X-Git-Url: http://git.ipfire.org/?a=blobdiff_plain;f=html%2Fcgi-bin%2Fovpnmain.cgi;h=077f5ab6c483f0dc96dc5a6da35bbeb1f77ff4ca;hb=016859ffe4910a0b7b3a71875d67c31aab369a1b;hp=976300fc72e77dd3e23e26bca243dc61faaa4606;hpb=b5ea63f85c7d2ff107cd5f1cf985e98e75a84efe;p=people%2Fpmueller%2Fipfire-2.x.git
diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi
index 976300fc72..077f5ab6c4 100644
--- a/html/cgi-bin/ovpnmain.cgi
+++ b/html/cgi-bin/ovpnmain.cgi
@@ -35,7 +35,7 @@ require '/var/ipfire/general-functions.pl';
require "${General::swroot}/lang.pl";
require "${General::swroot}/header.pl";
require "${General::swroot}/countries.pl";
-require "${General::swroot}/geoip-functions.pl";
+require "${General::swroot}/location-functions.pl";
# enable only the following on debugging purpose
#use warnings;
@@ -47,7 +47,7 @@ undef (@dummy);
my %color = ();
my %mainsettings = ();
&General::readhash("${General::swroot}/main/settings", \%mainsettings);
-&General::readhash("/srv/web/ipfire/html/themes/".$mainsettings{'THEME'}."/include/colors.txt", \%color);
+&General::readhash("/srv/web/ipfire/html/themes/ipfire/include/colors.txt", \%color);
###
### Initialize variables
@@ -174,7 +174,12 @@ sub cleanssldatabase
print FILE "";
close FILE;
}
+ if (open(FILE, ">${General::swroot}/ovpn/certs/index.txt.attr")) {
+ print FILE "";
+ close FILE;
+ }
unlink ("${General::swroot}/ovpn/certs/index.txt.old");
+ unlink ("${General::swroot}/ovpn/certs/index.txt.attr.old");
unlink ("${General::swroot}/ovpn/certs/serial.old");
unlink ("${General::swroot}/ovpn/certs/01.pem");
}
@@ -187,9 +192,13 @@ sub newcleanssldatabase
close FILE;
}
if (! -s ">${General::swroot}/ovpn/certs/index.txt") {
- system ("touch ${General::swroot}/ovpn/certs/index.txt");
+ &General::system("touch", "${General::swroot}/ovpn/certs/index.txt");
+ }
+ if (! -s ">${General::swroot}/ovpn/certs/index.txt.attr") {
+ &General::system("touch", "${General::swroot}/ovpn/certs/index.txt.attr");
}
unlink ("${General::swroot}/ovpn/certs/index.txt.old");
+ unlink ("${General::swroot}/ovpn/certs/index.txt.attr.old");
unlink ("${General::swroot}/ovpn/certs/serial.old");
}
@@ -211,18 +220,21 @@ sub pkiconfigcheck
{
# Warning if DH parameter is 1024 bit
if (-f "${General::swroot}/ovpn/ca/$cgiparams{'DH_NAME'}") {
- my $dhparameter = `/usr/bin/openssl dhparam -text -in ${General::swroot}/ovpn/ca/$cgiparams{'DH_NAME'}`;
- my @dhbit = ($dhparameter =~ /(\d+)/);
- if ($1 < 2048) {
- $cryptoerror = "$Lang::tr{'ovpn error dh'}";
- goto CRYPTO_ERROR;
+ my @dhparameter = &General::system_output("/usr/bin/openssl", "dhparam", "-text", "-in", "${General::swroot}/ovpn/ca/$cgiparams{'DH_NAME'}");
+
+ foreach my $line (@dhparameter) {
+ my @dhbit = ($line =~ /(\d+)/);
+ if ($1 < 2048) {
+ $cryptoerror = "$Lang::tr{'ovpn error dh'}";
+ goto CRYPTO_ERROR;
+ }
}
}
# Warning if md5 is in usage
if (-f "${General::swroot}/ovpn/certs/servercert.pem") {
- my $signature = `/usr/bin/openssl x509 -noout -text -in ${General::swroot}/ovpn/certs/servercert.pem`;
- if ($signature =~ /md5WithRSAEncryption/) {
+ my @signature = &General::system_output("/usr/bin/openssl", "x509", "-noout", "-text", "-in", "${General::swroot}/ovpn/certs/servercert.pem");
+ if (grep(/md5WithRSAEncryption/, @signature) ) {
$cryptoerror = "$Lang::tr{'ovpn error md5'}";
goto CRYPTO_ERROR;
}
@@ -232,8 +244,8 @@ sub pkiconfigcheck
# Warning if certificate is not compliant to RFC3280 TLS rules
if (-f "${General::swroot}/ovpn/certs/servercert.pem") {
- my $extendkeyusage = `/usr/bin/openssl x509 -noout -text -in ${General::swroot}/ovpn/certs/servercert.pem`;
- if ($extendkeyusage !~ /TLS Web Server Authentication/) {
+ my @extendkeyusage = &General::system_output("/usr/bin/openssl", "x509", "-noout", "-text", "-in", "${General::swroot}/ovpn/certs/servercert.pem");
+ if ( ! grep(/TLS Web Server Authentication/, @extendkeyusage)) {
$cryptowarning = "$Lang::tr{'ovpn warning rfc3280'}";
goto CRYPTO_WARNING;
}
@@ -271,14 +283,7 @@ sub writeserverconf {
print CONF "server $tempovpnsubnet[0] $tempovpnsubnet[1]\n";
#print CONF "push \"route $netsettings{'GREEN_NETADDRESS'} $netsettings{'GREEN_NETMASK'}\"\n";
- # Check if we are using mssfix, fragment and set the corretct mtu of 1500.
- # If we doesn't use one of them, we can use the configured mtu value.
