X-Git-Url: http://git.ipfire.org/?a=blobdiff_plain;f=html%2Fcgi-bin%2Fovpnmain.cgi;h=077f5ab6c483f0dc96dc5a6da35bbeb1f77ff4ca;hb=016859ffe4910a0b7b3a71875d67c31aab369a1b;hp=68a70d14777f4d07711201e7f08b71c0d636eab6;hpb=4e5a35c123926c1a2a1b8d831f59563fd436835b;p=people%2Fpmueller%2Fipfire-2.x.git diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi index 68a70d1477..077f5ab6c4 100644 --- a/html/cgi-bin/ovpnmain.cgi +++ b/html/cgi-bin/ovpnmain.cgi @@ -47,7 +47,7 @@ undef (@dummy); my %color = (); my %mainsettings = (); &General::readhash("${General::swroot}/main/settings", \%mainsettings); -&General::readhash("/srv/web/ipfire/html/themes/".$mainsettings{'THEME'}."/include/colors.txt", \%color); +&General::readhash("/srv/web/ipfire/html/themes/ipfire/include/colors.txt", \%color); ### ### Initialize variables @@ -192,10 +192,10 @@ sub newcleanssldatabase close FILE; } if (! -s ">${General::swroot}/ovpn/certs/index.txt") { - system ("touch ${General::swroot}/ovpn/certs/index.txt"); + &General::system("touch", "${General::swroot}/ovpn/certs/index.txt"); } if (! -s ">${General::swroot}/ovpn/certs/index.txt.attr") { - system ("touch ${General::swroot}/ovpn/certs/index.txt.attr"); + &General::system("touch", "${General::swroot}/ovpn/certs/index.txt.attr"); } unlink ("${General::swroot}/ovpn/certs/index.txt.old"); unlink ("${General::swroot}/ovpn/certs/index.txt.attr.old"); 
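Review bot: The two new `&General::system("touch", …)` calls in newcleanssldatabase still run unconditionally, because the guard on the line above each of them tests `-s ">${General::swroot}/ovpn/certs/index.txt"` and a filename beginning with `>` never exists, so `! -s` is always true. The commit converts the shell-string `system` into a list call but keeps the broken guard, so the "create if missing" intent is not implemented. Dropping the stray `>` in both tests, `if (! -s "${General::swroot}/ovpn/certs/index.txt") {` and `if (! -s "${General::swroot}/ovpn/certs/index.txt.attr") {`, makes the checks do what the comment-free code seems to intend. The sub's body starts before this hunk.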
@@ -220,18 +220,21 @@ sub pkiconfigcheck { # Warning if DH parameter is 1024 bit if (-f "${General::swroot}/ovpn/ca/$cgiparams{'DH_NAME'}") { - my $dhparameter = `/usr/bin/openssl dhparam -text -in ${General::swroot}/ovpn/ca/$cgiparams{'DH_NAME'}`; - my @dhbit = ($dhparameter =~ /(\d+)/); - if ($1 < 2048) { - $cryptoerror = "$Lang::tr{'ovpn error dh'}"; - goto CRYPTO_ERROR; + my @dhparameter = &General::system_output("/usr/bin/openssl", "dhparam", "-text", "-in", "${General::swroot}/ovpn/ca/$cgiparams{'DH_NAME'}"); + + foreach my $line (@dhparameter) { + my @dhbit = ($line =~ /(\d+)/); + if ($1 < 2048) { + $cryptoerror = "$Lang::tr{'ovpn error dh'}"; + goto CRYPTO_ERROR; + } } } # Warning if md5 is in usage if (-f "${General::swroot}/ovpn/certs/servercert.pem") { - my $signature = `/usr/bin/openssl x509 -noout -text -in ${General::swroot}/ovpn/certs/servercert.pem`; - if ($signature =~ /md5WithRSAEncryption/) { + my @signature = &General::system_output("/usr/bin/openssl", "x509", "-noout", "-text", "-in", "${General::swroot}/ovpn/certs/servercert.pem"); + if (grep(/md5WithRSAEncryption/, @signature) ) { $cryptoerror = "$Lang::tr{'ovpn error md5'}"; goto CRYPTO_ERROR; } @@ -241,8 +244,8 @@ sub pkiconfigcheck # Warning if certificate is not compliant to RFC3280 TLS rules if (-f "${General::swroot}/ovpn/certs/servercert.pem") { - my $extendkeyusage = `/usr/bin/openssl x509 -noout -text -in ${General::swroot}/ovpn/certs/servercert.pem`; - if ($extendkeyusage !~ /TLS Web Server Authentication/) { + my @extendkeyusage = &General::system_output("/usr/bin/openssl", "x509", "-noout", "-text", "-in", "${General::swroot}/ovpn/certs/servercert.pem"); + if ( ! grep(/TLS Web Server Authentication/, @extendkeyusage)) { $cryptowarning = "$Lang::tr{'ovpn warning rfc3280'}"; goto CRYPTO_WARNING; } 
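Review bot: The new per-line loop in pkiconfigcheck flags every DH parameter file as too small, because `/(\d+)/` is applied to each line of `openssl dhparam -text` output and the first numeric match on a line such as `generator: 2 (0x2)` (or a hex line starting `00:`) is far below 2048; the old code matched the first number in the whole output, which was the bit length. The loop also reads `$1` rather than `@dhbit`, so on a line with no digits `$1` silently keeps the previous line's value. Match only the header line, as the upload check in a later hunk already does: replace `my @dhbit = ($line =~ /(\d+)/);` with `next unless $line =~ /DH Parameters: \((\d+) bit\)/;` and add `last;` after the `if` so only that line decides. The enclosing sub starts before this hunk.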
@@ -734,7 +737,7 @@ sub writecollectdconf { close(COLLECTDVPN); # Reload collectd afterwards - system("/usr/local/bin/collectdctrl restart &>/dev/null"); + &General::system("/usr/local/bin/collectdctrl", "restart"); } #hier die refresh page @@ -764,11 +767,11 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'start ovpn server'} || #start openvpn server if ($cgiparams{'ACTION'} eq $Lang::tr{'start ovpn server'}){ &emptyserverlog(); - system('/usr/local/bin/openvpnctrl', '-s'); + &General::system("/usr/local/bin/openvpnctrl", "-s"); } #stop openvpn server if ($cgiparams{'ACTION'} eq $Lang::tr{'stop ovpn server'}){ - system('/usr/local/bin/openvpnctrl', '-k'); + &General::system("/usr/local/bin/openvpnctrl", "-k"); &emptyserverlog(); } # #restart openvpn server @@ -1075,8 +1078,8 @@ unless(-d "${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}"){mkdir "${General # Check host certificate if X509 is RFC3280 compliant. # If not, old --ns-cert-type directive will be used. # If appropriate key usage extension exists, new --remote-cert-tls directive will be used. - my $hostcert = `/usr/bin/openssl x509 -text -in ${General::swroot}/ovpn/certs/servercert.pem`; - if ($hostcert !~ /TLS Web Server Authentication/) { + my @hostcert = &General::system_output("/usr/bin/openssl", "x509", "-text", "-in", "${General::swroot}/ovpn/certs/servercert.pem"); + if ( ! grep(/TLS Web Server Authentication/, @hostcert)) { print CLIENTCONF "ns-cert-type server\n"; } else { print CLIENTCONF "remote-cert-tls server\n"; 
@@ -1196,7 +1199,8 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'save'} && $cgiparams{'TYPE'} eq '' && $cg # Create ta.key for tls-auth if not presant if ($cgiparams{'TLSAUTH'} eq 'on') { if ( ! -e "${General::swroot}/ovpn/certs/ta.key") { - system('/usr/sbin/openvpn', '--genkey', '--secret', "${General::swroot}/ovpn/certs/ta.key"); + # This system call is safe, because all arguements are passed as an array. + system("/usr/sbin/openvpn", "--genkey", "--secret", "${General::swroot}/ovpn/certs/ta.key"); if ($?) { $errormessage = "$Lang::tr{'openssl produced an error'}: $?"; goto SETTINGS_ERROR; @@ -1219,9 +1223,24 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'save'} && $cgiparams{'TYPE'} eq '' && $cg $vpnsettings{'TLSAUTH'} = $cgiparams{'TLSAUTH'}; #wrtie enable - if ( $vpnsettings{'ENABLED_BLUE'} eq 'on' ) {system("touch ${General::swroot}/ovpn/enable_blue 2>/dev/null");}else{system("unlink ${General::swroot}/ovpn/enable_blue 2>/dev/null");} - if ( $vpnsettings{'ENABLED_ORANGE'} eq 'on' ) {system("touch ${General::swroot}/ovpn/enable_orange 2>/dev/null");}else{system("unlink ${General::swroot}/ovpn/enable_orange 2>/dev/null");} - if ( $vpnsettings{'ENABLED'} eq 'on' ) {system("touch ${General::swroot}/ovpn/enable 2>/dev/null");}else{system("unlink ${General::swroot}/ovpn/enable 2>/dev/null");} + if ( $vpnsettings{'ENABLED_BLUE'} eq 'on' ) { + &General::system("touch", "${General::swroot}/ovpn/enable_blue"); + } else { + unlink(${General::swroot}/ovpn/enable_blue); + } + + if ( $vpnsettings{'ENABLED_ORANGE'} eq 'on' ) { + &General::system("touch", "${General::swroot}/ovpn/enable_orange"); + } else { + unlink("${General::swroot}/ovpn/enable_orange"); + } + + if ( $vpnsettings{'ENABLED'} eq 'on' ) { + &General::system("touch", "${General::swroot}/ovpn/enable"); + } else { + unlink("${General::swroot}/ovpn/enable"); + } + #new settings for daemon &General::writehash("${General::swroot}/ovpn/settings", \%vpnsettings); &writeserverconf();#hier ok 
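Review bot: The new comment above the `openvpn --genkey` call misspells "arguments" and does not say what makes the list form safe; the value of the note is that no shell is involved. Suggest `# Safe without shell quoting: list-form system() execs openvpn directly, no shell parses the arguments.` in place of `# This system call is safe, because all arguements are passed as an array.`, and the same wording for the identical comment on the `openssl dhparam` call in a later hunk.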
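Review bot: The `else` branch for `ENABLED_BLUE` calls `unlink(${General::swroot}/ovpn/enable_blue);` without quotes, unlike the two sibling branches that correctly use `unlink("${General::swroot}/ovpn/enable_orange");`. If the file runs under `use strict` (not visible in this view) that line is a compile-time bareword error and takes the whole CGI down; without strict it evaluates `$General::swroot` divided by two barewords and removes nothing, so disabling OpenVPN on BLUE would leave the `enable_blue` flag file in place. The fix is `unlink("${General::swroot}/ovpn/enable_blue");`. The `save` handler this sits in starts before the hunk.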
@@ -1234,7 +1253,7 @@ SETTINGS_ERROR: &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash); # Kill all N2N connections - system("/usr/local/bin/openvpnctrl -kn2n &>/dev/null"); + &General::system("/usr/local/bin/openvpnctrl", "-kn2n"); foreach my $key (keys %confighash) { my $name = $confighash{$cgiparams{'$key'}}[1]; @@ -1243,7 +1262,7 @@ SETTINGS_ERROR: delete $confighash{$cgiparams{'$key'}}; } - system ("/usr/local/bin/openvpnctrl -drrd $name &>/dev/null"); + &General::system("/usr/local/bin/openvpnctrl", "-drrd", "$name"); } while ($file = glob("${General::swroot}/ovpn/ca/*")) { unlink $file; @@ -1282,7 +1301,7 @@ SETTINGS_ERROR: close FILE; } while ($file = glob("${General::swroot}/ovpn/n2nconf/*")) { - system ("rm -rf $file"); + unlink($file); } # Remove everything from the collectd configuration @@ -1328,7 +1347,8 @@ END unlink "${General::swroot}/ovpn/ca/$cgiparams{'DH_NAME'}"; } # Create Diffie Hellmann Parameter - system('/usr/bin/openssl', 'dhparam', '-out', "${General::swroot}/ovpn/ca/dh1024.pem", "$cgiparams{'DHLENGHT'}"); + # The system call is safe, because all arguments are passed as an array. + system("/usr/bin/openssl", "dhparam", "-out", "${General::swroot}/ovpn/ca/dh1024.pem", "$cgiparams{'DHLENGHT'}"); if ($?) { $errormessage = "$Lang::tr{'openssl produced an error'}: $?"; unlink ("${General::swroot}/ovpn/ca/dh1024.pem"); @@ -1397,8 +1417,8 @@ END $errormessage = $!; goto UPLOADCA_ERROR; } - my $temp = `/usr/bin/openssl dhparam -text -in $filename`; - if ($temp !~ /DH Parameters: \((2048|3072|4096) bit\)/) { + my @temp = &General::system_output("/usr/bin/openssl", "dhparam", "-text", "-in", "$filename"); + if ( ! grep(/DH Parameters: \((2048|3072|4096) bit\)/, @temp)) { $errormessage = $Lang::tr{'not a valid dh key'}; unlink ($filename); goto UPLOADCA_ERROR; 
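Review bot: The new `&General::system("/usr/local/bin/openvpnctrl", "-drrd", "$name")` call is always given an empty name, because `$name` is read from `$confighash{$cgiparams{'$key'}}[1]` on the context line above it and `'$key'` in single quotes is the literal string `$key`, so the lookup is undefined. The commit preserves this from the old backtick version, so the RRD cleanup for each N2N connection never targets the real connection. Changing the lookup to `my $name = $confighash{$key}[1];` (and the matching `delete $confighash{$key};`) makes the new call meaningful; I would confirm the intended key against how `%confighash` is indexed elsewhere in the file.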
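Review bot: Replacing `system("rm -rf $file")` with `unlink($file)` for the `n2nconf/*` glob changes behaviour: `unlink` does not remove directories, and the `mkdir "${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}"` visible in an earlier hunk header suggests these entries are per-connection directories. Since `unlink` just returns 0 on a directory and the result is not checked, the reset path would silently leave every N2N configuration directory behind. The core module `File::Path` handles this without a shell: add `use File::Path qw(rmtree);` to the file's import block and call `rmtree($file);` in the loop.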
@@ -1454,8 +1474,8 @@ END $errormessage = $!; goto UPLOADCA_ERROR; } - my $temp = `/usr/bin/openssl x509 -text -in $filename`; - if ($temp !~ /CA:TRUE/i) { + my @temp = &General::system_output("/usr/bin/openssl", "x509", "-text", "-in", "$filename"); + if ( ! grep(/CA:TRUE/i, @temp )) { $errormessage = $Lang::tr{'not a valid ca certificate'}; unlink ($filename); goto UPLOADCA_ERROR; @@ -1468,11 +1488,19 @@ END } } - my $casubject = `/usr/bin/openssl x509 -text -in ${General::swroot}/ovpn/ca/$cgiparams{'CA_NAME'}cert.pem`; - $casubject =~ /Subject: (.*)[\n]/; - $casubject = $1; - $casubject =~ s+/Email+, E+; - $casubject =~ s/ ST=/ S=/; + @casubject = &General::system_output("/usr/bin/openssl", "x509", "-text", "-in", "${General::swroot}/ovpn/ca/$cgiparams{'CA_NAME'}cert.pem"); + my $casubject; + + foreach my $line (@casubject) { + if ($line =~ /Subject: (.*)[\n]/) { + $casubject = $1; + $casubject =~ s+/Email+, E+; + $casubject =~ s/ ST=/ S=/; + + last; + } + } + $casubject = &Header::cleanhtml($casubject); my $key = &General::findhasharraykey (\%cahash); @@ -1494,9 +1522,9 @@ END &Header::openpage($Lang::tr{'ovpn'}, 1, ''); &Header::openbigbox('100%', 'LEFT', '', $errormessage); &Header::openbox('100%', 'LEFT', "$Lang::tr{'ca certificate'}:"); - my $output = `/usr/bin/openssl x509 -text -in ${General::swroot}/ovpn/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem`; - $output = &Header::cleanhtml($output,"y"); - print "
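Review bot: The rewritten CA-subject extraction assigns to `@casubject` without declaring it (`@casubject = &General::system_output(…)`), whereas the old code had `my $casubject`; under `use strict` that is a compile error, and otherwise it becomes a package global shared across requests in a persistent interpreter. Declare it with `my @casubject = &General::system_output(…);`. Separately, the loop matches `/Subject: (.*)[\n]/`, which only succeeds if `system_output` returns lines with their trailing newline; if it chomps them, `$casubject` stays undefined and an empty subject is stored — worth a check against General.pm. The CA-upload handler containing this starts before the hunk.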
$output\n"; + my @output = &General::system_output("/usr/bin/openssl", "x509", "-text", "-in", "${General::swroot}/ovpn/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem"); + @output = &Header::cleanhtml(@output,"y"); + print "
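Review bot: `@output = &Header::cleanhtml(@output,"y");` flattens the certificate lines into the argument list, so if cleanhtml takes `($string, $mode)` as the old scalar call suggests, only the first line is escaped, the second line is taken as the mode, and the page then shows a single line of the certificate — or, if cleanhtml passes extra arguments through, the remaining lines reach the HTML unescaped. The subject and SAN fields come from an uploaded CA certificate, so per-line escaping is the property that matters here. Escaping each line keeps both the content and the old guarantee: `@output = map { &Header::cleanhtml($_, "y") } @output;`. The same call shape recurs in every later "show certificate/DH/CRL" hunk in this diff, so the fix applies there too; the signature of cleanhtml is not visible in this view, so please confirm.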
@output\n"; &Header::closebox(); print ""; &Header::closebigbox(); @@ -1515,7 +1543,10 @@ END if ( -f "${General::swroot}/ovpn/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem" ) { print "Content-Type: application/octet-stream\r\n"; print "Content-Disposition: filename=$cahash{$cgiparams{'KEY'}}[0]cert.pem\r\n\r\n"; - print `/usr/bin/openssl x509 -in ${General::swroot}/ovpn/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem`; + + my @tmp = &General::system_output("/usr/bin/openssl", "x509", "-in", "${General::swroot}/ovpn/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem"); + print "@tmp"; + exit(0); } else { $errormessage = $Lang::tr{'invalid key'}; @@ -1530,8 +1561,8 @@ END if ( -f "${General::swroot}/ovpn/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem" ) { foreach my $key (keys %confighash) { - my $test = `/usr/bin/openssl verify -CAfile ${General::swroot}/ovpn/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem ${General::swroot}/ovpn/certs/$confighash{$key}[1]cert.pem`; - if ($test =~ /: OK/) { + my @test = &General::system_output("/usr/bin/openssl", "verify", "-CAfile", "${General::swroot}/ovpn/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem", "${General::swroot}/ovpn/certs/$confighash{$key}[1]cert.pem"); + if (grep(/: OK/, @test)) { # Delete connection # if ($vpnsettings{'ENABLED'} eq 'on' || # $vpnsettings{'ENABLED_BLUE'} eq 'on') { @@ -1561,8 +1592,8 @@ END my $assignedcerts = 0; if ( -f "${General::swroot}/ovpn/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem" ) { foreach my $key (keys %confighash) { - my $test = `/usr/bin/openssl verify -CAfile ${General::swroot}/ovpn/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem ${General::swroot}/ovpn/certs/$confighash{$key}[1]cert.pem`; - if ($test =~ /: OK/) { + my @test = &General::system_output("/usr/bin/openssl", "verify", "-CAfile", "${General::swroot}/ovpn/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem", "${General::swroot}/ovpn/certs/$confighash{$key}[1]cert.pem"); + if (grep(/: OK/, @test)) { $assignedcerts++; } } 
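Review bot: The download handler now emits the CA certificate with `print "@tmp";`, which joins the array with `$"` (a single space): if `system_output` keeps trailing newlines every line after the first starts with a space, so the `-----END CERTIFICATE-----` line is no longer recognised by PEM readers, and if it strips them the whole certificate lands on one line — either way the served file is not a valid PEM. Print the lines without interpolation, `print @tmp;` when newlines are preserved, or `print join("\n", @tmp), "\n";` if they are not. The two later download hunks for `cacert.pem` and `servercert.pem` use the same `print "@tmp";` and need the same change.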
@@ -1601,19 +1632,19 @@ END ### }elsif ($cgiparams{'ACTION'} eq $Lang::tr{'show root certificate'} || $cgiparams{'ACTION'} eq $Lang::tr{'show host certificate'}) { - my $output; + my @output; &Header::showhttpheaders(); &Header::openpage($Lang::tr{'ovpn'}, 1, ''); &Header::openbigbox('100%', 'LEFT', '', ''); if ($cgiparams{'ACTION'} eq $Lang::tr{'show root certificate'}) { &Header::openbox('100%', 'LEFT', "$Lang::tr{'root certificate'}:"); - $output = `/usr/bin/openssl x509 -text -in ${General::swroot}/ovpn/ca/cacert.pem`; + @output = &General::system_output("/usr/bin/openssl", "x509", "-text", "-in", "${General::swroot}/ovpn/ca/cacert.pem"); } else { &Header::openbox('100%', 'LEFT', "$Lang::tr{'host certificate'}:"); - $output = `/usr/bin/openssl x509 -text -in ${General::swroot}/ovpn/certs/servercert.pem`; + @output = &General::system_output("/usr/bin/openssl", "x509", "-text", "-in", "${General::swroot}/ovpn/certs/servercert.pem"); } - $output = &Header::cleanhtml($output,"y"); - print "
$output\n"; + @output = &Header::cleanhtml(@output,"y"); + print "
@output\n"; &Header::closebox(); print ""; &Header::closebigbox(); @@ -1627,7 +1658,10 @@ END if ( -f "${General::swroot}/ovpn/ca/cacert.pem" ) { print "Content-Type: application/octet-stream\r\n"; print "Content-Disposition: filename=cacert.pem\r\n\r\n"; - print `/usr/bin/openssl x509 -in ${General::swroot}/ovpn/ca/cacert.pem`; + + my @tmp = &General::system_output("/usr/bin/openssl", "x509", "-in", "${General::swroot}/ovpn/ca/cacert.pem"); + print "@tmp"; + exit(0); } @@ -1638,7 +1672,10 @@ END if ( -f "${General::swroot}/ovpn/certs/servercert.pem" ) { print "Content-Type: application/octet-stream\r\n"; print "Content-Disposition: filename=servercert.pem\r\n\r\n"; - print `/usr/bin/openssl x509 -in ${General::swroot}/ovpn/certs/servercert.pem`; + + my @tmp = &General::system_output("/usr/bin/openssl", "x509", "-in", "${General::swroot}/ovpn/certs/servercert.pem"); + print "@tmp"; + exit(0); } @@ -1649,7 +1686,13 @@ END if ( -f "${General::swroot}/ovpn/certs/ta.key" ) { print "Content-Type: application/octet-stream\r\n"; print "Content-Disposition: filename=ta.key\r\n\r\n"; - print `/bin/cat ${General::swroot}/ovpn/certs/ta.key`; + + open(FILE, "${General::swroot}/ovpn/certs/ta.key"); + my @tmp =
$output\n"; + my @output = &General::system_output("/usr/bin/openssl", "x509", "-text", "-in", "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem"); + @output = &Header::cleanhtml(@output,"y"); + print "
@output\n"; &Header::closebox(); print ""; &Header::closebigbox(); @@ -2570,9 +2628,9 @@ else &Header::openpage($Lang::tr{'ovpn'}, 1, ''); &Header::openbigbox('100%', 'LEFT', '', ''); &Header::openbox('100%', 'LEFT', "$Lang::tr{'dh'}:"); - my $output = `/usr/bin/openssl dhparam -text -in ${General::swroot}/ovpn/ca/dh1024.pem`; - $output = &Header::cleanhtml($output,"y"); - print "
$output\n"; + my @output = &General::system_output("/usr/bin/openssl", "dhparam", "-text", "-in", "${General::swroot}/ovpn/ca/dh1024.pem"); + @output = &Header::cleanhtml(@output,"y"); + print "
@output\n"; &Header::closebox(); print ""; &Header::closebigbox(); @@ -2592,9 +2650,13 @@ else &Header::openpage($Lang::tr{'ovpn'}, 1, ''); &Header::openbigbox('100%', 'LEFT', '', ''); &Header::openbox('100%', 'LEFT', "$Lang::tr{'ta key'}:"); - my $output = `/bin/cat ${General::swroot}/ovpn/certs/ta.key`; - $output = &Header::cleanhtml($output,"y"); - print "
$output\n"; + + open(FILE, "${General::swroot}/ovpn/certs/ta.key"); + my @output =
@output\n"; &Header::closebox(); print ""; &Header::closebigbox(); @@ -2615,9 +2677,9 @@ else &Header::openpage($Lang::tr{'ovpn'}, 1, ''); &Header::openbigbox('100%', 'LEFT', '', ''); &Header::openbox('100%', 'LEFT', "$Lang::tr{'crl'}:"); - my $output = `/usr/bin/openssl crl -text -noout -in ${General::swroot}/ovpn/crls/cacrl.pem`; - $output = &Header::cleanhtml($output,"y"); - print "
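Review bot: The new `open(FILE, "${General::swroot}/ovpn/certs/ta.key");` that replaces the `cat` backtick is a two-argument open on a bareword handle with no return-value check, so a missing or unreadable `ta.key` yields an empty `@output` and a blank page rather than an error. Prefer the three-argument lexical form with a check, e.g. `open(my $tafh, "<", "${General::swroot}/ovpn/certs/ta.key") or die "ta.key: $!";` followed by `my @output = <$tafh>;` and `close($tafh);`. Note that the middle of this hunk is not visible in this view, so the read and close lines are inferred from the surrounding code.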
$output\n"; + my @output = &General::system_output("/usr/bin/openssl", "crl", "-text", "-noout", "-in", "${General::swroot}/ovpn/crls/cacrl.pem"); + @output = &Header::cleanhtml(@output,"y"); + print "
@output\n"; &Header::closebox(); print ""; &Header::closebigbox(); @@ -3105,7 +3167,12 @@ END if ( -f "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem") { print "Content-Disposition: filename=" . $confighash{$cgiparams{'KEY'}}[1] . "cert.pem\r\n"; print "Content-Type: application/octet-stream\r\n\r\n"; - print `/bin/cat ${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem`; + + open(FILE, "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem"); + my @tmp =