| author | hagbard-01 <39653662+hagbard-01@users.noreply.github.com> | 2019-09-19 13:24:01 -0700 | 
|---|---|---|
| committer | GitHub <noreply@github.com> | 2019-09-19 13:24:01 -0700 | 
| commit | 4cc3cda1fac559578add593a14a2fa04bd7167a3 (patch) | |
| tree | 27700e2b306ea6cb0884f61e1c76b117c296d69a | |
| parent | 6e21be23be126af259f07bb23e4893470b5cb2fb (diff) | |
| parent | 61f59ee0e8a50fc15f0899fda828d9d0ea0b0ad6 (diff) | |
Merge pull request #131 from vindenesen/T1670
[OpenVPN] T1670: Added setting for tls-auth. Added check for if tls_cert and tls_key w…
| -rw-r--r-- | interface-definitions/interfaces-openvpn.xml | 5 | ||||
| -rwxr-xr-x | src/conf_mode/interface-openvpn.py | 27 | 
2 files changed, 27 insertions, 5 deletions
diff --git a/interface-definitions/interfaces-openvpn.xml b/interface-definitions/interfaces-openvpn.xml
index d282a8773..05970f2d9 100644
--- a/interface-definitions/interfaces-openvpn.xml
+++ b/interface-definitions/interfaces-openvpn.xml
@@ -518,6 +518,11 @@
               <help>Transport Layer Security (TLS) options</help>
             </properties>
             <children>
+              <leafNode name="auth-file">
+                <properties>
+                  <help>File containing tls static key for tls-auth</help>
+                </properties>
+              </leafNode>
               <leafNode name="ca-cert-file">
                 <properties>
                   <help>File containing certificate for Certificate Authority (CA)</help>
diff --git a/src/conf_mode/interface-openvpn.py b/src/conf_mode/interface-openvpn.py
index 34c094862..7b3e57d7d 100755
--- a/src/conf_mode/interface-openvpn.py
+++ b/src/conf_mode/interface-openvpn.py
@@ -171,6 +171,10 @@ crl-verify {{ tls_crl }}
 dh {{ tls_dh }}
 {% endif %}
+{%- if tls_auth %}
+tls-auth {{tls_auth}}
+{% endif %}
+
 {%- if 'active' in tls_role %}
 tls-client
 {%- elif 'passive' in tls_role %}
@@ -277,6 +281,7 @@ default_config_data = {
     'server_topology': '',
     'shared_secret_file': '',
     'tls': False,
+    'tls_auth': '',
     'tls_ca_cert': '',
     'tls_cert': '',
     'tls_crl': '',
@@ -532,6 +537,11 @@ def get_config():
     if conf.exists('server reject-unconfigured-clients'):
         openvpn['server_reject_unconfigured'] = True
+    # File containing TLS auth static key
+    if conf.exists('tls auth-file'):
+        openvpn['tls_auth'] = conf.return_value('tls auth-file')
+        openvpn['tls'] = True
+
     # File containing certificate for Certificate Authority (CA)
     if conf.exists('tls ca-cert-file'):
         openvpn['tls_ca_cert'] = conf.return_value('tls ca-cert-file')
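Review bot: The help text `File containing tls static key for tls-auth` in the new `auth-file` leafNode writes `tls` in lower case where the surrounding help strings use `TLS`; `File containing the TLS static key for tls-auth` reads consistently with the parent node's `Transport Layer Security (TLS) options`. The sibling `ca-cert-file` node visible in the hunk carries only a help property as well, so no constraint is missing relative to the existing nodes.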
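Review bot: The new template line `tls-auth {{tls_auth}}` in the hunk at 171 drops the spaces inside the braces that the neighbouring `{{ tls_crl }}` and `{{ tls_dh }}` use; for consistency write `tls-auth {{ tls_auth }}`. OpenVPN's `tls-auth` directive also accepts an optional key-direction argument after the file name; the template emits none, so the static key is used in bidirectional mode on both ends, which works as long as the peer is configured the same way but leaves the direction unconfigurable from this node. A one-line Jinja comment such as `{# no key-direction: the static key is used bidirectionally on both peers #}` would make that explicit to the next maintainer.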
@@ -714,11 +724,17 @@ def verify(openvpn):
         if not checkCertHeader('-----BEGIN CERTIFICATE-----', openvpn['tls_ca_cert']):
             raise ConfigError('Specified ca-cert-file "{}" is invalid'.format(openvpn['tls_ca_cert']))
-        if not checkCertHeader('-----BEGIN CERTIFICATE-----', openvpn['tls_cert']):
-            raise ConfigError('Specified cert-file "{}" is invalid'.format(openvpn['tls_cert']))
+        if openvpn['tls_auth']:
+            if not checkCertHeader('-----BEGIN OpenVPN Static key V1-----', openvpn['tls_auth']):
+                raise ConfigError('Specified auth-file "{}" is invalid'.format(openvpn['tls_auth']))
+        
+        if openvpn['tls_cert']:
+            if not checkCertHeader('-----BEGIN CERTIFICATE-----', openvpn['tls_cert']):
+                raise ConfigError('Specified cert-file "{}" is invalid'.format(openvpn['tls_cert']))
-        if not checkCertHeader('-----BEGIN (?:RSA )?PRIVATE KEY-----', openvpn['tls_key']):
-            raise ConfigError('Specified key-file "{}" is not valid'.format(openvpn['tls_key']))
+        if openvpn['tls_key']:
+            if not checkCertHeader('-----BEGIN (?:RSA )?PRIVATE KEY-----', openvpn['tls_key']):
+                raise ConfigError('Specified key-file "{}" is not valid'.format(openvpn['tls_key']))
         if openvpn['tls_crl']:
             if not checkCertHeader('-----BEGIN X509 CRL-----', openvpn['tls_crl']):
@@ -730,7 +746,8 @@ def verify(openvpn):
         if openvpn['tls_role']:
             if openvpn['mode'] in ['client', 'server']:
-                raise ConfigError('Cannot specify "tls role" in client-server mode')
+                if not openvpn['tls_auth']:
+                    raise ConfigError('Cannot specify "tls role" in client-server mode')
             if openvpn['tls_role'] == 'active':
                 if openvpn['protocol'] == 'tcp-passive':
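Review bot: Wrapping the cert-file and key-file header checks in `if openvpn['tls_cert']:` and `if openvpn['tls_key']:` removes the only check in this hunk that made those files mandatory: an unset file is the empty-string default added at 281, which previously failed `checkCertHeader` and raised, whereas now it passes verify silently, while the `tls_ca_cert` check two lines above stays unconditional. Unless a presence check exists earlier in verify() (the function starts outside the hunk), a TLS configuration with only auth-file and ca-cert-file now commits and OpenVPN rejects it at start-up; a server at least cannot run without a certificate and key, so keep an explicit requirement such as `if openvpn['mode'] == 'server' and not (openvpn['tls_cert'] and openvpn['tls_key']):` followed by `raise ConfigError('TLS in server mode requires cert-file and key-file')`. The commit message should also say which mode the optional cert/key is intended for so the relaxed check can be reviewed against it. The added line between the auth-file and cert-file checks is whitespace-only and should be an empty line.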
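Review bot: The relaxed condition in the hunk at 746 lets `tls role` through in client or server mode whenever an auth-file is set, but nothing explains why a static tls-auth key changes that rule, and the template hunk at 171 still renders `tls-client`/`tls-server` from tls_role, so a `server`-mode interface can presumably now also emit `tls-client`, which OpenVPN may reject as conflicting options. If the intent is that tls-auth should be usable with an explicit role, record it in a comment such as `# tls role is accepted in client/server mode only together with a static tls-auth key` and reject the combination that contradicts the mode (`mode == 'server'` with `tls_role == 'active'`, or `mode == 'client'` with `'passive'`) rather than dropping the check for every role. The enclosing verify() continues past the end of the hunk.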