- if ($sovpnsettings{'MSSFIX'} eq 'on')
- { print CONF "tun-mtu 1500\n"; }
- elsif ($sovpnsettings{'FRAGMENT'} ne '' && $sovpnsettings{'DPROTOCOL'} ne 'tcp')
- { print CONF "tun-mtu 1500\n"; }
- else
- { print CONF "tun-mtu $sovpnsettings{'DMTU'}\n"; }
+ print CONF "tun-mtu $sovpnsettings{'DMTU'}\n";
if ($vpnsettings{'ROUTES_PUSH'} ne '') {
@temp = split(/\n/,$vpnsettings{'ROUTES_PUSH'});
@@ -311,6 +316,8 @@ sub writeserverconf {
}
if ($sovpnsettings{MSSFIX} eq 'on') {
print CONF "mssfix\n";
+ } else {
+ print CONF "mssfix 0\n";
}
if ($sovpnsettings{FRAGMENT} ne '' && $sovpnsettings{'DPROTOCOL'} ne 'tcp') {
print CONF "fragment $sovpnsettings{'FRAGMENT'}\n";
@@ -323,11 +330,10 @@ sub writeserverconf {
print CONF "status /var/run/ovpnserver.log 30\n";
print CONF "ncp-disable\n";
print CONF "cipher $sovpnsettings{DCIPHER}\n";
- if ($sovpnsettings{'DAUTH'} eq '') {
- print CONF "";
- } else {
print CONF "auth $sovpnsettings{'DAUTH'}\n";
- }
+ # Set TLSv2 as minimum
+ print CONF "tls-version-min 1.2\n";
+
if ($sovpnsettings{'TLSAUTH'} eq 'on') {
print CONF "tls-auth ${General::swroot}/ovpn/certs/ta.key\n";
}
@@ -349,10 +355,10 @@ sub writeserverconf {
print CONF "push \"dhcp-option WINS $sovpnsettings{DHCP_WINS}\"\n";
}
- if ($sovpnsettings{DHCP_WINS} eq '') {
+ if ($sovpnsettings{MAX_CLIENTS} eq '') {
print CONF "max-clients 100\n";
}
- if ($sovpnsettings{DHCP_WINS} ne '') {
+ if ($sovpnsettings{MAX_CLIENTS} ne '') {
print CONF "max-clients $sovpnsettings{MAX_CLIENTS}\n";
}
print CONF "tls-verify /usr/lib/openvpn/verify\n";
@@ -366,6 +372,11 @@ sub writeserverconf {
} else {
print CONF "verb 3\n";
}
+
+ print CONF "# Log clients connecting/disconnecting\n";
+ print CONF "client-connect \"/usr/sbin/openvpn-metrics client-connect\"\n";
+ print CONF "client-disconnect \"/usr/sbin/openvpn-metrics client-disconnect\"\n";
+
# Print server.conf.local if entries exist to server.conf
if ( !-z $local_serverconf && $sovpnsettings{'ADDITIONAL_CONFIGS'} eq 'on') {
open (LSC, "$local_serverconf");
@@ -460,10 +471,7 @@ sub addccdnet
$errormessage=$Lang::tr{'ccd err invalidnet'};
return;
}
-
- $errormessage=&General::checksubnets($ccdname,$ccdnet);
-
-
+
if (!$errormessage) {
my %ccdconfhash=();
$baseaddress=&General::getnetworkip($ccdip,$subcidr);
@@ -487,6 +495,13 @@ sub modccdnet
my $oldname=$_[1];
my %ccdconfhash=();
my %ccdhash=();
+
+ # Check if the new name is valid.
+ if(!&General::validhostname($newname)) {
+ $errormessage=$Lang::tr{'ccd err invalidname'};
+ return;
+ }
+
&General::readhasharray("${General::swroot}/ovpn/ccd.conf", \%ccdconfhash);
foreach my $key (keys %ccdconfhash) {
if ($ccdconfhash{$key}[0] eq $oldname) {
@@ -722,7 +737,7 @@ sub writecollectdconf {
close(COLLECTDVPN);
# Reload collectd afterwards
- system("/usr/local/bin/collectdctrl restart &>/dev/null");
+ &General::system("/usr/local/bin/collectdctrl", "restart");
}
#hier die refresh page
@@ -752,11 +767,11 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'start ovpn server'} ||
#start openvpn server
if ($cgiparams{'ACTION'} eq $Lang::tr{'start ovpn server'}){
&emptyserverlog();
- system('/usr/local/bin/openvpnctrl', '-s');
+ &General::system("/usr/local/bin/openvpnctrl", "-s");
}
#stop openvpn server
if ($cgiparams{'ACTION'} eq $Lang::tr{'stop ovpn server'}){
- system('/usr/local/bin/openvpnctrl', '-k');
+ &General::system("/usr/local/bin/openvpnctrl", "-k");
&emptyserverlog();
}
# #restart openvpn server
@@ -782,13 +797,12 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'save-adv-options'}) {
$vpnsettings{'MAX_CLIENTS'} = $cgiparams{'MAX_CLIENTS'};
$vpnsettings{'REDIRECT_GW_DEF1'} = $cgiparams{'REDIRECT_GW_DEF1'};
$vpnsettings{'CLIENT2CLIENT'} = $cgiparams{'CLIENT2CLIENT'};
+ $vpnsettings{'DCOMPLZO'} = $cgiparams{'DCOMPLZO'};
$vpnsettings{'ADDITIONAL_CONFIGS'} = $cgiparams{'ADDITIONAL_CONFIGS'};
$vpnsettings{'DHCP_DOMAIN'} = $cgiparams{'DHCP_DOMAIN'};
$vpnsettings{'DHCP_DNS'} = $cgiparams{'DHCP_DNS'};
$vpnsettings{'DHCP_WINS'} = $cgiparams{'DHCP_WINS'};
$vpnsettings{'ROUTES_PUSH'} = $cgiparams{'ROUTES_PUSH'};
- $vpnsettings{'DAUTH'} = $cgiparams{'DAUTH'};
- $vpnsettings{'TLSAUTH'} = $cgiparams{'TLSAUTH'};
my @temp=();
if ($cgiparams{'FRAGMENT'} eq '') {
@@ -876,7 +890,7 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'save-adv-options'}) {
undef $vpnsettings{'ROUTES_PUSH'};
&write_routepushfile;
}
- if ((length($cgiparams{'MAX_CLIENTS'}) == 0) || (($cgiparams{'MAX_CLIENTS'}) < 1 ) || (($cgiparams{'MAX_CLIENTS'}) > 255 )) {
+ if ((length($cgiparams{'MAX_CLIENTS'}) == 0) || (($cgiparams{'MAX_CLIENTS'}) < 1 ) || (($cgiparams{'MAX_CLIENTS'}) > 1024 )) {
$errormessage = $Lang::tr{'invalid input for max clients'};
goto ADV_ERROR;
}
@@ -896,17 +910,6 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'save-adv-options'}) {
$errormessage = $Lang::tr{'invalid input for keepalive 1:2'};
goto ADV_ERROR;
}
- # Create ta.key for tls-auth if not presant
- if ($cgiparams{'TLSAUTH'} eq 'on') {
- if ( ! -e "${General::swroot}/ovpn/certs/ta.key") {
- system('/usr/sbin/openvpn', '--genkey', '--secret', "${General::swroot}/ovpn/certs/ta.key");
- if ($?) {
- $errormessage = "$Lang::tr{'openssl produced an error'}: $?";
- goto ADV_ERROR;
- }
- }
- }
-
&General::writehash("${General::swroot}/ovpn/settings", \%vpnsettings);
&writeserverconf();#hier ok
}
@@ -970,7 +973,7 @@ unless(-d "${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}"){mkdir "${General
if ($cgiparams{'MTU'} eq '') {$tunmtu = '1500'} else {$tunmtu = $cgiparams{'MTU'}};
print SERVERCONF "tun-mtu $tunmtu\n";
if ($cgiparams{'FRAGMENT'} ne '') {print SERVERCONF "fragment $cgiparams{'FRAGMENT'}\n";}
- if ($cgiparams{'MSSFIX'} eq 'on') {print SERVERCONF "mssfix\n"; };
+ if ($cgiparams{'MSSFIX'} eq 'on') {print SERVERCONF "mssfix\n"; } else { print SERVERCONF "mssfix 0\n" };
}
print SERVERCONF "# Auth. Server\n";
@@ -993,6 +996,9 @@ unless(-d "${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}"){mkdir "${General
print SERVERCONF "auth $cgiparams{'DAUTH'}\n";
}
+ # Set TLSv1.2 as minimum
+ print SERVERCONF "tls-version-min 1.2\n";
+
if ($cgiparams{'COMPLZO'} eq 'on') {
print SERVERCONF "# Enable Compression\n";
print SERVERCONF "comp-lzo\n";
@@ -1066,14 +1072,14 @@ unless(-d "${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}"){mkdir "${General
if ($cgiparams{'MTU'} eq '') {$tunmtu = '1500'} else {$tunmtu = $cgiparams{'MTU'}};
print CLIENTCONF "tun-mtu $tunmtu\n";
if ($cgiparams{'FRAGMENT'} ne '') {print CLIENTCONF "fragment $cgiparams{'FRAGMENT'}\n";}
- if ($cgiparams{'MSSFIX'} eq 'on') {print CLIENTCONF "mssfix\n"; };
+ if ($cgiparams{'MSSFIX'} eq 'on') {print CLIENTCONF "mssfix\n"; } else { print CLIENTCONF "mssfix 0\n" };
