-#!/usr/bin/perl\r
-#\r
-# This file is part of the IPCop Firewall.\r
-#\r
-# IPCop is free software; you can redistribute it and/or modify\r
-# it under the terms of the GNU General Public License as published by\r
-# the Free Software Foundation; either version 2 of the License, or\r
-# (at your option) any later version.\r
-#\r
-# IPCop is distributed in the hope that it will be useful,\r
-# but WITHOUT ANY WARRANTY; without even the implied warranty of\r
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\r
-# GNU General Public License for more details.\r
-#\r
-# You should have received a copy of the GNU General Public License\r
-# along with IPCop; if not, write to the Free Software\r
-# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA\r
-#\r
-# Copyright (C) 2003-05-25 Mark Wormgoor <mark@wormgoor.com>\r
-#\r
-# $Id: vpnmain.cgi,v 1.10.2.69 2006/01/31 02:07:19 franck78 Exp $\r
-#\r
-\r
-use Net::DNS;\r
-use File::Copy;\r
-use File::Temp qw/ tempfile tempdir /;\r
-use strict;\r
-\r
-# enable only the following on debugging purpose\r
-#use warnings;\r
-#use CGI::Carp 'fatalsToBrowser';\r
-\r
-require 'CONFIG_ROOT/general-functions.pl';\r
-require "${General::swroot}/lang.pl";\r
-require "${General::swroot}/header.pl";\r
-\r
-require "${General::swroot}/countries.pl";\r
-\r
-#workaround to suppress a warning when a variable is used only once\r
-my @dummy = ( ${Header::colourgreen} );\r
-undef (@dummy);\r
-\r
-###\r
-### Initialize variables\r
-###\r
-my $sleepDelay = '4s'; # after a call to ipsecctrl S or R, wait this delay (seconds) before reading status\r
- # (let the ipsec do its job)\r
-my %netsettings=();\r
-my %cgiparams=();\r
-my %vpnsettings=();\r
-my %checked=();\r
-my %confighash=();\r
-my %cahash=();\r
-my %selected=();\r
-my $warnmessage = '';\r
-my $errormessage = '';\r
-&General::readhash("${General::swroot}/ethernet/settings", \%netsettings);\r
-$cgiparams{'ENABLED'} = 'off';\r
-$cgiparams{'ENABLED_BLUE'} = 'off';\r
-$cgiparams{'EDIT_ADVANCED'} = 'off';\r
-$cgiparams{'NAT'} = 'off';\r
-$cgiparams{'COMPRESSION'} = 'off';\r
-$cgiparams{'ONLY_PROPOSED'} = 'off';\r
-$cgiparams{'ACTION'} = '';\r
-$cgiparams{'CA_NAME'} = '';\r
-$cgiparams{'DBG_CRYPT'} = '';\r
-$cgiparams{'DBG_PARSING'} = '';\r
-$cgiparams{'DBG_EMITTING'} = '';\r
-$cgiparams{'DBG_CONTROL'} = '';\r
-$cgiparams{'DBG_KLIPS'} = '';\r
-$cgiparams{'DBG_DNS'} = '';\r
-$cgiparams{'DBG_NAT_T'} = '';\r
-\r
-&Header::getcgihash(\%cgiparams, {'wantfile' => 1, 'filevar' => 'FH'});\r
-\r
-###\r
-### Useful functions\r
-###\r
-sub valid_dns_host {\r
- my $hostname = $_[0];\r
- unless ($hostname) { return "No hostname"};\r
- my $res = new Net::DNS::Resolver;\r
- my $query = $res->search("$hostname");\r
- if ($query) {\r
- foreach my $rr ($query->answer) {\r
- ## Potential bug - we are only looking at A records:\r
- return 0 if $rr->type eq "A";\r
- }\r
- } else {\r
- return $res->errorstring;\r
- }\r
-}\r
-\r
-#\r
-# old version: maintain serial number to one, without explication. \r
-# this : let the counter go, so that each cert is numbered.\r
-#\r
-sub cleanssldatabase\r
-{\r
- if (open(FILE, ">${General::swroot}/certs/serial")) {\r
- print FILE "01";\r
- close FILE;\r
- }\r
- if (open(FILE, ">${General::swroot}/certs/index.txt")) {\r
- print FILE "";\r
- close FILE;\r
- }\r
- unlink ("${General::swroot}/certs/index.txt.old");\r
- unlink ("${General::swroot}/certs/serial.old");\r
- unlink ("${General::swroot}/certs/01.pem");\r
-}\r
-sub newcleanssldatabase\r
-{\r
- if (! -s "${General::swroot}/certs/serial" ) {\r
- open(FILE, ">${General::swroot}/certs/serial");\r
- print FILE "01";\r
- close FILE;\r
- }\r
- if (! -s ">${General::swroot}/certs/index.txt") {\r
- system ("touch ${General::swroot}/certs/index.txt");\r
- }\r
- unlink ("${General::swroot}/certs/index.txt.old");\r
- unlink ("${General::swroot}/certs/serial.old");\r
-# unlink ("${General::swroot}/certs/01.pem"); numbering evolves. Wrong place to delete\r
-}\r
- \r
-sub writeipsecfiles {\r
- my %lconfighash = ();\r
- my %lvpnsettings = ();\r
- &General::readhasharray("${General::swroot}/vpn/config", \%lconfighash);\r
- &General::readhash("${General::swroot}/vpn/settings", \%lvpnsettings);\r
-\r
- open(CONF, ">${General::swroot}/vpn/ipsec.conf") or die "Unable to open ${General::swroot}/vpn/ipsec.conf: $!";\r
- open(SECRETS, ">${General::swroot}/vpn/ipsec.secrets") or die "Unable to open ${General::swroot}/vpn/ipsec.secrets: $!";\r
- flock CONF, 2;\r
- flock SECRETS, 2;\r
- print CONF "config setup\n";\r
- if ($lvpnsettings{'ENABLED_BLUE'} eq 'on')\r
- {\r
- if ($lvpnsettings{'ENABLED'} eq 'on')\r
- {\r
- print CONF "\tinterfaces=\"%defaultroute ipsec1=$netsettings{'BLUE_DEV'}\"\n";\r
- } else {\r
- print CONF "\tinterfaces=ipsec0=$netsettings{'BLUE_DEV'}\n";\r
- }\r
- } else {\r
- print CONF "\tinterfaces=%defaultroute\n";\r
- }\r
- \r
- my $plutodebug = ''; # build debug list\r
- map ($plutodebug .= $lvpnsettings{$_} eq 'on' ? lc (substr($_,4)).' ' : '',\r
- ('DBG_CRYPT','DBG_PARSING','DBG_EMITTING','DBG_CONTROL',\r
- 'DBG_KLIPS','DBG_DNS','DBG_NAT_T'));\r
- $plutodebug = 'none' if $plutodebug eq ''; # if nothing selected, use 'none'.\r
- print CONF "\tklipsdebug=none\n";\r
- print CONF "\tplutodebug=\"$plutodebug\"\n";\r
- print CONF "\tplutoload=%search\n";\r
- print CONF "\tplutostart=%search\n";\r
- print CONF "\tuniqueids=yes\n";\r
- print CONF "\tnat_traversal=yes\n";\r
- print CONF "\toverridemtu=$lvpnsettings{'VPN_OVERRIDE_MTU'}\n" if ($lvpnsettings{'VPN_OVERRIDE_MTU'} ne '');\r
- print CONF "\tvirtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16";\r
- print CONF ",%v4:!$netsettings{'GREEN_NETADDRESS'}/$netsettings{'GREEN_NETMASK'}";\r
- if (length($netsettings{'ORANGE_DEV'}) > 2) {\r
- print CONF ",%v4:!$netsettings{'ORANGE_NETADDRESS'}/$netsettings{'ORANGE_NETMASK'}";\r
- }\r
- if (length($netsettings{'BLUE_DEV'}) > 2) {\r
- print CONF ",%v4:!$netsettings{'BLUE_NETADDRESS'}/$netsettings{'BLUE_NETMASK'}";\r
- }\r
- foreach my $key (keys %lconfighash) {\r
- if ($lconfighash{$key}[3] eq 'net') {\r
- print CONF ",%v4:!$lconfighash{$key}[11]";\r
- }\r
- }\r
- print CONF "\n\n";\r
- print CONF "conn %default\n";\r
- print CONF "\tkeyingtries=0\n";\r
- print CONF "\tdisablearrivalcheck=no\n";\r
- print CONF "\n";\r
-\r
- if (-f "${General::swroot}/certs/hostkey.pem") {\r
- print SECRETS ": RSA ${General::swroot}/certs/hostkey.pem\n"\r
- }\r
-\r
- foreach my $key (keys %lconfighash) {\r
- if ($lconfighash{$key}[0] eq 'on') {\r
- if ($lconfighash{$key}[10] eq '') { $lconfighash{$key}[10] = '%any'; }\r
-\r
- print CONF "conn $lconfighash{$key}[1]\n";\r
- #always choose LEFT localside for roadwarrior\r
- if ($lconfighash{$key}[3] eq 'host' || $lconfighash{$key}[6] eq 'left') {\r
- if ($lconfighash{$key}[26] eq 'BLUE')\r
- {\r
- print CONF "\tleft=$netsettings{'BLUE_ADDRESS'}\n";\r
-# print CONF "\tleftnexthop=$netsettings{'BLUE_NETADDRESS'}\n";\r
- } \r
- elsif ($lconfighash{$key}[26] eq 'ORANGE')\r
- {\r
- print CONF "\tleft=$netsettings{'ORANGE_ADDRESS'}\n";\r
- } \r
- elsif ($lconfighash{$key}[26] eq 'GREEN')\r
- {\r
- print CONF "\tleft=$netsettings{'GREEN_ADDRESS'}\n";\r
- } \r
- elsif ($lconfighash{$key}[26] eq 'RED')\r
- {\r
- print CONF "\tleft=$lvpnsettings{'VPN_IP'}\n";\r
- print CONF "\tleftnexthop=%defaultroute\n" if ($lvpnsettings{'VPN_IP'} ne '%defaultroute');\r
- }\r
- print CONF "\tleftsubnet=$lconfighash{$key}[8]\n";\r
- print CONF "\tright=$lconfighash{$key}[10]\n";\r
- if ($lconfighash{$key}[3] eq 'net') {\r
- print CONF "\trightsubnet=$lconfighash{$key}[11]\n";\r
- print CONF "\trightnexthop=%defaultroute\n";\r
- } elsif ($lconfighash{$key}[10] eq '%any' && $lconfighash{$key}[14] eq 'on') {\r
- print CONF "\trightsubnet=vhost:%no,%priv\n";\r
- }\r
- if ($lconfighash{$key}[4] eq 'cert') {\r
- print CONF "\tleftcert=${General::swroot}/certs/hostcert.pem\n";\r
- print CONF "\trightcert=${General::swroot}/certs/$lconfighash{$key}[1]cert.pem\n";\r
- }\r
- } else {\r
- print CONF "\tright=$lvpnsettings{'VPN_IP'}\n";\r
- print CONF "\trightsubnet=$lconfighash{$key}[8]\n";\r
- print CONF "\trightnexthop=%defaultroute\n" if ($lvpnsettings{'VPN_IP'} ne '%defaultroute');\r
- print CONF "\tleft=$lconfighash{$key}[10]\n";\r
- if ($lconfighash{$key}[3] eq 'net') {\r
- print CONF "\tleftsubnet=$lconfighash{$key}[11]\n";\r
- print CONF "\tleftnexthop=%defaultroute\n";\r
- }\r
- if ($lconfighash{$key}[4] eq 'cert') {\r
- print CONF "\trightcert=${General::swroot}/certs/hostcert.pem\n";\r
- print CONF "\tleftcert=${General::swroot}/certs/$lconfighash{$key}[1]cert.pem\n";\r
- }\r
- }\r
- print CONF "\tleftid=$lconfighash{$key}[7]\n" if ($lconfighash{$key}[7]);\r
- print CONF "\trightid=$lconfighash{$key}[9]\n" if ($lconfighash{$key}[9]);\r
-\r
- # Algorithms\r
- if ($lconfighash{$key}[18] && $lconfighash{$key}[19] && $lconfighash{$key}[20]) {\r
- print CONF "\tike=";\r
- my @encs = split('\|', $lconfighash{$key}[18]);\r
- my @ints = split('\|', $lconfighash{$key}[19]);\r
- my @groups = split('\|', $lconfighash{$key}[20]);\r
- my $comma = 0;\r
- foreach my $i (@encs) {\r
- foreach my $j (@ints) {\r
- foreach my $k (@groups) {\r
- if ($comma != 0) { print CONF ","; } else { $comma = 1; }\r
- print CONF "$i-$j-modp$k";\r
- }\r
- }\r
- }\r
- if ($lconfighash{$key}[24] eq 'on') {\r
- print CONF "!\n";\r
- } else {\r
- print CONF "\n";\r
- }\r
- }\r
- if ($lconfighash{$key}[21] && $lconfighash{$key}[22]) {\r
- print CONF "\tesp=";\r
- my @encs = split('\|', $lconfighash{$key}[21]);\r
- my @ints = split('\|', $lconfighash{$key}[22]);\r
- my $comma = 0;\r
- foreach my $i (@encs) {\r
- foreach my $j (@ints) {\r
- if ($comma != 0) { print CONF ","; } else { $comma = 1; }\r
- print CONF "$i-$j";\r
- }\r
- }\r
- if ($lconfighash{$key}[24] eq 'on') {\r
- print CONF "!\n";\r
- } else {\r
- print CONF "\n";\r
- }\r
- }\r
- if ($lconfighash{$key}[23]) {\r
- print CONF "\tpfsgroup=$lconfighash{$key}[23]\n";\r
- }\r
-\r
- # Lifetimes\r
- if ($lconfighash{$key}[16]) {\r
- print CONF "\tikelifetime=$lconfighash{$key}[16]h\n";\r
- }\r
- if ($lconfighash{$key}[17]) {\r
- print CONF "\tkeylife=$lconfighash{$key}[17]h\n";\r
- }\r
-\r
- # Compression\r
- if ($lconfighash{$key}[13] eq 'on') {\r
- print CONF "\tcompress=yes\n";\r
- }\r
-\r
- # Dead Peer Detection\r
- print CONF "\tdpddelay=30\n";\r
- print CONF "\tdpdtimeout=120\n";\r
- print CONF "\tdpdaction=$lconfighash{$key}[27]\n";\r
- \r
- # Disable pfs ?\r
- print CONF "\tpfs=$lconfighash{$key}[28]\n";\r
-\r
- # Print Authentication details\r
- if ($lconfighash{$key}[4] eq 'psk') {\r
- if ($lconfighash{$key}[6] eq 'left'){\r
- if ($lconfighash{$key}[26] eq 'BLUE') {\r
- print SECRETS ($lconfighash{$key}[7] ? $lconfighash{$key}[7] : $netsettings{'BLUE_ADDRESS'}) . " ";\r
- print SECRETS $lconfighash{$key}[9] ? $lconfighash{$key}[9] : $lconfighash{$key}[10];\r
- print SECRETS " : PSK \"$lconfighash{$key}[5]\"\n";\r
- } else {\r
- print SECRETS ($lconfighash{$key}[7] ? $lconfighash{$key}[7] : $lvpnsettings{'VPN_IP'}) . " ";\r
- print SECRETS $lconfighash{$key}[9] ? $lconfighash{$key}[9] : $lconfighash{$key}[10];\r
- print SECRETS " : PSK \"$lconfighash{$key}[5]\"\n";\r
- }\r
- } else {\r
- if ($lconfighash{$key}[26] eq 'BLUE') {\r
- print SECRETS ($lconfighash{$key}[9] ? $lconfighash{$key}[9] : $netsettings{'BLUE_ADDRESS'}) . " ";\r
- print SECRETS $lconfighash{$key}[7] ? $lconfighash{$key}[7] : $lconfighash{$key}[10];\r
- print SECRETS " : PSK \"$lconfighash{$key}[5]\"\n";\r
- } else {\r
- print SECRETS ($lconfighash{$key}[9] ? $lconfighash{$key}[9] : $lvpnsettings{'VPN_IP'}) . " ";\r
- print SECRETS $lconfighash{$key}[7] ? $lconfighash{$key}[7] : $lconfighash{$key}[10];\r
- print SECRETS " : PSK \"$lconfighash{$key}[5]\"\n";\r
- }\r
- }\r
-\r
- print CONF "\tauthby=secret\n";\r
- } else {\r
- print CONF "\tauthby=rsasig\n";\r
- }\r
-\r
- # Automatically start only if a net-to-net connection\r
- if ($lconfighash{$key}[3] eq 'host') {\r
- print CONF "\tauto=add\n";\r
- } else {\r
- print CONF "\tauto=start\n";\r
- }\r
- print CONF "\n";\r
- }#on\r
- }#foreach key\r
-\r
- close(CONF);\r
- close(SECRETS);\r
-}\r
-\r
-###\r
-### Save main settings\r
-###\r
-if ($cgiparams{'ACTION'} eq $Lang::tr{'save'} && $cgiparams{'TYPE'} eq '' && $cgiparams{'KEY'} eq '') {\r
- &General::readhash("${General::swroot}/vpn/settings", \%vpnsettings);\r
- unless (&General::validfqdn($cgiparams{'VPN_IP'}) || &General::validip($cgiparams{'VPN_IP'})\r
- || $cgiparams{'VPN_IP'} eq '%defaultroute' ) {\r
- $errormessage = $Lang::tr{'invalid input for hostname'};\r
- goto SAVE_ERROR;\r
- }\r
-\r
- unless ($cgiparams{'VPN_DELAYED_START'} =~ /^[0-9]{1,3}$/ ) { #allow 0-999 seconds !\r
- $errormessage = $Lang::tr{'invalid time period'};\r
- goto SAVE_ERROR;\r
- }\r
-\r
- unless ($cgiparams{'VPN_OVERRIDE_MTU'} =~ /^(|[0-9]{1,5})$/ ) { #allow 0-99999\r
- $errormessage = $Lang::tr{'vpn mtu invalid'};\r
- goto SAVE_ERROR;\r
- }\r
-\r
- map ($vpnsettings{$_} = $cgiparams{$_},\r
- ('ENABLED','ENABLED_BLUE','DBG_CRYPT','DBG_PARSING','DBG_EMITTING','DBG_CONTROL',\r
- 'DBG_KLIPS','DBG_DNS','DBG_NAT_T'));\r
-\r
- $vpnsettings{'VPN_IP'} = $cgiparams{'VPN_IP'};\r
- $vpnsettings{'VPN_DELAYED_START'} = $cgiparams{'VPN_DELAYED_START'};\r
- $vpnsettings{'VPN_OVERRIDE_MTU'} = $cgiparams{'VPN_OVERRIDE_MTU'};\r
- &General::writehash("${General::swroot}/vpn/settings", \%vpnsettings);\r
- &writeipsecfiles();\r
- if ($vpnsettings{'ENABLED'} eq 'on' ||\r
- $vpnsettings{'ENABLED_BLUE'} eq 'on') {\r
- system('/usr/local/bin/ipsecctrl', 'S');\r
- } else {\r
- system('/usr/local/bin/ipsecctrl', 'D');\r
- }\r
- sleep $sleepDelay;\r
- SAVE_ERROR:\r
-###\r
-### Reset all step 2\r
-###\r
-} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'reset'} && $cgiparams{'AREUSURE'} eq 'yes') {\r
- my $file = '';\r
- &General::readhasharray("${General::swroot}/vpn/config", \%confighash);\r
-\r
- foreach my $key (keys %confighash) {\r
- if ($confighash{$key}[4] eq 'cert') {\r
- delete $confighash{$key};\r
- }\r
- }\r
- while ($file = glob("${General::swroot}/{ca,certs,crls,private}/*")) {\r
- unlink $file\r
- }\r
- &cleanssldatabase();\r
- if (open(FILE, ">${General::swroot}/vpn/caconfig")) {\r
- print FILE "";\r
- close FILE;\r
- }\r
- &General::writehasharray("${General::swroot}/vpn/config", \%confighash);\r
- &writeipsecfiles();\r
- system('/usr/local/bin/ipsecctrl', 'R');\r
- sleep $sleepDelay;\r
-\r
-###\r
-### Reset all step 1\r
-###\r
-} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'reset'}) {\r
- &Header::showhttpheaders();\r
- &Header::openpage($Lang::tr{'vpn configuration main'}, 1, '');\r
- &Header::openbigbox('100%', 'LEFT', '', '');\r
- &Header::openbox('100%', 'LEFT', $Lang::tr{'are you sure'});\r
- print <<END\r
- <table><form method='post'><input type='hidden' name='AREUSURE' value='yes' />\r
- <tr><td align='center'>\r
- <b><font color='${Header::colourred}'>$Lang::tr{'capswarning'}</font></b>: \r
- $Lang::tr{'resetting the vpn configuration will remove the root ca, the host certificate and all certificate based connections'}\r
- <tr><td align='center'><input type='submit' name='ACTION' value='$Lang::tr{'reset'}' />\r
- <input type='submit' name='ACTION' value='$Lang::tr{'cancel'}' /></td></tr>\r
- </form></table>\r
-END\r
- ;\r
- &Header::closebox();\r
- &Header::closebigbox();\r
- &Header::closepage();\r
- exit (0);\r
-\r
-###\r
-### Upload CA Certificate\r
-###\r
-} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'upload ca certificate'}) {\r
- &General::readhasharray("${General::swroot}/vpn/caconfig", \%cahash);\r
-\r
- if ($cgiparams{'CA_NAME'} !~ /^[a-zA-Z0-9]+$/) {\r
- $errormessage = $Lang::tr{'name must only contain characters'};\r
- goto UPLOADCA_ERROR;\r
- }\r
-\r
- if (length($cgiparams{'CA_NAME'}) >60) {\r
- $errormessage = $Lang::tr{'name too long'};\r
- goto VPNCONF_ERROR;\r
- }\r
-\r
- if ($cgiparams{'CA_NAME'} eq 'ca') {\r
- $errormessage = $Lang::tr{'name is invalid'};\r
- goto UPLOAD_CA_ERROR;\r
- }\r
-\r
- # Check if there is no other entry with this name\r
- foreach my $key (keys %cahash) {\r
- if ($cahash{$key}[0] eq $cgiparams{'CA_NAME'}) {\r
- $errormessage = $Lang::tr{'a ca certificate with this name already exists'};\r
- goto UPLOADCA_ERROR;\r
- }\r
- }\r
-\r
- if (ref ($cgiparams{'FH'}) ne 'Fh') {\r
- $errormessage = $Lang::tr{'there was no file upload'};\r
- goto UPLOADCA_ERROR;\r
- }\r
- # Move uploaded ca to a temporary file\r
- (my $fh, my $filename) = tempfile( );\r
- if (copy ($cgiparams{'FH'}, $fh) != 1) {\r
- $errormessage = $!;\r
- goto UPLOADCA_ERROR;\r
- }\r
- my $temp = `/usr/bin/openssl x509 -text -in $filename`;\r
- if ($temp !~ /CA:TRUE/i) {\r
- $errormessage = $Lang::tr{'not a valid ca certificate'};\r
- unlink ($filename);\r
- goto UPLOADCA_ERROR;\r
- } else {\r
- move($filename, "${General::swroot}/ca/$cgiparams{'CA_NAME'}cert.pem");\r
- if ($? ne 0) {\r
- $errormessage = "$Lang::tr{'certificate file move failed'}: $!";\r
- unlink ($filename);\r
- goto UPLOADCA_ERROR;\r
- }\r
- }\r
-\r
- my $casubject = `/usr/bin/openssl x509 -text -in ${General::swroot}/ca/$cgiparams{'CA_NAME'}cert.pem`;\r
- $casubject =~ /Subject: (.*)[\n]/;\r
- $casubject = $1;\r
- $casubject =~ s+/Email+, E+;\r
- $casubject =~ s/ ST=/ S=/;\r
- $casubject = &Header::cleanhtml($casubject);\r
-\r
- my $key = &General::findhasharraykey (\%cahash);\r
- $cahash{$key}[0] = $cgiparams{'CA_NAME'};\r
- $cahash{$key}[1] = $casubject;\r
- &General::writehasharray("${General::swroot}/vpn/caconfig", \%cahash);\r
- system('/usr/local/bin/ipsecctrl', 'R');\r
- sleep $sleepDelay;\r
-\r
- UPLOADCA_ERROR:\r
-\r
-###\r
-### Display ca certificate\r
-###\r
-} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'show ca certificate'}) {\r
- &General::readhasharray("${General::swroot}/vpn/caconfig", \%cahash);\r
-\r
- if ( -f "${General::swroot}/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem") {\r
- &Header::showhttpheaders();\r
- &Header::openpage($Lang::tr{'vpn configuration main'}, 1, '');\r
- &Header::openbigbox('100%', 'LEFT', '', '');\r
- &Header::openbox('100%', 'LEFT', "$Lang::tr{'ca certificate'}:");\r
- my $output = `/usr/bin/openssl x509 -text -in ${General::swroot}/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem`;\r
- $output = &Header::cleanhtml($output,"y");\r
- print "<pre>$output</pre>\n";\r
- &Header::closebox();\r
- print "<div align='center'><a href='/cgi-bin/vpnmain.cgi'>$Lang::tr{'back'}</a></div>";\r
- &Header::closebigbox();\r
- &Header::closepage();\r
- exit(0);\r
- } else {\r
- $errormessage = $Lang::tr{'invalid key'};\r
- }\r
-\r
-###\r
-### Download ca certificate\r
-###\r
-} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'download ca certificate'}) {\r
- &General::readhasharray("${General::swroot}/vpn/caconfig", \%cahash);\r
-\r
- if ( -f "${General::swroot}/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem" ) {\r
- print "Content-Type: application/octet-stream\r\n";\r
- print "Content-Disposition: filename=$cahash{$cgiparams{'KEY'}}[0]cert.pem\r\n\r\n";\r
- print `/usr/bin/openssl x509 -in ${General::swroot}/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem`;\r
- exit(0);\r
- } else {\r
- $errormessage = $Lang::tr{'invalid key'};\r
- }\r
-\r
-###\r
-### Remove ca certificate (step 2)\r
-###\r
-} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'remove ca certificate'} && $cgiparams{'AREUSURE'} eq 'yes') {\r
- &General::readhasharray("${General::swroot}/vpn/config", \%confighash);\r
- &General::readhasharray("${General::swroot}/vpn/caconfig", \%cahash);\r
-\r
- if ( -f "${General::swroot}/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem" ) {\r
- foreach my $key (keys %confighash) {\r
- my $test = `/usr/bin/openssl verify -CAfile ${General::swroot}/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem ${General::swroot}/certs/$confighash{$key}[1]cert.pem`;\r
- if ($test =~ /: OK/) {\r
- # Delete connection\r
- if ($vpnsettings{'ENABLED'} eq 'on' ||\r
- $vpnsettings{'ENABLED_BLUE'} eq 'on') {\r
- system('/usr/local/bin/ipsecctrl', 'D', $key);\r
- }\r
- unlink ("${General::swroot}/certs/$confighash{$key}[1]cert.pem");\r
- unlink ("${General::swroot}/certs/$confighash{$key}[1].p12");\r
- delete $confighash{$key};\r
- &General::writehasharray("${General::swroot}/vpn/config", \%confighash);\r
- &writeipsecfiles();\r
- }\r
- }\r
- unlink ("${General::swroot}/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem");\r
- delete $cahash{$cgiparams{'KEY'}};\r
- &General::writehasharray("${General::swroot}/vpn/caconfig", \%cahash);\r
- system('/usr/local/bin/ipsecctrl', 'R');\r
- sleep $sleepDelay;\r
- } else {\r
- $errormessage = $Lang::tr{'invalid key'};\r
- }\r
-###\r
-### Remove ca certificate (step 1)\r
-###\r
-} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'remove ca certificate'}) {\r
- &General::readhasharray("${General::swroot}/vpn/config", \%confighash);\r
- &General::readhasharray("${General::swroot}/vpn/caconfig", \%cahash);\r
-\r
- my $assignedcerts = 0;\r
- if ( -f "${General::swroot}/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem" ) {\r
- foreach my $key (keys %confighash) {\r
- my $test = `/usr/bin/openssl verify -CAfile ${General::swroot}/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem ${General::swroot}/certs/$confighash{$key}[1]cert.pem`;\r
- if ($test =~ /: OK/) {\r
- $assignedcerts++;\r
- }\r
- }\r
- if ($assignedcerts) {\r
- &Header::showhttpheaders();\r
- &Header::openpage($Lang::tr{'vpn configuration main'}, 1, '');\r
- &Header::openbigbox('100%', 'LEFT', '', '');\r
- &Header::openbox('100%', 'LEFT', $Lang::tr{'are you sure'});\r
- print <<END\r
- <table><form method='post'><input type='hidden' name='AREUSURE' value='yes' />\r
- <input type='hidden' name='KEY' value='$cgiparams{'KEY'}' />\r
- <tr><td align='center'>\r
- <b><font color='${Header::colourred}'>$Lang::tr{'capswarning'}</font></b>: $assignedcerts\r
- $Lang::tr{'connections are associated with this ca. deleting the ca will delete these connections as well.'}\r
- <tr><td align='center'><input type='submit' name='ACTION' value='$Lang::tr{'remove ca certificate'}' />\r
- <input type='submit' name='ACTION' value='$Lang::tr{'cancel'}' /></td></tr>\r
- </form></table>\r
-END\r
- ;\r
- &Header::closebox();\r
- &Header::closebigbox();\r
- &Header::closepage();\r
- exit (0);\r
- } else {\r
- unlink ("${General::swroot}/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem");\r
- delete $cahash{$cgiparams{'KEY'}};\r
- &General::writehasharray("${General::swroot}/vpn/caconfig", \%cahash);\r
- system('/usr/local/bin/ipsecctrl', 'R');\r
- sleep $sleepDelay;\r
- }\r
- } else {\r
- $errormessage = $Lang::tr{'invalid key'};\r
- }\r
-\r
-###\r
-### Display root certificate\r
-###\r
-} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'show root certificate'} ||\r
- $cgiparams{'ACTION'} eq $Lang::tr{'show host certificate'}) {\r
- my $output;\r
- &Header::showhttpheaders();\r
- &Header::openpage($Lang::tr{'vpn configuration main'}, 1, '');\r
- &Header::openbigbox('100%', 'LEFT', '', '');\r
- if ($cgiparams{'ACTION'} eq $Lang::tr{'show root certificate'}) {\r
- &Header::openbox('100%', 'LEFT', "$Lang::tr{'root certificate'}:");\r
- $output = `/usr/bin/openssl x509 -text -in ${General::swroot}/ca/cacert.pem`;\r
- } else {\r
- &Header::openbox('100%', 'LEFT', "$Lang::tr{'host certificate'}:");\r
- $output = `/usr/bin/openssl x509 -text -in ${General::swroot}/certs/hostcert.pem`;\r
- }\r
- $output = &Header::cleanhtml($output,"y");\r
- print "<pre>$output</pre>\n";\r
- &Header::closebox();\r
- print "<div align='center'><a href='/cgi-bin/vpnmain.cgi'>$Lang::tr{'back'}</a></div>";\r
- &Header::closebigbox();\r
- &Header::closepage();\r
- exit(0);\r
-\r
-###\r
-### Download root certificate\r
-###\r
-} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'download root certificate'}) {\r
- if ( -f "${General::swroot}/ca/cacert.pem" ) {\r
- print "Content-Type: application/octet-stream\r\n";\r
- print "Content-Disposition: filename=cacert.pem\r\n\r\n";\r
- print `/usr/bin/openssl x509 -in ${General::swroot}/ca/cacert.pem`;\r
- exit(0);\r
- }\r
-###\r
-### Download host certificate\r
-###\r
-} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'download host certificate'}) {\r
- if ( -f "${General::swroot}/certs/hostcert.pem" ) {\r
- print "Content-Type: application/octet-stream\r\n";\r
- print "Content-Disposition: filename=hostcert.pem\r\n\r\n";\r
- print `/usr/bin/openssl x509 -in ${General::swroot}/certs/hostcert.pem`;\r
- exit(0);\r
- }\r
-###\r
-### Form for generating a root certificate\r
-###\r
-} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'generate root/host certificates'} ||\r
- $cgiparams{'ACTION'} eq $Lang::tr{'upload p12 file'}) {\r
-\r
- &General::readhash("${General::swroot}/vpn/settings", \%vpnsettings);\r
- if (-f "${General::swroot}/ca/cacert.pem") {\r
- $errormessage = $Lang::tr{'valid root certificate already exists'};\r
- $cgiparams{'ACTION'} = '';\r
- goto ROOTCERT_ERROR;\r
- }\r
-\r
- if (($cgiparams{'ROOTCERT_HOSTNAME'} eq '') && -e "${General::swroot}/red/active") {\r
- if (open(IPADDR, "${General::swroot}/red/local-ipaddress")) {\r
- my $ipaddr = <IPADDR>;\r
- close IPADDR;\r
- chomp ($ipaddr);\r
- $cgiparams{'ROOTCERT_HOSTNAME'} = (gethostbyaddr(pack("C4", split(/\./, $ipaddr)), 2))[0];\r
- if ($cgiparams{'ROOTCERT_HOSTNAME'} eq '') {\r
- $cgiparams{'ROOTCERT_HOSTNAME'} = $ipaddr;\r
- }\r
- }\r
- } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'upload p12 file'}) {\r
-\r
- if (ref ($cgiparams{'FH'}) ne 'Fh') {\r
- $errormessage = $Lang::tr{'there was no file upload'};\r
- goto ROOTCERT_ERROR;\r
- }\r
-\r
- # Move uploaded certificate request to a temporary file\r
- (my $fh, my $filename) = tempfile( );\r
- if (copy ($cgiparams{'FH'}, $fh) != 1) {\r
- $errormessage = $!;\r
- goto ROOTCERT_ERROR;\r
- }\r
-\r
- # Create a temporary dirctory\r
- my $tempdir = tempdir( CLEANUP => 1 );\r
-\r
- # Extract the CA certificate from the file\r
- my $pid = open(OPENSSL, "|-");\r
- $SIG{ALRM} = sub { $errormessage = $Lang::tr{'broken pipe'}; goto ROOTCERT_ERROR;};\r
- if ($pid) { # parent\r
- if ($cgiparams{'P12_PASS'} ne '') {\r
- print OPENSSL "$cgiparams{'P12_PASS'}\n";\r
- }\r
- close (OPENSSL);\r
- if ($?) {\r
- $errormessage = "$Lang::tr{'openssl produced an error'}: $?";\r
- unlink ($filename);\r
- goto ROOTCERT_ERROR;\r
- }\r
- } else { # child\r
- unless (exec ('/usr/bin/openssl', 'pkcs12', '-cacerts', '-nokeys',\r
- '-in', $filename,\r
- '-out', "$tempdir/cacert.pem")) {\r
- $errormessage = "$Lang::tr{'cant start openssl'}: $!";\r
- unlink ($filename);\r
- goto ROOTCERT_ERROR;\r
- }\r
- }\r
-\r
- # Extract the Host certificate from the file\r
- $pid = open(OPENSSL, "|-");\r
- $SIG{ALRM} = sub { $errormessage = $Lang::tr{'broken pipe'}; goto ROOTCERT_ERROR;};\r
- if ($pid) { # parent\r
- if ($cgiparams{'P12_PASS'} ne '') {\r
- print OPENSSL "$cgiparams{'P12_PASS'}\n";\r
- }\r
- close (OPENSSL);\r
- if ($?) {\r
- $errormessage = "$Lang::tr{'openssl produced an error'}: $?";\r
- unlink ($filename);\r
- goto ROOTCERT_ERROR;\r
- }\r
- } else { # child\r
- unless (exec ('/usr/bin/openssl', 'pkcs12', '-clcerts', '-nokeys',\r
- '-in', $filename,\r
