]> git.ipfire.org Git - people/pmueller/ipfire-2.x.git/blame - html/cgi-bin/vpnmain.cgi
projects / people / pmueller / ipfire-2.x.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
perl: Package Data::UUID
[people/pmueller/ipfire-2.x.git] / html / cgi-bin / vpnmain.cgi
CommitLineData
ac1cfefa 1#!/usr/bin/perl
70df8302
MT		 2###############################################################################
3# #
4# IPFire.org - A linux based firewall #
993724b4 5# Copyright (C) 2007-2020 IPFire Team <info@ipfire.org> #
70df8302
MT		 6# #
7# This program is free software: you can redistribute it and/or modify #
8# it under the terms of the GNU General Public License as published by #
9# the Free Software Foundation, either version 3 of the License, or #
10# (at your option) any later version. #
11# #
12# This program is distributed in the hope that it will be useful, #
13# but WITHOUT ANY WARRANTY; without even the implied warranty of #
14# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
15# GNU General Public License for more details. #
16# #
17# You should have received a copy of the GNU General Public License #
18# along with this program. If not, see <http://www.gnu.org/licenses/>. #
19# #
20###############################################################################
ac1cfefa 21
26a0befd 22use MIME::Base64;
ac1cfefa
MT		 23use Net::DNS;
24use File::Copy;
25use File::Temp qw/ tempfile tempdir /;
26use strict;
eff2dbf8 27use Sort::Naturally;
ac1cfefa 28# enable only the following on debugging purpose
cb5e9c6c
CS		 29#use warnings;
30#use CGI::Carp 'fatalsToBrowser';
ac1cfefa 31
986e08d9 32require '/var/ipfire/general-functions.pl';
ac1cfefa
MT		 33require "${General::swroot}/lang.pl";
34require "${General::swroot}/header.pl";
ac1cfefa
MT		 35require "${General::swroot}/countries.pl";
36
37#workaround to suppress a warning when a variable is used only once
ed84e8b8 38my @dummy = ( ${Header::colourgreen}, ${Header::colourblue} );
ac1cfefa
MT		 39undef (@dummy);
40
41###
42### Initialize variables
43###
624615ee 44my $sleepDelay = 4; # after a call to ipsecctrl S or R, wait this delay (seconds) before reading status (let the ipsec do its job)
ac1cfefa 45my %netsettings=();
ed84e8b8
MT		 46our %cgiparams=();
47our %vpnsettings=();
ac1cfefa
MT		 48my %checked=();
49my %confighash=();
50my %cahash=();
51my %selected=();
52my $warnmessage = '';
53my $errormessage = '';
ed84e8b8 54
f2fdd0c1
CS		 55my %color = ();
56my %mainsettings = ();
57&General::readhash("${General::swroot}/main/settings", \%mainsettings);
8186b372 58&General::readhash("/srv/web/ipfire/html/themes/ipfire/include/colors.txt", \%color);
f2fdd0c1 59
ac1cfefa 60&General::readhash("${General::swroot}/ethernet/settings", \%netsettings);
e897bfeb 61
af183eeb
MT		 62my %INACTIVITY_TIMEOUTS = (
63 300 => $Lang::tr{'five minutes'},
64 600 => $Lang::tr{'ten minutes'},
65 900 => $Lang::tr{'fifteen minutes'},
66 1800 => $Lang::tr{'thirty minutes'},
67 3600 => $Lang::tr{'one hour'},
68 43200 => $Lang::tr{'twelve hours'},
69 86400 => $Lang::tr{'24 hours'},
70 0 => "- $Lang::tr{'unlimited'} -",
71);
72
ae0d0698
MT		 73# Load aliases
74my %aliases;
75&General::get_aliases(\%aliases);
76
e9850821
AM		 77my $col="";
78
ac1cfefa 79$cgiparams{'ENABLED'} = 'off';
ac1cfefa 80$cgiparams{'EDIT_ADVANCED'} = 'off';
ac1cfefa
MT		 81$cgiparams{'ACTION'} = '';
82$cgiparams{'CA_NAME'} = '';
ed84e8b8
MT		 83$cgiparams{'KEY'} = '';
84$cgiparams{'TYPE'} = '';
85$cgiparams{'ADVANCED'} = '';
ed84e8b8
MT		 86$cgiparams{'NAME'} = '';
87$cgiparams{'LOCAL_SUBNET'} = '';
88$cgiparams{'REMOTE_SUBNET'} = '';
ae0d0698 89$cgiparams{'LOCAL'} = '';
ed84e8b8
MT		 90$cgiparams{'REMOTE'} = '';
91$cgiparams{'LOCAL_ID'} = '';
92$cgiparams{'REMOTE_ID'} = '';
93$cgiparams{'REMARK'} = '';
94$cgiparams{'PSK'} = '';
95$cgiparams{'CERT_NAME'} = '';
96$cgiparams{'CERT_EMAIL'} = '';
97$cgiparams{'CERT_OU'} = '';
98$cgiparams{'CERT_ORGANIZATION'} = '';
99$cgiparams{'CERT_CITY'} = '';
100$cgiparams{'CERT_STATE'} = '';
101$cgiparams{'CERT_COUNTRY'} = '';
102$cgiparams{'SUBJECTALTNAME'} = '';
103$cgiparams{'CERT_PASS1'} = '';
104$cgiparams{'CERT_PASS2'} = '';
105$cgiparams{'ROOTCERT_HOSTNAME'} = '';
106$cgiparams{'ROOTCERT_COUNTRY'} = '';
107$cgiparams{'P12_PASS'} = '';
108$cgiparams{'ROOTCERT_ORGANIZATION'} = '';
109$cgiparams{'ROOTCERT_HOSTNAME'} = '';
110$cgiparams{'ROOTCERT_EMAIL'} = '';
111$cgiparams{'ROOTCERT_OU'} = '';
112$cgiparams{'ROOTCERT_CITY'} = '';
113$cgiparams{'ROOTCERT_STATE'} = '';
9d85ac3b 114$cgiparams{'RW_NET'} = '';
4e156911
AM		 115$cgiparams{'DPD_DELAY'} = '30';
116$cgiparams{'DPD_TIMEOUT'} = '120';
f6529a04 117$cgiparams{'FORCE_MOBIKE'} = 'off';
1e9457ac 118$cgiparams{'START_ACTION'} = 'route';
8ebe7254 119$cgiparams{'INACTIVITY_TIMEOUT'} = 1800;
29f5e0e2 120$cgiparams{'MODE'} = "tunnel";
cae1f4a7 121$cgiparams{'INTERFACE_MODE'} = "";
74641317 122$cgiparams{'INTERFACE_ADDRESS'} = "";
55842dda 123$cgiparams{'INTERFACE_MTU'} = 1500;
ac1cfefa
MT		 124&Header::getcgihash(\%cgiparams, {'wantfile' => 1, 'filevar' => 'FH'});
125
126###
127### Useful functions
128###
129sub valid_dns_host {
130 my $hostname = $_[0];
131 unless ($hostname) { return "No hostname"};
132 my $res = new Net::DNS::Resolver;
133 my $query = $res->search("$hostname");
134 if ($query) {
135 foreach my $rr ($query->answer) {
136 ## Potential bug - we are only looking at A records:
137 return 0 if $rr->type eq "A";
138 }
139 } else {
140 return $res->errorstring;
141 }
142}
ed84e8b8
MT		 143###
144### Just return true is one interface is vpn enabled
145###
146sub vpnenabled {
624615ee 147 return ($vpnsettings{'ENABLED'} eq 'on');
ed84e8b8
MT		 148}
149###
624615ee
LS		 150### old version: maintain serial number to one, without explication.
151### this: let the counter go, so that each cert is numbered.
ed84e8b8 152###
624615ee
LS		 153sub cleanssldatabase {
154 if (open(FILE, ">${General::swroot}/certs/serial")) {
155 print FILE "01";
156 close FILE;
157 }
158 if (open(FILE, ">${General::swroot}/certs/index.txt")) {
159 print FILE "";
160 close FILE;
161 }
e6f7f8e7
EK		 162 if (open(FILE, ">${General::swroot}/certs/index.txt.attr")) {
163 print FILE "";
164 close FILE;
165 }
624615ee 166 unlink ("${General::swroot}/certs/index.txt.old");
e6f7f8e7 167 unlink ("${General::swroot}/certs/index.txt.attr.old");
624615ee
LS		 168 unlink ("${General::swroot}/certs/serial.old");
169 unlink ("${General::swroot}/certs/01.pem");
ac1cfefa 170}
624615ee
LS		 171sub newcleanssldatabase {
172 if (! -s "${General::swroot}/certs/serial" ) {
173 open(FILE, ">${General::swroot}/certs/serial");
174 print FILE "01";
175 close FILE;
176 }
177 if (! -s ">${General::swroot}/certs/index.txt") {
178 system ("touch ${General::swroot}/certs/index.txt");
179 }
e6f7f8e7
EK		 180 if (! -s ">${General::swroot}/certs/index.txt.attr") {
181 system ("touch ${General::swroot}/certs/index.txt.attr");
182 }
624615ee 183 unlink ("${General::swroot}/certs/index.txt.old");
e6f7f8e7 184 unlink ("${General::swroot}/certs/index.txt.attr.old");
624615ee
LS		 185 unlink ("${General::swroot}/certs/serial.old");
186# unlink ("${General::swroot}/certs/01.pem"); numbering evolves. Wrong place to delete
ac1cfefa 187}
ed84e8b8
MT		 188
189###
190### Call openssl and return errormessage if any
191###
192sub callssl ($) {
624615ee
LS		 193 my $opt = shift;
194 my $retssl = `/usr/bin/openssl $opt 2>&1`; #redirect stderr
195 my $ret = '';
196 foreach my $line (split (/\n/, $retssl)) {
197 &General::log("ipsec", "$line") if (0); # 1 for verbose logging
198 $ret .= '<br>'.$line if ( $line =~ /error|unknown/ );
199 }
200 if ($ret) {
201 $ret= &Header::cleanhtml($ret);
202 }
203 return $ret ? "$Lang::tr{'openssl produced an error'}: $ret" : '' ;
ed84e8b8
MT		 204}
205###
206### Obtain a CN from given cert
207###
208sub getCNfromcert ($) {
624615ee
LS		 209 #&General::log("ipsec", "Extracting name from $_[0]...");
210 my $temp = `/usr/bin/openssl x509 -text -in $_[0]`;
568a227b 211 $temp =~ /Subject:.*CN = (.*)[\n]/;
624615ee
LS		 212 $temp = $1;
213 $temp =~ s+/Email+, E+;
568a227b 214 $temp =~ s/ ST = / S = /;
624615ee
LS		 215 $temp =~ s/,//g;
216 $temp =~ s/\'//g;
217 return $temp;
ed84e8b8
MT		 218}
219###
220### Obtain Subject from given cert
221###
222sub getsubjectfromcert ($) {
624615ee
LS		 223 #&General::log("ipsec", "Extracting subject from $_[0]...");
224 my $temp = `/usr/bin/openssl x509 -text -in $_[0]`;
225 $temp =~ /Subject: (.*)[\n]/;
226 $temp = $1;
227 $temp =~ s+/Email+, E+;
568a227b 228 $temp =~ s/ ST = / S = /;
624615ee 229 return $temp;
ed84e8b8
MT		 230}
231###
624615ee 232### Combine local subnet and connection name to make a unique name for each connection section
ed84e8b8
MT		 233### (this sub is not used now)
234###
235sub makeconnname ($) {
624615ee
LS		 236 my $conn = shift;
237 my $subnet = shift;
238
239 $subnet =~ /^(.*?)\/(.*?)$/; # $1=IP $2=mask
240 my $ip = unpack('N', &Socket::inet_aton($1));
241 if (length ($2) > 2) {
242 my $mm = unpack('N', &Socket::inet_aton($2));
243 while ( ($mm & 1)==0 ) {
244 $ip >>= 1;
245 $mm >>= 1;
246 };
247 } else {
248 $ip >>= (32 - $2);
249 }
250 return sprintf ("%s-%X", $conn, $ip);
ed84e8b8
MT		 251}
252###
253### Write a config file.
254###
255###Type=Host : GUI can choose the interface used (RED,GREEN,BLUE) and
256### the side is always defined as 'left'.
ed84e8b8 257###
ed84e8b8 258
ac1cfefa 259sub writeipsecfiles {
624615ee
LS		 260 my %lconfighash = ();
261 my %lvpnsettings = ();
262 &General::readhasharray("${General::swroot}/vpn/config", \%lconfighash);
263 &General::readhash("${General::swroot}/vpn/settings", \%lvpnsettings);
264
265 open(CONF, ">${General::swroot}/vpn/ipsec.conf") or die "Unable to open ${General::swroot}/vpn/ipsec.conf: $!";
266 open(SECRETS, ">${General::swroot}/vpn/ipsec.secrets") or die "Unable to open ${General::swroot}/vpn/ipsec.secrets: $!";
267 flock CONF, 2;
268 flock SECRETS, 2;
269 print CONF "version 2\n\n";
270 print CONF "conn %default\n";
271 print CONF "\tkeyingtries=%forever\n";
272 print CONF "\n";
273
274 # Add user includes to config file
275 if (-e "/etc/ipsec.user.conf") {
276 print CONF "include /etc/ipsec.user.conf\n";
277 print CONF "\n";
ed84e8b8 278 }
e8b3bb0e 279
624615ee 280 print SECRETS "include /etc/ipsec.user.secrets\n";
4b02b404 281
624615ee
LS		 282 if (-f "${General::swroot}/certs/hostkey.pem") {
283 print SECRETS ": RSA ${General::swroot}/certs/hostkey.pem\n"
284 }
285 my $last_secrets = ''; # old the less specifics connections
286
287 foreach my $key (keys %lconfighash) {
288 next if ($lconfighash{$key}[0] ne 'on');
289
290 #remote peer is not set? => use '%any'
291 $lconfighash{$key}[10] = '%any' if ($lconfighash{$key}[10] eq '');
292
ae0d0698
MT		 293 # Field 6 might be "off" on old installations
294 if ($lconfighash{$key}[6] eq "off") {
517683ee 295 $lconfighash{$key}[6] = $lvpnsettings{"VPN_IP"};
ae0d0698
MT		 296 }
297
624615ee 298 my $localside;
ae0d0698
MT		 299 if ($lconfighash{$key}[6]) {
300 $localside = $lconfighash{$key}[6];
ae0d0698
MT		 301 } else {
302 $localside = "%defaultroute";
4b02b404 303 }
e8b3bb0e 304
b01c17e9
MT		 305 my $interface_mode = $lconfighash{$key}[36];
306
624615ee
LS		 307 print CONF "conn $lconfighash{$key}[1]\n";
308 print CONF "\tleft=$localside\n";
b01c17e9
MT		 309
310 if ($interface_mode eq "gre") {
90aa4f10 311 print CONF "\tleftprotoport=gre\n";
b01c17e9
MT		 312 } elsif ($interface_mode eq "vti") {
313 print CONF "\tleftsubnet=0.0.0.0/0\n";
314 } else {
f2d45a45 315 print CONF "\tleftsubnet=" . &make_subnets("left", $lconfighash{$key}[8]) . "\n";
b01c17e9
MT		 316 }
317
624615ee
LS		 318 print CONF "\tleftfirewall=yes\n";
319 print CONF "\tlefthostaccess=yes\n";
320 print CONF "\tright=$lconfighash{$key}[10]\n";
321
322 if ($lconfighash{$key}[3] eq 'net') {
b01c17e9 323 if ($interface_mode eq "gre") {
90aa4f10 324 print CONF "\trightprotoport=gre\n";
b01c17e9
MT		 325 } elsif ($interface_mode eq "vti") {
326 print CONF "\trightsubnet=0.0.0.0/0\n";
327 } else {
f2d45a45 328 print CONF "\trightsubnet=" . &make_subnets("right", $lconfighash{$key}[11]) . "\n";
b01c17e9 329 }
624615ee 330 }
e8b3bb0e 331
624615ee
LS		 332 # Local Cert and Remote Cert (unless auth is DN dn-auth)
333 if ($lconfighash{$key}[4] eq 'cert') {
334 print CONF "\tleftcert=${General::swroot}/certs/hostcert.pem\n";
335 print CONF "\trightcert=${General::swroot}/certs/$lconfighash{$key}[1]cert.pem\n" if ($lconfighash{$key}[2] ne '%auth-dn');
ed84e8b8 336 }
ed84e8b8 337
624615ee
LS		 338 # Local and Remote IDs
339 print CONF "\tleftid=\"$lconfighash{$key}[7]\"\n" if ($lconfighash{$key}[7]);
340 print CONF "\trightid=\"$lconfighash{$key}[9]\"\n" if ($lconfighash{$key}[9]);
126246a8 341
326728d5
MT		 342 # Set mode
343 if ($lconfighash{$key}[35] eq "transport") {
344 print CONF "\ttype=transport\n";
345 } else {
346 print CONF "\ttype=tunnel\n";
347 }
348
b01c17e9
MT		 349 # Add mark for VTI
350 if ($interface_mode eq "vti") {
351 print CONF "\tmark=$key\n";
352 }
353
624615ee
LS		 354 # Is PFS enabled?
355 my $pfs = $lconfighash{$key}[28] eq 'on' ? 'on' : 'off';
ed84e8b8 356
624615ee
LS		 357 # Algorithms
358 if ($lconfighash{$key}[18] && $lconfighash{$key}[19] && $lconfighash{$key}[20]) {
359 my @encs = split('\|', $lconfighash{$key}[18]);
360 my @ints = split('\|', $lconfighash{$key}[19]);
361 my @groups = split('\|', $lconfighash{$key}[20]);
ed84e8b8 362
624615ee
LS		 363 my @algos = &make_algos("ike", \@encs, \@ints, \@groups, 1);
364 print CONF "\tike=" . join(",", @algos);
365
366 if ($lconfighash{$key}[24] eq 'on') { #only proposed algorythms?
367 print CONF "!\n";
368 } else {
369 print CONF "\n";
370 }
371 }
372
373 if ($lconfighash{$key}[21] && $lconfighash{$key}[22]) {
374 my @encs = split('\|', $lconfighash{$key}[21]);
375 my @ints = split('\|', $lconfighash{$key}[22]);
376 my @groups = split('\|', $lconfighash{$key}[23]);
377
378 # Use IKE grouptype if no ESP group type has been selected
379 # (for backwards compatibility)
380 if ($lconfighash{$key}[23] eq "") {
381 @groups = split('\|', $lconfighash{$key}[20]);
382 }
f6529a04 383
624615ee
LS		 384 my @algos = &make_algos("esp", \@encs, \@ints, \@groups, ($pfs eq "on"));
385 print CONF "\tesp=" . join(",", @algos);
afd5d8f7 386
624615ee
LS		 387 if ($lconfighash{$key}[24] eq 'on') { #only proposed algorythms?
388 print CONF "!\n";
389 } else {
390 print CONF "\n";
391 }
afd5d8f7 392 }
ac1cfefa 393
624615ee
LS		 394 # IKE V1 or V2
395 if (! $lconfighash{$key}[29]) {
396 $lconfighash{$key}[29] = "ikev1";
397 }
a4737620 398
624615ee 399 print CONF "\tkeyexchange=$lconfighash{$key}[29]\n";
a4737620 400
624615ee
LS		 401 # Lifetimes
402 print CONF "\tikelifetime=$lconfighash{$key}[16]h\n" if ($lconfighash{$key}[16]);
403 print CONF "\tkeylife=$lconfighash{$key}[17]h\n" if ($lconfighash{$key}[17]);
404
405 # Compression
406 print CONF "\tcompress=yes\n" if ($lconfighash{$key}[13] eq 'on');
407
408 # Force MOBIKE?
409 if (($lconfighash{$key}[29] eq "ikev2") && ($lconfighash{$key}[32] eq 'on')) {
410 print CONF "\tmobike=yes\n";
411 }
412
413 # Dead Peer Detection
414 my $dpdaction = $lconfighash{$key}[27];
415 print CONF "\tdpdaction=$dpdaction\n";
416
417 # If the dead peer detection is disabled and IKEv2 is used,
418 # dpddelay must be set to zero, too.
419 if ($dpdaction eq "none") {
420 if ($lconfighash{$key}[29] eq "ikev2") {
421 print CONF "\tdpddelay=0\n";
422 }
423 } else {
424 my $dpddelay = $lconfighash{$key}[31];
425 if (!$dpddelay) {
426 $dpddelay = 30;
427 }
428 print CONF "\tdpddelay=$dpddelay\n";
429 my $dpdtimeout = $lconfighash{$key}[30];
430 if (!$dpdtimeout) {
431 $dpdtimeout = 120;
432 }
433 print CONF "\tdpdtimeout=$dpdtimeout\n";
434 }
435
436 # Build Authentication details: LEFTid RIGHTid : PSK psk
437 my $psk_line;
438 if ($lconfighash{$key}[4] eq 'psk') {
439 $psk_line = ($lconfighash{$key}[7] ? $lconfighash{$key}[7] : $localside) . " " ;
440 $psk_line .= $lconfighash{$key}[9] ? $lconfighash{$key}[9] : $lconfighash{$key}[10]; #remoteid or remote address?
441 $psk_line .= " : PSK '$lconfighash{$key}[5]'\n";
442 # if the line contains %any, it is less specific than two IP or ID, so move it at end of file.
443 if ($psk_line =~ /%any/) {
444 $last_secrets .= $psk_line;
445 } else {
446 print SECRETS $psk_line;
447 }
448 print CONF "\tauthby=secret\n";
449 } else {
450 print CONF "\tauthby=rsasig\n";
451 print CONF "\tleftrsasigkey=%cert\n";
452 print CONF "\trightrsasigkey=%cert\n";
453 }
454
dcb406cc
MT		 455 my $start_action = $lconfighash{$key}[33];
456 if (!$start_action) {
457 $start_action = "start";
458 }
459
af183eeb
MT		 460 my $inactivity_timeout = $lconfighash{$key}[34];
461 if ($inactivity_timeout eq "") {
462 $inactivity_timeout = 900;
463 }
464
624615ee
LS		 465 # Automatically start only if a net-to-net connection
466 if ($lconfighash{$key}[3] eq 'host') {
467 print CONF "\tauto=add\n";
468 print CONF "\trightsourceip=$lvpnsettings{'RW_NET'}\n";
469 } else {
dcb406cc 470 print CONF "\tauto=$start_action\n";
1ee1666e
MT		 471
472 # If in on-demand mode, we terminate the tunnel
473 # after 15 min of no traffic
af183eeb
MT		 474 if ($start_action eq 'route' && $inactivity_timeout > 0) {
475 print CONF "\tinactivity=$inactivity_timeout\n";
1ee1666e 476 }
624615ee
LS		 477 }
478
479 # Fragmentation
480 print CONF "\tfragmentation=yes\n";
481
482 print CONF "\n";
483 } #foreach key
484
485 # Add post user includes to config file
486 # After the GUI-connections allows to patch connections.
487 if (-e "/etc/ipsec.user-post.conf") {
488 print CONF "include /etc/ipsec.user-post.conf\n";
489 print CONF "\n";
490 }
491
492 print SECRETS $last_secrets if ($last_secrets);
493 close(CONF);
494 close(SECRETS);
ac1cfefa
MT		 495}
496
ae2782ba
MT		 497# Hook to regenerate the configuration files.