}
# Check host certificate if X509 is RFC3280 compliant.
# If not, old --ns-cert-type directive will be used.
# If appropriate key usage extension exists, new --remote-cert-tls directive will be used.
- my $hostcert = `/usr/bin/openssl x509 -text -in ${General::swroot}/ovpn/certs/servercert.pem`;
- if ($hostcert !~ /TLS Web Server Authentication/) {
+ my @hostcert = &General::system_output("/usr/bin/openssl", "x509", "-text", "-in", "${General::swroot}/ovpn/certs/servercert.pem");
+ if ( ! grep(/TLS Web Server Authentication/, @hostcert)) {
print CLIENTCONF "ns-cert-type server\n";
} else {
print CLIENTCONF "remote-cert-tls server\n";
@@ -1095,6 +1101,9 @@ unless(-d "${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}"){mkdir "${General
print CLIENTCONF "auth $cgiparams{'DAUTH'}\n";
}
+ # Set TLSv1.2 as minimum
+ print CLIENTCONF "tls-version-min 1.2\n";
+
if ($cgiparams{'COMPLZO'} eq 'on') {
print CLIENTCONF "# Enable Compression\n";
print CLIENTCONF "comp-lzo\n";
@@ -1187,6 +1196,18 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'save'} && $cgiparams{'TYPE'} eq '' && $cg
goto SETTINGS_ERROR;
}
+ # Create ta.key for tls-auth if not presant
+ if ($cgiparams{'TLSAUTH'} eq 'on') {
+ if ( ! -e "${General::swroot}/ovpn/certs/ta.key") {
+ # This system call is safe, because all arguements are passed as an array.
+ system("/usr/sbin/openvpn", "--genkey", "--secret", "${General::swroot}/ovpn/certs/ta.key");
+ if ($?) {
+ $errormessage = "$Lang::tr{'openssl produced an error'}: $?";
+ goto SETTINGS_ERROR;
+ }
+ }
+ }
+
$vpnsettings{'ENABLED_BLUE'} = $cgiparams{'ENABLED_BLUE'};
$vpnsettings{'ENABLED_ORANGE'} =$cgiparams{'ENABLED_ORANGE'};
$vpnsettings{'ENABLED'} = $cgiparams{'ENABLED'};
@@ -1198,11 +1219,28 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'save'} && $cgiparams{'TYPE'} eq '' && $cg
$vpnsettings{'DMTU'} = $cgiparams{'DMTU'};
$vpnsettings{'DCOMPLZO'} = $cgiparams{'DCOMPLZO'};
$vpnsettings{'DCIPHER'} = $cgiparams{'DCIPHER'};
+ $vpnsettings{'DAUTH'} = $cgiparams{'DAUTH'};
+ $vpnsettings{'TLSAUTH'} = $cgiparams{'TLSAUTH'};
#wrtie enable
- if ( $vpnsettings{'ENABLED_BLUE'} eq 'on' ) {system("touch ${General::swroot}/ovpn/enable_blue 2>/dev/null");}else{system("unlink ${General::swroot}/ovpn/enable_blue 2>/dev/null");}
- if ( $vpnsettings{'ENABLED_ORANGE'} eq 'on' ) {system("touch ${General::swroot}/ovpn/enable_orange 2>/dev/null");}else{system("unlink ${General::swroot}/ovpn/enable_orange 2>/dev/null");}
- if ( $vpnsettings{'ENABLED'} eq 'on' ) {system("touch ${General::swroot}/ovpn/enable 2>/dev/null");}else{system("unlink ${General::swroot}/ovpn/enable 2>/dev/null");}
+ if ( $vpnsettings{'ENABLED_BLUE'} eq 'on' ) {
+ &General::system("touch", "${General::swroot}/ovpn/enable_blue");
+ } else {
+ unlink(${General::swroot}/ovpn/enable_blue);
+ }
+
+ if ( $vpnsettings{'ENABLED_ORANGE'} eq 'on' ) {
+ &General::system("touch", "${General::swroot}/ovpn/enable_orange");
+ } else {
+ unlink("${General::swroot}/ovpn/enable_orange");
+ }
+
+ if ( $vpnsettings{'ENABLED'} eq 'on' ) {
+ &General::system("touch", "${General::swroot}/ovpn/enable");
+ } else {
+ unlink("${General::swroot}/ovpn/enable");
+ }
+
#new settings for daemon
&General::writehash("${General::swroot}/ovpn/settings", \%vpnsettings);
&writeserverconf();#hier ok
@@ -1215,7 +1253,7 @@ SETTINGS_ERROR:
&General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
# Kill all N2N connections
- system("/usr/local/bin/openvpnctrl -kn2n &>/dev/null");
+ &General::system("/usr/local/bin/openvpnctrl", "-kn2n");
foreach my $key (keys %confighash) {
my $name = $confighash{$cgiparams{'$key'}}[1];
@@ -1224,7 +1262,7 @@ SETTINGS_ERROR:
delete $confighash{$cgiparams{'$key'}};
}
- system ("/usr/local/bin/openvpnctrl -drrd $name &>/dev/null");
+ &General::system("/usr/local/bin/openvpnctrl", "-drrd", "$name");
}
while ($file = glob("${General::swroot}/ovpn/ca/*")) {
unlink $file;
@@ -1263,7 +1301,7 @@ SETTINGS_ERROR:
close FILE;
}
while ($file = glob("${General::swroot}/ovpn/n2nconf/*")) {
- system ("rm -rf $file");
+ unlink($file);
}
# Remove everything from the collectd configuration
@@ -1309,7 +1347,8 @@ END
unlink "${General::swroot}/ovpn/ca/$cgiparams{'DH_NAME'}";
}
# Create Diffie Hellmann Parameter
- system('/usr/bin/openssl', 'dhparam', '-out', "${General::swroot}/ovpn/ca/dh1024.pem", "$cgiparams{'DHLENGHT'}");
+ # The system call is safe, because all arguments are passed as an array.