- '-out', "$tempdir/hostcert.pem")) {\r
- $errormessage = "$Lang::tr{'cant start openssl'}: $!";\r
- unlink ($filename);\r
- goto ROOTCERT_ERROR;\r
- }\r
- }\r
-\r
- # Extract the Host key from the file\r
- $pid = open(OPENSSL, "|-");\r
- $SIG{ALRM} = sub { $errormessage = $Lang::tr{'broken pipe'}; goto ROOTCERT_ERROR;};\r
- if ($pid) { # parent\r
- if ($cgiparams{'P12_PASS'} ne '') {\r
- print OPENSSL "$cgiparams{'P12_PASS'}\n";\r
- }\r
- close (OPENSSL);\r
- if ($?) {\r
- $errormessage = "$Lang::tr{'openssl produced an error'}: $?";\r
- unlink ($filename);\r
- goto ROOTCERT_ERROR;\r
- }\r
- } else { # child\r
- unless (exec ('/usr/bin/openssl', 'pkcs12', '-nocerts',\r
- '-nodes',\r
- '-in', $filename,\r
- '-out', "$tempdir/hostkey.pem")) {\r
- $errormessage = "$Lang::tr{'cant start openssl'}: $!";\r
- unlink ($filename);\r
- goto ROOTCERT_ERROR;\r
- }\r
- }\r
-\r
- move("$tempdir/cacert.pem", "${General::swroot}/ca/cacert.pem");\r
- if ($? ne 0) {\r
- $errormessage = "$Lang::tr{'certificate file move failed'}: $!";\r
- unlink ($filename);\r
- unlink ("${General::swroot}/ca/cacert.pem");\r
- unlink ("${General::swroot}/certs/hostcert.pem");\r
- unlink ("${General::swroot}/certs/hostkey.pem");\r
- goto ROOTCERT_ERROR;\r
- }\r
-\r
- move("$tempdir/hostcert.pem", "${General::swroot}/certs/hostcert.pem");\r
- if ($? ne 0) {\r
- $errormessage = "$Lang::tr{'certificate file move failed'}: $!";\r
- unlink ($filename);\r
- unlink ("${General::swroot}/ca/cacert.pem");\r
- unlink ("${General::swroot}/certs/hostcert.pem");\r
- unlink ("${General::swroot}/certs/hostkey.pem");\r
- goto ROOTCERT_ERROR;\r
- }\r
-\r
- move("$tempdir/hostkey.pem", "${General::swroot}/certs/hostkey.pem");\r
- if ($? ne 0) {\r
- $errormessage = "$Lang::tr{'certificate file move failed'}: $!";\r
- unlink ($filename);\r
- unlink ("${General::swroot}/ca/cacert.pem");\r
- unlink ("${General::swroot}/certs/hostcert.pem");\r
- unlink ("${General::swroot}/certs/hostkey.pem");\r
- goto ROOTCERT_ERROR;\r
- }\r
-\r
- # Create an empty CRL\r
- system('/usr/bin/openssl', 'ca', '-gencrl',\r
- '-out', "${General::swroot}/crls/cacrl.pem");\r
- if ($?) {\r
- $errormessage = "$Lang::tr{'openssl produced an error'}: $?";\r
- unlink ("${General::swroot}/certs/hostkey.pem");\r
- unlink ("${General::swroot}/certs/hostcert.pem");\r
- unlink ("${General::swroot}/ca/cacert.pem");\r
- unlink ("${General::swroot}/crls/cacrl.pem");\r
- &cleanssldatabase();\r
- goto ROOTCERT_ERROR;\r
- } else {\r
- &cleanssldatabase();\r
- }\r
-\r
- goto ROOTCERT_SUCCESS;\r
-\r
- } elsif ($cgiparams{'ROOTCERT_COUNTRY'} ne '') {\r
-\r
- # Validate input since the form was submitted\r
- if ($cgiparams{'ROOTCERT_ORGANIZATION'} eq ''){\r
- $errormessage = $Lang::tr{'organization cant be empty'};\r
- goto ROOTCERT_ERROR;\r
- }\r
- if (length($cgiparams{'ROOTCERT_ORGANIZATION'}) >60) {\r
- $errormessage = $Lang::tr{'organization too long'};\r
- goto ROOTCERT_ERROR;\r
- }\r
- if ($cgiparams{'ROOTCERT_ORGANIZATION'} !~ /^[a-zA-Z0-9 ,\.\-_]*$/) {\r
- $errormessage = $Lang::tr{'invalid input for organization'};\r
- goto ROOTCERT_ERROR;\r
- }\r
- if ($cgiparams{'ROOTCERT_HOSTNAME'} eq ''){\r
- $errormessage = $Lang::tr{'hostname cant be empty'};\r
- goto ROOTCERT_ERROR;\r
- }\r
- unless (&General::validfqdn($cgiparams{'ROOTCERT_HOSTNAME'}) || &General::validip($cgiparams{'ROOTCERT_HOSTNAME'})) {\r
- $errormessage = $Lang::tr{'invalid input for hostname'};\r
- goto ROOTCERT_ERROR;\r
- }\r
- if ($cgiparams{'ROOTCERT_EMAIL'} ne '' && (! &General::validemail($cgiparams{'ROOTCERT_EMAIL'}))) {\r
- $errormessage = $Lang::tr{'invalid input for e-mail address'};\r
- goto ROOTCERT_ERROR;\r
- }\r
- if (length($cgiparams{'ROOTCERT_EMAIL'}) > 40) {\r
- $errormessage = $Lang::tr{'e-mail address too long'};\r
- goto ROOTCERT_ERROR;\r
- }\r
- if ($cgiparams{'ROOTCERT_OU'} ne '' && $cgiparams{'ROOTCERT_OU'} !~ /^[a-zA-Z0-9 ,\.\-_]*$/) {\r
- $errormessage = $Lang::tr{'invalid input for department'};\r
- goto ROOTCERT_ERROR;\r
- }\r
- if ($cgiparams{'ROOTCERT_CITY'} ne '' && $cgiparams{'ROOTCERT_CITY'} !~ /^[a-zA-Z0-9 ,\.\-_]*$/) {\r
- $errormessage = $Lang::tr{'invalid input for city'};\r
- goto ROOTCERT_ERROR;\r
- }\r
- if ($cgiparams{'ROOTCERT_STATE'} ne '' && $cgiparams{'ROOTCERT_STATE'} !~ /^[a-zA-Z0-9 ,\.\-_]*$/) {\r
- $errormessage = $Lang::tr{'invalid input for state or province'};\r
- goto ROOTCERT_ERROR;\r
- }\r
- if ($cgiparams{'ROOTCERT_COUNTRY'} !~ /^[A-Z]*$/) {\r
- $errormessage = $Lang::tr{'invalid input for country'};\r
- goto ROOTCERT_ERROR;\r
- }\r
-\r
- # Copy the cgisettings to vpnsettings and save the configfile\r
- $vpnsettings{'ROOTCERT_ORGANIZATION'} = $cgiparams{'ROOTCERT_ORGANIZATION'};\r
- $vpnsettings{'ROOTCERT_HOSTNAME'} = $cgiparams{'ROOTCERT_HOSTNAME'};\r
- $vpnsettings{'ROOTCERT_EMAIL'} = $cgiparams{'ROOTCERT_EMAIL'};\r
- $vpnsettings{'ROOTCERT_OU'} = $cgiparams{'ROOTCERT_OU'};\r
- $vpnsettings{'ROOTCERT_CITY'} = $cgiparams{'ROOTCERT_CITY'};\r
- $vpnsettings{'ROOTCERT_STATE'} = $cgiparams{'ROOTCERT_STATE'};\r
- $vpnsettings{'ROOTCERT_COUNTRY'} = $cgiparams{'ROOTCERT_COUNTRY'};\r
- &General::writehash("${General::swroot}/vpn/settings", \%vpnsettings);\r
-\r
- # Replace empty strings with a .\r
- (my $ou = $cgiparams{'ROOTCERT_OU'}) =~ s/^\s*$/\./;\r
- (my $city = $cgiparams{'ROOTCERT_CITY'}) =~ s/^\s*$/\./;\r
- (my $state = $cgiparams{'ROOTCERT_STATE'}) =~ s/^\s*$/\./;\r
-\r
- # Create the CA certificate\r
- my $pid = open(OPENSSL, "|-");\r
- $SIG{ALRM} = sub { $errormessage = $Lang::tr{'broken pipe'}; goto ROOTCERT_ERROR;};\r
- if ($pid) { # parent\r
- print OPENSSL "$cgiparams{'ROOTCERT_COUNTRY'}\n";\r
- print OPENSSL "$state\n";\r
- print OPENSSL "$city\n";\r
- print OPENSSL "$cgiparams{'ROOTCERT_ORGANIZATION'}\n";\r
- print OPENSSL "$ou\n";\r
- print OPENSSL "$cgiparams{'ROOTCERT_ORGANIZATION'} CA\n";\r
- print OPENSSL "$cgiparams{'ROOTCERT_EMAIL'}\n";\r
- close (OPENSSL);\r
- if ($?) {\r
- $errormessage = "$Lang::tr{'openssl produced an error'}: $?";\r
- unlink ("${General::swroot}/private/cakey.pem");\r
- unlink ("${General::swroot}/ca/cacert.pem");\r
- goto ROOTCERT_ERROR;\r
- }\r
- } else { # child\r
- unless (exec ('/usr/bin/openssl', 'req', '-x509', '-nodes', '-rand', '/proc/interrupts:/proc/net/rt_cache',\r
- '-days', '999999', '-newkey', 'rsa:2048',\r
- '-keyout', "${General::swroot}/private/cakey.pem",\r
- '-out', "${General::swroot}/ca/cacert.pem")) {\r
- $errormessage = "$Lang::tr{'cant start openssl'}: $!";\r
- goto ROOTCERT_ERROR;\r
- }\r
- }\r
-\r
- # Create the Host certificate request\r
- $pid = open(OPENSSL, "|-");\r
- $SIG{ALRM} = sub { $errormessage = $Lang::tr{'broken pipe'}; goto ROOTCERT_ERROR;};\r
- if ($pid) { # parent\r
- print OPENSSL "$cgiparams{'ROOTCERT_COUNTRY'}\n";\r
- print OPENSSL "$state\n";\r
- print OPENSSL "$city\n";\r
- print OPENSSL "$cgiparams{'ROOTCERT_ORGANIZATION'}\n";\r
- print OPENSSL "$ou\n";\r
- print OPENSSL "$cgiparams{'ROOTCERT_HOSTNAME'}\n";\r
- print OPENSSL "$cgiparams{'ROOTCERT_EMAIL'}\n";\r
- print OPENSSL ".\n";\r
- print OPENSSL ".\n";\r
- close (OPENSSL);\r
- if ($?) {\r
- $errormessage = "$Lang::tr{'openssl produced an error'}: $?";\r
- unlink ("${General::swroot}/certs/hostkey.pem");\r
- unlink ("${General::swroot}/certs/hostreq.pem");\r
- goto ROOTCERT_ERROR;\r
- }\r
- } else { # child\r
- unless (exec ('/usr/bin/openssl', 'req', '-nodes', '-rand', '/proc/interrupts:/proc/net/rt_cache',\r
- '-newkey', 'rsa:1024',\r
- '-keyout', "${General::swroot}/certs/hostkey.pem",\r
- '-out', "${General::swroot}/certs/hostreq.pem")) {\r
- $errormessage = "$Lang::tr{'cant start openssl'}: $!";\r
- unlink ("${General::swroot}/certs/hostkey.pem");\r
- unlink ("${General::swroot}/certs/hostreq.pem");\r
- unlink ("${General::swroot}/private/cakey.pem");\r
- unlink ("${General::swroot}/ca/cacert.pem");\r
- goto ROOTCERT_ERROR;\r
- }\r
- }\r
- \r
- # Sign the host certificate request\r
- system('/usr/bin/openssl', 'ca', '-days', '999999',\r
- '-batch', '-notext',\r
- '-in', "${General::swroot}/certs/hostreq.pem",\r
- '-out', "${General::swroot}/certs/hostcert.pem");\r
- if ($?) {\r
- $errormessage = "$Lang::tr{'openssl produced an error'}: $?";\r
- unlink ("${General::swroot}/private/cakey.pem");\r
- unlink ("${General::swroot}/ca/cacert.pem");\r
- unlink ("${General::swroot}/certs/hostkey.pem");\r
- unlink ("${General::swroot}/certs/hostreq.pem");\r
- unlink ("${General::swroot}/certs/hostcert.pem");\r
- &cleanssldatabase();\r
- goto ROOTCERT_ERROR;\r
- } else {\r
- unlink ("${General::swroot}/certs/hostreq.pem");\r
- &cleanssldatabase();\r
- }\r
-\r
- # Create an empty CRL\r
- system('/usr/bin/openssl', 'ca', '-gencrl',\r
- '-out', "${General::swroot}/crls/cacrl.pem");\r
- if ($?) {\r
- $errormessage = "$Lang::tr{'openssl produced an error'}: $?";\r
- unlink ("${General::swroot}/certs/hostkey.pem");\r
- unlink ("${General::swroot}/certs/hostcert.pem");\r
- unlink ("${General::swroot}/ca/cacert.pem");\r
- unlink ("${General::swroot}/crls/cacrl.pem");\r
- &cleanssldatabase();\r
- goto ROOTCERT_ERROR;\r
- } else {\r
- &cleanssldatabase();\r
- }\r
- goto ROOTCERT_SUCCESS;\r
- }\r
- ROOTCERT_ERROR:\r
- if ($cgiparams{'ACTION'} ne '') {\r
- &Header::showhttpheaders();\r
- &Header::openpage($Lang::tr{'vpn configuration main'}, 1, '');\r
- &Header::openbigbox('100%', 'LEFT', '', $errormessage);\r
- if ($errormessage) {\r
- &Header::openbox('100%', 'LEFT', $Lang::tr{'error messages'});\r
- print "<class name='base'>$errormessage";\r
- print " </class>";\r
- &Header::closebox();\r
- }\r
- &Header::openbox('100%', 'LEFT', "$Lang::tr{'generate root/host certificates'}:");\r
- print <<END\r
- <form method='post' enctype='multipart/form-data'>\r
- <table width='100%' border='0' cellspacing='1' cellpadding='0'>\r
- <tr><td width='30%' class='base'>$Lang::tr{'organization name'}:</td>\r
- <td width='35%' class='base' nowrap='nowrap'><input type='text' name='ROOTCERT_ORGANIZATION' value='$cgiparams{'ROOTCERT_ORGANIZATION'}' size='32' /></td>\r
- <td width='35%' colspan='2'> </td></tr>\r
- <tr><td class='base'>$Lang::tr{'ipcops hostname'}:</td>\r
- <td class='base' nowrap='nowrap'><input type='text' name='ROOTCERT_HOSTNAME' value='$cgiparams{'ROOTCERT_HOSTNAME'}' size='32' /></td>\r
- <td colspan='2'> </td></tr>\r
- <tr><td class='base'>$Lang::tr{'your e-mail'}: <img src='/blob.gif' alt='*' /></td>\r
- <td class='base' nowrap='nowrap'><input type='text' name='ROOTCERT_EMAIL' value='$cgiparams{'ROOTCERT_EMAIL'}' size='32' /></td>\r
- <td colspan='2'> </td></tr>\r
- <tr><td class='base'>$Lang::tr{'your department'}: <img src='/blob.gif' alt='*' /></td>\r
- <td class='base' nowrap='nowrap'><input type='text' name='ROOTCERT_OU' value='$cgiparams{'ROOTCERT_OU'}' size='32' /></td>\r
- <td colspan='2'> </td></tr>\r
- <tr><td class='base'>$Lang::tr{'city'}: <img src='/blob.gif' alt='*' /></td>\r
- <td class='base' nowrap='nowrap'><input type='text' name='ROOTCERT_CITY' value='$cgiparams{'ROOTCERT_CITY'}' size='32' /></td>\r
- <td colspan='2'> </td></tr>\r
- <tr><td class='base'>$Lang::tr{'state or province'}: <img src='/blob.gif' alt='*' /></td>\r
- <td class='base' nowrap='nowrap'><input type='text' name='ROOTCERT_STATE' value='$cgiparams{'ROOTCERT_STATE'}' size='32' /></td>\r
- <td colspan='2'> </td></tr>\r
- <tr><td class='base'>$Lang::tr{'country'}:</td>\r
- <td class='base'><select name='ROOTCERT_COUNTRY'>\r
-END\r
- ;\r
- foreach my $country (sort keys %{Countries::countries}) {\r
- print "<option value='$Countries::countries{$country}'";\r
- if ( $Countries::countries{$country} eq $cgiparams{'ROOTCERT_COUNTRY'} ) {\r
- print " selected='selected'";\r
- }\r
- print ">$country</option>";\r
- }\r
- print <<END\r
- </select></td>\r
- <td colspan='2'> </td></tr>\r
- <tr><td> </td>\r
- <td><br /><input type='submit' name='ACTION' value='$Lang::tr{'generate root/host certificates'}' /><br /><br /></td>\r
- <td> </td><td> </td></tr>\r
- <tr><td class='base' align='left' valign='top'>\r
- <img src='/blob.gif' valign='top' alt='*' /> $Lang::tr{'this field may be blank'}</td>\r
- <td class='base' align='left'>\r
- <b><font color='${Header::colourred}'>$Lang::tr{'capswarning'}</font></b>: \r
- $Lang::tr{'generating the root and host certificates may take a long time. it can take up to several minutes on older hardware. please be patient'}\r
- </td></tr>\r
- <tr><td colspan='4'><hr /></td></tr>\r
- <tr><td class='base' nowrap='nowrap'>$Lang::tr{'upload p12 file'}:</td>\r
- <td nowrap='nowrap'><input type='file' name='FH' size='32'></td>\r
- <td colspan='2'> </td></tr>\r
- <tr><td class='base'>$Lang::tr{'pkcs12 file password'}: <img src='/blob.gif' alt='*' /></td>\r
- <td class='base' nowrap='nowrap'><input type='password' name='P12_PASS' value='$cgiparams{'P12_PASS'}' size='32' /></td>\r
- <td colspan='2'> </td></tr>\r
- <tr><td> </td>\r
- <td><input type='submit' name='ACTION' value='$Lang::tr{'upload p12 file'}' /></td>\r
- <td colspan='2'> </td></tr>\r
- <tr><td class='base' colspan='4' align='left'>\r
- <img src='/blob.gif' valign='top' alt='*' /> $Lang::tr{'this field may be blank'}</td></tr>\r
- </form></table>\r
-END\r
- ;\r
- &Header::closebox();\r
-\r
- &Header::closebigbox();\r
- &Header::closepage();\r
- exit(0)\r
- }\r
-\r
- ROOTCERT_SUCCESS:\r
- if ($vpnsettings{'ENABLED'} eq 'on' ||\r
- $vpnsettings{'ENABLE_BLUE'} eq 'on') {\r
- system('/usr/local/bin/ipsecctrl', 'S');\r
- sleep $sleepDelay;\r
- }\r
-###\r
-### Download PKCS12 file\r
-###\r
-} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'download pkcs12 file'}) {\r
- &General::readhasharray("${General::swroot}/vpn/config", \%confighash);\r
-\r
- print "Content-Disposition: filename=" . $confighash{$cgiparams{'KEY'}}[1] . ".p12\r\n";\r
- print "Content-Type: application/octet-stream\r\n\r\n";\r
- print `/bin/cat ${General::swroot}/certs/$confighash{$cgiparams{'KEY'}}[1].p12`;\r
- exit (0);\r
-\r
-###\r
-### Display certificate\r
-###\r
-} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'show certificate'}) {\r
- &General::readhasharray("${General::swroot}/vpn/config", \%confighash);\r
-\r
- if ( -f "${General::swroot}/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem") {\r
- &Header::showhttpheaders();\r
- &Header::openpage($Lang::tr{'vpn configuration main'}, 1, '');\r
- &Header::openbigbox('100%', 'LEFT', '', '');\r
- &Header::openbox('100%', 'LEFT', "$Lang::tr{'certificate'}:");\r
- my $output = `/usr/bin/openssl x509 -text -in ${General::swroot}/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem`;\r
- $output = &Header::cleanhtml($output,"y");\r
- print "<pre>$output</pre>\n";\r
- &Header::closebox();\r
- print "<div align='center'><a href='/cgi-bin/vpnmain.cgi'>$Lang::tr{'back'}</a></div>";\r
- &Header::closebigbox();\r
- &Header::closepage();\r
- exit(0);\r
- }\r
-\r
-###\r
-### Download Certificate\r
-###\r
-} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'download certificate'}) {\r
- &General::readhasharray("${General::swroot}/vpn/config", \%confighash);\r
-\r
- if ( -f "${General::swroot}/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem") {\r
- print "Content-Disposition: filename=" . $confighash{$cgiparams{'KEY'}}[1] . "cert.pem\r\n";\r
- print "Content-Type: application/octet-stream\r\n\r\n";\r
- print `/bin/cat ${General::swroot}/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem`;\r
- exit (0);\r
- }\r
-\r
-###\r
-### Enable/Disable connection\r
-###\r
-} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'toggle enable disable'}) {\r
- \r
- &General::readhash("${General::swroot}/vpn/settings", \%vpnsettings);\r
- &General::readhasharray("${General::swroot}/vpn/config", \%confighash);\r
-\r
- if ($confighash{$cgiparams{'KEY'}}) {\r
- if ($confighash{$cgiparams{'KEY'}}[0] eq 'off') {\r
- $confighash{$cgiparams{'KEY'}}[0] = 'on';\r
- &General::writehasharray("${General::swroot}/vpn/config", \%confighash);\r
- &writeipsecfiles();\r
- if ($vpnsettings{'ENABLED'} eq 'on' ||\r
- $vpnsettings{'ENABLED_BLUE'} eq 'on') {\r
- system('/usr/local/bin/ipsecctrl', 'S', $cgiparams{'KEY'});\r
- sleep $sleepDelay;\r
- }\r
- } else {\r
- $confighash{$cgiparams{'KEY'}}[0] = 'off';\r
- if ($vpnsettings{'ENABLED'} eq 'on' ||\r
- $vpnsettings{'ENABLED_BLUE'} eq 'on') {\r
- system('/usr/local/bin/ipsecctrl', 'D', $cgiparams{'KEY'});\r
- }\r
- &General::writehasharray("${General::swroot}/vpn/config", \%confighash);\r
- &writeipsecfiles();\r
- }\r
- } else {\r
- $errormessage = $Lang::tr{'invalid key'};\r
- }\r
-\r
-###\r
-### Restart connection\r
-###\r
-} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'restart'}) {\r
- &General::readhash("${General::swroot}/vpn/settings", \%vpnsettings);\r
- &General::readhasharray("${General::swroot}/vpn/config", \%confighash);\r
-\r
- if ($confighash{$cgiparams{'KEY'}}) {\r
- if ($vpnsettings{'ENABLED'} eq 'on' ||\r
- $vpnsettings{'ENABLED_BLUE'} eq 'on') {\r
- system('/usr/local/bin/ipsecctrl', 'S', $cgiparams{'KEY'});\r
- sleep $sleepDelay;\r
- }\r
- } else {\r
- $errormessage = $Lang::tr{'invalid key'};\r
- }\r
-\r
-###\r
-### Remove connection\r
-###\r
-} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'remove'}) {\r
- &General::readhash("${General::swroot}/vpn/settings", \%vpnsettings);\r
- &General::readhasharray("${General::swroot}/vpn/config", \%confighash);\r
-\r
- if ($confighash{$cgiparams{'KEY'}}) {\r
- if ($vpnsettings{'ENABLED'} eq 'on' ||\r
- $vpnsettings{'ENABLED_BLUE'} eq 'on') {\r
- system('/usr/local/bin/ipsecctrl', 'D', $cgiparams{'KEY'});\r
- }\r
- unlink ("${General::swroot}/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem");\r
- unlink ("${General::swroot}/certs/$confighash{$cgiparams{'KEY'}}[1].p12");\r
- delete $confighash{$cgiparams{'KEY'}};\r
- &General::writehasharray("${General::swroot}/vpn/config", \%confighash);\r
- &writeipsecfiles();\r
- } else {\r
- $errormessage = $Lang::tr{'invalid key'};\r
- }\r
-\r
-###\r
-### Choose between adding a host-net or net-net connection\r
-###\r
-} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'add'} && $cgiparams{'TYPE'} eq '') {\r
- &General::readhash("${General::swroot}/vpn/settings", \%vpnsettings);\r
- &Header::showhttpheaders();\r
- &Header::openpage($Lang::tr{'vpn configuration main'}, 1, '');\r
- &Header::openbigbox('100%', 'LEFT', '', '');\r
- &Header::openbox('100%', 'LEFT', $Lang::tr{'connection type'});\r
- print <<END\r
- <b>$Lang::tr{'connection type'}:</b><br />\r
- <table><form method='post'>\r
- <tr><td><input type='radio' name='TYPE' value='host' checked /></td>\r
- <td class='base'>$Lang::tr{'host to net vpn'}</td></tr>\r
- <tr><td><input type='radio' name='TYPE' value='net' /></td>\r
- <td class='base'>$Lang::tr{'net to net vpn'}</td></tr>\r
- <tr><td align='center' colspan='2'><input type='submit' name='ACTION' value='$Lang::tr{'add'}' /></td></tr>\r
- </form></table>\r
-END\r
- ;\r
- &Header::closebox();\r
- &Header::closebigbox();\r
- &Header::closepage();\r
- exit (0);\r
-###\r
-### Adding a new connection\r
-###\r
-} elsif (($cgiparams{'ACTION'} eq $Lang::tr{'add'}) ||\r
- ($cgiparams{'ACTION'} eq $Lang::tr{'edit'}) ||\r
- ($cgiparams{'ACTION'} eq $Lang::tr{'save'} && $cgiparams{'ADVANCED'} eq '')) {\r
-\r
- &General::readhash("${General::swroot}/vpn/settings", \%vpnsettings);\r
- &General::readhasharray("${General::swroot}/vpn/caconfig", \%cahash);\r
- &General::readhasharray("${General::swroot}/vpn/config", \%confighash);\r
-\r
- if ($cgiparams{'ACTION'} eq $Lang::tr{'edit'}) {\r
- if (! $confighash{$cgiparams{'KEY'}}[0]) {\r
- $errormessage = $Lang::tr{'invalid key'};\r
- goto VPNCONF_END;\r
- }\r
- $cgiparams{'ENABLED'} = $confighash{$cgiparams{'KEY'}}[0];\r
- $cgiparams{'NAME'} = $confighash{$cgiparams{'KEY'}}[1];\r
- $cgiparams{'TYPE'} = $confighash{$cgiparams{'KEY'}}[3];\r
- $cgiparams{'AUTH'} = $confighash{$cgiparams{'KEY'}}[4];\r
- $cgiparams{'PSK'} = $confighash{$cgiparams{'KEY'}}[5];\r
- $cgiparams{'SIDE'} = $confighash{$cgiparams{'KEY'}}[6];\r
- $cgiparams{'LOCAL_ID'} = $confighash{$cgiparams{'KEY'}}[7];\r
- $cgiparams{'LOCAL_SUBNET'} = $confighash{$cgiparams{'KEY'}}[8];\r
- $cgiparams{'REMOTE_ID'} = $confighash{$cgiparams{'KEY'}}[9];\r
- $cgiparams{'REMOTE'} = $confighash{$cgiparams{'KEY'}}[10];\r
- $cgiparams{'REMOTE_SUBNET'} = $confighash{$cgiparams{'KEY'}}[11];\r
- $cgiparams{'REMARK'} = $confighash{$cgiparams{'KEY'}}[25];\r
- $cgiparams{'INTERFACE'} = $confighash{$cgiparams{'KEY'}}[26];\r
- $cgiparams{'DPD_ACTION'}= $confighash{$cgiparams{'KEY'}}[27];\r
- $cgiparams{'PFS_YES_NO'}= $confighash{$cgiparams{'KEY'}}[28];\r
-\r
- } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'save'}) {\r
- $cgiparams{'REMARK'} = &Header::cleanhtml($cgiparams{'REMARK'});\r
- if ($cgiparams{'TYPE'} !~ /^(host|net)$/) {\r
- $errormessage = $Lang::tr{'connection type is invalid'};\r
- goto VPNCONF_ERROR;\r
- }\r
-\r
- if ($cgiparams{'NAME'} !~ /^[a-zA-Z0-9]+$/) {\r
- $errormessage = $Lang::tr{'name must only contain characters'};\r
- goto VPNCONF_ERROR;\r
- }\r
-\r
- if ($cgiparams{'NAME'} =~ /^(host|01|block|private|clear|packetdefault)$/) {\r
- $errormessage = $Lang::tr{'name is invalid'};\r
- goto VPNCONF_ERROR;\r
- }\r
-\r
- if (length($cgiparams{'NAME'}) >60) {\r
- $errormessage = $Lang::tr{'name too long'};\r
- goto VPNCONF_ERROR;\r
- }\r
-\r
- if (($cgiparams{'TYPE'} eq 'net') && ($cgiparams{'SIDE'} !~ /^(left|right)$/)) {\r
- $errormessage = $Lang::tr{'ipcop side is invalid'};\r
- goto VPNCONF_ERROR;\r
- }\r
-\r
- # Check if there is no other entry with this name\r
- if (! $cgiparams{'KEY'}) {\r
- foreach my $key (keys %confighash) {\r
- if ($confighash{$key}[1] eq $cgiparams{'NAME'}) {\r
- $errormessage = $Lang::tr{'a connection with this name already exists'};\r
- goto VPNCONF_ERROR;\r
- }\r
- }\r
- }\r
-\r
- if (($cgiparams{'TYPE'} eq 'net') && (! $cgiparams{'REMOTE'})) {\r
- $errormessage = $Lang::tr{'invalid input for remote host/ip'};\r
- goto VPNCONF_ERROR;\r
- }\r
-\r
- if ($cgiparams{'REMOTE'}) {\r
- if (! &General::validip($cgiparams{'REMOTE'})) {\r
- if (! &General::validfqdn ($cgiparams{'REMOTE'})) {\r
- $errormessage = $Lang::tr{'invalid input for remote host/ip'};\r
- goto VPNCONF_ERROR;\r
- } else {\r
- if (&valid_dns_host($cgiparams{'REMOTE'})) {\r
- $warnmessage = "$Lang::tr{'check vpn lr'} $cgiparams{'REMOTE'}. $Lang::tr{'dns check failed'}";\r
- }\r
- }\r
- }\r
- }\r
-\r
- unless (&General::validipandmask($cgiparams{'LOCAL_SUBNET'})) {\r
- $errormessage = $Lang::tr{'local subnet is invalid'};\r
- goto VPNCONF_ERROR;\r
- }\r
-\r
- # Check if there is no other entry without IP-address and PSK\r
- if ($cgiparams{'REMOTE'} eq '') {\r
- foreach my $key (keys %confighash) {\r
- if(($cgiparams{'KEY'} ne $key) && \r
- ($confighash{$key}[4] eq 'psk' || $cgiparams{'AUTH'} eq 'psk') && \r
- $confighash{$key}[10] eq '') {\r
- $errormessage = $Lang::tr{'you can only define one roadwarrior connection when using pre-shared key authentication'};\r
- goto VPNCONF_ERROR;\r
- }\r
- }\r
- }\r
- if (($cgiparams{'TYPE'} eq 'net') && (! &General::validipandmask($cgiparams{'REMOTE_SUBNET'}))) {\r
- $errormessage = $Lang::tr{'remote subnet is invalid'};\r
- goto VPNCONF_ERROR;\r
- }\r
-\r
- if ($cgiparams{'ENABLED'} !~ /^(on|off)$/) {\r
- $errormessage = $Lang::tr{'invalid input'};\r
- goto VPNCONF_ERROR;\r
- }\r
- if ($cgiparams{'EDIT_ADVANCED'} !~ /^(on|off)$/) {\r
- $errormessage = $Lang::tr{'invalid input'};\r
- goto VPNCONF_ERROR;\r
- }\r
-\r
- if (($cgiparams{'LOCAL_ID'} !~ /^(|@[a-zA-Z0-9_.-]*)$/) ||\r
- ($cgiparams{'REMOTE_ID'} !~ /^(|@[a-zA-Z0-9_.-]*)$/) ||\r
- (($cgiparams{'REMOTE_ID'} eq $cgiparams{'LOCAL_ID'}) && ($cgiparams{'LOCAL_ID'} ne ''))\r
- ) {\r
- $errormessage = $Lang::tr{'invalid local-remote id'};\r
- goto VPNCONF_ERROR;\r
- }\r
- \r
- if ($cgiparams{'AUTH'} eq 'psk') {\r
- if (! length($cgiparams{'PSK'}) ) {\r
- $errormessage = $Lang::tr{'pre-shared key is too short'};\r
- goto VPNCONF_ERROR;\r
- }\r
- if ($cgiparams{'PSK'} =~ /['",&]/) { # " ' correct coloring syntax editor !\r
- $errormessage = $Lang::tr{'invalid characters found in pre-shared key'};\r
- goto VPNCONF_ERROR;\r
- }\r
- } elsif ($cgiparams{'AUTH'} eq 'certreq') {\r
- if ($cgiparams{'KEY'}) {\r
- $errormessage = $Lang::tr{'cant change certificates'};\r
- goto VPNCONF_ERROR;\r
- }\r
- if (ref ($cgiparams{'FH'}) ne 'Fh') {\r
- $errormessage = $Lang::tr{'there was no file upload'};\r
- goto VPNCONF_ERROR;\r
- }\r
-\r
- # Move uploaded certificate request to a temporary file\r
- (my $fh, my $filename) = tempfile( );\r
- if (copy ($cgiparams{'FH'}, $fh) != 1) {\r
- $errormessage = $!;\r
- goto VPNCONF_ERROR;\r
- }\r
-\r
- # Sign the certificate request and move it\r
- # Sign the host certificate request\r
- system('/usr/bin/openssl', 'ca', '-days', '999999',\r
- '-batch', '-notext',\r
- '-in', $filename,\r
- '-out', "${General::swroot}/certs/$cgiparams{'NAME'}cert.pem");\r
- if ($?) {\r
- $errormessage = "$Lang::tr{'openssl produced an error'}: $?";\r
- unlink ($filename);\r
- unlink ("${General::swroot}/certs/$cgiparams{'NAME'}cert.pem");\r
- &cleanssldatabase();\r
- goto VPNCONF_ERROR;\r
- } else {\r
- unlink ($filename);\r
- &cleanssldatabase();\r
- }\r
-\r
- my $temp = `/usr/bin/openssl x509 -text -in ${General::swroot}/certs/$cgiparams{'NAME'}cert.pem`;\r
- $temp =~ /Subject:.*CN=(.*)[\n]/;\r
- $temp = $1;\r
- $temp =~ s+/Email+, E+;\r
- $temp =~ s/ ST=/ S=/;\r
- $cgiparams{'CERT_NAME'} = $temp;\r
- $cgiparams{'CERT_NAME'} =~ s/,//g;\r
- $cgiparams{'CERT_NAME'} =~ s/\'//g;\r
- if ($cgiparams{'CERT_NAME'} eq '') {\r
- $errormessage = $Lang::tr{'could not retrieve common name from certificate'};\r
- goto VPNCONF_ERROR;\r
- }\r
- } elsif ($cgiparams{'AUTH'} eq 'certfile') {\r
- if ($cgiparams{'KEY'}) {\r
- $errormessage = $Lang::tr{'cant change certificates'};\r
- goto VPNCONF_ERROR;\r
- }\r
- if (ref ($cgiparams{'FH'}) ne 'Fh') {\r
- $errormessage = $Lang::tr{'there was no file upload'};\r
- goto VPNCONF_ERROR;\r
- }\r
- # Move uploaded certificate to a temporary file\r
- (my $fh, my $filename) = tempfile( );\r
- if (copy ($cgiparams{'FH'}, $fh) != 1) {\r
- $errormessage = $!;\r
- goto VPNCONF_ERROR;\r
- }\r
-\r
- # Verify the certificate has a valid CA and move it\r
- my $validca = 0;\r
- my $test = `/usr/bin/openssl verify -CAfile ${General::swroot}/ca/cacert.pem $filename`;\r
- if ($test =~ /: OK/) {\r
- $validca = 1;\r
- } else {\r
- foreach my $key (keys %cahash) {\r
- $test = `/usr/bin/openssl verify -CAfile ${General::swroot}/ca/$cahash{$key}[0]cert.pem $filename`;\r
- if ($test =~ /: OK/) {\r
- $validca = 1;\r
- }\r
- }\r
- }\r
- if (! $validca) {\r
- $errormessage = $Lang::tr{'certificate does not have a valid ca associated with it'};\r
- unlink ($filename);\r
- goto VPNCONF_ERROR;\r
- } else {\r
- move($filename, "${General::swroot}/certs/$cgiparams{'NAME'}cert.pem");\r
- if ($? ne 0) {\r
- $errormessage = "$Lang::tr{'certificate file move failed'}: $!";\r
- unlink ($filename);\r
- goto VPNCONF_ERROR;\r
- }\r
- }\r
-\r
- my $temp = `/usr/bin/openssl x509 -text -in ${General::swroot}/certs/$cgiparams{'NAME'}cert.pem`;\r
- $temp =~ /Subject:.*CN=(.*)[\n]/;\r
- $temp = $1;\r
- $temp =~ s+/Email+, E+;\r
- $temp =~ s/ ST=/ S=/;\r
- $cgiparams{'CERT_NAME'} = $temp;\r
- $cgiparams{'CERT_NAME'} =~ s/,//g;\r