498if ($ENV{"REMOTE_ADDR"} eq "") {
26dfc86a 499 writeipsecfiles();
ae2782ba
MT		 500 exit(0);
501}
502
ac1cfefa
MT		 503###
504### Save main settings
505###
506if ($cgiparams{'ACTION'} eq $Lang::tr{'save'} && $cgiparams{'TYPE'} eq '' && $cgiparams{'KEY'} eq '') {
624615ee
LS		 507 &General::readhash("${General::swroot}/vpn/settings", \%vpnsettings);
508
624615ee
LS		 509 if ( $cgiparams{'RW_NET'} ne '' and !&General::validipandmask($cgiparams{'RW_NET'}) ) {
510 $errormessage = $Lang::tr{'urlfilter invalid ip or mask error'};
511 goto SAVE_ERROR;
512 }
513
514 $vpnsettings{'ENABLED'} = $cgiparams{'ENABLED'};
624615ee
LS		 515 $vpnsettings{'RW_NET'} = $cgiparams{'RW_NET'};
516 &General::writehash("${General::swroot}/vpn/settings", \%vpnsettings);
517 &writeipsecfiles();
518 if (&vpnenabled) {
519 system('/usr/local/bin/ipsecctrl', 'S');
520 } else {
521 system('/usr/local/bin/ipsecctrl', 'D');
522 }
523 sleep $sleepDelay;
524 SAVE_ERROR:
ac1cfefa
MT		 525###
526### Reset all step 2
527###
ed84e8b8 528} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'remove x509'} && $cgiparams{'AREUSURE'} eq 'yes') {
624615ee
LS		 529 &General::readhasharray("${General::swroot}/vpn/config", \%confighash);
530
531 foreach my $key (keys %confighash) {
532 if ($confighash{$key}[4] eq 'cert') {
533 delete $confighash{$key};
534 }
535 }
536 while (my $file = glob("${General::swroot}/{ca,certs,crls,private}/*")) {
537 unlink $file
538 }
539 &cleanssldatabase();
540 if (open(FILE, ">${General::swroot}/vpn/caconfig")) {
541 print FILE "";
542 close FILE;
543 }
544 &General::writehasharray("${General::swroot}/vpn/config", \%confighash);
545 &writeipsecfiles();
546 system('/usr/local/bin/ipsecctrl', 'R');
547 sleep $sleepDelay;
ac1cfefa
MT		 548
549###
550### Reset all step 1
551###
ed84e8b8 552} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'remove x509'}) {
624615ee
LS		 553 &Header::showhttpheaders();
554 &Header::openpage($Lang::tr{'ipsec'}, 1, '');
555 &Header::openbigbox('100%', 'left', '', '');
556 &Header::openbox('100%', 'left', $Lang::tr{'are you sure'});
557 print <<END
ed84e8b8 558 <form method='post' action='$ENV{'SCRIPT_NAME'}'>
624615ee
LS		 559 <table width='100%'>
560 <tr>
561 <td align='center'>
562 <input type='hidden' name='AREUSURE' value='yes' />
563 <b><font color='${Header::colourred}'>$Lang::tr{'capswarning'}</font></b>:&nbsp;$Lang::tr{'resetting the vpn configuration will remove the root ca, the host certificate and all certificate based connections'}
564 </td>
565 </tr><tr>
566 <td align='center'>
567 <input type='submit' name='ACTION' value='$Lang::tr{'remove x509'}' />
ed84e8b8 568 <input type='submit' name='ACTION' value='$Lang::tr{'cancel'}' /></td>
624615ee
LS		 569 </tr>
570 </table>
ed84e8b8 571 </form>
ac1cfefa 572END
624615ee
LS		 573;
574 &Header::closebox();
575 &Header::closebigbox();
576 &Header::closepage();
577 exit (0);
ac1cfefa
MT		 578
579###
580### Upload CA Certificate
581###
582} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'upload ca certificate'}) {
624615ee
LS		 583 &General::readhasharray("${General::swroot}/vpn/caconfig", \%cahash);
584
585 if ($cgiparams{'CA_NAME'} !~ /^[a-zA-Z0-9]+$/) {
586 $errormessage = $Lang::tr{'name must only contain characters'};
587 goto UPLOADCA_ERROR;
588 }
589
590 if (length($cgiparams{'CA_NAME'}) >60) {
591 $errormessage = $Lang::tr{'name too long'};
592 goto VPNCONF_ERROR;
593 }
594
595 if ($cgiparams{'CA_NAME'} eq 'ca') {
596 $errormessage = $Lang::tr{'name is invalid'};
597 goto UPLOAD_CA_ERROR;
598 }
599
600 # Check if there is no other entry with this name
601 foreach my $key (keys %cahash) {
602 if ($cahash{$key}[0] eq $cgiparams{'CA_NAME'}) {
603 $errormessage = $Lang::tr{'a ca certificate with this name already exists'};
604 goto UPLOADCA_ERROR;
605 }
606 }
607
2ad1b18b 608 unless (ref ($cgiparams{'FH'})) {
624615ee
LS		 609 $errormessage = $Lang::tr{'there was no file upload'};
610 goto UPLOADCA_ERROR;
611 }
612 # Move uploaded ca to a temporary file
613 (my $fh, my $filename) = tempfile( );
614 if (copy ($cgiparams{'FH'}, $fh) != 1) {
615 $errormessage = $!;
616 goto UPLOADCA_ERROR;
617 }
618 my $temp = `/usr/bin/openssl x509 -text -in $filename`;
619 if ($temp !~ /CA:TRUE/i) {
620 $errormessage = $Lang::tr{'not a valid ca certificate'};
621 unlink ($filename);
622 goto UPLOADCA_ERROR;
623 } else {
624 move($filename, "${General::swroot}/ca/$cgiparams{'CA_NAME'}cert.pem");
625 if ($? ne 0) {
626 $errormessage = "$Lang::tr{'certificate file move failed'}: $!";
627 unlink ($filename);
628 goto UPLOADCA_ERROR;
629 }
630 }
631
632 my $key = &General::findhasharraykey (\%cahash);
633 $cahash{$key}[0] = $cgiparams{'CA_NAME'};
634 $cahash{$key}[1] = &Header::cleanhtml(getsubjectfromcert ("${General::swroot}/ca/$cgiparams{'CA_NAME'}cert.pem"));
635 &General::writehasharray("${General::swroot}/vpn/caconfig", \%cahash);
636
637 system('/usr/local/bin/ipsecctrl', 'R');
638 sleep $sleepDelay;
639
640 UPLOADCA_ERROR:
ac1cfefa
MT		 641
642###
643### Display ca certificate
644###
645} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'show ca certificate'}) {
624615ee
LS		 646 &General::readhasharray("${General::swroot}/vpn/caconfig", \%cahash);
647
648 if ( -f "${General::swroot}/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem") {
649 &Header::showhttpheaders();
650 &Header::openpage($Lang::tr{'ipsec'}, 1, '');
651 &Header::openbigbox('100%', 'left', '', '');
652 &Header::openbox('100%', 'left', "$Lang::tr{'ca certificate'}:");
653 my $output = `/usr/bin/openssl x509 -text -in ${General::swroot}/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem`;
654 $output = &Header::cleanhtml($output,"y");
655 print "<pre>$output</pre>\n";
656 &Header::closebox();
657 print "<div align='center'><a href='/cgi-bin/vpnmain.cgi'>$Lang::tr{'back'}</a></div>";
658 &Header::closebigbox();
659 &Header::closepage();
660 exit(0);
661 } else {
662 $errormessage = $Lang::tr{'invalid key'};
663 }
ac1cfefa
MT		 664
665###
ed84e8b8 666### Export ca certificate to browser
ac1cfefa
MT		 667###
668} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'download ca certificate'}) {
624615ee
LS		 669 &General::readhasharray("${General::swroot}/vpn/caconfig", \%cahash);
670
671 if ( -f "${General::swroot}/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem" ) {
672 print "Content-Type: application/force-download\n";
673 print "Content-Type: application/octet-stream\r\n";
674 print "Content-Disposition: attachment; filename=$cahash{$cgiparams{'KEY'}}[0]cert.pem\r\n\r\n";
675 print `/usr/bin/openssl x509 -in ${General::swroot}/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem`;
676 exit(0);
677 } else {
678 $errormessage = $Lang::tr{'invalid key'};
679 }
ac1cfefa
MT		 680
681###
682### Remove ca certificate (step 2)
683###
684} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'remove ca certificate'} && $cgiparams{'AREUSURE'} eq 'yes') {
624615ee
LS		 685 &General::readhasharray("${General::swroot}/vpn/config", \%confighash);
686 &General::readhasharray("${General::swroot}/vpn/caconfig", \%cahash);
687
688 if ( -f "${General::swroot}/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem" ) {
689 foreach my $key (keys %confighash) {
690 my $test = `/usr/bin/openssl verify -CAfile ${General::swroot}/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem ${General::swroot}/certs/$confighash{$key}[1]cert.pem`;
691 if ($test =~ /: OK/) {
692 # Delete connection
624615ee
LS		 693 unlink ("${General::swroot}/certs/$confighash{$key}[1]cert.pem");
694 unlink ("${General::swroot}/certs/$confighash{$key}[1].p12");
695 delete $confighash{$key};
696 &General::writehasharray("${General::swroot}/vpn/config", \%confighash);
697 &writeipsecfiles();
b45faf9e 698 system('/usr/local/bin/ipsecctrl', 'D', $key) if (&vpnenabled);
624615ee
LS		 699 }
700 }
701 unlink ("${General::swroot}/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem");
702 delete $cahash{$cgiparams{'KEY'}};
703 &General::writehasharray("${General::swroot}/vpn/caconfig", \%cahash);
704 system('/usr/local/bin/ipsecctrl', 'R');
705 sleep $sleepDelay;
706 } else {
707 $errormessage = $Lang::tr{'invalid key'};
ac1cfefa 708 }
ac1cfefa
MT		 709###
710### Remove ca certificate (step 1)
711###
712} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'remove ca certificate'}) {
624615ee
LS		 713 &General::readhasharray("${General::swroot}/vpn/config", \%confighash);
714 &General::readhasharray("${General::swroot}/vpn/caconfig", \%cahash);
715
716 my $assignedcerts = 0;
717 if ( -f "${General::swroot}/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem" ) {
718 foreach my $key (keys %confighash) {
719 my $test = `/usr/bin/openssl verify -CAfile ${General::swroot}/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem ${General::swroot}/certs/$confighash{$key}[1]cert.pem`;
720 if ($test =~ /: OK/) {
721 $assignedcerts++;
722 }
723 }
724 if ($assignedcerts) {
725 &Header::showhttpheaders();
726 &Header::openpage($Lang::tr{'ipsec'}, 1, '');
727 &Header::openbigbox('100%', 'left', '', '');
728 &Header::openbox('100%', 'left', $Lang::tr{'are you sure'});
729 print <<END
730 <form method='post' action='$ENV{'SCRIPT_NAME'}'>
731 <table width='100%'>
732 <tr>
733 <td align='center'>
734 <input type='hidden' name='KEY' value='$cgiparams{'KEY'}' />
735 <input type='hidden' name='AREUSURE' value='yes' /></td>
736 </tr><tr>
737 <td align='center'>
738 <b><font color='${Header::colourred}'>$Lang::tr{'capswarning'}</font></b>&nbsp;$Lang::tr{'connections are associated with this ca. deleting the ca will delete these connections as well.'}</td>
739 </tr><tr>
740 <td align='center'>
741 <input type='submit' name='ACTION' value='$Lang::tr{'remove ca certificate'}' />
742 <input type='submit' name='ACTION' value='$Lang::tr{'cancel'}' /></td>
743 </tr>
744 </table>
745 </form>
ac1cfefa 746END
624615ee
LS		 747;
748 &Header::closebox();
749 &Header::closebigbox();
750 &Header::closepage();
751 exit (0);
752 } else {
753 unlink ("${General::swroot}/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem");
754 delete $cahash{$cgiparams{'KEY'}};
755 &General::writehasharray("${General::swroot}/vpn/caconfig", \%cahash);
756 system('/usr/local/bin/ipsecctrl', 'R');
757 sleep $sleepDelay;
758 }
ac1cfefa 759 } else {
624615ee 760 $errormessage = $Lang::tr{'invalid key'};
ac1cfefa 761 }
ac1cfefa
MT		 762
763###
764### Display root certificate
765###
766} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'show root certificate'} ||
767 $cgiparams{'ACTION'} eq $Lang::tr{'show host certificate'}) {
624615ee
LS		 768 my $output;
769 &Header::showhttpheaders();
770 &Header::openpage($Lang::tr{'ipsec'}, 1, '');
771 &Header::openbigbox('100%', 'left', '', '');
772 if ($cgiparams{'ACTION'} eq $Lang::tr{'show root certificate'}) {
773 &Header::openbox('100%', 'left', "$Lang::tr{'root certificate'}:");
774 $output = `/usr/bin/openssl x509 -text -in ${General::swroot}/ca/cacert.pem`;
775 } else {
776 &Header::openbox('100%', 'left', "$Lang::tr{'host certificate'}:");
777 $output = `/usr/bin/openssl x509 -text -in ${General::swroot}/certs/hostcert.pem`;
778 }
779 $output = &Header::cleanhtml($output,"y");
780 print "<pre>$output</pre>\n";
781 &Header::closebox();
782 print "<div align='center'><a href='/cgi-bin/vpnmain.cgi'>$Lang::tr{'back'}</a></div>";
783 &Header::closebigbox();
784 &Header::closepage();
785 exit(0);
ac1cfefa
MT		 786
787###
ed84e8b8 788### Export root certificate to browser
ac1cfefa
MT		 789###
790} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'download root certificate'}) {
624615ee
LS		 791 if ( -f "${General::swroot}/ca/cacert.pem" ) {
792 print "Content-Type: application/force-download\n";
793 print "Content-Disposition: attachment; filename=cacert.pem\r\n\r\n";
794 print `/usr/bin/openssl x509 -in ${General::swroot}/ca/cacert.pem`;
795 exit(0);
796 }
ac1cfefa 797###
ed84e8b8 798### Export host certificate to browser
ac1cfefa
MT		 799###
800} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'download host certificate'}) {
624615ee
LS		 801 if ( -f "${General::swroot}/certs/hostcert.pem" ) {
802 print "Content-Type: application/force-download\n";
803 print "Content-Disposition: attachment; filename=hostcert.pem\r\n\r\n";
804 print `/usr/bin/openssl x509 -in ${General::swroot}/certs/hostcert.pem`;
805 exit(0);
806 }
ac1cfefa 807###
ed84e8b8 808### Form for generating/importing the caroot+host certificate
ac1cfefa
MT		 809###
810} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'generate root/host certificates'} ||
624615ee
LS		 811 $cgiparams{'ACTION'} eq $Lang::tr{'upload p12 file'}) {
812
813 if (-f "${General::swroot}/ca/cacert.pem") {
814 $errormessage = $Lang::tr{'valid root certificate already exists'};
815 goto ROOTCERT_SKIP;
816 }
817
818 &General::readhash("${General::swroot}/vpn/settings", \%vpnsettings);
819 # fill in initial values
820 if ($cgiparams{'ROOTCERT_HOSTNAME'} eq '') {
821 if (-e "${General::swroot}/red/active" && open(IPADDR, "${General::swroot}/red/local-ipaddress")) {
822 my $ipaddr = <IPADDR>;
823 close IPADDR;
824 chomp ($ipaddr);
825 $cgiparams{'ROOTCERT_HOSTNAME'} = (gethostbyaddr(pack("C4", split(/\./, $ipaddr)), 2))[0];
993724b4 826 $cgiparams{'SUBJECTALTNAME'} = "DNS:" . $cgiparams{'ROOTCERT_HOSTNAME'};
624615ee
LS		 827 if ($cgiparams{'ROOTCERT_HOSTNAME'} eq '') {
828 $cgiparams{'ROOTCERT_HOSTNAME'} = $ipaddr;
993724b4 829 $cgiparams{'SUBJECTALTNAME'} = "IP:" . $cgiparams{'ROOTCERT_HOSTNAME'};
624615ee
LS		 830 }
831 }
832 $cgiparams{'ROOTCERT_COUNTRY'} = $vpnsettings{'ROOTCERT_COUNTRY'} if (!$cgiparams{'ROOTCERT_COUNTRY'});
833 } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'upload p12 file'}) {
834 &General::log("ipsec", "Importing from p12...");
ac1cfefa 835
2ad1b18b 836 unless (ref ($cgiparams{'FH'})) {
624615ee
LS		 837 $errormessage = $Lang::tr{'there was no file upload'};
838 goto ROOTCERT_ERROR;
839 }
ac1cfefa 840
624615ee
LS		 841 # Move uploaded certificate request to a temporary file
842 (my $fh, my $filename) = tempfile( );
843 if (copy ($cgiparams{'FH'}, $fh) != 1) {
844 $errormessage = $!;
845 goto ROOTCERT_ERROR;
846 }
ac1cfefa 847
624615ee
LS		 848 # Extract the CA certificate from the file
849 &General::log("ipsec", "Extracting caroot from p12...");
850 if (open(STDIN, "-|")) {
851 my $opt = " pkcs12 -cacerts -nokeys";
852 $opt .= " -in $filename";
853 $opt .= " -out /tmp/newcacert";
854 $errormessage = &callssl ($opt);
855 } else { #child
856 print "$cgiparams{'P12_PASS'}\n";
857 exit (0);
858 }
ac1cfefa 859
624615ee
LS		 860 # Extract the Host certificate from the file
861 if (!$errormessage) {
862 &General::log("ipsec", "Extracting host cert from p12...");
863 if (open(STDIN, "-|")) {
864 my $opt = " pkcs12 -clcerts -nokeys";
865 $opt .= " -in $filename";
866 $opt .= " -out /tmp/newhostcert";
867 $errormessage = &callssl ($opt);
868 } else { #child
869 print "$cgiparams{'P12_PASS'}\n";
870 exit (0);
871 }
872 }
ed84e8b8 873
624615ee
LS		 874 # Extract the Host key from the file
875 if (!$errormessage) {
876 &General::log("ipsec", "Extracting private key from p12...");
877 if (open(STDIN, "-|")) {
878 my $opt = " pkcs12 -nocerts -nodes";
879 $opt .= " -in $filename";
880 $opt .= " -out /tmp/newhostkey";
881 $errormessage = &callssl ($opt);
882 } else { #child
883 print "$cgiparams{'P12_PASS'}\n";
884 exit (0);
885 }
886 }
ac1cfefa 887
624615ee
LS		 888 if (!$errormessage) {
889 &General::log("ipsec", "Moving cacert...");
890 move("/tmp/newcacert", "${General::swroot}/ca/cacert.pem");
891 $errormessage = "$Lang::tr{'certificate file move failed'}: $!" if ($? ne 0);
892 }
ed84e8b8 893
624615ee
LS		 894 if (!$errormessage) {
895 &General::log("ipsec", "Moving host cert...");
896 move("/tmp/newhostcert", "${General::swroot}/certs/hostcert.pem");
897 $errormessage = "$Lang::tr{'certificate file move failed'}: $!" if ($? ne 0);
898 }
ed84e8b8 899
624615ee
LS		 900 if (!$errormessage) {
901 &General::log("ipsec", "Moving private key...");
902 move("/tmp/newhostkey", "${General::swroot}/certs/hostkey.pem");
903 $errormessage = "$Lang::tr{'certificate file move failed'}: $!" if ($? ne 0);
904 }
905
906 #cleanup temp files
907 unlink ($filename);
908 unlink ('/tmp/newcacert');
909 unlink ('/tmp/newhostcert');
910 unlink ('/tmp/newhostkey');
911 if ($errormessage) {
912 unlink ("${General::swroot}/ca/cacert.pem");
913 unlink ("${General::swroot}/certs/hostcert.pem");
914 unlink ("${General::swroot}/certs/hostkey.pem");
915 goto ROOTCERT_ERROR;
916 }
917
918 # Create empty CRL cannot be done because we don't have
919 # the private key for this CAROOT
920 # IPFire can only import certificates
921
922 &General::log("ipsec", "p12 import completed!");
923 &cleanssldatabase();
924 goto ROOTCERT_SUCCESS;
925
926 } elsif ($cgiparams{'ROOTCERT_COUNTRY'} ne '') {
927
928 # Validate input since the form was submitted
929 if ($cgiparams{'ROOTCERT_ORGANIZATION'} eq ''){
930 $errormessage = $Lang::tr{'organization cant be empty'};
931 goto ROOTCERT_ERROR;
932 }
933 if (length($cgiparams{'ROOTCERT_ORGANIZATION'}) >60) {
934 $errormessage = $Lang::tr{'organization too long'};
935 goto ROOTCERT_ERROR;
936 }
937 if ($cgiparams{'ROOTCERT_ORGANIZATION'} !~ /^[a-zA-Z0-9 ,\.\-_]*$/) {
938 $errormessage = $Lang::tr{'invalid input for organization'};
939 goto ROOTCERT_ERROR;
940 }
941 if ($cgiparams{'ROOTCERT_HOSTNAME'} eq ''){
942 $errormessage = $Lang::tr{'hostname cant be empty'};
943 goto ROOTCERT_ERROR;
944 }
945 unless (&General::validfqdn($cgiparams{'ROOTCERT_HOSTNAME'}) || &General::validip($cgiparams{'ROOTCERT_HOSTNAME'})) {
946 $errormessage = $Lang::tr{'invalid input for hostname'};
947 goto ROOTCERT_ERROR;
948 }
949 if ($cgiparams{'ROOTCERT_EMAIL'} ne '' && (! &General::validemail($cgiparams{'ROOTCERT_EMAIL'}))) {
950 $errormessage = $Lang::tr{'invalid input for e-mail address'};
951 goto ROOTCERT_ERROR;
952 }
953 if (length($cgiparams{'ROOTCERT_EMAIL'}) > 40) {
954 $errormessage = $Lang::tr{'e-mail address too long'};
955 goto ROOTCERT_ERROR;
956 }
957 if ($cgiparams{'ROOTCERT_OU'} ne '' && $cgiparams{'ROOTCERT_OU'} !~ /^[a-zA-Z0-9 ,\.\-_]*$/) {
958 $errormessage = $Lang::tr{'invalid input for department'};
959 goto ROOTCERT_ERROR;
960 }
961 if ($cgiparams{'ROOTCERT_CITY'} ne '' && $cgiparams{'ROOTCERT_CITY'} !~ /^[a-zA-Z0-9 ,\.\-_]*$/) {
962 $errormessage = $Lang::tr{'invalid input for city'};
963 goto ROOTCERT_ERROR;
964 }
965 if ($cgiparams{'ROOTCERT_STATE'} ne '' && $cgiparams{'ROOTCERT_STATE'} !~ /^[a-zA-Z0-9 ,\.\-_]*$/) {
966 $errormessage = $Lang::tr{'invalid input for state or province'};
967 goto ROOTCERT_ERROR;
968 }
969 if ($cgiparams{'ROOTCERT_COUNTRY'} !~ /^[A-Z]*$/) {
970 $errormessage = $Lang::tr{'invalid input for country'};
971 goto ROOTCERT_ERROR;
972 }
973 #the exact syntax is a list comma separated of
974 # email:any-validemail
975 # URI: a uniform resource indicator
976 # DNS: a DNS domain name
977 # RID: a registered OBJECT IDENTIFIER
978 # IP: an IP address
979 # example: email:franck@foo.com,IP:10.0.0.10,DNS:franck.foo.com
980
993724b4
PM		 981 if ($cgiparams{'SUBJECTALTNAME'} eq '') {
982 $errormessage = $Lang::tr{'vpn subjectaltname missing'};
983 goto ROOTCERT_ERROR;
984 }
985
624615ee
LS		 986 if ($cgiparams{'SUBJECTALTNAME'} ne '' && $cgiparams{'SUBJECTALTNAME'} !~ /^(email|URI|DNS|RID|IP):[a-zA-Z0-9 :\/,\.\-_@]*$/) {
987 $errormessage = $Lang::tr{'vpn altname syntax'};
988 goto VPNCONF_ERROR;
989 }
990
991 # Copy the cgisettings to vpnsettings and save the configfile
992 $vpnsettings{'ROOTCERT_ORGANIZATION'} = $cgiparams{'ROOTCERT_ORGANIZATION'};
993 $vpnsettings{'ROOTCERT_HOSTNAME'} = $cgiparams{'ROOTCERT_HOSTNAME'};
994 $vpnsettings{'ROOTCERT_EMAIL'} = $cgiparams{'ROOTCERT_EMAIL'};
995 $vpnsettings{'ROOTCERT_OU'} = $cgiparams{'ROOTCERT_OU'};
996 $vpnsettings{'ROOTCERT_CITY'} = $cgiparams{'ROOTCERT_CITY'};
997 $vpnsettings{'ROOTCERT_STATE'} = $cgiparams{'ROOTCERT_STATE'};
998 $vpnsettings{'ROOTCERT_COUNTRY'} = $cgiparams{'ROOTCERT_COUNTRY'};
999 &General::writehash("${General::swroot}/vpn/settings", \%vpnsettings);
1000
1001 # Replace empty strings with a .
1002 (my $ou = $cgiparams{'ROOTCERT_OU'}) =~ s/^\s*$/\./;
1003 (my $city = $cgiparams{'ROOTCERT_CITY'}) =~ s/^\s*$/\./;
1004 (my $state = $cgiparams{'ROOTCERT_STATE'}) =~ s/^\s*$/\./;
1005
1006 # Create the CA certificate
1007 if (!$errormessage) {
1008 &General::log("ipsec", "Creating cacert...");
1009 if (open(STDIN, "-|")) {
1010 my $opt = " req -x509 -sha256 -nodes";
926e5519 1011 $opt .= " -days 3650";
624615ee
LS		 1012 $opt .= " -newkey rsa:4096";
1013 $opt .= " -keyout ${General::swroot}/private/cakey.pem";
1014 $opt .= " -out ${General::swroot}/ca/cacert.pem";
1015
1016 $errormessage = &callssl ($opt);
1017 } else { #child
1018 print "$cgiparams{'ROOTCERT_COUNTRY'}\n";
1019 print "$state\n";
1020 print "$city\n";
1021 print "$cgiparams{'ROOTCERT_ORGANIZATION'}\n";
1022 print "$ou\n";
1023 print "$cgiparams{'ROOTCERT_ORGANIZATION'} CA\n";
1024 print "$cgiparams{'ROOTCERT_EMAIL'}\n";
1025 exit (0);
1026 }
1027 }
1028
1029 # Create the Host certificate request
1030 if (!$errormessage) {
1031 &General::log("ipsec", "Creating host cert...");
1032 if (open(STDIN, "-|")) {
1033 my $opt = " req -sha256 -nodes";
1034 $opt .= " -newkey rsa:2048";
1035 $opt .= " -keyout ${General::swroot}/certs/hostkey.pem";
1036 $opt .= " -out ${General::swroot}/certs/hostreq.pem";
1037 $errormessage = &callssl ($opt);
1038 } else { #child
1039 print "$cgiparams{'ROOTCERT_COUNTRY'}\n";
1040 print "$state\n";
1041 print "$city\n";
1042 print "$cgiparams{'ROOTCERT_ORGANIZATION'}\n";
1043 print "$ou\n";
1044 print "$cgiparams{'ROOTCERT_HOSTNAME'}\n";
1045 print "$cgiparams{'ROOTCERT_EMAIL'}\n";
1046 print ".\n";
1047 print ".\n";
1048 exit (0);
1049 }
1050 }
1051
1052 # Sign the host certificate request
1053 if (!$errormessage) {
1054 &General::log("ipsec", "Self signing host cert...");
1055
1056 #No easy way for specifying the contain of subjectAltName without writing a config file...
1057 my ($fh, $v3extname) = tempfile ('/tmp/XXXXXXXX');
1058 print $fh <<END
1059 basicConstraints=CA:FALSE
1060 nsComment="OpenSSL Generated Certificate"
1061 subjectKeyIdentifier=hash
1062 authorityKeyIdentifier=keyid,issuer:always
1063 extendedKeyUsage = serverAuth
ed84e8b8
MT		 1064END
1065;
624615ee
LS		 1066 print $fh "subjectAltName=$cgiparams{'SUBJECTALTNAME'}" if ($cgiparams{'SUBJECTALTNAME'});
1067 close ($fh);
1068
926e5519 1069 my $opt = " ca -md sha256 -days 825";
624615ee
LS		 1070 $opt .= " -batch -notext";
1071 $opt .= " -in ${General::swroot}/certs/hostreq.pem";
1072 $opt .= " -out ${General::swroot}/certs/hostcert.pem";
1073 $opt .= " -extfile $v3extname";
1074 $errormessage = &callssl ($opt);
1075 unlink ("${General::swroot}/certs/hostreq.pem"); #no more needed
1076 unlink ($v3extname);
1077 }
1078
1079 # Create an empty CRL
1080 if (!$errormessage) {
1081 &General::log("ipsec", "Creating emptycrl...");
1082 my $opt = " ca -gencrl";
1083 $opt .= " -out ${General::swroot}/crls/cacrl.pem";
1084 $errormessage = &callssl ($opt);
1085 }
1086
1087 # Successfully build CA / CERT!