+ system("/usr/bin/openssl", "dhparam", "-out", "${General::swroot}/ovpn/ca/dh1024.pem", "$cgiparams{'DHLENGHT'}");
if ($?) {
$errormessage = "$Lang::tr{'openssl produced an error'}: $?";
unlink ("${General::swroot}/ovpn/ca/dh1024.pem");
@@ -1368,7 +1407,7 @@ END
### Upload DH key
###
} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'upload dh key'}) {
- if (ref ($cgiparams{'FH'}) ne 'Fh') {
+ unless (ref ($cgiparams{'FH'})) {
$errormessage = $Lang::tr{'there was no file upload'};
goto UPLOADCA_ERROR;
}
@@ -1378,8 +1417,8 @@ END
$errormessage = $!;
goto UPLOADCA_ERROR;
}
- my $temp = `/usr/bin/openssl dhparam -text -in $filename`;
- if ($temp !~ /DH Parameters: \((2048|3072|4096) bit\)/) {
+ my @temp = &General::system_output("/usr/bin/openssl", "dhparam", "-text", "-in", "$filename");
+ if ( ! grep(/DH Parameters: \((2048|3072|4096) bit\)/, @temp)) {
$errormessage = $Lang::tr{'not a valid dh key'};
unlink ($filename);
goto UPLOADCA_ERROR;
@@ -1425,7 +1464,7 @@ END
}
}
- if (ref ($cgiparams{'FH'}) ne 'Fh') {
+ unless (ref ($cgiparams{'FH'})) {
$errormessage = $Lang::tr{'there was no file upload'};
goto UPLOADCA_ERROR;
}
@@ -1435,8 +1474,8 @@ END
$errormessage = $!;
goto UPLOADCA_ERROR;
}
- my $temp = `/usr/bin/openssl x509 -text -in $filename`;
- if ($temp !~ /CA:TRUE/i) {
+ my @temp = &General::system_output("/usr/bin/openssl", "x509", "-text", "-in", "$filename");
+ if ( ! grep(/CA:TRUE/i, @temp )) {
$errormessage = $Lang::tr{'not a valid ca certificate'};
unlink ($filename);
goto UPLOADCA_ERROR;
@@ -1449,11 +1488,19 @@ END
}
}
- my $casubject = `/usr/bin/openssl x509 -text -in ${General::swroot}/ovpn/ca/$cgiparams{'CA_NAME'}cert.pem`;
- $casubject =~ /Subject: (.*)[\n]/;
- $casubject = $1;
- $casubject =~ s+/Email+, E+;
- $casubject =~ s/ ST=/ S=/;
+ @casubject = &General::system_output("/usr/bin/openssl", "x509", "-text", "-in", "${General::swroot}/ovpn/ca/$cgiparams{'CA_NAME'}cert.pem");
+ my $casubject;
+
+ foreach my $line (@casubject) {
+ if ($line =~ /Subject: (.*)[\n]/) {
+ $casubject = $1;
+ $casubject =~ s+/Email+, E+;
+ $casubject =~ s/ ST=/ S=/;
+
+ last;
+ }
+ }
+
$casubject = &Header::cleanhtml($casubject);
my $key = &General::findhasharraykey (\%cahash);
@@ -1475,9 +1522,9 @@ END
&Header::openpage($Lang::tr{'ovpn'}, 1, '');
&Header::openbigbox('100%', 'LEFT', '', $errormessage);
&Header::openbox('100%', 'LEFT', "$Lang::tr{'ca certificate'}:");
- my $output = `/usr/bin/openssl x509 -text -in ${General::swroot}/ovpn/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem`;
- $output = &Header::cleanhtml($output,"y");
- print "
$output
\n";
+ my @output = &General::system_output("/usr/bin/openssl", "x509", "-text", "-in", "${General::swroot}/ovpn/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem");
+ @output = &Header::cleanhtml(@output,"y");
+ print "@output
\n";
&Header::closebox();
print "";
&Header::closebigbox();
@@ -1496,7 +1543,10 @@ END
if ( -f "${General::swroot}/ovpn/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem" ) {
print "Content-Type: application/octet-stream\r\n";
print "Content-Disposition: filename=$cahash{$cgiparams{'KEY'}}[0]cert.pem\r\n\r\n";
- print `/usr/bin/openssl x509 -in ${General::swroot}/ovpn/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem`;
+
+ my @tmp = &General::system_output("/usr/bin/openssl", "x509", "-in", "${General::swroot}/ovpn/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem");
+ print "@tmp";
+
exit(0);
} else {
$errormessage = $Lang::tr{'invalid key'};
@@ -1511,8 +1561,8 @@ END
if ( -f "${General::swroot}/ovpn/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem" ) {
foreach my $key (keys %confighash) {
- my $test = `/usr/bin/openssl verify -CAfile ${General::swroot}/ovpn/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem ${General::swroot}/ovpn/certs/$confighash{$key}[1]cert.pem`;
- if ($test =~ /: OK/) {
+ my @test = &General::system_output("/usr/bin/openssl", "verify", "-CAfile", "${General::swroot}/ovpn/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem", "${General::swroot}/ovpn/certs/$confighash{$key}[1]cert.pem");
+ if (grep(/: OK/, @test)) {
# Delete connection
# if ($vpnsettings{'ENABLED'} eq 'on' ||
# $vpnsettings{'ENABLED_BLUE'} eq 'on') {
@@ -1542,8 +1592,8 @@ END
my $assignedcerts = 0;
if ( -f "${General::swroot}/ovpn/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem" ) {
foreach my $key (keys %confighash) {
- my $test = `/usr/bin/openssl verify -CAfile ${General::swroot}/ovpn/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem ${General::swroot}/ovpn/certs/$confighash{$key}[1]cert.pem`;
- if ($test =~ /: OK/) {
+ my @test = &General::system_output("/usr/bin/openssl", "verify", "-CAfile", "${General::swroot}/ovpn/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem", "${General::swroot}/ovpn/certs/$confighash{$key}[1]cert.pem");
+ if (grep(/: OK/, @test)) {
$assignedcerts++;
}
}
@@ -1582,19 +1632,19 @@ END
###
}elsif ($cgiparams{'ACTION'} eq $Lang::tr{'show root certificate'} ||
$cgiparams{'ACTION'} eq $Lang::tr{'show host certificate'}) {
- my $output;
+ my @output;
&Header::showhttpheaders();
&Header::openpage($Lang::tr{'ovpn'}, 1, '');
&Header::openbigbox('100%', 'LEFT', '', '');
if ($cgiparams{'ACTION'} eq $Lang::tr{'show root certificate'}) {
&Header::openbox('100%', 'LEFT', "$Lang::tr{'root certificate'}:");
- $output = `/usr/bin/openssl x509 -text -in ${General::swroot}/ovpn/ca/cacert.pem`;
+ @output = &General::system_output("/usr/bin/openssl", "x509", "-text", "-in", "${General::swroot}/ovpn/ca/cacert.pem");
} else {