- $cgiparams{'CERT_NAME'} =~ s/\'//g;\r
- if ($cgiparams{'CERT_NAME'} eq '') {\r
- unlink ("${General::swroot}/certs/$cgiparams{'NAME'}cert.pem");\r
- $errormessage = $Lang::tr{'could not retrieve common name from certificate'};\r
- goto VPNCONF_ERROR;\r
- }\r
- } elsif ($cgiparams{'AUTH'} eq 'certgen') {\r
- if ($cgiparams{'KEY'}) {\r
- $errormessage = $Lang::tr{'cant change certificates'};\r
- goto VPNCONF_ERROR;\r
- }\r
- # Validate input since the form was submitted\r
- if (length($cgiparams{'CERT_NAME'}) >60) {\r
- $errormessage = $Lang::tr{'name too long'};\r
- goto VPNCONF_ERROR;\r
- }\r
- if ($cgiparams{'CERT_NAME'} !~ /^[a-zA-Z0-9 ,\.\-_]+$/) {\r
- $errormessage = $Lang::tr{'invalid input for name'};\r
- goto VPNCONF_ERROR;\r
- }\r
- if ($cgiparams{'CERT_EMAIL'} ne '' && (! &General::validemail($cgiparams{'CERT_EMAIL'}))) {\r
- $errormessage = $Lang::tr{'invalid input for e-mail address'};\r
- goto VPNCONF_ERROR;\r
- }\r
- if (length($cgiparams{'CERT_EMAIL'}) > 40) {\r
- $errormessage = $Lang::tr{'e-mail address too long'};\r
- goto VPNCONF_ERROR;\r
- }\r
- if ($cgiparams{'CERT_OU'} ne '' && $cgiparams{'CERT_OU'} !~ /^[a-zA-Z0-9 ,\.\-_]*$/) {\r
- $errormessage = $Lang::tr{'invalid input for department'};\r
- goto VPNCONF_ERROR;\r
- }\r
- if (length($cgiparams{'CERT_ORGANIZATION'}) >60) {\r
- $errormessage = $Lang::tr{'organization too long'};\r
- goto VPNCONF_ERROR;\r
- }\r
- if ($cgiparams{'CERT_ORGANIZATION'} !~ /^[a-zA-Z0-9 ,\.\-_]+$/) {\r
- $errormessage = $Lang::tr{'invalid input for organization'};\r
- goto VPNCONF_ERROR;\r
- }\r
- if ($cgiparams{'CERT_CITY'} ne '' && $cgiparams{'CERT_CITY'} !~ /^[a-zA-Z0-9 ,\.\-_]*$/) {\r
- $errormessage = $Lang::tr{'invalid input for city'};\r
- goto VPNCONF_ERROR;\r
- }\r
- if ($cgiparams{'CERT_STATE'} ne '' && $cgiparams{'CERT_STATE'} !~ /^[a-zA-Z0-9 ,\.\-_]*$/) {\r
- $errormessage = $Lang::tr{'invalid input for state or province'};\r
- goto VPNCONF_ERROR;\r
- }\r
- if ($cgiparams{'CERT_COUNTRY'} !~ /^[A-Z]*$/) {\r
- $errormessage = $Lang::tr{'invalid input for country'};\r
- goto VPNCONF_ERROR;\r
- }\r
- if (length($cgiparams{'CERT_PASS1'}) < 5) {\r
- $errormessage = $Lang::tr{'password too short'};\r
- goto VPNCONF_ERROR;\r
- }\r
- if ($cgiparams{'CERT_PASS1'} ne $cgiparams{'CERT_PASS2'}) {\r
- $errormessage = $Lang::tr{'passwords do not match'};\r
- goto VPNCONF_ERROR;\r
- }\r
-\r
- # Replace empty strings with a .\r
- (my $ou = $cgiparams{'CERT_OU'}) =~ s/^\s*$/\./;\r
- (my $city = $cgiparams{'CERT_CITY'}) =~ s/^\s*$/\./;\r
- (my $state = $cgiparams{'CERT_STATE'}) =~ s/^\s*$/\./;\r
-\r
- # Create the Host certificate request\r
- my $pid = open(OPENSSL, "|-");\r
- $SIG{ALRM} = sub { $errormessage = $Lang::tr{'broken pipe'}; goto VPNCONF_ERROR;};\r
- if ($pid) { # parent\r
- print OPENSSL "$cgiparams{'CERT_COUNTRY'}\n";\r
- print OPENSSL "$state\n";\r
- print OPENSSL "$city\n";\r
- print OPENSSL "$cgiparams{'CERT_ORGANIZATION'}\n";\r
- print OPENSSL "$ou\n";\r
- print OPENSSL "$cgiparams{'CERT_NAME'}\n";\r
- print OPENSSL "$cgiparams{'CERT_EMAIL'}\n";\r
- print OPENSSL ".\n";\r
- print OPENSSL ".\n";\r
- close (OPENSSL);\r
- if ($?) {\r
- $errormessage = "$Lang::tr{'openssl produced an error'}: $?";\r
- unlink ("${General::swroot}/certs/$cgiparams{'NAME'}key.pem");\r
- unlink ("${General::swroot}/certs/$cgiparams{'NAME'}req.pem");\r
- goto VPNCONF_ERROR;\r
- }\r
- } else { # child\r
- unless (exec ('/usr/bin/openssl', 'req', '-nodes', '-rand', '/proc/interrupts:/proc/net/rt_cache',\r
- '-newkey', 'rsa:1024',\r
- '-keyout', "${General::swroot}/certs/$cgiparams{'NAME'}key.pem",\r
- '-out', "${General::swroot}/certs/$cgiparams{'NAME'}req.pem")) {\r
- $errormessage = "$Lang::tr{'cant start openssl'}: $!";\r
- unlink ("${General::swroot}/certs/$cgiparams{'NAME'}key.pem");\r
- unlink ("${General::swroot}/certs/$cgiparams{'NAME'}req.pem");\r
- goto VPNCONF_ERROR;\r
- }\r
- }\r
- \r
- # Sign the host certificate request\r
- system('/usr/bin/openssl', 'ca', '-days', '999999',\r
- '-batch', '-notext',\r
- '-in', "${General::swroot}/certs/$cgiparams{'NAME'}req.pem",\r
- '-out', "${General::swroot}/certs/$cgiparams{'NAME'}cert.pem");\r
- if ($?) {\r
- $errormessage = "$Lang::tr{'openssl produced an error'}: $?";\r
- unlink ("${General::swroot}/certs/$cgiparams{'NAME'}key.pem");\r
- unlink ("${General::swroot}/certs/$cgiparams{'NAME'}req.pem");\r
- unlink ("${General::swroot}/certs/$cgiparams{'NAME'}cert.pem");\r
- &cleanssldatabase();\r
- goto VPNCONF_ERROR;\r
- } else {\r
- unlink ("${General::swroot}/certs/$cgiparams{'NAME'}req.pem");\r
- &cleanssldatabase();\r
- }\r
-\r
- # Create the pkcs12 file\r
- system('/usr/bin/openssl', 'pkcs12', '-export', \r
- '-inkey', "${General::swroot}/certs/$cgiparams{'NAME'}key.pem",\r
- '-in', "${General::swroot}/certs/$cgiparams{'NAME'}cert.pem",\r
- '-name', $cgiparams{'NAME'},\r
- '-passout', "pass:$cgiparams{'CERT_PASS1'}",\r
- '-certfile', "${General::swroot}/ca/cacert.pem", \r
- '-caname', "$vpnsettings{'ROOTCERT_ORGANIZATION'} CA",\r
- '-out', "${General::swroot}/certs/$cgiparams{'NAME'}.p12");\r
- if ($?) {\r
- $errormessage = "$Lang::tr{'openssl produced an error'}: $?";\r
- unlink ("${General::swroot}/certs/$cgiparams{'NAME'}key.pem");\r
- unlink ("${General::swroot}/certs/$cgiparams{'NAME'}cert.pem");\r
- unlink ("${General::swroot}/certs/$cgiparams{'NAME'}.p12");\r
- goto VPNCONF_ERROR;\r
- } else {\r
- unlink ("${General::swroot}/certs/$cgiparams{'NAME'}key.pem");\r
- }\r
- } elsif ($cgiparams{'AUTH'} eq 'cert') {\r
- ;# Nothing, just editing\r
- } else {\r
- $errormessage = $Lang::tr{'invalid input for authentication method'};\r
- goto VPNCONF_ERROR;\r
- }\r
-\r
- # Check if there is no other entry with this common name\r
- if ((! $cgiparams{'KEY'}) && ($cgiparams{'AUTH'} ne 'psk')) {\r
- foreach my $key (keys %confighash) {\r
- if ($confighash{$key}[2] eq $cgiparams{'CERT_NAME'}) {\r
- $errormessage = $Lang::tr{'a connection with this common name already exists'};\r
- goto VPNCONF_ERROR;\r
- }\r
- }\r
- }\r
-\r
- # Save the config\r
- my $key = $cgiparams{'KEY'};\r
- if (! $key) {\r
- $key = &General::findhasharraykey (\%confighash);\r
- foreach my $i (0 .. 28) { $confighash{$key}[$i] = "";}\r
- }\r
- $confighash{$key}[0] = $cgiparams{'ENABLED'};\r
- $confighash{$key}[1] = $cgiparams{'NAME'};\r
- if ((! $cgiparams{'KEY'}) && $cgiparams{'AUTH'} ne 'psk') {\r
- $confighash{$key}[2] = $cgiparams{'CERT_NAME'};\r
- }\r
- $confighash{$key}[3] = $cgiparams{'TYPE'};\r
- if ($cgiparams{'AUTH'} eq 'psk') {\r
- $confighash{$key}[4] = 'psk';\r
- $confighash{$key}[5] = $cgiparams{'PSK'};\r
- } else {\r
- $confighash{$key}[4] = 'cert';\r
- }\r
- if ($cgiparams{'TYPE'} eq 'net') {\r
- $confighash{$key}[6] = $cgiparams{'SIDE'};\r
- $confighash{$key}[11] = $cgiparams{'REMOTE_SUBNET'};\r
- }\r
- $confighash{$key}[7] = $cgiparams{'LOCAL_ID'};\r
- $confighash{$key}[8] = $cgiparams{'LOCAL_SUBNET'};\r
- $confighash{$key}[9] = $cgiparams{'REMOTE_ID'};\r
- $confighash{$key}[10] = $cgiparams{'REMOTE'};\r
- $confighash{$key}[25] = $cgiparams{'REMARK'};\r
- $confighash{$key}[26] = $cgiparams{'INTERFACE'};\r
- $confighash{$key}[27] = $cgiparams{'DPD_ACTION'};\r
- $confighash{$key}[28] = $cgiparams{'PFS_YES_NO'};\r
-\r
- #use default advanced value\r
- $confighash{$key}[14] = 'on';\r
- $confighash{$key}[13] = 'off';\r
- $confighash{$key}[18] = 'aes128|3des';\r
- $confighash{$key}[19] = 'sha|md5';\r
- $confighash{$key}[20] = '1536|1024';\r
- $confighash{$key}[16] = '1';\r
- $confighash{$key}[21] = 'aes128|3des';\r
- $confighash{$key}[22] = 'sha1|md5';\r
- $confighash{$key}[23] = '';\r
- $confighash{$key}[17] = '8';\r
- $confighash{$key}[24] = 'off';\r
-\r
- #free unused fields!\r
- #$confighash{$key}[12] = '';\r
- #$confighash{$key}[15] = '';\r
-\r
- &General::writehasharray("${General::swroot}/vpn/config", \%confighash);\r
- &writeipsecfiles();\r
- if ($vpnsettings{'ENABLED'} eq 'on' ||\r
- $vpnsettings{'ENABLED_BLUE'} eq 'on') {\r
- system('/usr/local/bin/ipsecctrl', 'S', $key);\r
- sleep $sleepDelay;\r
- }\r
- if ($cgiparams{'EDIT_ADVANCED'} eq 'on') {\r
- $cgiparams{'KEY'} = $key;\r
- $cgiparams{'ACTION'} = $Lang::tr{'advanced'};\r
- }\r
- goto VPNCONF_END;\r
- } else { # add new connection\r
- $cgiparams{'ENABLED'} = 'on';\r
- $cgiparams{'SIDE'} = 'left';\r
- if ( ! -f "${General::swroot}/private/cakey.pem" ) {\r
- $cgiparams{'AUTH'} = 'psk';\r
- } elsif ( ! -f "${General::swroot}/ca/cacert.pem") {\r
- $cgiparams{'AUTH'} = 'certfile';\r
- } else {\r
- $cgiparams{'AUTH'} = 'certgen';\r
- }\r
- $cgiparams{'LOCAL_SUBNET'} ="$netsettings{'GREEN_NETADDRESS'}/$netsettings{'GREEN_NETMASK'}";\r
- $cgiparams{'CERT_ORGANIZATION'} = $vpnsettings{'ROOTCERT_ORGANIZATION'};\r
- $cgiparams{'CERT_CITY'} = $vpnsettings{'ROOTCERT_CITY'};\r
- $cgiparams{'CERT_STATE'} = $vpnsettings{'ROOTCERT_STATE'};\r
- $cgiparams{'CERT_COUNTRY'} = $vpnsettings{'ROOTCERT_COUNTRY'};\r
-\r
- # choose appropriate dpd action \r
- if ($cgiparams{'TYPE'} eq 'host') {\r
- $cgiparams{'DPD_ACTION'} = 'clear';\r
- } else {\r
- $cgiparams{'DPD_ACTION'} = 'hold'; #restart when available!\r
- }\r
-\r
- # Default is yes for 'pfs'\r
- $cgiparams{'PFS_YES_NO'} = 'yes';\r
- \r
- # ID are empty\r
- $cgiparams{'LOCAL_ID'} = '';\r
- $cgiparams{'REMOTE_ID'} = '';\r
- \r
- }\r
-\r
- VPNCONF_ERROR:\r
- $checked{'ENABLED'}{'off'} = '';\r
- $checked{'ENABLED'}{'on'} = '';\r
- $checked{'ENABLED'}{$cgiparams{'ENABLED'}} = "checked='checked'";\r
- $checked{'ENABLED_BLUE'}{'off'} = '';\r
- $checked{'ENABLED_BLUE'}{'on'} = '';\r
- $checked{'ENABLED_BLUE'}{$cgiparams{'ENABLED_BLUE'}} = "checked='checked'";\r
-\r
- $checked{'EDIT_ADVANCED'}{'off'} = '';\r
- $checked{'EDIT_ADVANCED'}{'on'} = '';\r
- $checked{'EDIT_ADVANCED'}{$cgiparams{'EDIT_ADVANCED'}} = "checked='checked'";\r
-\r
- $selected{'SIDE'}{'left'} = '';\r
- $selected{'SIDE'}{'right'} = '';\r
- $selected{'SIDE'}{$cgiparams{'SIDE'}} = "selected='selected'";\r
-\r
- $checked{'AUTH'}{'psk'} = '';\r
- $checked{'AUTH'}{'certreq'} = '';\r
- $checked{'AUTH'}{'certgen'} = '';\r
- $checked{'AUTH'}{'certfile'} = '';\r
- $checked{'AUTH'}{$cgiparams{'AUTH'}} = "checked='checked'";\r
-\r
- $selected{'INTERFACE'}{$cgiparams{'INTERFACE'}} = "selected='selected'";\r
- $selected{'DPD_ACTION'}{$cgiparams{'DPD_ACTION'}} = "selected='selected'";\r
- $selected{'PFS_YES_NO'}{$cgiparams{'PFS_YES_NO'}} = "selected='selected'";\r
-\r
- if (1) {\r
- &Header::showhttpheaders();\r
- &Header::openpage($Lang::tr{'vpn configuration main'}, 1, '');\r
- &Header::openbigbox('100%', 'LEFT', '', $errormessage);\r
- if ($errormessage) {\r
- &Header::openbox('100%', 'LEFT', $Lang::tr{'error messages'});\r
- print "<class name='base'>$errormessage";\r
- print " </class>";\r
- &Header::closebox();\r
- }\r
-\r
- if ($warnmessage) {\r
- &Header::openbox('100%', 'LEFT', "$Lang::tr{'warning messages'}:");\r
- print "<class name='base'>$warnmessage";\r
- print " </class>";\r
- &Header::closebox();\r
- }\r
-\r
- print "<form method='post' enctype='multipart/form-data'>";\r
- print "<input type='hidden' name='TYPE' value='$cgiparams{'TYPE'}' />";\r
-\r
- if ($cgiparams{'KEY'}) {\r
- print "<input type='hidden' name='KEY' value='$cgiparams{'KEY'}' />";\r
- print "<input type='hidden' name='AUTH' value='$cgiparams{'AUTH'}' />";\r
- }\r
-\r
- &Header::openbox('100%', 'LEFT', "$Lang::tr{'connection'}:");\r
- print "<table width='100%'>";\r
- print "<tr><td width='25%' class='boldbase'>$Lang::tr{'name'}:</td>";\r
- if ($cgiparams{'KEY'}) {\r
- print "<td width='25%' class='base'><input type='hidden' name='NAME' value='$cgiparams{'NAME'}' /><b>$cgiparams{'NAME'}</b></td>";\r
- } else {\r
- print "<td width='25%'><input type='text' name='NAME' value='$cgiparams{'NAME'}' maxlength='20' size='30' /></td>";\r
- }\r
- print "<td>$Lang::tr{'enabled'}</td><td><input type='checkbox' name='ENABLED' $checked{'ENABLED'}{'on'} /></td></tr>";\r
- \r
- if ($cgiparams{'TYPE'} eq 'host') {\r
-\r
- print "<tr><td>$Lang::tr{'interface'}</td>";\r
- print "<td><select name='INTERFACE'>";\r
- print "<option value='RED' $selected{'INTERFACE'}{'RED'}>RED</option>";\r
- print "<option value='BLUE' $selected{'INTERFACE'}{'BLUE'}>BLUE</option>" if ($netsettings{'BLUE_DEV'} ne '');\r
-# print "<option value='GREEN' $selected{'INTERFACE'}{'GREEN'}>GREEN</option>";\r
-# print "<option value='ORANGE' $selected{'INTERFACE'}{'ORANGE'}>ORANGE</option>";\r
- print "</select></td></tr>";\r
- print <<END\r
- <tr><td class='boldbase'>$Lang::tr{'local subnet'}</td>\r
- <td><input type='text' name='LOCAL_SUBNET' value='$cgiparams{'LOCAL_SUBNET'}' size='30' /></td>\r
- <td colspan='2'> </td></tr>\r
- <tr><td class='boldbase'>$Lang::tr{'remote host/ip'}: <img src='/blob.gif' alt='*' /></td>\r
- <td><input type='text' name='REMOTE' value='$cgiparams{'REMOTE'}' size='30' /></td>\r
- <td colspan='2'> </td></tr>\r
-END\r
- ;\r
- } else {\r
- print <<END\r
- <tr><input type='hidden' name='INTERFACE' value='RED' />\r
- <td class='boldbase' nowrap='nowrap'>$Lang::tr{'ipcop side'}</td>\r
- <td><select name='SIDE'><option value='left' $selected{'SIDE'}{'left'}>left</option>\r
- <option value='right' $selected{'SIDE'}{'right'}>right</option></select></td>\r
- <td class='boldbase'>$Lang::tr{'remote host/ip'}:</td>\r
- <td><input type='TEXT' name='REMOTE' value='$cgiparams{'REMOTE'}' size ='30' /></td></tr>\r
- <tr><td class='boldbase' nowrap='nowrap'>$Lang::tr{'local subnet'}</td>\r
- <td><input type='TEXT' name='LOCAL_SUBNET' value='$cgiparams{'LOCAL_SUBNET'}' size='30' /></td>\r
- <td class='boldbase' nowrap='nowrap'>$Lang::tr{'remote subnet'}</td>\r
- <td><input type='text' name='REMOTE_SUBNET' value='$cgiparams{'REMOTE_SUBNET'}' size='30' /></td></tr>\r
-END\r
- ;\r
- }\r
- print <<END\r
- <tr><td>$Lang::tr{'dpd action'}:</td>\r
- <td><select name='DPD_ACTION'>\r
- <option value='clear' $selected{'DPD_ACTION'}{'clear'}>clear</option>\r
- <option value='hold' $selected{'DPD_ACTION'}{'hold'}>hold</option>\r
- <option value='restart' $selected{'DPD_ACTION'}{'restart'}>restart</option>\r
- </select> <a href='http://www.openswan.com/docs/local/README.DPD'>?</a></td>\r
-<!-- http://www.openswan.com/docs/local/README.DPD\r
- http://bugs.xelerance.com/view.php?id=156\r
- restart = clear + reinitiate connection\r
---> <td width='25%'>$Lang::tr{'pfs yes no'}:</td>\r
- <td width='25%'><select name='PFS_YES_NO'>\r
- <option value='yes' $selected{'PFS_YES_NO'}{'yes'}>$Lang::tr{'yes'}</option>\r
- <option value='no' $selected{'PFS_YES_NO'}{'no'}>$Lang::tr{'no'}</option>\r
- </select></td></tr>\r
- <td><b>$Lang::tr{'options'}</b></td>\r
- <tr><td class='boldbase'>leftid: <img src='/blob.gif' alt='*' />\r
- <br />($Lang::tr{'eg'} <tt>@xy.example.com</tt>)</td>\r
- <td><input type='text' name='LOCAL_ID' value='$cgiparams{'LOCAL_ID'}' maxlength='50' /></td>\r
- <td class='boldbase'>rightid: <img src='/blob.gif' alt='*' /></td>\r
- <td><input type='text' name='REMOTE_ID' value='$cgiparams{'REMOTE_ID'}' maxlength='50' /></td></tr>\r
- <tr><td class='boldbase'>$Lang::tr{'remark title'} <img src='/blob.gif' alt='*' /></td>\r
- <td colspan='3'><input type='text' name='REMARK' value='$cgiparams{'REMARK'}' size='55' maxlength='50' /></td></tr>\r
-END\r
- ;\r
- if (!$cgiparams{'KEY'}) {\r
- print "<tr><td colspan='3'><input type='checkbox' name='EDIT_ADVANCED' $checked{'EDIT_ADVANCED'}{'on'} /> $Lang::tr{'edit advanced settings when done'}</td></tr>";\r
- }\r
- print "</table>";\r
- &Header::closebox();\r
- \r
- if ($cgiparams{'KEY'} && $cgiparams{'AUTH'} eq 'psk') {\r
- &Header::openbox('100%', 'LEFT', $Lang::tr{'authentication'});\r
- print <<END\r
- <table width='100%' cellpadding='0' cellspacing='5' border='0'>\r
- <tr><td class='base' width='50%'>$Lang::tr{'use a pre-shared key'}</td>\r
- <td class='base' width='50%'><input type='text' name='PSK' size='30' value='$cgiparams{'PSK'}' /></td></tr>\r
- </table>\r
-END\r
- ;\r
- &Header::closebox();\r
- } elsif (! $cgiparams{'KEY'}) {\r
- my $disabled='';\r
- my $cakeydisabled='';\r
- my $cacrtdisabled='';\r
- if ( ! -f "${General::swroot}/private/cakey.pem" ) { $cakeydisabled = "disabled='disabled'" } else { $cakeydisabled = "" };\r
- if ( ! -f "${General::swroot}/ca/cacert.pem" ) { $cacrtdisabled = "disabled='disabled'" } else { $cacrtdisabled = "" };\r
- &Header::openbox('100%', 'LEFT', $Lang::tr{'authentication'});\r
- print <<END\r
- <table width='100%' cellpadding='0' cellspacing='5' border='0'>\r
- <tr><td width='5%'><input type='radio' name='AUTH' value='psk' $checked{'AUTH'}{'psk'} /></td>\r
- <td class='base' width='45%'>$Lang::tr{'use a pre-shared key'}</td>\r
- <td class='base' width='50%'><input type='text' name='PSK' size='30' value='$cgiparams{'PSK'}' /></td></tr>\r
- <tr><td colspan='3' bgcolor='#000000'><img src='/images/null.gif' width='1' height='1' border='0' /></td></tr>\r
- <tr><td><input type='radio' name='AUTH' value='certreq' $checked{'AUTH'}{'certreq'} $cakeydisabled /></td>\r
- <td class='base'>$Lang::tr{'upload a certificate request'}</td>\r
- <td class='base' rowspan='2'><input type='file' name='FH' size='30' $cacrtdisabled></td></tr>\r
- <tr><td><input type='radio' name='AUTH' value='certfile' $checked{'AUTH'}{'certfile'} $cacrtdisabled /></td>\r
- <td class='base'>$Lang::tr{'upload a certificate'}</td></tr>\r
- <tr><td colspan='3' bgcolor='#000000'><img src='/images/null.gif' width='1' height='1' BORDER='0' /></td></tr>\r
- <tr><td><input type='radio' name='AUTH' value='certgen' $checked{'AUTH'}{'certgen'} $cakeydisabled /></td>\r
- <td class='base'>$Lang::tr{'generate a certificate'}</td><td> </td></tr>\r
- <tr><td> </td>\r
- <td class='base'>$Lang::tr{'users fullname or system hostname'}:</td>\r
- <td class='base' nowrap='nowrap'><input type='text' name='CERT_NAME' value='$cgiparams{'CERT_NAME'}' SIZE='32' $cakeydisabled /></td></tr>\r
- <tr><td> </td>\r
- <td class='base'>$Lang::tr{'users email'}: <img src='/blob.gif' alt='*' /></td>\r
- <td class='base' nowrap='nowrap'><input type='text' name='CERT_EMAIL' value='$cgiparams{'CERT_EMAIL'}' SIZE='32' $cakeydisabled /></td></tr>\r
- <tr><td> </td>\r
- <td class='base'>$Lang::tr{'users department'}: <img src='/blob.gif' alt='*' /></td>\r
- <td class='base' nowrap='nowrap'><input type='text' name='CERT_OU' value='$cgiparams{'CERT_OU'}' SIZE='32' $cakeydisabled /></td></tr>\r
- <tr><td> </td>\r
- <td class='base'>$Lang::tr{'organization name'}: <img src='/blob.gif' alt='*' /></td>\r
- <td class='base' nowrap='nowrap'><input type='text' name='CERT_ORGANIZATION' value='$cgiparams{'CERT_ORGANIZATION'}' SIZE='32' $cakeydisabled /></td></tr>\r
- <tr><td> </td>\r
- <td class='base'>$Lang::tr{'city'}: <img src='/blob.gif' alt='*' /></td>\r
- <td class='base' nowrap='nowrap'><input type='text' name='CERT_CITY' value='$cgiparams{'CERT_CITY'}' SIZE='32' $cakeydisabled /></td></tr>\r
- <tr><td> </td>\r
- <td class='base'>$Lang::tr{'state or province'}: <img src='/blob.gif' alt='*' /></td>\r
- <td class='base' nowrap='nowrap'><input type='text' name='CERT_STATE' value='$cgiparams{'CERT_STATE'}' SIZE='32' $cakeydisabled /></td></tr>\r
- <tr><td> </td>\r
- <td class='base'>$Lang::tr{'country'}:</td>\r
- <td class='base'><select name='CERT_COUNTRY' $cakeydisabled>\r
-END\r
- ;\r
- foreach my $country (sort keys %{Countries::countries}) {\r
- print "\t\t\t<option value='$Countries::countries{$country}'";\r
- if ( $Countries::countries{$country} eq $cgiparams{'CERT_COUNTRY'} ) {\r
- print " selected='selected'";\r
- }\r
- print ">$country</option>\n";\r
- }\r
- print <<END\r
- </select></td></tr>\r
- <tr><td> </td>\r
- <td class='base'>$Lang::tr{'pkcs12 file password'}:</td>\r
- <td class='base' nowrap='nowrap'><input type='password' name='CERT_PASS1' value='$cgiparams{'CERT_PASS1'}' size='32' $cakeydisabled /></td></tr>\r
- <tr><td> </td><td class='base'>$Lang::tr{'pkcs12 file password'}:<BR>($Lang::tr{'confirmation'})</td>\r
- <td class='base' nowrap='nowrap'><input type='password' name='CERT_PASS2' value='$cgiparams{'CERT_PASS2'}' size='32' $cakeydisabled /></td></tr>\r
- </table>\r
-END\r
- ;\r
- &Header::closebox();\r
- }\r
-\r
- print "<div align='center'><input type='submit' name='ACTION' value='$Lang::tr{'save'}' />";\r
- if ($cgiparams{'KEY'}) {\r
- print "<input type='submit' name='ACTION' value='$Lang::tr{'advanced'}' />";\r
- }\r
- print "<input type='submit' name='ACTION' value='$Lang::tr{'cancel'}' /></div></form>";\r
- &Header::closebigbox();\r
- &Header::closepage();\r
- exit (0);\r
- }\r
- VPNCONF_END:\r
-}\r
-\r
-###\r
-### Advanced settings\r
-###\r
-if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) ||\r
- ($cgiparams{'ACTION'} eq $Lang::tr{'save'} && $cgiparams{'ADVANCED'} eq 'yes')) {\r
- &General::readhash("${General::swroot}/vpn/settings", \%vpnsettings);\r
- &General::readhasharray("${General::swroot}/vpn/config", \%confighash);\r
- if (! $confighash{$cgiparams{'KEY'}}) {\r
- $errormessage = $Lang::tr{'invalid key'};\r
- goto ADVANCED_END;\r
- }\r
-\r
- if ($cgiparams{'ACTION'} eq $Lang::tr{'save'}) {\r
- if ($cgiparams{'NAT'} !~ /^(on|off)$/) {\r
- $errormessage = $Lang::tr{'invalid input'};\r
- goto ADVANCED_ERROR;\r
- }\r
- if ($cgiparams{'COMPRESSION'} !~ /^(on|off)$/) {\r
- $errormessage = $Lang::tr{'invalid input'};\r
- goto ADVANCED_ERROR;\r
- }\r
- if ($cgiparams{'NAT'} eq 'on' && $cgiparams{'COMPRESSION'} eq 'on') {\r
- $errormessage = $Lang::tr{'cannot enable both nat traversal and compression'};\r
- goto ADVANCED_ERROR;\r
- }\r
- my @temp = split('\|', $cgiparams{'IKE_ENCRYPTION'});\r
- if ($#temp < 0) {\r
- $errormessage = $Lang::tr{'invalid input'};\r
- goto ADVANCED_ERROR;\r
- }\r
- foreach my $val (@temp) {\r
- if ($val !~ /^(aes256|aes128|3des|twofish256|twofish128|serpent256|serpent128|blowfish256|blowfish128|cast128)$/) {\r
- $errormessage = $Lang::tr{'invalid input'};\r
- goto ADVANCED_ERROR;\r
- }\r
- }\r
- @temp = split('\|', $cgiparams{'IKE_INTEGRITY'});\r
- if ($#temp < 0) {\r
- $errormessage = $Lang::tr{'invalid input'};\r
- goto ADVANCED_ERROR;\r
- }\r
- foreach my $val (@temp) {\r
- if ($val !~ /^(sha2_512|sha2_256|sha|md5)$/) {\r
- $errormessage = $Lang::tr{'invalid input'};\r
- goto ADVANCED_ERROR;\r
- }\r
- }\r
- @temp = split('\|', $cgiparams{'IKE_GROUPTYPE'});\r
- if ($#temp < 0) {\r
- $errormessage = $Lang::tr{'invalid input'};\r
- goto ADVANCED_ERROR;\r
- }\r
- foreach my $val (@temp) {\r
- if ($val !~ /^(768|1024|1536|2048|3072|4096|6144|8192)$/) {\r
- $errormessage = $Lang::tr{'invalid input'};\r
- goto ADVANCED_ERROR;\r
- }\r
- }\r
- if ($cgiparams{'IKE_LIFETIME'} !~ /^\d+$/) {\r
- $errormessage = $Lang::tr{'invalid input for ike lifetime'};\r
- goto ADVANCED_ERROR;\r
- }\r
- if ($cgiparams{'IKE_LIFETIME'} < 1 || $cgiparams{'IKE_LIFETIME'} > 8) {\r
- $errormessage = $Lang::tr{'ike lifetime should be between 1 and 8 hours'};\r
- goto ADVANCED_ERROR;\r
- }\r
- @temp = split('\|', $cgiparams{'ESP_ENCRYPTION'});\r
- if ($#temp < 0) {\r
- $errormessage = $Lang::tr{'invalid input'};\r
- goto ADVANCED_ERROR;\r
- }\r
- foreach my $val (@temp) {\r
- if ($val !~ /^(aes256|aes128|3des|twofish256|twofish128|serpent256|serpent128|blowfish256|blowfish128)$/) {\r
- $errormessage = $Lang::tr{'invalid input'};\r
- goto ADVANCED_ERROR;\r
- }\r
- }\r
- @temp = split('\|', $cgiparams{'ESP_INTEGRITY'});\r
- if ($#temp < 0) {\r
- $errormessage = $Lang::tr{'invalid input'};\r
- goto ADVANCED_ERROR;\r
- }\r
- foreach my $val (@temp) {\r
- if ($val !~ /^(sha2_512|sha2_256|sha1|md5)$/) {\r
- $errormessage = $Lang::tr{'invalid input'};\r
- goto ADVANCED_ERROR;\r
- }\r
- }\r
- if ($cgiparams{'ESP_GROUPTYPE'} ne '' &&\r
- $cgiparams{'ESP_GROUPTYPE'} !~ /^modp(768|1024|1536|2048|3072|4096)$/) {\r
- $errormessage = $Lang::tr{'invalid input'};\r
- goto ADVANCED_ERROR;\r
- }\r
-\r
- if ($cgiparams{'ESP_KEYLIFE'} !~ /^\d+$/) {\r
- $errormessage = $Lang::tr{'invalid input for esp keylife'};\r
- goto ADVANCED_ERROR;\r
- }\r
- if ($cgiparams{'ESP_KEYLIFE'} < 1 || $cgiparams{'ESP_KEYLIFE'} > 24) {\r
- $errormessage = $Lang::tr{'esp keylife should be between 1 and 24 hours'};\r
- goto ADVANCED_ERROR;\r
- }\r
- if ($cgiparams{'ONLY_PROPOSED'} !~ /^(on|off)$/) {\r
- $errormessage = $Lang::tr{'invalid input'};\r
- goto ADVANCED_ERROR;\r
- }\r
- $confighash{$cgiparams{'KEY'}}[14] = $cgiparams{'NAT'};\r
- $confighash{$cgiparams{'KEY'}}[13] = $cgiparams{'COMPRESSION'};\r
- $confighash{$cgiparams{'KEY'}}[18] = $cgiparams{'IKE_ENCRYPTION'};\r
- $confighash{$cgiparams{'KEY'}}[19] = $cgiparams{'IKE_INTEGRITY'};\r
- $confighash{$cgiparams{'KEY'}}[20] = $cgiparams{'IKE_GROUPTYPE'};\r
- $confighash{$cgiparams{'KEY'}}[16] = $cgiparams{'IKE_LIFETIME'};\r
- $confighash{$cgiparams{'KEY'}}[21] = $cgiparams{'ESP_ENCRYPTION'};\r
- $confighash{$cgiparams{'KEY'}}[22] = $cgiparams{'ESP_INTEGRITY'};\r
- $confighash{$cgiparams{'KEY'}}[23] = $cgiparams{'ESP_GROUPTYPE'};\r
- $confighash{$cgiparams{'KEY'}}[17] = $cgiparams{'ESP_KEYLIFE'};\r
- $confighash{$cgiparams{'KEY'}}[24] = $cgiparams{'ONLY_PROPOSED'};\r
- &General::writehasharray("${General::swroot}/vpn/config", \%confighash);\r
- &writeipsecfiles();\r
- if ($vpnsettings{'ENABLED'} eq 'on' ||\r
- $vpnsettings{'ENABLED_BLUE'} eq 'on') {\r
- system('/usr/local/bin/ipsecctrl', 'S', $cgiparams{'KEY'});\r
- sleep $sleepDelay;\r
- }\r
- goto ADVANCED_END;\r
- } else {\r
-\r
- $cgiparams{'NAT'} = $confighash{$cgiparams{'KEY'}}[14];\r
- $cgiparams{'COMPRESSION'} = $confighash{$cgiparams{'KEY'}}[13];\r
- $cgiparams{'IKE_ENCRYPTION'} = $confighash{$cgiparams{'KEY'}}[18];\r
- $cgiparams{'IKE_INTEGRITY'} = $confighash{$cgiparams{'KEY'}}[19];\r
- $cgiparams{'IKE_GROUPTYPE'} = $confighash{$cgiparams{'KEY'}}[20];\r
- $cgiparams{'IKE_LIFETIME'} = $confighash{$cgiparams{'KEY'}}[16];\r
- $cgiparams{'ESP_ENCRYPTION'} = $confighash{$cgiparams{'KEY'}}[21];\r
- $cgiparams{'ESP_INTEGRITY'} = $confighash{$cgiparams{'KEY'}}[22];\r
- $cgiparams{'ESP_GROUPTYPE'} = $confighash{$cgiparams{'KEY'}}[23];\r
- $cgiparams{'ESP_KEYLIFE'} = $confighash{$cgiparams{'KEY'}}[17];\r
- $cgiparams{'ONLY_PROPOSED'} = $confighash{$cgiparams{'KEY'}}[24];\r
- \r
- if ($confighash{$cgiparams{'KEY'}}[3] eq 'net' || $confighash{$cgiparams{'KEY'}}[10]) {\r
- $cgiparams{'NAT'} = 'off';\r
- }\r
- }\r
-\r
- ADVANCED_ERROR:\r
- $checked{'NAT'}{'off'} = '';\r
- $checked{'NAT'}{'on'} = '';\r
- $checked{'NAT'}{$cgiparams{'NAT'}} = "checked='checked'";\r
- $checked{'COMPRESSION'}{'off'} = '';\r
- $checked{'COMPRESSION'}{'on'} = '';\r
- $checked{'COMPRESSION'}{$cgiparams{'COMPRESSION'}} = "checked='checked'";\r
- $checked{'IKE_ENCRYPTION'}{'aes256'} = '';\r
- $checked{'IKE_ENCRYPTION'}{'aes128'} = '';\r
- $checked{'IKE_ENCRYPTION'}{'3des'} = '';\r
- $checked{'IKE_ENCRYPTION'}{'twofish256'} = '';\r
- $checked{'IKE_ENCRYPTION'}{'twofish128'} = '';\r
- $checked{'IKE_ENCRYPTION'}{'serpent256'} = '';\r
- $checked{'IKE_ENCRYPTION'}{'serpent128'} = '';\r
- $checked{'IKE_ENCRYPTION'}{'blowfish256'} = '';\r
- $checked{'IKE_ENCRYPTION'}{'blowfish128'} = '';\r
- $checked{'IKE_ENCRYPTION'}{'cast128'} = '';\r
- my @temp = split('\|', $cgiparams{'IKE_ENCRYPTION'});\r
- foreach my $key (@temp) {$checked{'IKE_ENCRYPTION'}{$key} = "selected='selected'"; }\r
- $checked{'IKE_INTEGRITY'}{'sha2_512'} = '';\r
- $checked{'IKE_INTEGRITY'}{'sha2_256'} = '';\r