1088 if (!$errormessage) {
1089 &cleanssldatabase();
1090 goto ROOTCERT_SUCCESS;
1091 }
1092
1093 #Cleanup
1094 unlink ("${General::swroot}/ca/cacert.pem");
1095 unlink ("${General::swroot}/certs/hostkey.pem");
1096 unlink ("${General::swroot}/certs/hostcert.pem");
1097 unlink ("${General::swroot}/crls/cacrl.pem");
1098 &cleanssldatabase();
1099 }
1100
1101 ROOTCERT_ERROR:
1102 &Header::showhttpheaders();
1103 &Header::openpage($Lang::tr{'ipsec'}, 1, '');
1104 &Header::openbigbox('100%', 'left', '', $errormessage);
1105 if ($errormessage) {
1106 &Header::openbox('100%', 'left', $Lang::tr{'error messages'});
1107 print "<class name='base'>$errormessage";
1108 print "&nbsp;</class>";
1109 &Header::closebox();
1110 }
1111 &Header::openbox('100%', 'left', "$Lang::tr{'generate root/host certificates'}:");
1112 print <<END
1113 <form method='post' enctype='multipart/form-data' action='$ENV{'SCRIPT_NAME'}'>
1114 <table width='100%' border='0' cellspacing='1' cellpadding='0'>
1115 <tr><td width='40%' class='base'>$Lang::tr{'organization name'}:&nbsp;<img src='/blob.gif' alt='*' /></td>
1116 <td width='60%' class='base' nowrap='nowrap'><input type='text' name='ROOTCERT_ORGANIZATION' value='$cgiparams{'ROOTCERT_ORGANIZATION'}' size='32' /></td></tr>
1117 <tr><td class='base'>$Lang::tr{'ipfires hostname'}:&nbsp;<img src='/blob.gif' alt='*' /></td>
1118 <td class='base' nowrap='nowrap'><input type='text' name='ROOTCERT_HOSTNAME' value='$cgiparams{'ROOTCERT_HOSTNAME'}' size='32' /></td></tr>
1119 <tr><td class='base'>$Lang::tr{'your e-mail'}:</td>
1120 <td class='base' nowrap='nowrap'><input type='text' name='ROOTCERT_EMAIL' value='$cgiparams{'ROOTCERT_EMAIL'}' size='32' /></td></tr>
1121 <tr><td class='base'>$Lang::tr{'your department'}:</td>
1122 <td class='base' nowrap='nowrap'><input type='text' name='ROOTCERT_OU' value='$cgiparams{'ROOTCERT_OU'}' size='32' /></td></tr>
1123 <tr><td class='base'>$Lang::tr{'city'}:</td>
1124 <td class='base' nowrap='nowrap'><input type='text' name='ROOTCERT_CITY' value='$cgiparams{'ROOTCERT_CITY'}' size='32' /></td></tr>
1125 <tr><td class='base'>$Lang::tr{'state or province'}:</td>
1126 <td class='base' nowrap='nowrap'><input type='text' name='ROOTCERT_STATE' value='$cgiparams{'ROOTCERT_STATE'}' size='32' /></td></tr>
1127 <tr><td class='base'>$Lang::tr{'country'}:</td>
1128 <td class='base'><select name='ROOTCERT_COUNTRY'>
ac1cfefa 1129END
624615ee
LS		 1130;
1131 foreach my $country (sort keys %{Countries::countries}) {
1132 print "<option value='$Countries::countries{$country}'";
1133 if ( $Countries::countries{$country} eq $cgiparams{'ROOTCERT_COUNTRY'} ) {
1134 print " selected='selected'";
1135 }
1136 print ">$country</option>";
1137 }
1138 print <<END
1139 </select></td></tr>
993724b4 1140 <tr><td class='base'>$Lang::tr{'vpn subjectaltname'} (subjectAltName=email:*,URI:*,DNS:*,RID:*)&nbsp;<img src='/blob.gif' alt='*' /></td>
ed84e8b8 1141 <td class='base' nowrap='nowrap'><input type='text' name='SUBJECTALTNAME' value='$cgiparams{'SUBJECTALTNAME'}' size='32' /></td></tr>
624615ee
LS		 1142 <tr><td>&nbsp;</td>
1143 <td><br /><input type='submit' name='ACTION' value='$Lang::tr{'generate root/host certificates'}' /><br /><br /></td></tr>
1144 <tr><td class='base' colspan='2' align='left'>
1145 <b><font color='${Header::colourred}'>$Lang::tr{'capswarning'}</font></b>:
1146 $Lang::tr{'generating the root and host certificates may take a long time. it can take up to several minutes on older hardware. please be patient'}
1147 </td></tr>
1148 <tr><td colspan='2'><hr></td></tr>
1149 <tr><td class='base' nowrap='nowrap'>$Lang::tr{'upload p12 file'}:</td>
1150 <td nowrap='nowrap'><input type='file' name='FH' size='32' /></td></tr>
1151 <tr><td class='base'>$Lang::tr{'pkcs12 file password'}:</td>
1152 <td class='base' nowrap='nowrap'><input type='password' name='P12_PASS' value='$cgiparams{'P12_PASS'}' size='32' /></td></tr>
1153 <tr><td>&nbsp;</td>
1154 <td><input type='submit' name='ACTION' value='$Lang::tr{'upload p12 file'}' /></td></tr>
1155 <tr><td class='base' colspan='2' align='left'>
1156 <img src='/blob.gif' alt='*' />&nbsp;$Lang::tr{'required field'}</td></tr>
1157 </table></form>
ed84e8b8 1158END
624615ee
LS		 1159;
1160 &Header::closebox();
1161 &Header::closebigbox();
1162 &Header::closepage();
1163 exit(0);
1164
1165 ROOTCERT_SUCCESS:
1166 if (&vpnenabled) {
1167 system('/usr/local/bin/ipsecctrl', 'S');
1168 sleep $sleepDelay;
1169 }
1170 ROOTCERT_SKIP:
ac1cfefa 1171###
ed84e8b8 1172### Export PKCS12 file to browser
ac1cfefa
MT		 1173###
1174} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'download pkcs12 file'}) {
624615ee
LS		 1175 &General::readhasharray("${General::swroot}/vpn/config", \%confighash);
1176 print "Content-Type: application/force-download\n";
1177 print "Content-Disposition: attachment; filename=" . $confighash{$cgiparams{'KEY'}}[1] . ".p12\r\n";
1178 print "Content-Type: application/octet-stream\r\n\r\n";
1179 print `/bin/cat ${General::swroot}/certs/$confighash{$cgiparams{'KEY'}}[1].p12`;
1180 exit (0);
ac1cfefa 1181
26a0befd
MT		 1182# Export Apple profile to browser
1183} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'download apple profile'}) {
1184 &General::readhasharray("${General::swroot}/vpn/config", \%confighash);
1185 my $key = $cgiparams{'KEY'};
1186
1187 my $uuid1 = "AAAABBBB";
1188 my $uuid2 = "CCCCDDDD";
1189
1190 my $cert = "";
1191 my $cert_uuid = "123456789";
1192
1193 # Read and encode certificate
1194 if ($confighash{$key}[4] eq "cert") {
1195 my $cert_path = "${General::swroot}/certs/$confighash{$key}[1].p12";
1196
1197 # Read certificate and encode it into Base64
1198 open(CERT, "<${cert_path}");
1199 local($/) = undef; # slurp
1200 $cert = MIME::Base64::encode_base64(<CERT>);
1201 close(CERT);
1202 }
1203
1204 print "Content-Type: application/octet-stream\n";
1205 print "Content-Disposition: attachment; filename=" . $confighash{$key}[1] . ".mobileconfig\n";
1206 print "\n"; # end headers
1207
1208 print "<!DOCTYPE plist PUBLIC \"-//Apple//DTD PLIST 1.0//EN\" \"http://www.apple.com/DTDs/PropertyList-1.0.dtd\">\n";
1209 print "<plist version=\"1.0\">\n";
1210 print " <dict>\n";
1211 print " <key>PayloadDisplayName</key>\n";
1212 print " <string>$confighash{$key}[1]</string>\n";
1213 print " <key>PayloadIdentifier</key>\n";
1214 print " <string>$confighash{$key}[1]</string>\n";
1215 print " <key>PayloadUUID</key>\n";
1216 print " <string>${uuid1}</string>\n";
1217 print " <key>PayloadType</key>\n";
1218 print " <string>Configuration</string>\n";
1219 print " <key>PayloadVersion</key>\n";
1220 print " <integer>1</integer>\n";
1221 print " <key>PayloadContent</key>\n";
1222 print " <array>\n";
1223 print " <dict>\n";
1224 print " <key>PayloadIdentifier</key>\n";
1225 print " <string>org.example.vpn1.conf1</string>\n";
1226 print " <key>PayloadUUID</key>\n";
1227 print " <string>${uuid2}</string>\n";
1228 print " <key>PayloadType</key>\n";
1229 print " <string>com.apple.vpn.managed</string>\n";
1230 print " <key>PayloadVersion</key>\n";
1231 print " <integer>1</integer>\n";
1232 print " <key>UserDefinedName</key>\n";
1233 print " <string>$confighash{$key}[1]</string>\n";
1234 print " <key>VPNType</key>\n";
1235 print " <string>IKEv2</string>\n";
1236 print " <key>IKEv2</key>\n";
1237 print " <dict>\n";
1238 print " <key>RemoteAddress</key>\n";
1239 print " <string>18.206.152.26</string>\n";
1240
1241 # Left ID
1242 if ($confighash{$key}[9]) {
1243 print " <key>LocalIdentifier</key>\n";
1244 print " <string>$confighash{$key}[9]</string>\n";
1245 }
1246
1247 # Right ID
1248 if ($confighash{$key}[7]) {
1249 print " <key>RemoteIdentifier</key>\n";
1250 print " <string>$confighash{$key}[7]</string>\n";
1251 }
1252
1253 if ($confighash{$key}[4] eq "cert") {
1254 print " <key>AuthenticationMethod</key>\n";
1255 print " <string>Certificate</string>\n";
1256
1257 print " <key>PayloadCertificateUUID</key>\n";
1258 print " <string>${cert_uuid}</string>\n";
1259 } else {
1260 print " <key>AuthenticationMethod</key>\n";
1261 print " <string>SharedSecret</string>\n";
1262 print " <key>SharedSecret</key>\n";
1263 print " <string>$confighash{$key}[5]</string>\n";
1264 }
1265
1266 print " <key>ExtendedAuthEnabled</key>\n";
1267 print " <integer>0</integer>\n";
1268 print " </dict>\n";
1269 print " </dict>\n";
1270
1271 if ($confighash{$key}[4] eq "cert") {
1272 print " <dict>\n";
1273 print " <key>PayloadIdentifier</key>\n";
1274 print " <string>org.example.vpn1.client</string>\n";
1275 print " <key>PayloadUUID</key>\n";
1276 print " <string>${cert_uuid}</string>\n";
1277 print " <key>PayloadType</key>\n";
1278 print " <string>com.apple.security.pkcs12</string>\n";
1279 print " <key>PayloadVersion</key>\n";
1280 print " <integer>1</integer>\n";
1281 print " <key>PayloadContent</key>\n";
1282 print " <data>\n";
1283
1284 foreach (split /\n/,${cert}) {
1285 print " $_\n";
1286 }
1287
1288 print " </data>\n";
1289 print " </dict>\n";
1290 }
1291
1292 print " </array>\n";
1293 print " </dict>\n";
1294 print "</plist>\n";
1295
1296 # Done
1297 exit(0);
ac1cfefa
MT		 1298###
1299### Display certificate
1300###
1301} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'show certificate'}) {
624615ee
LS		 1302 &General::readhasharray("${General::swroot}/vpn/config", \%confighash);
1303
1304 if ( -f "${General::swroot}/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem") {
1305 &Header::showhttpheaders();
1306 &Header::openpage($Lang::tr{'ipsec'}, 1, '');
1307 &Header::openbigbox('100%', 'left', '', '');
1308 &Header::openbox('100%', 'left', "$Lang::tr{'cert'}:");
1309 my $output = `/usr/bin/openssl x509 -text -in ${General::swroot}/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem`;
1310 $output = &Header::cleanhtml($output,"y");
1311 print "<pre>$output</pre>\n";
1312 &Header::closebox();
1313 print "<div align='center'><a href='/cgi-bin/vpnmain.cgi'>$Lang::tr{'back'}</a></div>";
1314 &Header::closebigbox();
1315 &Header::closepage();
1316 exit(0);
1317 }
ac1cfefa
MT		 1318
1319###
ed84e8b8 1320### Export Certificate to browser
ac1cfefa
MT		 1321###
1322} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'download certificate'}) {
624615ee 1323 &General::readhasharray("${General::swroot}/vpn/config", \%confighash);
ac1cfefa 1324
624615ee
LS		 1325 if ( -f "${General::swroot}/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem") {
1326 print "Content-Type: application/force-download\n";
1327 print "Content-Disposition: attachment; filename=" . $confighash{$cgiparams{'KEY'}}[1] . "cert.pem\n\n";
1328 print `/bin/cat ${General::swroot}/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem`;
1329 exit (0);
1330 }
ac1cfefa
MT		 1331
1332###
1333### Enable/Disable connection
1334###
1335} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'toggle enable disable'}) {
624615ee
LS		 1336
1337 &General::readhash("${General::swroot}/vpn/settings", \%vpnsettings);
1338 &General::readhasharray("${General::swroot}/vpn/config", \%confighash);
1339
1340 if ($confighash{$cgiparams{'KEY'}}) {
1341 if ($confighash{$cgiparams{'KEY'}}[0] eq 'off') {
1342 $confighash{$cgiparams{'KEY'}}[0] = 'on';
1343 &General::writehasharray("${General::swroot}/vpn/config", \%confighash);
1344 &writeipsecfiles();
1345 system('/usr/local/bin/ipsecctrl', 'S', $cgiparams{'KEY'}) if (&vpnenabled);
1346 } else {
624615ee
LS		 1347 $confighash{$cgiparams{'KEY'}}[0] = 'off';
1348 &General::writehasharray("${General::swroot}/vpn/config", \%confighash);
1349 &writeipsecfiles();
b45faf9e 1350 system('/usr/local/bin/ipsecctrl', 'D', $cgiparams{'KEY'}) if (&vpnenabled);
624615ee
LS		 1351 }
1352 sleep $sleepDelay;
ac1cfefa 1353 } else {
624615ee 1354 $errormessage = $Lang::tr{'invalid key'};
ac1cfefa 1355 }
ac1cfefa
MT		 1356
1357###
1358### Restart connection
1359###
1360} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'restart'}) {
624615ee
LS		 1361 &General::readhash("${General::swroot}/vpn/settings", \%vpnsettings);
1362 &General::readhasharray("${General::swroot}/vpn/config", \%confighash);
ac1cfefa 1363
624615ee
LS		 1364 if ($confighash{$cgiparams{'KEY'}}) {
1365 if (&vpnenabled) {
1366 system('/usr/local/bin/ipsecctrl', 'S', $cgiparams{'KEY'});
1367 sleep $sleepDelay;
1368 }
1369 } else {
1370 $errormessage = $Lang::tr{'invalid key'};
ac1cfefa 1371 }
ac1cfefa
MT		 1372
1373###
1374### Remove connection
1375###
1376} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'remove'}) {
624615ee
LS		 1377 &General::readhash("${General::swroot}/vpn/settings", \%vpnsettings);
1378 &General::readhasharray("${General::swroot}/vpn/config", \%confighash);
1379
1380 if ($confighash{$cgiparams{'KEY'}}) {
624615ee
LS		 1381 unlink ("${General::swroot}/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem");
1382 unlink ("${General::swroot}/certs/$confighash{$cgiparams{'KEY'}}[1].p12");
1383 delete $confighash{$cgiparams{'KEY'}};
1384 &General::writehasharray("${General::swroot}/vpn/config", \%confighash);
1385 &writeipsecfiles();
b45faf9e 1386 system('/usr/local/bin/ipsecctrl', 'D', $cgiparams{'KEY'}) if (&vpnenabled);
624615ee
LS		 1387 } else {
1388 $errormessage = $Lang::tr{'invalid key'};
1389 }
c6df357f 1390 &General::firewall_reload();
ac1cfefa
MT		 1391###
1392### Choose between adding a host-net or net-net connection
1393###
1394} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'add'} && $cgiparams{'TYPE'} eq '') {
ac1cfefa 1395 &Header::showhttpheaders();
7d44bfee 1396 &Header::openpage($Lang::tr{'ipsec'}, 1, '');
ed84e8b8
MT		 1397 &Header::openbigbox('100%', 'left', '', '');
1398 &Header::openbox('100%', 'left', $Lang::tr{'connection type'});
ac1cfefa 1399 print <<END
624615ee
LS		 1400 <form method='post' action='$ENV{'SCRIPT_NAME'}'>
1401 <b>$Lang::tr{'connection type'}:</b><br />
1402 <table>
1403 <tr><td><input type='radio' name='TYPE' value='host' checked='checked' /></td>
ed84e8b8 1404 <td class='base'>$Lang::tr{'host to net vpn'}</td>
624615ee 1405 </tr><tr>
ed84e8b8
MT		 1406 <td><input type='radio' name='TYPE' value='net' /></td>
1407 <td class='base'>$Lang::tr{'net to net vpn'}</td>
624615ee 1408 </tr><tr>
ed84e8b8 1409 <td align='center' colspan='2'><input type='submit' name='ACTION' value='$Lang::tr{'add'}' /></td>
624615ee
LS		 1410 </tr>
1411 </table></form>
ac1cfefa 1412END
624615ee 1413;
ac1cfefa
MT		 1414 &Header::closebox();
1415 &Header::closebigbox();
1416 &Header::closepage();
1417 exit (0);
1418###
ed1d0fbd 1419### Adding/Editing/Saving a connection
ac1cfefa
MT		 1420###
1421} elsif (($cgiparams{'ACTION'} eq $Lang::tr{'add'}) ||
624615ee
LS		 1422 ($cgiparams{'ACTION'} eq $Lang::tr{'edit'}) ||
1423 ($cgiparams{'ACTION'} eq $Lang::tr{'save'} && $cgiparams{'ADVANCED'} eq '')) {
ac1cfefa 1424
624615ee
LS		 1425 &General::readhash("${General::swroot}/vpn/settings", \%vpnsettings);
1426 &General::readhasharray("${General::swroot}/vpn/caconfig", \%cahash);
1427 &General::readhasharray("${General::swroot}/vpn/config", \%confighash);
cbb3a8f9 1428
624615ee
LS		 1429 if ($cgiparams{'ACTION'} eq $Lang::tr{'edit'}) {
1430 if (! $confighash{$cgiparams{'KEY'}}[0]) {
1431 $errormessage = $Lang::tr{'invalid key'};
1432 goto VPNCONF_END;
1433 }
1434 $cgiparams{'ENABLED'} = $confighash{$cgiparams{'KEY'}}[0];
1435 $cgiparams{'NAME'} = $confighash{$cgiparams{'KEY'}}[1];
1436 $cgiparams{'TYPE'} = $confighash{$cgiparams{'KEY'}}[3];
1437 $cgiparams{'AUTH'} = $confighash{$cgiparams{'KEY'}}[4];
1438 $cgiparams{'PSK'} = $confighash{$cgiparams{'KEY'}}[5];
ae0d0698 1439 $cgiparams{'LOCAL'} = $confighash{$cgiparams{'KEY'}}[6];
624615ee 1440 $cgiparams{'LOCAL_ID'} = $confighash{$cgiparams{'KEY'}}[7];
b1881251
MT		 1441 my @local_subnets = split(",", $confighash{$cgiparams{'KEY'}}[8]);
1442 $cgiparams{'LOCAL_SUBNET'} = join(/\|/, @local_subnets);
624615ee
LS		 1443 $cgiparams{'REMOTE_ID'} = $confighash{$cgiparams{'KEY'}}[9];
1444 $cgiparams{'REMOTE'} = $confighash{$cgiparams{'KEY'}}[10];
b1881251
MT		 1445 my @remote_subnets = split(",", $confighash{$cgiparams{'KEY'}}[11]);
1446 $cgiparams{'REMOTE_SUBNET'} = join(/\|/, @remote_subnets);
624615ee
LS		 1447 $cgiparams{'REMARK'} = $confighash{$cgiparams{'KEY'}}[25];
1448 $cgiparams{'DPD_ACTION'} = $confighash{$cgiparams{'KEY'}}[27];
1449 $cgiparams{'IKE_VERSION'} = $confighash{$cgiparams{'KEY'}}[29];
1450 $cgiparams{'IKE_ENCRYPTION'} = $confighash{$cgiparams{'KEY'}}[18];
1451 $cgiparams{'IKE_INTEGRITY'} = $confighash{$cgiparams{'KEY'}}[19];
1452 $cgiparams{'IKE_GROUPTYPE'} = $confighash{$cgiparams{'KEY'}}[20];
1453 $cgiparams{'IKE_LIFETIME'} = $confighash{$cgiparams{'KEY'}}[16];
1454 $cgiparams{'ESP_ENCRYPTION'} = $confighash{$cgiparams{'KEY'}}[21];
1455 $cgiparams{'ESP_INTEGRITY'} = $confighash{$cgiparams{'KEY'}}[22];
1456 $cgiparams{'ESP_GROUPTYPE'} = $confighash{$cgiparams{'KEY'}}[23];
1457 if ($cgiparams{'ESP_GROUPTYPE'} eq "") {
1458 $cgiparams{'ESP_GROUPTYPE'} = $cgiparams{'IKE_GROUPTYPE'};
1459 }
1460 $cgiparams{'ESP_KEYLIFE'} = $confighash{$cgiparams{'KEY'}}[17];
1461 $cgiparams{'COMPRESSION'} = $confighash{$cgiparams{'KEY'}}[13];
1462 $cgiparams{'ONLY_PROPOSED'} = $confighash{$cgiparams{'KEY'}}[24];
1463 $cgiparams{'PFS'} = $confighash{$cgiparams{'KEY'}}[28];
1464 $cgiparams{'DPD_TIMEOUT'} = $confighash{$cgiparams{'KEY'}}[30];
1465 $cgiparams{'DPD_DELAY'} = $confighash{$cgiparams{'KEY'}}[31];
1466 $cgiparams{'FORCE_MOBIKE'} = $confighash{$cgiparams{'KEY'}}[32];
eb09c90e 1467 $cgiparams{'START_ACTION'} = $confighash{$cgiparams{'KEY'}}[33];
af183eeb 1468 $cgiparams{'INACTIVITY_TIMEOUT'} = $confighash{$cgiparams{'KEY'}}[34];
29f5e0e2 1469 $cgiparams{'MODE'} = $confighash{$cgiparams{'KEY'}}[35];
cae1f4a7 1470 $cgiparams{'INTERFACE_MODE'} = $confighash{$cgiparams{'KEY'}}[36];
74641317 1471 $cgiparams{'INTERFACE_ADDRESS'} = $confighash{$cgiparams{'KEY'}}[37];
55842dda 1472 $cgiparams{'INTERFACE_MTU'} = $confighash{$cgiparams{'KEY'}}[38];
624615ee
LS		 1473
1474 if (!$cgiparams{'DPD_DELAY'}) {
1475 $cgiparams{'DPD_DELAY'} = 30;
1476 }
cbb3a8f9 1477
624615ee
LS		 1478 if (!$cgiparams{'DPD_TIMEOUT'}) {
1479 $cgiparams{'DPD_TIMEOUT'} = 120;
1480 }
ac1cfefa 1481
af183eeb
MT		 1482 if ($cgiparams{'INACTIVITY_TIMEOUT'} eq "") {
1483 $cgiparams{'INACTIVITY_TIMEOUT'} = 900;
1484 }
1485
29f5e0e2
MT		 1486 if ($cgiparams{'MODE'} eq "") {
1487 $cgiparams{'MODE'} = "tunnel";
1488 }
1489
ab79dc43
MT		 1490 if ($cgiparams{'INTERFACE_MTU'} eq "") {
1491 $cgiparams{'INTERFACE_MTU'} = 1500;
1492 }
1493
624615ee
LS		 1494 } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'save'}) {
1495 $cgiparams{'REMARK'} = &Header::cleanhtml($cgiparams{'REMARK'});
1496 if ($cgiparams{'TYPE'} !~ /^(host|net)$/) {
1497 $errormessage = $Lang::tr{'connection type is invalid'};
1498 goto VPNCONF_ERROR;
1499 }
ac1cfefa 1500
624615ee
LS		 1501 if ($cgiparams{'NAME'} !~ /^[a-zA-Z0-9]+$/) {
1502 $errormessage = $Lang::tr{'name must only contain characters'};
1503 goto VPNCONF_ERROR;
1504 }
ac1cfefa 1505
624615ee
LS		 1506 if ($cgiparams{'NAME'} =~ /^(host|01|block|private|clear|packetdefault)$/) {
1507 $errormessage = $Lang::tr{'name is invalid'};
1508 goto VPNCONF_ERROR;
1509 }
ac1cfefa 1510
624615ee
LS		 1511 if (length($cgiparams{'NAME'}) >60) {
1512 $errormessage = $Lang::tr{'name too long'};
1513 goto VPNCONF_ERROR;
ac1cfefa 1514 }
ac1cfefa 1515
624615ee
LS		 1516 # Check if there is no other entry with this name
1517 if (! $cgiparams{'KEY'}) { #only for add
1518 foreach my $key (keys %confighash) {
1519 if ($confighash{$key}[1] eq $cgiparams{'NAME'}) {
1520 $errormessage = $Lang::tr{'a connection with this name already exists'};
1521 goto VPNCONF_ERROR;
1522 }
1523 }
1524 }
ac1cfefa 1525
624615ee
LS		 1526 if (($cgiparams{'TYPE'} eq 'net') && (! $cgiparams{'REMOTE'})) {
1527 $errormessage = $Lang::tr{'invalid input for remote host/ip'};
1528 goto VPNCONF_ERROR;
ac1cfefa 1529 }
ac1cfefa 1530
ae0d0698
MT		 1531 if ($cgiparams{'LOCAL'}) {
1532 if (($cgiparams{'LOCAL'} ne "") && (!&General::validip($cgiparams{'LOCAL'}))) {
1533 $errormessage = $Lang::tr{'invalid input for local ip address'};
1534 goto VPNCONF_ERROR;
1535 }
1536 }
1537
624615ee
LS		 1538 if ($cgiparams{'REMOTE'}) {
1539 if (($cgiparams{'REMOTE'} ne '%any') && (! &General::validip($cgiparams{'REMOTE'}))) {
1540 if (! &General::validfqdn ($cgiparams{'REMOTE'})) {
1541 $errormessage = $Lang::tr{'invalid input for remote host/ip'};
1542 goto VPNCONF_ERROR;
1543 } else {
1544 if (&valid_dns_host($cgiparams{'REMOTE'})) {
1545 $warnmessage = "$Lang::tr{'check vpn lr'} $cgiparams{'REMOTE'}. $Lang::tr{'dns check failed'}";
1546 }
1547 }
1548 }
1549 }
ac1cfefa 1550
b1881251
MT		 1551 my @local_subnets = split(",", $cgiparams{'LOCAL_SUBNET'});
1552 foreach my $subnet (@local_subnets) {
8792caad 1553 unless (&Network::check_subnet($subnet)) {
b1881251 1554 $errormessage = $Lang::tr{'local subnet is invalid'};
8792caad
MT		 1555 goto VPNCONF_ERROR;
1556 }
ac1cfefa 1557 }
ac1cfefa 1558
624615ee
LS		 1559 # Allow only one roadwarrior/psk without remote IP-address
1560 if ($cgiparams{'REMOTE'} eq '' && $cgiparams{'AUTH'} eq 'psk') {
1561 foreach my $key (keys %confighash) {
1562 if ( ($cgiparams{'KEY'} ne $key) &&
1563 ($confighash{$key}[4] eq 'psk') &&
1564 ($confighash{$key}[10] eq '') ) {
1565 $errormessage = $Lang::tr{'you can only define one roadwarrior connection when using pre-shared key authentication'};
1566 goto VPNCONF_ERROR;
1567 }
1568 }
1569 }
ac1cfefa 1570
b1881251
MT		 1571 if ($cgiparams{'TYPE'} eq 'net') {
1572 my @remote_subnets = split(",", $cgiparams{'REMOTE_SUBNET'});
1573 foreach my $subnet (@remote_subnets) {
1574 unless (&Network::check_subnet($subnet)) {
1575 $errormessage = $Lang::tr{'remote subnet is invalid'};
1576 goto VPNCONF_ERROR;
1577 }
1578 }
216bd9b3
MT		 1579
1580 if ($cgiparams{'MODE'} !~ /^(tunnel|transport)$/) {
1581 $errormessage = $Lang::tr{'invalid input for mode'};
1582 goto VPNCONF_ERROR;
1583 }
1584
1585 if ($cgiparams{'INTERFACE_MODE'} !~ /^(|gre|vti)$/) {
1586 $errormessage = $Lang::tr{'invalid input for interface mode'};
1587 goto VPNCONF_ERROR;
1588 }
1589
7e25093d
MT		 1590 if (($cgiparams{'INTERFACE_MODE'} eq "vti") && ($cgiparams{'MODE'} eq "transport")) {
1591 $errormessage = $Lang::tr{'transport mode does not support vti'};
1592 goto VPNCONF_ERROR;
1593 }
1594
216bd9b3
MT		 1595 if (($cgiparams{'INTERFACE_MODE'} ne "") && !&Network::check_subnet($cgiparams{'INTERFACE_ADDRESS'})) {
1596 $errormessage = $Lang::tr{'invalid input for interface address'};
1597 goto VPNCONF_ERROR;
1598 }
1599
1600 if ($cgiparams{'INTERFACE_MTU'} !~ /^\d+$/) {
1601 $errormessage = $Lang::tr{'invalid input for interface mtu'};
1602 goto VPNCONF_ERROR;
1603 }
624615ee 1604 }
ac1cfefa 1605
624615ee
LS		 1606 if ($cgiparams{'ENABLED'} !~ /^(on|off)$/) {
1607 $errormessage = $Lang::tr{'invalid input'};
1608 goto VPNCONF_ERROR;
1609 }
1610 if ($cgiparams{'EDIT_ADVANCED'} !~ /^(on|off)$/) {
1611 $errormessage = $Lang::tr{'invalid input'};
1612 goto VPNCONF_ERROR;
1613 }
ed84e8b8 1614
624615ee
LS		 1615 # Allow nothing or a string (DN,FDQN,) beginning with @
1616 # with no comma but slashes between RID eg @O=FR/C=Paris/OU=myhome/CN=franck
1617 if ( ($cgiparams{'LOCAL_ID'} !~ /^(|[\w.-]*@[\w. =*\/-]+|\d+\.\d+\.\d+\.\d+)$/) ||
1618 ($cgiparams{'REMOTE_ID'} !~ /^(|[\w.-]*@[\w. =*\/-]+|\d+\.\d+\.\d+\.\d+)$/) ||
1619 (($cgiparams{'REMOTE_ID'} eq $cgiparams{'LOCAL_ID'}) && ($cgiparams{'LOCAL_ID'} ne ''))
1620 ) {
1621 $errormessage = $Lang::tr{'invalid local-remote id'} . '<br />' .