&Header::openbox('100%', 'LEFT', "$Lang::tr{'host certificate'}:");
- $output = `/usr/bin/openssl x509 -text -in ${General::swroot}/ovpn/certs/servercert.pem`;
+ @output = &General::system_output("/usr/bin/openssl", "x509", "-text", "-in", "${General::swroot}/ovpn/certs/servercert.pem");
}
- $output = &Header::cleanhtml($output,"y");
- print "$output
\n";
+ @output = &Header::cleanhtml(@output,"y");
+ print "@output
\n";
&Header::closebox();
print "";
&Header::closebigbox();
@@ -1608,7 +1658,10 @@ END
if ( -f "${General::swroot}/ovpn/ca/cacert.pem" ) {
print "Content-Type: application/octet-stream\r\n";
print "Content-Disposition: filename=cacert.pem\r\n\r\n";
- print `/usr/bin/openssl x509 -in ${General::swroot}/ovpn/ca/cacert.pem`;
+
+ my @tmp = &General::system_output("/usr/bin/openssl", "x509", "-in", "${General::swroot}/ovpn/ca/cacert.pem");
+ print "@tmp";
+
exit(0);
}
@@ -1619,7 +1672,10 @@ END
if ( -f "${General::swroot}/ovpn/certs/servercert.pem" ) {
print "Content-Type: application/octet-stream\r\n";
print "Content-Disposition: filename=servercert.pem\r\n\r\n";
- print `/usr/bin/openssl x509 -in ${General::swroot}/ovpn/certs/servercert.pem`;
+
+ my @tmp = &General::system_output("/usr/bin/openssl", "x509", "-in", "${General::swroot}/ovpn/certs/servercert.pem");
+ print "@tmp";
+
exit(0);
}
@@ -1630,7 +1686,13 @@ END
if ( -f "${General::swroot}/ovpn/certs/ta.key" ) {
print "Content-Type: application/octet-stream\r\n";
print "Content-Disposition: filename=ta.key\r\n\r\n";
- print `/bin/cat ${General::swroot}/ovpn/certs/ta.key`;
+
+ open(FILE, "${General::swroot}/ovpn/certs/ta.key");
+ my @tmp = ;
+ close(FILE);
+
+ print "@tmp";
+
exit(0);
}
@@ -1658,8 +1720,7 @@ END
}
}
} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'upload p12 file'}) {
-
- if (ref ($cgiparams{'FH'}) ne 'Fh') {
+ unless (ref ($cgiparams{'FH'})) {
$errormessage = $Lang::tr{'there was no file upload'};
goto ROOTCERT_ERROR;
}
@@ -1908,6 +1969,7 @@ END
}
# Sign the host certificate request
+ # This system call is safe, because all argeuments are passed as an array.
system('/usr/bin/openssl', 'ca', '-days', '999999',
'-batch', '-notext',
'-in', "${General::swroot}/ovpn/certs/serverreq.pem",
@@ -1929,6 +1991,7 @@ END
}
# Create an empty CRL
+ # System call is safe, because all arguments are passed as array.
system('/usr/bin/openssl', 'ca', '-gencrl',
'-out', "${General::swroot}/ovpn/crls/cacrl.pem",
'-config', "${General::swroot}/ovpn/openssl/ovpn.cnf" );
@@ -1943,7 +2006,16 @@ END
# } else {
# &cleanssldatabase();
}
+ # Create ta.key for tls-auth
+ # This system call is safe, because all arguments are passed as an array.
+ system('/usr/sbin/openvpn', '--genkey', '--secret', "${General::swroot}/ovpn/certs/ta.key");
+ if ($?) {
+ $errormessage = "$Lang::tr{'openssl produced an error'}: $?";
+ &cleanssldatabase();
+ goto ROOTCERT_ERROR;
+ }
# Create Diffie Hellmann Parameter
+ # The system call is safe, because all arguments are passed as an array.
system('/usr/bin/openssl', 'dhparam', '-out', "${General::swroot}/ovpn/ca/dh1024.pem", "$cgiparams{'DHLENGHT'}");
if ($?) {
$errormessage = "$Lang::tr{'openssl produced an error'}: $?";
@@ -1957,13 +2029,6 @@ END
# } else {
# &cleanssldatabase();
}
- # Create ta.key for tls-auth
- system('/usr/sbin/openvpn', '--genkey', '--secret', "${General::swroot}/ovpn/certs/ta.key");
- if ($?) {
- $errormessage = "$Lang::tr{'openssl produced an error'}: $?";
- &cleanssldatabase();
- goto ROOTCERT_ERROR;
- }
goto ROOTCERT_SUCCESS;
}
ROOTCERT_ERROR:
@@ -2065,7 +2130,7 @@ END
}
ROOTCERT_SUCCESS:
- system ("chmod 600 ${General::swroot}/ovpn/certs/serverkey.pem");
+ &General::system("chmod", "600", "${General::swroot}/ovpn/certs/serverkey.pem");
# if ($vpnsettings{'ENABLED'} eq 'on' ||
# $vpnsettings{'ENABLE_BLUE'} eq 'on') {
# system('/usr/local/bin/ipsecctrl', 'S');
@@ -2083,8 +2148,12 @@ END
&General::readhash("${General::swroot}/ovpn/settings", \%vpnsettings);
&General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
-# my $n2nactive = '';
- my $n2nactive = `/bin/ps ax|grep $confighash{$cgiparams{'KEY'}}[1]|grep -v grep|awk \'{print \$1}\'`;
+ my $n2nactive = '';
+ my @ps = &General::system_output("/bin/ps", "ax");
+
+ if(grep(/$confighash{$cgiparams{'KEY'}}[1]/, @ps)) {
+ $n2nactive = "1";
+ }
if ($confighash{$cgiparams{'KEY'}}) {
if ($confighash{$cgiparams{'KEY'}}[0] eq 'off') {
@@ -2092,7 +2161,7 @@ END
&General::writehasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
if ($confighash{$cgiparams{'KEY'}}[3] eq 'net'){
- system('/usr/local/bin/openvpnctrl', '-sn2n', $confighash{$cgiparams{'KEY'}}[1]);
+ &General::system("/usr/local/bin/openvpnctrl", "-sn2n", "$confighash{$cgiparams{'KEY'}}[1]");
&writecollectdconf();
}
} else {
@@ -2102,7 +2171,7 @@ END
if ($confighash{$cgiparams{'KEY'}}[3] eq 'net'){
if ($n2nactive ne '') {
- system('/usr/local/bin/openvpnctrl', '-kn2n', $confighash{$cgiparams{'KEY'}}[1]);
+ &General::system("/usr/local/bin/openvpnctrl", "-kn2n", "$confighash{$cgiparams{'KEY'}}[1]");
&writecollectdconf();
}
@@ -2181,13 +2250,13 @@ if ($confighash{$cgiparams{'KEY'}}[3] eq 'net'){
if ($confighash{$cgiparams{'KEY'}}[31] eq '') {$tunmtu = '1500'} else {$tunmtu = $confighash{$cgiparams{'KEY'}}[31]};
print CLIENTCONF "tun-mtu $tunmtu\n";
if ($confighash{$cgiparams{'KEY'}}[24] ne '') {print CLIENTCONF "fragment $confighash{$cgiparams{'KEY'}}[24]\n";}
- if ($confighash{$cgiparams{'KEY'}}[23] eq 'on') {print CLIENTCONF "mssfix\n";}
+ if ($confighash{$cgiparams{'KEY'}}[23] eq 'on') {print CLIENTCONF "mssfix\n";} else { print CLIENTCONF "mssfix 0\n"; }