- $checked{'IKE_INTEGRITY'}{'sha'} = '';\r
- $checked{'IKE_INTEGRITY'}{'md5'} = '';\r
- @temp = split('\|', $cgiparams{'IKE_INTEGRITY'});\r
- foreach my $key (@temp) {$checked{'IKE_INTEGRITY'}{$key} = "selected='selected'"; }\r
- $checked{'IKE_GROUPTYPE'}{'768'} = '';\r
- $checked{'IKE_GROUPTYPE'}{'1024'} = '';\r
- $checked{'IKE_GROUPTYPE'}{'1536'} = '';\r
- $checked{'IKE_GROUPTYPE'}{'2048'} = '';\r
- $checked{'IKE_GROUPTYPE'}{'3072'} = '';\r
- $checked{'IKE_GROUPTYPE'}{'4096'} = '';\r
- $checked{'IKE_GROUPTYPE'}{'6144'} = '';\r
- $checked{'IKE_GROUPTYPE'}{'8192'} = '';\r
- @temp = split('\|', $cgiparams{'IKE_GROUPTYPE'});\r
- foreach my $key (@temp) {$checked{'IKE_GROUPTYPE'}{$key} = "selected='selected'"; }\r
- $checked{'ESP_ENCRYPTION'}{'aes256'} = '';\r
- $checked{'ESP_ENCRYPTION'}{'aes128'} = '';\r
- $checked{'ESP_ENCRYPTION'}{'3des'} = '';\r
- $checked{'ESP_ENCRYPTION'}{'twofish256'} = '';\r
- $checked{'ESP_ENCRYPTION'}{'twofish128'} = '';\r
- $checked{'ESP_ENCRYPTION'}{'serpent256'} = '';\r
- $checked{'ESP_ENCRYPTION'}{'serpent128'} = '';\r
- $checked{'ESP_ENCRYPTION'}{'blowfish256'} = '';\r
- $checked{'ESP_ENCRYPTION'}{'blowfish128'} = '';\r
- @temp = split('\|', $cgiparams{'ESP_ENCRYPTION'});\r
- foreach my $key (@temp) {$checked{'ESP_ENCRYPTION'}{$key} = "selected='selected'"; }\r
- $checked{'ESP_INTEGRITY'}{'sha2_512'} = '';\r
- $checked{'ESP_INTEGRITY'}{'sha2_256'} = '';\r
- $checked{'ESP_INTEGRITY'}{'sha1'} = '';\r
- $checked{'ESP_INTEGRITY'}{'md5'} = '';\r
- @temp = split('\|', $cgiparams{'ESP_INTEGRITY'});\r
- foreach my $key (@temp) {$checked{'ESP_INTEGRITY'}{$key} = "selected='selected'"; }\r
- $checked{'ESP_GROUPTYPE'}{'modp768'} = '';\r
- $checked{'ESP_GROUPTYPE'}{'modp1024'} = '';\r
- $checked{'ESP_GROUPTYPE'}{'modp1536'} = '';\r
- $checked{'ESP_GROUPTYPE'}{'modp2048'} = '';\r
- $checked{'ESP_GROUPTYPE'}{'modp3072'} = '';\r
- $checked{'ESP_GROUPTYPE'}{'modp4096'} = '';\r
- $checked{'ESP_GROUPTYPE'}{$cgiparams{'ESP_GROUPTYPE'}} = "selected='selected'";\r
- $checked{'ONLY_PROPOSED'}{'off'} = '';\r
- $checked{'ONLY_PROPOSED'}{'on'} = '';\r
- $checked{'ONLY_PROPOSED'}{$cgiparams{'ONLY_PROPOSED'}} = "checked='checked'";\r
-\r
- &Header::showhttpheaders();\r
- &Header::openpage($Lang::tr{'vpn configuration main'}, 1, '');\r
- &Header::openbigbox('100%', 'LEFT', '', $errormessage);\r
-\r
- if ($errormessage) {\r
- &Header::openbox('100%', 'LEFT', $Lang::tr{'error messages'});\r
- print "<class name='base'>$errormessage";\r
- print " </class>";\r
- &Header::closebox();\r
- }\r
-\r
- if ($warnmessage) {\r
- &Header::openbox('100%', 'LEFT', $Lang::tr{'warning messages'});\r
- print "<class name='base'>$warnmessage";\r
- print " </class>";\r
- &Header::closebox();\r
- }\r
-\r
- print "<form method='post' enctype='multipart/form-data'>\n";\r
- print "<input type='hidden' name='ADVANCED' value='yes' />\n";\r
- print "<input type='hidden' name='KEY' value='$cgiparams{'KEY'}' />\n";\r
-\r
- &Header::openbox('100%', 'LEFT', "$Lang::tr{'advanced'}:");\r
- print "<table width='100%'>\n";\r
- print "<tr><td width='25%' class='boldbase'>$Lang::tr{'compression'}</td>\n";\r
- print "<td width='25%'><input type='checkbox' name='COMPRESSION' $checked{'COMPRESSION'}{'on'} /></td>\n";\r
- if ($confighash{$cgiparams{'KEY'}}[3] eq 'net') {\r
- print "<td width='25%'><input type='hidden' name='NAT' value='off' /></td><td width='25%'> </td></tr>\n";\r
- } elsif ($confighash{$cgiparams{'KEY'}}[10]) {\r
- print "<td width='25%' class='boldbase'>$Lang::tr{'nat-traversal'}</td>\n";\r
- print "<td width='25%'><input type='checkbox' name='NAT' $checked{'NAT'}{'on'} disabled='disabled' /></td></tr>\n";\r
- } else {\r
- print "<td width='25%' class='boldbase'>$Lang::tr{'nat-traversal'}</td>\n";\r
- print "<td width='25%'><input type='checkbox' name='NAT' $checked{'NAT'}{'on'} /></td></tr>\n";\r
- }\r
- print <<EOF\r
- <tr><td width='25%' class='boldbase' valign='top'>$Lang::tr{'ike encryption'}</td>\r
- <td width='25%' valign='top'><select name='IKE_ENCRYPTION' multiple='multiple' size='4'>\r
- <option value='aes256' $checked{'IKE_ENCRYPTION'}{'aes256'}>AES (256 bit)</option>\r
- <option value='aes128' $checked{'IKE_ENCRYPTION'}{'aes128'}>AES (128 bit)</option>\r
- <option value='3des' $checked{'IKE_ENCRYPTION'}{'3des'}>3DES</option>\r
- <option value='twofish256' $checked{'IKE_ENCRYPTION'}{'twofish256'}>Twofish (256 bit)</option>\r
- <option value='twofish128' $checked{'IKE_ENCRYPTION'}{'twofish128'}>Twofish (128 bit)</option>\r
- <option value='serpent256' $checked{'IKE_ENCRYPTION'}{'serpent256'}>Serpent (256 bit)</option>\r
- <option value='serpent128' $checked{'IKE_ENCRYPTION'}{'serpent128'}>Serpent (128 bit)</option>\r
- <option value='blowfish256' $checked{'IKE_ENCRYPTION'}{'blowfish256'}>Blowfish (256 bit)</option>\r
- <option value='blowfish128' $checked{'IKE_ENCRYPTION'}{'blowfish128'}>Blowfish (128 bit)</option>\r
- <option value='cast128' $checked{'IKE_ENCRYPTION'}{'cast128'}>Cast (128 bit)</option></SELECT></td>\r
- <td width='25%' class='boldbase' valign='top'>$Lang::tr{'ike integrity'}</td>\r
- <td width='25%' valign='top'><select name='IKE_INTEGRITY' multiple='multiple' size='4'>\r
- <option value='sha2_512' $checked{'IKE_INTEGRITY'}{'sha2_512'}>SHA2 (512)</option>\r
- <option value='sha2_256' $checked{'IKE_INTEGRITY'}{'sha2_256'}>SHA2 (256)</option>\r
- <option value='sha' $checked{'IKE_INTEGRITY'}{'sha'}>SHA</option>\r
- <option value='md5' $checked{'IKE_INTEGRITY'}{'md5'}>MD5</option></SELECT></td></tr>\r
- <tr><td width='25%' class='boldbase' valign='top'>$Lang::tr{'ike lifetime'}</td>\r
- <td width='25%' valign='top'><input type='text' name='IKE_LIFETIME' value='$cgiparams{'IKE_LIFETIME'}' SIZE='5'> $Lang::tr{'hours'}</td>\r
- <td width='25%' class='boldbase' valign='top'>$Lang::tr{'ike grouptype'}</td>\r
- <td width='25%' valign='top'><select name='IKE_GROUPTYPE' multiple='multiple' size='4'>\r
- <option value='8192' $checked{'IKE_GROUPTYPE'}{'8192'}>MODP-8192</option>\r
- <option value='6144' $checked{'IKE_GROUPTYPE'}{'6144'}>MODP-6144</option>\r
- <option value='4096' $checked{'IKE_GROUPTYPE'}{'4096'}>MODP-4096</option>\r
- <option value='3072' $checked{'IKE_GROUPTYPE'}{'3072'}>MODP-3072</option>\r
- <option value='2048' $checked{'IKE_GROUPTYPE'}{'2048'}>MODP-2048</option>\r
- <option value='1536' $checked{'IKE_GROUPTYPE'}{'1536'}>MODP-1536</option>\r
- <option value='1024' $checked{'IKE_GROUPTYPE'}{'1024'}>MODP-1024</option>\r
- <option value='768' $checked{'IKE_GROUPTYPE'}{'768'}>MODP-768</option></select></td></tr>\r
- <tr><td width='25%' class='boldbase' valign='top'>$Lang::tr{'esp encryption'}</td>\r
- <td width='25%' valign='top'><select name='ESP_ENCRYPTION' multiple='multiple' size='4'>\r
- <option value='aes256' $checked{'ESP_ENCRYPTION'}{'aes256'}>AES (256 bit)</option>\r
- <option value='aes128' $checked{'ESP_ENCRYPTION'}{'aes128'}>AES (128 bit)</option>\r
- <option value='3des' $checked{'ESP_ENCRYPTION'}{'3des'}>3DES</option>\r
- <option value='twofish256' $checked{'ESP_ENCRYPTION'}{'twofish256'}>Twofish (256 bit)</option>\r
- <option value='twofish128' $checked{'ESP_ENCRYPTION'}{'twofish128'}>Twofish (128 bit)</option>\r
- <option value='serpent256' $checked{'ESP_ENCRYPTION'}{'serpent256'}>Serpent (256 bit)</option>\r
- <option value='serpent128' $checked{'ESP_ENCRYPTION'}{'serpent128'}>Serpent (128 bit)</option>\r
- <option value='blowfish256' $checked{'ESP_ENCRYPTION'}{'blowfish256'}>Blowfish (256 bit)</option>\r
- <option value='blowfish128' $checked{'ESP_ENCRYPTION'}{'blowfish128'}>Blowfish (128 bit)</option></select></td>\r
- <td width='25%' class='boldbase' valign='top'>$Lang::tr{'esp integrity'}</td>\r
- <td width='25%' valign='top'><select name='ESP_INTEGRITY' multiple='multiple' size='4'>\r
- <option value='sha2_512' $checked{'ESP_INTEGRITY'}{'sha2_512'}>SHA2 (512)</option>\r
- <option value='sha2_256' $checked{'ESP_INTEGRITY'}{'sha2_256'}>SHA2 (256)</option>\r
- <option value='sha1' $checked{'ESP_INTEGRITY'}{'sha1'}>SHA1</option>\r
- <option value='md5' $checked{'ESP_INTEGRITY'}{'md5'}>MD5</option></select></td></tr>\r
- <tr><td width='25%' class='boldbase' valign='top'>$Lang::tr{'esp keylife'}</td>\r
- <td width='25%' valign='top'><input type='text' name='ESP_KEYLIFE' value='$cgiparams{'ESP_KEYLIFE'}' size='5' /> $Lang::tr{'hours'}</td>\r
- <td width='25%' class='boldbase' valign='top'>$Lang::tr{'esp grouptype'}</td>\r
- <td width='25%' valign='top'><select name='ESP_GROUPTYPE'>\r
- <option value=''>$Lang::tr{'phase1 group'}</option>\r
- <option value='modp4096' $checked{'ESP_GROUPTYPE'}{'modp4096'}>MODP-4096</option>\r
- <option value='modp3072' $checked{'ESP_GROUPTYPE'}{'modp3072'}>MODP-3072</option>\r
- <option value='modp2048' $checked{'ESP_GROUPTYPE'}{'modp2048'}>MODP-2048</option>\r
- <option value='modp1536' $checked{'ESP_GROUPTYPE'}{'modp1536'}>MODP-1536</option>\r
- <option value='modp1024' $checked{'ESP_GROUPTYPE'}{'modp1024'}>MODP-1024</option>\r
- <option value='modp768' $checked{'ESP_GROUPTYPE'}{'modp768'}>MODP-768</option></select></td></tr>\r
- <tr><td colspan='4'><input type='CHECKBOX' name='ONLY_PROPOSED' $checked{'ONLY_PROPOSED'}{'on'} />\r
- $Lang::tr{'use only proposed settings'}</td></tr>\r
- </table>\r
-EOF\r
- ;\r
- &Header::closebox();\r
- print "<div align='center'><input type='submit' name='ACTION' value='$Lang::tr{'save'}' />";\r
- print "<input type='submit' name='ACTION' value='$Lang::tr{'cancel'}' /></div></form>";\r
- &Header::closebigbox();\r
- &Header::closepage();\r
- exit(0);\r
-\r
- ADVANCED_END:\r
-}\r
-\r
-###\r
-### Default status page\r
-###\r
- %cgiparams = ();\r
- %cahash = ();\r
- %confighash = ();\r
- &General::readhash("${General::swroot}/vpn/settings", \%cgiparams);\r
- &General::readhasharray("${General::swroot}/vpn/caconfig", \%cahash);\r
- &General::readhasharray("${General::swroot}/vpn/config", \%confighash);\r
-\r
- my @status = `/usr/sbin/ipsec auto --status`;\r
-\r
- # suggest a default name for this side\r
- if ($cgiparams{'VPN_IP'} eq '' && -e "${General::swroot}/red/active") {\r
- if (open(IPADDR, "${General::swroot}/red/local-ipaddress")) {\r
- my $ipaddr = <IPADDR>;\r
- close IPADDR;\r
- chomp ($ipaddr);\r
- $cgiparams{'VPN_IP'} = (gethostbyaddr(pack("C4", split(/\./, $ipaddr)), 2))[0];\r
- if ($cgiparams{'VPN_IP'} eq '') {\r
- $cgiparams{'VPN_IP'} = $ipaddr;\r
- }\r
- }\r
- }\r
- # no IP found, use %defaultroute\r
- $cgiparams{'VPN_IP'} ='%defaultroute' if ($cgiparams{'VPN_IP'} eq '');\r
- \r
- $cgiparams{'VPN_DELAYED_START'} = 0 if (! defined ($cgiparams{'VPN_DELAYED_START'}));\r
- map ($checked{$_} = $cgiparams{$_} eq 'on' ? "checked='checked'" : '',\r
- ('ENABLED','ENABLED_BLUE','DBG_CRYPT','DBG_PARSING','DBG_EMITTING','DBG_CONTROL',\r
- 'DBG_KLIPS','DBG_DNS','DBG_NAT_T'));\r
-\r
-\r
- &Header::showhttpheaders();\r
- &Header::openpage($Lang::tr{'vpn configuration main'}, 1, '');\r
- &Header::openbigbox('100%', 'LEFT', '', $errormessage);\r
-\r
- if ($errormessage) {\r
- &Header::openbox('100%', 'LEFT', $Lang::tr{'error messages'});\r
- print "<class name='base'>$errormessage\n";\r
- print " </class>\n";\r
- &Header::closebox();\r
- }\r
-\r
- &Header::openbox('100%', 'LEFT', $Lang::tr{'global settings'});\r
- print <<END\r
- <form method='post'>\r
- <table width='100%'>\r
- <tr>\r
- <td width='25%' class='base' nowrap='nowrap'>$Lang::tr{'local vpn hostname/ip'}:</td>\r
- <td width='25%'><input type='text' name='VPN_IP' value='$cgiparams{'VPN_IP'}' /></td>\r
- <td width='25%' class='base'>$Lang::tr{'enabled'}<input type='checkbox' name='ENABLED' $checked{'ENABLED'} /></td>\r
- </tr>\r
-END\r
- ;\r
- if ($netsettings{'BLUE_DEV'} ne '') {\r
- print <<END\r
- <tr>\r
- <td width='25%' class='base' nowrap='nowrap'>$Lang::tr{'vpn on blue'}:</td>\r
- <td></td>\r
- <td width='25%' class='base'>$Lang::tr{'enabled'}<input type='checkbox' name='ENABLED_BLUE' $checked{'ENABLED_BLUE'} /></td>\r
- </tr>\r
-END\r
- ;\r
- }\r
-print <<END\r
- <td width='25%' class='base' nowrap='nowrap'>$Lang::tr{'vpn delayed start'}: <img src='/blob.gif' alt='*' /></td>\r
- <td width='25%'><input type='text' name='VPN_DELAYED_START' value='$cgiparams{'VPN_DELAYED_START'}' /></td>\r
- <td width='25%' class='base' nowrap='nowrap'>$Lang::tr{'override mtu'}: <img src='/blob.gif' alt='*' /></td>\r
- <td width='25%'><input type='text' name='VPN_OVERRIDE_MTU' value='$cgiparams{'VPN_OVERRIDE_MTU'}' /></td>\r
-</table>\r
-<table width='100%'>\r
-<tr><td>PLUTO DEBUG</td>\r
- <td>crypt:<input type='checkbox' name='DBG_CRYPT' $checked{'DBG_CRYPT'} /></td>\r
- <td>parsing:<input type='checkbox' name='DBG_PARSING' $checked{'DBG_PARSING'} /></td>\r
- <td>emitting:<input type='checkbox' name='DBG_EMITTING' $checked{'DBG_EMITTING'} /></td>\r
- <td>control:<input type='checkbox' name='DBG_CONTROL' $checked{'DBG_CONTROL'} /></td>\r
- <td>klips:<input type='checkbox' name='DBG_KLIPS' $checked{'DBG_KLIPS'} /></td>\r
- <td>dns:<input type='checkbox' name='DBG_DNS' $checked{'DBG_DNS'} /></td>\r
- <td>nat_t:<input type='checkbox' name='DBG_NAT_T' $checked{'DBG_NAT_T'} /></td>\r
-</tr></table>\r
-<hr />\r
-<table width='100%'>\r
-<tr>\r
- <td class='base' valign='top'><img src='/blob.gif' alt='*' /></td>\r
- <td width='70%' class='base'>$Lang::tr{'vpn delayed start help'}</td>\r
- <td width='30%' align='center' class='base'><input type='submit' name='ACTION' value='$Lang::tr{'save'}' /></td>\r
-</tr>\r
-</table>\r
-END\r
-; \r
- print "</form>";\r
- &Header::closebox();\r
-\r
- &Header::openbox('100%', 'LEFT', $Lang::tr{'connection status and controlc'});\r
- print <<END\r
- <table width='100%' border='0' cellspacing='1' cellpadding='0'>\r
- <tr>\r
- <td width='10%' class='boldbase' align='center'><b>$Lang::tr{'name'}</b></td>\r
- <td width='22%' class='boldbase' align='center'><b>$Lang::tr{'type'}</b></td>\r
- <td width='23%' class='boldbase' align='center'><b>$Lang::tr{'common name'}</b></td>\r
- <td width='30%' class='boldbase' align='center'><b>$Lang::tr{'remark'}</b><br /><img src='/images/null.gif' width='125' height='1' border='0' alt='L2089' /></td>\r
- <td width='10%' class='boldbase' align='center'><b>$Lang::tr{'status'}</b></td>\r
- <td width='5%' class='boldbase' colspan='6' align='center'><b>$Lang::tr{'action'}</b></td>\r
- </tr>\r
-END\r
- ;\r
- my $id = 0;\r
- my $gif;\r
- foreach my $key (keys %confighash) {\r
- if ($confighash{$key}[0] eq 'on') { $gif = 'on.gif'; } else { $gif = 'off.gif'; }\r
-\r
- if ($id % 2) {\r
- print "<tr bgcolor='${Header::table1colour}'>\n";\r
- } else {\r
- print "<tr bgcolor='${Header::table2colour}'>\n";\r
- }\r
- print "<td align='center' nowrap='nowrap'>$confighash{$key}[1]</td>";\r
- print "<td align='center' nowrap='nowrap'>" . $Lang::tr{"$confighash{$key}[3]"} . " (" . $Lang::tr{"$confighash{$key}[4]"} . ")</td>";\r
- if ($confighash{$key}[4] eq 'cert') {\r
- print "<td align='left' nowrap='nowrap'>$confighash{$key}[2]</td>";\r
- } else {\r
- print "<td align='left'> </td>";\r
- }\r
- print "<td align='center'>$confighash{$key}[25]</td>";\r
- my $active = "<table cellpadding='2' cellspacing='0' bgcolor='${Header::colourred}' width='100%'><tr><td align='center'><b><font color='#FFFFFF'>$Lang::tr{'capsclosed'}</font></b></td></tr></table>";\r
- if ($confighash{$key}[0] eq 'off') {\r
- $active = "<table cellpadding='2' cellspacing='0' bgcolor='${Header::colourblue}' width='100%'><tr><td align='center'><b><font color='#FFFFFF'>$Lang::tr{'capsclosed'}</font></b></td></tr></table>";\r
- } else {\r
- foreach my $line (@status) {\r
- if ($line =~ /\"$confighash{$key}[1]\".*IPsec SA established/) {\r
- $active = "<table cellpadding='2' cellspacing='0' bgcolor='${Header::colourgreen}' width='100%'><tr><td align='center'><b><font color='#FFFFFF'>$Lang::tr{'capsopen'}</font></b></td></tr></table>";\r
- }\r
- }\r
- }\r
- print <<END\r
- <td align='center'>$active</td>\r
- <form method='post' name='frm${key}a'><td align='center'>\r
- <input type='image' name='$Lang::tr{'restart'}' src='/images/reload.gif' alt='$Lang::tr{'restart'}' title='$Lang::tr{'restart'}' border='0' />\r
- <input type='hidden' name='ACTION' value='$Lang::tr{'restart'}' />\r
- <input type='hidden' name='KEY' value='$key' />\r
- </td></form>\r
-END\r
- ;\r
- if ($confighash{$key}[4] eq 'cert') {\r
- print <<END\r
- <form method='post' name='frm${key}b'><td align='center'>\r
- <input type='image' name='$Lang::tr{'show certificate'}' src='/images/info.gif' alt='$Lang::tr{'show certificate'}' title='$Lang::tr{'show certificate'}' border='0' />\r
- <input type='hidden' name='ACTION' value='$Lang::tr{'show certificate'}' />\r
- <input type='hidden' name='KEY' value='$key' />\r
- </td></form>\r
-END\r
- ; } else {\r
- print "<td> </td>";\r
- }\r
- if ($confighash{$key}[4] eq 'cert' && -f "${General::swroot}/certs/$confighash{$key}[1].p12") { \r
- print <<END\r
- <form method='post' name='frm${key}c'><td align='center'>\r
- <input type='image' name='$Lang::tr{'download pkcs12 file'}' src='/images/floppy.gif' alt='$Lang::tr{'download pkcs12 file'}' title='$Lang::tr{'download pkcs12 file'}' border='0' />\r
- <input type='hidden' name='ACTION' value='$Lang::tr{'download pkcs12 file'}' />\r
- <input type='hidden' name='KEY' value='$key' />\r
- </td></form>\r
-END\r
- ; } elsif ($confighash{$key}[4] eq 'cert') {\r
- print <<END\r
- <form method='post' name='frm${key}c'><td align='center'>\r
- <input type='image' name='$Lang::tr{'download certificate'}' src='/images/floppy.gif' alt='$Lang::tr{'download certificate'}' title='$Lang::tr{'download certificate'}' border='0' />\r
- <input type='hidden' name='ACTION' value='$Lang::tr{'download certificate'}' />\r
- <input type='hidden' name='KEY' value='$key' />\r
- </td></form>\r
-END\r
- ; } else {\r
- print "<td> </td>";\r
- }\r
- print <<END\r
- <form method='post' name='frm${key}d'><td align='center'>\r
- <input type='image' name='$Lang::tr{'toggle enable disable'}' src='/images/$gif' alt='$Lang::tr{'toggle enable disable'}' title='$Lang::tr{'toggle enable disable'}' border='0' />\r
- <input type='hidden' name='ACTION' value='$Lang::tr{'toggle enable disable'}' />\r
- <input type='hidden' name='KEY' value='$key' />\r
- </td></form>\r
-\r
- <form method='post' name='frm${key}e'><td align='center'>\r
- <input type='hidden' name='ACTION' value='$Lang::tr{'edit'}' />\r
- <input type='image' name='$Lang::tr{'edit'}' src='/images/edit.gif' alt='$Lang::tr{'edit'}' title='$Lang::tr{'edit'}' width='20' height='20' border='0'/>\r
- <input type='hidden' name='KEY' value='$key' />\r
- </td></form>\r
- <form method='post' name='frm${key}f'><td align='center'>\r
- <input type='hidden' name='ACTION' value='$Lang::tr{'remove'}' />\r
- <input type='image' name='$Lang::tr{'remove'}' src='/images/delete.gif' alt='$Lang::tr{'remove'}' title='$Lang::tr{'remove'}' width='20' height='20' border='0' />\r
- <input type='hidden' name='KEY' value='$key' />\r
- </td></form>\r
- </tr>\r
-END\r
- ;\r
- $id++;\r
- }\r
- ;\r
-\r
- # If the config file contains entries, print Key to action icons\r
- if ( $id ) {\r
- print <<END\r
- <table>\r
- <tr>\r
- <td class='boldbase'> <b>$Lang::tr{'legend'}:</b></td>\r
- <td> <img src='/images/on.gif' alt='$Lang::tr{'click to disable'}' /></td>\r
- <td class='base'>$Lang::tr{'click to disable'}</td>\r
- <td> <img src='/images/info.gif' alt='$Lang::tr{'show certificate'}' /></td>\r
- <td class='base'>$Lang::tr{'show certificate'}</td>\r
- <td> <img src='/images/edit.gif' alt='$Lang::tr{'edit'}' /></td>\r
- <td class='base'>$Lang::tr{'edit'}</td>\r
- <td> <img src='/images/delete.gif' alt='$Lang::tr{'remove'}' /></td>\r
- <td class='base'>$Lang::tr{'remove'}</td>\r
- </tr>\r
- <tr>\r
- <td> </td>\r
- <td> <img src='/images/off.gif' alt='?OFF' /></td>\r
- <td class='base'>$Lang::tr{'click to enable'}</td>\r
- <td> <img src='/images/floppy.gif' alt='?FLOPPY' /></td>\r
- <td class='base'>$Lang::tr{'download certificate'}</td>\r
- <td> <img src='/images/reload.gif' alt='?RELOAD'/></td>\r
- <td class='base'>$Lang::tr{'restart'}</td>\r
- </tr>\r
- </table>\r
-END\r
- ;\r
- }\r
-\r
- print <<END\r
- <table width='100%'>\r
- <form method='post'>\r
- <tr><td align='center' colspan='9'><input type='submit' name='ACTION' value='$Lang::tr{'add'}' /></td></tr>\r
- </form>\r
- </table>\r
-END\r
- ;\r
- &Header::closebox();\r
-\r
- &Header::openbox('100%', 'LEFT', "$Lang::tr{'certificate authorities'}:");\r
- print <<EOF\r
- <table width='100%' border='0' cellspacing='1' cellpadding='0'>\r
- <tr>\r
- <td width='25%' class='boldbase' align='center'><b>$Lang::tr{'name'}</b></td>\r
- <td width='65%' class='boldbase' align='center'><b>$Lang::tr{'subject'}</b></td>\r
- <td width='10%' class='boldbase' colspan='3' align='center'><b>$Lang::tr{'action'}</b></td>\r
- </tr>\r
-EOF\r
- ;\r
- if (-f "${General::swroot}/ca/cacert.pem") {\r
- my $casubject = `/usr/bin/openssl x509 -text -in ${General::swroot}/ca/cacert.pem`;\r
- $casubject =~ /Subject: (.*)[\n]/;\r
- $casubject = $1;\r
- $casubject =~ s+/Email+, E+;\r
- $casubject =~ s/ ST=/ S=/;\r
-\r
- print <<END\r
- <tr bgcolor='${Header::table2colour}'>\r
- <td class='base'>$Lang::tr{'root certificate'}</td>\r
- <td class='base'>$casubject</td>\r
- <form method='post' name='frmrootcrta'><td width='3%' align='center'>\r
- <input type='hidden' name='ACTION' value='$Lang::tr{'show root certificate'}' />\r
- <input type='image' name='$Lang::tr{'edit'}' src='/images/info.gif' alt='$Lang::tr{'show root certificate'}' title='$Lang::tr{'show root certificate'}' width='20' height='20' border='0' />\r
- </td></form>\r
- <form method='post' name='frmrootcrtb'><td width='3%' align='center'>\r
- <input type='image' name='$Lang::tr{'download root certificate'}' src='/images/floppy.gif' alt='$Lang::tr{'download root certificate'}' title='$Lang::tr{'download root certificate'}' border='0' />\r
- <input type='hidden' name='ACTION' value='$Lang::tr{'download root certificate'}' />\r
- </td></form>\r
- <td width='4%'> </td></tr>\r
-END\r
- ;\r
- } else {\r
- # display rootcert generation buttons\r
- print <<END\r
- <tr bgcolor='${Header::table2colour}'>\r
- <td class='base'>$Lang::tr{'root certificate'}:</td>\r
- <td class='base'>$Lang::tr{'not present'}</td>\r
- <td colspan='3'> </td></tr>\r
-END\r
- ;\r
- }\r
-\r
- if (-f "${General::swroot}/certs/hostcert.pem") {\r
- my $hostsubject = `/usr/bin/openssl x509 -text -in ${General::swroot}/certs/hostcert.pem`;\r
- $hostsubject =~ /Subject: (.*)[\n]/;\r
- $hostsubject = $1;\r
- $hostsubject =~ s+/Email+, E+;\r
- $hostsubject =~ s/ ST=/ S=/;\r
-\r
- print <<END\r
- <tr bgcolor='${Header::table1colour}'>\r
- <td class='base'>$Lang::tr{'host certificate'}</td>\r
- <td class='base'>$hostsubject</td>\r
- <form method='post' name='frmhostcrta'><td width='3%' align='center'>\r
- <input type='hidden' name='ACTION' value='$Lang::tr{'show host certificate'}' />\r
- <input type='image' name='$Lang::tr{'show host certificate'}' src='/images/info.gif' alt='$Lang::tr{'show host certificate'}' title='$Lang::tr{'show host certificate'}' width='20' height='20' border='0' />\r
- </td></form>\r
- <form method='post' name='frmhostcrtb'><td width='3%' align='center'>\r
- <input type='image' name='$Lang::tr{'download host certificate'}' src='/images/floppy.gif' alt='$Lang::tr{'download host certificate'}' title='$Lang::tr{'download host certificate'}' border='0' />\r
- <input type='hidden' name='ACTION' value='$Lang::tr{'download host certificate'}' />\r
- </td></form>\r
- <td width='4%'> </td></tr>\r
-END\r
- ;\r
- } else {\r
- # Nothing\r
- print <<END\r
- <tr bgcolor='${Header::table1colour}'>\r
- <td width='25%' class='base'>$Lang::tr{'host certificate'}:</td>\r
- <td class='base'>$Lang::tr{'not present'}</td>\r
- </td><td colspan='3'> </td></tr>\r
-END\r
- ;\r
- }\r
-\r
- if (! -f "${General::swroot}/ca/cacert.pem") {\r
- print "<tr><td colspan='5' align='center'><form method='post'>";\r
- print "<input type='submit' name='ACTION' value='$Lang::tr{'generate root/host certificates'}' />";\r
- print "</form></td></tr>\n";\r
- }\r
-\r
- if (keys %cahash > 0) {\r
- foreach my $key (keys %cahash) {\r
- if (($key + 1) % 2) {\r
- print "<tr bgcolor='${Header::table1colour}'>\n";\r
- } else {\r
- print "<tr bgcolor='${Header::table2colour}'>\n";\r
- }\r
- print "<td class='base'>$cahash{$key}[0]</td>\n";\r
- print "<td class='base'>$cahash{$key}[1]</td>\n";\r
- print <<END\r
- <form method='post' name='cafrm${key}a'><td align='center'>\r
- <input type='image' name='$Lang::tr{'show ca certificate'}' src='/images/info.gif' alt='$Lang::tr{'show ca certificate'}' title='$Lang::tr{'show ca certificate'}' border='0' />\r
- <input type='hidden' name='ACTION' value='$Lang::tr{'show ca certificate'}' />\r
- <input type='hidden' name='KEY' value='$key' />\r
- </td></form>\r
- <form method='post' name='cafrm${key}b'><td align='center'>\r
- <input type='image' name='$Lang::tr{'download ca certificate'}' src='/images/floppy.gif' alt='$Lang::tr{'download ca certificate'}' title='$Lang::tr{'download ca certificate'}' border='0' />\r
- <input type='hidden' name='ACTION' value='$Lang::tr{'download ca certificate'}' />\r
- <input type='hidden' name='KEY' value='$key' />\r
- </td></form>\r
- <form method='post' name='cafrm${key}c'><td align='center'>\r
- <input type='hidden' name='ACTION' value='$Lang::tr{'remove ca certificate'}' />\r
- <input type='image' name='$Lang::tr{'remove ca certificate'}' src='/images/delete.gif' alt='$Lang::tr{'remove ca certificate'}' title='$Lang::tr{'remove ca certificate'}' width='20' height='20' border='0' />\r
- <input type='hidden' name='KEY' value='$key' />\r
- </td></form></tr>\r
-END\r
- ;\r
- }\r
- }\r
-\r
- print "</table>";\r
-\r
- # If the file contains entries, print Key to action icons\r
- if ( -f "${General::swroot}/ca/cacert.pem") {\r
- print <<END\r
- <table>\r
- <tr>\r
- <td class='boldbase'> <b>$Lang::tr{'legend'}:</b></td>\r
- <td> <img src='/images/info.gif' alt='$Lang::tr{'show certificate'}' /></td>\r
- <td class='base'>$Lang::tr{'show certificate'}</td>\r
- <td> <img src='/images/floppy.gif' alt='$Lang::tr{'download certificate'}' /></td>\r
- <td class='base'>$Lang::tr{'download certificate'}</td>\r
- </tr>\r
- </table>\r
-END\r
- ;\r
- }\r
- print <<END\r
- <form method='post' enctype='multipart/form-data'>\r
- <table width='100%' border='0' cellspacing='1' cellpadding='0'>\r
- <tr><td class='base' nowrap='nowrap'>$Lang::tr{'ca name'}:</td>\r
- <td nowrap='nowrap'><input type='text' name='CA_NAME' value='$cgiparams{'CA_NAME'}' size='15' />\r
- <td nowrap='nowrap'><input type='file' name='FH' size='30' /></td>\r
- <td nowrap='nowrap'><input type='submit' name='ACTION' value='$Lang::tr{'upload ca certificate'}' /></td>\r
- </tr></table></form>\r
-END\r
- ;\r
- &Header::closebox();\r
-\r
- print "<div align='center'><form method='post'><input type='submit' name='ACTION' value='$Lang::tr{'reset'}' /></div></form>\n";\r
- print "$Lang::tr{'this feature has been sponsored by'} : ";\r
- print "<a href='http://www.seminolegas.com/' target='_blank'>Seminole Canada Gas Company</a>.\n";\r
-\r
- &Header::closebigbox();\r
- &Header::closepage();\r
+#!/usr/bin/perl
+#
+# This file is part of the IPFire Firewall.
