: left;" colspan="2">');
+ putHtml('<input type="submit" value="User/Pass" name="submit_user_pass" class="button" />');
+ putHtml('</td></tr>');
+
+ putHtml('<tr class="dtrow1"><td style="text-align: right;" colspan="2">');
+ putHtml('Extra TLS-Auth:');
+ putHtml('</td><td style="text-align: left;" colspan="4">');
+ $tls_auth = getVARdef($db, 'OVPN_TA');
+ putHtml('<select name="tls_auth">');
+ $sel = ($tls_auth === '') ? ' selected="selected"' : '';
+ putHtml('<option value=""'.$sel.'>No</option>');
+ $sel = ($tls_auth !== '') ? ' selected="selected"' : '';
+ putHtml('<option value="yes"'.$sel.'>Yes</option>');
+ putHtml('</select>');
+ putHtml('</td></tr>');
+
+ putHtml('<tr class="dtrow0"><td class="dialogText" style="text-align: left;" colspan="6">');
 putHtml('<strong>Firewall Options:</strong>');
 putHtml('</td></tr>');
 putHtml('<tr class="dtrow1"><td style="text-align: right;" colspan="2">');
@@ -812,6 +864,12 @@
 }
 putHtml('<input type="text" size="64" maxlength="128" value="'.$value.'" name="dh" />');
 putHtml('</td></tr>');
+ putHtml('<tr class="dtrow1"><td style="text-align: right;">');
+ putHtml('TLS-Auth File:');
+ putHtml('</td><td style="text-align: left;" colspan="5">');
+ $value = getVARdef($db, 'OVPN_TA');
+ putHtml('<input type="text" size="64" maxlength="128" value="'.$value.'" name="ta" />');
+ putHtml('</td></tr>');
 }
 putHtml('</table>');
Modified: branches/1.0/package/webinterface/altweb/admin/openvpnclient.php
===================================================================
--- branches/1.0/package/webinterface/altweb/admin/openvpnclient.php 2013-02-16 20:53:24 UTC (rev 5957)
+++ branches/1.0/package/webinterface/altweb/admin/openvpnclient.php 2013-02-18 00:08:17 UTC (rev 5958)
@@ -40,7 +40,7 @@
 );
 $nscerttype_menu = array (
- '' => 'None',
+ '' => 'No',
 'server' => 'Server'
 );
@@ -112,6 +112,12 @@
 fwrite($fp, "### CERT File\n".$value."\n");
 $value = 'OVPNC_KEY="'.$openssl['client_key'].'"';
 fwrite($fp, "### Key File\n".$value."\n");
+ if ($_POST['tls_auth'] === 'yes' && is_file($openssl['tls_auth_key'])) {
+ $value = 'OVPNC_TA="'.$openssl['tls_auth_key'].'"';
+ } else {
+ $value = 'OVPNC_TA=""';
+ }
+ fwrite($fp, "### TLS-Auth File\n".$value."\n");
 }
 fwrite($fp, "### gui.openvpnclient.conf - end ###\n");
@@ -141,6 +147,7 @@
 $result = 2;
 }
 } elseif (isset($_FILES['creds'])) {
+ $tls_auth_key = TRUE;
 $result = 1;
 foreach ($_FILES['creds']['error'] as $key => $error) {
 if ($error == 0) {
@@ -159,7 +166,7 @@
 break;
 }
 } elseif (stripos($name, '.key', $len) !== FALSE) {
- if ($key !== 'client_key') {
+ if ($key !== 'client_key' && $key !== 'tls_auth_key') {
 $result = 23;
 break;
 }
@@ -170,6 +177,8 @@
 } elseif ($error == 1 || $error == 2) {
 $result = 20;
 break;
+ } elseif ($key === 'tls_auth_key') { // TLS-Auth is optional
+ $tls_auth_key = FALSE;
 } else {
 $result = 21;
 break;
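Review bot: In the `@@ -812` hunk of openvpn.php, `$value` from `getVARdef($db, 'OVPN_TA')` is interpolated into the `value="…"` attribute of the new `ta` input without escaping, mirroring the `dh` input on the context line above, so a stored path containing `"` or `<` breaks the attribute and the surrounding markup. Escape at the output boundary: `putHtml('<input type="text" size="64" maxlength="128" value="'.htmlspecialchars($value, ENT_QUOTES).'" name="ta" />');`. The enclosing `if` begins before the hunk.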
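Review bot: When the client form has `Extra TLS-Auth` set to `yes` but no `ta.key` has been uploaded, the new branch at the top of the `@@ -112` hunk in openvpnclient.php silently writes `OVPNC_TA=""`, and the page simply re-renders with `No` selected, so an administrator can believe tls-auth is enforced when it was dropped. Record the downgrade next to the existing assignment, `$tls_auth_dropped = ($_POST['tls_auth'] === 'yes' && ! is_file($openssl['tls_auth_key']));`, and surface it with the other `$result` messages. The enclosing function starts and ends outside the hunk.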
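Review bot: The new `elseif ($key === 'tls_auth_key')` branch in the `@@ -170` hunk treats every upload error other than 0, 1 and 2 as "no TLS-Auth file supplied", including a partial upload (`UPLOAD_ERR_PARTIAL`) and a missing temp dir or failed write (`UPLOAD_ERR_NO_TMP_DIR`, `UPLOAD_ERR_CANT_WRITE`), which then proceed silently instead of reporting an error. Restrict the optional case to the absent-file code: `} elseif ($key === 'tls_auth_key' && $error == UPLOAD_ERR_NO_FILE) { // TLS-Auth is optional`. The `foreach` over `$_FILES['creds']['error']` begins in the `@@ -141` hunk and ends outside this one.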
@@ -180,13 +189,15 @@
 if ($openssl !== FALSE) {
 $result = 30;
 foreach ($_FILES['creds']['tmp_name'] as $key => $tmp_name) {
- if (! move_uploaded_file($tmp_name, $openssl[$key])) {
- $result = 3;
- break;
+ if ($key !== 'tls_auth_key' || $tls_auth_key) {
+ if (! move_uploaded_file($tmp_name, $openssl[$key])) {
+ $result = 3;
+ break;
+ }
+ if ($key === 'client_key' || $key === 'tls_auth_key') {
+ chmod($openssl[$key], 0600);
+ }
 }
- if ($key === 'client_key') {
- chmod($openssl[$key], 0600);
- }
 }
 }
 }
@@ -219,7 +230,7 @@
 } elseif ($result == 20) {
 putHtml('<p style="color: red;">File size is not reasonable for a cert or key.</p>');
 } elseif ($result == 21) {
- putHtml('<p style="color: red;">All three files, CA, Cert and Key must be defined.</p>');
+ putHtml('<p style="color: red;">The three files, CA, Cert and Key must be defined. The TLS-Auth Key is optional.</p>');
 } elseif ($result == 22) {
 putHtml('<p style="color: red;">Invalid suffix, only files ending with .crt and .key are allowed.</p>');
 } elseif ($result == 23) {
@@ -322,23 +333,13 @@
 putHtml('<tr class="dtrow1"><td style="text-align: right;" colspan="2">');
 putHtml('Device:');
- putHtml('</td><td style="text-align: left;" colspan="1">');
+ putHtml('</td><td style="text-align: left;" colspan="4">');
 putHtml('<select name="device">');
 $sel = (getVARdef($db, 'OVPNC_DEV') === 'tun2') ? ' selected="selected"' : '';
 putHtml('<option value="tun2"'.$sel.'>tun2</option>');
 $sel = (getVARdef($db, 'OVPNC_DEV') === 'tun3') ? ' selected="selected"' : '';
 putHtml('<option value="tun3"'.$sel.'>tun3</option>');
 putHtml('</select>');
- putHtml('</td><td style="text-align: right;" colspan="1">');
- putHtml('nsCertType:');
- putHtml('</td><td style="text-align: left;" colspan="2">');
- $nscerttype = getVARdef($db, 'OVPNC_NSCERTTYPE');
- putHtml('<select name="nscerttype">');
- foreach ($nscerttype_menu as $key => $value) {
- $sel = ($nscerttype === $key) ? ' selected="selected"' : '';
- putHtml('<option value="'.$key.'"'.$sel.'>'.$value.'</option>');
- }
- putHtml('</select>');
 putHtml('</td></tr>');
 putHtml('<tr class="dtrow1"><td style="text-align: right;" colspan="2">');
@@ -355,6 +356,34 @@
 putHtml('</td></tr>');
 putHtml('<tr class="dtrow0"><td class="dialogText" style="text-align: left;" colspan="6">');
+ putHtml('<strong>Authentication:</strong>');
+ putHtml('</td></tr>');
+
+ putHtml('<tr class="dtrow1"><td style="text-align: right;" colspan="2">');
+ putHtml('Require nsCertType:');
+ putHtml('</td><td style="text-align: left;" colspan="4">');
+ $nscerttype = getVARdef($db, 'OVPNC_NSCERTTYPE');
+ putHtml('<select name="nscerttype">');
+ foreach ($nscerttype_menu as $key => $value) {
+ $sel = ($nscerttype === $key) ? ' selected="selected"' : '';
+ putHtml('<option value="'.$key.'"'.$sel.'>'.$value.'</option>');
+ }
+ putHtml('</select>');
+ putHtml('</td></tr>');
+
+ putHtml('<tr class="dtrow1"><td style="text-align: right;" colspan="2">');
+ putHtml('Extra TLS-Auth:');
+ putHtml('</td><td style="text-align: left;" colspan="4">');
+ $tls_auth = getVARdef($db, 'OVPNC_TA');
+ putHtml('<select name="tls_auth">');
+ $sel = ($tls_auth === '') ? ' selected="selected"' : '';
+ putHtml('<option value=""'.$sel.'>No</option>');
+ $sel = ($tls_auth !== '') ? ' selected="selected"' : '';
+ putHtml('<option value="yes"'.$sel.'>Yes</option>');
+ putHtml('</select>');
+ putHtml('</td></tr>');
+
+ putHtml('<tr class="dtrow0"><td class="dialogText" style="text-align: left;" colspan="6">');
 putHtml('<strong>Client Mode:</strong>');
 putHtml('</td></tr>');
 putHtml('<tr class="dtrow1"><td style="text-align: right;" colspan="2">');
@@ -379,9 +408,9 @@
 putHtml('</form>');
 if (opensslOPENVPNCis_valid($openssl)) {
- putHtml('<p style="color: green;">Client Credentials are defined.</p>');
+ putHtml('<p style="color: green;">Required Client Credentials are defined.</p>');
 } else {
- putHtml('<p style="color: red;">Not all Client Credential files are defined.</p>');
+ putHtml('<p style="color: red;">Not all required Client Credential files are defined.</p>');
 }
 putHtml('<form method="post" action="'.$myself.'" enctype="multipart/form-data">');
@@ -400,6 +429,10 @@
 putHtml('</td><td style="text-align: left;">');
 putHtml(getCREDinfo($openssl, 'client_key', $str).'<input type="file" name="creds[client_key]" />');
 putHtml('</td></tr><tr class="dtrow1"><td style="text-align: right;">');
+ putHtml('TLS-Auth Key:');
+ putHtml('</td><td style="text-align: left;">');
+ putHtml(getCREDinfo($openssl, 'tls_auth_key', $str).'<input type="file" name="creds[tls_auth_key]" />');
+ putHtml('</td></tr><tr class="dtrow1"><td style="text-align: right;">');
 if ($CName !== '') {
 putHtml('CN:');
 putHtml('</td><td style="text-align: left;">');
Modified: branches/1.0/package/webinterface/altweb/common/openssl-openvpn.php
===================================================================
--- branches/1.0/package/webinterface/altweb/common/openssl-openvpn.php 2013-02-16 20:53:24 UTC (rev 5957)
+++ branches/1.0/package/webinterface/altweb/common/openssl-openvpn.php 2013-02-18 00:08:17 UTC (rev 5958)
@@ -140,4 +140,22 @@
 chmod($ssl['dh_pem'], 0644);
 return(TRUE);
 }
+
+// Function: openvpnCREATEtls_auth()
+//
+function openvpnCREATEtls_auth($ssl) {
+
+ $ta_file = $ssl['key_dir'].'/ta.key';
+
+ if (is_file($ta_file)) {
+ return(TRUE);
+ }
+ shell('openvpn --genkey --secret '.$ta_file.' >/dev/null 2>/dev/null', $status);
+ if ($status != 0) {
+ @unlink($ta_file);
+ return(FALSE);
+ }
+ chmod($ta_file, 0600);
+ return(TRUE);
+}
 ?>
Modified: branches/1.0/package/webinterface/altweb/common/openssl-openvpnclient.php
===================================================================
--- branches/1.0/package/webinterface/altweb/common/openssl-openvpnclient.php 2013-02-16 20:53:24 UTC (rev 5957)
+++ branches/1.0/package/webinterface/altweb/common/openssl-openvpnclient.php 2013-02-18 00:08:17 UTC (rev 5958)
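Review bot: In the new openvpnCREATEtls_auth() (`@@ -140` hunk of openssl-openvpn.php) `$ta_file` is concatenated into the `openvpn --genkey --secret` command line unquoted, so a `key_dir` containing a space or shell metacharacter changes the command rather than the file name; wrap it as `escapeshellarg($ta_file)`. The early `return(TRUE)` for an existing file also skips the `chmod($ta_file, 0600)`, so a previously created key keeps whatever mode it has; applying the `chmod` in that branch too, and using `$status !== 0`, would give the function a uniform post-condition. `shell()` is a project helper whose contract for `$status` is not shown here.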
@@ -23,6 +23,7 @@
 $ssl['ca_crt'] = $ssl['key_dir'].'/ca.crt';
 $ssl['client_crt'] = $ssl['key_dir'].'/client.crt';
 $ssl['client_key'] = $ssl['key_dir'].'/client.key';
+ $ssl['tls_auth_key'] = $ssl['key_dir'].'/ta.key';
 if (! is_dir($ssl['base_dir'])) {
 if (! @mkdir($ssl['base_dir'], 0755)) {
@@ -70,7 +71,7 @@
 function opensslDELETEclientkeys($ssl) {
 if ($ssl !== FALSE) {
- $types = array ('ca_crt', 'client_crt', 'client_key');
+ $types = array ('ca_crt', 'client_crt', 'client_key', 'tls_auth_key');
 foreach ($types as $type) {
 if (is_file($ssl[$type])) {
 @unlink($ssl[$type]);
Modified: branches/1.0/package/webinterface/altweb/common/openssl.php
===================================================================
--- branches/1.0/package/webinterface/altweb/common/openssl.php 2013-02-16 20:53:24 UTC (rev 5957)
+++ branches/1.0/package/webinterface/altweb/common/openssl.php 2013-02-18 00:08:17 UTC (rev 5958)
@@ -251,12 +251,16 @@
 $readme .= "$commonName.crt - This client's public key certificate, signed by ca.crt.\n\n";
 $readme .= "$commonName.key - This client's private key.\n";
 $readme .= "Note: File '$commonName.key' is not encrypted and must be kept secure.\n\n";
- if ($type === 'p12' || $type === 'ovpn') {
+ if ($type === 'p12' || $type === 'ovpn' || $type === 'ovpn-ta') {
 $readme .= "$commonName.p12 - A password protected PKCS#12 container combining the credentials from the above three files.\n\n";
 $readme .= "PKCS#12 Container Password: $pass\n";
 $readme .= "Keep it secure.\n\n";
- if ($type === 'ovpn') {
+ if ($type === 'ovpn' || $type === 'ovpn-ta') {
 $readme .= "$commonName.ovpn - OpenVPN certificate profile, use with file '$commonName.p12' for client devices.\n\n";
+ if ($type === 'ovpn-ta') {
+ $readme .= "$commonName-ta.key - TLS-Auth key which adds an additional HMAC signature to all SSL/TLS handshake packets.\n";
+ $readme .= "Note: File '$commonName-ta.key' is not encrypted and must be kept secure.\n\n";
+ }
 }
 }
This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
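Review bot: The new `-ta.key` README text says only the separate key file must be kept secure, but for the `ovpn-ta` type ovpnProfile also embeds the same key inline in a `<tls-auth>` block of the `.ovpn` file, so the profile is equally sensitive and the README should say so. Add after the existing note: `$readme .= "Note: File '$commonName.ovpn' also embeds the TLS-Auth key inline and must be kept secure.\n\n";`. The enclosing function opensslREADMEstr begins before the hunk.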