1622 'DER_ASN1_DN: @c=FR/ou=Paris/ou=Home/cn=*<br />' .
1623 'FQDN: @ipfire.org<br />' .
1624 'USER_FQDN: info@ipfire.org<br />' .
1625 'IPV4_ADDR: 123.123.123.123';
1626 goto VPNCONF_ERROR;
1627 }
1628 # If Auth is DN, verify existance of Remote ID.
1629 if ( $cgiparams{'REMOTE_ID'} eq '' && (
1630 $cgiparams{'AUTH'} eq 'auth-dn'|| # while creation
1631 $confighash{$cgiparams{'KEY'}}[2] eq '%auth-dn')){ # while editing
1632 $errormessage = $Lang::tr{'vpn missing remote id'};
1633 goto VPNCONF_ERROR;
4d81e0f3 1634 }
4d81e0f3 1635
624615ee
LS		 1636 if ($cgiparams{'TYPE'} eq 'net'){
1637 $warnmessage=&General::checksubnets('',$cgiparams{'REMOTE_SUBNET'},'ipsec');
1638 if ($warnmessage ne ''){
1639 $warnmessage=$Lang::tr{'remote subnet'}." ($cgiparams{'REMOTE_SUBNET'}) <br>".$warnmessage;
1640 }
1641 }
1642
1643 if ($cgiparams{'AUTH'} eq 'psk') {
1644 if (! length($cgiparams{'PSK'}) ) {
1645 $errormessage = $Lang::tr{'pre-shared key is too short'};
1646 goto VPNCONF_ERROR;
1647 }
1648 if ($cgiparams{'PSK'} =~ /'/) {
1649 $cgiparams{'PSK'} =~ tr/'/ /;
1650 $errormessage = $Lang::tr{'invalid characters found in pre-shared key'};
1651 goto VPNCONF_ERROR;
1652 }
ac1cfefa 1653 } elsif ($cgiparams{'AUTH'} eq 'certreq') {
624615ee
LS		 1654 if ($cgiparams{'KEY'}) {
1655 $errormessage = $Lang::tr{'cant change certificates'};
1656 goto VPNCONF_ERROR;
1657 }
2ad1b18b 1658 unless (ref ($cgiparams{'FH'})) {
624615ee
LS		 1659 $errormessage = $Lang::tr{'there was no file upload'};
1660 goto VPNCONF_ERROR;
1661 }
ac1cfefa 1662
624615ee
LS		 1663 # Move uploaded certificate request to a temporary file
1664 (my $fh, my $filename) = tempfile( );
1665 if (copy ($cgiparams{'FH'}, $fh) != 1) {
1666 $errormessage = $!;
1667 goto VPNCONF_ERROR;
1668 }
ac1cfefa 1669
624615ee
LS		 1670 # Sign the certificate request
1671 &General::log("ipsec", "Signing your cert $cgiparams{'NAME'}...");
926e5519 1672 my $opt = " ca -md sha256 -days 825";
ed84e8b8
MT		 1673 $opt .= " -batch -notext";
1674 $opt .= " -in $filename";
1675 $opt .= " -out ${General::swroot}/certs/$cgiparams{'NAME'}cert.pem";
1676
624615ee
LS		 1677 if ( $errormessage = &callssl ($opt) ) {
1678 unlink ($filename);
1679 unlink ("${General::swroot}/certs/$cgiparams{'NAME'}cert.pem");
1680 &cleanssldatabase();
1681 goto VPNCONF_ERROR;
1682 } else {
1683 unlink ($filename);
1684 &cleanssldatabase();
1685 }
1686
1687 $cgiparams{'CERT_NAME'} = getCNfromcert ("${General::swroot}/certs/$cgiparams{'NAME'}cert.pem");
1688 if ($cgiparams{'CERT_NAME'} eq '') {
1689 $errormessage = $Lang::tr{'could not retrieve common name from certificate'};
1690 goto VPNCONF_ERROR;
1691 }
ed84e8b8
MT		 1692 } elsif ($cgiparams{'AUTH'} eq 'pkcs12') {
1693 &General::log("ipsec", "Importing from p12...");
1694
2ad1b18b 1695 unless (ref ($cgiparams{'FH'})) {
624615ee
LS		 1696 $errormessage = $Lang::tr{'there was no file upload'};
1697 goto ROOTCERT_ERROR;
ed84e8b8
MT		 1698 }
1699
1700 # Move uploaded certificate request to a temporary file
1701 (my $fh, my $filename) = tempfile( );
1702 if (copy ($cgiparams{'FH'}, $fh) != 1) {
624615ee
LS		 1703 $errormessage = $!;
1704 goto ROOTCERT_ERROR;
ed84e8b8
MT		 1705 }
1706
1707 # Extract the CA certificate from the file
1708 &General::log("ipsec", "Extracting caroot from p12...");
1709 if (open(STDIN, "-|")) {
624615ee 1710 my $opt = " pkcs12 -cacerts -nokeys";
ed84e8b8
MT		 1711 $opt .= " -in $filename";
1712 $opt .= " -out /tmp/newcacert";
ed84e8b8 1713 $errormessage = &callssl ($opt);
624615ee 1714 } else { #child
ed84e8b8
MT		 1715 print "$cgiparams{'P12_PASS'}\n";
1716 exit (0);
624615ee
LS		 1717 }
1718
1719 # Extract the Host certificate from the file
1720 if (!$errormessage) {
1721 &General::log("ipsec", "Extracting host cert from p12...");
1722 if (open(STDIN, "-|")) {
1723 my $opt = " pkcs12 -clcerts -nokeys";
1724 $opt .= " -in $filename";
1725 $opt .= " -out /tmp/newhostcert";
1726 $errormessage = &callssl ($opt);
1727 } else { #child
1728 print "$cgiparams{'P12_PASS'}\n";
1729 exit (0);
1730 }
1731 }
1732
1733 if (!$errormessage) {
1734 &General::log("ipsec", "Moving cacert...");
1735 #If CA have new subject, add it to our list of CA
1736 my $casubject = &Header::cleanhtml(getsubjectfromcert ('/tmp/newcacert'));
1737 my @names;
1738 foreach my $x (keys %cahash) {
1739 $casubject='' if ($cahash{$x}[1] eq $casubject);
1740 unshift (@names,$cahash{$x}[0]);
1741 }
1742 if ($casubject) { # a new one!
1743 my $temp = `/usr/bin/openssl x509 -text -in /tmp/newcacert`;
1744 if ($temp !~ /CA:TRUE/i) {
1745 $errormessage = $Lang::tr{'not a valid ca certificate'};
1746 } else {
1747 #compute a name for it
1748 my $idx=0;
1749 while (grep(/Imported-$idx/, @names) ) {$idx++};
1750 $cgiparams{'CA_NAME'}="Imported-$idx";
1751 $cgiparams{'CERT_NAME'}=&Header::cleanhtml(getCNfromcert ('/tmp/newhostcert'));
1752 move("/tmp/newcacert", "${General::swroot}/ca/$cgiparams{'CA_NAME'}cert.pem");
1753 $errormessage = "$Lang::tr{'certificate file move failed'}: $!" if ($? ne 0);
1754 if (!$errormessage) {
1755 my $key = &General::findhasharraykey (\%cahash);
1756 $cahash{$key}[0] = $cgiparams{'CA_NAME'};
1757 $cahash{$key}[1] = $casubject;
1758 &General::writehasharray("${General::swroot}/vpn/caconfig", \%cahash);
1759 system('/usr/local/bin/ipsecctrl', 'R');
1760 }
1761 }
1762 }
ed84e8b8
MT		 1763 }
1764 if (!$errormessage) {
624615ee
LS		 1765 &General::log("ipsec", "Moving host cert...");
1766 move("/tmp/newhostcert", "${General::swroot}/certs/$cgiparams{'NAME'}cert.pem");
1767 $errormessage = "$Lang::tr{'certificate file move failed'}: $!" if ($? ne 0);
1768 }
ed84e8b8
MT		 1769
1770 #cleanup temp files
1771 unlink ($filename);
1772 unlink ('/tmp/newcacert');
1773 unlink ('/tmp/newhostcert');
1774 if ($errormessage) {
624615ee
LS		 1775 unlink ("${General::swroot}/ca/$cgiparams{'CA_NAME'}cert.pem");
1776 unlink ("${General::swroot}/certs/$cgiparams{'NAME'}cert.pem");
1777 goto VPNCONF_ERROR;
ed84e8b8
MT		 1778 }
1779 &General::log("ipsec", "p12 import completed!");
ac1cfefa 1780 } elsif ($cgiparams{'AUTH'} eq 'certfile') {
624615ee
LS		 1781 if ($cgiparams{'KEY'}) {
1782 $errormessage = $Lang::tr{'cant change certificates'};
1783 goto VPNCONF_ERROR;
1784 }
2ad1b18b 1785 unless (ref ($cgiparams{'FH'})) {
624615ee
LS		 1786 $errormessage = $Lang::tr{'there was no file upload'};
1787 goto VPNCONF_ERROR;
1788 }
1789 # Move uploaded certificate to a temporary file
1790 (my $fh, my $filename) = tempfile( );
1791 if (copy ($cgiparams{'FH'}, $fh) != 1) {
1792 $errormessage = $!;
1793 goto VPNCONF_ERROR;
ac1cfefa 1794 }
ac1cfefa 1795
624615ee
LS		 1796 # Verify the certificate has a valid CA and move it
1797 &General::log("ipsec", "Validating imported cert against our known CA...");
1798 my $validca = 1; #assume ok
1799 my $test = `/usr/bin/openssl verify -CAfile ${General::swroot}/ca/cacert.pem $filename`;
1800 if ($test !~ /: OK/) {
1801 my $validca = 0;
1802 foreach my $key (keys %cahash) {
1803 $test = `/usr/bin/openssl verify -CAfile ${General::swroot}/ca/$cahash{$key}[0]cert.pem $filename`;
1804 if ($test =~ /: OK/) {
1805 $validca = 1;
1806 last;
1807 }
1808 }
1809 }
1810 if (! $validca) {
1811 $errormessage = $Lang::tr{'certificate does not have a valid ca associated with it'};
1812 unlink ($filename);
1813 goto VPNCONF_ERROR;
1814 } else {
1815 move($filename, "${General::swroot}/certs/$cgiparams{'NAME'}cert.pem");
1816 if ($? ne 0) {
1817 $errormessage = "$Lang::tr{'certificate file move failed'}: $!";
1818 unlink ($filename);
1819 goto VPNCONF_ERROR;
1820 }
1821 }
1822
1823 $cgiparams{'CERT_NAME'} = getCNfromcert ("${General::swroot}/certs/$cgiparams{'NAME'}cert.pem");
1824 if ($cgiparams{'CERT_NAME'} eq '') {
1825 unlink ("${General::swroot}/certs/$cgiparams{'NAME'}cert.pem");
1826 $errormessage = $Lang::tr{'could not retrieve common name from certificate'};
1827 goto VPNCONF_ERROR;
1828 }
ac1cfefa 1829 } elsif ($cgiparams{'AUTH'} eq 'certgen') {
624615ee
LS		 1830 if ($cgiparams{'KEY'}) {
1831 $errormessage = $Lang::tr{'cant change certificates'};
1832 goto VPNCONF_ERROR;
1833 }
1834 # Validate input since the form was submitted
1835 if (length($cgiparams{'CERT_NAME'}) >60) {
1836 $errormessage = $Lang::tr{'name too long'};
1837 goto VPNCONF_ERROR;
1838 }
1839 if ($cgiparams{'CERT_NAME'} !~ /^[a-zA-Z0-9 ,\.\-_]+$/) {
1840 $errormessage = $Lang::tr{'invalid input for name'};
1841 goto VPNCONF_ERROR;
1842 }
1843 if ($cgiparams{'CERT_EMAIL'} ne '' && (! &General::validemail($cgiparams{'CERT_EMAIL'}))) {
1844 $errormessage = $Lang::tr{'invalid input for e-mail address'};
1845 goto VPNCONF_ERROR;
1846 }
1847 if (length($cgiparams{'CERT_EMAIL'}) > 40) {
1848 $errormessage = $Lang::tr{'e-mail address too long'};
1849 goto VPNCONF_ERROR;
1850 }
1851 if ($cgiparams{'CERT_OU'} ne '' && $cgiparams{'CERT_OU'} !~ /^[a-zA-Z0-9 ,\.\-_]*$/) {
1852 $errormessage = $Lang::tr{'invalid input for department'};
1853 goto VPNCONF_ERROR;
1854 }
1855 if (length($cgiparams{'CERT_ORGANIZATION'}) >60) {
1856 $errormessage = $Lang::tr{'organization too long'};
1857 goto VPNCONF_ERROR;
1858 }
1859 if ($cgiparams{'CERT_ORGANIZATION'} !~ /^[a-zA-Z0-9 ,\.\-_]+$/) {
1860 $errormessage = $Lang::tr{'invalid input for organization'};
1861 goto VPNCONF_ERROR;
1862 }
1863 if ($cgiparams{'CERT_CITY'} ne '' && $cgiparams{'CERT_CITY'} !~ /^[a-zA-Z0-9 ,\.\-_]*$/) {
1864 $errormessage = $Lang::tr{'invalid input for city'};
1865 goto VPNCONF_ERROR;
1866 }
1867 if ($cgiparams{'CERT_STATE'} ne '' && $cgiparams{'CERT_STATE'} !~ /^[a-zA-Z0-9 ,\.\-_]*$/) {
1868 $errormessage = $Lang::tr{'invalid input for state or province'};
1869 goto VPNCONF_ERROR;
1870 }
1871 if ($cgiparams{'CERT_COUNTRY'} !~ /^[A-Z]*$/) {
1872 $errormessage = $Lang::tr{'invalid input for country'};
1873 goto VPNCONF_ERROR;
1874 }
1875 #the exact syntax is a list comma separated of
1876 # email:any-validemail
1877 # URI: a uniform resource indicator
1878 # DNS: a DNS domain name
1879 # RID: a registered OBJECT IDENTIFIER
1880 # IP: an IP address
1881 # example: email:franck@foo.com,IP:10.0.0.10,DNS:franck.foo.com
1882
1883 if ($cgiparams{'SUBJECTALTNAME'} ne '' && $cgiparams{'SUBJECTALTNAME'} !~ /^(email|URI|DNS|RID|IP):[a-zA-Z0-9 :\/,\.\-_@]*$/) {
1884 $errormessage = $Lang::tr{'vpn altname syntax'};
1885 goto VPNCONF_ERROR;
1886 }
ed84e8b8 1887
624615ee
LS		 1888 if (length($cgiparams{'CERT_PASS1'}) < 5) {
1889 $errormessage = $Lang::tr{'password too short'};
1890 goto VPNCONF_ERROR;
1891 }
1892 if ($cgiparams{'CERT_PASS1'} ne $cgiparams{'CERT_PASS2'}) {
1893 $errormessage = $Lang::tr{'passwords do not match'};
1894 goto VPNCONF_ERROR;
1895 }
ac1cfefa 1896
624615ee
LS		 1897 # Replace empty strings with a .
1898 (my $ou = $cgiparams{'CERT_OU'}) =~ s/^\s*$/\./;
1899 (my $city = $cgiparams{'CERT_CITY'}) =~ s/^\s*$/\./;
1900 (my $state = $cgiparams{'CERT_STATE'}) =~ s/^\s*$/\./;
ac1cfefa 1901
624615ee
LS		 1902 # Create the Client certificate request
1903 &General::log("ipsec", "Creating a cert...");
ed84e8b8 1904
624615ee
LS		 1905 if (open(STDIN, "-|")) {
1906 my $opt = " req -nodes -rand /proc/interrupts:/proc/net/rt_cache";
1907 $opt .= " -newkey rsa:2048";
1908 $opt .= " -keyout ${General::swroot}/certs/$cgiparams{'NAME'}key.pem";
1909 $opt .= " -out ${General::swroot}/certs/$cgiparams{'NAME'}req.pem";
1910
1911 if ( $errormessage = &callssl ($opt) ) {
1912 unlink ("${General::swroot}/certs/$cgiparams{'NAME'}key.pem");
1913 unlink ("${General::swroot}/certs/$cgiparams{'NAME'}req.pem");
1914 goto VPNCONF_ERROR;
1915 }
1916 } else { #child
1917 print "$cgiparams{'CERT_COUNTRY'}\n";
1918 print "$state\n";
1919 print "$city\n";
1920 print "$cgiparams{'CERT_ORGANIZATION'}\n";
1921 print "$ou\n";
1922 print "$cgiparams{'CERT_NAME'}\n";
1923 print "$cgiparams{'CERT_EMAIL'}\n";
1924 print ".\n";
1925 print ".\n";
1926 exit (0);
1927 }
ed84e8b8 1928
624615ee
LS		 1929 # Sign the client certificate request
1930 &General::log("ipsec", "Signing the cert $cgiparams{'NAME'}...");
1931
1932 #No easy way for specifying the contain of subjectAltName without writing a config file...
1933 my ($fh, $v3extname) = tempfile ('/tmp/XXXXXXXX');
1934 print $fh <<END
1935 basicConstraints=CA:FALSE
1936 nsComment="OpenSSL Generated Certificate"
1937 subjectKeyIdentifier=hash
1938 extendedKeyUsage=clientAuth
1939 authorityKeyIdentifier=keyid,issuer:always
ed84e8b8
MT		 1940END
1941;
624615ee
LS		 1942 print $fh "subjectAltName=$cgiparams{'SUBJECTALTNAME'}" if ($cgiparams{'SUBJECTALTNAME'});
1943 close ($fh);
1944
926e5519 1945 my $opt = " ca -md sha256 -days 825 -batch -notext";
624615ee
LS		 1946 $opt .= " -in ${General::swroot}/certs/$cgiparams{'NAME'}req.pem";
1947 $opt .= " -out ${General::swroot}/certs/$cgiparams{'NAME'}cert.pem";
1948 $opt .= " -extfile $v3extname";
1949
1950 if ( $errormessage = &callssl ($opt) ) {
1951 unlink ($v3extname);
1952 unlink ("${General::swroot}/certs/$cgiparams{'NAME'}key.pem");
1953 unlink ("${General::swroot}/certs/$cgiparams{'NAME'}req.pem");
1954 unlink ("${General::swroot}/certs/$cgiparams{'NAME'}cert.pem");
1955 &cleanssldatabase();
1956 goto VPNCONF_ERROR;
1957 } else {
1958 unlink ($v3extname);
1959 unlink ("${General::swroot}/certs/$cgiparams{'NAME'}req.pem");
1960 &cleanssldatabase();
1961 }
1962
1963 # Create the pkcs12 file
1964 &General::log("ipsec", "Packing a pkcs12 file...");
1965 $opt = " pkcs12 -export";
1966 $opt .= " -inkey ${General::swroot}/certs/$cgiparams{'NAME'}key.pem";
1967 $opt .= " -in ${General::swroot}/certs/$cgiparams{'NAME'}cert.pem";
1968 $opt .= " -name \"$cgiparams{'NAME'}\"";
1969 $opt .= " -passout pass:$cgiparams{'CERT_PASS1'}";
1970 $opt .= " -certfile ${General::swroot}/ca/cacert.pem";
1971 $opt .= " -caname \"$vpnsettings{'ROOTCERT_ORGANIZATION'} CA\"";
1972 $opt .= " -out ${General::swroot}/certs/$cgiparams{'NAME'}.p12";
1973
1974 if ( $errormessage = &callssl ($opt) ) {
1975 unlink ("${General::swroot}/certs/$cgiparams{'NAME'}key.pem");
1976 unlink ("${General::swroot}/certs/$cgiparams{'NAME'}cert.pem");
1977 unlink ("${General::swroot}/certs/$cgiparams{'NAME'}.p12");
1978 goto VPNCONF_ERROR;
1979 } else {
1980 unlink ("${General::swroot}/certs/$cgiparams{'NAME'}key.pem");
1981 }
ac1cfefa 1982 } elsif ($cgiparams{'AUTH'} eq 'cert') {
624615ee 1983 ;# Nothing, just editing
ed84e8b8 1984 } elsif ($cgiparams{'AUTH'} eq 'auth-dn') {
624615ee 1985 $cgiparams{'CERT_NAME'} = '%auth-dn'; # a special value saying 'no cert file'
ac1cfefa 1986 } else {
624615ee
LS		 1987 $errormessage = $Lang::tr{'invalid input for authentication method'};
1988 goto VPNCONF_ERROR;
ac1cfefa
MT		 1989 }
1990
ed84e8b8
MT		 1991 # 1)Error message here is not accurate.