+#
+# IPFire is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# IPFire is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with IPFire; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+#
+# Copyright (C) 2003-05-25 Mark Wormgoor <mark@wormgoor.com>
+#
+# $Id: vpnmain.cgi,v 1.10.2.69 2006/01/31 02:07:19 franck78 Exp $
+#
+
+use Net::DNS;
+use File::Copy;
+use File::Temp qw/ tempfile tempdir /;
+use strict;
+
+# enable only the following on debugging purpose
+#use warnings;
+#use CGI::Carp 'fatalsToBrowser';
+
+require '/var/ipfire/general-functions.pl';
+require "${General::swroot}/lang.pl";
+require "${General::swroot}/header.pl";
+
+require "${General::swroot}/countries.pl";
+
+#workaround to suppress a warning when a variable is used only once
+my @dummy = ( ${Header::colourgreen} );
+undef (@dummy);
+
+###
+### Initialize variables
+###
+my $sleepDelay = '4s'; # after a call to ipsecctrl S or R, wait this delay (seconds) before reading status
+ # (let the ipsec do its job)
+my %netsettings=();
+my %cgiparams=();
+my %vpnsettings=();
+my %checked=();
+my %confighash=();
+my %cahash=();
+my %selected=();
+my $warnmessage = '';
+my $errormessage = '';
+&General::readhash("${General::swroot}/ethernet/settings", \%netsettings);
+$cgiparams{'ENABLED'} = 'off';
+$cgiparams{'ENABLED_BLUE'} = 'off';
+$cgiparams{'EDIT_ADVANCED'} = 'off';
+$cgiparams{'NAT'} = 'off';
+$cgiparams{'COMPRESSION'} = 'off';
+$cgiparams{'ONLY_PROPOSED'} = 'off';
+$cgiparams{'ACTION'} = '';
+$cgiparams{'CA_NAME'} = '';
+$cgiparams{'DBG_CRYPT'} = '';
+$cgiparams{'DBG_PARSING'} = '';
+$cgiparams{'DBG_EMITTING'} = '';
+$cgiparams{'DBG_CONTROL'} = '';
+$cgiparams{'DBG_KLIPS'} = '';
+$cgiparams{'DBG_DNS'} = '';
+$cgiparams{'DBG_NAT_T'} = '';
+
+&Header::getcgihash(\%cgiparams, {'wantfile' => 1, 'filevar' => 'FH'});
+
+###
+### Useful functions
+###
+sub valid_dns_host {
+ my $hostname = $_[0];
+ unless ($hostname) { return "No hostname"};
+ my $res = new Net::DNS::Resolver;
+ my $query = $res->search("$hostname");
+ if ($query) {
+ foreach my $rr ($query->answer) {
+ ## Potential bug - we are only looking at A records:
+ return 0 if $rr->type eq "A";
+ }
+ } else {
+ return $res->errorstring;
+ }
+}
+
+#
+# old version: maintain serial number to one, without explication.
+# this : let the counter go, so that each cert is numbered.
+#
+sub cleanssldatabase
+{
+ if (open(FILE, ">${General::swroot}/certs/serial")) {
+ print FILE "01";
+ close FILE;
+ }
+ if (open(FILE, ">${General::swroot}/certs/index.txt")) {
+ print FILE "";
+ close FILE;
+ }
+ unlink ("${General::swroot}/certs/index.txt.old");
+ unlink ("${General::swroot}/certs/serial.old");
+ unlink ("${General::swroot}/certs/01.pem");
+}
+sub newcleanssldatabase
+{
+ if (! -s "${General::swroot}/certs/serial" ) {
+ open(FILE, ">${General::swroot}/certs/serial");
+ print FILE "01";
+ close FILE;
+ }
+ if (! -s ">${General::swroot}/certs/index.txt") {
+ system ("touch ${General::swroot}/certs/index.txt");
+ }
+ unlink ("${General::swroot}/certs/index.txt.old");
+ unlink ("${General::swroot}/certs/serial.old");
+# unlink ("${General::swroot}/certs/01.pem"); numbering evolves. Wrong place to delete
+}
+
+sub writeipsecfiles {
+ my %lconfighash = ();
+ my %lvpnsettings = ();
+ &General::readhasharray("${General::swroot}/vpn/config", \%lconfighash);
+ &General::readhash("${General::swroot}/vpn/settings", \%lvpnsettings);
+
+ open(CONF, ">${General::swroot}/vpn/ipsec.conf") or die "Unable to open ${General::swroot}/vpn/ipsec.conf: $!";
+ open(SECRETS, ">${General::swroot}/vpn/ipsec.secrets") or die "Unable to open ${General::swroot}/vpn/ipsec.secrets: $!";
+ flock CONF, 2;
+ flock SECRETS, 2;
+ print CONF "config setup\n";
+ if ($lvpnsettings{'ENABLED_BLUE'} eq 'on')
+ {
+ if ($lvpnsettings{'ENABLED'} eq 'on')
+ {
+ print CONF "\tinterfaces=\"%defaultroute ipsec1=$netsettings{'BLUE_DEV'}\"\n";
+ } else {
+ print CONF "\tinterfaces=ipsec0=$netsettings{'BLUE_DEV'}\n";
+ }
+ } else {
+ print CONF "\tinterfaces=%defaultroute\n";
+ }
+
+ my $plutodebug = ''; # build debug list
+ map ($plutodebug .= $lvpnsettings{$_} eq 'on' ? lc (substr($_,4)).' ' : '',
+ ('DBG_CRYPT','DBG_PARSING','DBG_EMITTING','DBG_CONTROL',
+ 'DBG_KLIPS','DBG_DNS','DBG_NAT_T'));
+ $plutodebug = 'none' if $plutodebug eq ''; # if nothing selected, use 'none'.
+ print CONF "\tklipsdebug=none\n";
+ print CONF "\tplutodebug=\"$plutodebug\"\n";
+ print CONF "\tplutoload=%search\n";
+ print CONF "\tplutostart=%search\n";
+ print CONF "\tuniqueids=yes\n";
+ print CONF "\tnat_traversal=yes\n";
+ print CONF "\toverridemtu=$lvpnsettings{'VPN_OVERRIDE_MTU'}\n" if ($lvpnsettings{'VPN_OVERRIDE_MTU'} ne '');
+ print CONF "\tvirtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16";
+ print CONF ",%v4:!$netsettings{'GREEN_NETADDRESS'}/$netsettings{'GREEN_NETMASK'}";
+ if (length($netsettings{'ORANGE_DEV'}) > 2) {
+ print CONF ",%v4:!$netsettings{'ORANGE_NETADDRESS'}/$netsettings{'ORANGE_NETMASK'}";
+ }
+ if (length($netsettings{'BLUE_DEV'}) > 2) {
+ print CONF ",%v4:!$netsettings{'BLUE_NETADDRESS'}/$netsettings{'BLUE_NETMASK'}";
+ }
+ foreach my $key (keys %lconfighash) {
+ if ($lconfighash{$key}[3] eq 'net') {
+ print CONF ",%v4:!$lconfighash{$key}[11]";
+ }
+ }
+ print CONF "\n\n";
+ print CONF "conn %default\n";
+ print CONF "\tkeyingtries=0\n";
+ print CONF "\tdisablearrivalcheck=no\n";
+ print CONF "\n";
+
+ if (-f "${General::swroot}/certs/hostkey.pem") {
+ print SECRETS ": RSA ${General::swroot}/certs/hostkey.pem\n"
+ }
+
+ foreach my $key (keys %lconfighash) {
+ if ($lconfighash{$key}[0] eq 'on') {
+ if ($lconfighash{$key}[10] eq '') { $lconfighash{$key}[10] = '%any'; }
+
+ print CONF "conn $lconfighash{$key}[1]\n";
+ #always choose LEFT localside for roadwarrior
+ if ($lconfighash{$key}[3] eq 'host' || $lconfighash{$key}[6] eq 'left') {
+ if ($lconfighash{$key}[26] eq 'BLUE')
+ {
+ print CONF "\tleft=$netsettings{'BLUE_ADDRESS'}\n";
+# print CONF "\tleftnexthop=$netsettings{'BLUE_NETADDRESS'}\n";
+ }
+ elsif ($lconfighash{$key}[26] eq 'ORANGE')
+ {
+ print CONF "\tleft=$netsettings{'ORANGE_ADDRESS'}\n";
+ }
+ elsif ($lconfighash{$key}[26] eq 'GREEN')
+ {
+ print CONF "\tleft=$netsettings{'GREEN_ADDRESS'}\n";
+ }
+ elsif ($lconfighash{$key}[26] eq 'RED')
+ {
+ print CONF "\tleft=$lvpnsettings{'VPN_IP'}\n";
+ print CONF "\tleftnexthop=%defaultroute\n" if ($lvpnsettings{'VPN_IP'} ne '%defaultroute');
+ }
+ print CONF "\tleftsubnet=$lconfighash{$key}[8]\n";
+ print CONF "\tright=$lconfighash{$key}[10]\n";
+ if ($lconfighash{$key}[3] eq 'net') {
+ print CONF "\trightsubnet=$lconfighash{$key}[11]\n";
+ print CONF "\trightnexthop=%defaultroute\n";
+ } elsif ($lconfighash{$key}[10] eq '%any' && $lconfighash{$key}[14] eq 'on') {
+ print CONF "\trightsubnet=vhost:%no,%priv\n";
+ }
+ if ($lconfighash{$key}[4] eq 'cert') {
+ print CONF "\tleftcert=${General::swroot}/certs/hostcert.pem\n";
+ print CONF "\trightcert=${General::swroot}/certs/$lconfighash{$key}[1]cert.pem\n";
+ }
+ } else {
+ print CONF "\tright=$lvpnsettings{'VPN_IP'}\n";
+ print CONF "\trightsubnet=$lconfighash{$key}[8]\n";
+ print CONF "\trightnexthop=%defaultroute\n" if ($lvpnsettings{'VPN_IP'} ne '%defaultroute');
+ print CONF "\tleft=$lconfighash{$key}[10]\n";
+ if ($lconfighash{$key}[3] eq 'net') {
+ print CONF "\tleftsubnet=$lconfighash{$key}[11]\n";
+ print CONF "\tleftnexthop=%defaultroute\n";
+ }
+ if ($lconfighash{$key}[4] eq 'cert') {
+ print CONF "\trightcert=${General::swroot}/certs/hostcert.pem\n";
+ print CONF "\tleftcert=${General::swroot}/certs/$lconfighash{$key}[1]cert.pem\n";
+ }
+ }
+ print CONF "\tleftid=$lconfighash{$key}[7]\n" if ($lconfighash{$key}[7]);
+ print CONF "\trightid=$lconfighash{$key}[9]\n" if ($lconfighash{$key}[9]);
+
+ # Algorithms
+ if ($lconfighash{$key}[18] && $lconfighash{$key}[19] && $lconfighash{$key}[20]) {
+ print CONF "\tike=";
+ my @encs = split('\|', $lconfighash{$key}[18]);
+ my @ints = split('\|', $lconfighash{$key}[19]);
+ my @groups = split('\|', $lconfighash{$key}[20]);
+ my $comma = 0;
+ foreach my $i (@encs) {
+ foreach my $j (@ints) {
+ foreach my $k (@groups) {
+ if ($comma != 0) { print CONF ","; } else { $comma = 1; }
+ print CONF "$i-$j-modp$k";
+ }
+ }
+ }
+ if ($lconfighash{$key}[24] eq 'on') {
+ print CONF "!\n";
+ } else {
+ print CONF "\n";
+ }
+ }
+ if ($lconfighash{$key}[21] && $lconfighash{$key}[22]) {
+ print CONF "\tesp=";
+ my @encs = split('\|', $lconfighash{$key}[21]);
+ my @ints = split('\|', $lconfighash{$key}[22]);
+ my $comma = 0;
+ foreach my $i (@encs) {
+ foreach my $j (@ints) {
+ if ($comma != 0) { print CONF ","; } else { $comma = 1; }
+ print CONF "$i-$j";
+ }
+ }
+ if ($lconfighash{$key}[24] eq 'on') {
+ print CONF "!\n";
+ } else {
+ print CONF "\n";
+ }
+ }
+ if ($lconfighash{$key}[23]) {
+ print CONF "\tpfsgroup=$lconfighash{$key}[23]\n";
+ }
+
+ # Lifetimes
+ if ($lconfighash{$key}[16]) {
+ print CONF "\tikelifetime=$lconfighash{$key}[16]h\n";
+ }
+ if ($lconfighash{$key}[17]) {
+ print CONF "\tkeylife=$lconfighash{$key}[17]h\n";
+ }
+
+ # Compression
+ if ($lconfighash{$key}[13] eq 'on') {
+ print CONF "\tcompress=yes\n";
+ }
+
+ # Dead Peer Detection
+ print CONF "\tdpddelay=30\n";
+ print CONF "\tdpdtimeout=120\n";
+ print CONF "\tdpdaction=$lconfighash{$key}[27]\n";
+
+ # Disable pfs ?
+ print CONF "\tpfs=$lconfighash{$key}[28]\n";
+
+ # Print Authentication details
+ if ($lconfighash{$key}[4] eq 'psk') {
+ if ($lconfighash{$key}[6] eq 'left'){
+ if ($lconfighash{$key}[26] eq 'BLUE') {
+ print SECRETS ($lconfighash{$key}[7] ? $lconfighash{$key}[7] : $netsettings{'BLUE_ADDRESS'}) . " ";
+ print SECRETS $lconfighash{$key}[9] ? $lconfighash{$key}[9] : $lconfighash{$key}[10];
+ print SECRETS " : PSK \"$lconfighash{$key}[5]\"\n";
+ } else {
+ print SECRETS ($lconfighash{$key}[7] ? $lconfighash{$key}[7] : $lvpnsettings{'VPN_IP'}) . " ";
+ print SECRETS $lconfighash{$key}[9] ? $lconfighash{$key}[9] : $lconfighash{$key}[10];
+ print SECRETS " : PSK \"$lconfighash{$key}[5]\"\n";
+ }
+ } else {
+ if ($lconfighash{$key}[26] eq 'BLUE') {
+ print SECRETS ($lconfighash{$key}[9] ? $lconfighash{$key}[9] : $netsettings{'BLUE_ADDRESS'}) . " ";
+ print SECRETS $lconfighash{$key}[7] ? $lconfighash{$key}[7] : $lconfighash{$key}[10];
+ print SECRETS " : PSK \"$lconfighash{$key}[5]\"\n";
+ } else {
+ print SECRETS ($lconfighash{$key}[9] ? $lconfighash{$key}[9] : $lvpnsettings{'VPN_IP'}) . " ";
+ print SECRETS $lconfighash{$key}[7] ? $lconfighash{$key}[7] : $lconfighash{$key}[10];
+ print SECRETS " : PSK \"$lconfighash{$key}[5]\"\n";
+ }
+ }
+
+ print CONF "\tauthby=secret\n";
+ } else {
+ print CONF "\tauthby=rsasig\n";
+ }
+
+ # Automatically start only if a net-to-net connection
+ if ($lconfighash{$key}[3] eq 'host') {
+ print CONF "\tauto=add\n";
+ } else {
+ print CONF "\tauto=start\n";
+ }
+ print CONF "\n";
+ }#on
+ }#foreach key
+
+ close(CONF);
+ close(SECRETS);
+}
+
+###
+### Save main settings
+###
+if ($cgiparams{'ACTION'} eq $Lang::tr{'save'} && $cgiparams{'TYPE'} eq '' && $cgiparams{'KEY'} eq '') {
+ &General::readhash("${General::swroot}/vpn/settings", \%vpnsettings);
+ unless (&General::validfqdn($cgiparams{'VPN_IP'}) || &General::validip($cgiparams{'VPN_IP'})
+ || $cgiparams{'VPN_IP'} eq '%defaultroute' ) {
+ $errormessage = $Lang::tr{'invalid input for hostname'};
+ goto SAVE_ERROR;
+ }
+
+ unless ($cgiparams{'VPN_DELAYED_START'} =~ /^[0-9]{1,3}$/ ) { #allow 0-999 seconds !
+ $errormessage = $Lang::tr{'invalid time period'};
+ goto SAVE_ERROR;
+ }
+
+ unless ($cgiparams{'VPN_OVERRIDE_MTU'} =~ /^(|[0-9]{1,5})$/ ) { #allow 0-99999
+ $errormessage = $Lang::tr{'vpn mtu invalid'};
+ goto SAVE_ERROR;
+ }
+
+ map ($vpnsettings{$_} = $cgiparams{$_},
+ ('ENABLED','ENABLED_BLUE','DBG_CRYPT','DBG_PARSING','DBG_EMITTING','DBG_CONTROL',
+ 'DBG_KLIPS','DBG_DNS','DBG_NAT_T'));
+
+ $vpnsettings{'VPN_IP'} = $cgiparams{'VPN_IP'};
+ $vpnsettings{'VPN_DELAYED_START'} = $cgiparams{'VPN_DELAYED_START'};
+ $vpnsettings{'VPN_OVERRIDE_MTU'} = $cgiparams{'VPN_OVERRIDE_MTU'};
+ &General::writehash("${General::swroot}/vpn/settings", \%vpnsettings);
+ &writeipsecfiles();
+ if ($vpnsettings{'ENABLED'} eq 'on' ||
+ $vpnsettings{'ENABLED_BLUE'} eq 'on') {
+ system('/usr/local/bin/ipsecctrl', 'S');
+ } else {
+ system('/usr/local/bin/ipsecctrl', 'D');
+ }
+ sleep $sleepDelay;
+ SAVE_ERROR:
+###
+### Reset all step 2
+###
+} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'reset'} && $cgiparams{'AREUSURE'} eq 'yes') {
+ my $file = '';
+ &General::readhasharray("${General::swroot}/vpn/config", \%confighash);
+
+ foreach my $key (keys %confighash) {
+ if ($confighash{$key}[4] eq 'cert') {
+ delete $confighash{$key};
+ }
+ }
+ while ($file = glob("${General::swroot}/{ca,certs,crls,private}/*")) {
+ unlink $file
+ }
+ &cleanssldatabase();
+ if (open(FILE, ">${General::swroot}/vpn/caconfig")) {
+ print FILE "";
+ close FILE;
+ }
+ &General::writehasharray("${General::swroot}/vpn/config", \%confighash);
+ &writeipsecfiles();
+ system('/usr/local/bin/ipsecctrl', 'R');
+ sleep $sleepDelay;
+
+###
+### Reset all step 1
+###
+} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'reset'}) {
+ &Header::showhttpheaders();
+ &Header::openpage($Lang::tr{'vpn configuration main'}, 1, '');
+ &Header::openbigbox('100%', 'LEFT', '', '');
+ &Header::openbox('100%', 'LEFT', $Lang::tr{'are you sure'});
+ print <<END
+ <table><form method='post'><input type='hidden' name='AREUSURE' value='yes' />
+ <tr><td align='center'>
+ <b><font color='${Header::colourred}'>$Lang::tr{'capswarning'}</font></b>:
+ $Lang::tr{'resetting the vpn configuration will remove the root ca, the host certificate and all certificate based connections'}
+ <tr><td align='center'><input type='submit' name='ACTION' value='$Lang::tr{'reset'}' />
+ <input type='submit' name='ACTION' value='$Lang::tr{'cancel'}' /></td></tr>
+ </form></table>
+END
+ ;
+ &Header::closebox();
+ &Header::closebigbox();
+ &Header::closepage();
+ exit (0);
+
+###
+### Upload CA Certificate
+###
+} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'upload ca certificate'}) {
+ &General::readhasharray("${General::swroot}/vpn/caconfig", \%cahash);
+
+ if ($cgiparams{'CA_NAME'} !~ /^[a-zA-Z0-9]+$/) {
+ $errormessage = $Lang::tr{'name must only contain characters'};
+ goto UPLOADCA_ERROR;
+ }
+
+ if (length($cgiparams{'CA_NAME'}) >60) {
+ $errormessage = $Lang::tr{'name too long'};
+ goto VPNCONF_ERROR;
+ }
+
+ if ($cgiparams{'CA_NAME'} eq 'ca') {
+ $errormessage = $Lang::tr{'name is invalid'};
+ goto UPLOAD_CA_ERROR;
+ }
+
+ # Check if there is no other entry with this name
+ foreach my $key (keys %cahash) {
+ if ($cahash{$key}[0] eq $cgiparams{'CA_NAME'}) {
+ $errormessage = $Lang::tr{'a ca certificate with this name already exists'};
+ goto UPLOADCA_ERROR;
+ }
+ }
+
+ if (ref ($cgiparams{'FH'}) ne 'Fh') {
+ $errormessage = $Lang::tr{'there was no file upload'};
+ goto UPLOADCA_ERROR;
+ }
+ # Move uploaded ca to a temporary file
+ (my $fh, my $filename) = tempfile( );
+ if (copy ($cgiparams{'FH'}, $fh) != 1) {
+ $errormessage = $!;
+ goto UPLOADCA_ERROR;
+ }
+ my $temp = `/usr/bin/openssl x509 -text -in $filename`;
+ if ($temp !~ /CA:TRUE/i) {
+ $errormessage = $Lang::tr{'not a valid ca certificate'};
+ unlink ($filename);
+ goto UPLOADCA_ERROR;
+ } else {
+ move($filename, "${General::swroot}/ca/$cgiparams{'CA_NAME'}cert.pem");
+ if ($? ne 0) {
+ $errormessage = "$Lang::tr{'certificate file move failed'}: $!";
+ unlink ($filename);
+ goto UPLOADCA_ERROR;
+ }
+ }
+
+ my $casubject = `/usr/bin/openssl x509 -text -in ${General::swroot}/ca/$cgiparams{'CA_NAME'}cert.pem`;
+ $casubject =~ /Subject: (.*)[\n]/;
+ $casubject = $1;
+ $casubject =~ s+/Email+, E+;
+ $casubject =~ s/ ST=/ S=/;
+ $casubject = &Header::cleanhtml($casubject);
+
+ my $key = &General::findhasharraykey (\%cahash);
+ $cahash{$key}[0] = $cgiparams{'CA_NAME'};
+ $cahash{$key}[1] = $casubject;
+ &General::writehasharray("${General::swroot}/vpn/caconfig", \%cahash);
+ system('/usr/local/bin/ipsecctrl', 'R');
+ sleep $sleepDelay;
+
+ UPLOADCA_ERROR:
+
+###
+### Display ca certificate
+###
+} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'show ca certificate'}) {
+ &General::readhasharray("${General::swroot}/vpn/caconfig", \%cahash);
+
+ if ( -f "${General::swroot}/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem") {
+ &Header::showhttpheaders();
+ &Header::openpage($Lang::tr{'vpn configuration main'}, 1, '');
+ &Header::openbigbox('100%', 'LEFT', '', '');
+ &Header::openbox('100%', 'LEFT', "$Lang::tr{'ca certificate'}:");
+ my $output = `/usr/bin/openssl x509 -text -in ${General::swroot}/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem`;
+ $output = &Header::cleanhtml($output,"y");
+ print "<pre>$output</pre>\n";
+ &Header::closebox();
+ print "<div align='center'><a href='/cgi-bin/vpnmain.cgi'>$Lang::tr{'back'}</a></div>";
+ &Header::closebigbox();
+ &Header::closepage();
+ exit(0);
+ } else {
+ $errormessage = $Lang::tr{'invalid key'};
+ }
+
+###
+### Download ca certificate
+###
+} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'download ca certificate'}) {
+ &General::readhasharray("${General::swroot}/vpn/caconfig", \%cahash);
+
+ if ( -f "${General::swroot}/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem" ) {
+ print "Content-Type: application/octet-stream\r\n";
+ print "Content-Disposition: filename=$cahash{$cgiparams{'KEY'}}[0]cert.pem\r\n\r\n";
+ print `/usr/bin/openssl x509 -in ${General::swroot}/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem`;
+ exit(0);
+ } else {
+ $errormessage = $Lang::tr{'invalid key'};
+ }
+
+###
+### Remove ca certificate (step 2)
+###
+} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'remove ca certificate'} && $cgiparams{'AREUSURE'} eq 'yes') {
+ &General::readhasharray("${General::swroot}/vpn/config", \%confighash);
+ &General::readhasharray("${General::swroot}/vpn/caconfig", \%cahash);
+
+ if ( -f "${General::swroot}/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem" ) {
+ foreach my $key (keys %confighash) {
+ my $test = `/usr/bin/openssl verify -CAfile ${General::swroot}/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem ${General::swroot}/certs/$confighash{$key}[1]cert.pem`;
+ if ($test =~ /: OK/) {
+ # Delete connection
+ if ($vpnsettings{'ENABLED'} eq 'on' ||
+ $vpnsettings{'ENABLED_BLUE'} eq 'on') {
+ system('/usr/local/bin/ipsecctrl', 'D', $key);
+ }
+ unlink ("${General::swroot}/certs/$confighash{$key}[1]cert.pem");
+ unlink ("${General::swroot}/certs/$confighash{$key}[1].p12");
+ delete $confighash{$key};
+ &General::writehasharray("${General::swroot}/vpn/config", \%confighash);
+ &writeipsecfiles();
+ }
+ }
+ unlink ("${General::swroot}/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem");
+ delete $cahash{$cgiparams{'KEY'}};
+ &General::writehasharray("${General::swroot}/vpn/caconfig", \%cahash);
+ system('/usr/local/bin/ipsecctrl', 'R');
+ sleep $sleepDelay;
+ } else {
+ $errormessage = $Lang::tr{'invalid key'};
+ }
+###
+### Remove ca certificate (step 1)
+###
+} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'remove ca certificate'}) {
+ &General::readhasharray("${General::swroot}/vpn/config", \%confighash);
+ &General::readhasharray("${General::swroot}/vpn/caconfig", \%cahash);
+
+ my $assignedcerts = 0;
+ if ( -f "${General::swroot}/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem" ) {
+ foreach my $key (keys %confighash) {
+ my $test = `/usr/bin/openssl verify -CAfile ${General::swroot}/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem ${General::swroot}/certs/$confighash{$key}[1]cert.pem`;
+ if ($test =~ /: OK/) {
+ $assignedcerts++;
+ }
+ }
+ if ($assignedcerts) {
+ &Header::showhttpheaders();
+ &Header::openpage($Lang::tr{'vpn configuration main'}, 1, '');
+ &Header::openbigbox('100%', 'LEFT', '', '');
+ &Header::openbox('100%', 'LEFT', $Lang::tr{'are you sure'});
+ print <<END
+ <table><form method='post'><input type='hidden' name='AREUSURE' value='yes' />
+ <input type='hidden' name='KEY' value='$cgiparams{'KEY'}' />
+ <tr><td align='center'>
+ <b><font color='${Header::colourred}'>$Lang::tr{'capswarning'}</font></b>: $assignedcerts
+ $Lang::tr{'connections are associated with this ca. deleting the ca will delete these connections as well.'}
+ <tr><td align='center'><input type='submit' name='ACTION' value='$Lang::tr{'remove ca certificate'}' />
+ <input type='submit' name='ACTION' value='$Lang::tr{'cancel'}' /></td></tr>
+ </form></table>
+END
+ ;
+ &Header::closebox();
+ &Header::closebigbox();
+ &Header::closepage();
+ exit (0);
+ } else {
+ unlink ("${General::swroot}/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem");
+ delete $cahash{$cgiparams{'KEY'}};
+ &General::writehasharray("${General::swroot}/vpn/caconfig", \%cahash);
+ system('/usr/local/bin/ipsecctrl', 'R');
+ sleep $sleepDelay;
+ }
+ } else {
+ $errormessage = $Lang::tr{'invalid key'};
+ }
+
+###
+### Display root certificate
+###
+} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'show root certificate'} ||
+ $cgiparams{'ACTION'} eq $Lang::tr{'show host certificate'}) {
+ my $output;
+ &Header::showhttpheaders();
+ &Header::openpage($Lang::tr{'vpn configuration main'}, 1, '');
+ &Header::openbigbox('100%', 'LEFT', '', '');
+ if ($cgiparams{'ACTION'} eq $Lang::tr{'show root certificate'}) {
+ &Header::openbox('100%', 'LEFT', "$Lang::tr{'root certificate'}:");
+ $output = `/usr/bin/openssl x509 -text -in ${General::swroot}/ca/cacert.pem`;
+ } else {
+ &Header::openbox('100%', 'LEFT', "$Lang::tr{'host certificate'}:");
+ $output = `/usr/bin/openssl x509 -text -in ${General::swroot}/certs/hostcert.pem`;
+ }
+ $output = &Header::cleanhtml($output,"y");
+ print "<pre>$output</pre>\n";
+ &Header::closebox();
+ print "<div align='center'><a href='/cgi-bin/vpnmain.cgi'>$Lang::tr{'back'}</a></div>";
+ &Header::closebigbox();
+ &Header::closepage();
+ exit(0);
+
+###
+### Download root certificate
+###
+} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'download root certificate'}) {
+ if ( -f "${General::swroot}/ca/cacert.pem" ) {
+ print "Content-Type: application/octet-stream\r\n";
+ print "Content-Disposition: filename=cacert.pem\r\n\r\n";
+ print `/usr/bin/openssl x509 -in ${General::swroot}/ca/cacert.pem`;
+ exit(0);
+ }
+###
+### Download host certificate
+###
+} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'download host certificate'}) {
+ if ( -f "${General::swroot}/certs/hostcert.pem" ) {
+ print "Content-Type: application/octet-stream\r\n";
+ print "Content-Disposition: filename=hostcert.pem\r\n\r\n";
+ print `/usr/bin/openssl x509 -in ${General::swroot}/certs/hostcert.pem`;
+ exit(0);
+ }
+###
+### Form for generating a root certificate
+###
+} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'generate root/host certificates'} ||
+ $cgiparams{'ACTION'} eq $Lang::tr{'upload p12 file'}) {
+
+ &General::readhash("${General::swroot}/vpn/settings", \%vpnsettings);
+ if (-f "${General::swroot}/ca/cacert.pem") {
+ $errormessage = $Lang::tr{'valid root certificate already exists'};
+ $cgiparams{'ACTION'} = '';
+ goto ROOTCERT_ERROR;
+ }
+
+ if (($cgiparams{'ROOTCERT_HOSTNAME'} eq '') && -e "${General::swroot}/red/active") {
+ if (open(IPADDR, "${General::swroot}/red/local-ipaddress")) {
+ my $ipaddr = <IPADDR>;
+ close IPADDR;
+ chomp ($ipaddr);
+ $cgiparams{'ROOTCERT_HOSTNAME'} = (gethostbyaddr(pack("C4", split(/\./, $ipaddr)), 2))[0];
+ if ($cgiparams{'ROOTCERT_HOSTNAME'} eq '') {
+ $cgiparams{'ROOTCERT_HOSTNAME'} = $ipaddr;
+ }
+ }
+ } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'upload p12 file'}) {
+
+ if (ref ($cgiparams{'FH'}) ne 'Fh') {
+ $errormessage = $Lang::tr{'there was no file upload'};
+ goto ROOTCERT_ERROR;
+ }
+
+ # Move uploaded certificate request to a temporary file
+ (my $fh, my $filename) = tempfile( );
+ if (copy ($cgiparams{'FH'}, $fh) != 1) {
+ $errormessage = $!;
+ goto ROOTCERT_ERROR;
+ }
+
+ # Create a temporary dirctory
+ my $tempdir = tempdir( CLEANUP => 1 );
+
+ # Extract the CA certificate from the file
+ my $pid = open(OPENSSL, "|-");
+ $SIG{ALRM} = sub { $errormessage = $Lang::tr{'broken pipe'}; goto ROOTCERT_ERROR;};
+ if ($pid) { # parent
+ if ($cgiparams{'P12_PASS'} ne '') {
+ print OPENSSL "$cgiparams{'P12_PASS'}\n";
+ }
+ close (OPENSSL);
+ if ($?) {
+ $errormessage = "$Lang::tr{'openssl produced an error'}: $?";
+ unlink ($filename);
+ goto ROOTCERT_ERROR;
+ }
+ } else { # child
+ unless (exec ('/usr/bin/openssl', 'pkcs12', '-cacerts', '-nokeys',
+ '-in', $filename,
+ '-out', "$tempdir/cacert.pem")) {
+ $errormessage = "$Lang::tr{'cant start openssl'}: $!";
+ unlink ($filename);
+ goto ROOTCERT_ERROR;
+ }
+ }
+
+ # Extract the Host certificate from the file
+ $pid = open(OPENSSL, "|-");
+ $SIG{ALRM} = sub { $errormessage = $Lang::tr{'broken pipe'}; goto ROOTCERT_ERROR;};
+ if ($pid) { # parent
+ if ($cgiparams{'P12_PASS'} ne '') {
+ print OPENSSL "$cgiparams{'P12_PASS'}\n";
+ }
+ close (OPENSSL);
+ if ($?) {
+ $errormessage = "$Lang::tr{'openssl produced an error'}: $?";
+ unlink ($filename);
+ goto ROOTCERT_ERROR;
+ }
+ } else { # child
+ unless (exec ('/usr/bin/openssl', 'pkcs12', '-clcerts', '-nokeys',
+ '-in', $filename,
+ '-out', "$tempdir/hostcert.pem")) {
+ $errormessage = "$Lang::tr{'cant start openssl'}: $!";
+ unlink ($filename);
+ goto ROOTCERT_ERROR;
+ }
+ }
+
+ # Extract the Host key from the file
+ $pid = open(OPENSSL, "|-");
+ $SIG{ALRM} = sub { $errormessage = $Lang::tr{'broken pipe'}; goto ROOTCERT_ERROR;};
+ if ($pid) { # parent
+ if ($cgiparams{'P12_PASS'} ne '') {
+ print OPENSSL "$cgiparams{'P12_PASS'}\n";
+ }
+ close (OPENSSL);
+ if ($?) {
+ $errormessage = "$Lang::tr{'openssl produced an error'}: $?";
+ unlink ($filename);
+ goto ROOTCERT_ERROR;
+ }
+ } else { # child
+ unless (exec ('/usr/bin/openssl', 'pkcs12', '-nocerts',
+ '-nodes',
+ '-in', $filename,
+ '-out', "$tempdir/hostkey.pem")) {
+ $errormessage = "$Lang::tr{'cant start openssl'}: $!";
+ unlink ($filename);
+ goto ROOTCERT_ERROR;
+ }
+ }
+
+ move("$tempdir/cacert.pem", "${General::swroot}/ca/cacert.pem");
+ if ($? ne 0) {
+ $errormessage = "$Lang::tr{'certificate file move failed'}: $!";
+ unlink ($filename);
+ unlink ("${General::swroot}/ca/cacert.pem");
+ unlink ("${General::swroot}/certs/hostcert.pem");
+ unlink ("${General::swroot}/certs/hostkey.pem");
+ goto ROOTCERT_ERROR;
+ }
+
+ move("$tempdir/hostcert.pem", "${General::swroot}/certs/hostcert.pem");
+ if ($? ne 0) {
+ $errormessage = "$Lang::tr{'certificate file move failed'}: $!";
+ unlink ($filename);
+ unlink ("${General::swroot}/ca/cacert.pem");
+ unlink ("${General::swroot}/certs/hostcert.pem");
+ unlink ("${General::swroot}/certs/hostkey.pem");
+ goto ROOTCERT_ERROR;
+ }
+
+ move("$tempdir/hostkey.pem", "${General::swroot}/certs/hostkey.pem");
+ if ($? ne 0) {
+ $errormessage = "$Lang::tr{'certificate file move failed'}: $!";
+ unlink ($filename);
+ unlink ("${General::swroot}/ca/cacert.pem");
+ unlink ("${General::swroot}/certs/hostcert.pem");
+ unlink ("${General::swroot}/certs/hostkey.pem");
+ goto ROOTCERT_ERROR;
+ }
+
+ # Create an empty CRL
+ system('/usr/bin/openssl', 'ca', '-gencrl',
+ '-out', "${General::swroot}/crls/cacrl.pem");
+ if ($?) {
+ $errormessage = "$Lang::tr{'openssl produced an error'}: $?";
+ unlink ("${General::swroot}/certs/hostkey.pem");
+ unlink ("${General::swroot}/certs/hostcert.pem");
+ unlink ("${General::swroot}/ca/cacert.pem");
+ unlink ("${General::swroot}/crls/cacrl.pem");
+ &cleanssldatabase();
+ goto ROOTCERT_ERROR;
+ } else {
+ &cleanssldatabase();
+ }
+
+ goto ROOTCERT_SUCCESS;
+
+ } elsif ($cgiparams{'ROOTCERT_COUNTRY'} ne '') {
+
+ # Validate input since the form was submitted
+ if ($cgiparams{'ROOTCERT_ORGANIZATION'} eq ''){
+ $errormessage = $Lang::tr{'organization cant be empty'};
+ goto ROOTCERT_ERROR;
+ }
+ if (length($cgiparams{'ROOTCERT_ORGANIZATION'}) >60) {
+ $errormessage = $Lang::tr{'organization too long'};
+ goto ROOTCERT_ERROR;
+ }
+ if ($cgiparams{'ROOTCERT_ORGANIZATION'} !~ /^[a-zA-Z0-9 ,\.\-_]*$/) {
+ $errormessage = $Lang::tr{'invalid input for organization'};
+ goto ROOTCERT_ERROR;
+ }
+ if ($cgiparams{'ROOTCERT_HOSTNAME'} eq ''){
+ $errormessage = $Lang::tr{'hostname cant be empty'};
+ goto ROOTCERT_ERROR;
+ }
+ unless (&General::validfqdn($cgiparams{'ROOTCERT_HOSTNAME'}) || &General::validip($cgiparams{'ROOTCERT_HOSTNAME'})) {
+ $errormessage = $Lang::tr{'invalid input for hostname'};
+ goto ROOTCERT_ERROR;
+ }
+ if ($cgiparams{'ROOTCERT_EMAIL'} ne '' && (! &General::validemail($cgiparams{'ROOTCERT_EMAIL'}))) {
+ $errormessage = $Lang::tr{'invalid input for e-mail address'};
+ goto ROOTCERT_ERROR;
+ }
+ if (length($cgiparams{'ROOTCERT_EMAIL'}) > 40) {
+ $errormessage = $Lang::tr{'e-mail address too long'};
+ goto ROOTCERT_ERROR;
+ }
+ if ($cgiparams{'ROOTCERT_OU'} ne '' && $cgiparams{'ROOTCERT_OU'} !~ /^[a-zA-Z0-9 ,\.\-_]*$/) {
+ $errormessage = $Lang::tr{'invalid input for department'};
+ goto ROOTCERT_ERROR;
+ }
+ if ($cgiparams{'ROOTCERT_CITY'} ne '' && $cgiparams{'ROOTCERT_CITY'} !~ /^[a-zA-Z0-9 ,\.\-_]*$/) {
+ $errormessage = $Lang::tr{'invalid input for city'};
+ goto ROOTCERT_ERROR;
+ }
+ if ($cgiparams{'ROOTCERT_STATE'} ne '' && $cgiparams{'ROOTCERT_STATE'} !~ /^[a-zA-Z0-9 ,\.\-_]*$/) {
+ $errormessage = $Lang::tr{'invalid input for state or province'};
+ goto ROOTCERT_ERROR;
+ }
+ if ($cgiparams{'ROOTCERT_COUNTRY'} !~ /^[A-Z]*$/) {
+ $errormessage = $Lang::tr{'invalid input for country'};
+ goto ROOTCERT_ERROR;
+ }
+
+ # Copy the cgisettings to vpnsettings and save the configfile
+ $vpnsettings{'ROOTCERT_ORGANIZATION'} = $cgiparams{'ROOTCERT_ORGANIZATION'};
+ $vpnsettings{'ROOTCERT_HOSTNAME'} = $cgiparams{'ROOTCERT_HOSTNAME'};
+ $vpnsettings{'ROOTCERT_EMAIL'} = $cgiparams{'ROOTCERT_EMAIL'};
+ $vpnsettings{'ROOTCERT_OU'} = $cgiparams{'ROOTCERT_OU'};
+ $vpnsettings{'ROOTCERT_CITY'} = $cgiparams{'ROOTCERT_CITY'};
+ $vpnsettings{'ROOTCERT_STATE'} = $cgiparams{'ROOTCERT_STATE'};
+ $vpnsettings{'ROOTCERT_COUNTRY'} = $cgiparams{'ROOTCERT_COUNTRY'};
+ &General::writehash("${General::swroot}/vpn/settings", \%vpnsettings);
+
+ # Replace empty strings with a .
