author | Stig Thormodsrud <stig@vyatta.com> | 2008-01-10 13:30:45 -0800 |
---|---|---|
committer | Stig Thormodsrud <stig@vyatta.com> | 2008-01-10 13:30:45 -0800 |
commit | 6f32c7aeea3834d58f903209ab3e3908a37e9dd5 (patch) | |
tree | 9751e83205e665b3e04c2cce12385ffd99b79b6c | |
parent | 4ddf2e3407577987dd2f0ce408e7a6949c22c417 (diff) | |
Fix "set vpn rsa-key local-file file".
-rwxr-xr-x | scripts/VyattaVPNUtil.pm | 2 | ||||
-rwxr-xr-x | scripts/vpn-config.pl | 96 |
2 files changed, 47 insertions, 51 deletions
diff --git a/scripts/VyattaVPNUtil.pm b/scripts/VyattaVPNUtil.pm
index b31c0e5..55c8ba4 100755
--- a/scripts/VyattaVPNUtil.pm
+++ b/scripts/VyattaVPNUtil.pm
@@ -47,7 +47,7 @@ sub rsa_get_local_key_file {
 #
 my $vc = new VyattaConfig();
 $vc->setLevel('vpn');
- my $key_file_override = $vc->returnValue('rsa-keys local-key file');
+ my $key_file_override = $vc->returnOrigValue('rsa-keys local-key file');
 #
 # We'll assume validation for valid path/file was handled in the
diff --git a/scripts/vpn-config.pl b/scripts/vpn-config.pl
index fb8aa29..1216923 100755
--- a/scripts/vpn-config.pl
+++ b/scripts/vpn-config.pl
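Review bot: rsa_get_local_key_file now reads the committed value through returnOrigValue, so during a commit it reports the key file currently in use rather than the one being set, and the comment right below ("We'll assume validation for valid path/file was handled in the ...") says nothing about that distinction even though the new copy logic in vpn-config.pl depends on it. Suggest stating it in the sub's header comment: `# Returns the local key file path from the running (original) config, not the pending one; callers wanting the proposed value must read returnValue themselves.` The sub starts before this hunk and its body continues past it.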
@@ -152,57 +152,54 @@ if ($vcVPN->exists('ipsec')) {
 }
 }
- {
+ #
+ # Check the local key file
+ # Note: $local_key_file will be used later when reading the keys
+ #
+ my $running_local_key_file = VyattaVPNUtil::rsa_get_local_key_file();
+ my $local_key_file = $vcVPN->returnValue('rsa-keys local-key file');
+ if (!defined($local_key_file)) {
+ $local_key_file = VyattaVPNUtil::LOCAL_KEY_FILE_DEFAULT;
+ }
+ if ($local_key_file ne $running_local_key_file) {
+
+ # Sanity check the usr specified local_key_file
 #
- # Check the local key file
+ # 1). Must start with "/"
+ # 2). Only allow alpha-numeric, ".", "-", "_", or "/".
+ # 3). Don't allow "//"
+ # 4). Verify that it's not a directory
 #
- my $local_key_file = $vcVPN->returnValue('rsa-keys local-key file');
- if (defined($local_key_file) && $local_key_file ne '') {
-
- # Sanity check the usr specified local_key_file
- #
- # 1). Must start with "/"
- # 2). Only allow alpha-numeric, ".", "-", "_", or "/".
- # 3). Don't allow "//"
- # 4). Verify that it's not a directory
- #
- if ($local_key_file !~ /^\//) {
- $error = 1;
- print STDERR "VPN configuration error. Invalid local RSA key file path \"$local_key_file\". Does not start with a '/'.\n";
- }
- if ($local_key_file =~ /[^a-zA-Z0-9\.\-\_\/]/g) {
- $error = 1;
- print STDERR "VPN configuration error. Invalid local RSA key file path \"$local_key_file\". Contains a character that is not alpha-numeric and not '.', '-', '_', '/'.\n";
- }
- if ($local_key_file =~ /\/\//g) {
- $error = 1;
- print STDERR "VPN configuration error. Invalid local RSA key file path \"$local_key_file\". Contains string \"//\".\n";
- }
- if (-d $local_key_file) {
- $error = 1;
- print STDERR "VPN configuration error. Invalid local RSA key file path \"$local_key_file\". Path is a directory rather than a file.\n";
- }
-
- if ($error == 0) {
- my $prev_local_key_file = $vcVPN->returnOrigValue('rsa-keys local-key file');
- if (!defined($prev_local_key_file) || $prev_local_key_file eq '') {
- $prev_local_key_file = VyattaVPNUtil::LOCAL_KEY_FILE_DEFAULT;
- }
- if ($local_key_file ne $prev_local_key_file) {
- if (-r $prev_local_key_file && !(-e $local_key_file)) {
- VyattaVPNUtil::vpn_debug "cp $prev_local_key_file $local_key_file";
- my ($dirpath) = ($local_key_file =~ m#^(.*/)?.*#s);
- my $rc = system("mkdir -p $dirpath");
- if ($rc != 0) {
- $error = 1;
- print STDERR "VPN configuration error. Could not copy previous local RSA key file \"$prev_local_key_file\" to new local RSA key file \"$local_key_file\". Could not mkdir [$dirpath] $!\n";
- } else {
- $rc = system("cp $prev_local_key_file $local_key_file");
- if ($rc != 0) {
- $error = 1;
- print STDERR "VPN configuration error. Could not copy previous local RSA key file \"$prev_local_key_file\" to new local RSA key file \"$local_key_file\". $!\n";
- }
- }
+ if ($local_key_file !~ /^\//) {
+ $error = 1;
+ print STDERR "VPN configuration error. Invalid local RSA key file path \"$local_key_file\". Does not start with a '/'.\n";
+ }
+ if ($local_key_file =~ /[^a-zA-Z0-9\.\-\_\/]/g) {
+ $error = 1;
+ print STDERR "VPN configuration error. Invalid local RSA key file path \"$local_key_file\". Contains a character that is not alpha-numeric and not '.', '-', '_', '/'.\n";
+ }
+ if ($local_key_file =~ /\/\//g) {
+ $error = 1;
+ print STDERR "VPN configuration error. Invalid local RSA key file path \"$local_key_file\". Contains string \"//\".\n";
+ }
+ if (-d $local_key_file) {
+ $error = 1;
+ print STDERR "VPN configuration error. Invalid local RSA key file path \"$local_key_file\". Path is a directory rather than a file.\n";
+ }
+
+ if ($error == 0) {
+ if (-r $running_local_key_file && !(-e $local_key_file)) {
+ VyattaVPNUtil::vpn_debug "cp $running_local_key_file $local_key_file";
+ my ($dirpath) = ($local_key_file =~ m#^(.*/)?.*#s);
+ my $rc = system("mkdir -p $dirpath");
+ if ($rc != 0) {
+ $error = 1;
+ print STDERR "VPN configuration error. Could not copy previous local RSA key file \"$running_local_key_file\" to new local RSA key file \"$local_key_file\". Could not mkdir [$dirpath] $!\n";
+ } else {
+ $rc = system("cp $running_local_key_file $local_key_file");
+ if ($rc != 0) {
+ $error = 1;
+ print STDERR "VPN configuration error. Could not copy previous local RSA key file \"$running_local_key_file\" to new local RSA key file \"$local_key_file\". $!\n";
 }
 }
 }
@@ -664,7 +661,6 @@ if ($vcVPN->exists('ipsec')) {
 $genout .= "\tauthby=secret\n";
 } elsif (defined($auth_mode) && $auth_mode eq 'rsa') {
- my $local_key_file = VyattaVPNUtil::rsa_get_local_key_file();
 unless (-r $local_key_file) {
 $error = 1;
 if (-e $local_key_file) { |
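Review bot: The copy step in the rewritten block still shells out with interpolated paths (`system("mkdir -p $dirpath")` and `system("cp $running_local_key_file $local_key_file")`); the `$error == 0` guard means the user-supplied side has passed the `[a-zA-Z0-9._/-]` whitelist, but `$running_local_key_file` comes back from rsa_get_local_key_file() and is not re-checked here, so the list form, `system('mkdir', '-p', $dirpath)` and `system('cp', '--', $running_local_key_file, $local_key_file)`, which involves no shell, is the safer shape. The two validation matches keep `/g` in scalar context (`=~ /[^a-zA-Z0-9\.\-\_\/]/g` and `=~ /\/\//g`), which makes the second search resume from the pos() left by the first, so a path that fails both checks can report only the first; dropping `/g` fixes that. After a non-zero return from system(), `$!` in the two error messages does not reflect the child's failure — `$?` carries that status. A plain `cp` also gives the new key file umask-derived permissions rather than those of the running key file, so `cp -p` (or an explicit chmod) would be worth considering for a private key. The enclosing `if ($vcVPN->exists('ipsec'))` block starts before the hunk and continues past it.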