}
# Check host certificate if X509 is RFC3280 compliant.
# If not, old --ns-cert-type directive will be used.
# If appropriate key usage extension exists, new --remote-cert-tls directive will be used.
- my $hostcert = `/usr/bin/openssl x509 -text -in ${General::swroot}/ovpn/certs/servercert.pem`;
- if ($hostcert !~ /TLS Web Server Authentication/) {
+ my @hostcert = &General::system_output("/usr/bin/openssl", "x509", "-text", "-in", "${General::swroot}/ovpn/certs/servercert.pem");
+ if (! grep(/TLS Web Server Authentication/, @hostcert)) {
print CLIENTCONF "ns-cert-type server\n";
} else {
print CLIENTCONF "remote-cert-tls server\n";
@@ -2262,15 +2331,7 @@ else
print CLIENTCONF "nobind\r\n";
print CLIENTCONF "dev tun\r\n";
print CLIENTCONF "proto $vpnsettings{'DPROTOCOL'}\r\n";
-
- # Check if we are using fragment, mssfix and set MTU to 1500
- # or use configured value.
- if ($vpnsettings{FRAGMENT} ne '' && $vpnsettings{DPROTOCOL} ne 'tcp' )
- { print CLIENTCONF "tun-mtu 1500\r\n"; }
- elsif ($vpnsettings{MSSFIX} eq 'on')
- { print CLIENTCONF "tun-mtu 1500\r\n"; }
- else
- { print CLIENTCONF "tun-mtu $vpnsettings{'DMTU'}\r\n"; }
+ print CLIENTCONF "tun-mtu $vpnsettings{'DMTU'}\r\n";
if ( $vpnsettings{'ENABLED'} eq 'on'){
print CLIENTCONF "remote $vpnsettings{'VPN_IP'} $vpnsettings{'DDEST_PORT'}\r\n";
@@ -2305,6 +2366,7 @@ else
$zip->addFile("${General::swroot}/ovpn/ca/cacert.pem", "cacert.pem") or die "Can't add file cacert.pem\n";
# Extract the certificate
+ # This system call is safe, because all arguments are passed as an array.
system('/usr/bin/openssl', 'pkcs12', '-in', "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12",
'-clcerts', '-nokeys', '-nodes', '-out', "$file_crt" , '-passin', 'pass:');
if ($?) {
@@ -2315,6 +2377,7 @@ else
print CLIENTCONF ";cert $confighash{$cgiparams{'KEY'}}[1].pem\r\n";
# Extract the key
+ # This system call is safe, because all arguments are passed as an array.
system('/usr/bin/openssl', 'pkcs12', '-in', "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12",
'-nocerts', '-nodes', '-out', "$file_key", '-passin', 'pass:');
if ($?) {
@@ -2335,11 +2398,8 @@ else
$zip->addFile( "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem", "$confighash{$cgiparams{'KEY'}}[1]cert.pem") or die "Can't add file $confighash{$cgiparams{'KEY'}}[1]cert.pem\n";
}
print CLIENTCONF "cipher $vpnsettings{DCIPHER}\r\n";
- if ($vpnsettings{'DAUTH'} eq '') {
- print CLIENTCONF "";
- } else {
print CLIENTCONF "auth $vpnsettings{'DAUTH'}\r\n";
- }
+
if ($vpnsettings{'TLSAUTH'} eq 'on') {
if ($cgiparams{'MODE'} eq 'insecure') {
print CLIENTCONF ";";
@@ -2354,8 +2414,8 @@ else
# Check host certificate if X509 is RFC3280 compliant.
# If not, old --ns-cert-type directive will be used.
# If appropriate key usage extension exists, new --remote-cert-tls directive will be used.
- my $hostcert = `/usr/bin/openssl x509 -text -in ${General::swroot}/ovpn/certs/servercert.pem`;
- if ($hostcert !~ /TLS Web Server Authentication/) {
+ my @hostcert = &General::system_output("/usr/bin/openssl", "x509", "-text", "-in", "${General::swroot}/ovpn/certs/servercert.pem");
+ if (! grep(/TLS Web Server Authentication/, @hostcert)) {
print CLIENTCONF "ns-cert-type server\r\n";
} else {
print CLIENTCONF "remote-cert-tls server\r\n";
@@ -2363,6 +2423,8 @@ else
print CLIENTCONF "verify-x509-name $vpnsettings{ROOTCERT_HOSTNAME} name\r\n";
if ($vpnsettings{MSSFIX} eq 'on') {
print CLIENTCONF "mssfix\r\n";
+ } else {
+ print CLIENTCONF "mssfix 0\r\n";
}
if ($vpnsettings{FRAGMENT} ne '' && $vpnsettings{DPROTOCOL} ne 'tcp' ) {
print CLIENTCONF "fragment $vpnsettings{'FRAGMENT'}\r\n";
@@ -2455,8 +2517,8 @@ else
if ($confighash{$cgiparams{'KEY'}}) {
# Revoke certificate if certificate was deleted and rewrite the CRL
- my $temp = `/usr/bin/openssl ca -revoke ${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem -config ${General::swroot}/ovpn/openssl/ovpn.cnf`;
- my $tempA = `/usr/bin/openssl ca -gencrl -out ${General::swroot}/ovpn/crls/cacrl.pem -config ${General::swroot}/ovpn/openssl/ovpn.cnf`;
+ &General::system("/usr/bin/openssl", "ca", "-revoke", "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem", "-config", "${General::swroot}/ovpn/openssl/ovpn.cnf)";
+ &General::system("/usr/bin/openssl", "ca", "-gencrl", "-out", "${General::swroot}/ovpn/crls/cacrl.pem", "-config", "${General::swroot}/ovpn/openssl/ovpn.cnf");
###
# m.a.d net2net
@@ -2464,7 +2526,7 @@ else
if ($confighash{$cgiparams{'KEY'}}[3] eq 'net') {
# Stop the N2N connection before it is removed
- system("/usr/local/bin/openvpnctrl -kn2n $confighash{$cgiparams{'KEY'}}[1] &>/dev/null");
+ &General::system("/usr/local/bin/openvpnctrl", "-kn2n", "$confighash{$cgiparams{'KEY'}}[1]");
my $conffile = glob("${General::swroot}/ovpn/n2nconf/$confighash{$cgiparams{'KEY'}}[1]/$confighash{$cgiparams{'KEY'}}[1].conf");
my $certfile = glob("${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12");
@@ -2506,10 +2568,10 @@ else
# CCD end
# Update collectd configuration and delete all RRD files of the removed connection
&writecollectdconf();
