diff -Nur -x '*.orig' -x '*.rej' smeserver-openvpn-s2s-0.1/root/etc/e-smith/templates/etc/openvpn/s2s/openvpn-s2s.conf/30key mezzanine_patched_smeserver-openvpn-s2s-0.1/root/etc/e-smith/templates/etc/openvpn/s2s/openvpn-s2s.conf/30key --- smeserver-openvpn-s2s-0.1/root/etc/e-smith/templates/etc/openvpn/s2s/openvpn-s2s.conf/30key 2010-10-15 19:37:57.000000000 +0200 +++ mezzanine_patched_smeserver-openvpn-s2s-0.1/root/etc/e-smith/templates/etc/openvpn/s2s/openvpn-s2s.conf/30key 2010-10-17 15:46:44.000000000 +0200 @@ -1,6 +1,32 @@ -# Secret Key config +# Authentication { -$OUT .= "secret priv/$key"."_key.pem\n"; +my $auth = $db->get_prop($key,'Authentication') || 'TLS'; +if ($auth eq 'SharedKey'){ + $OUT .= "secret priv/$key"."_sharedkey.pem\n"; } +elsif ($auth eq 'TLS'){ + if ($type eq 'server'){ + $OUT .= "tls-server\n"; + $OUT .= "ca pub/$key" . "_cacert.pem\n"; + $OUT .= "cert pub/$key" . "_cert.pem\n"; + $OUT .= "key priv/$key" . "_key.pem\n"; + $OUT .= "dh pub/$key" . "_dh.pem\n"; + $OUT .= "tls-auth priv/$key" . "_sharedkey.pem 0\n" + if ( -e "/etc/openvpn/s2s/priv/$key".'_sharedkey.pem' ) && + ( ! -z "/etc/openvpn/s2s/priv/$key".'_sharedkey.pem' ); + } + else{ + $OUT .= "tls-client\n"; + $OUT .= "ca pub/$key" . "_cacert.pem\n"; + $OUT .= "cert pub/$key" . "_cert.pem\n"; + $OUT .= "key priv/$key" . "_key.pem\n"; + $OUT .= "tls-auth priv/$key" . "_sharedkey.pem 1\n" + if ( -e "/etc/openvpn/s2s/priv/$key".'_sharedkey.pem' ) && + ( ! -z "/etc/openvpn/s2s/priv/$key".'_sharedkey.pem' ); + } +} + +} + diff -Nur -x '*.orig' -x '*.rej' smeserver-openvpn-s2s-0.1/root/etc/e-smith/web/functions/openvpns2s mezzanine_patched_smeserver-openvpn-s2s-0.1/root/etc/e-smith/web/functions/openvpns2s --- smeserver-openvpn-s2s-0.1/root/etc/e-smith/web/functions/openvpns2s 2010-10-16 17:56:47.000000000 +0200 +++ mezzanine_patched_smeserver-openvpn-s2s-0.1/root/etc/e-smith/web/functions/openvpns2s 2010-10-17 15:36:34.000000000 +0200 
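Review bot: For any `Authentication` value other than `SharedKey` or `TLS` the fragment emits no `secret`, `tls-server`/`tls-client`, `ca`, `cert` or `key` directive at all, and in the TLS branches the `tls-auth` line is dropped silently whenever `priv/<key>_sharedkey.pem` is missing or empty, so a stray db value or a forgotten key file degrades the generated config without any trace. Turn the bare `elsif ($auth eq 'TLS'){` into a branch that fails loudly, e.g. `else { die "Unknown Authentication value '$auth' for $key\n"; }` (presumably the template expander surfaces the die), and append `$OUT .= "# tls-auth disabled: priv/${key}_sharedkey.pem missing or empty\n";` when the file test fails so the omission is visible in the generated file. `$type` is not declared anywhere in this fragment; presumably an earlier fragment of the same template sets it — worth confirming, since under `use strict` an undeclared `$type` would abort expansion.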
@@ -74,7 +74,7 @@ #---------------------------------------------------------------- # CLIENT CONFIGURATION PAGE #---------------------------------------------------------------- - + DESC_ADD_CLIENT_PAGE @@ -94,6 +94,11 @@ + + DESC_AUTH + + + DESC_REMOTE_HOST @@ -119,19 +124,14 @@ - - DESC_SHARED_KEY - - - - + #---------------------------------------------------------------- # SERVER CONFIGURATION PAGE #---------------------------------------------------------------- - + DESC_ADD_SERVER_PAGE @@ -151,6 +151,11 @@ + + DESC_AUTH + + + DESC_LOCAL_PORT @@ -171,13 +176,16 @@ - - DESC_SHARED_KEY - - + - + + + + DESC_CONFIGURE_CERT + + + diff -Nur -x '*.orig' -x '*.rej' smeserver-openvpn-s2s-0.1/root/usr/lib/perl5/site_perl/esmith/FormMagick/Panel/openvpns2s.pm mezzanine_patched_smeserver-openvpn-s2s-0.1/root/usr/lib/perl5/site_perl/esmith/FormMagick/Panel/openvpns2s.pm --- smeserver-openvpn-s2s-0.1/root/usr/lib/perl5/site_perl/esmith/FormMagick/Panel/openvpns2s.pm 2010-10-17 15:47:04.000000000 +0200 +++ mezzanine_patched_smeserver-openvpn-s2s-0.1/root/usr/lib/perl5/site_perl/esmith/FormMagick/Panel/openvpns2s.pm 2010-10-17 15:46:55.000000000 +0200 @@ -19,13 +19,13 @@ our @EXPORT = qw( print_custom_button print_section_bar - apply_conf + write_db_conf update_ports print_conf_table print_conf_name_field remove_conf print_conf_to_remove - read_key + read_file ); our $pubdir = '/etc/openvpn/s2s/pub'; @@ -62,7 +62,7 @@ return undef; } -sub apply_conf{ +sub write_db_conf{ my ($fm,$type) = @_; my $q = $fm->{cgi}; my $conf = $q->param('conf_name'); @@ -84,6 +84,7 @@ } $ovpn_db->set_prop($conf, 'status', $q->param("status")); + $ovpn_db->set_prop($conf, 'Authentication', $q->param("auth")); $ovpn_db->set_prop($conf, 'LocalIP', $q->param("local_ip")); $ovpn_db->set_prop($conf, 'RemoteIP', $q->param("remote_ip")); $ovpn_db->set_prop($conf, 'Port', $q->param("port")); 
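Review bot: In the `@@ -84,6 +84,7 @@` hunk the new `$ovpn_db->set_prop($conf, 'Authentication', $q->param("auth"));` stores the form value unvalidated, while the `30key` template only recognises `TLS` and `SharedKey` and emits no authentication directive for anything else. Check the value before storing it, e.g. `my $auth = $q->param("auth") || ''; return $fm->error('INVALID_AUTH', 'FIRST_PAGE') unless $auth eq 'TLS' or $auth eq 'SharedKey';` (`INVALID_AUTH` being a new locale key to add). `write_db_conf` begins in the `@@ -62,7 +62,7 @@` hunk and continues past the end of this one.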
@@ -91,33 +92,96 @@ $ovpn_db->set_prop($conf, 'Comment', $q->param("comment")); $ovpn_db->set_prop($conf, 'RemoteNetworks', $q->param("remote_net")); + # Now, update the main configuration entry + update_ports(); + + $fm->success('SUCCESS','CONFIG_CERT_PAGE'); + return undef; +} + +sub write_pem{ + my ($fm,$type) = @_; + my $q = $fm->{cgi}; + my $conf = $q->param('conf_name'); + my $type = $ovpn_db->get_prop($conf, 'type') || 'server'; + my $auth = $ovpn_db->get_prop($conf, 'Authentication') || 'TLS'; + + # Run validation routines + my $msg = $fm->is_url_or_empty( $q->param("crl_url")); + unless ($msg eq "OK"){ + return $fm->error($msg,'CONFIG_CERT_PAGE'); + } + + my @pems = (); + + if ($auth eq 'TLS'){ + push @pems, qw/cacert_pem cert_pem key_pem/; + push @pems, 'dh_pem' if $type eq 'server'; + } + else{ + push @pems, 'shared_key' if $auth eq 'SharedKey'; + } + + foreach my $pem (@pems){ + $msg = $fm->is_valid_key( $q->param("$pem") ); + unless ($msg eq "OK"){ + return $fm->error($msg,'CONFIG_CERT_PAGE'); + } + } + # Untaint $conf $conf =~ m/(.*)/; $conf = $1; - # Write the shared_key - if (! open (KEY, ">$privdir/$conf".'_key.pem')){ - $fm->error('ERROR_OPENING_KEY_FILE','FIRST_PAGE'); + if (! open (CA, ">$pubdir/$conf". "_cacert.pem")){ + $fm->error('ERROR_OPEN_CA','FIRST_PAGE'); + return; + } + print CA $q->param('cacert_pem'); + close CA; + + if (! open (CRT, ">$pubdir/$conf" . "_cert.pem")){ + $fm->error('ERROR_OPEN_CRT','FIRST_PAGE'); return; } - print KEY $q->param('shared_key'); + print CRT $q->param('cert_pem'); + close CRT; + + if (! open (KEY, ">$privdir/$conf" . "_key.pem")){ + $fm->error('ERROR_OPEN_KEY','FIRST_PAGE'); + return; + } + print KEY $q->param('key_pem'); close KEY; - esmith::util::chownFile("root", "root", "$privdir/$conf".'_key.pem'); - chmod 0600, "$privdir/$conf".'_key.pem'; + if (! open (DH, ">$pubdir/$conf" . 
"_dh.pem")){ + $fm->error('ERROR_OPEN_DH','FIRST_PAGE'); + return; + } + print DH $q->param('dh_pem'); + close DH; - # Now, update the main configuration entry - update_ports(); + if (! open (TA, ">$privdir/$conf" . "_sharedkey.pem")){ + $fm->error('ERROR_OPEN_TA','FIRST_PAGE'); + return; + } + print TA $q->param('shared_key'); + close TA; - # Now, run the signal-event - unless (system ("/sbin/e-smith/signal-event", "openvpn-s2s-update") == 0 ){ - $fm->error('ERROR_OCCURED','FIRST_PAGE'); - return undef; + esmith::util::chownFile("root", "root", "$privdir/$conf*"); + esmith::util::chownFile("root", "root", "$pubdir/$conf*"); + chmod 0600, "$privdir/$conf*"; + chmod 0644, "$pubdir/$conf*"; + + $ovpn_db->set_prop($conf, 'CrlUrl', $q->param("crl_url")); + + unless ( system ("/sbin/e-smith/signal-event", "openvpn-s2s-update") == 0 ){ + return $fm->error("ERROR_OCCURED", 'FIRST_PAGE'); } - - $fm->success('SUCCESS','CONFIG_CERT_PAGE'); + $fm->success('SUCCESS','FIRST_PAGE'); return undef; + } # Update ports used in the configuration DB 
@@ -139,6 +203,96 @@ $conf_db->set_prop('openvpn-s2s', 'TCPPorts', join(',',@tcp_ports)); } +sub print_cert_fields{ + my $fm = shift; + my $q = $fm->{cgi}; + my $conf = $q->param('conf_name'); + my $rec = $ovpn_db->get("$conf"); + my $type = $rec->prop('type') || 'server'; + my $auth = $rec->prop('Authentication') || 'TLS'; + my $crlurl = $rec->prop('CrlUrl') || ''; + + # Untaint $conf + $conf =~ m/(.*)/; + $conf = $1; + + if ($auth eq 'TLS'){ + print esmith::cgi::genTextRow($q,$fm->localise('DESC_CRL_URL')); + print $q->Tr ( + $q->td ({-class => "sme-noborders-label"}, + $fm->localise('LABEL_CRL_URL')),"\n", + $q->td ({-class => "sme-noborders-content"}, + $q->textfield ( + -name => 'crl_url', + -override => 1, + -default => $crlurl, + -size => 62))),"\n"; + print esmith::cgi::genTextRow($q,$fm->localise('DESC_CA_PEM')); + print $q->Tr ( + $q->td ({-class => "sme-noborders-label"}, + $fm->localise('LABEL_CA_PEM')),"\n", + $q->td ({-class => "sme-noborders-content"}, + $q->textarea ( + -name => 'cacert_pem', + -override => 1, + -default => read_file("$pubdir/$conf"."_cacert.pem"), + -rows => 15, + -columns => 70))),"\n"; + print esmith::cgi::genTextRow($q,$fm->localise('DESC_CRT_PEM')); + print $q->Tr ( + $q->td ({-class => "sme-noborders-label"}, + $fm->localise('LABEL_CRT_PEM')),"\n", + $q->td ({-class => "sme-noborders-content"}, + $q->textarea ( + -name => 'cert_pem', + -override => 1, + -default => read_file("$pubdir/$conf"."_cert.pem"), + -rows => 15, + -columns => 70))),"\n"; + print esmith::cgi::genTextRow($q,$fm->localise('DESC_KEY_PEM')); + print $q->Tr ( + $q->td ({-class => "sme-noborders-label"}, + $fm->localise('LABEL_KEY_PEM')),"\n", + $q->td ({-class => "sme-noborders-content"}, + $q->textarea ( + -name => 'key_pem', + -override => 1, + -default => read_file("$privdir/$conf"."_key.pem"), + -rows => 15, + -columns => 70))),"\n"; + if ($type eq 'server'){ + print esmith::cgi::genTextRow($q,$fm->localise('DESC_DH_PEM')); + print $q->Tr ( + $q->td 
({-class => "sme-noborders-label"}, + $fm->localise('LABEL_DH_PEM')),"\n", + $q->td ({-class => "sme-noborders-content"}, + $q->textarea ( + -name => 'dh_pem', + -override => 1, + -default => read_file("$pubdir/$conf"."_dh.pem"), + -rows => 8, + -columns => 70))),"\n"; + } + print esmith::cgi::genTextRow($q,$fm->localise('DESC_SHARED_KEY_TLS')); + } + else{ + print esmith::cgi::genTextRow($q,$fm->localise('DESC_SHARED_KEY')); + } + + print $q->Tr ( + $q->td ({-class => "sme-noborders-label"}, + $fm->localise('LABEL_SHARED_KEY')),"\n", + $q->td ({-class => "sme-noborders-content"}, + $q->textarea ( + -name => 'shared_key', + -override => 1, + -default => read_file("$privdir/$conf"."_sharedkey.pem"), + -rows => 5, + -columns => 70))),"\n"; + return undef; +} + + # Print clients or servers table sub print_conf_table{ my $fm = shift; @@ -208,6 +362,8 @@ $q->param(-name=>'remote_host',-value=> $rec->prop('RemoteHost')); } + $q->param(-name=>'auth',-value=> + $rec->prop('Authentication')); $q->param(-name=>'local_ip',-value=> $rec->prop('LocalIP')); $q->param(-name=>'remote_ip',-value=> @@ -220,8 +376,6 @@ $rec->prop('status')); $q->param(-name=>'remote_net',-value=> $rec->prop('RemoteNetworks')); - $q->param(-name=>'shared_key',-value=> - read_key($name)); } } else { @@ -309,14 +463,12 @@ return undef; } -sub read_key{ - my $conf = shift; +sub read_file{ + my $file = shift; my $ret = ''; - if (open (PEM, "<$privdir/$conf".'_key.pem')){ - while (){ - $ret .= $_; - } + if (open (PEM, "<$file")){ + $ret .= $_ while (); close PEM; } return $ret; @@ -332,6 +484,15 @@ return $ret; } +sub is_url_or_empty{ + my ($fm, $url) = @_; + my $ret = 'OK'; + if (($url !~ /^(http:\/\/)|(https:\/\/)/) && ($url ne '')){ + $ret = $fm->localise('NOT_A_VALID_URL',{string => $url}); + } + return $ret; +} + sub is_valid_net_or_empty{ my ($fm, $nets) = @_; my $ret = 'OK';
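Review bot: `print_cert_fields` pre-fills the `key_pem` and `shared_key` textareas from `read_file("$privdir/$conf"."_key.pem")` and `read_file("$privdir/$conf"."_sharedkey.pem")`, so the private key and tls-auth key kept under `priv/` are sent to the browser on every visit to the certificate page and end up in page source and browser cache. Leave those two fields empty (`-default => ''`) and have `write_pem` skip rewriting a key whose field comes back empty, or at most display whether a key is present. Separately, `my $rec = $ovpn_db->get("$conf");` is not checked for `undef` before `$rec->prop('type')`, so an unknown `conf_name` dies inside the panel; `return $fm->error('ERROR_OCCURED', 'FIRST_PAGE') unless $rec;` would handle it. The `$conf =~ m/(.*)/; $conf = $1;` untaint accepts any string, yet `$conf` is spliced into the paths read here and written in `write_pem`; a bounded pattern such as `m/\A([\w.-]+)\z/` (falling back to an error on mismatch) is what the untaint should express.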
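Review bot: `read_file` keeps the bareword handle and two-argument `open (PEM, "<$file")` from the old `read_key`; since the generalised helper now takes an arbitrary path, `open my $fh, '<', $file or return $ret;` with `local $/;` to slurp is the safer and shorter form, and it avoids relying on the global `PEM` handle. The silent `''` on open failure is unchanged from the original and is presumably intended for the "no key yet" case.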
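Review bot: The pattern in `is_url_or_empty`, `/^(http:\/\/)|(https:\/\/)/`, is parsed as `^http://` OR `https://` anywhere, because `|` has the lowest precedence inside a regex; an `https://` appearing mid-string therefore satisfies the check even when the value does not start with a scheme. Write the test as `if ($url ne '' && $url !~ m{\Ahttps?://}) {`, and initialise with `my ($fm, $url) = @_; $url = '' unless defined $url;` so a missing `crl_url` parameter does not warn. Since the accepted value is stored as `CrlUrl` for later use that is not visible here, rejecting whitespace and control characters in the same pattern would also be prudent.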