/[smecontribs]/rpms/smeserver-openvpn-s2s/contribs7/smeserver-openvpn-s2s-0.1-tls_auth_1.patch

Contents of /rpms/smeserver-openvpn-s2s/contribs7/smeserver-openvpn-s2s-0.1-tls_auth_1.patch



Revision 1.1 - (show annotations) (download)
Tue Nov 2 16:43:51 2010 UTC (13 years, 6 months ago) by slords
Branch: MAIN
CVS Tags: smeserver-openvpn-s2s-0_1-15_el4_sme, smeserver-openvpn-s2s-0_1-13_el4_sme, smeserver-openvpn-s2s-0_1-19_el4_sme, smeserver-openvpn-s2s-0_1-14_el4_sme, smeserver-openvpn-s2s-0_1-12_el4_sme, smeserver-openvpn-s2s-0_1-18_el4_sme, smeserver-openvpn-s2s-0_1-16_el4_sme, smeserver-openvpn-s2s-0_1-20_el4_sme, smeserver-openvpn-s2s-0_1-21_el4_sme, smeserver-openvpn-s2s-0_1-11_el4_sme, HEAD
Initial import

1 diff -Nur -x '*.orig' -x '*.rej' smeserver-openvpn-s2s-0.1/root/etc/e-smith/templates/etc/openvpn/s2s/openvpn-s2s.conf/30key mezzanine_patched_smeserver-openvpn-s2s-0.1/root/etc/e-smith/templates/etc/openvpn/s2s/openvpn-s2s.conf/30key
2 --- smeserver-openvpn-s2s-0.1/root/etc/e-smith/templates/etc/openvpn/s2s/openvpn-s2s.conf/30key 2010-10-15 19:37:57.000000000 +0200
3 +++ mezzanine_patched_smeserver-openvpn-s2s-0.1/root/etc/e-smith/templates/etc/openvpn/s2s/openvpn-s2s.conf/30key 2010-10-17 15:46:44.000000000 +0200
4 @@ -1,6 +1,32 @@
5 -# Secret Key config
6 +# Authentication
7 {
8
9 -$OUT .= "secret priv/$key"."_key.pem\n";
10 +my $auth = $db->get_prop($key,'Authentication') || 'TLS';
11
12 +if ($auth eq 'SharedKey'){
13 + $OUT .= "secret priv/$key"."_sharedkey.pem\n";
14 }
15 +elsif ($auth eq 'TLS'){
16 + if ($type eq 'server'){
17 + $OUT .= "tls-server\n";
18 + $OUT .= "ca pub/$key" . "_cacert.pem\n";
19 + $OUT .= "cert pub/$key" . "_cert.pem\n";
20 + $OUT .= "key priv/$key" . "_key.pem\n";
21 + $OUT .= "dh pub/$key" . "_dh.pem\n";
22 + $OUT .= "tls-auth priv/$key" . "_sharedkey.pem 0\n"
23 + if ( -e "/etc/openvpn/s2s/priv/$key".'_sharedkey.pem' ) &&
24 + ( ! -z "/etc/openvpn/s2s/priv/$key".'_sharedkey.pem' );
25 + }
26 + else{
27 + $OUT .= "tls-client\n";
28 + $OUT .= "ca pub/$key" . "_cacert.pem\n";
29 + $OUT .= "cert pub/$key" . "_cert.pem\n";
30 + $OUT .= "key priv/$key" . "_key.pem\n";
31 + $OUT .= "tls-auth priv/$key" . "_sharedkey.pem 1\n"
32 + if ( -e "/etc/openvpn/s2s/priv/$key".'_sharedkey.pem' ) &&
33 + ( ! -z "/etc/openvpn/s2s/priv/$key".'_sharedkey.pem' );
34 + }
35 +}
36 +
37 +}
38 +
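Review bot: The `if`/`elsif` on `$auth` has no `else`, so an `Authentication` value that is neither `SharedKey` nor `TLS` (a typo or a stale record) renders a config with neither `secret` nor any `tls-*`/`ca`/`cert`/`key` line — it fails open rather than closed, and OpenVPN 2.x, if I remember its behaviour correctly, then brings the tunnel up unauthenticated and unencrypted with only a log warning. Add a final branch that refuses to produce a usable config, e.g. `else { die "unknown Authentication '$auth' for $key\n"; }` (whether a `die` inside the fragment aborts expansion or merely injects an error string depends on the templating layer — confirm before relying on it). The tls-auth existence test is also spelled out twice; `my $ta = "/etc/openvpn/s2s/priv/${key}_sharedkey.pem";` followed by `if -s $ta` (true only for an existing, non-empty file) replaces both `-e … && ! -z …` pairs. `$db`, `$key` and `$type` are supplied from outside this fragment and are not visible here.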
39 diff -Nur -x '*.orig' -x '*.rej' smeserver-openvpn-s2s-0.1/root/etc/e-smith/web/functions/openvpns2s mezzanine_patched_smeserver-openvpn-s2s-0.1/root/etc/e-smith/web/functions/openvpns2s
40 --- smeserver-openvpn-s2s-0.1/root/etc/e-smith/web/functions/openvpns2s 2010-10-16 17:56:47.000000000 +0200
41 +++ mezzanine_patched_smeserver-openvpn-s2s-0.1/root/etc/e-smith/web/functions/openvpns2s 2010-10-17 15:36:34.000000000 +0200
42 @@ -74,7 +74,7 @@
43 #----------------------------------------------------------------
44 # CLIENT CONFIGURATION PAGE
45 #----------------------------------------------------------------
46 - <page name="CREATE_OR_MODIFY_CLIENT_CONF_PAGE" pre-event="turn_off_buttons()" post-event="apply_conf('client')">
47 + <page name="CREATE_OR_MODIFY_CLIENT_CONF_PAGE" pre-event="turn_off_buttons()" post-event="write_db_conf('client')">
48
49 <field type="literal" id="add_client_desc" value="">
50 <description>DESC_ADD_CLIENT_PAGE</description>
51 @@ -94,6 +94,11 @@
52 <label>LABEL_STATUS</label>
53 </field>
54
55 + <field type="select" id="auth" options="'TLS' => 'TLS', 'SharedKey' => 'SECRET_KEY'">
56 + <description>DESC_AUTH</description>
57 + <label>LABEL_AUTH</label>
58 + </field>
59 +
60 <field type="text" id="remote_host" validation="is_hostname_or_ip()">
61 <description>DESC_REMOTE_HOST</description>
62 <label>LABEL_REMOTE_HOST</label>
63 @@ -119,19 +124,14 @@
64 <label>LABEL_REMOTE_NET</label>
65 </field>
66
67 - <field type="textarea" id="shared_key" validation="is_valid_key()">
68 - <description>DESC_SHARED_KEY</description>
69 - <label>LABEL_SHARED_KEY</label>
70 - </field>
71 -
72 - <subroutine src="print_button('SAVE')"/>
73 + <subroutine src="print_button('NEXT')"/>
74
75 </page>
76
77 #----------------------------------------------------------------
78 # SERVER CONFIGURATION PAGE
79 #----------------------------------------------------------------
80 - <page name="CREATE_OR_MODIFY_SERVER_CONF_PAGE" pre-event="turn_off_buttons()" post-event="apply_conf('server')">
81 + <page name="CREATE_OR_MODIFY_SERVER_CONF_PAGE" pre-event="turn_off_buttons()" post-event="write_db_conf('server')">
82
83 <field type="literal" id="add_server" value="">
84 <description>DESC_ADD_SERVER_PAGE</description>
85 @@ -151,6 +151,11 @@
86 <label>LABEL_STATUS</label>
87 </field>
88
89 + <field type="select" id="auth" options="'TLS' => 'TLS', 'SharedKey' => 'SECRET_KEY'">
90 + <description>DESC_AUTH</description>
91 + <label>LABEL_AUTH</label>
92 + </field>
93 +
94 <field type="text" id="port" validation="is_valid_and_available_port()">
95 <description>DESC_LOCAL_PORT</description>
96 <label>LABEL_LOCAL_PORT</label>
97 @@ -171,13 +176,16 @@
98 <label>LABEL_REMOTE_NET</label>
99 </field>
100
101 - <field type="textarea" id="shared_key" validation="is_valid_key()">
102 - <description>DESC_SHARED_KEY</description>
103 - <label>LABEL_SHARED_KEY</label>
104 - </field>
105 + <subroutine src="print_button('NEXT')"/>
106
107 - <subroutine src="print_button('SAVE')"/>
108 + </page>
109
110 + <page name="CONFIG_CERT_PAGE" pre-event="print_status_message()" post-event="write_pem()">
111 + <field type="literal" id="cert_conf" value="">
112 + <description>DESC_CONFIGURE_CERT</description>
113 + </field>
114 + <subroutine src="print_cert_fields()"/>
115 + <subroutine src="print_button('SAVE')"/>
116 </page>
117
118 <page name="REMOVE_CONF_PAGE" pre-event="turn_off_buttons()" post-event="remove_conf()">
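Review bot: `CONFIG_CERT_PAGE` declares no `<field>` elements for the PEM inputs — they are rendered by `<subroutine src="print_cert_fields()"/>` — so the declarative `validation="is_valid_key()"` that the removed `shared_key` textarea carried no longer applies to any of them, and every check now has to live in `write_pem()`. That contract is invisible from this file; add a comment in the file's existing `#` style above the page: `# PEM textareas are emitted by print_cert_fields(); they are validated in write_pem(), not by field validation= attributes`. The same applies to the two new `auth` select fields, which have no `validation=` and rely on the post-event handler to reject values outside `TLS`/`SharedKey`.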
119 diff -Nur -x '*.orig' -x '*.rej' smeserver-openvpn-s2s-0.1/root/usr/lib/perl5/site_perl/esmith/FormMagick/Panel/openvpns2s.pm mezzanine_patched_smeserver-openvpn-s2s-0.1/root/usr/lib/perl5/site_perl/esmith/FormMagick/Panel/openvpns2s.pm
120 --- smeserver-openvpn-s2s-0.1/root/usr/lib/perl5/site_perl/esmith/FormMagick/Panel/openvpns2s.pm 2010-10-17 15:47:04.000000000 +0200
121 +++ mezzanine_patched_smeserver-openvpn-s2s-0.1/root/usr/lib/perl5/site_perl/esmith/FormMagick/Panel/openvpns2s.pm 2010-10-17 15:46:55.000000000 +0200
122 @@ -19,13 +19,13 @@
123 our @EXPORT = qw(
124 print_custom_button
125 print_section_bar
126 - apply_conf
127 + write_db_conf
128 update_ports
129 print_conf_table
130 print_conf_name_field
131 remove_conf
132 print_conf_to_remove
133 - read_key
134 + read_file
135 );
136
137 our $pubdir = '/etc/openvpn/s2s/pub';
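Review bot: `write_pem`, `print_cert_fields` and `is_url_or_empty` are new and are referenced from the panel XML in this same patch (`post-event="write_pem()"`, `<subroutine src="print_cert_fields()"/>`), but only the two renames were applied to `@EXPORT`. If FormMagick resolves these names through the exporting package, as the existing entries suggest, the new handlers will not be found at runtime; add `write_pem`, `print_cert_fields` and `is_url_or_empty` to the list after `write_db_conf`. If the call path instead resolves them via the panel object this is harmless, but the list should then carry a comment stating that it is the set of names the XML depends on.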
138 @@ -62,7 +62,7 @@
139 return undef;
140 }
141
142 -sub apply_conf{
143 +sub write_db_conf{
144 my ($fm,$type) = @_;
145 my $q = $fm->{cgi};
146 my $conf = $q->param('conf_name');
147 @@ -84,6 +84,7 @@
148 }
149
150 $ovpn_db->set_prop($conf, 'status', $q->param("status"));
151 + $ovpn_db->set_prop($conf, 'Authentication', $q->param("auth"));
152 $ovpn_db->set_prop($conf, 'LocalIP', $q->param("local_ip"));
153 $ovpn_db->set_prop($conf, 'RemoteIP', $q->param("remote_ip"));
154 $ovpn_db->set_prop($conf, 'Port', $q->param("port"));
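Review bot: `$q->param("auth")` is written to the `Authentication` property without any check, and the `30key` template in this patch emits no authentication directive at all for a value other than `TLS` or `SharedKey`; the form's select constrains a browser, not the request parameter. Reject anything outside the known set before the `set_prop` calls, e.g. `my $auth = $q->param("auth") || 'TLS';` then `return $fm->error('<NEW_LOCALISED_ERROR_KEY>', 'FIRST_PAGE') unless $auth =~ /\A(?:TLS|SharedKey)\z/;` and store `$auth` instead of the raw parameter. `write_db_conf` starts outside this hunk, so the check may belong with the other validation routines above it.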
155 @@ -91,33 +92,96 @@
156 $ovpn_db->set_prop($conf, 'Comment', $q->param("comment"));
157 $ovpn_db->set_prop($conf, 'RemoteNetworks', $q->param("remote_net"));
158
159 + # Now, update the main configuration entry
160 + update_ports();
161 +
162 + $fm->success('SUCCESS','CONFIG_CERT_PAGE');
163 + return undef;
164 +}
165 +
166 +sub write_pem{
167 + my ($fm,$type) = @_;
168 + my $q = $fm->{cgi};
169 + my $conf = $q->param('conf_name');
170 + my $type = $ovpn_db->get_prop($conf, 'type') || 'server';
171 + my $auth = $ovpn_db->get_prop($conf, 'Authentication') || 'TLS';
172 +
173 + # Run validation routines
174 + my $msg = $fm->is_url_or_empty( $q->param("crl_url"));
175 + unless ($msg eq "OK"){
176 + return $fm->error($msg,'CONFIG_CERT_PAGE');
177 + }
178 +
179 + my @pems = ();
180 +
181 + if ($auth eq 'TLS'){
182 + push @pems, qw/cacert_pem cert_pem key_pem/;
183 + push @pems, 'dh_pem' if $type eq 'server';
184 + }
185 + else{
186 + push @pems, 'shared_key' if $auth eq 'SharedKey';
187 + }
188 +
189 + foreach my $pem (@pems){
190 + $msg = $fm->is_valid_key( $q->param("$pem") );
191 + unless ($msg eq "OK"){
192 + return $fm->error($msg,'CONFIG_CERT_PAGE');
193 + }
194 + }
195 +
196 # Untaint $conf
197 $conf =~ m/(.*)/;
198 $conf = $1;
199
200 - # Write the shared_key
201 - if (! open (KEY, ">$privdir/$conf".'_key.pem')){
202 - $fm->error('ERROR_OPENING_KEY_FILE','FIRST_PAGE');
203 + if (! open (CA, ">$pubdir/$conf". "_cacert.pem")){
204 + $fm->error('ERROR_OPEN_CA','FIRST_PAGE');
205 + return;
206 + }
207 + print CA $q->param('cacert_pem');
208 + close CA;
209 +
210 + if (! open (CRT, ">$pubdir/$conf" . "_cert.pem")){
211 + $fm->error('ERROR_OPEN_CRT','FIRST_PAGE');
212 return;
213 }
214 - print KEY $q->param('shared_key');
215 + print CRT $q->param('cert_pem');
216 + close CRT;
217 +
218 + if (! open (KEY, ">$privdir/$conf" . "_key.pem")){
219 + $fm->error('ERROR_OPEN_KEY','FIRST_PAGE');
220 + return;
221 + }
222 + print KEY $q->param('key_pem');
223 close KEY;
224
225 - esmith::util::chownFile("root", "root", "$privdir/$conf".'_key.pem');
226 - chmod 0600, "$privdir/$conf".'_key.pem';
227 + if (! open (DH, ">$pubdir/$conf" . "_dh.pem")){
228 + $fm->error('ERROR_OPEN_DH','FIRST_PAGE');
229 + return;
230 + }
231 + print DH $q->param('dh_pem');
232 + close DH;
233
234 - # Now, update the main configuration entry
235 - update_ports();
236 + if (! open (TA, ">$privdir/$conf" . "_sharedkey.pem")){
237 + $fm->error('ERROR_OPEN_TA','FIRST_PAGE');
238 + return;
239 + }
240 + print TA $q->param('shared_key');
241 + close TA;
242
243 - # Now, run the signal-event
244 - unless (system ("/sbin/e-smith/signal-event", "openvpn-s2s-update") == 0 ){
245 - $fm->error('ERROR_OCCURED','FIRST_PAGE');
246 - return undef;
247 + esmith::util::chownFile("root", "root", "$privdir/$conf*");
248 + esmith::util::chownFile("root", "root", "$pubdir/$conf*");
249 + chmod 0600, "$privdir/$conf*";
250 + chmod 0644, "$pubdir/$conf*";
251 +
252 + $ovpn_db->set_prop($conf, 'CrlUrl', $q->param("crl_url"));
253 +
254 + unless ( system ("/sbin/e-smith/signal-event", "openvpn-s2s-update") == 0 ){
255 + return $fm->error("ERROR_OCCURED", 'FIRST_PAGE');
256 }
257 -
258
259 - $fm->success('SUCCESS','CONFIG_CERT_PAGE');
260 + $fm->success('SUCCESS','FIRST_PAGE');
261 return undef;
262 +
263 }
264
265 # Update ports used in the configuration DB
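Review bot: `chmod 0600, "$privdir/$conf*"` and the three sibling calls at the end of `write_pem` do nothing useful: Perl's `chmod` (and, presumably, `esmith::util::chownFile`) takes literal filenames and does not expand `*`, so they act on a non-existent file named `<conf>*` and return 0, whereas the removed code operated on the exact `_key.pem` path. The private key and tls-auth key are therefore left with whatever mode the process umask produced at `open` time, which is typically world-readable; the replacement below applies the mode to the exact paths and fails the save if that does not succeed (setting `umask 077` before the opens would additionally avoid the window between write and chmod). Separately, `$conf =~ m/(.*)/; $conf = $1;` only launders taint: `conf_name` comes straight from the request and should be rejected when `$ovpn_db->get($conf)` is undefined before it is spliced into five file paths, and the `open (FH, ">…")` calls should become three-argument opens on lexical handles. Finally, all five files are written regardless of `$auth`/`$type` (in SharedKey mode the cert/key/dh params are absent, so empty files overwrite any previous PEMs), and `shared_key` is never passed through `is_valid_key` when `$auth eq 'TLS'` even though `30key` will feed any non-empty file to `tls-auth`.
```perl
# … unchanged: validation, untainting of $conf, and the five open/print/close blocks …

# chmod/chown take literal names (no globbing): fix the mode on each
# file actually written, and fail the save if that does not succeed.
my @private = map { "$privdir/${conf}_$_.pem" } qw(key sharedkey);
my @public  = map { "$pubdir/${conf}_$_.pem" }  qw(cacert cert dh);
for my $f (@private) {
    esmith::util::chownFile("root", "root", $f);
    chmod 0600, $f or return $fm->error('ERROR_OCCURED', 'FIRST_PAGE');
}
for my $f (@public) {
    esmith::util::chownFile("root", "root", $f);
    chmod 0644, $f or return $fm->error('ERROR_OCCURED', 'FIRST_PAGE');
}

# … unchanged: CrlUrl set_prop, signal-event, success …
```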
266 @@ -139,6 +203,96 @@
267 $conf_db->set_prop('openvpn-s2s', 'TCPPorts', join(',',@tcp_ports));
268 }
269
270 +sub print_cert_fields{
271 + my $fm = shift;
272 + my $q = $fm->{cgi};
273 + my $conf = $q->param('conf_name');
274 + my $rec = $ovpn_db->get("$conf");
275 + my $type = $rec->prop('type') || 'server';
276 + my $auth = $rec->prop('Authentication') || 'TLS';
277 + my $crlurl = $rec->prop('CrlUrl') || '';
278 +
279 + # Untaint $conf
280 + $conf =~ m/(.*)/;
281 + $conf = $1;
282 +
283 + if ($auth eq 'TLS'){
284 + print esmith::cgi::genTextRow($q,$fm->localise('DESC_CRL_URL'));
285 + print $q->Tr (
286 + $q->td ({-class => "sme-noborders-label"},
287 + $fm->localise('LABEL_CRL_URL')),"\n",
288 + $q->td ({-class => "sme-noborders-content"},
289 + $q->textfield (
290 + -name => 'crl_url',
291 + -override => 1,
292 + -default => $crlurl,
293 + -size => 62))),"\n";
294 + print esmith::cgi::genTextRow($q,$fm->localise('DESC_CA_PEM'));
295 + print $q->Tr (
296 + $q->td ({-class => "sme-noborders-label"},
297 + $fm->localise('LABEL_CA_PEM')),"\n",
298 + $q->td ({-class => "sme-noborders-content"},
299 + $q->textarea (
300 + -name => 'cacert_pem',
301 + -override => 1,
302 + -default => read_file("$pubdir/$conf"."_cacert.pem"),
303 + -rows => 15,
304 + -columns => 70))),"\n";
305 + print esmith::cgi::genTextRow($q,$fm->localise('DESC_CRT_PEM'));
306 + print $q->Tr (
307 + $q->td ({-class => "sme-noborders-label"},
308 + $fm->localise('LABEL_CRT_PEM')),"\n",
309 + $q->td ({-class => "sme-noborders-content"},
310 + $q->textarea (
311 + -name => 'cert_pem',
312 + -override => 1,
313 + -default => read_file("$pubdir/$conf"."_cert.pem"),
314 + -rows => 15,
315 + -columns => 70))),"\n";
316 + print esmith::cgi::genTextRow($q,$fm->localise('DESC_KEY_PEM'));
317 + print $q->Tr (
318 + $q->td ({-class => "sme-noborders-label"},
319 + $fm->localise('LABEL_KEY_PEM')),"\n",
320 + $q->td ({-class => "sme-noborders-content"},
321 + $q->textarea (
322 + -name => 'key_pem',
323 + -override => 1,
324 + -default => read_file("$privdir/$conf"."_key.pem"),
325 + -rows => 15,
326 + -columns => 70))),"\n";
327 + if ($type eq 'server'){
328 + print esmith::cgi::genTextRow($q,$fm->localise('DESC_DH_PEM'));
329 + print $q->Tr (
330 + $q->td ({-class => "sme-noborders-label"},
331 + $fm->localise('LABEL_DH_PEM')),"\n",
332 + $q->td ({-class => "sme-noborders-content"},
333 + $q->textarea (
334 + -name => 'dh_pem',
335 + -override => 1,
336 + -default => read_file("$pubdir/$conf"."_dh.pem"),
337 + -rows => 8,
338 + -columns => 70))),"\n";
339 + }
340 + print esmith::cgi::genTextRow($q,$fm->localise('DESC_SHARED_KEY_TLS'));
341 + }
342 + else{
343 + print esmith::cgi::genTextRow($q,$fm->localise('DESC_SHARED_KEY'));
344 + }
345 +
346 + print $q->Tr (
347 + $q->td ({-class => "sme-noborders-label"},
348 + $fm->localise('LABEL_SHARED_KEY')),"\n",
349 + $q->td ({-class => "sme-noborders-content"},
350 + $q->textarea (
351 + -name => 'shared_key',
352 + -override => 1,
353 + -default => read_file("$privdir/$conf"."_sharedkey.pem"),
354 + -rows => 5,
355 + -columns => 70))),"\n";
356 + return undef;
357 +}
358 +
359 +
360 # Print clients or servers table
361 sub print_conf_table{
362 my $fm = shift;
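Review bot: `$ovpn_db->get("$conf")` returns undef when `conf_name` does not name an existing record, and the next line `$rec->prop('type')` then dies with Perl's undefined-value method error instead of a panel message; guard it with `return $fm->error('ERROR_OCCURED', 'FIRST_PAGE') unless defined $rec;` — that check also ensures only a known configuration name reaches the `read_file("$pubdir/$conf"…)` paths, which the `m/(.*)/` untaint alone does not. The five label/textarea blocks differ only in field name, label, default and row count; the helper below turns the page body into five one-line calls while keeping the markup byte-identical. The `print_conf_table` signature on the hunk's last lines opens a sub that continues outside it.
```perl
# One label + textarea row; the PEM rows differ only in these arguments.
sub _print_pem_row {
    my ($fm, $q, $name, $label, $default, $rows) = @_;
    print $q->Tr(
        $q->td({-class => "sme-noborders-label"}, $fm->localise($label)), "\n",
        $q->td({-class => "sme-noborders-content"},
               $q->textarea(-name     => $name,
                            -override => 1,
                            -default  => $default,
                            -rows     => $rows,
                            -columns  => 70))), "\n";
    return;
}

# … in print_cert_fields, replacing the inline Tr/td/textarea blocks …
_print_pem_row($fm, $q, 'cacert_pem', 'LABEL_CA_PEM',
               read_file("$pubdir/${conf}_cacert.pem"), 15);
# … unchanged: the remaining rows follow the same pattern …
```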
363 @@ -208,6 +362,8 @@
364 $q->param(-name=>'remote_host',-value=>
365 $rec->prop('RemoteHost'));
366 }
367 + $q->param(-name=>'auth',-value=>
368 + $rec->prop('Authentication'));
369 $q->param(-name=>'local_ip',-value=>
370 $rec->prop('LocalIP'));
371 $q->param(-name=>'remote_ip',-value=>
372 @@ -220,8 +376,6 @@
373 $rec->prop('status'));
374 $q->param(-name=>'remote_net',-value=>
375 $rec->prop('RemoteNetworks'));
376 - $q->param(-name=>'shared_key',-value=>
377 - read_key($name));
378 }
379 }
380 else {
381 @@ -309,14 +463,12 @@
382 return undef;
383 }
384
385 -sub read_key{
386 - my $conf = shift;
387 +sub read_file{
388 + my $file = shift;
389 my $ret = '';
390
391 - if (open (PEM, "<$privdir/$conf".'_key.pem')){
392 - while (<PEM>){
393 - $ret .= $_;
394 - }
395 + if (open (PEM, "<$file")){
396 + $ret .= $_ while (<PEM>);
397 close PEM;
398 }
399 return $ret;
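Review bot: `open (PEM, "<$file")` is a two-argument open on a bareword handle with a path that callers build from request input; use the three-argument form so `$file` is only ever a filename, and report why a read failed instead of silently returning `''` — a missing key file and an unreadable one currently look identical to the page, and for the unvalidated `shared_key` textarea in TLS mode `write_pem` then writes the empty value back over the file. For example `if (open my $fh, '<', $file) { $ret = join '', <$fh>; close $fh; } else { warn "read_file: $file: $!"; }`. `read_file` is also exported, so any caller may hand it any path; if that is not intended, restrict it to `$pubdir`/`$privdir` or drop it from `@EXPORT`.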
400 @@ -332,6 +484,15 @@
401 return $ret;
402 }
403
404 +sub is_url_or_empty{
405 + my ($fm, $url) = @_;
406 + my $ret = 'OK';
407 + if (($url !~ /^(http:\/\/)|(https:\/\/)/) && ($url ne '')){
408 + $ret = $fm->localise('NOT_A_VALID_URL',{string => $url});
409 + }
410 + return $ret;
411 +}
412 +
413 sub is_valid_net_or_empty{
414 my ($fm, $nets) = @_;
415 my $ret = 'OK';
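Review bot: The pattern `/^(http:\/\/)|(https:\/\/)/` is parsed as `^http://` *or* `https://` anywhere in the string, because `|` binds looser than `^`, so a value with `https://` in the middle passes the check; write it as `$url !~ m{\Ahttps?://}` (the captures are unused). `$url` is taken from `$q->param("crl_url")` and may be undef when the field is absent, which makes both `!~` and `ne ''` warn — add `$url = '' unless defined $url;` first. The value ends up in the `CrlUrl` property and is presumably fetched by something outside this patch, so the stricter anchoring matters. The hunk's last lines open `is_valid_net_or_empty`, which continues outside it.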