1992 # 2)Test is superfluous, openswan can reference same cert multiple times
1993 # 3)Present since initial version (1.3.2.11), it isn't a bug correction
1994 # Check if there is no other entry with this certificate name
1995 #if ((! $cgiparams{'KEY'}) && ($cgiparams{'AUTH'} ne 'psk') && ($cgiparams{'AUTH'} ne 'auth-dn')) {
624615ee 1996 # foreach my $key (keys %confighash) {
ed84e8b8 1997 # if ($confighash{$key}[2] eq $cgiparams{'CERT_NAME'}) {
624615ee
LS		 1998 # $errormessage = $Lang::tr{'a connection with this common name already exists'};
1999 # goto VPNCONF_ERROR;
2000 # }
ed84e8b8 2001 # }
ed84e8b8 2002 #}
624615ee 2003 # Save the config
ed84e8b8 2004
ac1cfefa
MT		 2005 my $key = $cgiparams{'KEY'};
2006 if (! $key) {
624615ee 2007 $key = &General::findhasharraykey (\%confighash);
55842dda 2008 foreach my $i (0 .. 38) { $confighash{$key}[$i] = "";}
ac1cfefa
MT		 2009 }
2010 $confighash{$key}[0] = $cgiparams{'ENABLED'};
2011 $confighash{$key}[1] = $cgiparams{'NAME'};
2012 if ((! $cgiparams{'KEY'}) && $cgiparams{'AUTH'} ne 'psk') {
624615ee 2013 $confighash{$key}[2] = $cgiparams{'CERT_NAME'};
ac1cfefa
MT		 2014 }
2015 $confighash{$key}[3] = $cgiparams{'TYPE'};
2016 if ($cgiparams{'AUTH'} eq 'psk') {
624615ee
LS		 2017 $confighash{$key}[4] = 'psk';
2018 $confighash{$key}[5] = $cgiparams{'PSK'};
ac1cfefa 2019 } else {
624615ee 2020 $confighash{$key}[4] = 'cert';
ac1cfefa
MT		 2021 }
2022 if ($cgiparams{'TYPE'} eq 'net') {
b1881251
MT		 2023 my @remote_subnets = split(",", $cgiparams{'REMOTE_SUBNET'});
2024 $confighash{$key}[11] = join('|', @remote_subnets);
ac1cfefa 2025 }
ae0d0698 2026 $confighash{$key}[6] = $cgiparams{'LOCAL'};
ac1cfefa 2027 $confighash{$key}[7] = $cgiparams{'LOCAL_ID'};
8792caad
MT		 2028 my @local_subnets = split(",", $cgiparams{'LOCAL_SUBNET'});
2029 $confighash{$key}[8] = join('|', @local_subnets);
ac1cfefa
MT		 2030 $confighash{$key}[9] = $cgiparams{'REMOTE_ID'};
2031 $confighash{$key}[10] = $cgiparams{'REMOTE'};
2032 $confighash{$key}[25] = $cgiparams{'REMARK'};
ae2782ba 2033 $confighash{$key}[26] = ""; # Formerly INTERFACE
ac1cfefa 2034 $confighash{$key}[27] = $cgiparams{'DPD_ACTION'};
e2e4ed01 2035 $confighash{$key}[29] = $cgiparams{'IKE_VERSION'};
ac1cfefa 2036
624615ee 2037 # don't forget advanced value
ed84e8b8
MT		 2038 $confighash{$key}[18] = $cgiparams{'IKE_ENCRYPTION'};
2039 $confighash{$key}[19] = $cgiparams{'IKE_INTEGRITY'};
2040 $confighash{$key}[20] = $cgiparams{'IKE_GROUPTYPE'};
2041 $confighash{$key}[16] = $cgiparams{'IKE_LIFETIME'};
2042 $confighash{$key}[21] = $cgiparams{'ESP_ENCRYPTION'};
2043 $confighash{$key}[22] = $cgiparams{'ESP_INTEGRITY'};
2044 $confighash{$key}[23] = $cgiparams{'ESP_GROUPTYPE'};
2045 $confighash{$key}[17] = $cgiparams{'ESP_KEYLIFE'};
451a2f68 2046 $confighash{$key}[12] = 'off'; # $cgiparams{'AGGRMODE'};
ed84e8b8
MT		 2047 $confighash{$key}[13] = $cgiparams{'COMPRESSION'};
2048 $confighash{$key}[24] = $cgiparams{'ONLY_PROPOSED'};
2049 $confighash{$key}[28] = $cgiparams{'PFS'};
4e156911
AM		 2050 $confighash{$key}[30] = $cgiparams{'DPD_TIMEOUT'};
2051 $confighash{$key}[31] = $cgiparams{'DPD_DELAY'};
f6529a04 2052 $confighash{$key}[32] = $cgiparams{'FORCE_MOBIKE'};
eb09c90e 2053 $confighash{$key}[33] = $cgiparams{'START_ACTION'};
af183eeb 2054 $confighash{$key}[34] = $cgiparams{'INACTIVITY_TIMEOUT'};
29f5e0e2 2055 $confighash{$key}[35] = $cgiparams{'MODE'};
cae1f4a7 2056 $confighash{$key}[36] = $cgiparams{'INTERFACE_MODE'};
74641317 2057 $confighash{$key}[37] = $cgiparams{'INTERFACE_ADDRESS'};
55842dda 2058 $confighash{$key}[38] = $cgiparams{'INTERFACE_MTU'};
ac1cfefa 2059
624615ee 2060 # free unused fields!
ed84e8b8 2061 $confighash{$key}[15] = 'off';
ac1cfefa
MT		 2062
2063 &General::writehasharray("${General::swroot}/vpn/config", \%confighash);
2064 &writeipsecfiles();
ed84e8b8 2065 if (&vpnenabled) {
624615ee
LS		 2066 system('/usr/local/bin/ipsecctrl', 'S', $key);
2067 sleep $sleepDelay;
ac1cfefa
MT		 2068 }
2069 if ($cgiparams{'EDIT_ADVANCED'} eq 'on') {
624615ee
LS		 2070 $cgiparams{'KEY'} = $key;
2071 $cgiparams{'ACTION'} = $Lang::tr{'advanced'};
ac1cfefa
MT		 2072 }
2073 goto VPNCONF_END;
624615ee
LS		 2074} else { # add new connection
2075 $cgiparams{'ENABLED'} = 'on';
ac1cfefa 2076 if ( ! -f "${General::swroot}/private/cakey.pem" ) {
624615ee 2077 $cgiparams{'AUTH'} = 'psk';
ac1cfefa 2078 } elsif ( ! -f "${General::swroot}/ca/cacert.pem") {
624615ee 2079 $cgiparams{'AUTH'} = 'certfile';
ac1cfefa 2080 } else {
624615ee 2081 $cgiparams{'AUTH'} = 'certgen';
ac1cfefa 2082 }
605c391a
MT		 2083
2084 if ($netsettings{"GREEN_NETADDRESS"} && $netsettings{"GREEN_NETMASK"}) {
2085 $cgiparams{"LOCAL_SUBNET"} = $netsettings{'GREEN_NETADDRESS'} . "/" . $netsettings{'GREEN_NETMASK'};
2086 } else {
2087 $cgiparams{"LOCAL_SUBNET"} = "";
2088 }
624615ee
LS		 2089 $cgiparams{'CERT_EMAIL'} = $vpnsettings{'ROOTCERT_EMAIL'};
2090 $cgiparams{'CERT_OU'} = $vpnsettings{'ROOTCERT_OU'};
2091 $cgiparams{'CERT_ORGANIZATION'} = $vpnsettings{'ROOTCERT_ORGANIZATION'};
2092 $cgiparams{'CERT_CITY'} = $vpnsettings{'ROOTCERT_CITY'};
2093 $cgiparams{'CERT_STATE'} = $vpnsettings{'ROOTCERT_STATE'};
2094 $cgiparams{'CERT_COUNTRY'} = $vpnsettings{'ROOTCERT_COUNTRY'};
ac1cfefa 2095
624615ee 2096 # choose appropriate dpd action
ac1cfefa 2097 if ($cgiparams{'TYPE'} eq 'host') {
afd5d8f7 2098 $cgiparams{'DPD_ACTION'} = 'clear';
ac1cfefa 2099 } else {
afd5d8f7 2100 $cgiparams{'DPD_ACTION'} = 'restart';
ac1cfefa
MT		 2101 }
2102
cbb3a8f9
MT		 2103 if (!$cgiparams{'DPD_DELAY'}) {
2104 $cgiparams{'DPD_DELAY'} = 30;
2105 }
2106
2107 if (!$cgiparams{'DPD_TIMEOUT'}) {
2108 $cgiparams{'DPD_TIMEOUT'} = 120;
2109 }
2110
f6529a04
MT		 2111 if (!$cgiparams{'FORCE_MOBIKE'}) {
2112 $cgiparams{'FORCE_MOBIKE'} = 'no';
2113 }
2114
ae2782ba
MT		 2115 # Default IKE Version to v2
2116 if (!$cgiparams{'IKE_VERSION'}) {
624615ee 2117 $cgiparams{'IKE_VERSION'} = 'ikev2';
e2e4ed01
AF		 2118 }
2119
ac1cfefa 2120 # ID are empty
624615ee 2121 $cgiparams{'LOCAL_ID'} = '';
ac1cfefa 2122 $cgiparams{'REMOTE_ID'} = '';
ed84e8b8
MT		 2123
2124 #use default advanced value
05375f12 2125 $cgiparams{'IKE_ENCRYPTION'} = 'chacha20poly1305|aes256gcm128|aes256gcm96|aes256gcm64|aes256|aes192gcm128|aes192gcm96|aes192gcm64|aes192|aes128gcm128|aes128gcm96|aes128gcm64|aes128'; #[18];
570d54fd 2126 $cgiparams{'IKE_INTEGRITY'} = 'sha2_512|sha2_256'; #[19];
d47b2cc2 2127 $cgiparams{'IKE_GROUPTYPE'} = 'curve25519|curve448|4096|3072|2048'; #[20];
624615ee 2128 $cgiparams{'IKE_LIFETIME'} = '3'; #[16];
05375f12 2129 $cgiparams{'ESP_ENCRYPTION'} = 'chacha20poly1305|aes256gcm128|aes256gcm96|aes256gcm64|aes256|aes192gcm128|aes192gcm96|aes192gcm64|aes192|aes128gcm128|aes128gcm96|aes128gcm64|aes128'; #[21];
570d54fd 2130 $cgiparams{'ESP_INTEGRITY'} = 'sha2_512|sha2_256'; #[22];
d47b2cc2 2131 $cgiparams{'ESP_GROUPTYPE'} = 'curve25519|curve448|4096|3072|2048'; #[23];
624615ee 2132 $cgiparams{'ESP_KEYLIFE'} = '1'; #[17];
120d77b3 2133 $cgiparams{'COMPRESSION'} = 'off'; #[13];
570d54fd 2134 $cgiparams{'ONLY_PROPOSED'} = 'on'; #[24];
624615ee 2135 $cgiparams{'PFS'} = 'on'; #[28];
af183eeb 2136 $cgiparams{'INACTIVITY_TIMEOUT'} = 900;
29f5e0e2 2137 $cgiparams{'MODE'} = "tunnel";
cae1f4a7 2138 $cgiparams{'INTERFACE_MODE'} = "";
74641317 2139 $cgiparams{'INTERFACE_ADDRESS'} = "";
55842dda 2140 $cgiparams{'INTERFACE_MTU'} = 1500;
624615ee 2141}
ac1cfefa 2142
624615ee
LS		 2143VPNCONF_ERROR:
2144 $checked{'ENABLED'}{'off'} = '';
2145 $checked{'ENABLED'}{'on'} = '';
2146 $checked{'ENABLED'}{$cgiparams{'ENABLED'}} = "checked='checked'";
2147
2148 $checked{'EDIT_ADVANCED'}{'off'} = '';
2149 $checked{'EDIT_ADVANCED'}{'on'} = '';
2150 $checked{'EDIT_ADVANCED'}{$cgiparams{'EDIT_ADVANCED'}} = "checked='checked'";
2151
2152 $checked{'AUTH'}{'psk'} = '';
2153 $checked{'AUTH'}{'certreq'} = '';
2154 $checked{'AUTH'}{'certgen'} = '';
2155 $checked{'AUTH'}{'certfile'} = '';
2156 $checked{'AUTH'}{'pkcs12'} = '';
2157 $checked{'AUTH'}{'auth-dn'} = '';
2158 $checked{'AUTH'}{$cgiparams{'AUTH'}} = "checked='checked'";
2159
216bd9b3
MT		 2160 $selected{'MODE'}{'tunnel'} = '';
2161 $selected{'MODE'}{'transport'} = '';
2162 $selected{'MODE'}{$cgiparams{'MODE'}} = "selected='selected'";
2163
2164 $selected{'INTERFACE_MODE'}{''} = '';
2165 $selected{'INTERFACE_MODE'}{'gre'} = '';
2166 $selected{'INTERFACE_MODE'}{'vti'} = '';
2167 $selected{'INTERFACE_MODE'}{$cgiparams{'INTERFACE_MODE'}} = "selected='selected'";
2168
ae0d0698
MT		 2169 $selected{'LOCAL'}{''} = '';
2170 foreach my $alias (sort keys %aliases) {
2171 my $address = $aliases{$alias}{'IPT'};
2172
2173 $selected{'LOCAL'}{$address} = '';
2174 }
2175 $selected{'LOCAL'}{$cgiparams{'LOCAL'}} = "selected='selected'";
2176
624615ee
LS		 2177 &Header::showhttpheaders();
2178 &Header::openpage($Lang::tr{'ipsec'}, 1, '');
2179 &Header::openbigbox('100%', 'left', '', $errormessage);
2180 if ($errormessage) {
2181 &Header::openbox('100%', 'left', $Lang::tr{'error messages'});
2182 print "<class name='base'>$errormessage";
2183 print "&nbsp;</class>";
2184 &Header::closebox();
2185 }
2186
2187 if ($warnmessage) {
2188 &Header::openbox('100%', 'left', "$Lang::tr{'warning messages'}:");
2189 print "<class name='base'>$warnmessage";
2190 print "&nbsp;</class>";
2191 &Header::closebox();
2192 }
ac1cfefa 2193
624615ee
LS		 2194 print "<form method='post' enctype='multipart/form-data' action='$ENV{'SCRIPT_NAME'}'>";
2195 print<<END
ed84e8b8 2196 <input type='hidden' name='TYPE' value='$cgiparams{'TYPE'}' />
4ad0b5b6 2197 <input type='hidden' name='IKE_VERSION' value='$cgiparams{'IKE_VERSION'}' />
ed84e8b8
MT		 2198 <input type='hidden' name='IKE_ENCRYPTION' value='$cgiparams{'IKE_ENCRYPTION'}' />
2199 <input type='hidden' name='IKE_INTEGRITY' value='$cgiparams{'IKE_INTEGRITY'}' />
2200 <input type='hidden' name='IKE_GROUPTYPE' value='$cgiparams{'IKE_GROUPTYPE'}' />
2201 <input type='hidden' name='IKE_LIFETIME' value='$cgiparams{'IKE_LIFETIME'}' />
2202 <input type='hidden' name='ESP_ENCRYPTION' value='$cgiparams{'ESP_ENCRYPTION'}' />
2203 <input type='hidden' name='ESP_INTEGRITY' value='$cgiparams{'ESP_INTEGRITY'}' />
2204 <input type='hidden' name='ESP_GROUPTYPE' value='$cgiparams{'ESP_GROUPTYPE'}' />
2205 <input type='hidden' name='ESP_KEYLIFE' value='$cgiparams{'ESP_KEYLIFE'}' />
ed84e8b8
MT		 2206 <input type='hidden' name='COMPRESSION' value='$cgiparams{'COMPRESSION'}' />
2207 <input type='hidden' name='ONLY_PROPOSED' value='$cgiparams{'ONLY_PROPOSED'}' />
2208 <input type='hidden' name='PFS' value='$cgiparams{'PFS'}' />
cbb3a8f9
MT		 2209 <input type='hidden' name='DPD_ACTION' value='$cgiparams{'DPD_ACTION'}' />
2210 <input type='hidden' name='DPD_DELAY' value='$cgiparams{'DPD_DELAY'}' />
2211 <input type='hidden' name='DPD_TIMEOUT' value='$cgiparams{'DPD_TIMEOUT'}' />
f6529a04 2212 <input type='hidden' name='FORCE_MOBIKE' value='$cgiparams{'FORCE_MOBIKE'}' />
eb09c90e 2213 <input type='hidden' name='START_ACTION' value='$cgiparams{'START_ACTION'}' />
5e6fa03e 2214 <input type='hidden' name='INACTIVITY_TIMEOUT' value='$cgiparams{'INACTIVITY_TIMEOUT'}' />
ed84e8b8 2215END
624615ee
LS		 2216;
2217 if ($cgiparams{'KEY'}) {
2218 print "<input type='hidden' name='KEY' value='$cgiparams{'KEY'}' />";
2219 print "<input type='hidden' name='NAME' value='$cgiparams{'NAME'}' />";
2220 print "<input type='hidden' name='AUTH' value='$cgiparams{'AUTH'}' />";
2221 }
2222
2223 &Header::openbox('100%', 'left', "$Lang::tr{'connection'}: $cgiparams{'NAME'}");
2224 print "<table width='100%'>";
2225 if (!$cgiparams{'KEY'}) {
2226 print <<EOF;
2227 <tr>
2228 <td width='20%'>$Lang::tr{'name'}:&nbsp;<img src='/blob.gif' alt='*' /></td>
2229 <td width='30%'>
2230 <input type='text' name='NAME' value='$cgiparams{'NAME'}' size='25' />
2231 </td>
2232 <td colspan="2"></td>
2233 </tr>
d2d87f2c 2234EOF
624615ee 2235 }
ac1cfefa 2236
624615ee
LS		 2237 my $disabled;
2238 my $blob;
2239 if ($cgiparams{'TYPE'} eq 'host') {
e3edceeb 2240 $disabled = "disabled='disabled'";
624615ee 2241 } elsif ($cgiparams{'TYPE'} eq 'net') {
e3edceeb 2242 $blob = "<img src='/blob.gif' alt='*' />";
624615ee 2243 };
5fd30232 2244
b1881251
MT		 2245 my @local_subnets = split(/\|/, $cgiparams{'LOCAL_SUBNET'});
2246 my $local_subnets = join(",", @local_subnets);
8792caad 2247
b1881251
MT		 2248 my @remote_subnets = split(/\|/, $cgiparams{'REMOTE_SUBNET'});
2249 my $remote_subnets = join(",", @remote_subnets);
8792caad 2250
ae0d0698 2251 print <<END;
ae2782ba 2252 <tr>
d2d87f2c
MT		 2253 <td width='20%'>$Lang::tr{'enabled'}</td>
2254 <td width='30%'>
2255 <input type='checkbox' name='ENABLED' $checked{'ENABLED'}{'on'} />
2256 </td>
455fdcb1 2257 <td colspan="2"></td>
d2d87f2c
MT		 2258 </tr>
2259 <tr>
ae0d0698
MT		 2260 <td class='boldbase' width='20%'>$Lang::tr{'local ip address'}:</td>
2261 <td width='30%'>
2262 <select name="LOCAL">
2263 <option value="" $selected{'LOCAL'}{''}>- $Lang::tr{'default IP address'} -</option>
2264END
2265
2266 foreach my $alias (sort keys %aliases) {
2267 my $address = $aliases{$alias}{'IPT'};
2268 print <<END;
2269 <option value="$address" $selected{'LOCAL'}{$address}>$alias ($address)</option>
2270END
2271 }
2272
2273 print <<END;
2274 </select>
2275 </td>
624615ee
LS		 2276 <td class='boldbase' width='20%'>$Lang::tr{'remote host/ip'}:&nbsp;$blob</td>
2277 <td width='30%'>
2278 <input type='text' name='REMOTE' value='$cgiparams{'REMOTE'}' size="25" />
2279 </td>
455fdcb1
MT		 2280 </tr>
2281 <tr>
2282 <td class='boldbase' nowrap='nowrap' width='20%'>$Lang::tr{'local subnet'}&nbsp;<img src='/blob.gif' alt='*' /></td>
2283 <td width='30%'>
2284 <input type='text' name='LOCAL_SUBNET' value='$local_subnets' size="25" />
2285 </td>
624615ee
LS		 2286 <td class='boldbase' nowrap='nowrap' width='20%'>$Lang::tr{'remote subnet'}&nbsp;$blob</td>
2287 <td width='30%'>
455fdcb1 2288 <input $disabled type='text' name='REMOTE_SUBNET' value='$remote_subnets' size="25" />
624615ee 2289 </td>
ae2782ba
MT		 2290 </tr>
2291 <tr>
624615ee
LS		 2292 <td class='boldbase' width='20%'>$Lang::tr{'vpn local id'}:</td>
2293 <td width='30%'>
2294 <input type='text' name='LOCAL_ID' value='$cgiparams{'LOCAL_ID'}' size="25" />
2295 </td>
2296 <td class='boldbase' width='20%'>$Lang::tr{'vpn remote id'}:</td>
2297 <td width='30%'>
2298 <input type='text' name='REMOTE_ID' value='$cgiparams{'REMOTE_ID'}' size="25" />
2299 </td>
ae2782ba 2300 </tr>
d2d87f2c 2301 <tr><td colspan="4"><br /></td></tr>
ae2782ba 2302 <tr>
624615ee
LS		 2303 <td class='boldbase' width='20%'>$Lang::tr{'remark title'}</td>
2304 <td colspan='3'>
2305 <input type='text' name='REMARK' value='$cgiparams{'REMARK'}' maxlength='50' size="73" />
2306 </td>
ed84e8b8 2307 </tr>
ac1cfefa 2308END
624615ee
LS		 2309;
2310 if (!$cgiparams{'KEY'}) {
2311 print "<tr><td colspan='3'><input type='checkbox' name='EDIT_ADVANCED' $checked{'EDIT_ADVANCED'}{'on'} /> $Lang::tr{'edit advanced settings when done'}</td></tr>";
2312 }
2313 print "</table>";
ed84e8b8 2314 &Header::closebox();
ed84e8b8 2315
216bd9b3
MT		 2316 if ($cgiparams{'TYPE'} eq 'net') {
2317 &Header::openbox('100%', 'left', $Lang::tr{'ipsec settings'});
2318 print <<EOF;
2319 <table width='100%'>
2320 <tbody>
2321 <tr>
2322 <td class='boldbase' width='20%'>$Lang::tr{'mode'}:</td>
2323 <td width='30%'>
2324 <select name='MODE'>
2325 <option value='tunnel' $selected{'MODE'}{'tunnel'}>$Lang::tr{'ipsec mode tunnel'}</option>
2326 <option value='transport' $selected{'MODE'}{'transport'}>$Lang::tr{'ipsec mode transport'}</option>
2327 </select>
2328 </td>
2329 <td colspan='2'></td>
2330 </tr>
2331
2332 <tr>
2333 <td class='boldbase' width='20%'>$Lang::tr{'interface mode'}:</td>
2334 <td width='30%'>
2335 <select name='INTERFACE_MODE'>
2336 <option value='' $selected{'INTERFACE_MODE'}{''}>$Lang::tr{'ipsec interface mode none'}</option>
2337 <option value='gre' $selected{'INTERFACE_MODE'}{'gre'}>$Lang::tr{'ipsec interface mode gre'}</option>
2338 <option value='vti' $selected{'INTERFACE_MODE'}{'vti'}>$Lang::tr{'ipsec interface mode vti'}</option>
2339 </select>
2340 </td>
2341
2342 <td class='boldbase' width='20%'>$Lang::tr{'ip address'}/$Lang::tr{'subnet mask'}:</td>
2343 <td width='30%'>
2344 <input type="text" name="INTERFACE_ADDRESS" value="$cgiparams{'INTERFACE_ADDRESS'}">
2345 </td>
2346 </tr>
2347
2348 <tr>
2349 <td class='boldbase' width='20%'>$Lang::tr{'mtu'}:</td>
2350 <td width='30%'>
2351 <input type="number" name="INTERFACE_MTU" value="$cgiparams{'INTERFACE_MTU'}" min="576" max="9000">
2352 </td>
2353 <td colspan='2'></td>
2354 </tr>
2355 </tbody>
2356 </table>
2357EOF
2358 &Header::closebox();
2359 }
2360
624615ee
LS		 2361 if ($cgiparams{'KEY'} && $cgiparams{'AUTH'} eq 'psk') {
2362 &Header::openbox('100%', 'left', $Lang::tr{'authentication'});
2363 print <<END
2364 <table width='100%' cellpadding='0' cellspacing='5' border='0'>
2365 <tr><td class='base' width='50%'>$Lang::tr{'use a pre-shared key'}</td>
2366 <td class='base' width='50%'><input type='password' name='PSK' size='30' value='$cgiparams{'PSK'}' /></td>
2367 </tr>
2368 </table>
ac1cfefa 2369END
624615ee
LS		 2370;
2371 &Header::closebox();
2372 } elsif (! $cgiparams{'KEY'}) {
2373 my $cakeydisabled = ( ! -f "${General::swroot}/private/cakey.pem" ) ? "disabled='disabled'" : '';
2374 $cgiparams{'CERT_NAME'} = $Lang::tr{'vpn no full pki'} if ($cakeydisabled);
2375 my $cacrtdisabled = ( ! -f "${General::swroot}/ca/cacert.pem" ) ? "disabled='disabled'" : '';
2376
2377 &Header::openbox('100%', 'left', $Lang::tr{'authentication'});
2378 print <<END
2379 <table width='100%' cellpadding='0' cellspacing='5' border='0'>
2380 <tr><td width='5%'><input type='radio' name='AUTH' value='psk' $checked{'AUTH'}{'psk'} /></td>
2381 <td class='base' width='55%'>$Lang::tr{'use a pre-shared key'}</td>
2382 <td class='base' width='40%'><input type='password' name='PSK' size='30' value='$cgiparams{'PSK'}' /></td></tr>
2383 <tr><td colspan='3' bgcolor='#000000'></td></tr>
2384 <tr><td><input type='radio' name='AUTH' value='certreq' $checked{'AUTH'}{'certreq'} $cakeydisabled /></td>
2385 <td class='base'><hr />$Lang::tr{'upload a certificate request'}</td>
2386 <td class='base' rowspan='3' valign='middle'><input type='file' name='FH' size='30' $cacrtdisabled /></td></tr>