+ (my $ou = $cgiparams{'ROOTCERT_OU'}) =~ s/^\s*$/\./;
+ (my $city = $cgiparams{'ROOTCERT_CITY'}) =~ s/^\s*$/\./;
+ (my $state = $cgiparams{'ROOTCERT_STATE'}) =~ s/^\s*$/\./;
+
+ # Create the CA certificate
+ my $pid = open(OPENSSL, "|-");
+ $SIG{ALRM} = sub { $errormessage = $Lang::tr{'broken pipe'}; goto ROOTCERT_ERROR;};
+ if ($pid) { # parent
+ print OPENSSL "$cgiparams{'ROOTCERT_COUNTRY'}\n";
+ print OPENSSL "$state\n";
+ print OPENSSL "$city\n";
+ print OPENSSL "$cgiparams{'ROOTCERT_ORGANIZATION'}\n";
+ print OPENSSL "$ou\n";
+ print OPENSSL "$cgiparams{'ROOTCERT_ORGANIZATION'} CA\n";
+ print OPENSSL "$cgiparams{'ROOTCERT_EMAIL'}\n";
+ close (OPENSSL);
+ if ($?) {
+ $errormessage = "$Lang::tr{'openssl produced an error'}: $?";
+ unlink ("${General::swroot}/private/cakey.pem");
+ unlink ("${General::swroot}/ca/cacert.pem");
+ goto ROOTCERT_ERROR;
+ }
+ } else { # child
+ unless (exec ('/usr/bin/openssl', 'req', '-x509', '-nodes', '-rand', '/proc/interrupts:/proc/net/rt_cache',
+ '-days', '999999', '-newkey', 'rsa:2048',
+ '-keyout', "${General::swroot}/private/cakey.pem",
+ '-out', "${General::swroot}/ca/cacert.pem")) {
+ $errormessage = "$Lang::tr{'cant start openssl'}: $!";
+ goto ROOTCERT_ERROR;
+ }
+ }
+
+ # Create the Host certificate request
+ $pid = open(OPENSSL, "|-");
+ $SIG{ALRM} = sub { $errormessage = $Lang::tr{'broken pipe'}; goto ROOTCERT_ERROR;};
+ if ($pid) { # parent
+ print OPENSSL "$cgiparams{'ROOTCERT_COUNTRY'}\n";
+ print OPENSSL "$state\n";
+ print OPENSSL "$city\n";
+ print OPENSSL "$cgiparams{'ROOTCERT_ORGANIZATION'}\n";
+ print OPENSSL "$ou\n";
+ print OPENSSL "$cgiparams{'ROOTCERT_HOSTNAME'}\n";
+ print OPENSSL "$cgiparams{'ROOTCERT_EMAIL'}\n";
+ print OPENSSL ".\n";
+ print OPENSSL ".\n";
+ close (OPENSSL);
+ if ($?) {
+ $errormessage = "$Lang::tr{'openssl produced an error'}: $?";
+ unlink ("${General::swroot}/certs/hostkey.pem");
+ unlink ("${General::swroot}/certs/hostreq.pem");
+ goto ROOTCERT_ERROR;
+ }
+ } else { # child
+ unless (exec ('/usr/bin/openssl', 'req', '-nodes', '-rand', '/proc/interrupts:/proc/net/rt_cache',
+ '-newkey', 'rsa:1024',
+ '-keyout', "${General::swroot}/certs/hostkey.pem",
+ '-out', "${General::swroot}/certs/hostreq.pem")) {
+ $errormessage = "$Lang::tr{'cant start openssl'}: $!";
+ unlink ("${General::swroot}/certs/hostkey.pem");
+ unlink ("${General::swroot}/certs/hostreq.pem");
+ unlink ("${General::swroot}/private/cakey.pem");
+ unlink ("${General::swroot}/ca/cacert.pem");
+ goto ROOTCERT_ERROR;
+ }
+ }
+
+ # Sign the host certificate request
+ system('/usr/bin/openssl', 'ca', '-days', '999999',
+ '-batch', '-notext',
+ '-in', "${General::swroot}/certs/hostreq.pem",
+ '-out', "${General::swroot}/certs/hostcert.pem");
+ if ($?) {
+ $errormessage = "$Lang::tr{'openssl produced an error'}: $?";
+ unlink ("${General::swroot}/private/cakey.pem");
+ unlink ("${General::swroot}/ca/cacert.pem");
+ unlink ("${General::swroot}/certs/hostkey.pem");
+ unlink ("${General::swroot}/certs/hostreq.pem");
+ unlink ("${General::swroot}/certs/hostcert.pem");
+ &cleanssldatabase();
+ goto ROOTCERT_ERROR;
+ } else {
+ unlink ("${General::swroot}/certs/hostreq.pem");
+ &cleanssldatabase();
+ }
+
+ # Create an empty CRL
+ system('/usr/bin/openssl', 'ca', '-gencrl',
+ '-out', "${General::swroot}/crls/cacrl.pem");
+ if ($?) {
+ $errormessage = "$Lang::tr{'openssl produced an error'}: $?";
+ unlink ("${General::swroot}/certs/hostkey.pem");
+ unlink ("${General::swroot}/certs/hostcert.pem");
+ unlink ("${General::swroot}/ca/cacert.pem");
+ unlink ("${General::swroot}/crls/cacrl.pem");
+ &cleanssldatabase();
+ goto ROOTCERT_ERROR;
+ } else {
+ &cleanssldatabase();
+ }
+ goto ROOTCERT_SUCCESS;
+ }
+ ROOTCERT_ERROR:
+ if ($cgiparams{'ACTION'} ne '') {
+ &Header::showhttpheaders();
+ &Header::openpage($Lang::tr{'vpn configuration main'}, 1, '');
+ &Header::openbigbox('100%', 'LEFT', '', $errormessage);
+ if ($errormessage) {
+ &Header::openbox('100%', 'LEFT', $Lang::tr{'error messages'});
+ print "<class name='base'>$errormessage";
+ print " </class>";
+ &Header::closebox();
+ }
+ &Header::openbox('100%', 'LEFT', "$Lang::tr{'generate root/host certificates'}:");
+ print <<END
+ <form method='post' enctype='multipart/form-data'>
+ <table width='100%' border='0' cellspacing='1' cellpadding='0'>
+ <tr><td width='30%' class='base'>$Lang::tr{'organization name'}:</td>
+ <td width='35%' class='base' nowrap='nowrap'><input type='text' name='ROOTCERT_ORGANIZATION' value='$cgiparams{'ROOTCERT_ORGANIZATION'}' size='32' /></td>
+ <td width='35%' colspan='2'> </td></tr>
+ <tr><td class='base'>$Lang::tr{'ipfires hostname'}:</td>
+ <td class='base' nowrap='nowrap'><input type='text' name='ROOTCERT_HOSTNAME' value='$cgiparams{'ROOTCERT_HOSTNAME'}' size='32' /></td>
+ <td colspan='2'> </td></tr>
+ <tr><td class='base'>$Lang::tr{'your e-mail'}: <img src='/blob.gif' alt='*' /></td>
+ <td class='base' nowrap='nowrap'><input type='text' name='ROOTCERT_EMAIL' value='$cgiparams{'ROOTCERT_EMAIL'}' size='32' /></td>
+ <td colspan='2'> </td></tr>
+ <tr><td class='base'>$Lang::tr{'your department'}: <img src='/blob.gif' alt='*' /></td>
+ <td class='base' nowrap='nowrap'><input type='text' name='ROOTCERT_OU' value='$cgiparams{'ROOTCERT_OU'}' size='32' /></td>
+ <td colspan='2'> </td></tr>
+ <tr><td class='base'>$Lang::tr{'city'}: <img src='/blob.gif' alt='*' /></td>
+ <td class='base' nowrap='nowrap'><input type='text' name='ROOTCERT_CITY' value='$cgiparams{'ROOTCERT_CITY'}' size='32' /></td>
+ <td colspan='2'> </td></tr>
+ <tr><td class='base'>$Lang::tr{'state or province'}: <img src='/blob.gif' alt='*' /></td>
+ <td class='base' nowrap='nowrap'><input type='text' name='ROOTCERT_STATE' value='$cgiparams{'ROOTCERT_STATE'}' size='32' /></td>
+ <td colspan='2'> </td></tr>
+ <tr><td class='base'>$Lang::tr{'country'}:</td>
+ <td class='base'><select name='ROOTCERT_COUNTRY'>
+END
+ ;
+ foreach my $country (sort keys %{Countries::countries}) {
+ print "<option value='$Countries::countries{$country}'";
+ if ( $Countries::countries{$country} eq $cgiparams{'ROOTCERT_COUNTRY'} ) {
+ print " selected='selected'";
+ }
+ print ">$country</option>";
+ }
+ print <<END
+ </select></td>
+ <td colspan='2'> </td></tr>
+ <tr><td> </td>
+ <td><br /><input type='submit' name='ACTION' value='$Lang::tr{'generate root/host certificates'}' /><br /><br /></td>
+ <td> </td><td> </td></tr>
+ <tr><td class='base' align='left' valign='top'>
+ <img src='/blob.gif' valign='top' alt='*' /> $Lang::tr{'this field may be blank'}</td>
+ <td class='base' align='left'>
+ <b><font color='${Header::colourred}'>$Lang::tr{'capswarning'}</font></b>:
+ $Lang::tr{'generating the root and host certificates may take a long time. it can take up to several minutes on older hardware. please be patient'}
+ </td></tr>
+ <tr><td colspan='4'><hr /></td></tr>
+ <tr><td class='base' nowrap='nowrap'>$Lang::tr{'upload p12 file'}:</td>
+ <td nowrap='nowrap'><input type='file' name='FH' size='32'></td>
+ <td colspan='2'> </td></tr>
+ <tr><td class='base'>$Lang::tr{'pkcs12 file password'}: <img src='/blob.gif' alt='*' /></td>
+ <td class='base' nowrap='nowrap'><input type='password' name='P12_PASS' value='$cgiparams{'P12_PASS'}' size='32' /></td>
+ <td colspan='2'> </td></tr>
+ <tr><td> </td>
+ <td><input type='submit' name='ACTION' value='$Lang::tr{'upload p12 file'}' /></td>
+ <td colspan='2'> </td></tr>
+ <tr><td class='base' colspan='4' align='left'>
+ <img src='/blob.gif' valign='top' alt='*' /> $Lang::tr{'this field may be blank'}</td></tr>
+ </form></table>
+END
+ ;
+ &Header::closebox();
+
+ &Header::closebigbox();
+ &Header::closepage();
+ exit(0)
+ }
+
+ ROOTCERT_SUCCESS:
+ if ($vpnsettings{'ENABLED'} eq 'on' ||
+ $vpnsettings{'ENABLE_BLUE'} eq 'on') {
+ system('/usr/local/bin/ipsecctrl', 'S');
+ sleep $sleepDelay;
+ }
+###
+### Download PKCS12 file
+###
+} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'download pkcs12 file'}) {
+ &General::readhasharray("${General::swroot}/vpn/config", \%confighash);
+
+ print "Content-Disposition: filename=" . $confighash{$cgiparams{'KEY'}}[1] . ".p12\r\n";
+ print "Content-Type: application/octet-stream\r\n\r\n";
+ print `/bin/cat ${General::swroot}/certs/$confighash{$cgiparams{'KEY'}}[1].p12`;
+ exit (0);
+
+###
+### Display certificate
+###
+} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'show certificate'}) {
+ &General::readhasharray("${General::swroot}/vpn/config", \%confighash);
+
+ if ( -f "${General::swroot}/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem") {
+ &Header::showhttpheaders();
+ &Header::openpage($Lang::tr{'vpn configuration main'}, 1, '');
+ &Header::openbigbox('100%', 'LEFT', '', '');
+ &Header::openbox('100%', 'LEFT', "$Lang::tr{'certificate'}:");
+ my $output = `/usr/bin/openssl x509 -text -in ${General::swroot}/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem`;
+ $output = &Header::cleanhtml($output,"y");
+ print "<pre>$output</pre>\n";
+ &Header::closebox();
+ print "<div align='center'><a href='/cgi-bin/vpnmain.cgi'>$Lang::tr{'back'}</a></div>";
+ &Header::closebigbox();
+ &Header::closepage();
+ exit(0);
+ }
+
+###
+### Download Certificate
+###
+} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'download certificate'}) {
+ &General::readhasharray("${General::swroot}/vpn/config", \%confighash);
+
+ if ( -f "${General::swroot}/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem") {
+ print "Content-Disposition: filename=" . $confighash{$cgiparams{'KEY'}}[1] . "cert.pem\r\n";
+ print "Content-Type: application/octet-stream\r\n\r\n";
+ print `/bin/cat ${General::swroot}/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem`;
+ exit (0);
+ }
+
+###
+### Enable/Disable connection
+###
+} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'toggle enable disable'}) {
+
+ &General::readhash("${General::swroot}/vpn/settings", \%vpnsettings);
+ &General::readhasharray("${General::swroot}/vpn/config", \%confighash);
+
+ if ($confighash{$cgiparams{'KEY'}}) {
+ if ($confighash{$cgiparams{'KEY'}}[0] eq 'off') {
+ $confighash{$cgiparams{'KEY'}}[0] = 'on';
+ &General::writehasharray("${General::swroot}/vpn/config", \%confighash);
+ &writeipsecfiles();
+ if ($vpnsettings{'ENABLED'} eq 'on' ||
+ $vpnsettings{'ENABLED_BLUE'} eq 'on') {
+ system('/usr/local/bin/ipsecctrl', 'S', $cgiparams{'KEY'});
+ sleep $sleepDelay;
+ }
+ } else {
+ $confighash{$cgiparams{'KEY'}}[0] = 'off';
+ if ($vpnsettings{'ENABLED'} eq 'on' ||
+ $vpnsettings{'ENABLED_BLUE'} eq 'on') {
+ system('/usr/local/bin/ipsecctrl', 'D', $cgiparams{'KEY'});
+ }
+ &General::writehasharray("${General::swroot}/vpn/config", \%confighash);
+ &writeipsecfiles();
+ }
+ } else {
+ $errormessage = $Lang::tr{'invalid key'};
+ }
+
+###
+### Restart connection
+###
+} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'restart'}) {
+ &General::readhash("${General::swroot}/vpn/settings", \%vpnsettings);
+ &General::readhasharray("${General::swroot}/vpn/config", \%confighash);
+
+ if ($confighash{$cgiparams{'KEY'}}) {
+ if ($vpnsettings{'ENABLED'} eq 'on' ||
+ $vpnsettings{'ENABLED_BLUE'} eq 'on') {
+ system('/usr/local/bin/ipsecctrl', 'S', $cgiparams{'KEY'});
+ sleep $sleepDelay;
+ }
+ } else {
+ $errormessage = $Lang::tr{'invalid key'};
+ }
+
+###
+### Remove connection
+###
+} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'remove'}) {
+ &General::readhash("${General::swroot}/vpn/settings", \%vpnsettings);
+ &General::readhasharray("${General::swroot}/vpn/config", \%confighash);
+
+ if ($confighash{$cgiparams{'KEY'}}) {
+ if ($vpnsettings{'ENABLED'} eq 'on' ||
+ $vpnsettings{'ENABLED_BLUE'} eq 'on') {
+ system('/usr/local/bin/ipsecctrl', 'D', $cgiparams{'KEY'});
+ }
+ unlink ("${General::swroot}/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem");
+ unlink ("${General::swroot}/certs/$confighash{$cgiparams{'KEY'}}[1].p12");
+ delete $confighash{$cgiparams{'KEY'}};
+ &General::writehasharray("${General::swroot}/vpn/config", \%confighash);
+ &writeipsecfiles();
+ } else {
+ $errormessage = $Lang::tr{'invalid key'};
+ }
+
+###
+### Choose between adding a host-net or net-net connection
+###
+} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'add'} && $cgiparams{'TYPE'} eq '') {
+ &General::readhash("${General::swroot}/vpn/settings", \%vpnsettings);
+ &Header::showhttpheaders();
+ &Header::openpage($Lang::tr{'vpn configuration main'}, 1, '');
+ &Header::openbigbox('100%', 'LEFT', '', '');
+ &Header::openbox('100%', 'LEFT', $Lang::tr{'connection type'});
+ print <<END
+ <b>$Lang::tr{'connection type'}:</b><br />
+ <table><form method='post'>
+ <tr><td><input type='radio' name='TYPE' value='host' checked /></td>
+ <td class='base'>$Lang::tr{'host to net vpn'}</td></tr>
+ <tr><td><input type='radio' name='TYPE' value='net' /></td>
+ <td class='base'>$Lang::tr{'net to net vpn'}</td></tr>
+ <tr><td align='center' colspan='2'><input type='submit' name='ACTION' value='$Lang::tr{'add'}' /></td></tr>
+ </form></table>
+END
+ ;
+ &Header::closebox();
+ &Header::closebigbox();
+ &Header::closepage();
+ exit (0);
+###
+### Adding a new connection
+###
+} elsif (($cgiparams{'ACTION'} eq $Lang::tr{'add'}) ||
+ ($cgiparams{'ACTION'} eq $Lang::tr{'edit'}) ||
+ ($cgiparams{'ACTION'} eq $Lang::tr{'save'} && $cgiparams{'ADVANCED'} eq '')) {
+
+ &General::readhash("${General::swroot}/vpn/settings", \%vpnsettings);
+ &General::readhasharray("${General::swroot}/vpn/caconfig", \%cahash);
+ &General::readhasharray("${General::swroot}/vpn/config", \%confighash);
+
+ if ($cgiparams{'ACTION'} eq $Lang::tr{'edit'}) {
+ if (! $confighash{$cgiparams{'KEY'}}[0]) {
+ $errormessage = $Lang::tr{'invalid key'};
+ goto VPNCONF_END;
+ }
+ $cgiparams{'ENABLED'} = $confighash{$cgiparams{'KEY'}}[0];
+ $cgiparams{'NAME'} = $confighash{$cgiparams{'KEY'}}[1];
+ $cgiparams{'TYPE'} = $confighash{$cgiparams{'KEY'}}[3];
+ $cgiparams{'AUTH'} = $confighash{$cgiparams{'KEY'}}[4];
+ $cgiparams{'PSK'} = $confighash{$cgiparams{'KEY'}}[5];
+ $cgiparams{'SIDE'} = $confighash{$cgiparams{'KEY'}}[6];
+ $cgiparams{'LOCAL_ID'} = $confighash{$cgiparams{'KEY'}}[7];
+ $cgiparams{'LOCAL_SUBNET'} = $confighash{$cgiparams{'KEY'}}[8];
+ $cgiparams{'REMOTE_ID'} = $confighash{$cgiparams{'KEY'}}[9];
+ $cgiparams{'REMOTE'} = $confighash{$cgiparams{'KEY'}}[10];
+ $cgiparams{'REMOTE_SUBNET'} = $confighash{$cgiparams{'KEY'}}[11];
+ $cgiparams{'REMARK'} = $confighash{$cgiparams{'KEY'}}[25];
+ $cgiparams{'INTERFACE'} = $confighash{$cgiparams{'KEY'}}[26];
+ $cgiparams{'DPD_ACTION'}= $confighash{$cgiparams{'KEY'}}[27];
+ $cgiparams{'PFS_YES_NO'}= $confighash{$cgiparams{'KEY'}}[28];
+
+ } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'save'}) {
+ $cgiparams{'REMARK'} = &Header::cleanhtml($cgiparams{'REMARK'});
+ if ($cgiparams{'TYPE'} !~ /^(host|net)$/) {
+ $errormessage = $Lang::tr{'connection type is invalid'};
+ goto VPNCONF_ERROR;
+ }
+
+ if ($cgiparams{'NAME'} !~ /^[a-zA-Z0-9]+$/) {
+ $errormessage = $Lang::tr{'name must only contain characters'};
+ goto VPNCONF_ERROR;
+ }
+
+ if ($cgiparams{'NAME'} =~ /^(host|01|block|private|clear|packetdefault)$/) {
+ $errormessage = $Lang::tr{'name is invalid'};
+ goto VPNCONF_ERROR;
+ }
+
+ if (length($cgiparams{'NAME'}) >60) {
+ $errormessage = $Lang::tr{'name too long'};
+ goto VPNCONF_ERROR;
+ }
+
+ if (($cgiparams{'TYPE'} eq 'net') && ($cgiparams{'SIDE'} !~ /^(left|right)$/)) {
+ $errormessage = $Lang::tr{'ipfire side is invalid'};
+ goto VPNCONF_ERROR;
+ }
+
+ # Check if there is no other entry with this name
+ if (! $cgiparams{'KEY'}) {
+ foreach my $key (keys %confighash) {
+ if ($confighash{$key}[1] eq $cgiparams{'NAME'}) {
+ $errormessage = $Lang::tr{'a connection with this name already exists'};
+ goto VPNCONF_ERROR;
+ }
+ }
+ }
+
+ if (($cgiparams{'TYPE'} eq 'net') && (! $cgiparams{'REMOTE'})) {
+ $errormessage = $Lang::tr{'invalid input for remote host/ip'};
+ goto VPNCONF_ERROR;
+ }
+
+ if ($cgiparams{'REMOTE'}) {
+ if (! &General::validip($cgiparams{'REMOTE'})) {
+ if (! &General::validfqdn ($cgiparams{'REMOTE'})) {
+ $errormessage = $Lang::tr{'invalid input for remote host/ip'};
+ goto VPNCONF_ERROR;
+ } else {
+ if (&valid_dns_host($cgiparams{'REMOTE'})) {
+ $warnmessage = "$Lang::tr{'check vpn lr'} $cgiparams{'REMOTE'}. $Lang::tr{'dns check failed'}";
+ }
+ }
+ }
+ }
+
+ unless (&General::validipandmask($cgiparams{'LOCAL_SUBNET'})) {
+ $errormessage = $Lang::tr{'local subnet is invalid'};
+ goto VPNCONF_ERROR;
+ }
+
+ # Check if there is no other entry without IP-address and PSK
+ if ($cgiparams{'REMOTE'} eq '') {
+ foreach my $key (keys %confighash) {
+ if(($cgiparams{'KEY'} ne $key) &&
+ ($confighash{$key}[4] eq 'psk' || $cgiparams{'AUTH'} eq 'psk') &&
+ $confighash{$key}[10] eq '') {
+ $errormessage = $Lang::tr{'you can only define one roadwarrior connection when using pre-shared key authentication'};
+ goto VPNCONF_ERROR;
+ }
+ }
+ }
+ if (($cgiparams{'TYPE'} eq 'net') && (! &General::validipandmask($cgiparams{'REMOTE_SUBNET'}))) {
+ $errormessage = $Lang::tr{'remote subnet is invalid'};
+ goto VPNCONF_ERROR;
+ }
+
+ if ($cgiparams{'ENABLED'} !~ /^(on|off)$/) {
+ $errormessage = $Lang::tr{'invalid input'};
+ goto VPNCONF_ERROR;
+ }
+ if ($cgiparams{'EDIT_ADVANCED'} !~ /^(on|off)$/) {
+ $errormessage = $Lang::tr{'invalid input'};
+ goto VPNCONF_ERROR;
+ }
+
+ if (($cgiparams{'LOCAL_ID'} !~ /^(|@[a-zA-Z0-9_.-]*)$/) ||
+ ($cgiparams{'REMOTE_ID'} !~ /^(|@[a-zA-Z0-9_.-]*)$/) ||
+ (($cgiparams{'REMOTE_ID'} eq $cgiparams{'LOCAL_ID'}) && ($cgiparams{'LOCAL_ID'} ne ''))
+ ) {
+ $errormessage = $Lang::tr{'invalid local-remote id'};
+ goto VPNCONF_ERROR;
+ }
+
+ if ($cgiparams{'AUTH'} eq 'psk') {
+ if (! length($cgiparams{'PSK'}) ) {
+ $errormessage = $Lang::tr{'pre-shared key is too short'};
+ goto VPNCONF_ERROR;
+ }
+ if ($cgiparams{'PSK'} =~ /['",&]/) { # " ' correct coloring syntax editor !
+ $errormessage = $Lang::tr{'invalid characters found in pre-shared key'};
+ goto VPNCONF_ERROR;
+ }
+ } elsif ($cgiparams{'AUTH'} eq 'certreq') {
+ if ($cgiparams{'KEY'}) {
+ $errormessage = $Lang::tr{'cant change certificates'};
+ goto VPNCONF_ERROR;
+ }
+ if (ref ($cgiparams{'FH'}) ne 'Fh') {
+ $errormessage = $Lang::tr{'there was no file upload'};
+ goto VPNCONF_ERROR;
+ }
+
+ # Move uploaded certificate request to a temporary file
+ (my $fh, my $filename) = tempfile( );
+ if (copy ($cgiparams{'FH'}, $fh) != 1) {
+ $errormessage = $!;
+ goto VPNCONF_ERROR;
+ }
+
+ # Sign the certificate request and move it
+ # Sign the host certificate request
+ system('/usr/bin/openssl', 'ca', '-days', '999999',
+ '-batch', '-notext',
+ '-in', $filename,
+ '-out', "${General::swroot}/certs/$cgiparams{'NAME'}cert.pem");
+ if ($?) {
+ $errormessage = "$Lang::tr{'openssl produced an error'}: $?";
+ unlink ($filename);
+ unlink ("${General::swroot}/certs/$cgiparams{'NAME'}cert.pem");
+ &cleanssldatabase();
+ goto VPNCONF_ERROR;
+ } else {
+ unlink ($filename);
+ &cleanssldatabase();
+ }
+
+ my $temp = `/usr/bin/openssl x509 -text -in ${General::swroot}/certs/$cgiparams{'NAME'}cert.pem`;
+ $temp =~ /Subject:.*CN=(.*)[\n]/;
+ $temp = $1;
+ $temp =~ s+/Email+, E+;
+ $temp =~ s/ ST=/ S=/;
+ $cgiparams{'CERT_NAME'} = $temp;
+ $cgiparams{'CERT_NAME'} =~ s/,//g;
+ $cgiparams{'CERT_NAME'} =~ s/\'//g;
+ if ($cgiparams{'CERT_NAME'} eq '') {
+ $errormessage = $Lang::tr{'could not retrieve common name from certificate'};
+ goto VPNCONF_ERROR;
+ }
+ } elsif ($cgiparams{'AUTH'} eq 'certfile') {
+ if ($cgiparams{'KEY'}) {
+ $errormessage = $Lang::tr{'cant change certificates'};
+ goto VPNCONF_ERROR;
+ }
+ if (ref ($cgiparams{'FH'}) ne 'Fh') {
+ $errormessage = $Lang::tr{'there was no file upload'};
+ goto VPNCONF_ERROR;
+ }
+ # Move uploaded certificate to a temporary file
+ (my $fh, my $filename) = tempfile( );
+ if (copy ($cgiparams{'FH'}, $fh) != 1) {
+ $errormessage = $!;
+ goto VPNCONF_ERROR;
+ }
+
+ # Verify the certificate has a valid CA and move it
+ my $validca = 0;
+ my $test = `/usr/bin/openssl verify -CAfile ${General::swroot}/ca/cacert.pem $filename`;
+ if ($test =~ /: OK/) {
+ $validca = 1;
+ } else {
+ foreach my $key (keys %cahash) {
+ $test = `/usr/bin/openssl verify -CAfile ${General::swroot}/ca/$cahash{$key}[0]cert.pem $filename`;
+ if ($test =~ /: OK/) {
+ $validca = 1;
+ }
+ }
+ }
+ if (! $validca) {
+ $errormessage = $Lang::tr{'certificate does not have a valid ca associated with it'};
+ unlink ($filename);
+ goto VPNCONF_ERROR;
+ } else {
+ move($filename, "${General::swroot}/certs/$cgiparams{'NAME'}cert.pem");
+ if ($? ne 0) {
+ $errormessage = "$Lang::tr{'certificate file move failed'}: $!";
+ unlink ($filename);
+ goto VPNCONF_ERROR;
+ }
+ }
+
+ my $temp = `/usr/bin/openssl x509 -text -in ${General::swroot}/certs/$cgiparams{'NAME'}cert.pem`;
+ $temp =~ /Subject:.*CN=(.*)[\n]/;
+ $temp = $1;
+ $temp =~ s+/Email+, E+;
+ $temp =~ s/ ST=/ S=/;
+ $cgiparams{'CERT_NAME'} = $temp;
+ $cgiparams{'CERT_NAME'} =~ s/,//g;
+ $cgiparams{'CERT_NAME'} =~ s/\'//g;
+ if ($cgiparams{'CERT_NAME'} eq '') {
+ unlink ("${General::swroot}/certs/$cgiparams{'NAME'}cert.pem");
+ $errormessage = $Lang::tr{'could not retrieve common name from certificate'};
+ goto VPNCONF_ERROR;
+ }
+ } elsif ($cgiparams{'AUTH'} eq 'certgen') {
+ if ($cgiparams{'KEY'}) {
+ $errormessage = $Lang::tr{'cant change certificates'};
+ goto VPNCONF_ERROR;
+ }
+ # Validate input since the form was submitted
+ if (length($cgiparams{'CERT_NAME'}) >60) {
+ $errormessage = $Lang::tr{'name too long'};
+ goto VPNCONF_ERROR;
+ }
+ if ($cgiparams{'CERT_NAME'} !~ /^[a-zA-Z0-9 ,\.\-_]+$/) {
+ $errormessage = $Lang::tr{'invalid input for name'};
+ goto VPNCONF_ERROR;
+ }
+ if ($cgiparams{'CERT_EMAIL'} ne '' && (! &General::validemail($cgiparams{'CERT_EMAIL'}))) {
+ $errormessage = $Lang::tr{'invalid input for e-mail address'};
+ goto VPNCONF_ERROR;
+ }
+ if (length($cgiparams{'CERT_EMAIL'}) > 40) {
+ $errormessage = $Lang::tr{'e-mail address too long'};
+ goto VPNCONF_ERROR;
+ }
+ if ($cgiparams{'CERT_OU'} ne '' && $cgiparams{'CERT_OU'} !~ /^[a-zA-Z0-9 ,\.\-_]*$/) {
+ $errormessage = $Lang::tr{'invalid input for department'};
+ goto VPNCONF_ERROR;
+ }
+ if (length($cgiparams{'CERT_ORGANIZATION'}) >60) {
+ $errormessage = $Lang::tr{'organization too long'};
+ goto VPNCONF_ERROR;
+ }
+ if ($cgiparams{'CERT_ORGANIZATION'} !~ /^[a-zA-Z0-9 ,\.\-_]+$/) {
+ $errormessage = $Lang::tr{'invalid input for organization'};
+ goto VPNCONF_ERROR;
+ }
+ if ($cgiparams{'CERT_CITY'} ne '' && $cgiparams{'CERT_CITY'} !~ /^[a-zA-Z0-9 ,\.\-_]*$/) {
+ $errormessage = $Lang::tr{'invalid input for city'};
+ goto VPNCONF_ERROR;
+ }
+ if ($cgiparams{'CERT_STATE'} ne '' && $cgiparams{'CERT_STATE'} !~ /^[a-zA-Z0-9 ,\.\-_]*$/) {
+ $errormessage = $Lang::tr{'invalid input for state or province'};
+ goto VPNCONF_ERROR;
+ }
+ if ($cgiparams{'CERT_COUNTRY'} !~ /^[A-Z]*$/) {
+ $errormessage = $Lang::tr{'invalid input for country'};
+ goto VPNCONF_ERROR;
+ }
+ if (length($cgiparams{'CERT_PASS1'}) < 5) {
+ $errormessage = $Lang::tr{'password too short'};
+ goto VPNCONF_ERROR;
+ }
+ if ($cgiparams{'CERT_PASS1'} ne $cgiparams{'CERT_PASS2'}) {
+ $errormessage = $Lang::tr{'passwords do not match'};
+ goto VPNCONF_ERROR;
+ }
+
+ # Replace empty strings with a .
