From patchwork Fri Feb 2 17:34:11 2018
X-Patchwork-Submitter: Erik Kapfer
X-Patchwork-Id: 1641
From: Erik Kapfer
To: development@lists.ipfire.org
Subject: [PATCH] CRL updater: Update script for OpenVPN CRL
Date: Fri, 2 Feb 2018 07:34:11 +0100
Message-Id: <1517553251-28156-1-git-send-email-erik.kapfer@ipfire.org>
X-Mailer: git-send-email 2.7.4
In-Reply-To: <1517330336-18550-1-git-send-email-erik.kapfer@ipfire.org>
References: <1517330336-18550-1-git-send-email-erik.kapfer@ipfire.org>
List-Id: IPFire development talk

An update script for OpenVPN's CRL has been integrated because OpenVPN has refactored the CRL handling since v2.4.0. The script checks the "Next Update" field of the CRL and executes an update two days before it expires. The script is placed under fcron.daily for daily checks. The OpenVPN changes can be found here: https://github.com/OpenVPN/openvpn/commit/160504a2955c4478cd2c0323452929e07016a336
Signed-off-by: Erik Kapfer --- config/ovpn/ovpn_crl_updater.sh | 53 +++++++++++++++++++++++++++++++++++++++++ lfs/openvpn | 4 ++++ 2 files changed, 57 insertions(+) create mode 100644 config/ovpn/ovpn_crl_updater.sh diff --git a/config/ovpn/ovpn_crl_updater.sh b/config/ovpn/ovpn_crl_updater.sh new file mode 100644 index 0000000..309edc2 --- /dev/null +++ b/config/ovpn/ovpn_crl_updater.sh 
@@ -0,0 +1,53 @@ +#!/bin/bash + +# +# Script Name: ovpn_crl_updater.sh +# Description: This script checks the "Next Update:" field of the CRL and renews it if needed, +# which prevents the expiration of OpenVPNs CRL. +# With OpenVPN 2.4.x the CRL handling has been refactored, +# whereby the verification logic has been removed from ssl_verify_.c . +# See for more infos: +# https://github.com/OpenVPN/openvpn/commit/160504a2955c4478cd2c0323452929e07016a336 +# +# Run Information: If OpenVPNs CRL is presant, +# this script provides a cronjob which checks daily if an update of the CRL is needed. +# If the expiring date reaches the value (defined in the 'UPDATE' variable in days) +# before the CRL expiration, an openssl command will be executed to renew the CRL. +# The renewing of the CRL will be logged into /var/log/messages. +# +# Author: Erik Kapfer +# +# Date: 17.01.2018 +# +############################################################################################### + +# Check if OpenVPN is active or if the CRL is presant +if [ ! -e "/var/ipfire/ovpn/crls/cacrl.pem" ]; then + exit 0; +fi + +## Paths +OVPN="/var/ipfire/ovpn"; +CRL="${OVPN}/crls/cacrl.pem"; +CAKEY="${OVPN}/ca/cakey.pem"; +CACERT="${OVPN}/ca/cacert.pem"; +OPENSSLCONF="${OVPN}/openssl/ovpn.cnf"; +## Values +# CRL check for the the 'Next Update:' in seconds +EXPIRINGDATEINSEC="$(( $(date -d "$(openssl crl -in "${CRL}" -text | grep -oP 'Next Update: *\K.*')" +%s) - $(date +%s) ))"; +# Day in seconds to calculate +DAYINSEC="86400"; +# Convert seconds to days +NEXTUPDATE="$((EXPIRINGDATEINSEC / DAYINSEC))"; +# Update of the CRL in days before CRL expiring date +UPDATE="2"; + +# Check if OpenVPNs CRL needs to be renewed +if [ "${NEXTUPDATE}" -le "${UPDATE}" ]; then + openssl ca -gencrl -keyfile "${CAKEY}" -cert "${CACERT}" -out "${CRL}" -config "${OPENSSLCONF}"; + logger -t openssl "OpenVPN CRL has been renewed"; +fi + +exit 0 + +# EOF diff --git a/lfs/openvpn b/lfs/openvpn index a925f78..1e1ddc2 100644 
--- a/lfs/openvpn +++ b/lfs/openvpn @@ -96,6 +96,10 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) mv -v /var/ipfire/ovpn/verify /usr/lib/openvpn/verify chown root:root /usr/lib/openvpn/verify chmod 755 /usr/lib/openvpn/verify + # Add crl updater + mv -v /var/ipfire/ovpn/ovpn_crl_updater.sh /etc/fcron.daily + chown root:root /etc/fcron.daily/ovpn_crl_updater.sh + chmod 750 /etc/fcron.daily/ovpn_crl_updater.sh @rm -rf $(DIR_APP) @$(POSTBUILD)
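Review bot: in the config/ovpn/ovpn_crl_updater.sh hunk, `logger -t openssl "OpenVPN CRL has been renewed"` runs unconditionally after `openssl ca -gencrl ...`, so a failed regeneration (unreadable cakey.pem, broken ovpn.cnf, openssl error) is logged as a success while the CRL keeps running towards expiry; wrap it as `if openssl ca -gencrl ... ; then logger -t openssl "OpenVPN CRL has been renewed"; else logger -t openssl -p user.err "OpenVPN CRL renewal failed"; fi`. The expiry parsing has the same blind spot: when `openssl crl -in "${CRL}" -text | grep -oP 'Next Update: *\K.*'` yields no match, `date -d ""` resolves to today's midnight instead of failing, NEXTUPDATE ends up at 0 or below, and the CRL is silently regenerated on every daily run; `openssl crl -noout -nextupdate -in "${CRL}"` prints the field directly, and the script should exit with a logged error if the value comes back empty. It would also be safer to generate into a temporary file in the same directory and move it over "${CRL}", so OpenVPN never reads a half-written CRL when it reloads the file. Minor points in the header comment: "presant" (twice), "the the", "ssl_verify_.c" and "more infos"; the trailing semicolons on `exit 0;` and on the variable assignments are not needed in bash.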
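Review bot: in the lfs/openvpn hunk, the diffstat lists only config/ovpn/ovpn_crl_updater.sh and lfs/openvpn, so /etc/fcron.daily/ovpn_crl_updater.sh gets installed by `mv -v` at build time but is not added to the openvpn rootfile; please check that the new path is listed there (as /usr/lib/openvpn/verify presumably is), otherwise the cron job will not be shipped in the image or in the update. Mode 750 root:root is the right choice, since the script reads ca/cakey.pem and runs `openssl ca` as root, and it follows the `chown`/`chmod` pattern of the surrounding verify lines; a one-line comment in the Makefile noting that the script is a no-op unless crls/cacrl.pem exists would help the next reader.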