2387 <tr><td><input type='radio' name='AUTH' value='certfile' $checked{'AUTH'}{'certfile'} $cacrtdisabled /></td>
2388 <td class='base'>$Lang::tr{'upload a certificate'}</td></tr>
2389 <tr><td><input type='radio' name='AUTH' value='pkcs12' $cacrtdisabled /></td>
2390 <td class='base'>$Lang::tr{'upload p12 file'} $Lang::tr{'pkcs12 file password'}:<input type='password' name='P12_PASS'/></td></tr>
2391 <tr><td><input type='radio' name='AUTH' value='auth-dn' $checked{'AUTH'}{'auth-dn'} $cacrtdisabled /></td>
2392 <td class='base'><hr />$Lang::tr{'vpn auth-dn'}</td></tr>
2393 <tr><td colspan='3' bgcolor='#000000'></td></tr>
2394 <tr><td><input type='radio' name='AUTH' value='certgen' $checked{'AUTH'}{'certgen'} $cakeydisabled /></td>
2395 <td class='base'><hr />$Lang::tr{'generate a certificate'}</td><td>&nbsp;</td></tr>
2396 <tr><td>&nbsp;</td>
2397 <td class='base'>$Lang::tr{'users fullname or system hostname'}:&nbsp;<img src='/blob.gif' alt='*' /></td>
2398 <td class='base' nowrap='nowrap'><input type='text' name='CERT_NAME' value='$cgiparams{'CERT_NAME'}' size='32' $cakeydisabled /></td></tr>
2399 <tr><td>&nbsp;</td>
2400 <td class='base'>$Lang::tr{'users email'}:</td>
2401 <td class='base' nowrap='nowrap'><input type='text' name='CERT_EMAIL' value='$cgiparams{'CERT_EMAIL'}' size='32' $cakeydisabled /></td></tr>
2402 <tr><td>&nbsp;</td>
2403 <td class='base'>$Lang::tr{'users department'}:</td>
2404 <td class='base' nowrap='nowrap'><input type='text' name='CERT_OU' value='$cgiparams{'CERT_OU'}' size='32' $cakeydisabled /></td></tr>
2405 <tr><td>&nbsp;</td>
2158e11b 2406 <td class='base'>$Lang::tr{'organization name'}:&nbsp;<img src='/blob.gif' alt='*' /></td>
624615ee
LS		 2407 <td class='base' nowrap='nowrap'><input type='text' name='CERT_ORGANIZATION' value='$cgiparams{'CERT_ORGANIZATION'}' size='32' $cakeydisabled /></td></tr>
2408 <tr><td>&nbsp;</td>
2409 <td class='base'>$Lang::tr{'city'}:</td>
2410 <td class='base' nowrap='nowrap'><input type='text' name='CERT_CITY' value='$cgiparams{'CERT_CITY'}' size='32' $cakeydisabled /></td></tr>
2411 <tr><td>&nbsp;</td>
2412 <td class='base'>$Lang::tr{'state or province'}:</td>
2413 <td class='base' nowrap='nowrap'><input type='text' name='CERT_STATE' value='$cgiparams{'CERT_STATE'}' size='32' $cakeydisabled /></td></tr>
2414 <tr><td>&nbsp;</td>
2415 <td class='base'>$Lang::tr{'country'}:</td>
2416 <td class='base'><select name='CERT_COUNTRY' $cakeydisabled>
2417END
2418;
2419 foreach my $country (sort keys %{Countries::countries}) {
2420 print "\t\t\t<option value='$Countries::countries{$country}'";
2421 if ( $Countries::countries{$country} eq $cgiparams{'CERT_COUNTRY'} ) {
2422 print " selected='selected'";
2423 }
2424 print ">$country</option>\n";
2425 }
2426 print <<END
2427 </select></td></tr>
2428
2429 <tr><td>&nbsp;</td><td class='base'>$Lang::tr{'vpn subjectaltname'} (subjectAltName=email:*,URI:*,DNS:*,RID:*)</td>
2430 <td class='base' nowrap='nowrap'><input type='text' name='SUBJECTALTNAME' value='$cgiparams{'SUBJECTALTNAME'}' size='32' $cakeydisabled /></td></tr>
2431 <tr><td>&nbsp;</td>
2432 <td class='base'>$Lang::tr{'pkcs12 file password'}:&nbsp;<img src='/blob.gif' alt='*' /></td>
2433 <td class='base' nowrap='nowrap'><input type='password' name='CERT_PASS1' value='$cgiparams{'CERT_PASS1'}' size='32' $cakeydisabled /></td></tr>
2434 <tr><td>&nbsp;</td><td class='base'>$Lang::tr{'pkcs12 file password'}&nbsp;($Lang::tr{'confirmation'}):&nbsp;<img src='/blob.gif' alt='*' /></td>
2435 <td class='base' nowrap='nowrap'><input type='password' name='CERT_PASS2' value='$cgiparams{'CERT_PASS2'}' size='32' $cakeydisabled /></td></tr>
2436 </table>
2437END
2438;
2439 &Header::closebox();
ac1cfefa
MT		 2440 }
2441
624615ee
LS		 2442 print "<div align='center'><input type='submit' name='ACTION' value='$Lang::tr{'save'}' />";
2443 if ($cgiparams{'KEY'}) {
2444 print "<input type='submit' name='ACTION' value='$Lang::tr{'advanced'}' />";
2445 }
2446 print "<input type='submit' name='ACTION' value='$Lang::tr{'cancel'}' /></div></form>";
2447 &Header::closebigbox();
2448 &Header::closepage();
2449 exit (0);
2450
2451 VPNCONF_END:
ac1cfefa
MT		 2452}
2453
2454###
2455### Advanced settings
2456###
2457if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) ||
2458 ($cgiparams{'ACTION'} eq $Lang::tr{'save'} && $cgiparams{'ADVANCED'} eq 'yes')) {
624615ee
LS		 2459 &General::readhash("${General::swroot}/vpn/settings", \%vpnsettings);
2460 &General::readhasharray("${General::swroot}/vpn/config", \%confighash);
2461 if (! $confighash{$cgiparams{'KEY'}}) {
2462 $errormessage = $Lang::tr{'invalid key'};
2463 goto ADVANCED_END;
2464 }
2465
2466 if ($cgiparams{'ACTION'} eq $Lang::tr{'save'}) {
2467 my @temp = split('\|', $cgiparams{'IKE_ENCRYPTION'});
2468 if ($#temp < 0) {
2469 $errormessage = $Lang::tr{'invalid input'};
2470 goto ADVANCED_ERROR;
2471 }
2472 foreach my $val (@temp) {
05375f12 2473 if ($val !~ /^(aes(256|192|128)(gcm(128|96|64))?|3des|chacha20poly1305|camellia(256|192|128))$/) {
624615ee
LS		 2474 $errormessage = $Lang::tr{'invalid input'};
2475 goto ADVANCED_ERROR;
2476 }
2477 }
2478 @temp = split('\|', $cgiparams{'IKE_INTEGRITY'});
2479 if ($#temp < 0) {
2480 $errormessage = $Lang::tr{'invalid input'};
2481 goto ADVANCED_ERROR;
2482 }
2483 foreach my $val (@temp) {
2484 if ($val !~ /^(sha2_(512|384|256)|sha|md5|aesxcbc)$/) {
2485 $errormessage = $Lang::tr{'invalid input'};
2486 goto ADVANCED_ERROR;
2487 }
2488 }
2489 @temp = split('\|', $cgiparams{'IKE_GROUPTYPE'});
2490 if ($#temp < 0) {
2491 $errormessage = $Lang::tr{'invalid input'};
2492 goto ADVANCED_ERROR;
2493 }
2494 foreach my $val (@temp) {
d47b2cc2 2495 if ($val !~ /^(curve25519|curve448|e521|e384|e256|e224|e192|e512bp|e384bp|e256bp|e224bp|768|1024|1536|2048|3072|4096|6144|8192)$/) {
624615ee
LS		 2496 $errormessage = $Lang::tr{'invalid input'};
2497 goto ADVANCED_ERROR;
2498 }
2499 }
2500 if ($cgiparams{'IKE_LIFETIME'} !~ /^\d+$/) {
2501 $errormessage = $Lang::tr{'invalid input for ike lifetime'};
2502 goto ADVANCED_ERROR;
2503 }
610108ff 2504 if ($cgiparams{'IKE_LIFETIME'} < 1 || $cgiparams{'IKE_LIFETIME'} > 24) {
81ebfac7 2505 $errormessage = $Lang::tr{'ike lifetime should be between 1 and 24 hours'};
624615ee
LS		 2506 goto ADVANCED_ERROR;
2507 }
2508 @temp = split('\|', $cgiparams{'ESP_ENCRYPTION'});
2509 if ($#temp < 0) {
2510 $errormessage = $Lang::tr{'invalid input'};
2511 goto ADVANCED_ERROR;
2512 }
2513 foreach my $val (@temp) {
05375f12 2514 if ($val !~ /^(aes(256|192|128)(gcm(128|96|64))?|3des|chacha20poly1305|camellia(256|192|128))$/) {
624615ee
LS		 2515 $errormessage = $Lang::tr{'invalid input'};
2516 goto ADVANCED_ERROR;
2517 }
2518 }
2519 @temp = split('\|', $cgiparams{'ESP_INTEGRITY'});
2520 if ($#temp < 0) {
2521 $errormessage = $Lang::tr{'invalid input'};
2522 goto ADVANCED_ERROR;
2523 }
2524 foreach my $val (@temp) {
2525 if ($val !~ /^(sha2_(512|384|256)|sha1|md5|aesxcbc)$/) {
2526 $errormessage = $Lang::tr{'invalid input'};
2527 goto ADVANCED_ERROR;
2528 }
2529 }
2530 @temp = split('\|', $cgiparams{'ESP_GROUPTYPE'});
2531 if ($#temp < 0) {
2532 $errormessage = $Lang::tr{'invalid input'};
2533 goto ADVANCED_ERROR;
2534 }
2535 foreach my $val (@temp) {
d47b2cc2 2536 if ($val !~ /^(curve25519|curve448|e521|e384|e256|e224|e192|e512bp|e384bp|e256bp|e224bp|768|1024|1536|2048|3072|4096|6144|8192|none)$/) {
624615ee
LS		 2537 $errormessage = $Lang::tr{'invalid input'};
2538 goto ADVANCED_ERROR;
2539 }
2540 }
2541 if ($cgiparams{'ESP_KEYLIFE'} !~ /^\d+$/) {
2542 $errormessage = $Lang::tr{'invalid input for esp keylife'};
2543 goto ADVANCED_ERROR;
2544 }
2545 if ($cgiparams{'ESP_KEYLIFE'} < 1 || $cgiparams{'ESP_KEYLIFE'} > 24) {
2546 $errormessage = $Lang::tr{'esp keylife should be between 1 and 24 hours'};
2547 goto ADVANCED_ERROR;
2548 }
2549
2550 if (($cgiparams{'COMPRESSION'} !~ /^(|on|off)$/) ||
2551 ($cgiparams{'FORCE_MOBIKE'} !~ /^(|on|off)$/) ||
2552 ($cgiparams{'ONLY_PROPOSED'} !~ /^(|on|off)$/) ||
2553 ($cgiparams{'PFS'} !~ /^(|on|off)$/)) {
2554 $errormessage = $Lang::tr{'invalid input'};
2555 goto ADVANCED_ERROR;
2556 }
2557
2558 if ($cgiparams{'DPD_DELAY'} !~ /^\d+$/) {
2559 $errormessage = $Lang::tr{'invalid input for dpd delay'};
2560 goto ADVANCED_ERROR;
2561 }
2562
2563 if ($cgiparams{'DPD_TIMEOUT'} !~ /^\d+$/) {
2564 $errormessage = $Lang::tr{'invalid input for dpd timeout'};
2565 goto ADVANCED_ERROR;
2566 }
2567
af183eeb
MT		 2568 if ($cgiparams{'INACTIVITY_TIMEOUT'} !~ /^\d+$/) {
2569 $errormessage = $Lang::tr{'invalid input for inactivity timeout'};
2570 goto ADVANCED_ERROR;
2571 }
2572
624615ee
LS		 2573 $confighash{$cgiparams{'KEY'}}[29] = $cgiparams{'IKE_VERSION'};
2574 $confighash{$cgiparams{'KEY'}}[18] = $cgiparams{'IKE_ENCRYPTION'};
2575 $confighash{$cgiparams{'KEY'}}[19] = $cgiparams{'IKE_INTEGRITY'};
2576 $confighash{$cgiparams{'KEY'}}[20] = $cgiparams{'IKE_GROUPTYPE'};
2577 $confighash{$cgiparams{'KEY'}}[16] = $cgiparams{'IKE_LIFETIME'};
2578 $confighash{$cgiparams{'KEY'}}[21] = $cgiparams{'ESP_ENCRYPTION'};
2579 $confighash{$cgiparams{'KEY'}}[22] = $cgiparams{'ESP_INTEGRITY'};
2580 $confighash{$cgiparams{'KEY'}}[23] = $cgiparams{'ESP_GROUPTYPE'};
2581 $confighash{$cgiparams{'KEY'}}[17] = $cgiparams{'ESP_KEYLIFE'};
2582 $confighash{$cgiparams{'KEY'}}[12] = 'off'; #$cgiparams{'AGGRMODE'};
2583 $confighash{$cgiparams{'KEY'}}[13] = $cgiparams{'COMPRESSION'};
2584 $confighash{$cgiparams{'KEY'}}[24] = $cgiparams{'ONLY_PROPOSED'};
2585 $confighash{$cgiparams{'KEY'}}[28] = $cgiparams{'PFS'};
2586 $confighash{$cgiparams{'KEY'}}[27] = $cgiparams{'DPD_ACTION'};
2587 $confighash{$cgiparams{'KEY'}}[30] = $cgiparams{'DPD_TIMEOUT'};
2588 $confighash{$cgiparams{'KEY'}}[31] = $cgiparams{'DPD_DELAY'};
2589 $confighash{$cgiparams{'KEY'}}[32] = $cgiparams{'FORCE_MOBIKE'};
dcb406cc 2590 $confighash{$cgiparams{'KEY'}}[33] = $cgiparams{'START_ACTION'};
af183eeb 2591 $confighash{$cgiparams{'KEY'}}[34] = $cgiparams{'INACTIVITY_TIMEOUT'};
624615ee
LS		 2592 &General::writehasharray("${General::swroot}/vpn/config", \%confighash);
2593 &writeipsecfiles();
2594 if (&vpnenabled) {
2595 system('/usr/local/bin/ipsecctrl', 'S', $cgiparams{'KEY'});
2596 sleep $sleepDelay;
2597 }
2598 goto ADVANCED_END;
2599 } else {
2600 $cgiparams{'IKE_VERSION'} = $confighash{$cgiparams{'KEY'}}[29];
2601 $cgiparams{'IKE_ENCRYPTION'} = $confighash{$cgiparams{'KEY'}}[18];
2602 $cgiparams{'IKE_INTEGRITY'} = $confighash{$cgiparams{'KEY'}}[19];
2603 $cgiparams{'IKE_GROUPTYPE'} = $confighash{$cgiparams{'KEY'}}[20];
2604 $cgiparams{'IKE_LIFETIME'} = $confighash{$cgiparams{'KEY'}}[16];
2605 $cgiparams{'ESP_ENCRYPTION'} = $confighash{$cgiparams{'KEY'}}[21];
2606 $cgiparams{'ESP_INTEGRITY'} = $confighash{$cgiparams{'KEY'}}[22];
2607 $cgiparams{'ESP_GROUPTYPE'} = $confighash{$cgiparams{'KEY'}}[23];
2608 if ($cgiparams{'ESP_GROUPTYPE'} eq "") {
2609 $cgiparams{'ESP_GROUPTYPE'} = $cgiparams{'IKE_GROUPTYPE'};
2610 }
2611 $cgiparams{'ESP_KEYLIFE'} = $confighash{$cgiparams{'KEY'}}[17];
2612 $cgiparams{'COMPRESSION'} = $confighash{$cgiparams{'KEY'}}[13];
2613 $cgiparams{'ONLY_PROPOSED'} = $confighash{$cgiparams{'KEY'}}[24];
2614 $cgiparams{'PFS'} = $confighash{$cgiparams{'KEY'}}[28];
2615 $cgiparams{'DPD_ACTION'} = $confighash{$cgiparams{'KEY'}}[27];
2616 $cgiparams{'DPD_TIMEOUT'} = $confighash{$cgiparams{'KEY'}}[30];
2617 $cgiparams{'DPD_DELAY'} = $confighash{$cgiparams{'KEY'}}[31];
2618 $cgiparams{'FORCE_MOBIKE'} = $confighash{$cgiparams{'KEY'}}[32];
dcb406cc 2619 $cgiparams{'START_ACTION'} = $confighash{$cgiparams{'KEY'}}[33];
af183eeb 2620 $cgiparams{'INACTIVITY_TIMEOUT'} = $confighash{$cgiparams{'KEY'}}[34];
29f5e0e2 2621 $cgiparams{'MODE'} = $confighash{$cgiparams{'KEY'}}[35];
cae1f4a7 2622 $cgiparams{'INTERFACE_MODE'} = $confighash{$cgiparams{'KEY'}}[36];
74641317 2623 $cgiparams{'INTERFACE_ADDRESS'} = $confighash{$cgiparams{'KEY'}}[37];
55842dda 2624 $cgiparams{'INTERFACE_MTU'} = $confighash{$cgiparams{'KEY'}}[38];
624615ee
LS		 2625
2626 if (!$cgiparams{'DPD_DELAY'}) {
2627 $cgiparams{'DPD_DELAY'} = 30;
2628 }
2629
2630 if (!$cgiparams{'DPD_TIMEOUT'}) {
2631 $cgiparams{'DPD_TIMEOUT'} = 120;
2632 }
dcb406cc
MT		 2633
2634 if (!$cgiparams{'START_ACTION'}) {
2635 $cgiparams{'START_ACTION'} = "start";
2636 }
af183eeb
MT		 2637
2638 if ($cgiparams{'INACTIVITY_TIMEOUT'} eq "") {
2639 $cgiparams{'INACTIVITY_TIMEOUT'} = 900; # 15 min
2640 }
29f5e0e2
MT		 2641
2642 if ($cgiparams{'MODE'} eq "") {
2643 $cgiparams{'MODE'} = "tunnel";
2644 }
ac1cfefa 2645 }
624615ee
LS		 2646
2647 ADVANCED_ERROR:
05375f12 2648 $checked{'IKE_ENCRYPTION'}{'chacha20poly1305'} = '';
624615ee
LS		 2649 $checked{'IKE_ENCRYPTION'}{'aes256'} = '';
2650 $checked{'IKE_ENCRYPTION'}{'aes192'} = '';
2651 $checked{'IKE_ENCRYPTION'}{'aes128'} = '';
2652 $checked{'IKE_ENCRYPTION'}{'aes256gcm128'} = '';
2653 $checked{'IKE_ENCRYPTION'}{'aes192gcm128'} = '';
2654 $checked{'IKE_ENCRYPTION'}{'aes128gcm128'} = '';
2655 $checked{'IKE_ENCRYPTION'}{'aes256gcm96'} = '';
2656 $checked{'IKE_ENCRYPTION'}{'aes192gcm96'} = '';
2657 $checked{'IKE_ENCRYPTION'}{'aes128gcm96'} = '';
2658 $checked{'IKE_ENCRYPTION'}{'aes256gcm64'} = '';
2659 $checked{'IKE_ENCRYPTION'}{'aes192gcm64'} = '';
2660 $checked{'IKE_ENCRYPTION'}{'aes128gcm64'} = '';
2661 $checked{'IKE_ENCRYPTION'}{'3des'} = '';
2662 $checked{'IKE_ENCRYPTION'}{'camellia256'} = '';
2663 $checked{'IKE_ENCRYPTION'}{'camellia192'} = '';
2664 $checked{'IKE_ENCRYPTION'}{'camellia128'} = '';
2665 my @temp = split('\|', $cgiparams{'IKE_ENCRYPTION'});
2666 foreach my $key (@temp) {$checked{'IKE_ENCRYPTION'}{$key} = "selected='selected'"; }
2667 $checked{'IKE_INTEGRITY'}{'sha2_512'} = '';
2668 $checked{'IKE_INTEGRITY'}{'sha2_384'} = '';
2669 $checked{'IKE_INTEGRITY'}{'sha2_256'} = '';
2670 $checked{'IKE_INTEGRITY'}{'sha'} = '';
2671 $checked{'IKE_INTEGRITY'}{'md5'} = '';
2672 $checked{'IKE_INTEGRITY'}{'aesxcbc'} = '';
ac1cfefa 2673 @temp = split('\|', $cgiparams{'IKE_INTEGRITY'});
624615ee 2674 foreach my $key (@temp) {$checked{'IKE_INTEGRITY'}{$key} = "selected='selected'"; }
64056cae 2675 $checked{'IKE_GROUPTYPE'}{'curve25519'} = '';
d47b2cc2 2676 $checked{'IKE_GROUPTYPE'}{'curve448'} = '';
624615ee
LS		 2677 $checked{'IKE_GROUPTYPE'}{'768'} = '';
2678 $checked{'IKE_GROUPTYPE'}{'1024'} = '';
2679 $checked{'IKE_GROUPTYPE'}{'1536'} = '';
2680 $checked{'IKE_GROUPTYPE'}{'2048'} = '';
2681 $checked{'IKE_GROUPTYPE'}{'3072'} = '';
2682 $checked{'IKE_GROUPTYPE'}{'4096'} = '';
2683 $checked{'IKE_GROUPTYPE'}{'6144'} = '';
2684 $checked{'IKE_GROUPTYPE'}{'8192'} = '';
ac1cfefa 2685 @temp = split('\|', $cgiparams{'IKE_GROUPTYPE'});
624615ee
LS		 2686 foreach my $key (@temp) {$checked{'IKE_GROUPTYPE'}{$key} = "selected='selected'"; }
2687
05375f12 2688 $checked{'ESP_ENCRYPTION'}{'chacha20poly1305'} = '';
624615ee
LS		 2689 $checked{'ESP_ENCRYPTION'}{'aes256'} = '';
2690 $checked{'ESP_ENCRYPTION'}{'aes192'} = '';
2691 $checked{'ESP_ENCRYPTION'}{'aes128'} = '';
2692 $checked{'ESP_ENCRYPTION'}{'aes256gcm128'} = '';
2693 $checked{'ESP_ENCRYPTION'}{'aes192gcm128'} = '';
2694 $checked{'ESP_ENCRYPTION'}{'aes128gcm128'} = '';
2695 $checked{'ESP_ENCRYPTION'}{'aes256gcm96'} = '';
2696 $checked{'ESP_ENCRYPTION'}{'aes192gcm96'} = '';
2697 $checked{'ESP_ENCRYPTION'}{'aes128gcm96'} = '';
2698 $checked{'ESP_ENCRYPTION'}{'aes256gcm64'} = '';
2699 $checked{'ESP_ENCRYPTION'}{'aes192gcm64'} = '';
2700 $checked{'ESP_ENCRYPTION'}{'aes128gcm64'} = '';
2701 $checked{'ESP_ENCRYPTION'}{'3des'} = '';
2702 $checked{'ESP_ENCRYPTION'}{'camellia256'} = '';
2703 $checked{'ESP_ENCRYPTION'}{'camellia192'} = '';
2704 $checked{'ESP_ENCRYPTION'}{'camellia128'} = '';
ac1cfefa 2705 @temp = split('\|', $cgiparams{'ESP_ENCRYPTION'});
624615ee
LS		 2706 foreach my $key (@temp) {$checked{'ESP_ENCRYPTION'}{$key} = "selected='selected'"; }
2707 $checked{'ESP_INTEGRITY'}{'sha2_512'} = '';
2708 $checked{'ESP_INTEGRITY'}{'sha2_384'} = '';
2709 $checked{'ESP_INTEGRITY'}{'sha2_256'} = '';
2710 $checked{'ESP_INTEGRITY'}{'sha1'} = '';
2711 $checked{'ESP_INTEGRITY'}{'md5'} = '';
2712 $checked{'ESP_INTEGRITY'}{'aesxcbc'} = '';
ac1cfefa 2713 @temp = split('\|', $cgiparams{'ESP_INTEGRITY'});
624615ee 2714 foreach my $key (@temp) {$checked{'ESP_INTEGRITY'}{$key} = "selected='selected'"; }
64056cae 2715 $checked{'ESP_GROUPTYPE'}{'curve25519'} = '';
d47b2cc2 2716 $checked{'ESP_GROUPTYPE'}{'curve448'} = '';
624615ee
LS		 2717 $checked{'ESP_GROUPTYPE'}{'768'} = '';
2718 $checked{'ESP_GROUPTYPE'}{'1024'} = '';
2719 $checked{'ESP_GROUPTYPE'}{'1536'} = '';
2720 $checked{'ESP_GROUPTYPE'}{'2048'} = '';
2721 $checked{'ESP_GROUPTYPE'}{'3072'} = '';
2722 $checked{'ESP_GROUPTYPE'}{'4096'} = '';
2723 $checked{'ESP_GROUPTYPE'}{'6144'} = '';
2724 $checked{'ESP_GROUPTYPE'}{'8192'} = '';
2725 $checked{'ESP_GROUPTYPE'}{'none'} = '';
4b02b404 2726 @temp = split('\|', $cgiparams{'ESP_GROUPTYPE'});
624615ee 2727 foreach my $key (@temp) {$checked{'ESP_GROUPTYPE'}{$key} = "selected='selected'"; }
ed84e8b8 2728
624615ee
LS		 2729 $checked{'COMPRESSION'} = $cgiparams{'COMPRESSION'} eq 'on' ? "checked='checked'" : '' ;
2730 $checked{'FORCE_MOBIKE'} = $cgiparams{'FORCE_MOBIKE'} eq 'on' ? "checked='checked'" : '' ;
2731 $checked{'ONLY_PROPOSED'} = $cgiparams{'ONLY_PROPOSED'} eq 'on' ? "checked='checked'" : '' ;
2732 $checked{'PFS'} = $cgiparams{'PFS'} eq 'on' ? "checked='checked'" : '' ;
cbb3a8f9 2733
624615ee
LS		 2734 $selected{'IKE_VERSION'}{'ikev1'} = '';
2735 $selected{'IKE_VERSION'}{'ikev2'} = '';
2736 $selected{'IKE_VERSION'}{$cgiparams{'IKE_VERSION'}} = "selected='selected'";
cbb3a8f9 2737
624615ee
LS		 2738 $selected{'DPD_ACTION'}{'clear'} = '';
2739 $selected{'DPD_ACTION'}{'hold'} = '';
2740 $selected{'DPD_ACTION'}{'restart'} = '';
2741 $selected{'DPD_ACTION'}{'none'} = '';
2742 $selected{'DPD_ACTION'}{$cgiparams{'DPD_ACTION'}} = "selected='selected'";
ac1cfefa 2743
237f3ab7 2744 $selected{'START_ACTION'}{'add'} = '';
dcb406cc
MT		 2745 $selected{'START_ACTION'}{'route'} = '';
2746 $selected{'START_ACTION'}{'start'} = '';
2747 $selected{'START_ACTION'}{$cgiparams{'START_ACTION'}} = "selected='selected'";
2748
af183eeb
MT		 2749 $selected{'INACTIVITY_TIMEOUT'} = ();
2750 foreach my $timeout (keys %INACTIVITY_TIMEOUTS) {
2751 $selected{'INACTIVITY_TIMEOUT'}{$timeout} = "";
2752 }