- system ("/usr/local/bin/openvpnctrl -drrd $confighash{$cgiparams{'KEY'}}[1]");
+ &General::system("/usr/local/bin/openvpnctrl", "-drrd", "$confighash{$cgiparams{'KEY'}}[1]");
delete $confighash{$cgiparams{'KEY'}};
- my $temp2 = `/usr/bin/openssl ca -gencrl -out ${General::swroot}/ovpn/crls/cacrl.pem -config ${General::swroot}/ovpn/openssl/ovpn.cnf`;
+ &General::system("/usr/bin/openssl", "ca", "-gencrl", "-out", "${General::swroot}/ovpn/crls/cacrl.pem", "-config", "${General::swroot}/ovpn/openssl/ovpn.cnf");
&General::writehasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
} else {
@@ -2525,7 +2587,12 @@ else
print "Content-Disposition: filename=" . $confighash{$cgiparams{'KEY'}}[1] . ".p12\r\n";
print "Content-Type: application/octet-stream\r\n\r\n";
- print `/bin/cat ${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12`;
+
+ open(FILE, "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12");
+ my @tmp = ;
+ close(FILE);
+
+ print "@tmp";
exit (0);
###
@@ -2539,9 +2606,9 @@ else
&Header::openpage($Lang::tr{'ovpn'}, 1, '');
&Header::openbigbox('100%', 'LEFT', '', '');
&Header::openbox('100%', 'LEFT', "$Lang::tr{'certificate'}:");
- my $output = `/usr/bin/openssl x509 -text -in ${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem`;
- $output = &Header::cleanhtml($output,"y");
- print "$output
\n";
+ my @output = &General::system_output("/usr/bin/openssl", "x509", "-text", "-in", "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem");
+ @output = &Header::cleanhtml(@output,"y");
+ print "@output
\n";
&Header::closebox();
print "";
&Header::closebigbox();
@@ -2561,9 +2628,9 @@ else
&Header::openpage($Lang::tr{'ovpn'}, 1, '');
&Header::openbigbox('100%', 'LEFT', '', '');
&Header::openbox('100%', 'LEFT', "$Lang::tr{'dh'}:");
- my $output = `/usr/bin/openssl dhparam -text -in ${General::swroot}/ovpn/ca/dh1024.pem`;
- $output = &Header::cleanhtml($output,"y");
- print "$output
\n";
+ my @output = &General::system_output("/usr/bin/openssl", "dhparam", "-text", "-in", "${General::swroot}/ovpn/ca/dh1024.pem");
+ @output = &Header::cleanhtml(@output,"y");
+ print "@output
\n";
&Header::closebox();
print "";
&Header::closebigbox();
@@ -2583,9 +2650,13 @@ else
&Header::openpage($Lang::tr{'ovpn'}, 1, '');
&Header::openbigbox('100%', 'LEFT', '', '');
&Header::openbox('100%', 'LEFT', "$Lang::tr{'ta key'}:");
- my $output = `/bin/cat ${General::swroot}/ovpn/certs/ta.key`;
- $output = &Header::cleanhtml($output,"y");
- print "$output
\n";
+
+ open(FILE, "${General::swroot}/ovpn/certs/ta.key");
+ my @output = ;
+ close(FILE);
+
+ @output = &Header::cleanhtml(@output,"y");
+ print "@output
\n";
&Header::closebox();
print "";
&Header::closebigbox();
@@ -2606,9 +2677,9 @@ else
&Header::openpage($Lang::tr{'ovpn'}, 1, '');
&Header::openbigbox('100%', 'LEFT', '', '');
&Header::openbox('100%', 'LEFT', "$Lang::tr{'crl'}:");
- my $output = `/usr/bin/openssl crl -text -noout -in ${General::swroot}/ovpn/crls/cacrl.pem`;
- $output = &Header::cleanhtml($output,"y");
- print "$output
\n";
+ my @output = &General::system_output("/usr/bin/openssl", "crl", "-text", "-noout", "-in", "${General::swroot}/ovpn/crls/cacrl.pem");
+ @output = &Header::cleanhtml(@output,"y");
+ print "@output
\n";
&Header::closebox();
print "";
&Header::closebigbox();
@@ -2645,9 +2716,6 @@ ADV_ERROR:
if ($cgiparams{'LOG_VERB'} eq '') {
$cgiparams{'LOG_VERB'} = '3';
}
- if ($cgiparams{'DAUTH'} eq '') {
- $cgiparams{'DAUTH'} = 'SHA512';
- }
if ($cgiparams{'TLSAUTH'} eq '') {
$cgiparams{'TLSAUTH'} = 'off';
}
@@ -2657,6 +2725,9 @@ ADV_ERROR:
$checked{'REDIRECT_GW_DEF1'}{'off'} = '';
$checked{'REDIRECT_GW_DEF1'}{'on'} = '';
$checked{'REDIRECT_GW_DEF1'}{$cgiparams{'REDIRECT_GW_DEF1'}} = 'CHECKED';
+ $checked{'DCOMPLZO'}{'off'} = '';
+ $checked{'DCOMPLZO'}{'on'} = '';
+ $checked{'DCOMPLZO'}{$cgiparams{'DCOMPLZO'}} = 'CHECKED';
$checked{'ADDITIONAL_CONFIGS'}{'off'} = '';
$checked{'ADDITIONAL_CONFIGS'}{'on'} = '';
$checked{'ADDITIONAL_CONFIGS'}{$cgiparams{'ADDITIONAL_CONFIGS'}} = 'CHECKED';
@@ -2676,15 +2747,6 @@ ADV_ERROR:
$selected{'LOG_VERB'}{'10'} = '';
$selected{'LOG_VERB'}{'11'} = '';
$selected{'LOG_VERB'}{$cgiparams{'LOG_VERB'}} = 'SELECTED';
- $selected{'DAUTH'}{'whirlpool'} = '';
- $selected{'DAUTH'}{'SHA512'} = '';
- $selected{'DAUTH'}{'SHA384'} = '';
- $selected{'DAUTH'}{'SHA256'} = '';
- $selected{'DAUTH'}{'SHA1'} = '';
- $selected{'DAUTH'}{$cgiparams{'DAUTH'}} = 'SELECTED';
- $checked{'TLSAUTH'}{'off'} = '';
- $checked{'TLSAUTH'}{'on'} = '';
- $checked{'TLSAUTH'}{$cgiparams{'TLSAUTH'}} = 'CHECKED';
&Header::showhttpheaders();
&Header::openpage($Lang::tr{'status ovpn'}, 1, '');
@@ -2744,7 +2806,7 @@ print <
- | | | | |
+ | | | | |
@@ -2757,6 +2819,11 @@ print <
+ $Lang::tr{'comp-lzo'} |
+ |
+ $Lang::tr{'openvpn default'}: off ($Lang::tr{'attention'} exploitable via Voracle) |
+
+
$Lang::tr{'ovpn add conf'} |
|
@@ -2814,36 +2881,6 @@ print <
-
-
- $Lang::tr{'ovpn crypt options'} |
-
-
- | | | |
-
- $Lang::tr{'ovpn ha'} |
-
- |
- $Lang::tr{'openvpn default'}: SHA1 (160 $Lang::tr{'bit'}) |
-
-
-
-
END
if ( -e "/var/run/openvpn.pid"){
@@ -3066,8 +3103,8 @@ END
$users[$uid]{'Proto'} = $proto;