+ (my $ou = $cgiparams{'CERT_OU'}) =~ s/^\s*$/\./;
+ (my $city = $cgiparams{'CERT_CITY'}) =~ s/^\s*$/\./;
+ (my $state = $cgiparams{'CERT_STATE'}) =~ s/^\s*$/\./;
+
+ # Create the Host certificate request
+ my $pid = open(OPENSSL, "|-");
+ $SIG{ALRM} = sub { $errormessage = $Lang::tr{'broken pipe'}; goto VPNCONF_ERROR;};
+ if ($pid) { # parent
+ print OPENSSL "$cgiparams{'CERT_COUNTRY'}\n";
+ print OPENSSL "$state\n";
+ print OPENSSL "$city\n";
+ print OPENSSL "$cgiparams{'CERT_ORGANIZATION'}\n";
+ print OPENSSL "$ou\n";
+ print OPENSSL "$cgiparams{'CERT_NAME'}\n";
+ print OPENSSL "$cgiparams{'CERT_EMAIL'}\n";
+ print OPENSSL ".\n";
+ print OPENSSL ".\n";
+ close (OPENSSL);
+ if ($?) {
+ $errormessage = "$Lang::tr{'openssl produced an error'}: $?";
+ unlink ("${General::swroot}/certs/$cgiparams{'NAME'}key.pem");
+ unlink ("${General::swroot}/certs/$cgiparams{'NAME'}req.pem");
+ goto VPNCONF_ERROR;
+ }
+ } else { # child
+ unless (exec ('/usr/bin/openssl', 'req', '-nodes', '-rand', '/proc/interrupts:/proc/net/rt_cache',
+ '-newkey', 'rsa:1024',
+ '-keyout', "${General::swroot}/certs/$cgiparams{'NAME'}key.pem",
+ '-out', "${General::swroot}/certs/$cgiparams{'NAME'}req.pem")) {
+ $errormessage = "$Lang::tr{'cant start openssl'}: $!";
+ unlink ("${General::swroot}/certs/$cgiparams{'NAME'}key.pem");
+ unlink ("${General::swroot}/certs/$cgiparams{'NAME'}req.pem");
+ goto VPNCONF_ERROR;
+ }
+ }
+
+ # Sign the host certificate request
+ system('/usr/bin/openssl', 'ca', '-days', '999999',
+ '-batch', '-notext',
+ '-in', "${General::swroot}/certs/$cgiparams{'NAME'}req.pem",
+ '-out', "${General::swroot}/certs/$cgiparams{'NAME'}cert.pem");
+ if ($?) {
+ $errormessage = "$Lang::tr{'openssl produced an error'}: $?";
+ unlink ("${General::swroot}/certs/$cgiparams{'NAME'}key.pem");
+ unlink ("${General::swroot}/certs/$cgiparams{'NAME'}req.pem");
+ unlink ("${General::swroot}/certs/$cgiparams{'NAME'}cert.pem");
+ &cleanssldatabase();
+ goto VPNCONF_ERROR;
+ } else {
+ unlink ("${General::swroot}/certs/$cgiparams{'NAME'}req.pem");
+ &cleanssldatabase();
+ }
+
+ # Create the pkcs12 file
+ system('/usr/bin/openssl', 'pkcs12', '-export',
+ '-inkey', "${General::swroot}/certs/$cgiparams{'NAME'}key.pem",
+ '-in', "${General::swroot}/certs/$cgiparams{'NAME'}cert.pem",
+ '-name', $cgiparams{'NAME'},
+ '-passout', "pass:$cgiparams{'CERT_PASS1'}",
+ '-certfile', "${General::swroot}/ca/cacert.pem",
+ '-caname', "$vpnsettings{'ROOTCERT_ORGANIZATION'} CA",
+ '-out', "${General::swroot}/certs/$cgiparams{'NAME'}.p12");
+ if ($?) {
+ $errormessage = "$Lang::tr{'openssl produced an error'}: $?";
+ unlink ("${General::swroot}/certs/$cgiparams{'NAME'}key.pem");
+ unlink ("${General::swroot}/certs/$cgiparams{'NAME'}cert.pem");
+ unlink ("${General::swroot}/certs/$cgiparams{'NAME'}.p12");
+ goto VPNCONF_ERROR;
+ } else {
+ unlink ("${General::swroot}/certs/$cgiparams{'NAME'}key.pem");
+ }
+ } elsif ($cgiparams{'AUTH'} eq 'cert') {
+ ;# Nothing, just editing
+ } else {
+ $errormessage = $Lang::tr{'invalid input for authentication method'};
+ goto VPNCONF_ERROR;
+ }
+
+ # Check if there is no other entry with this common name
+ if ((! $cgiparams{'KEY'}) && ($cgiparams{'AUTH'} ne 'psk')) {
+ foreach my $key (keys %confighash) {
+ if ($confighash{$key}[2] eq $cgiparams{'CERT_NAME'}) {
+ $errormessage = $Lang::tr{'a connection with this common name already exists'};
+ goto VPNCONF_ERROR;
+ }
+ }
+ }
+
+ # Save the config
+ my $key = $cgiparams{'KEY'};
+ if (! $key) {
+ $key = &General::findhasharraykey (\%confighash);
+ foreach my $i (0 .. 28) { $confighash{$key}[$i] = "";}
+ }
+ $confighash{$key}[0] = $cgiparams{'ENABLED'};
+ $confighash{$key}[1] = $cgiparams{'NAME'};
+ if ((! $cgiparams{'KEY'}) && $cgiparams{'AUTH'} ne 'psk') {
+ $confighash{$key}[2] = $cgiparams{'CERT_NAME'};
+ }
+ $confighash{$key}[3] = $cgiparams{'TYPE'};
+ if ($cgiparams{'AUTH'} eq 'psk') {
+ $confighash{$key}[4] = 'psk';
+ $confighash{$key}[5] = $cgiparams{'PSK'};
+ } else {
+ $confighash{$key}[4] = 'cert';
+ }
+ if ($cgiparams{'TYPE'} eq 'net') {
+ $confighash{$key}[6] = $cgiparams{'SIDE'};
+ $confighash{$key}[11] = $cgiparams{'REMOTE_SUBNET'};
+ }
+ $confighash{$key}[7] = $cgiparams{'LOCAL_ID'};
+ $confighash{$key}[8] = $cgiparams{'LOCAL_SUBNET'};
+ $confighash{$key}[9] = $cgiparams{'REMOTE_ID'};
+ $confighash{$key}[10] = $cgiparams{'REMOTE'};
+ $confighash{$key}[25] = $cgiparams{'REMARK'};
+ $confighash{$key}[26] = $cgiparams{'INTERFACE'};
+ $confighash{$key}[27] = $cgiparams{'DPD_ACTION'};
+ $confighash{$key}[28] = $cgiparams{'PFS_YES_NO'};
+
+ #use default advanced value
+ $confighash{$key}[14] = 'on';
+ $confighash{$key}[13] = 'off';
+ $confighash{$key}[18] = 'aes128|3des';
+ $confighash{$key}[19] = 'sha|md5';
+ $confighash{$key}[20] = '1536|1024';
+ $confighash{$key}[16] = '1';
+ $confighash{$key}[21] = 'aes128|3des';
+ $confighash{$key}[22] = 'sha1|md5';
+ $confighash{$key}[23] = '';
+ $confighash{$key}[17] = '8';
+ $confighash{$key}[24] = 'off';
+
+ #free unused fields!
+ #$confighash{$key}[12] = '';
+ #$confighash{$key}[15] = '';
+
+ &General::writehasharray("${General::swroot}/vpn/config", \%confighash);
+ &writeipsecfiles();
+ if ($vpnsettings{'ENABLED'} eq 'on' ||
+ $vpnsettings{'ENABLED_BLUE'} eq 'on') {
+ system('/usr/local/bin/ipsecctrl', 'S', $key);
+ sleep $sleepDelay;
+ }
+ if ($cgiparams{'EDIT_ADVANCED'} eq 'on') {
+ $cgiparams{'KEY'} = $key;
+ $cgiparams{'ACTION'} = $Lang::tr{'advanced'};
+ }
+ goto VPNCONF_END;
+ } else { # add new connection
+ $cgiparams{'ENABLED'} = 'on';
+ $cgiparams{'SIDE'} = 'left';
+ if ( ! -f "${General::swroot}/private/cakey.pem" ) {
+ $cgiparams{'AUTH'} = 'psk';
+ } elsif ( ! -f "${General::swroot}/ca/cacert.pem") {
+ $cgiparams{'AUTH'} = 'certfile';
+ } else {
+ $cgiparams{'AUTH'} = 'certgen';
+ }
+ $cgiparams{'LOCAL_SUBNET'} ="$netsettings{'GREEN_NETADDRESS'}/$netsettings{'GREEN_NETMASK'}";
+ $cgiparams{'CERT_ORGANIZATION'} = $vpnsettings{'ROOTCERT_ORGANIZATION'};
+ $cgiparams{'CERT_CITY'} = $vpnsettings{'ROOTCERT_CITY'};
+ $cgiparams{'CERT_STATE'} = $vpnsettings{'ROOTCERT_STATE'};
+ $cgiparams{'CERT_COUNTRY'} = $vpnsettings{'ROOTCERT_COUNTRY'};
+
+ # choose appropriate dpd action
+ if ($cgiparams{'TYPE'} eq 'host') {
+ $cgiparams{'DPD_ACTION'} = 'clear';
+ } else {
+ $cgiparams{'DPD_ACTION'} = 'hold'; #restart when available!
+ }
+
+ # Default is yes for 'pfs'
+ $cgiparams{'PFS_YES_NO'} = 'yes';
+
+ # ID are empty
+ $cgiparams{'LOCAL_ID'} = '';
+ $cgiparams{'REMOTE_ID'} = '';
+
+ }
+
+ VPNCONF_ERROR:
+ $checked{'ENABLED'}{'off'} = '';
+ $checked{'ENABLED'}{'on'} = '';
+ $checked{'ENABLED'}{$cgiparams{'ENABLED'}} = "checked='checked'";
+ $checked{'ENABLED_BLUE'}{'off'} = '';
+ $checked{'ENABLED_BLUE'}{'on'} = '';
+ $checked{'ENABLED_BLUE'}{$cgiparams{'ENABLED_BLUE'}} = "checked='checked'";
+
+ $checked{'EDIT_ADVANCED'}{'off'} = '';
+ $checked{'EDIT_ADVANCED'}{'on'} = '';
+ $checked{'EDIT_ADVANCED'}{$cgiparams{'EDIT_ADVANCED'}} = "checked='checked'";
+
+ $selected{'SIDE'}{'left'} = '';
+ $selected{'SIDE'}{'right'} = '';
+ $selected{'SIDE'}{$cgiparams{'SIDE'}} = "selected='selected'";
+
+ $checked{'AUTH'}{'psk'} = '';
+ $checked{'AUTH'}{'certreq'} = '';
+ $checked{'AUTH'}{'certgen'} = '';
+ $checked{'AUTH'}{'certfile'} = '';
+ $checked{'AUTH'}{$cgiparams{'AUTH'}} = "checked='checked'";
+
+ $selected{'INTERFACE'}{$cgiparams{'INTERFACE'}} = "selected='selected'";
+ $selected{'DPD_ACTION'}{$cgiparams{'DPD_ACTION'}} = "selected='selected'";
+ $selected{'PFS_YES_NO'}{$cgiparams{'PFS_YES_NO'}} = "selected='selected'";
+
+ if (1) {
+ &Header::showhttpheaders();
+ &Header::openpage($Lang::tr{'vpn configuration main'}, 1, '');
+ &Header::openbigbox('100%', 'LEFT', '', $errormessage);
+ if ($errormessage) {
+ &Header::openbox('100%', 'LEFT', $Lang::tr{'error messages'});
+ print "<class name='base'>$errormessage";
+ print " </class>";
+ &Header::closebox();
+ }
+
+ if ($warnmessage) {
+ &Header::openbox('100%', 'LEFT', "$Lang::tr{'warning messages'}:");
+ print "<class name='base'>$warnmessage";
+ print " </class>";
+ &Header::closebox();
+ }
+
+ print "<form method='post' enctype='multipart/form-data'>";
+ print "<input type='hidden' name='TYPE' value='$cgiparams{'TYPE'}' />";
+
+ if ($cgiparams{'KEY'}) {
+ print "<input type='hidden' name='KEY' value='$cgiparams{'KEY'}' />";
+ print "<input type='hidden' name='AUTH' value='$cgiparams{'AUTH'}' />";
+ }
+
+ &Header::openbox('100%', 'LEFT', "$Lang::tr{'connection'}:");
+ print "<table width='100%'>";
+ print "<tr><td width='25%' class='boldbase'>$Lang::tr{'name'}:</td>";
+ if ($cgiparams{'KEY'}) {
+ print "<td width='25%' class='base'><input type='hidden' name='NAME' value='$cgiparams{'NAME'}' /><b>$cgiparams{'NAME'}</b></td>";
+ } else {
+ print "<td width='25%'><input type='text' name='NAME' value='$cgiparams{'NAME'}' maxlength='20' size='30' /></td>";
+ }
+ print "<td>$Lang::tr{'enabled'}</td><td><input type='checkbox' name='ENABLED' $checked{'ENABLED'}{'on'} /></td></tr>";
+
+ if ($cgiparams{'TYPE'} eq 'host') {
+
+ print "<tr><td>$Lang::tr{'interface'}</td>";
+ print "<td><select name='INTERFACE'>";
+ print "<option value='RED' $selected{'INTERFACE'}{'RED'}>RED</option>";
+ print "<option value='BLUE' $selected{'INTERFACE'}{'BLUE'}>BLUE</option>" if ($netsettings{'BLUE_DEV'} ne '');
+# print "<option value='GREEN' $selected{'INTERFACE'}{'GREEN'}>GREEN</option>";
+# print "<option value='ORANGE' $selected{'INTERFACE'}{'ORANGE'}>ORANGE</option>";
+ print "</select></td></tr>";
+ print <<END
+ <tr><td class='boldbase'>$Lang::tr{'local subnet'}</td>
+ <td><input type='text' name='LOCAL_SUBNET' value='$cgiparams{'LOCAL_SUBNET'}' size='30' /></td>
+ <td colspan='2'> </td></tr>
+ <tr><td class='boldbase'>$Lang::tr{'remote host/ip'}: <img src='/blob.gif' alt='*' /></td>
+ <td><input type='text' name='REMOTE' value='$cgiparams{'REMOTE'}' size='30' /></td>
+ <td colspan='2'> </td></tr>
+END
+ ;
+ } else {
+ print <<END
+ <tr><input type='hidden' name='INTERFACE' value='RED' />
+ <td class='boldbase' nowrap='nowrap'>$Lang::tr{'ipfire side'}</td>
+ <td><select name='SIDE'><option value='left' $selected{'SIDE'}{'left'}>left</option>
+ <option value='right' $selected{'SIDE'}{'right'}>right</option></select></td>
+ <td class='boldbase'>$Lang::tr{'remote host/ip'}:</td>
+ <td><input type='TEXT' name='REMOTE' value='$cgiparams{'REMOTE'}' size ='30' /></td></tr>
+ <tr><td class='boldbase' nowrap='nowrap'>$Lang::tr{'local subnet'}</td>
+ <td><input type='TEXT' name='LOCAL_SUBNET' value='$cgiparams{'LOCAL_SUBNET'}' size='30' /></td>
+ <td class='boldbase' nowrap='nowrap'>$Lang::tr{'remote subnet'}</td>
+ <td><input type='text' name='REMOTE_SUBNET' value='$cgiparams{'REMOTE_SUBNET'}' size='30' /></td></tr>
+END
+ ;
+ }
+ print <<END
+ <tr><td>$Lang::tr{'dpd action'}:</td>
+ <td><select name='DPD_ACTION'>
+ <option value='clear' $selected{'DPD_ACTION'}{'clear'}>clear</option>
+ <option value='hold' $selected{'DPD_ACTION'}{'hold'}>hold</option>
+ <option value='restart' $selected{'DPD_ACTION'}{'restart'}>restart</option>
+ </select> <a href='http://www.openswan.com/docs/local/README.DPD'>?</a></td>
+<!-- http://www.openswan.com/docs/local/README.DPD
+ http://bugs.xelerance.com/view.php?id=156
+ restart = clear + reinitiate connection
+--> <td width='25%'>$Lang::tr{'pfs yes no'}:</td>
+ <td width='25%'><select name='PFS_YES_NO'>
+ <option value='yes' $selected{'PFS_YES_NO'}{'yes'}>$Lang::tr{'yes'}</option>
+ <option value='no' $selected{'PFS_YES_NO'}{'no'}>$Lang::tr{'no'}</option>
+ </select></td></tr>
+ <td><b>$Lang::tr{'options'}</b></td>
+ <tr><td class='boldbase'>leftid: <img src='/blob.gif' alt='*' />
+ <br />($Lang::tr{'eg'} <tt>@xy.example.com</tt>)</td>
+ <td><input type='text' name='LOCAL_ID' value='$cgiparams{'LOCAL_ID'}' maxlength='50' /></td>
+ <td class='boldbase'>rightid: <img src='/blob.gif' alt='*' /></td>
+ <td><input type='text' name='REMOTE_ID' value='$cgiparams{'REMOTE_ID'}' maxlength='50' /></td></tr>
+ <tr><td class='boldbase'>$Lang::tr{'remark title'} <img src='/blob.gif' alt='*' /></td>
+ <td colspan='3'><input type='text' name='REMARK' value='$cgiparams{'REMARK'}' size='55' maxlength='50' /></td></tr>
+END
+ ;
+ if (!$cgiparams{'KEY'}) {
+ print "<tr><td colspan='3'><input type='checkbox' name='EDIT_ADVANCED' $checked{'EDIT_ADVANCED'}{'on'} /> $Lang::tr{'edit advanced settings when done'}</td></tr>";
+ }
+ print "</table>";
+ &Header::closebox();
+
+ if ($cgiparams{'KEY'} && $cgiparams{'AUTH'} eq 'psk') {
+ &Header::openbox('100%', 'LEFT', $Lang::tr{'authentication'});
+ print <<END
+ <table width='100%' cellpadding='0' cellspacing='5' border='0'>
+ <tr><td class='base' width='50%'>$Lang::tr{'use a pre-shared key'}</td>
+ <td class='base' width='50%'><input type='text' name='PSK' size='30' value='$cgiparams{'PSK'}' /></td></tr>
+ </table>
+END
+ ;
+ &Header::closebox();
+ } elsif (! $cgiparams{'KEY'}) {
+ my $disabled='';
+ my $cakeydisabled='';
+ my $cacrtdisabled='';
+ if ( ! -f "${General::swroot}/private/cakey.pem" ) { $cakeydisabled = "disabled='disabled'" } else { $cakeydisabled = "" };
+ if ( ! -f "${General::swroot}/ca/cacert.pem" ) { $cacrtdisabled = "disabled='disabled'" } else { $cacrtdisabled = "" };
+ &Header::openbox('100%', 'LEFT', $Lang::tr{'authentication'});
+ print <<END
+ <table width='100%' cellpadding='0' cellspacing='5' border='0'>
+ <tr><td width='5%'><input type='radio' name='AUTH' value='psk' $checked{'AUTH'}{'psk'} /></td>
+ <td class='base' width='45%'>$Lang::tr{'use a pre-shared key'}</td>
+ <td class='base' width='50%'><input type='text' name='PSK' size='30' value='$cgiparams{'PSK'}' /></td></tr>
+ <tr><td colspan='3' bgcolor='#000000'><img src='/images/null.gif' width='1' height='1' border='0' /></td></tr>
+ <tr><td><input type='radio' name='AUTH' value='certreq' $checked{'AUTH'}{'certreq'} $cakeydisabled /></td>
+ <td class='base'>$Lang::tr{'upload a certificate request'}</td>
+ <td class='base' rowspan='2'><input type='file' name='FH' size='30' $cacrtdisabled></td></tr>
+ <tr><td><input type='radio' name='AUTH' value='certfile' $checked{'AUTH'}{'certfile'} $cacrtdisabled /></td>
+ <td class='base'>$Lang::tr{'upload a certificate'}</td></tr>
+ <tr><td colspan='3' bgcolor='#000000'><img src='/images/null.gif' width='1' height='1' BORDER='0' /></td></tr>
+ <tr><td><input type='radio' name='AUTH' value='certgen' $checked{'AUTH'}{'certgen'} $cakeydisabled /></td>
+ <td class='base'>$Lang::tr{'generate a certificate'}</td><td> </td></tr>
+ <tr><td> </td>
+ <td class='base'>$Lang::tr{'users fullname or system hostname'}:</td>
+ <td class='base' nowrap='nowrap'><input type='text' name='CERT_NAME' value='$cgiparams{'CERT_NAME'}' SIZE='32' $cakeydisabled /></td></tr>
+ <tr><td> </td>
+ <td class='base'>$Lang::tr{'users email'}: <img src='/blob.gif' alt='*' /></td>
+ <td class='base' nowrap='nowrap'><input type='text' name='CERT_EMAIL' value='$cgiparams{'CERT_EMAIL'}' SIZE='32' $cakeydisabled /></td></tr>
+ <tr><td> </td>
+ <td class='base'>$Lang::tr{'users department'}: <img src='/blob.gif' alt='*' /></td>
+ <td class='base' nowrap='nowrap'><input type='text' name='CERT_OU' value='$cgiparams{'CERT_OU'}' SIZE='32' $cakeydisabled /></td></tr>
+ <tr><td> </td>
+ <td class='base'>$Lang::tr{'organization name'}: <img src='/blob.gif' alt='*' /></td>
+ <td class='base' nowrap='nowrap'><input type='text' name='CERT_ORGANIZATION' value='$cgiparams{'CERT_ORGANIZATION'}' SIZE='32' $cakeydisabled /></td></tr>
+ <tr><td> </td>
+ <td class='base'>$Lang::tr{'city'}: <img src='/blob.gif' alt='*' /></td>
+ <td class='base' nowrap='nowrap'><input type='text' name='CERT_CITY' value='$cgiparams{'CERT_CITY'}' SIZE='32' $cakeydisabled /></td></tr>
+ <tr><td> </td>
+ <td class='base'>$Lang::tr{'state or province'}: <img src='/blob.gif' alt='*' /></td>
+ <td class='base' nowrap='nowrap'><input type='text' name='CERT_STATE' value='$cgiparams{'CERT_STATE'}' SIZE='32' $cakeydisabled /></td></tr>
+ <tr><td> </td>
+ <td class='base'>$Lang::tr{'country'}:</td>
+ <td class='base'><select name='CERT_COUNTRY' $cakeydisabled>
+END
+ ;
+ foreach my $country (sort keys %{Countries::countries}) {
+ print "\t\t\t<option value='$Countries::countries{$country}'";
+ if ( $Countries::countries{$country} eq $cgiparams{'CERT_COUNTRY'} ) {
+ print " selected='selected'";
+ }
+ print ">$country</option>\n";
+ }
+ print <<END
+ </select></td></tr>
+ <tr><td> </td>
+ <td class='base'>$Lang::tr{'pkcs12 file password'}:</td>
+ <td class='base' nowrap='nowrap'><input type='password' name='CERT_PASS1' value='$cgiparams{'CERT_PASS1'}' size='32' $cakeydisabled /></td></tr>
+ <tr><td> </td><td class='base'>$Lang::tr{'pkcs12 file password'}:<BR>($Lang::tr{'confirmation'})</td>
+ <td class='base' nowrap='nowrap'><input type='password' name='CERT_PASS2' value='$cgiparams{'CERT_PASS2'}' size='32' $cakeydisabled /></td></tr>
+ </table>
+END
+ ;
+ &Header::closebox();
+ }
+
+ print "<div align='center'><input type='submit' name='ACTION' value='$Lang::tr{'save'}' />";
+ if ($cgiparams{'KEY'}) {
+ print "<input type='submit' name='ACTION' value='$Lang::tr{'advanced'}' />";
+ }
+ print "<input type='submit' name='ACTION' value='$Lang::tr{'cancel'}' /></div></form>";
+ &Header::closebigbox();
+ &Header::closepage();
+ exit (0);
+ }
+ VPNCONF_END:
+}
+
+###
+### Advanced settings
+###
+if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) ||
+ ($cgiparams{'ACTION'} eq $Lang::tr{'save'} && $cgiparams{'ADVANCED'} eq 'yes')) {
+ &General::readhash("${General::swroot}/vpn/settings", \%vpnsettings);
+ &General::readhasharray("${General::swroot}/vpn/config", \%confighash);
+ if (! $confighash{$cgiparams{'KEY'}}) {
+ $errormessage = $Lang::tr{'invalid key'};
+ goto ADVANCED_END;
+ }
+
+ if ($cgiparams{'ACTION'} eq $Lang::tr{'save'}) {
+ if ($cgiparams{'NAT'} !~ /^(on|off)$/) {
+ $errormessage = $Lang::tr{'invalid input'};
+ goto ADVANCED_ERROR;
+ }
+ if ($cgiparams{'COMPRESSION'} !~ /^(on|off)$/) {
+ $errormessage = $Lang::tr{'invalid input'};
+ goto ADVANCED_ERROR;
+ }
+ if ($cgiparams{'NAT'} eq 'on' && $cgiparams{'COMPRESSION'} eq 'on') {
+ $errormessage = $Lang::tr{'cannot enable both nat traversal and compression'};
+ goto ADVANCED_ERROR;
+ }
+ my @temp = split('\|', $cgiparams{'IKE_ENCRYPTION'});
+ if ($#temp < 0) {
+ $errormessage = $Lang::tr{'invalid input'};
+ goto ADVANCED_ERROR;
+ }
+ foreach my $val (@temp) {
+ if ($val !~ /^(aes256|aes128|3des|twofish256|twofish128|serpent256|serpent128|blowfish256|blowfish128|cast128)$/) {
+ $errormessage = $Lang::tr{'invalid input'};
+ goto ADVANCED_ERROR;
+ }
+ }
+ @temp = split('\|', $cgiparams{'IKE_INTEGRITY'});
+ if ($#temp < 0) {
+ $errormessage = $Lang::tr{'invalid input'};
+ goto ADVANCED_ERROR;
+ }
+ foreach my $val (@temp) {
+ if ($val !~ /^(sha2_512|sha2_256|sha|md5)$/) {
+ $errormessage = $Lang::tr{'invalid input'};
+ goto ADVANCED_ERROR;
+ }
+ }
+ @temp = split('\|', $cgiparams{'IKE_GROUPTYPE'});
+ if ($#temp < 0) {
+ $errormessage = $Lang::tr{'invalid input'};
+ goto ADVANCED_ERROR;
+ }
+ foreach my $val (@temp) {
+ if ($val !~ /^(768|1024|1536|2048|3072|4096|6144|8192)$/) {
+ $errormessage = $Lang::tr{'invalid input'};
+ goto ADVANCED_ERROR;
+ }
+ }
+ if ($cgiparams{'IKE_LIFETIME'} !~ /^\d+$/) {
+ $errormessage = $Lang::tr{'invalid input for ike lifetime'};
+ goto ADVANCED_ERROR;
+ }
+ if ($cgiparams{'IKE_LIFETIME'} < 1 || $cgiparams{'IKE_LIFETIME'} > 8) {
+ $errormessage = $Lang::tr{'ike lifetime should be between 1 and 8 hours'};
+ goto ADVANCED_ERROR;
+ }
+ @temp = split('\|', $cgiparams{'ESP_ENCRYPTION'});
+ if ($#temp < 0) {
+ $errormessage = $Lang::tr{'invalid input'};
+ goto ADVANCED_ERROR;
+ }
+ foreach my $val (@temp) {
+ if ($val !~ /^(aes256|aes128|3des|twofish256|twofish128|serpent256|serpent128|blowfish256|blowfish128)$/) {
+ $errormessage = $Lang::tr{'invalid input'};
+ goto ADVANCED_ERROR;
+ }
+ }
+ @temp = split('\|', $cgiparams{'ESP_INTEGRITY'});
+ if ($#temp < 0) {
+ $errormessage = $Lang::tr{'invalid input'};
+ goto ADVANCED_ERROR;
+ }
+ foreach my $val (@temp) {
+ if ($val !~ /^(sha2_512|sha2_256|sha1|md5)$/) {
+ $errormessage = $Lang::tr{'invalid input'};
+ goto ADVANCED_ERROR;
+ }
+ }
+ if ($cgiparams{'ESP_GROUPTYPE'} ne '' &&
+ $cgiparams{'ESP_GROUPTYPE'} !~ /^modp(768|1024|1536|2048|3072|4096)$/) {
+ $errormessage = $Lang::tr{'invalid input'};
+ goto ADVANCED_ERROR;
+ }
+
+ if ($cgiparams{'ESP_KEYLIFE'} !~ /^\d+$/) {
+ $errormessage = $Lang::tr{'invalid input for esp keylife'};
+ goto ADVANCED_ERROR;
+ }
+ if ($cgiparams{'ESP_KEYLIFE'} < 1 || $cgiparams{'ESP_KEYLIFE'} > 24) {
+ $errormessage = $Lang::tr{'esp keylife should be between 1 and 24 hours'};
+ goto ADVANCED_ERROR;
+ }
+ if ($cgiparams{'ONLY_PROPOSED'} !~ /^(on|off)$/) {
+ $errormessage = $Lang::tr{'invalid input'};
+ goto ADVANCED_ERROR;
+ }
+ $confighash{$cgiparams{'KEY'}}[14] = $cgiparams{'NAT'};
+ $confighash{$cgiparams{'KEY'}}[13] = $cgiparams{'COMPRESSION'};
+ $confighash{$cgiparams{'KEY'}}[18] = $cgiparams{'IKE_ENCRYPTION'};
+ $confighash{$cgiparams{'KEY'}}[19] = $cgiparams{'IKE_INTEGRITY'};
+ $confighash{$cgiparams{'KEY'}}[20] = $cgiparams{'IKE_GROUPTYPE'};
+ $confighash{$cgiparams{'KEY'}}[16] = $cgiparams{'IKE_LIFETIME'};
+ $confighash{$cgiparams{'KEY'}}[21] = $cgiparams{'ESP_ENCRYPTION'};
+ $confighash{$cgiparams{'KEY'}}[22] = $cgiparams{'ESP_INTEGRITY'};
+ $confighash{$cgiparams{'KEY'}}[23] = $cgiparams{'ESP_GROUPTYPE'};
+ $confighash{$cgiparams{'KEY'}}[17] = $cgiparams{'ESP_KEYLIFE'};
+ $confighash{$cgiparams{'KEY'}}[24] = $cgiparams{'ONLY_PROPOSED'};
+ &General::writehasharray("${General::swroot}/vpn/config", \%confighash);
+ &writeipsecfiles();
+ if ($vpnsettings{'ENABLED'} eq 'on' ||
+ $vpnsettings{'ENABLED_BLUE'} eq 'on') {
+ system('/usr/local/bin/ipsecctrl', 'S', $cgiparams{'KEY'});
+ sleep $sleepDelay;
+ }
+ goto ADVANCED_END;
+ } else {
+
+ $cgiparams{'NAT'} = $confighash{$cgiparams{'KEY'}}[14];
+ $cgiparams{'COMPRESSION'} = $confighash{$cgiparams{'KEY'}}[13];
+ $cgiparams{'IKE_ENCRYPTION'} = $confighash{$cgiparams{'KEY'}}[18];
+ $cgiparams{'IKE_INTEGRITY'} = $confighash{$cgiparams{'KEY'}}[19];
+ $cgiparams{'IKE_GROUPTYPE'} = $confighash{$cgiparams{'KEY'}}[20];
+ $cgiparams{'IKE_LIFETIME'} = $confighash{$cgiparams{'KEY'}}[16];
+ $cgiparams{'ESP_ENCRYPTION'} = $confighash{$cgiparams{'KEY'}}[21];
+ $cgiparams{'ESP_INTEGRITY'} = $confighash{$cgiparams{'KEY'}}[22];
+ $cgiparams{'ESP_GROUPTYPE'} = $confighash{$cgiparams{'KEY'}}[23];
+ $cgiparams{'ESP_KEYLIFE'} = $confighash{$cgiparams{'KEY'}}[17];
+ $cgiparams{'ONLY_PROPOSED'} = $confighash{$cgiparams{'KEY'}}[24];
+
+ if ($confighash{$cgiparams{'KEY'}}[3] eq 'net' || $confighash{$cgiparams{'KEY'}}[10]) {
+ $cgiparams{'NAT'} = 'off';
+ }
+ }
+
+ ADVANCED_ERROR:
+ $checked{'NAT'}{'off'} = '';
+ $checked{'NAT'}{'on'} = '';
+ $checked{'NAT'}{$cgiparams{'NAT'}} = "checked='checked'";
+ $checked{'COMPRESSION'}{'off'} = '';
+ $checked{'COMPRESSION'}{'on'} = '';
+ $checked{'COMPRESSION'}{$cgiparams{'COMPRESSION'}} = "checked='checked'";
+ $checked{'IKE_ENCRYPTION'}{'aes256'} = '';
+ $checked{'IKE_ENCRYPTION'}{'aes128'} = '';
+ $checked{'IKE_ENCRYPTION'}{'3des'} = '';
+ $checked{'IKE_ENCRYPTION'}{'twofish256'} = '';
+ $checked{'IKE_ENCRYPTION'}{'twofish128'} = '';
+ $checked{'IKE_ENCRYPTION'}{'serpent256'} = '';
+ $checked{'IKE_ENCRYPTION'}{'serpent128'} = '';
+ $checked{'IKE_ENCRYPTION'}{'blowfish256'} = '';
+ $checked{'IKE_ENCRYPTION'}{'blowfish128'} = '';
+ $checked{'IKE_ENCRYPTION'}{'cast128'} = '';
+ my @temp = split('\|', $cgiparams{'IKE_ENCRYPTION'});
+ foreach my $key (@temp) {$checked{'IKE_ENCRYPTION'}{$key} = "selected='selected'"; }
+ $checked{'IKE_INTEGRITY'}{'sha2_512'} = '';
+ $checked{'IKE_INTEGRITY'}{'sha2_256'} = '';
+ $checked{'IKE_INTEGRITY'}{'sha'} = '';
+ $checked{'IKE_INTEGRITY'}{'md5'} = '';
+ @temp = split('\|', $cgiparams{'IKE_INTEGRITY'});
+ foreach my $key (@temp) {$checked{'IKE_INTEGRITY'}{$key} = "selected='selected'"; }
+ $checked{'IKE_GROUPTYPE'}{'768'} = '';
+ $checked{'IKE_GROUPTYPE'}{'1024'} = '';
+ $checked{'IKE_GROUPTYPE'}{'1536'} = '';
+ $checked{'IKE_GROUPTYPE'}{'2048'} = '';
+ $checked{'IKE_GROUPTYPE'}{'3072'} = '';
+ $checked{'IKE_GROUPTYPE'}{'4096'} = '';
+ $checked{'IKE_GROUPTYPE'}{'6144'} = '';
+ $checked{'IKE_GROUPTYPE'}{'8192'} = '';
+ @temp = split('\|', $cgiparams{'IKE_GROUPTYPE'});
+ foreach my $key (@temp) {$checked{'IKE_GROUPTYPE'}{$key} = "selected='selected'"; }
+ $checked{'ESP_ENCRYPTION'}{'aes256'} = '';
+ $checked{'ESP_ENCRYPTION'}{'aes128'} = '';
+ $checked{'ESP_ENCRYPTION'}{'3des'} = '';
+ $checked{'ESP_ENCRYPTION'}{'twofish256'} = '';
+ $checked{'ESP_ENCRYPTION'}{'twofish128'} = '';
+ $checked{'ESP_ENCRYPTION'}{'serpent256'} = '';
+ $checked{'ESP_ENCRYPTION'}{'serpent128'} = '';
+ $checked{'ESP_ENCRYPTION'}{'blowfish256'} = '';
+ $checked{'ESP_ENCRYPTION'}{'blowfish128'} = '';
+ @temp = split('\|', $cgiparams{'ESP_ENCRYPTION'});