2753 $selected{'INACTIVITY_TIMEOUT'}{$cgiparams{'INACTIVITY_TIMEOUT'}} = "selected";
2754
624615ee
LS		 2755 &Header::showhttpheaders();
2756 &Header::openpage($Lang::tr{'ipsec'}, 1, '');
2757 &Header::openbigbox('100%', 'left', '', $errormessage);
2758
2759 if ($errormessage) {
2760 &Header::openbox('100%', 'left', $Lang::tr{'error messages'});
2761 print "<class name='base'>$errormessage";
2762 print "&nbsp;</class>";
2763 &Header::closebox();
2764 }
2765
2766 if ($warnmessage) {
2767 &Header::openbox('100%', 'left', $Lang::tr{'warning messages'});
2768 print "<class name='base'>$warnmessage";
2769 print "&nbsp;</class>";
2770 &Header::closebox();
2771 }
ac1cfefa 2772
624615ee 2773 &Header::openbox('100%', 'left', "$Lang::tr{'advanced'}:");
dcb406cc 2774 print <<EOF;
624615ee
LS		 2775 <form method='post' enctype='multipart/form-data' action='$ENV{'SCRIPT_NAME'}'>
2776 <input type='hidden' name='ADVANCED' value='yes' />
2777 <input type='hidden' name='KEY' value='$cgiparams{'KEY'}' />
ac1cfefa 2778
624615ee 2779 <table width='100%'>
63e3da59
MT		 2780 <thead>
2781 <tr>
cbb3a8f9 2782 <th width="15%"></th>
63e3da59
MT		 2783 <th>IKE</th>
2784 <th>ESP</th>
2785 </tr>
2786 </thead>
2787 <tbody>
4ad0b5b6
MT		 2788 <tr>
2789 <td>$Lang::tr{'vpn keyexchange'}:</td>
2790 <td>
2791 <select name='IKE_VERSION'>
2792 <option value='ikev2' $selected{'IKE_VERSION'}{'ikev2'}>IKEv2</option>
2793 <option value='ikev1' $selected{'IKE_VERSION'}{'ikev1'}>IKEv1</option>
2794 </select>
2795 </td>
2796 <td></td>
2797 </tr>
63e3da59 2798 <tr>
cbb3a8f9 2799 <td class='boldbase' width="15%">$Lang::tr{'encryption'}</td>
63e3da59
MT		 2800 <td class='boldbase'>
2801 <select name='IKE_ENCRYPTION' multiple='multiple' size='6' style='width: 100%'>
05375f12 2802 <option value='chacha20poly1305' $checked{'IKE_ENCRYPTION'}{'chacha20poly1305'}>256 bit ChaCha20-Poly1305/128 bit ICV</option>
dfea4f86 2803 <option value='aes256gcm128' $checked{'IKE_ENCRYPTION'}{'aes256gcm128'}>256 bit AES-GCM/128 bit ICV</option>
dfea4f86 2804 <option value='aes256gcm96' $checked{'IKE_ENCRYPTION'}{'aes256gcm96'}>256 bit AES-GCM/96 bit ICV</option>
dfea4f86 2805 <option value='aes256gcm64' $checked{'IKE_ENCRYPTION'}{'aes256gcm64'}>256 bit AES-GCM/64 bit ICV</option>
a4d24f90 2806 <option value='aes256' $checked{'IKE_ENCRYPTION'}{'aes256'}>256 bit AES-CBC</option>
dfea4f86 2807 <option value='camellia256' $checked{'IKE_ENCRYPTION'}{'camellia256'}>256 bit Camellia-CBC</option>
a4d24f90
MT		 2808 <option value='aes192gcm128' $checked{'IKE_ENCRYPTION'}{'aes192gcm128'}>192 bit AES-GCM/128 bit ICV</option>
2809 <option value='aes192gcm96' $checked{'IKE_ENCRYPTION'}{'aes192gcm96'}>192 bit AES-GCM/96 bit ICV</option>
2810 <option value='aes192gcm64' $checked{'IKE_ENCRYPTION'}{'aes192gcm64'}>192 bit AES-GCM/64 bit ICV</option>
2811 <option value='aes192' $checked{'IKE_ENCRYPTION'}{'aes192'}>192 bit AES-CBC</option>
dfea4f86 2812 <option value='camellia192' $checked{'IKE_ENCRYPTION'}{'camellia192'}>192 bit Camellia-CBC</option>
a4d24f90
MT		 2813 <option value='aes128gcm128' $checked{'IKE_ENCRYPTION'}{'aes128gcm128'}>128 bit AES-GCM/128 bit ICV</option>
2814 <option value='aes128gcm96' $checked{'IKE_ENCRYPTION'}{'aes128gcm96'}>128 bit AES-GCM/96 bit ICV</option>
2815 <option value='aes128gcm64' $checked{'IKE_ENCRYPTION'}{'aes128gcm64'}>128 bit AES-GCM/64 bit ICV</option>
2816 <option value='aes128' $checked{'IKE_ENCRYPTION'}{'aes128'}>128 bit AES-CBC</option>
dfea4f86 2817 <option value='camellia128' $checked{'IKE_ENCRYPTION'}{'camellia128'}>128 bit Camellia-CBC</option>
6fc0f5eb 2818 <option value='3des' $checked{'IKE_ENCRYPTION'}{'3des'}>168 bit 3DES-EDE-CBC ($Lang::tr{'vpn weak'})</option>
63e3da59
MT		 2819 </select>
2820 </td>
2821 <td class='boldbase'>
2822 <select name='ESP_ENCRYPTION' multiple='multiple' size='6' style='width: 100%'>
05375f12 2823 <option value='chacha20poly1305' $checked{'ESP_ENCRYPTION'}{'chacha20poly1305'}>256 bit ChaCha20-Poly1305/128 bit ICV</option>
dfea4f86 2824 <option value='aes256gcm128' $checked{'ESP_ENCRYPTION'}{'aes256gcm128'}>256 bit AES-GCM/128 bit ICV</option>
dfea4f86 2825 <option value='aes256gcm96' $checked{'ESP_ENCRYPTION'}{'aes256gcm96'}>256 bit AES-GCM/96 bit ICV</option>
dfea4f86 2826 <option value='aes256gcm64' $checked{'ESP_ENCRYPTION'}{'aes256gcm64'}>256 bit AES-GCM/64 bit ICV</option>
a4d24f90 2827 <option value='aes256' $checked{'ESP_ENCRYPTION'}{'aes256'}>256 bit AES-CBC</option>
dfea4f86 2828 <option value='camellia256' $checked{'ESP_ENCRYPTION'}{'camellia256'}>256 bit Camellia-CBC</option>
a4d24f90
MT		 2829 <option value='aes192gcm128' $checked{'ESP_ENCRYPTION'}{'aes192gcm128'}>192 bit AES-GCM/128 bit ICV</option>
2830 <option value='aes192gcm96' $checked{'ESP_ENCRYPTION'}{'aes192gcm96'}>192 bit AES-GCM/96 bit ICV</option>
2831 <option value='aes192gcm64' $checked{'ESP_ENCRYPTION'}{'aes192gcm64'}>192 bit AES-GCM/64 bit ICV</option>
2832 <option value='aes192' $checked{'ESP_ENCRYPTION'}{'aes192'}>192 bit AES-CBC</option>
dfea4f86 2833 <option value='camellia192' $checked{'ESP_ENCRYPTION'}{'camellia192'}>192 bit Camellia-CBC</option>
a4d24f90
MT		 2834 <option value='aes128gcm128' $checked{'ESP_ENCRYPTION'}{'aes128gcm128'}>128 bit AES-GCM/128 bit ICV</option>
2835 <option value='aes128gcm96' $checked{'ESP_ENCRYPTION'}{'aes128gcm96'}>128 bit AES-GCM/96 bit ICV</option>
2836 <option value='aes128gcm64' $checked{'ESP_ENCRYPTION'}{'aes128gcm64'}>128 bit AES-GCM/64 bit ICV</option>
2837 <option value='aes128' $checked{'ESP_ENCRYPTION'}{'aes128'}>128 bit AES-CBC</option>
dfea4f86 2838 <option value='camellia128' $checked{'ESP_ENCRYPTION'}{'camellia128'}>128 bit Camellia-CBC</option>
6fc0f5eb 2839 <option value='3des' $checked{'ESP_ENCRYPTION'}{'3des'}>168 bit 3DES-EDE-CBC ($Lang::tr{'vpn weak'})</option>
63e3da59
MT		 2840 </select>
2841 </td>
2842 </tr>
ed84e8b8 2843
63e3da59 2844 <tr>
cbb3a8f9 2845 <td class='boldbase' width="15%">$Lang::tr{'integrity'}</td>
63e3da59
MT		 2846 <td class='boldbase'>
2847 <select name='IKE_INTEGRITY' multiple='multiple' size='6' style='width: 100%'>
2848 <option value='sha2_512' $checked{'IKE_INTEGRITY'}{'sha2_512'}>SHA2 512 bit</option>
2849 <option value='sha2_384' $checked{'IKE_INTEGRITY'}{'sha2_384'}>SHA2 384 bit</option>
2850 <option value='sha2_256' $checked{'IKE_INTEGRITY'}{'sha2_256'}>SHA2 256 bit</option>
a4d24f90 2851 <option value='aesxcbc' $checked{'IKE_INTEGRITY'}{'aesxcbc'}>AES XCBC</option>
c94d1976 2852 <option value='sha' $checked{'IKE_INTEGRITY'}{'sha'}>SHA1 ($Lang::tr{'vpn weak'})</option>
86282bdc 2853 <option value='md5' $checked{'IKE_INTEGRITY'}{'md5'}>MD5 ($Lang::tr{'vpn broken'})</option>
63e3da59
MT		 2854 </select>
2855 </td>
2856 <td class='boldbase'>
2857 <select name='ESP_INTEGRITY' multiple='multiple' size='6' style='width: 100%'>
2858 <option value='sha2_512' $checked{'ESP_INTEGRITY'}{'sha2_512'}>SHA2 512 bit</option>
2859 <option value='sha2_384' $checked{'ESP_INTEGRITY'}{'sha2_384'}>SHA2 384 bit</option>
2860 <option value='sha2_256' $checked{'ESP_INTEGRITY'}{'sha2_256'}>SHA2 256 bit</option>
a4d24f90 2861 <option value='aesxcbc' $checked{'ESP_INTEGRITY'}{'aesxcbc'}>AES XCBC</option>
c94d1976
MT		 2862 <option value='sha1' $checked{'ESP_INTEGRITY'}{'sha1'}>SHA1 ($Lang::tr{'vpn weak'})</option>
2863 <option value='md5' $checked{'ESP_INTEGRITY'}{'md5'}>MD5 ($Lang::tr{'vpn broken'})</option>
63e3da59
MT		 2864 </select>
2865 </td>
2866 </tr>
2867 <tr>
e3edceeb 2868 <td class='boldbase' width="15%">$Lang::tr{'lifetime'}&nbsp;<img src='/blob.gif' alt='*' /></td>
63e3da59
MT		 2869 <td class='boldbase'>
2870 <input type='text' name='IKE_LIFETIME' value='$cgiparams{'IKE_LIFETIME'}' size='5' /> $Lang::tr{'hours'}
2871 </td>
2872 <td class='boldbase'>
2873 <input type='text' name='ESP_KEYLIFE' value='$cgiparams{'ESP_KEYLIFE'}' size='5' /> $Lang::tr{'hours'}
2874 </td>
2875 </tr>
2876 <tr>
cbb3a8f9 2877 <td class='boldbase' width="15%">$Lang::tr{'grouptype'}</td>
63e3da59
MT		 2878 <td class='boldbase'>
2879 <select name='IKE_GROUPTYPE' multiple='multiple' size='6' style='width: 100%'>
64056cae 2880 <option value='curve25519' $checked{'IKE_GROUPTYPE'}{'curve25519'}>Curve 25519 (256 bit)</option>
d47b2cc2 2881 <option value='curve448' $checked{'IKE_GROUPTYPE'}{'curve448'}>Curve 448 (224 bit)</option>
63e3da59 2882 <option value='e521' $checked{'IKE_GROUPTYPE'}{'e521'}>ECP-521 (NIST)</option>
63e3da59 2883 <option value='e512bp' $checked{'IKE_GROUPTYPE'}{'e512bp'}>ECP-512 (Brainpool)</option>
a4d24f90 2884 <option value='e384' $checked{'IKE_GROUPTYPE'}{'e384'}>ECP-384 (NIST)</option>
63e3da59 2885 <option value='e384bp' $checked{'IKE_GROUPTYPE'}{'e384bp'}>ECP-384 (Brainpool)</option>
a4d24f90 2886 <option value='e256' $checked{'IKE_GROUPTYPE'}{'e256'}>ECP-256 (NIST)</option>
63e3da59 2887 <option value='e256bp' $checked{'IKE_GROUPTYPE'}{'e256bp'}>ECP-256 (Brainpool)</option>
a4d24f90 2888 <option value='e224' $checked{'IKE_GROUPTYPE'}{'e224'}>ECP-224 (NIST)</option>
63e3da59 2889 <option value='e224bp' $checked{'IKE_GROUPTYPE'}{'e224bp'}>ECP-224 (Brainpool)</option>
a4d24f90 2890 <option value='e192' $checked{'IKE_GROUPTYPE'}{'e192'}>ECP-192 (NIST)</option>
63e3da59
MT		 2891 <option value='8192' $checked{'IKE_GROUPTYPE'}{'8192'}>MODP-8192</option>
2892 <option value='6144' $checked{'IKE_GROUPTYPE'}{'6144'}>MODP-6144</option>
2893 <option value='4096' $checked{'IKE_GROUPTYPE'}{'4096'}>MODP-4096</option>
2894 <option value='3072' $checked{'IKE_GROUPTYPE'}{'3072'}>MODP-3072</option>
63e3da59
MT		 2895 <option value='2048' $checked{'IKE_GROUPTYPE'}{'2048'}>MODP-2048</option>
2896 <option value='1536' $checked{'IKE_GROUPTYPE'}{'1536'}>MODP-1536</option>
c94d1976
MT		 2897 <option value='1024' $checked{'IKE_GROUPTYPE'}{'1024'}>MODP-1024 ($Lang::tr{'vpn broken'})</option>
2898 <option value='768' $checked{'IKE_GROUPTYPE'}{'768'}>MODP-768 ($Lang::tr{'vpn broken'})</option>
63e3da59
MT		 2899 </select>
2900 </td>
4b02b404
MT		 2901 <td class='boldbase'>
2902 <select name='ESP_GROUPTYPE' multiple='multiple' size='6' style='width: 100%'>
64056cae 2903 <option value='curve25519' $checked{'ESP_GROUPTYPE'}{'curve25519'}>Curve 25519 (256 bit)</option>
d47b2cc2 2904 <option value='curve448' $checked{'ESP_GROUPTYPE'}{'curve448'}>Curve 448 (224 bit)</option>
4b02b404
MT		 2905 <option value='e521' $checked{'ESP_GROUPTYPE'}{'e521'}>ECP-521 (NIST)</option>
2906 <option value='e512bp' $checked{'ESP_GROUPTYPE'}{'e512bp'}>ECP-512 (Brainpool)</option>
2907 <option value='e384' $checked{'ESP_GROUPTYPE'}{'e384'}>ECP-384 (NIST)</option>
2908 <option value='e384bp' $checked{'ESP_GROUPTYPE'}{'e384bp'}>ECP-384 (Brainpool)</option>
2909 <option value='e256' $checked{'ESP_GROUPTYPE'}{'e256'}>ECP-256 (NIST)</option>
2910 <option value='e256bp' $checked{'ESP_GROUPTYPE'}{'e256bp'}>ECP-256 (Brainpool)</option>
2911 <option value='e224' $checked{'ESP_GROUPTYPE'}{'e224'}>ECP-224 (NIST)</option>
2912 <option value='e224bp' $checked{'ESP_GROUPTYPE'}{'e224bp'}>ECP-224 (Brainpool)</option>
2913 <option value='e192' $checked{'ESP_GROUPTYPE'}{'e192'}>ECP-192 (NIST)</option>
2914 <option value='8192' $checked{'ESP_GROUPTYPE'}{'8192'}>MODP-8192</option>
2915 <option value='6144' $checked{'ESP_GROUPTYPE'}{'6144'}>MODP-6144</option>
2916 <option value='4096' $checked{'ESP_GROUPTYPE'}{'4096'}>MODP-4096</option>
2917 <option value='3072' $checked{'ESP_GROUPTYPE'}{'3072'}>MODP-3072</option>
4b02b404
MT		 2918 <option value='2048' $checked{'ESP_GROUPTYPE'}{'2048'}>MODP-2048</option>
2919 <option value='1536' $checked{'ESP_GROUPTYPE'}{'1536'}>MODP-1536</option>
c94d1976
MT		 2920 <option value='1024' $checked{'ESP_GROUPTYPE'}{'1024'}>MODP-1024 ($Lang::tr{'vpn broken'})</option>
2921 <option value='768' $checked{'ESP_GROUPTYPE'}{'768'}>MODP-768 ($Lang::tr{'vpn broken'})</option>
4b02b404
MT		 2922 <option value='none' $checked{'ESP_GROUPTYPE'}{'none'}>- $Lang::tr{'none'} -</option>
2923 </select>
2924 </td>
63e3da59
MT		 2925 </tr>
2926 </tbody>
624615ee 2927 </table>
63e3da59 2928
cbb3a8f9
MT		 2929 <br><br>
2930
2931 <h2>$Lang::tr{'dead peer detection'}</h2>
2932
624615ee
LS		 2933 <table width="100%">
2934 <tr>
cbb3a8f9
MT		 2935 <td width="15%">$Lang::tr{'dpd action'}:</td>
2936 <td>
2937 <select name='DPD_ACTION'>
afd5d8f7 2938 <option value='none' $selected{'DPD_ACTION'}{'none'}>- $Lang::tr{'disabled'} -</option>
cbb3a8f9
MT		 2939 <option value='clear' $selected{'DPD_ACTION'}{'clear'}>clear</option>
2940 <option value='hold' $selected{'DPD_ACTION'}{'hold'}>hold</option>
2941 <option value='restart' $selected{'DPD_ACTION'}{'restart'}>restart</option>
2942 </select>
2943 </td>
2944 </tr>
2945 <tr>
e3edceeb 2946 <td width="15%">$Lang::tr{'dpd timeout'}:&nbsp;<img src='/blob.gif' alt='*' /></td>
cbb3a8f9
MT		 2947 <td>
2948 <input type='text' name='DPD_TIMEOUT' size='5' value='$cgiparams{'DPD_TIMEOUT'}' />
2949 </td>
2950 </tr>
2951 <tr>
e3edceeb 2952 <td width="15%">$Lang::tr{'dpd delay'}:&nbsp;<img src='/blob.gif' alt='*' /></td>
cbb3a8f9
MT		 2953 <td>
2954 <input type='text' name='DPD_DELAY' size='5' value='$cgiparams{'DPD_DELAY'}' />
2955 </td>
2956 </tr>
624615ee 2957 </table>
cbb3a8f9 2958
624615ee 2959 <hr>
63e3da59 2960
624615ee 2961 <table width="100%">
63e3da59 2962 <tr>
cbb3a8f9 2963 <td>
63e3da59
MT		 2964 <label>
2965 <input type='checkbox' name='ONLY_PROPOSED' $checked{'ONLY_PROPOSED'} />
cbb88df1 2966 IKE+ESP: $Lang::tr{'use only proposed settings'}
63e3da59
MT		 2967 </label>
2968 </td>
dcb406cc
MT		 2969 <td>
2970 <label>$Lang::tr{'vpn start action'}</label>
2971 <select name="START_ACTION">
2972 <option value="route" $selected{'START_ACTION'}{'route'}>$Lang::tr{'vpn start action route'}</option>
2973 <option value="start" $selected{'START_ACTION'}{'start'}>$Lang::tr{'vpn start action start'}</option>
237f3ab7 2974 <option value="add" $selected{'START_ACTION'}{'add'} >$Lang::tr{'vpn start action add'}</option>
dcb406cc
MT		 2975 </select>
2976 </td>
63e3da59
MT		 2977 </tr>
2978 <tr>
af183eeb 2979 <td>
63e3da59
MT		 2980 <label>
2981 <input type='checkbox' name='PFS' $checked{'PFS'} />
2982 $Lang::tr{'pfs yes no'}
2983 </label>
2984 </td>
af183eeb
MT		 2985 <td>
2986 <label>$Lang::tr{'vpn inactivity timeout'}</label>
2987 <select name="INACTIVITY_TIMEOUT">
2988EOF
2989 foreach my $t (sort { $a <=> $b } keys %INACTIVITY_TIMEOUTS) {
2990 print "<option value=\"$t\" $selected{'INACTIVITY_TIMEOUT'}{$t}>$INACTIVITY_TIMEOUTS{$t}</option>\n";
2991 }
2992
2993 print <<EOF;
2994
2995 </select>
2996 </td>
63e3da59
MT		 2997 </tr>
2998 <tr>
dcb406cc 2999 <td colspan="2">
63e3da59
MT		 3000 <label>
3001 <input type='checkbox' name='COMPRESSION' $checked{'COMPRESSION'} />
3002 $Lang::tr{'vpn payload compression'}
3003 </label>
3004 </td>
ed84e8b8 3005 </tr>
f6529a04 3006 <tr>
dcb406cc 3007 <td colspan="2">
f6529a04
MT		 3008 <label>
3009 <input type='checkbox' name='FORCE_MOBIKE' $checked{'FORCE_MOBIKE'} />
3010 $Lang::tr{'vpn force mobike'}
3011 </label>
3012 </td>
3013 </tr>
63e3da59 3014 <tr>
dcb406cc
MT		 3015 <td align='left'><img src='/blob.gif' align='top' alt='*' />&nbsp;$Lang::tr{'required field'}</td>
3016 <td align='right'>
63e3da59
MT		 3017 <input type='submit' name='ACTION' value='$Lang::tr{'save'}' />
3018 <input type='submit' name='ACTION' value='$Lang::tr{'cancel'}' />
3019 </td>
3020 </tr>
624615ee 3021 </table></form>
63e3da59
MT		 3022EOF
3023
624615ee
LS		 3024 &Header::closebox();
3025 &Header::closebigbox();
3026 &Header::closepage();
3027 exit(0);
ac1cfefa 3028
624615ee 3029 ADVANCED_END:
ac1cfefa
MT		 3030}
3031
3032###
3033### Default status page
3034###
624615ee
LS		 3035 %cgiparams = ();
3036 %cahash = ();
3037 %confighash = ();
3038 &General::readhash("${General::swroot}/vpn/settings", \%cgiparams);
3039 &General::readhasharray("${General::swroot}/vpn/caconfig", \%cahash);
3040 &General::readhasharray("${General::swroot}/vpn/config", \%confighash);
3041 $cgiparams{'CA_NAME'} = '';
3042
3043 my @status = `/usr/local/bin/ipsecctrl I 2>/dev/null`;
3044
624615ee
LS		 3045 $checked{'ENABLED'} = $cgiparams{'ENABLED'} eq 'on' ? "checked='checked'" : '';
3046
3047 &Header::showhttpheaders();
3048 &Header::openpage($Lang::tr{'ipsec'}, 1, '');
3049 &Header::openbigbox('100%', 'left', '', $errormessage);
3050
3051 if ($errormessage) {
3052 &Header::openbox('100%', 'left', $Lang::tr{'error messages'});
3053 print "<class name='base'>$errormessage\n";
3054 print "&nbsp;</class>\n";
3055 &Header::closebox();
3056 }
ac1cfefa 3057
4d81e0f3
AM		 3058 if ($warnmessage) {
3059 &Header::openbox('100%', 'left', $Lang::tr{'warning messages'});
3060 print "$warnmessage<br>";
3061 print "$Lang::tr{'fwdfw warn1'}<br>";
3062 &Header::closebox();
03b08c08 3063 print"<center><form method='post'><input type='submit' name='ACTION' value='$Lang::tr{'ok'}' style='width: 5em;'></form>";
4d81e0f3
AM		 3064 &Header::closepage();
3065 exit 0;
3066 }
3067
624615ee
LS		 3068 &Header::openbox('100%', 'left', $Lang::tr{'global settings'});
3069 print <<END
3070 <form method='post' action='$ENV{'SCRIPT_NAME'}'>
3071 <table width='100%'>
38f6bdb7
MT		 3072 <tr>
3073 <td width='60%' class='base'>
3074 $Lang::tr{'enabled'}
3075 </td>
3076 <td width="40%">
3077 <input type='checkbox' name='ENABLED' $checked{'ENABLED'} />
3078 </td>
3079 </tr>
3080 <tr>
3081 <td class='base' nowrap='nowrap' width="60%">$Lang::tr{'host to net vpn'}:</td>
3082 <td width="40%"><input type='text' name='RW_NET' value='$cgiparams{'RW_NET'}' /></td>
3083 </tr>
3084 <tr>
3085 <td width='100%' colspan="2" align='right' class='base'><input type='submit' name='ACTION' value='$Lang::tr{'save'}' /></td>
3086 </tr>
ac1cfefa
MT		 3087</table>
3088END
624615ee
LS		 3089;
3090 print "</form>";
3091 &Header::closebox();
3092
3093 &Header::openbox('100%', 'left', $Lang::tr{'connection status and controlc'});
3094 print <<END
3095 <table width='100%' cellspacing='1' cellpadding='0' class='tbl'>
3096 <tr>
e9850821
AM		 3097 <th width='10%' class='boldbase' align='center'><b>$Lang::tr{'name'}</b></th>
3098 <th width='22%' class='boldbase' align='center'><b>$Lang::tr{'type'}</b></th>
3099 <th width='23%' class='boldbase' align='center'><b>$Lang::tr{'common name'}</b></th>
3100 <th width='30%' class='boldbase' align='center'><b>$Lang::tr{'remark'}</b></th>
