* [PATCH 1/3] vpnmain.cgi: Do not use a bad source for randomness
From: Michael Tremer @ 2024-01-30 17:45 UTC (permalink / raw)
To: development
Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
---
html/cgi-bin/vpnmain.cgi | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/html/cgi-bin/vpnmain.cgi b/html/cgi-bin/vpnmain.cgi
index 53507305f..8b05a0de7 100644
--- a/html/cgi-bin/vpnmain.cgi
+++ b/html/cgi-bin/vpnmain.cgi
@@ -2141,7 +2141,7 @@ END
&General::log("ipsec", "Creating a cert...");
if (open(STDIN, "-|")) {
- my $opt = " req -nodes -rand /proc/interrupts:/proc/net/rt_cache";
+ my $opt = " req -nodes";
$opt .= " -newkey rsa:4096";
$opt .= " -keyout ${General::swroot}/certs/$cgiparams{'NAME'}key.pem";
$opt .= " -out ${General::swroot}/certs/$cgiparams{'NAME'}req.pem";
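Review bot: The commit has no body, so the reason for dropping `-rand /proc/interrupts:/proc/net/rt_cache` lives only in the subject line; a sentence noting that these files are predictable, low-entropy inputs and that OpenSSL seeds its DRBG from the kernel CSPRNG on its own would help future readers. It is also worth confirming that this `openssl req` call (the "Creating a cert..." path at line 2141 of the old file) is the only one in vpnmain.cgi that still passed that `-rand` argument; if the root or host certificate generation carries the same option it should be dropped there too in the same series.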
--
2.39.2
* [PATCH 2/3] vpnmain.cgi: Return the entire error message if OpenSSL fails
From: Michael Tremer @ 2024-01-30 17:45 UTC (permalink / raw)
To: development
The function did not evaluate the return code, which is why it used a
hack to figure out if some output is an error or not.
This is being fixed in this commit, and the entire output is being
returned if the return code is non-zero.
Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
---
html/cgi-bin/vpnmain.cgi | 13 +++++++------
1 file changed, 7 insertions(+), 6 deletions(-)
diff --git a/html/cgi-bin/vpnmain.cgi b/html/cgi-bin/vpnmain.cgi
index 8b05a0de7..d82e6b5c9 100644
--- a/html/cgi-bin/vpnmain.cgi
+++ b/html/cgi-bin/vpnmain.cgi
@@ -229,13 +229,14 @@ sub callssl ($) {
my $opt = shift;
my $retssl = `/usr/bin/openssl $opt 2>&1`; #redirect stderr
my $ret = '';
- foreach my $line (split (/\n/, $retssl)) {
- &General::log("ipsec", "$line") if (0); # 1 for verbose logging
- $ret .= '<br>'.$line if ( $line =~ /error|unknown/ );
- }
- if ($ret) {
- $ret= &Header::cleanhtml($ret);
+
+ if ($?) {
+ foreach my $line (split (/\n/, $retssl)) {
+ &General::log("ipsec", "$line") if (0); # 1 for verbose logging
+ $ret .= '<br>' . &Header::escape($line);
+ }
}
+
return $ret ? "$Lang::tr{'openssl produced an error'}: $ret" : '' ;
}
###
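Review bot: A non-zero exit with empty output still reaches `return $ret ? ... : ''` with `$ret` empty, so a silent failure is reported to callers as success (they test `if (!$errormessage)`); consider recording the status when there is nothing else to show, e.g. `$ret .= '<br>exit status ' . ($? >> 8) unless $ret;` at the end of the `if ($?)` block. Note that `$?` is the raw wait status, so `$? >> 8` is the exit code and a signal-killed openssl is still caught by `if ($?)`. The `&General::log("ipsec", "$line") if (0);` line is dead code carried over from the old loop and could be dropped while the block is being rewritten.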
--
2.39.2
* [PATCH 3/3] vpnmain.cgi: Add option to regenerate the host certificate
From: Michael Tremer @ 2024-01-30 17:45 UTC (permalink / raw)
To: development
This is necessary since we now have a much shorter lifetime for the host
certificate. However, it is complicated to do this, which is why we
are copying the previous certificate and generating a new CSR. This is
then signed.
A caveat of this patch is that we do not roll over the key.
Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
---
config/ssl/openssl.cnf | 1 +
doc/language_issues.de | 1 +
doc/language_issues.en | 1 +
doc/language_issues.es | 1 +
doc/language_issues.fr | 1 +
doc/language_issues.it | 1 +
doc/language_issues.nl | 1 +
doc/language_issues.pl | 1 +
doc/language_issues.ru | 1 +
doc/language_issues.tr | 1 +
doc/language_missings | 8 ++++++
html/cgi-bin/vpnmain.cgi | 54 +++++++++++++++++++++++++++++++++++++++-
langs/en/cgi-bin/en.pl | 1 +
13 files changed, 72 insertions(+), 1 deletion(-)
diff --git a/config/ssl/openssl.cnf b/config/ssl/openssl.cnf
index 3b980fcd4..00c206ed8 100644
--- a/config/ssl/openssl.cnf
+++ b/config/ssl/openssl.cnf
@@ -23,6 +23,7 @@ default_md = sha256
preserve = no
policy = policy_match
email_in_dn = no
+copy_extensions = copyall
[ policy_match ]
countryName = optional
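Review bot: `copy_extensions = copyall` is set in the CA section, so it applies to every `openssl ca` signing run, not only the host certificate renewal. With `copyall` every extension present in a request is copied into the issued certificate and replaces the CA's own `x509_extensions` settings, which the openssl-ca(1) manual warns about because a request could carry `basicConstraints = CA:TRUE` or other extensions the CA never intended to issue. If the intent is only to preserve the subjectAltName and key usage of the existing host certificate, `copy` (which copies only extensions not already set by the CA configuration) is the safer value, and the commit message should state that requests from other sources are never signed with this section.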
diff --git a/doc/language_issues.de b/doc/language_issues.de
index 4fd5a0819..fa0705e74 100644
--- a/doc/language_issues.de
+++ b/doc/language_issues.de
@@ -933,6 +933,7 @@ WARNING: untranslated string: netbios nameserver daemon = NetBIOS Nameserver Dae
WARNING: untranslated string: no entries = No entries at the moment.
WARNING: untranslated string: optional = Optional
WARNING: untranslated string: pakfire invalid tree = Invalid repository selected
+WARNING: untranslated string: regenerate host certificate = Renew Host Certificate
WARNING: untranslated string: reiserfs warning1 = Reiserfs is deprecated and scheduled to be removed from the kernel in 2025.
WARNING: untranslated string: reiserfs warning2 = Ensure a fresh installation is made using either ext4 or xfs filesystems before that date.
WARNING: untranslated string: required = Required
diff --git a/doc/language_issues.en b/doc/language_issues.en
index b4327cb78..88e66346b 100644
--- a/doc/language_issues.en
+++ b/doc/language_issues.en
@@ -1578,6 +1578,7 @@ WARNING: untranslated string: red1 = RED
WARNING: untranslated string: references = References
WARNING: untranslated string: refresh = Refresh
WARNING: untranslated string: refresh index page while connected = Refresh index.cgi page while connected
+WARNING: untranslated string: regenerate host certificate = Renew Host Certificate
WARNING: untranslated string: reiserfs warning1 = Reiserfs is deprecated and scheduled to be removed from the kernel in 2025.
WARNING: untranslated string: reiserfs warning2 = Ensure a fresh installation is made using either ext4 or xfs filesystems before that date.
WARNING: untranslated string: release = Release
diff --git a/doc/language_issues.es b/doc/language_issues.es
index 45ffdf5d7..ab6b5a1e9 100644
--- a/doc/language_issues.es
+++ b/doc/language_issues.es
@@ -995,6 +995,7 @@ WARNING: untranslated string: no data = unknown string
WARNING: untranslated string: openvpn cert expires soon = Expires Soon
WARNING: untranslated string: openvpn cert has expired = Expired
WARNING: untranslated string: pakfire ago = ago.
+WARNING: untranslated string: regenerate host certificate = Renew Host Certificate
WARNING: untranslated string: reiserfs warning1 = Reiserfs is deprecated and scheduled to be removed from the kernel in 2025.
WARNING: untranslated string: reiserfs warning2 = Ensure a fresh installation is made using either ext4 or xfs filesystems before that date.
WARNING: untranslated string: route config changed = unknown string
diff --git a/doc/language_issues.fr b/doc/language_issues.fr
index cacfb1ec6..e6781362f 100644
--- a/doc/language_issues.fr
+++ b/doc/language_issues.fr
@@ -948,6 +948,7 @@ WARNING: untranslated string: guardian logtarget_syslog = unknown string
WARNING: untranslated string: guardian no entries = unknown string
WARNING: untranslated string: guardian service = unknown string
WARNING: untranslated string: pakfire ago = ago.
+WARNING: untranslated string: regenerate host certificate = Renew Host Certificate
WARNING: untranslated string: reiserfs warning1 = Reiserfs is deprecated and scheduled to be removed from the kernel in 2025.
WARNING: untranslated string: reiserfs warning2 = Ensure a fresh installation is made using either ext4 or xfs filesystems before that date.
WARNING: untranslated string: route config changed = unknown string
diff --git a/doc/language_issues.it b/doc/language_issues.it
index 68ff12c86..b21f15062 100644
--- a/doc/language_issues.it
+++ b/doc/language_issues.it
@@ -1215,6 +1215,7 @@ WARNING: untranslated string: rdns = rDNS
WARNING: untranslated string: reboot fsck = Reboot & run ‘fsck’
WARNING: untranslated string: rebooting ipfire fsck = Rebooting IPFire, forcing filesystem check
WARNING: untranslated string: received = Received
+WARNING: untranslated string: regenerate host certificate = Renew Host Certificate
WARNING: untranslated string: reiserfs warning1 = Reiserfs is deprecated and scheduled to be removed from the kernel in 2025.
WARNING: untranslated string: reiserfs warning2 = Ensure a fresh installation is made using either ext4 or xfs filesystems before that date.
WARNING: untranslated string: release = Release
diff --git a/doc/language_issues.nl b/doc/language_issues.nl
index d1a637215..668df4fc3 100644
--- a/doc/language_issues.nl
+++ b/doc/language_issues.nl
@@ -1237,6 +1237,7 @@ WARNING: untranslated string: ptr = PTR
WARNING: untranslated string: rdns = rDNS
WARNING: untranslated string: rebooting ipfire fsck = Rebooting IPFire, forcing filesystem check
WARNING: untranslated string: received = Received
+WARNING: untranslated string: regenerate host certificate = Renew Host Certificate
WARNING: untranslated string: reiserfs warning1 = Reiserfs is deprecated and scheduled to be removed from the kernel in 2025.
WARNING: untranslated string: reiserfs warning2 = Ensure a fresh installation is made using either ext4 or xfs filesystems before that date.
WARNING: untranslated string: required = Required
diff --git a/doc/language_issues.pl b/doc/language_issues.pl
index 893f73211..f4a29cb84 100644
--- a/doc/language_issues.pl
+++ b/doc/language_issues.pl
@@ -1418,6 +1418,7 @@ WARNING: untranslated string: reboot fsck = Reboot & run ‘fsck’
WARNING: untranslated string: rebooting ipfire fsck = Rebooting IPFire, forcing filesystem check
WARNING: untranslated string: received = Received
WARNING: untranslated string: red1 = RED
+WARNING: untranslated string: regenerate host certificate = Renew Host Certificate
WARNING: untranslated string: reiserfs warning1 = Reiserfs is deprecated and scheduled to be removed from the kernel in 2025.
WARNING: untranslated string: reiserfs warning2 = Ensure a fresh installation is made using either ext4 or xfs filesystems before that date.
WARNING: untranslated string: release = Release
diff --git a/doc/language_issues.ru b/doc/language_issues.ru
index 64c9b5095..4eface69a 100644
--- a/doc/language_issues.ru
+++ b/doc/language_issues.ru
@@ -1413,6 +1413,7 @@ WARNING: untranslated string: reboot fsck = Reboot & run ‘fsck’
WARNING: untranslated string: rebooting ipfire fsck = Rebooting IPFire, forcing filesystem check
WARNING: untranslated string: received = Received
WARNING: untranslated string: red1 = RED
+WARNING: untranslated string: regenerate host certificate = Renew Host Certificate
WARNING: untranslated string: reiserfs warning1 = Reiserfs is deprecated and scheduled to be removed from the kernel in 2025.
WARNING: untranslated string: reiserfs warning2 = Ensure a fresh installation is made using either ext4 or xfs filesystems before that date.
WARNING: untranslated string: release = Release
diff --git a/doc/language_issues.tr b/doc/language_issues.tr
index eadbd33c7..d5f321dd8 100644
--- a/doc/language_issues.tr
+++ b/doc/language_issues.tr
@@ -1125,6 +1125,7 @@ WARNING: untranslated string: ptr = PTR
WARNING: untranslated string: reboot fsck = Reboot & run ‘fsck’
WARNING: untranslated string: rebooting ipfire fsck = Rebooting IPFire, forcing filesystem check
WARNING: untranslated string: received = Received
+WARNING: untranslated string: regenerate host certificate = Renew Host Certificate
WARNING: untranslated string: reiserfs warning1 = Reiserfs is deprecated and scheduled to be removed from the kernel in 2025.
WARNING: untranslated string: reiserfs warning2 = Ensure a fresh installation is made using either ext4 or xfs filesystems before that date.
WARNING: untranslated string: release = Release
diff --git a/doc/language_missings b/doc/language_missings
index 28ae29c2b..2b70ef9f9 100644
--- a/doc/language_missings
+++ b/doc/language_missings
@@ -73,6 +73,7 @@
< optional
< quick control
< random number generator daemon
+< regenerate host certificate
< reiserfs warning1
< reiserfs warning2
< required
@@ -117,6 +118,7 @@
< invalid ip or hostname
< openvpn cert expires soon
< openvpn cert has expired
+< regenerate host certificate
< reiserfs warning1
< reiserfs warning2
< service boot setting unavailable
@@ -138,6 +140,7 @@
< extrahd not mounted
< g.dtm
< g.lite
+< regenerate host certificate
< reiserfs warning1
< reiserfs warning2
< spec rstack overflow
@@ -523,6 +526,7 @@
< reboot fsck
< rebooting ipfire fsck
< received
+< regenerate host certificate
< reiserfs warning1
< reiserfs warning2
< release
@@ -1063,6 +1067,7 @@
< rdns
< rebooting ipfire fsck
< received
+< regenerate host certificate
< reiserfs warning1
< reiserfs warning2
< required
@@ -1943,6 +1948,7 @@
< rebooting ipfire fsck
< received
< red1
+< regenerate host certificate
< reiserfs warning1
< reiserfs warning2
< release
@@ -2934,6 +2940,7 @@
< rebooting ipfire fsck
< received
< red1
+< regenerate host certificate
< reiserfs warning1
< reiserfs warning2
< release
@@ -3405,6 +3412,7 @@
< reboot fsck
< rebooting ipfire fsck
< received
+< regenerate host certificate
< reiserfs warning1
< reiserfs warning2
< release
diff --git a/html/cgi-bin/vpnmain.cgi b/html/cgi-bin/vpnmain.cgi
index d82e6b5c9..9173a85d8 100644
--- a/html/cgi-bin/vpnmain.cgi
+++ b/html/cgi-bin/vpnmain.cgi
@@ -866,6 +866,12 @@ END
exit(0);
}
###
+### Regenerate the host certificate
+###
+} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'regenerate host certificate'}) {
+ $errormessage = ®enerate_host_certificate();
+
+###
### Form for generating/importing the caroot+host certificate
###
} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'generate root/host certificates'} ||
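Review bot: `®enerate_host_certificate()` in the added `elsif` branch is the archive rendering `&reg` as the ® entity; please check that the committed source reads `&regenerate_host_certificate()`. The branch dispatches on the translated label `$Lang::tr{'regenerate host certificate'}`, matching the existing `generate root/host certificates` pattern two lines below, so the hidden ACTION value in the form and the en.pl string must stay in sync.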
@@ -3612,7 +3618,12 @@ END
<input type='hidden' name='ACTION' value="$Lang::tr{'download host certificate'}" />
</form>
</td>
- <td width='4%' $col2> </td></tr>
+ <td width='4%' align='center' $col2>
+ <form method='post' action='$ENV{'SCRIPT_NAME'}'>
+ <input type='image' name='$Lang::tr{'regenerate host certificate'}' src='/images/reload.gif' alt='$Lang::tr{'regenerate host certificate'}' title='$Lang::tr{'regenerate host certificate'}' />
+ <input type='hidden' name='ACTION' value='$Lang::tr{'regenerate host certificate'}' />
+ </form>
+ </td></tr>
END
;
} else {
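Review bot: The new form submits the renewal on a single click of the reload icon with no confirmation, and the action revokes the current host certificate before the replacement is issued (see `regenerate_host_certificate` later in this patch), so a mis-click cannot be undone from the UI; a JavaScript confirm prompt on the form's submit would be appropriate for a destructive action.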
@@ -3782,3 +3793,44 @@ sub make_subnets($$) {
return join(",", @cidr_nets);
}
+
+sub regenerate_host_certificate() {
+ my $errormessage = "";
+
+ &General::log("ipsec", "Regenerating host certificate...");
+
+ # Create a CSR based on the existing certificate
+ my $opt = " x509 -x509toreq -copy_extensions copyall";
+ $opt .= " -signkey ${General::swroot}/certs/hostkey.pem";
+ $opt .= " -in ${General::swroot}/certs/hostcert.pem";
+ $opt .= " -out ${General::swroot}/certs/hostreq.pem";
+ $errormessage = &callssl($opt);
+
+ # Revoke the old certificate
+ if (!$errormessage) {
+ &General::log("ipsec", "Revoking the old host cert...");
+
+ my $opt = " ca -revoke ${General::swroot}/certs/hostcert.pem";
+ $errormessage = &callssl($opt);
+ }
+
+ # Sign the host certificate request
+ if (!$errormessage) {
+ &General::log("ipsec", "Self signing host cert...");
+
+ my $opt = " ca -md sha256 -days 825";
+ $opt .= " -batch -notext";
+ $opt .= " -in ${General::swroot}/certs/hostreq.pem";
+ $opt .= " -out ${General::swroot}/certs/hostcert.pem";
+ $errormessage = &callssl ($opt);
+
+ unlink ("${General::swroot}/certs/hostreq.pem"); #no more needed
+ }
+
+ # Reload the new certificate
+ if (!$errormessage) {
+ &General::system('/usr/local/bin/ipsecctrl', 'R');
+ }
+
+ return $errormessage;
+}
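Review bot: The revoke-then-sign order leaves no rollback: if the `ca -md sha256 -days 825` step fails, the old certificate has already been revoked in the CA database while `hostcert.pem` still holds it, and `ipsecctrl R` is skipped, so IPsec keeps running on a revoked certificate. If revoking first is deliberate so that `openssl ca` does not refuse a second certificate with the same subject (its default `unique_subject` behaviour), say so in the commit message; otherwise sign into a temporary file first, then revoke and rename. Two further points: `x509 -x509toreq -copy_extensions copyall` is an OpenSSL 3.0 option, so that dependency should be noted, and `-signkey hostkey.pem` together with the commit message's caveat means the existing key is reused across the renewal, so a later `req -newkey` path would make the rollover complete. The `-days 825` lifetime is also hard-coded here and should match wherever the host certificate is first issued.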
diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl
index 16a3061b4..5ac651e2f 100644
--- a/langs/en/cgi-bin/en.pl
+++ b/langs/en/cgi-bin/en.pl
@@ -2208,6 +2208,7 @@
'refresh' => 'Refresh',
'refresh index page while connected' => 'Refresh index.cgi page while connected',
'refresh update list' => 'Refresh update list',
+'regenerate host certificate' => 'Renew Host Certificate',
'registered user rules' => 'Talos VRT rules for registered users',
'reiserfs warning1' => 'Reiserfs is deprecated and scheduled to be removed from the kernel in 2025.',
'reiserfs warning2' => 'Ensure a fresh installation is made using either ext4 or xfs filesystems before that date.',
--
2.39.2