+ foreach my $key (@temp) {$checked{'ESP_ENCRYPTION'}{$key} = "selected='selected'"; }
+ $checked{'ESP_INTEGRITY'}{'sha2_512'} = '';
+ $checked{'ESP_INTEGRITY'}{'sha2_256'} = '';
+ $checked{'ESP_INTEGRITY'}{'sha1'} = '';
+ $checked{'ESP_INTEGRITY'}{'md5'} = '';
+ @temp = split('\|', $cgiparams{'ESP_INTEGRITY'});
+ foreach my $key (@temp) {$checked{'ESP_INTEGRITY'}{$key} = "selected='selected'"; }
+ $checked{'ESP_GROUPTYPE'}{'modp768'} = '';
+ $checked{'ESP_GROUPTYPE'}{'modp1024'} = '';
+ $checked{'ESP_GROUPTYPE'}{'modp1536'} = '';
+ $checked{'ESP_GROUPTYPE'}{'modp2048'} = '';
+ $checked{'ESP_GROUPTYPE'}{'modp3072'} = '';
+ $checked{'ESP_GROUPTYPE'}{'modp4096'} = '';
+ $checked{'ESP_GROUPTYPE'}{$cgiparams{'ESP_GROUPTYPE'}} = "selected='selected'";
+ $checked{'ONLY_PROPOSED'}{'off'} = '';
+ $checked{'ONLY_PROPOSED'}{'on'} = '';
+ $checked{'ONLY_PROPOSED'}{$cgiparams{'ONLY_PROPOSED'}} = "checked='checked'";
+
+ &Header::showhttpheaders();
+ &Header::openpage($Lang::tr{'vpn configuration main'}, 1, '');
+ &Header::openbigbox('100%', 'LEFT', '', $errormessage);
+
+ if ($errormessage) {
+ &Header::openbox('100%', 'LEFT', $Lang::tr{'error messages'});
+ print "<class name='base'>$errormessage";
+ print " </class>";
+ &Header::closebox();
+ }
+
+ if ($warnmessage) {
+ &Header::openbox('100%', 'LEFT', $Lang::tr{'warning messages'});
+ print "<class name='base'>$warnmessage";
+ print " </class>";
+ &Header::closebox();
+ }
+
+ print "<form method='post' enctype='multipart/form-data'>\n";
+ print "<input type='hidden' name='ADVANCED' value='yes' />\n";
+ print "<input type='hidden' name='KEY' value='$cgiparams{'KEY'}' />\n";
+
+ &Header::openbox('100%', 'LEFT', "$Lang::tr{'advanced'}:");
+ print "<table width='100%'>\n";
+ print "<tr><td width='25%' class='boldbase'>$Lang::tr{'compression'}</td>\n";
+ print "<td width='25%'><input type='checkbox' name='COMPRESSION' $checked{'COMPRESSION'}{'on'} /></td>\n";
+ if ($confighash{$cgiparams{'KEY'}}[3] eq 'net') {
+ print "<td width='25%'><input type='hidden' name='NAT' value='off' /></td><td width='25%'> </td></tr>\n";
+ } elsif ($confighash{$cgiparams{'KEY'}}[10]) {
+ print "<td width='25%' class='boldbase'>$Lang::tr{'nat-traversal'}</td>\n";
+ print "<td width='25%'><input type='checkbox' name='NAT' $checked{'NAT'}{'on'} disabled='disabled' /></td></tr>\n";
+ } else {
+ print "<td width='25%' class='boldbase'>$Lang::tr{'nat-traversal'}</td>\n";
+ print "<td width='25%'><input type='checkbox' name='NAT' $checked{'NAT'}{'on'} /></td></tr>\n";
+ }
+ print <<EOF
+ <tr><td width='25%' class='boldbase' valign='top'>$Lang::tr{'ike encryption'}</td>
+ <td width='25%' valign='top'><select name='IKE_ENCRYPTION' multiple='multiple' size='4'>
+ <option value='aes256' $checked{'IKE_ENCRYPTION'}{'aes256'}>AES (256 bit)</option>
+ <option value='aes128' $checked{'IKE_ENCRYPTION'}{'aes128'}>AES (128 bit)</option>
+ <option value='3des' $checked{'IKE_ENCRYPTION'}{'3des'}>3DES</option>
+ <option value='twofish256' $checked{'IKE_ENCRYPTION'}{'twofish256'}>Twofish (256 bit)</option>
+ <option value='twofish128' $checked{'IKE_ENCRYPTION'}{'twofish128'}>Twofish (128 bit)</option>
+ <option value='serpent256' $checked{'IKE_ENCRYPTION'}{'serpent256'}>Serpent (256 bit)</option>
+ <option value='serpent128' $checked{'IKE_ENCRYPTION'}{'serpent128'}>Serpent (128 bit)</option>
+ <option value='blowfish256' $checked{'IKE_ENCRYPTION'}{'blowfish256'}>Blowfish (256 bit)</option>
+ <option value='blowfish128' $checked{'IKE_ENCRYPTION'}{'blowfish128'}>Blowfish (128 bit)</option>
+ <option value='cast128' $checked{'IKE_ENCRYPTION'}{'cast128'}>Cast (128 bit)</option></SELECT></td>
+ <td width='25%' class='boldbase' valign='top'>$Lang::tr{'ike integrity'}</td>
+ <td width='25%' valign='top'><select name='IKE_INTEGRITY' multiple='multiple' size='4'>
+ <option value='sha2_512' $checked{'IKE_INTEGRITY'}{'sha2_512'}>SHA2 (512)</option>
+ <option value='sha2_256' $checked{'IKE_INTEGRITY'}{'sha2_256'}>SHA2 (256)</option>
+ <option value='sha' $checked{'IKE_INTEGRITY'}{'sha'}>SHA</option>
+ <option value='md5' $checked{'IKE_INTEGRITY'}{'md5'}>MD5</option></SELECT></td></tr>
+ <tr><td width='25%' class='boldbase' valign='top'>$Lang::tr{'ike lifetime'}</td>
+ <td width='25%' valign='top'><input type='text' name='IKE_LIFETIME' value='$cgiparams{'IKE_LIFETIME'}' SIZE='5'> $Lang::tr{'hours'}</td>
+ <td width='25%' class='boldbase' valign='top'>$Lang::tr{'ike grouptype'}</td>
+ <td width='25%' valign='top'><select name='IKE_GROUPTYPE' multiple='multiple' size='4'>
+ <option value='8192' $checked{'IKE_GROUPTYPE'}{'8192'}>MODP-8192</option>
+ <option value='6144' $checked{'IKE_GROUPTYPE'}{'6144'}>MODP-6144</option>
+ <option value='4096' $checked{'IKE_GROUPTYPE'}{'4096'}>MODP-4096</option>
+ <option value='3072' $checked{'IKE_GROUPTYPE'}{'3072'}>MODP-3072</option>
+ <option value='2048' $checked{'IKE_GROUPTYPE'}{'2048'}>MODP-2048</option>
+ <option value='1536' $checked{'IKE_GROUPTYPE'}{'1536'}>MODP-1536</option>
+ <option value='1024' $checked{'IKE_GROUPTYPE'}{'1024'}>MODP-1024</option>
+ <option value='768' $checked{'IKE_GROUPTYPE'}{'768'}>MODP-768</option></select></td></tr>
+ <tr><td width='25%' class='boldbase' valign='top'>$Lang::tr{'esp encryption'}</td>
+ <td width='25%' valign='top'><select name='ESP_ENCRYPTION' multiple='multiple' size='4'>
+ <option value='aes256' $checked{'ESP_ENCRYPTION'}{'aes256'}>AES (256 bit)</option>
+ <option value='aes128' $checked{'ESP_ENCRYPTION'}{'aes128'}>AES (128 bit)</option>
+ <option value='3des' $checked{'ESP_ENCRYPTION'}{'3des'}>3DES</option>
+ <option value='twofish256' $checked{'ESP_ENCRYPTION'}{'twofish256'}>Twofish (256 bit)</option>
+ <option value='twofish128' $checked{'ESP_ENCRYPTION'}{'twofish128'}>Twofish (128 bit)</option>
+ <option value='serpent256' $checked{'ESP_ENCRYPTION'}{'serpent256'}>Serpent (256 bit)</option>
+ <option value='serpent128' $checked{'ESP_ENCRYPTION'}{'serpent128'}>Serpent (128 bit)</option>
+ <option value='blowfish256' $checked{'ESP_ENCRYPTION'}{'blowfish256'}>Blowfish (256 bit)</option>
+ <option value='blowfish128' $checked{'ESP_ENCRYPTION'}{'blowfish128'}>Blowfish (128 bit)</option></select></td>
+ <td width='25%' class='boldbase' valign='top'>$Lang::tr{'esp integrity'}</td>
+ <td width='25%' valign='top'><select name='ESP_INTEGRITY' multiple='multiple' size='4'>
+ <option value='sha2_512' $checked{'ESP_INTEGRITY'}{'sha2_512'}>SHA2 (512)</option>
+ <option value='sha2_256' $checked{'ESP_INTEGRITY'}{'sha2_256'}>SHA2 (256)</option>
+ <option value='sha1' $checked{'ESP_INTEGRITY'}{'sha1'}>SHA1</option>
+ <option value='md5' $checked{'ESP_INTEGRITY'}{'md5'}>MD5</option></select></td></tr>
+ <tr><td width='25%' class='boldbase' valign='top'>$Lang::tr{'esp keylife'}</td>
+ <td width='25%' valign='top'><input type='text' name='ESP_KEYLIFE' value='$cgiparams{'ESP_KEYLIFE'}' size='5' /> $Lang::tr{'hours'}</td>
+ <td width='25%' class='boldbase' valign='top'>$Lang::tr{'esp grouptype'}</td>
+ <td width='25%' valign='top'><select name='ESP_GROUPTYPE'>
+ <option value=''>$Lang::tr{'phase1 group'}</option>
+ <option value='modp4096' $checked{'ESP_GROUPTYPE'}{'modp4096'}>MODP-4096</option>
+ <option value='modp3072' $checked{'ESP_GROUPTYPE'}{'modp3072'}>MODP-3072</option>
+ <option value='modp2048' $checked{'ESP_GROUPTYPE'}{'modp2048'}>MODP-2048</option>
+ <option value='modp1536' $checked{'ESP_GROUPTYPE'}{'modp1536'}>MODP-1536</option>
+ <option value='modp1024' $checked{'ESP_GROUPTYPE'}{'modp1024'}>MODP-1024</option>
+ <option value='modp768' $checked{'ESP_GROUPTYPE'}{'modp768'}>MODP-768</option></select></td></tr>
+ <tr><td colspan='4'><input type='CHECKBOX' name='ONLY_PROPOSED' $checked{'ONLY_PROPOSED'}{'on'} />
+ $Lang::tr{'use only proposed settings'}</td></tr>
+ </table>
+EOF
+ ;
+ &Header::closebox();
+ print "<div align='center'><input type='submit' name='ACTION' value='$Lang::tr{'save'}' />";
+ print "<input type='submit' name='ACTION' value='$Lang::tr{'cancel'}' /></div></form>";
+ &Header::closebigbox();
+ &Header::closepage();
+ exit(0);
+
+ ADVANCED_END:
+}
+
+###
+### Default status page
+###
+ %cgiparams = ();
+ %cahash = ();
+ %confighash = ();
+ &General::readhash("${General::swroot}/vpn/settings", \%cgiparams);
+ &General::readhasharray("${General::swroot}/vpn/caconfig", \%cahash);
+ &General::readhasharray("${General::swroot}/vpn/config", \%confighash);
+
+ my @status = `/usr/sbin/ipsec auto --status`;
+
+ # suggest a default name for this side
+ if ($cgiparams{'VPN_IP'} eq '' && -e "${General::swroot}/red/active") {
+ if (open(IPADDR, "${General::swroot}/red/local-ipaddress")) {
+ my $ipaddr = <IPADDR>;
+ close IPADDR;
+ chomp ($ipaddr);
+ $cgiparams{'VPN_IP'} = (gethostbyaddr(pack("C4", split(/\./, $ipaddr)), 2))[0];
+ if ($cgiparams{'VPN_IP'} eq '') {
+ $cgiparams{'VPN_IP'} = $ipaddr;
+ }
+ }
+ }
+ # no IP found, use %defaultroute
+ $cgiparams{'VPN_IP'} ='%defaultroute' if ($cgiparams{'VPN_IP'} eq '');
+
+ $cgiparams{'VPN_DELAYED_START'} = 0 if (! defined ($cgiparams{'VPN_DELAYED_START'}));
+ map ($checked{$_} = $cgiparams{$_} eq 'on' ? "checked='checked'" : '',
+ ('ENABLED','ENABLED_BLUE','DBG_CRYPT','DBG_PARSING','DBG_EMITTING','DBG_CONTROL',
+ 'DBG_KLIPS','DBG_DNS','DBG_NAT_T'));
+
+
+ &Header::showhttpheaders();
+ &Header::openpage($Lang::tr{'vpn configuration main'}, 1, '');
+ &Header::openbigbox('100%', 'LEFT', '', $errormessage);
+
+ if ($errormessage) {
+ &Header::openbox('100%', 'LEFT', $Lang::tr{'error messages'});
+ print "<class name='base'>$errormessage\n";
+ print " </class>\n";
+ &Header::closebox();
+ }
+
+ &Header::openbox('100%', 'LEFT', $Lang::tr{'global settings'});
+ print <<END
+ <form method='post'>
+ <table width='100%'>
+ <tr>
+ <td width='25%' class='base' nowrap='nowrap'>$Lang::tr{'local vpn hostname/ip'}:</td>
+ <td width='25%'><input type='text' name='VPN_IP' value='$cgiparams{'VPN_IP'}' /></td>
+ <td width='25%' class='base'>$Lang::tr{'enabled'}<input type='checkbox' name='ENABLED' $checked{'ENABLED'} /></td>
+ </tr>
+END
+ ;
+ if ($netsettings{'BLUE_DEV'} ne '') {
+ print <<END
+ <tr>
+ <td width='25%' class='base' nowrap='nowrap'>$Lang::tr{'vpn on blue'}:</td>
+ <td></td>
+ <td width='25%' class='base'>$Lang::tr{'enabled'}<input type='checkbox' name='ENABLED_BLUE' $checked{'ENABLED_BLUE'} /></td>
+ </tr>
+END
+ ;
+ }
+print <<END
+ <td width='25%' class='base' nowrap='nowrap'>$Lang::tr{'vpn delayed start'}: <img src='/blob.gif' alt='*' /></td>
+ <td width='25%'><input type='text' name='VPN_DELAYED_START' value='$cgiparams{'VPN_DELAYED_START'}' /></td>
+ <td width='25%' class='base' nowrap='nowrap'>$Lang::tr{'override mtu'}: <img src='/blob.gif' alt='*' /></td>
+ <td width='25%'><input type='text' name='VPN_OVERRIDE_MTU' value='$cgiparams{'VPN_OVERRIDE_MTU'}' /></td>
+</table>
+<table width='100%'>
+<tr><td>PLUTO DEBUG</td>
+ <td>crypt:<input type='checkbox' name='DBG_CRYPT' $checked{'DBG_CRYPT'} /></td>
+ <td>parsing:<input type='checkbox' name='DBG_PARSING' $checked{'DBG_PARSING'} /></td>
+ <td>emitting:<input type='checkbox' name='DBG_EMITTING' $checked{'DBG_EMITTING'} /></td>
+ <td>control:<input type='checkbox' name='DBG_CONTROL' $checked{'DBG_CONTROL'} /></td>
+ <td>klips:<input type='checkbox' name='DBG_KLIPS' $checked{'DBG_KLIPS'} /></td>
+ <td>dns:<input type='checkbox' name='DBG_DNS' $checked{'DBG_DNS'} /></td>
+ <td>nat_t:<input type='checkbox' name='DBG_NAT_T' $checked{'DBG_NAT_T'} /></td>
+</tr></table>
+<hr />
+<table width='100%'>
+<tr>
+ <td class='base' valign='top'><img src='/blob.gif' alt='*' /></td>
+ <td width='70%' class='base'>$Lang::tr{'vpn delayed start help'}</td>
+ <td width='30%' align='center' class='base'><input type='submit' name='ACTION' value='$Lang::tr{'save'}' /></td>
+</tr>
+</table>
+END
+;
+ print "</form>";
+ &Header::closebox();
+
+ &Header::openbox('100%', 'LEFT', $Lang::tr{'connection status and controlc'});
+ print <<END
+ <table width='100%' border='0' cellspacing='1' cellpadding='0'>
+ <tr>
+ <td width='10%' class='boldbase' align='center'><b>$Lang::tr{'name'}</b></td>
+ <td width='22%' class='boldbase' align='center'><b>$Lang::tr{'type'}</b></td>
+ <td width='23%' class='boldbase' align='center'><b>$Lang::tr{'common name'}</b></td>
+ <td width='30%' class='boldbase' align='center'><b>$Lang::tr{'remark'}</b><br /><img src='/images/null.gif' width='125' height='1' border='0' alt='L2089' /></td>
+ <td width='10%' class='boldbase' align='center'><b>$Lang::tr{'status'}</b></td>
+ <td width='5%' class='boldbase' colspan='6' align='center'><b>$Lang::tr{'action'}</b></td>
+ </tr>
+END
+ ;
+ my $id = 0;
+ my $gif;
+ foreach my $key (keys %confighash) {
+ if ($confighash{$key}[0] eq 'on') { $gif = 'on.gif'; } else { $gif = 'off.gif'; }
+
+ if ($id % 2) {
+ print "<tr bgcolor='${Header::table1colour}'>\n";
+ } else {
+ print "<tr bgcolor='${Header::table2colour}'>\n";
+ }
+ print "<td align='center' nowrap='nowrap'>$confighash{$key}[1]</td>";
+ print "<td align='center' nowrap='nowrap'>" . $Lang::tr{"$confighash{$key}[3]"} . " (" . $Lang::tr{"$confighash{$key}[4]"} . ")</td>";
+ if ($confighash{$key}[4] eq 'cert') {
+ print "<td align='left' nowrap='nowrap'>$confighash{$key}[2]</td>";
+ } else {
+ print "<td align='left'> </td>";
+ }
+ print "<td align='center'>$confighash{$key}[25]</td>";
+ my $active = "<table cellpadding='2' cellspacing='0' bgcolor='${Header::colourred}' width='100%'><tr><td align='center'><b><font color='#FFFFFF'>$Lang::tr{'capsclosed'}</font></b></td></tr></table>";
+ if ($confighash{$key}[0] eq 'off') {
+ $active = "<table cellpadding='2' cellspacing='0' bgcolor='${Header::colourblue}' width='100%'><tr><td align='center'><b><font color='#FFFFFF'>$Lang::tr{'capsclosed'}</font></b></td></tr></table>";
+ } else {
+ foreach my $line (@status) {
+ if ($line =~ /\"$confighash{$key}[1]\".*IPsec SA established/) {
+ $active = "<table cellpadding='2' cellspacing='0' bgcolor='${Header::colourgreen}' width='100%'><tr><td align='center'><b><font color='#FFFFFF'>$Lang::tr{'capsopen'}</font></b></td></tr></table>";
+ }
+ }
+ }
+ print <<END
+ <td align='center'>$active</td>
+ <form method='post' name='frm${key}a'><td align='center'>
+ <input type='image' name='$Lang::tr{'restart'}' src='/images/reload.gif' alt='$Lang::tr{'restart'}' title='$Lang::tr{'restart'}' border='0' />
+ <input type='hidden' name='ACTION' value='$Lang::tr{'restart'}' />
+ <input type='hidden' name='KEY' value='$key' />
+ </td></form>
+END
+ ;
+ if ($confighash{$key}[4] eq 'cert') {
+ print <<END
+ <form method='post' name='frm${key}b'><td align='center'>
+ <input type='image' name='$Lang::tr{'show certificate'}' src='/images/info.gif' alt='$Lang::tr{'show certificate'}' title='$Lang::tr{'show certificate'}' border='0' />
+ <input type='hidden' name='ACTION' value='$Lang::tr{'show certificate'}' />
+ <input type='hidden' name='KEY' value='$key' />
+ </td></form>
+END
+ ; } else {
+ print "<td> </td>";
+ }
+ if ($confighash{$key}[4] eq 'cert' && -f "${General::swroot}/certs/$confighash{$key}[1].p12") {
+ print <<END
+ <form method='post' name='frm${key}c'><td align='center'>
+ <input type='image' name='$Lang::tr{'download pkcs12 file'}' src='/images/floppy.gif' alt='$Lang::tr{'download pkcs12 file'}' title='$Lang::tr{'download pkcs12 file'}' border='0' />
+ <input type='hidden' name='ACTION' value='$Lang::tr{'download pkcs12 file'}' />
+ <input type='hidden' name='KEY' value='$key' />
+ </td></form>
+END
+ ; } elsif ($confighash{$key}[4] eq 'cert') {
+ print <<END
+ <form method='post' name='frm${key}c'><td align='center'>
+ <input type='image' name='$Lang::tr{'download certificate'}' src='/images/floppy.gif' alt='$Lang::tr{'download certificate'}' title='$Lang::tr{'download certificate'}' border='0' />
+ <input type='hidden' name='ACTION' value='$Lang::tr{'download certificate'}' />
+ <input type='hidden' name='KEY' value='$key' />
+ </td></form>
+END
+ ; } else {
+ print "<td> </td>";
+ }
+ print <<END
+ <form method='post' name='frm${key}d'><td align='center'>
+ <input type='image' name='$Lang::tr{'toggle enable disable'}' src='/images/$gif' alt='$Lang::tr{'toggle enable disable'}' title='$Lang::tr{'toggle enable disable'}' border='0' />
+ <input type='hidden' name='ACTION' value='$Lang::tr{'toggle enable disable'}' />
+ <input type='hidden' name='KEY' value='$key' />
+ </td></form>
+
+ <form method='post' name='frm${key}e'><td align='center'>
+ <input type='hidden' name='ACTION' value='$Lang::tr{'edit'}' />
+ <input type='image' name='$Lang::tr{'edit'}' src='/images/edit.gif' alt='$Lang::tr{'edit'}' title='$Lang::tr{'edit'}' width='20' height='20' border='0'/>
+ <input type='hidden' name='KEY' value='$key' />
+ </td></form>
+ <form method='post' name='frm${key}f'><td align='center'>
+ <input type='hidden' name='ACTION' value='$Lang::tr{'remove'}' />
+ <input type='image' name='$Lang::tr{'remove'}' src='/images/delete.gif' alt='$Lang::tr{'remove'}' title='$Lang::tr{'remove'}' width='20' height='20' border='0' />
+ <input type='hidden' name='KEY' value='$key' />
+ </td></form>
+ </tr>
+END
+ ;
+ $id++;
+ }
+ ;
+
+ # If the config file contains entries, print Key to action icons
+ if ( $id ) {
+ print <<END
+ <table>
+ <tr>
+ <td class='boldbase'> <b>$Lang::tr{'legend'}:</b></td>
+ <td> <img src='/images/on.gif' alt='$Lang::tr{'click to disable'}' /></td>
+ <td class='base'>$Lang::tr{'click to disable'}</td>
+ <td> <img src='/images/info.gif' alt='$Lang::tr{'show certificate'}' /></td>
+ <td class='base'>$Lang::tr{'show certificate'}</td>
+ <td> <img src='/images/edit.gif' alt='$Lang::tr{'edit'}' /></td>
+ <td class='base'>$Lang::tr{'edit'}</td>
+ <td> <img src='/images/delete.gif' alt='$Lang::tr{'remove'}' /></td>
+ <td class='base'>$Lang::tr{'remove'}</td>
+ </tr>
+ <tr>
+ <td> </td>
+ <td> <img src='/images/off.gif' alt='?OFF' /></td>
+ <td class='base'>$Lang::tr{'click to enable'}</td>
+ <td> <img src='/images/floppy.gif' alt='?FLOPPY' /></td>
+ <td class='base'>$Lang::tr{'download certificate'}</td>
+ <td> <img src='/images/reload.gif' alt='?RELOAD'/></td>
+ <td class='base'>$Lang::tr{'restart'}</td>
+ </tr>
+ </table>
+END
+ ;
+ }
+
+ print <<END
+ <table width='100%'>
+ <form method='post'>
+ <tr><td align='center' colspan='9'><input type='submit' name='ACTION' value='$Lang::tr{'add'}' /></td></tr>
+ </form>
+ </table>
+END
+ ;
+ &Header::closebox();
+
+ &Header::openbox('100%', 'LEFT', "$Lang::tr{'certificate authorities'}:");
+ print <<EOF
+ <table width='100%' border='0' cellspacing='1' cellpadding='0'>
+ <tr>
+ <td width='25%' class='boldbase' align='center'><b>$Lang::tr{'name'}</b></td>
+ <td width='65%' class='boldbase' align='center'><b>$Lang::tr{'subject'}</b></td>
+ <td width='10%' class='boldbase' colspan='3' align='center'><b>$Lang::tr{'action'}</b></td>
+ </tr>
+EOF
+ ;
+ if (-f "${General::swroot}/ca/cacert.pem") {
+ my $casubject = `/usr/bin/openssl x509 -text -in ${General::swroot}/ca/cacert.pem`;
+ $casubject =~ /Subject: (.*)[\n]/;
+ $casubject = $1;
+ $casubject =~ s+/Email+, E+;
+ $casubject =~ s/ ST=/ S=/;
+
+ print <<END
+ <tr bgcolor='${Header::table2colour}'>
+ <td class='base'>$Lang::tr{'root certificate'}</td>
+ <td class='base'>$casubject</td>
+ <form method='post' name='frmrootcrta'><td width='3%' align='center'>
+ <input type='hidden' name='ACTION' value='$Lang::tr{'show root certificate'}' />
+ <input type='image' name='$Lang::tr{'edit'}' src='/images/info.gif' alt='$Lang::tr{'show root certificate'}' title='$Lang::tr{'show root certificate'}' width='20' height='20' border='0' />
+ </td></form>
+ <form method='post' name='frmrootcrtb'><td width='3%' align='center'>
+ <input type='image' name='$Lang::tr{'download root certificate'}' src='/images/floppy.gif' alt='$Lang::tr{'download root certificate'}' title='$Lang::tr{'download root certificate'}' border='0' />
+ <input type='hidden' name='ACTION' value='$Lang::tr{'download root certificate'}' />
+ </td></form>
+ <td width='4%'> </td></tr>
+END
+ ;
+ } else {
+ # display rootcert generation buttons
+ print <<END
+ <tr bgcolor='${Header::table2colour}'>
+ <td class='base'>$Lang::tr{'root certificate'}:</td>
+ <td class='base'>$Lang::tr{'not present'}</td>
+ <td colspan='3'> </td></tr>
+END
+ ;
+ }
+
+ if (-f "${General::swroot}/certs/hostcert.pem") {
+ my $hostsubject = `/usr/bin/openssl x509 -text -in ${General::swroot}/certs/hostcert.pem`;
+ $hostsubject =~ /Subject: (.*)[\n]/;
+ $hostsubject = $1;
+ $hostsubject =~ s+/Email+, E+;
+ $hostsubject =~ s/ ST=/ S=/;
+
+ print <<END
+ <tr bgcolor='${Header::table1colour}'>
+ <td class='base'>$Lang::tr{'host certificate'}</td>
+ <td class='base'>$hostsubject</td>
+ <form method='post' name='frmhostcrta'><td width='3%' align='center'>
+ <input type='hidden' name='ACTION' value='$Lang::tr{'show host certificate'}' />
+ <input type='image' name='$Lang::tr{'show host certificate'}' src='/images/info.gif' alt='$Lang::tr{'show host certificate'}' title='$Lang::tr{'show host certificate'}' width='20' height='20' border='0' />
+ </td></form>
+ <form method='post' name='frmhostcrtb'><td width='3%' align='center'>
+ <input type='image' name='$Lang::tr{'download host certificate'}' src='/images/floppy.gif' alt='$Lang::tr{'download host certificate'}' title='$Lang::tr{'download host certificate'}' border='0' />
+ <input type='hidden' name='ACTION' value='$Lang::tr{'download host certificate'}' />
+ </td></form>
+ <td width='4%'> </td></tr>
+END
+ ;
+ } else {
+ # Nothing
+ print <<END
+ <tr bgcolor='${Header::table1colour}'>
+ <td width='25%' class='base'>$Lang::tr{'host certificate'}:</td>
+ <td class='base'>$Lang::tr{'not present'}</td>
+ </td><td colspan='3'> </td></tr>
+END
+ ;
+ }
+
+ if (! -f "${General::swroot}/ca/cacert.pem") {
+ print "<tr><td colspan='5' align='center'><form method='post'>";
+ print "<input type='submit' name='ACTION' value='$Lang::tr{'generate root/host certificates'}' />";
+ print "</form></td></tr>\n";
+ }
+
+ if (keys %cahash > 0) {
+ foreach my $key (keys %cahash) {
+ if (($key + 1) % 2) {
+ print "<tr bgcolor='${Header::table1colour}'>\n";
+ } else {
+ print "<tr bgcolor='${Header::table2colour}'>\n";
+ }
+ print "<td class='base'>$cahash{$key}[0]</td>\n";
+ print "<td class='base'>$cahash{$key}[1]</td>\n";
+ print <<END
+ <form method='post' name='cafrm${key}a'><td align='center'>
+ <input type='image' name='$Lang::tr{'show ca certificate'}' src='/images/info.gif' alt='$Lang::tr{'show ca certificate'}' title='$Lang::tr{'show ca certificate'}' border='0' />
+ <input type='hidden' name='ACTION' value='$Lang::tr{'show ca certificate'}' />
+ <input type='hidden' name='KEY' value='$key' />
+ </td></form>
+ <form method='post' name='cafrm${key}b'><td align='center'>
+ <input type='image' name='$Lang::tr{'download ca certificate'}' src='/images/floppy.gif' alt='$Lang::tr{'download ca certificate'}' title='$Lang::tr{'download ca certificate'}' border='0' />
+ <input type='hidden' name='ACTION' value='$Lang::tr{'download ca certificate'}' />
+ <input type='hidden' name='KEY' value='$key' />
+ </td></form>
+ <form method='post' name='cafrm${key}c'><td align='center'>
+ <input type='hidden' name='ACTION' value='$Lang::tr{'remove ca certificate'}' />
+ <input type='image' name='$Lang::tr{'remove ca certificate'}' src='/images/delete.gif' alt='$Lang::tr{'remove ca certificate'}' title='$Lang::tr{'remove ca certificate'}' width='20' height='20' border='0' />
+ <input type='hidden' name='KEY' value='$key' />
+ </td></form></tr>
+END
+ ;
+ }
+ }
+
+ print "</table>";
+
+ # If the file contains entries, print Key to action icons
+ if ( -f "${General::swroot}/ca/cacert.pem") {
+ print <<END
+ <table>
+ <tr>
+ <td class='boldbase'> <b>$Lang::tr{'legend'}:</b></td>
+ <td> <img src='/images/info.gif' alt='$Lang::tr{'show certificate'}' /></td>
+ <td class='base'>$Lang::tr{'show certificate'}</td>
+ <td> <img src='/images/floppy.gif' alt='$Lang::tr{'download certificate'}' /></td>
+ <td class='base'>$Lang::tr{'download certificate'}</td>
+ </tr>
+ </table>
+END
+ ;
+ }
+ print <<END
+ <form method='post' enctype='multipart/form-data'>
+ <table width='100%' border='0' cellspacing='1' cellpadding='0'>
+ <tr><td class='base' nowrap='nowrap'>$Lang::tr{'ca name'}:</td>
+ <td nowrap='nowrap'><input type='text' name='CA_NAME' value='$cgiparams{'CA_NAME'}' size='15' />
+ <td nowrap='nowrap'><input type='file' name='FH' size='30' /></td>
+ <td nowrap='nowrap'><input type='submit' name='ACTION' value='$Lang::tr{'upload ca certificate'}' /></td>
+ </tr></table></form>
+END
+ ;
+ &Header::closebox();
+
+ print "<div align='center'><form method='post'><input type='submit' name='ACTION' value='$Lang::tr{'reset'}' /></div></form>\n";
+ print "$Lang::tr{'this feature has been sponsored by'} : ";
+ print "<a href='http://www.seminolegas.com/' target='_blank'>Seminole Canada Gas Company</a>.\n";
+
+ &Header::closebigbox();
+ &Header::closepage();