From cc2b41bf153c8f3a1fa5687834dfdb713078096b Mon Sep 17 00:00:00 2001
From: Ad Schellevis
Date: Fri, 22 Feb 2019 15:29:48 +0100
Subject: [PATCH] OpenVPN export, add auth-nocache option, closes https://github.com/opnsense/core/issues/3193
---
 .../OPNsense/OpenVPN/forms/export_options.xml | 10 ++++++++++
 .../app/library/OPNsense/OpenVPN/ArchiveOpenVPN.php | 2 +-
 .../mvc/app/library/OPNsense/OpenVPN/PlainOpenVPN.php | 5 ++++-
 .../mvc/app/library/OPNsense/OpenVPN/ViscosityVisz.php | 2 +-
 .../mvc/app/models/OPNsense/OpenVPN/Export.xml | 4 ++++
 5 files changed, 20 insertions(+), 3 deletions(-)
diff --git a/src/opnsense/mvc/app/controllers/OPNsense/OpenVPN/forms/export_options.xml b/src/opnsense/mvc/app/controllers/OPNsense/OpenVPN/forms/export_options.xml
index a4b95fb00..9be23ed2f 100644
--- a/src/opnsense/mvc/app/controllers/OPNsense/OpenVPN/forms/export_options.xml
+++ b/src/opnsense/mvc/app/controllers/OPNsense/OpenVPN/forms/export_options.xml
@@ -45,6 +45,16 @@ checkbox Verify the server certificate name when the client connects + + openvpn_export.auth_nocache + + checkbox + + + Sets auth-nocache in the exported configuration when password authentication is used. + This prevents OpenVPN from caching passwords in memory. + + openvpn_export.plain_config
diff --git a/src/opnsense/mvc/app/library/OPNsense/OpenVPN/ArchiveOpenVPN.php b/src/opnsense/mvc/app/library/OPNsense/OpenVPN/ArchiveOpenVPN.php
index 059167b36..c0afb2cfe 100644
--- a/src/opnsense/mvc/app/library/OPNsense/OpenVPN/ArchiveOpenVPN.php
+++ b/src/opnsense/mvc/app/library/OPNsense/OpenVPN/ArchiveOpenVPN.php
@@ -48,7 +48,7 @@ class ArchiveOpenVPN extends PlainOpenVPN
 */
 public function supportedOptions()
 {
- return array("plain_config", "p12_password", "random_local_port");
+ return array("plain_config", "p12_password", "random_local_port", "auth_nocache");
 }
 
 /**
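Review bot: The help text added to export_options.xml (@@ -45,6 +45,16 @@) explains only the benefit of the option and leaves out its operational cost. With `auth-nocache` the client forgets the username and password right after use, so OpenVPN may prompt again during a session, typically at renegotiation, unless the server hands out an auth token. I would add a sentence such as `Clients may be asked for their credentials again when the tunnel renegotiates.` so an administrator can make an informed choice. The field's markup is not visible in this view, so the exact placement inside the help element is left to the author.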
diff --git a/src/opnsense/mvc/app/library/OPNsense/OpenVPN/PlainOpenVPN.php b/src/opnsense/mvc/app/library/OPNsense/OpenVPN/PlainOpenVPN.php
index 4bb3fa999..501ef74bf 100644
--- a/src/opnsense/mvc/app/library/OPNsense/OpenVPN/PlainOpenVPN.php
+++ b/src/opnsense/mvc/app/library/OPNsense/OpenVPN/PlainOpenVPN.php
@@ -48,7 +48,7 @@ class PlainOpenVPN extends BaseExporter implements IExportProvider
 */
 public function supportedOptions()
 {
- return array("plain_config", "random_local_port");
+ return array("plain_config", "random_local_port", "auth_nocache");
 }
 
 /**
@@ -132,6 +132,9 @@ class PlainOpenVPN extends BaseExporter implements IExportProvider
 }
 if (in_array($this->config['mode'], array('server_user', 'server_tls_user'))) {
 $conf[] = "auth-user-pass";
+ if (!empty($this->config['auth_nocache'])) {
+ $conf[] = "auth-nocache";
+ }
 }
 
 if (!empty($this->config['compression'])) {
diff --git a/src/opnsense/mvc/app/library/OPNsense/OpenVPN/ViscosityVisz.php b/src/opnsense/mvc/app/library/OPNsense/OpenVPN/ViscosityVisz.php
index 62517862a..e2ac61ce1 100644
--- a/src/opnsense/mvc/app/library/OPNsense/OpenVPN/ViscosityVisz.php
+++ b/src/opnsense/mvc/app/library/OPNsense/OpenVPN/ViscosityVisz.php
@@ -48,7 +48,7 @@ class ViscosityVisz extends PlainOpenVPN
 */
 public function supportedOptions()
 {
- return array("plain_config", "p12_password", "random_local_port");
+ return array("plain_config", "p12_password", "random_local_port", "auth_nocache");
 }
 
 /**
diff --git a/src/opnsense/mvc/app/models/OPNsense/OpenVPN/Export.xml b/src/opnsense/mvc/app/models/OPNsense/OpenVPN/Export.xml
index aea27dba7..95a19e6e8 100644
--- a/src/opnsense/mvc/app/models/OPNsense/OpenVPN/Export.xml
+++ b/src/opnsense/mvc/app/models/OPNsense/OpenVPN/Export.xml
@@ -27,6 +27,10 @@ 1 Y + + 0 + N +
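Review bot: The new branch in PlainOpenVPN.php (@@ -132,6 +132,9 @@) is the only place in this patch that writes the directive, while ArchiveOpenVPN and ViscosityVisz now also list `auth_nocache` in `supportedOptions()`. Whether those two exporters reuse this code path is not visible here; if ViscosityVisz builds its configuration separately, the checkbox would be offered there without effect, so each export type deserves a test that the directive really appears. A short why-comment above the inner `if` would also help, for example `// forget credentials after use; the client may re-prompt on renegotiation`. The enclosing method starts and ends outside the hunk.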
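Review bot: The new model field in Export.xml (@@ -27,6 +27,10 @@) appears to default to `0` and to be optional, so the hardening is opt-in and profiles exported after the upgrade still omit `auth-nocache` unless the box is ticked. That is a defensible choice for compatibility, since enabling it changes prompting behaviour for users, but it should be a recorded decision; a comment next to the field such as `<!-- off by default: enabling makes clients re-prompt for credentials on renegotiation -->` would do. The element names are stripped in this view, so the field is identified from the hunk position and the commit subject only.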