diff -Nur -x '*.orig' -x '*.rej' smeserver-openvpn-s2s-0.1/root/etc/e-smith/templates/etc/openvpn/s2s/openvpn-s2s.conf/30key mezzanine_patched_smeserver-openvpn-s2s-0.1/root/etc/e-smith/templates/etc/openvpn/s2s/openvpn-s2s.conf/30key |
2 |
--- smeserver-openvpn-s2s-0.1/root/etc/e-smith/templates/etc/openvpn/s2s/openvpn-s2s.conf/30key 2010-10-15 19:37:57.000000000 +0200 |
3 |
+++ mezzanine_patched_smeserver-openvpn-s2s-0.1/root/etc/e-smith/templates/etc/openvpn/s2s/openvpn-s2s.conf/30key 2010-10-17 15:46:44.000000000 +0200 |
4 |
@@ -1,6 +1,32 @@ |
5 |
-# Secret Key config |
6 |
+# Authentication |
7 |
{ |
8 |
|
9 |
-$OUT .= "secret priv/$key"."_key.pem\n"; |
10 |
+my $auth = $db->get_prop($key,'Authentication') || 'TLS'; |
11 |
|
12 |
+if ($auth eq 'SharedKey'){ |
13 |
+ $OUT .= "secret priv/$key"."_sharedkey.pem\n"; |
14 |
} |
15 |
+elsif ($auth eq 'TLS'){ |
16 |
+ if ($type eq 'server'){ |
17 |
+ $OUT .= "tls-server\n"; |
18 |
+ $OUT .= "ca pub/$key" . "_cacert.pem\n"; |
19 |
+ $OUT .= "cert pub/$key" . "_cert.pem\n"; |
20 |
+ $OUT .= "key priv/$key" . "_key.pem\n"; |
21 |
+ $OUT .= "dh pub/$key" . "_dh.pem\n"; |
22 |
+ $OUT .= "tls-auth priv/$key" . "_sharedkey.pem 0\n" |
23 |
+ if ( -e "/etc/openvpn/s2s/priv/$key".'_sharedkey.pem' ) && |
24 |
+ ( ! -z "/etc/openvpn/s2s/priv/$key".'_sharedkey.pem' ); |
25 |
+ } |
26 |
+ else{ |
27 |
+ $OUT .= "tls-client\n"; |
28 |
+ $OUT .= "ca pub/$key" . "_cacert.pem\n"; |
29 |
+ $OUT .= "cert pub/$key" . "_cert.pem\n"; |
30 |
+ $OUT .= "key priv/$key" . "_key.pem\n"; |
31 |
+ $OUT .= "tls-auth priv/$key" . "_sharedkey.pem 1\n" |
32 |
+ if ( -e "/etc/openvpn/s2s/priv/$key".'_sharedkey.pem' ) && |
33 |
+ ( ! -z "/etc/openvpn/s2s/priv/$key".'_sharedkey.pem' ); |
34 |
+ } |
35 |
+} |
36 |
+ |
37 |
+} |
38 |
+ |
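Review bot: An Authentication value other than 'SharedKey' or 'TLS' falls through both branches and emits no `secret`, `tls-server`/`tls-client`, `ca`, `cert` or `key` line at all, so a mistyped or stale db value yields a config with no authentication directive instead of a visible error; a final branch such as `else { die "openvpn-s2s: unsupported Authentication '$auth' for $key\n"; }` makes the failure explicit at expansion time (whether the template processor aborts or only logs on die should be confirmed). The tls-auth key path is spelled out four times; hoisting `my $ta = "/etc/openvpn/s2s/priv/${key}_sharedkey.pem";` and testing `if -s $ta` expresses "exists and is non-empty" with one file test instead of `-e` combined with `! -z`. `$type` is not declared in this fragment and is presumably set by a sibling fragment expanded in the same scope.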
39 |
diff -Nur -x '*.orig' -x '*.rej' smeserver-openvpn-s2s-0.1/root/etc/e-smith/web/functions/openvpns2s mezzanine_patched_smeserver-openvpn-s2s-0.1/root/etc/e-smith/web/functions/openvpns2s |
40 |
--- smeserver-openvpn-s2s-0.1/root/etc/e-smith/web/functions/openvpns2s 2010-10-16 17:56:47.000000000 +0200 |
41 |
+++ mezzanine_patched_smeserver-openvpn-s2s-0.1/root/etc/e-smith/web/functions/openvpns2s 2010-10-17 15:36:34.000000000 +0200 |
42 |
@@ -74,7 +74,7 @@ |
43 |
#---------------------------------------------------------------- |
44 |
# CLIENT CONFIGURATION PAGE |
45 |
#---------------------------------------------------------------- |
46 |
- <page name="CREATE_OR_MODIFY_CLIENT_CONF_PAGE" pre-event="turn_off_buttons()" post-event="apply_conf('client')"> |
47 |
+ <page name="CREATE_OR_MODIFY_CLIENT_CONF_PAGE" pre-event="turn_off_buttons()" post-event="write_db_conf('client')"> |
48 |
|
49 |
<field type="literal" id="add_client_desc" value=""> |
50 |
<description>DESC_ADD_CLIENT_PAGE</description> |
51 |
@@ -94,6 +94,11 @@ |
52 |
<label>LABEL_STATUS</label> |
53 |
</field> |
54 |
|
55 |
+ <field type="select" id="auth" options="'TLS' => 'TLS', 'SharedKey' => 'SECRET_KEY'"> |
56 |
+ <description>DESC_AUTH</description> |
57 |
+ <label>LABEL_AUTH</label> |
58 |
+ </field> |
59 |
+ |
60 |
<field type="text" id="remote_host" validation="is_hostname_or_ip()"> |
61 |
<description>DESC_REMOTE_HOST</description> |
62 |
<label>LABEL_REMOTE_HOST</label> |
63 |
@@ -119,19 +124,14 @@ |
64 |
<label>LABEL_REMOTE_NET</label> |
65 |
</field> |
66 |
|
67 |
- <field type="textarea" id="shared_key" validation="is_valid_key()"> |
68 |
- <description>DESC_SHARED_KEY</description> |
69 |
- <label>LABEL_SHARED_KEY</label> |
70 |
- </field> |
71 |
- |
72 |
- <subroutine src="print_button('SAVE')"/> |
73 |
+ <subroutine src="print_button('NEXT')"/> |
74 |
|
75 |
</page> |
76 |
|
77 |
#---------------------------------------------------------------- |
78 |
# SERVER CONFIGURATION PAGE |
79 |
#---------------------------------------------------------------- |
80 |
- <page name="CREATE_OR_MODIFY_SERVER_CONF_PAGE" pre-event="turn_off_buttons()" post-event="apply_conf('server')"> |
81 |
+ <page name="CREATE_OR_MODIFY_SERVER_CONF_PAGE" pre-event="turn_off_buttons()" post-event="write_db_conf('server')"> |
82 |
|
83 |
<field type="literal" id="add_server" value=""> |
84 |
<description>DESC_ADD_SERVER_PAGE</description> |
85 |
@@ -151,6 +151,11 @@ |
86 |
<label>LABEL_STATUS</label> |
87 |
</field> |
88 |
|
89 |
+ <field type="select" id="auth" options="'TLS' => 'TLS', 'SharedKey' => 'SECRET_KEY'"> |
90 |
+ <description>DESC_AUTH</description> |
91 |
+ <label>LABEL_AUTH</label> |
92 |
+ </field> |
93 |
+ |
94 |
<field type="text" id="port" validation="is_valid_and_available_port()"> |
95 |
<description>DESC_LOCAL_PORT</description> |
96 |
<label>LABEL_LOCAL_PORT</label> |
97 |
@@ -171,13 +176,16 @@ |
98 |
<label>LABEL_REMOTE_NET</label> |
99 |
</field> |
100 |
|
101 |
- <field type="textarea" id="shared_key" validation="is_valid_key()"> |
102 |
- <description>DESC_SHARED_KEY</description> |
103 |
- <label>LABEL_SHARED_KEY</label> |
104 |
- </field> |
105 |
+ <subroutine src="print_button('NEXT')"/> |
106 |
|
107 |
- <subroutine src="print_button('SAVE')"/> |
108 |
+ </page> |
109 |
|
110 |
+ <page name="CONFIG_CERT_PAGE" pre-event="print_status_message()" post-event="write_pem()"> |
111 |
+ <field type="literal" id="cert_conf" value=""> |
112 |
+ <description>DESC_CONFIGURE_CERT</description> |
113 |
+ </field> |
114 |
+ <subroutine src="print_cert_fields()"/> |
115 |
+ <subroutine src="print_button('SAVE')"/> |
116 |
</page> |
117 |
|
118 |
<page name="REMOVE_CONF_PAGE" pre-event="turn_off_buttons()" post-event="remove_conf()"> |
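Review bot: CONFIG_CERT_PAGE is the only page whose pre-event is `print_status_message()` rather than `turn_off_buttons()`, so if the intent was to keep the navigation buttons hidden as on the client and server pages, that call is missing here; confirm whether FormMagick accepts more than one pre-event before chaining them. The PEM textareas and `crl_url` on this page are emitted by `print_cert_fields()` instead of being declared as `<field>` elements, so no XML-level `validation=` hook can apply to them and every check has to live in `write_pem()`; a one-line comment above `<subroutine src="print_cert_fields()"/>` saying so would stop a later reader from adding a `validation` attribute that is never invoked.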
119 |
diff -Nur -x '*.orig' -x '*.rej' smeserver-openvpn-s2s-0.1/root/usr/lib/perl5/site_perl/esmith/FormMagick/Panel/openvpns2s.pm mezzanine_patched_smeserver-openvpn-s2s-0.1/root/usr/lib/perl5/site_perl/esmith/FormMagick/Panel/openvpns2s.pm |
120 |
--- smeserver-openvpn-s2s-0.1/root/usr/lib/perl5/site_perl/esmith/FormMagick/Panel/openvpns2s.pm 2010-10-17 15:47:04.000000000 +0200 |
121 |
+++ mezzanine_patched_smeserver-openvpn-s2s-0.1/root/usr/lib/perl5/site_perl/esmith/FormMagick/Panel/openvpns2s.pm 2010-10-17 15:46:55.000000000 +0200 |
122 |
@@ -19,13 +19,13 @@ |
123 |
our @EXPORT = qw( |
124 |
print_custom_button |
125 |
print_section_bar |
126 |
- apply_conf |
127 |
+ write_db_conf |
128 |
update_ports |
129 |
print_conf_table |
130 |
print_conf_name_field |
131 |
remove_conf |
132 |
print_conf_to_remove |
133 |
- read_key |
134 |
+ read_file |
135 |
); |
136 |
|
137 |
our $pubdir = '/etc/openvpn/s2s/pub'; |
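Review bot: `write_pem` and `print_cert_fields` are new callbacks in this patch (post-event and `<subroutine src=...>` respectively) but are not added to `@EXPORT`, whereas the renamed post-event `write_db_conf` is; if FormMagick resolves `write_pem()` in the panel script's package the same way it resolves `write_db_conf()`, the new certificate page fails at runtime with an undefined subroutine. Adding `write_pem` and `print_cert_fields` to the list keeps it consistent with how the existing callbacks are exposed. `is_url_or_empty` is invoked as a method on `$fm`, like the unexported `is_valid_net_or_empty`, so it likely needs no entry.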
138 |
@@ -62,7 +62,7 @@ |
139 |
return undef; |
140 |
} |
141 |
|
142 |
-sub apply_conf{ |
143 |
+sub write_db_conf{ |
144 |
my ($fm,$type) = @_; |
145 |
my $q = $fm->{cgi}; |
146 |
my $conf = $q->param('conf_name'); |
147 |
@@ -84,6 +84,7 @@ |
148 |
} |
149 |
|
150 |
$ovpn_db->set_prop($conf, 'status', $q->param("status")); |
151 |
+ $ovpn_db->set_prop($conf, 'Authentication', $q->param("auth")); |
152 |
$ovpn_db->set_prop($conf, 'LocalIP', $q->param("local_ip")); |
153 |
$ovpn_db->set_prop($conf, 'RemoteIP', $q->param("remote_ip")); |
154 |
$ovpn_db->set_prop($conf, 'Port', $q->param("port")); |
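Review bot: The `auth` value is stored straight from the request with no check, and anything other than 'TLS' or 'SharedKey' is then accepted into the db, where it later falls through every `$auth eq` comparison in the template and in write_pem; a select on the form does not constrain what a client actually posts. Store only a known value, e.g. `my $auth = $q->param('auth') || 'TLS';` followed by `return $fm->error('INVALID_AUTH', 'FIRST_PAGE') unless $auth =~ /\A(?:TLS|SharedKey)\z/;` and then `$ovpn_db->set_prop($conf, 'Authentication', $auth);` — `INVALID_AUTH` being a new message key to add to the panel's locale file, not one that exists yet. write_db_conf's body starts and ends outside this hunk.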
155 |
@@ -91,33 +92,96 @@ |
156 |
$ovpn_db->set_prop($conf, 'Comment', $q->param("comment")); |
157 |
$ovpn_db->set_prop($conf, 'RemoteNetworks', $q->param("remote_net")); |
158 |
|
159 |
+ # Now, update the main configuration entry |
160 |
+ update_ports(); |
161 |
+ |
162 |
+ $fm->success('SUCCESS','CONFIG_CERT_PAGE'); |
163 |
+ return undef; |
164 |
+} |
165 |
+ |
166 |
+sub write_pem{ |
167 |
+ my ($fm,$type) = @_; |
168 |
+ my $q = $fm->{cgi}; |
169 |
+ my $conf = $q->param('conf_name'); |
170 |
+ my $type = $ovpn_db->get_prop($conf, 'type') || 'server'; |
171 |
+ my $auth = $ovpn_db->get_prop($conf, 'Authentication') || 'TLS'; |
172 |
+ |
173 |
+ # Run validation routines |
174 |
+ my $msg = $fm->is_url_or_empty( $q->param("crl_url")); |
175 |
+ unless ($msg eq "OK"){ |
176 |
+ return $fm->error($msg,'CONFIG_CERT_PAGE'); |
177 |
+ } |
178 |
+ |
179 |
+ my @pems = (); |
180 |
+ |
181 |
+ if ($auth eq 'TLS'){ |
182 |
+ push @pems, qw/cacert_pem cert_pem key_pem/; |
183 |
+ push @pems, 'dh_pem' if $type eq 'server'; |
184 |
+ } |
185 |
+ else{ |
186 |
+ push @pems, 'shared_key' if $auth eq 'SharedKey'; |
187 |
+ } |
188 |
+ |
189 |
+ foreach my $pem (@pems){ |
190 |
+ $msg = $fm->is_valid_key( $q->param("$pem") ); |
191 |
+ unless ($msg eq "OK"){ |
192 |
+ return $fm->error($msg,'CONFIG_CERT_PAGE'); |
193 |
+ } |
194 |
+ } |
195 |
+ |
196 |
# Untaint $conf |
197 |
$conf =~ m/(.*)/; |
198 |
$conf = $1; |
199 |
|
200 |
- # Write the shared_key |
201 |
- if (! open (KEY, ">$privdir/$conf".'_key.pem')){ |
202 |
- $fm->error('ERROR_OPENING_KEY_FILE','FIRST_PAGE'); |
203 |
+ if (! open (CA, ">$pubdir/$conf". "_cacert.pem")){ |
204 |
+ $fm->error('ERROR_OPEN_CA','FIRST_PAGE'); |
205 |
+ return; |
206 |
+ } |
207 |
+ print CA $q->param('cacert_pem'); |
208 |
+ close CA; |
209 |
+ |
210 |
+ if (! open (CRT, ">$pubdir/$conf" . "_cert.pem")){ |
211 |
+ $fm->error('ERROR_OPEN_CRT','FIRST_PAGE'); |
212 |
return; |
213 |
} |
214 |
- print KEY $q->param('shared_key'); |
215 |
+ print CRT $q->param('cert_pem'); |
216 |
+ close CRT; |
217 |
+ |
218 |
+ if (! open (KEY, ">$privdir/$conf" . "_key.pem")){ |
219 |
+ $fm->error('ERROR_OPEN_KEY','FIRST_PAGE'); |
220 |
+ return; |
221 |
+ } |
222 |
+ print KEY $q->param('key_pem'); |
223 |
close KEY; |
224 |
|
225 |
- esmith::util::chownFile("root", "root", "$privdir/$conf".'_key.pem'); |
226 |
- chmod 0600, "$privdir/$conf".'_key.pem'; |
227 |
+ if (! open (DH, ">$pubdir/$conf" . "_dh.pem")){ |
228 |
+ $fm->error('ERROR_OPEN_DH','FIRST_PAGE'); |
229 |
+ return; |
230 |
+ } |
231 |
+ print DH $q->param('dh_pem'); |
232 |
+ close DH; |
233 |
|
234 |
- # Now, update the main configuration entry |
235 |
- update_ports(); |
236 |
+ if (! open (TA, ">$privdir/$conf" . "_sharedkey.pem")){ |
237 |
+ $fm->error('ERROR_OPEN_TA','FIRST_PAGE'); |
238 |
+ return; |
239 |
+ } |
240 |
+ print TA $q->param('shared_key'); |
241 |
+ close TA; |
242 |
|
243 |
- # Now, run the signal-event |
244 |
- unless (system ("/sbin/e-smith/signal-event", "openvpn-s2s-update") == 0 ){ |
245 |
- $fm->error('ERROR_OCCURED','FIRST_PAGE'); |
246 |
- return undef; |
247 |
+ esmith::util::chownFile("root", "root", "$privdir/$conf*"); |
248 |
+ esmith::util::chownFile("root", "root", "$pubdir/$conf*"); |
249 |
+ chmod 0600, "$privdir/$conf*"; |
250 |
+ chmod 0644, "$pubdir/$conf*"; |
251 |
+ |
252 |
+ $ovpn_db->set_prop($conf, 'CrlUrl', $q->param("crl_url")); |
253 |
+ |
254 |
+ unless ( system ("/sbin/e-smith/signal-event", "openvpn-s2s-update") == 0 ){ |
255 |
+ return $fm->error("ERROR_OCCURED", 'FIRST_PAGE'); |
256 |
} |
257 |
- |
258 |
|
259 |
- $fm->success('SUCCESS','CONFIG_CERT_PAGE'); |
260 |
+ $fm->success('SUCCESS','FIRST_PAGE'); |
261 |
return undef; |
262 |
+ |
263 |
} |
264 |
|
265 |
# Update ports used in the configuration DB |
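Review bot: The permission fix-up at the end of write_pem does nothing: Perl's `chmod` takes file names, not shell patterns, so `chmod 0600, "$privdir/$conf*"` targets a file literally named `<conf>*`, and the freshly written `_key.pem` and `_sharedkey.pem` keep their umask-derived mode and the web server's ownership (the same applies to the `chownFile` calls unless that helper globs internally); the previous version chmod'ed the single path `"$privdir/$conf".'_key.pem'` and was correct. In addition all five files are written regardless of `$auth` and `$type`, so a SharedKey configuration overwrites any existing TLS material with empty files built from absent parameters, and `my ($fm,$type) = @_;` followed by `my $type = ...` redeclares the lexical. The rewrite below writes only the files the validated `@pems` list names (plus the optional tls-auth key in TLS mode), creates private files with mode 0600 through `sysopen` so they never exist world-readable, and chmods/chowns each concrete path; it needs `use Fcntl qw(O_WRONLY O_CREAT O_TRUNC);` at the top of the module. The `m/(.*)/` untaint of `$conf` is pre-existing but is now relied on for five more paths; restricting it to the characters a configuration name may contain would close off `../` in `conf_name` (the allowed name syntax is not visible here).
```perl
    my ($fm) = @_;
    # … unchanged: $q, $conf, $type/$auth lookup, crl_url validation, @pems, untaint of $conf …

    # Only the files this configuration uses are (re)written; in TLS mode the
    # tls-auth key is optional but its file is still refreshed so the template's
    # non-empty test sees the current value.  SharedKey mode leaves TLS material alone.
    my @to_write = @pems;
    push @to_write, 'shared_key' if $auth eq 'TLS';

    my %path_of = (
        cacert_pem => "$pubdir/${conf}_cacert.pem",
        cert_pem   => "$pubdir/${conf}_cert.pem",
        dh_pem     => "$pubdir/${conf}_dh.pem",
        key_pem    => "$privdir/${conf}_key.pem",
        shared_key => "$privdir/${conf}_sharedkey.pem",
    );
    my %error_of = (
        cacert_pem => 'ERROR_OPEN_CA',
        cert_pem   => 'ERROR_OPEN_CRT',
        dh_pem     => 'ERROR_OPEN_DH',
        key_pem    => 'ERROR_OPEN_KEY',
        shared_key => 'ERROR_OPEN_TA',
    );

    foreach my $pem (@to_write) {
        my $path = $path_of{$pem};
        # Private material is created 0600 from the first byte; the explicit
        # chmod afterwards also corrects the mode of a pre-existing file.
        my $mode = ($pem eq 'key_pem' || $pem eq 'shared_key') ? 0600 : 0644;
        my $fh;
        unless (sysopen $fh, $path, O_WRONLY | O_CREAT | O_TRUNC, $mode) {
            return $fm->error($error_of{$pem}, 'FIRST_PAGE');
        }
        print {$fh} $q->param($pem);
        close $fh or return $fm->error($error_of{$pem}, 'FIRST_PAGE');
        chmod $mode, $path;
        esmith::util::chownFile("root", "root", $path);
    }

    # … unchanged: CrlUrl set_prop, signal-event, success …
```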
266 |
@@ -139,6 +203,96 @@ |
267 |
$conf_db->set_prop('openvpn-s2s', 'TCPPorts', join(',',@tcp_ports)); |
268 |
} |
269 |
|
270 |
+sub print_cert_fields{ |
271 |
+ my $fm = shift; |
272 |
+ my $q = $fm->{cgi}; |
273 |
+ my $conf = $q->param('conf_name'); |
274 |
+ my $rec = $ovpn_db->get("$conf"); |
275 |
+ my $type = $rec->prop('type') || 'server'; |
276 |
+ my $auth = $rec->prop('Authentication') || 'TLS'; |
277 |
+ my $crlurl = $rec->prop('CrlUrl') || ''; |
278 |
+ |
279 |
+ # Untaint $conf |
280 |
+ $conf =~ m/(.*)/; |
281 |
+ $conf = $1; |
282 |
+ |
283 |
+ if ($auth eq 'TLS'){ |
284 |
+ print esmith::cgi::genTextRow($q,$fm->localise('DESC_CRL_URL')); |
285 |
+ print $q->Tr ( |
286 |
+ $q->td ({-class => "sme-noborders-label"}, |
287 |
+ $fm->localise('LABEL_CRL_URL')),"\n", |
288 |
+ $q->td ({-class => "sme-noborders-content"}, |
289 |
+ $q->textfield ( |
290 |
+ -name => 'crl_url', |
291 |
+ -override => 1, |
292 |
+ -default => $crlurl, |
293 |
+ -size => 62))),"\n"; |
294 |
+ print esmith::cgi::genTextRow($q,$fm->localise('DESC_CA_PEM')); |
295 |
+ print $q->Tr ( |
296 |
+ $q->td ({-class => "sme-noborders-label"}, |
297 |
+ $fm->localise('LABEL_CA_PEM')),"\n", |
298 |
+ $q->td ({-class => "sme-noborders-content"}, |
299 |
+ $q->textarea ( |
300 |
+ -name => 'cacert_pem', |
301 |
+ -override => 1, |
302 |
+ -default => read_file("$pubdir/$conf"."_cacert.pem"), |
303 |
+ -rows => 15, |
304 |
+ -columns => 70))),"\n"; |
305 |
+ print esmith::cgi::genTextRow($q,$fm->localise('DESC_CRT_PEM')); |
306 |
+ print $q->Tr ( |
307 |
+ $q->td ({-class => "sme-noborders-label"}, |
308 |
+ $fm->localise('LABEL_CRT_PEM')),"\n", |
309 |
+ $q->td ({-class => "sme-noborders-content"}, |
310 |
+ $q->textarea ( |
311 |
+ -name => 'cert_pem', |
312 |
+ -override => 1, |
313 |
+ -default => read_file("$pubdir/$conf"."_cert.pem"), |
314 |
+ -rows => 15, |
315 |
+ -columns => 70))),"\n"; |
316 |
+ print esmith::cgi::genTextRow($q,$fm->localise('DESC_KEY_PEM')); |
317 |
+ print $q->Tr ( |
318 |
+ $q->td ({-class => "sme-noborders-label"}, |
319 |
+ $fm->localise('LABEL_KEY_PEM')),"\n", |
320 |
+ $q->td ({-class => "sme-noborders-content"}, |
321 |
+ $q->textarea ( |
322 |
+ -name => 'key_pem', |
323 |
+ -override => 1, |
324 |
+ -default => read_file("$privdir/$conf"."_key.pem"), |
325 |
+ -rows => 15, |
326 |
+ -columns => 70))),"\n"; |
327 |
+ if ($type eq 'server'){ |
328 |
+ print esmith::cgi::genTextRow($q,$fm->localise('DESC_DH_PEM')); |
329 |
+ print $q->Tr ( |
330 |
+ $q->td ({-class => "sme-noborders-label"}, |
331 |
+ $fm->localise('LABEL_DH_PEM')),"\n", |
332 |
+ $q->td ({-class => "sme-noborders-content"}, |
333 |
+ $q->textarea ( |
334 |
+ -name => 'dh_pem', |
335 |
+ -override => 1, |
336 |
+ -default => read_file("$pubdir/$conf"."_dh.pem"), |
337 |
+ -rows => 8, |
338 |
+ -columns => 70))),"\n"; |
339 |
+ } |
340 |
+ print esmith::cgi::genTextRow($q,$fm->localise('DESC_SHARED_KEY_TLS')); |
341 |
+ } |
342 |
+ else{ |
343 |
+ print esmith::cgi::genTextRow($q,$fm->localise('DESC_SHARED_KEY')); |
344 |
+ } |
345 |
+ |
346 |
+ print $q->Tr ( |
347 |
+ $q->td ({-class => "sme-noborders-label"}, |
348 |
+ $fm->localise('LABEL_SHARED_KEY')),"\n", |
349 |
+ $q->td ({-class => "sme-noborders-content"}, |
350 |
+ $q->textarea ( |
351 |
+ -name => 'shared_key', |
352 |
+ -override => 1, |
353 |
+ -default => read_file("$privdir/$conf"."_sharedkey.pem"), |
354 |
+ -rows => 5, |
355 |
+ -columns => 70))),"\n"; |
356 |
+ return undef; |
357 |
+} |
358 |
+ |
359 |
+ |
360 |
# Print clients or servers table |
361 |
sub print_conf_table{ |
362 |
my $fm = shift; |
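Review bot: `$ovpn_db->get("$conf")` is dereferenced unconditionally, so if `conf_name` does not name an existing record `$rec->prop('type')` dies in the middle of page rendering; guard it with `return $fm->error('ERROR_OCCURED', 'FIRST_PAGE') unless $rec;` (the key write_pem already uses). The `$conf =~ m/(.*)/` untaint accepts anything, and `$conf` then forms part of every `read_file(...)` path, so whatever validation `conf_name` received on the earlier page is the only thing keeping `../` out of `$pubdir`/`$privdir`; a character-class untaint such as `my ($safe) = $conf =~ /\A([\w.-]+)\z/ or return $fm->error('ERROR_OCCURED', 'FIRST_PAGE');` would make this function safe on its own (confirm the allowed name syntax against print_conf_name_field, which is not visible here). Style: the six `print $q->Tr(...)` blocks differ only in label key, field name, file and row count and would read better as one private helper, e.g. `_print_pem_row($fm, $q, $label, $name, $file, $rows)`. Note that this page echoes the private key and tls-auth key back into the HTML on every view, which was already the case for `shared_key` before this patch and is presumably the intended editing model.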
363 |
@@ -208,6 +362,8 @@ |
364 |
$q->param(-name=>'remote_host',-value=> |
365 |
$rec->prop('RemoteHost')); |
366 |
} |
367 |
+ $q->param(-name=>'auth',-value=> |
368 |
+ $rec->prop('Authentication')); |
369 |
$q->param(-name=>'local_ip',-value=> |
370 |
$rec->prop('LocalIP')); |
371 |
$q->param(-name=>'remote_ip',-value=> |
372 |
@@ -220,8 +376,6 @@ |
373 |
$rec->prop('status')); |
374 |
$q->param(-name=>'remote_net',-value=> |
375 |
$rec->prop('RemoteNetworks')); |
376 |
- $q->param(-name=>'shared_key',-value=> |
377 |
- read_key($name)); |
378 |
} |
379 |
} |
380 |
else { |
381 |
@@ -309,14 +463,12 @@ |
382 |
return undef; |
383 |
} |
384 |
|
385 |
-sub read_key{ |
386 |
- my $conf = shift; |
387 |
+sub read_file{ |
388 |
+ my $file = shift; |
389 |
my $ret = ''; |
390 |
|
391 |
- if (open (PEM, "<$privdir/$conf".'_key.pem')){ |
392 |
- while (<PEM>){ |
393 |
- $ret .= $_; |
394 |
- } |
395 |
+ if (open (PEM, "<$file")){ |
396 |
+ $ret .= $_ while (<PEM>); |
397 |
close PEM; |
398 |
} |
399 |
return $ret; |
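Review bot: A file that cannot be opened is silently reported as an empty string, and print_cert_fields uses that string as the textarea default, so a transient read failure on an existing key file shows an empty field that, once saved, replaces the real key with an empty one unless is_valid_key rejects empty input; at minimum make the failure visible with `warn "read_file: $file: $!";` in the else case. The open is still the bareword-handle, two-argument form on a variable path; `open my $fh, '<', $file or return $ret;` followed by `local $/; $ret = <$fh>;` reads the whole file with a lexical handle and no mode parsing of `$file`. read_file's closing brace is outside this hunk.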
400 |
@@ -332,6 +484,15 @@ |
401 |
return $ret; |
402 |
} |
403 |
|
404 |
+sub is_url_or_empty{ |
405 |
+ my ($fm, $url) = @_; |
406 |
+ my $ret = 'OK'; |
407 |
+ if (($url !~ /^(http:\/\/)|(https:\/\/)/) && ($url ne '')){ |
408 |
+ $ret = $fm->localise('NOT_A_VALID_URL',{string => $url}); |
409 |
+ } |
410 |
+ return $ret; |
411 |
+} |
412 |
+ |
413 |
sub is_valid_net_or_empty{ |
414 |
my ($fm, $nets) = @_; |
415 |
my $ret = 'OK'; |
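Review bot: The regex `/^(http:\/\/)|(https:\/\/)/` is an alternation of `^(http://)` and an unanchored `(https://)`, so any string containing `https://` anywhere passes and only the http form is anchored; `m{\Ahttps?://}` expresses the intended check. `$url` is also used unguarded: an absent `crl_url` parameter is undef, which warns in both the match and the `ne` comparison, so start the sub with `$url = '' unless defined $url;`. is_valid_net_or_empty continues past the hunk.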