3101 <th width='10%' class='boldbase' align='center'><b>$Lang::tr{'status'}</b></th>
26a0befd 3102 <th class='boldbase' align='center' colspan='7'><b>$Lang::tr{'action'}</b></th>
624615ee 3103 </tr>
ac1cfefa 3104END
624615ee
LS		 3105;
3106 my $id = 0;
3107 my $gif;
3108 foreach my $key (sort { ncmp ($confighash{$a}[1],$confighash{$b}[1]) } keys %confighash) {
ac1cfefa
MT		 3109 if ($confighash{$key}[0] eq 'on') { $gif = 'on.gif'; } else { $gif = 'off.gif'; }
3110
3111 if ($id % 2) {
e9850821
AM		 3112 print "<tr>";
3113 $col="bgcolor='$color{'color20'}'";
ac1cfefa 3114 } else {
e9850821
AM		 3115 print "<tr>";
3116 $col="bgcolor='$color{'color22'}'";
ac1cfefa 3117 }
e9850821
AM		 3118 print "<td align='center' nowrap='nowrap' $col>$confighash{$key}[1]</td>";
3119 print "<td align='center' nowrap='nowrap' $col>" . $Lang::tr{"$confighash{$key}[3]"} . " (" . $Lang::tr{"$confighash{$key}[4]"} . ") $confighash{$key}[29]</td>";
ed84e8b8 3120 if ($confighash{$key}[2] eq '%auth-dn') {
624615ee 3121 print "<td align='left' nowrap='nowrap' $col>$confighash{$key}[9]</td>";
ed84e8b8 3122 } elsif ($confighash{$key}[4] eq 'cert') {
624615ee 3123 print "<td align='left' nowrap='nowrap' $col>$confighash{$key}[2]</td>";
ac1cfefa 3124 } else {
624615ee 3125 print "<td align='left' $col>&nbsp;</td>";
ac1cfefa 3126 }
e9850821 3127 print "<td align='center' $col>$confighash{$key}[25]</td>";
0afd8493 3128 my $col1="bgcolor='${Header::colourred}'";
0afd8493 3129 my $active = "<b><font color='#FFFFFF'>$Lang::tr{'capsclosed'}</font></b>";
aec1925b
MT		 3130 if ($confighash{$key}[33] eq "add") {
3131 $col1="bgcolor='${Header::colourorange}'";
3132 $active = "<b><font color='#FFFFFF'>$Lang::tr{'vpn wait'}</font></b>";
3133 }
5fd30232 3134 foreach my $line (@status) {
624615ee
LS		 3135 if (($line =~ /\"$confighash{$key}[1]\".*IPsec SA established/) ||
3136 ($line =~ /$confighash{$key}[1]\{.*INSTALLED/)) {
3137 $col1="bgcolor='${Header::colourgreen}'";
3138 $active = "<b><font color='#FFFFFF'>$Lang::tr{'capsopen'}</font></b>";
1f3f2d67 3139 last;
1fab4edf
MT		 3140 } elsif ($line =~ /$confighash{$key}[1]\[.*CONNECTING/) {
3141 $col1="bgcolor='${Header::colourorange}'";
3142 $active = "<b><font color='#FFFFFF'>$Lang::tr{'vpn connecting'}</font></b>";
8057ab15
MT		 3143 } elsif ($line =~ /$confighash{$key}[1]\{.*ROUTED/) {
3144 $col1="bgcolor='${Header::colourorange}'";
3145 $active = "<b><font color='#FFFFFF'>$Lang::tr{'vpn on-demand'}</font></b>";
624615ee
LS		 3146 }
3147 }
3148 # move to blue if really down
0afd8493
AM		 3149 if ($confighash{$key}[0] eq 'off' && $col1 =~ /${Header::colourred}/ ) {
3150 $col1="bgcolor='${Header::colourblue}'";
624615ee 3151 $active = "<b><font color='#FFFFFF'>$Lang::tr{'capsclosed'}</font></b>";
5fd30232 3152 }
ac1cfefa 3153 print <<END
0afd8493 3154 <td align='center' $col1>$active</td>
e9850821 3155 <td align='center' $col>
624615ee
LS		 3156 <form method='post' action='$ENV{'SCRIPT_NAME'}'>
3157 <input type='image' name='$Lang::tr{'restart'}' src='/images/reload.gif' alt='$Lang::tr{'restart'}' title='$Lang::tr{'restart'}' />
3158 <input type='hidden' name='ACTION' value='$Lang::tr{'restart'}' />
3159 <input type='hidden' name='KEY' value='$key' />
3160 </form>
ed84e8b8 3161 </td>
ac1cfefa 3162END
624615ee 3163;
ed84e8b8 3164 if (($confighash{$key}[4] eq 'cert') && ($confighash{$key}[2] ne '%auth-dn')) {
624615ee
LS		 3165 print <<END
3166 <td align='center' $col>
3167 <form method='post' action='$ENV{'SCRIPT_NAME'}'>
ed84e8b8 3168 <input type='image' name='$Lang::tr{'show certificate'}' src='/images/info.gif' alt='$Lang::tr{'show certificate'}' title='$Lang::tr{'show certificate'}' />
ac1cfefa
MT		 3169 <input type='hidden' name='ACTION' value='$Lang::tr{'show certificate'}' />
3170 <input type='hidden' name='KEY' value='$key' />
624615ee
LS		 3171 </form>
3172 </td>
ac1cfefa 3173END
624615ee
LS		 3174;
3175 } else {
3176 print "<td width='2%' $col>&nbsp;</td>";
ac1cfefa 3177 }
624615ee
LS		 3178 if ($confighash{$key}[4] eq 'cert' && -f "${General::swroot}/certs/$confighash{$key}[1].p12") {
3179 print <<END
3180 <td align='center' $col>
3181 <form method='post' action='$ENV{'SCRIPT_NAME'}'>
ed84e8b8 3182 <input type='image' name='$Lang::tr{'download pkcs12 file'}' src='/images/floppy.gif' alt='$Lang::tr{'download pkcs12 file'}' title='$Lang::tr{'download pkcs12 file'}' />
ac1cfefa
MT		 3183 <input type='hidden' name='ACTION' value='$Lang::tr{'download pkcs12 file'}' />
3184 <input type='hidden' name='KEY' value='$key' />
624615ee 3185 </form>
ed84e8b8 3186 </td>
ac1cfefa 3187END
624615ee
LS		 3188;
3189 } elsif (($confighash{$key}[4] eq 'cert') && ($confighash{$key}[2] ne '%auth-dn')) {
3190 print <<END
3191 <td align='center' $col>
3192 <form method='post' action='$ENV{'SCRIPT_NAME'}'>
ed84e8b8 3193 <input type='image' name='$Lang::tr{'download certificate'}' src='/images/floppy.gif' alt='$Lang::tr{'download certificate'}' title='$Lang::tr{'download certificate'}' />
ac1cfefa
MT		 3194 <input type='hidden' name='ACTION' value='$Lang::tr{'download certificate'}' />
3195 <input type='hidden' name='KEY' value='$key' />
624615ee 3196 </form>
ed84e8b8 3197 </td>
ac1cfefa 3198END
624615ee
LS		 3199;
3200 } else {
3201 print "<td width='2%' $col>&nbsp;</td>";
ac1cfefa 3202 }
26a0befd
MT		 3203
3204 # Apple Profile
3205 if ($confighash{$key}[3] eq 'host') {
3206 print <<END;
3207 <td align='center' $col>
3208 <form method='post' action='$ENV{'SCRIPT_NAME'}'>
3209 <input type='image' name='$Lang::tr{'download apple profile'}' src='/images/apple.png' alt='$Lang::tr{'download apple profile'}' title='$Lang::tr{'download apple profile'}' />
3210 <input type='hidden' name='ACTION' value='$Lang::tr{'download apple profile'}' />
3211 <input type='hidden' name='KEY' value='$key' />
3212 </form>
3213 </td>
3214END
3215 } else {
3216 print "<td width='2%' $col>&nbsp;</td>";
3217 }
3218
ac1cfefa 3219 print <<END
e9850821 3220 <td align='center' $col>
624615ee
LS		 3221 <form method='post' action='$ENV{'SCRIPT_NAME'}'>
3222 <input type='image' name='$Lang::tr{'toggle enable disable'}' src='/images/$gif' alt='$Lang::tr{'toggle enable disable'}' title='$Lang::tr{'toggle enable disable'}' />
3223 <input type='hidden' name='ACTION' value='$Lang::tr{'toggle enable disable'}' />
3224 <input type='hidden' name='KEY' value='$key' />
3225 </form>
ed84e8b8 3226 </td>
ac1cfefa 3227
e9850821 3228 <td align='center' $col>
624615ee
LS		 3229 <form method='post' action='$ENV{'SCRIPT_NAME'}'>
3230 <input type='hidden' name='ACTION' value='$Lang::tr{'edit'}' />
3231 <input type='image' name='$Lang::tr{'edit'}' src='/images/edit.gif' alt='$Lang::tr{'edit'}' title='$Lang::tr{'edit'}' />
3232 <input type='hidden' name='KEY' value='$key' />
3233 </form>
ed84e8b8 3234 </td>
e9850821 3235 <td align='center' $col>
624615ee
LS		 3236 <form method='post' action='$ENV{'SCRIPT_NAME'}'>
3237 <input type='hidden' name='ACTION' value='$Lang::tr{'remove'}' />
3238 <input type='image' name='$Lang::tr{'remove'}' src='/images/delete.gif' alt='$Lang::tr{'remove'}' title='$Lang::tr{'remove'}' />
3239 <input type='hidden' name='KEY' value='$key' />
3240 </form>
ed84e8b8 3241 </td>
ac1cfefa
MT		 3242 </tr>
3243END
624615ee 3244;
ac1cfefa 3245 $id++;
624615ee
LS		 3246 }
3247 print "</table>";
3248
3249 # If the config file contains entries, print Key to action icons
3250 if ( $id ) {
3251 print <<END
3252 <table>
3253 <tr>
3254 <td class='boldbase'>&nbsp; <b>$Lang::tr{'legend'}:</b></td>
3255 <td>&nbsp; <img src='/images/on.gif' alt='$Lang::tr{'click to disable'}' /></td>
3256 <td class='base'>$Lang::tr{'click to disable'}</td>
3257 <td>&nbsp; &nbsp; <img src='/images/info.gif' alt='$Lang::tr{'show certificate'}' /></td>
3258 <td class='base'>$Lang::tr{'show certificate'}</td>
3259 <td>&nbsp; &nbsp; <img src='/images/edit.gif' alt='$Lang::tr{'edit'}' /></td>
3260 <td class='base'>$Lang::tr{'edit'}</td>
3261 <td>&nbsp; &nbsp; <img src='/images/delete.gif' alt='$Lang::tr{'remove'}' /></td>
3262 <td class='base'>$Lang::tr{'remove'}</td>
3263 </tr>
3264 <tr>
3265 <td>&nbsp; </td>
3266 <td>&nbsp; <img src='/images/off.gif' alt='?OFF' /></td>
3267 <td class='base'>$Lang::tr{'click to enable'}</td>
3268 <td>&nbsp; &nbsp; <img src='/images/floppy.gif' alt='?FLOPPY' /></td>
3269 <td class='base'>$Lang::tr{'download certificate'}</td>
3270 <td>&nbsp; &nbsp; <img src='/images/reload.gif' alt='?RELOAD'/></td>
3271 <td class='base'>$Lang::tr{'restart'}</td>
3272 </tr>
3273 </table>
ac1cfefa 3274END
624615ee
LS		 3275;
3276 }
ac1cfefa 3277
624615ee
LS		 3278 print <<END
3279 <table width='100%'>
3280 <tr><td align='right' colspan='9'>
ed84e8b8
MT		 3281 <form method='post' action='$ENV{'SCRIPT_NAME'}'>
3282 <input type='submit' name='ACTION' value='$Lang::tr{'add'}' />
3283 </form>
624615ee
LS		 3284 </td></tr>
3285 </table>
ac1cfefa 3286END
624615ee
LS		 3287;
3288 &Header::closebox();
ac1cfefa 3289
624615ee
LS		 3290 &Header::openbox('100%', 'left', "$Lang::tr{'certificate authorities'}");
3291 print <<EOF
3292 <table width='100%' cellspacing='1' cellpadding='0' class='tbl'>
3293 <tr>
e9850821
AM		 3294 <th width='25%' class='boldbase' align='center'><b>$Lang::tr{'name'}</b></th>
3295 <th width='65%' class='boldbase' align='center'><b>$Lang::tr{'subject'}</b></th>
3296 <th width='10%' class='boldbase' colspan='3' align='center'><b>$Lang::tr{'action'}</b></th>
624615ee 3297 </tr>
ac1cfefa 3298EOF
624615ee
LS		 3299;
3300 my $col1="bgcolor='$color{'color22'}'";
e9850821 3301 my $col2="bgcolor='$color{'color20'}'";
624615ee
LS		 3302 if (-f "${General::swroot}/ca/cacert.pem") {
3303 my $casubject = &Header::cleanhtml(getsubjectfromcert ("${General::swroot}/ca/cacert.pem"));
3304 print <<END
3305 <tr>
3306 <td class='base' $col1>$Lang::tr{'root certificate'}</td>
3307 <td class='base' $col1>$casubject</td>
3308 <td width='3%' align='center' $col1>
3309 <form method='post' action='$ENV{'SCRIPT_NAME'}'>
3310 <input type='hidden' name='ACTION' value='$Lang::tr{'show root certificate'}' />
3311 <input type='image' name='$Lang::tr{'edit'}' src='/images/info.gif' alt='$Lang::tr{'show root certificate'}' title='$Lang::tr{'show root certificate'}' />
3312 </form>
3313 </td>
3314 <td width='3%' align='center' $col1>
3315 <form method='post' action='$ENV{'SCRIPT_NAME'}'>
3316 <input type='image' name='$Lang::tr{'download root certificate'}' src='/images/floppy.gif' alt='$Lang::tr{'download root certificate'}' title='$Lang::tr{'download root certificate'}' />
3317 <input type='hidden' name='ACTION' value='$Lang::tr{'download root certificate'}' />
3318 </form>
3319 </td>
3320 <td width='4%' $col1>&nbsp;</td></tr>
ac1cfefa 3321END
624615ee
LS		 3322;
3323 } else {
3324 # display rootcert generation buttons
3325 print <<END
3326 <tr>
3327 <td class='base' $col1>$Lang::tr{'root certificate'}:</td>
3328 <td class='base' $col1>$Lang::tr{'not present'}</td>
3329 <td colspan='3' $col1>&nbsp;</td></tr>
ac1cfefa 3330END
624615ee
LS		 3331;
3332 }
ac1cfefa 3333
624615ee
LS		 3334 if (-f "${General::swroot}/certs/hostcert.pem") {
3335 my $hostsubject = &Header::cleanhtml(getsubjectfromcert ("${General::swroot}/certs/hostcert.pem"));
ac1cfefa 3336
624615ee
LS		 3337 print <<END
3338 <tr>
3339 <td class='base' $col2>$Lang::tr{'host certificate'}</td>
3340 <td class='base' $col2>$hostsubject</td>
3341 <td width='3%' align='center' $col2>
3342 <form method='post' action='$ENV{'SCRIPT_NAME'}'>
3343 <input type='hidden' name='ACTION' value='$Lang::tr{'show host certificate'}' />
3344 <input type='image' name='$Lang::tr{'show host certificate'}' src='/images/info.gif' alt='$Lang::tr{'show host certificate'}' title='$Lang::tr{'show host certificate'}' />
3345 </form>
3346 </td>
3347 <td width='3%' align='center' $col2>
3348 <form method='post' action='$ENV{'SCRIPT_NAME'}'>
3349 <input type='image' name="$Lang::tr{'download host certificate'}" src='/images/floppy.gif' alt="$Lang::tr{'download host certificate'}" title="$Lang::tr{'download host certificate'}" />
3350 <input type='hidden' name='ACTION' value="$Lang::tr{'download host certificate'}" />
3351 </form>
3352 </td>
3353 <td width='4%' $col2>&nbsp;</td></tr>
ac1cfefa 3354END
624615ee
LS		 3355;
3356 } else {
3357 # Nothing
3358 print <<END
3359 <tr>
3360 <td width='25%' class='base' $col2>$Lang::tr{'host certificate'}:</td>
3361 <td class='base' $col2>$Lang::tr{'not present'}</td>
3362 <td colspan='3' $col2>&nbsp;</td></tr>
ac1cfefa 3363END
624615ee
LS		 3364;
3365 }
3366
e9850821
AM		 3367 my $rowcolor = 0;
3368 if (keys %cahash > 0) {
3369 foreach my $key (keys %cahash) {
624615ee
LS		 3370 if ($rowcolor++ % 2) {
3371 print "<tr>";
3372 $col="bgcolor='$color{'color20'}'";
3373 } else {
3374 print "<tr>";
3375 $col="bgcolor='$color{'color22'}'";
3376 }
3377 print "<td class='base' $col>$cahash{$key}[0]</td>\n";
3378 print "<td class='base' $col>$cahash{$key}[1]</td>\n";
3379 print <<END
3380 <td align='center' $col>
3381 <form method='post' name='cafrm${key}a' action='$ENV{'SCRIPT_NAME'}'>
3382 <input type='image' name='$Lang::tr{'show ca certificate'}' src='/images/info.gif' alt='$Lang::tr{'show ca certificate'}' title='$Lang::tr{'show ca certificate'}' />
3383 <input type='hidden' name='ACTION' value='$Lang::tr{'show ca certificate'}' />
3384 <input type='hidden' name='KEY' value='$key' />
3385 </form>
3386 </td>
3387 <td align='center' $col>
3388 <form method='post' name='cafrm${key}b' action='$ENV{'SCRIPT_NAME'}'>
3389 <input type='image' name='$Lang::tr{'download ca certificate'}' src='/images/floppy.gif' alt='$Lang::tr{'download ca certificate'}' title='$Lang::tr{'download ca certificate'}' />
3390 <input type='hidden' name='ACTION' value='$Lang::tr{'download ca certificate'}' />
3391 <input type='hidden' name='KEY' value='$key' />
3392 </form>
3393 </td>
3394 <td align='center' $col>
3395 <form method='post' name='cafrm${key}c' action='$ENV{'SCRIPT_NAME'}'>
3396 <input type='hidden' name='ACTION' value='$Lang::tr{'remove ca certificate'}' />
3397 <input type='image' name='$Lang::tr{'remove ca certificate'}' src='/images/delete.gif' alt='$Lang::tr{'remove ca certificate'}' title='$Lang::tr{'remove ca certificate'}' />
3398 <input type='hidden' name='KEY' value='$key' />
3399 </form>
3400 </td>
3401 </tr>
3402END
3403;
3404 }
3405 }
3406 print "</table>";
3407
3408 # If the file contains entries, print Key to action icons
3409 if ( -f "${General::swroot}/ca/cacert.pem") {
3410 print <<END
3411 <table><tr>
3412 <td class='boldbase'>&nbsp; <b>$Lang::tr{'legend'}:</b></td>
3413 <td>&nbsp; &nbsp; <img src='/images/info.gif' alt='$Lang::tr{'show certificate'}' /></td>
3414 <td class='base'>$Lang::tr{'show certificate'}</td>
3415 <td>&nbsp; &nbsp; <img src='/images/floppy.gif' alt='$Lang::tr{'download certificate'}' /></td>
3416 <td class='base'>$Lang::tr{'download certificate'}</td>
3417 </tr></table>
ac1cfefa 3418END
624615ee 3419;
ac1cfefa 3420 }
624615ee 3421 my $createCA = -f "${General::swroot}/ca/cacert.pem" ? '' : "<tr><td colspan='3'></td><td><input type='submit' name='ACTION' value='$Lang::tr{'generate root/host certificates'}' /></td></tr>";
ed84e8b8 3422 print <<END
624615ee
LS		 3423 <br>
3424 <hr />
3425 <form method='post' enctype='multipart/form-data' action='$ENV{'SCRIPT_NAME'}'>
3426 <table width='100%' border='0' cellspacing='1' cellpadding='0'>
3427 $createCA
3428 <tr>
e3edceeb 3429 <td class='base' nowrap='nowrap'>$Lang::tr{'ca name'}:&nbsp;<img src='/blob.gif' alt='*' /></td>
ed84e8b8
MT		 3430 <td nowrap='nowrap'><input type='text' name='CA_NAME' value='$cgiparams{'CA_NAME'}' size='15' /> </td>
3431 <td nowrap='nowrap'><input type='file' name='FH' size='30' /></td>
3432 <td nowrap='nowrap'><input type='submit' name='ACTION' value='$Lang::tr{'upload ca certificate'}' /></td>
624615ee
LS		 3433 </tr>
3434 <tr>
ed84e8b8 3435 <td colspan='3'>$Lang::tr{'resetting the vpn configuration will remove the root ca, the host certificate and all certificate based connections'}:</td>
0afd8493 3436 <td align='right'><input type='submit' name='ACTION' value='$Lang::tr{'remove x509'}' /></td>
624615ee
LS		 3437 </tr>
3438 </table>
3439 </form>
ac1cfefa 3440END
624615ee
LS		 3441;
3442 &Header::closebox();
3443 &Header::closebigbox();
3444 &Header::closepage();
e8b3bb0e
MT		 3445
3446sub array_unique($) {
3447 my $array = shift;
3448 my @unique = ();
3449
3450 my %seen = ();
3451 foreach my $e (@$array) {
3452 next if $seen{$e}++;
3453 push(@unique, $e);
3454 }
3455
3456 return @unique;
3457}
3458
3459sub make_algos($$$$$) {
3460 my ($mode, $encs, $ints, $grps, $pfs) = @_;
3461 my @algos = ();
3462
3463 foreach my $enc (@$encs) {
3464 foreach my $int (@$ints) {
3465 foreach my $grp (@$grps) {
3466 my @algo = ($enc);
3467
78039c15 3468 if ($mode eq "ike") {
e8b3bb0e 3469 push(@algo, $int);
e8b3bb0e 3470
2c531c21 3471 if ($grp =~ m/^e(.*)$/) {
e8b3bb0e 3472 push(@algo, "ecp$1");
d47b2cc2 3473 } elsif ($grp =~ m/curve(25519|448)/) {
e34e72b6 3474 push(@algo, "$grp");
e8b3bb0e
MT		 3475 } else {
3476 push(@algo, "modp$grp");
3477 }
e8b3bb0e 3478
745915d8 3479 } elsif ($mode eq "esp") {
78039c15
MT		 3480 my $is_aead = ($enc =~ m/[cg]cm/);
3481
3482 if (!$is_aead) {
3483 push(@algo, $int);
3484 }
4b02b404 3485
0dd16f40 3486 if (!$pfs || $grp eq "none") {
4b02b404
MT		 3487 # noop
3488 } elsif ($grp =~ m/^e(.*)$/) {
3489 push(@algo, "ecp$1");
d47b2cc2 3490 } elsif ($grp =~ m/curve(25519|448)/) {
e34e72b6 3491 push(@algo, "$grp");
4b02b404
MT		 3492 } else {
3493 push(@algo, "modp$grp");
3494 }
e8b3bb0e
MT		 3495 }
3496
3497 push(@algos, join("-", @algo));
3498 }
3499 }
3500 }
3501
3502 return &array_unique(\@algos);
3503}
8792caad 3504
f2d45a45
MT		 3505sub make_subnets($$) {
3506 my $direction = shift;
8792caad
MT		 3507 my $subnets = shift;
3508
3509 my @nets = split(/\|/, $subnets);
3510 my @cidr_nets = ();
3511 foreach my $net (@nets) {
3512 my $cidr_net = &General::ipcidr($net);
f2d45a45
MT		 3513
3514 # Skip 0.0.0.0/0 for remote because this renders the
3515 # while system inaccessible
3516 next if (($direction eq "right") && ($cidr_net eq "0.0.0.0/0"));
3517
8792caad
MT		 3518 push(@cidr_nets, $cidr_net);
3519 }
3520
3521 return join(",", @cidr_nets);
3522}
Peter's tree of IPFire 2.x