# get country code for "RealAddress"...
- my $ccode = &GeoIP::lookup((split ':', $users[$uid]{'RealAddress'})[0]);
- my $flag_icon = &GeoIP::get_flag_icon($ccode);
+ my $ccode = &Location::Functions::lookup_country_code((split ':', $users[$uid]{'RealAddress'})[0]);
+ my $flag_icon = &Location::Functions::get_flag_icon($ccode);
$users[$uid]{'Country'} = "";
$uid++;
}
@@ -3130,7 +3167,12 @@ END
if ( -f "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem") {
print "Content-Disposition: filename=" . $confighash{$cgiparams{'KEY'}}[1] . "cert.pem\r\n";
print "Content-Type: application/octet-stream\r\n\r\n";
- print `/bin/cat ${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem`;
+
+ open(FILE, "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem");
+ my @tmp = ;
+ close(FILE);
+
+ print "@tmp";
exit (0);
}
@@ -3251,9 +3293,8 @@ END
&General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
-# Check if a file is uploaded
-
- if (ref ($cgiparams{'FH'}) ne 'Fh') {
+ # Check if a file is uploaded
+ unless (ref ($cgiparams{'FH'})) {
$errormessage = $Lang::tr{'there was no file upload'};
goto N2N_ERROR;
}
@@ -3520,7 +3561,7 @@ foreach my $dkey (keys %confighash) {
Fragment: | $confighash{$key}[24] |
$Lang::tr{'MTU'} | $confighash{$key}[31] |
Management Port | $confighash{$key}[22] |
- $Lang::tr{'ovpn hmac'}: | $confighash{$key}[39] |
+ $Lang::tr{'ovpn tls auth'}: | $confighash{$key}[39] |
$Lang::tr{'cipher'} | $confighash{$key}[40] |
| |
@@ -3793,41 +3834,42 @@ if ($cgiparams{'TYPE'} eq 'host') {
#CCD End
- if ($cgiparams{'TYPE'} !~ /^(host|net)$/) {
- $errormessage = $Lang::tr{'connection type is invalid'};
- if ($cgiparams{'TYPE'} eq 'net') {
- unlink ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}/$cgiparams{'NAME'}.conf") or die "Removing Configfile fail: $!";
- rmdir ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}") || die "Removing Directory fail: $!";
- }
- goto VPNCONF_ERROR;
+ if ($cgiparams{'TYPE'} !~ /^(host|net)$/) {
+ $errormessage = $Lang::tr{'connection type is invalid'};
+ if ($cgiparams{'TYPE'} eq 'net') {
+ unlink ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}/$cgiparams{'NAME'}.conf") or die "Removing Configfile fail: $!";
+ rmdir ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}") || die "Removing Directory fail: $!";
+ goto VPNCONF_ERROR;
+ }
+ goto VPNCONF_ERROR;
}
-
if ($cgiparams{'NAME'} !~ /^[a-zA-Z0-9]+$/) {
- $errormessage = $Lang::tr{'name must only contain characters'};
- if ($cgiparams{'TYPE'} eq 'net') {
- unlink ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}/$cgiparams{'NAME'}.conf") or die "Removing Configfile fail: $!";
- rmdir ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}") || die "Removing Directory fail: $!";
- }
- goto VPNCONF_ERROR;
- }
+ $errormessage = $Lang::tr{'name must only contain characters'};
+ if ($cgiparams{'TYPE'} eq 'net') {
+ goto VPNCONF_ERROR;
+ }
+ goto VPNCONF_ERROR;
+ }
if ($cgiparams{'NAME'} =~ /^(host|01|block|private|clear|packetdefault)$/) {
- $errormessage = $Lang::tr{'name is invalid'};
- if ($cgiparams{'TYPE'} eq 'net') {
- unlink ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}/$cgiparams{'NAME'}.conf") or die "Removing Configfile fail: $!";
- rmdir ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}") || die "Removing Directory fail: $!";
- }
- goto VPNCONF_ERROR;
+ $errormessage = $Lang::tr{'name is invalid'};
+ if ($cgiparams{'TYPE'} eq 'net') {
+ unlink ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}/$cgiparams{'NAME'}.conf") or die "Removing Configfile fail: $!";
+ rmdir ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}") || die "Removing Directory fail: $!";
+ goto VPNCONF_ERROR;
+ }
+ goto VPNCONF_ERROR;
}
if (length($cgiparams{'NAME'}) >60) {
- $errormessage = $Lang::tr{'name too long'};
- if ($cgiparams{'TYPE'} eq 'net') {
- unlink ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}/$cgiparams{'NAME'}.conf") or die "Removing Configfile fail: $!";
- rmdir ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}") || die "Removing Directory fail: $!";
- }
- goto VPNCONF_ERROR;
+ $errormessage = $Lang::tr{'name too long'};
+ if ($cgiparams{'TYPE'} eq 'net') {
+ unlink ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}/$cgiparams{'NAME'}.conf") or die "Removing Configfile fail: $!";
+ rmdir ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}") || die "Removing Directory fail: $!";
+ goto VPNCONF_ERROR;
+ }
+ goto VPNCONF_ERROR;
}
###
@@ -4042,7 +4084,7 @@ if ($cgiparams{'TYPE'} eq 'net') {
$errormessage = $Lang::tr{'cant change certificates'};
goto VPNCONF_ERROR;
}
- if (ref ($cgiparams{'FH'}) ne 'Fh') {
+ unless (ref ($cgiparams{'FH'})) {
$errormessage = $Lang::tr{'there was no file upload'};
goto VPNCONF_ERROR;
}
@@ -4056,6 +4098,7 @@ if ($cgiparams{'TYPE'} eq 'net') {
# Sign the certificate request and move it
# Sign the host certificate request
+ # The system call is safe, because all arguments are passed as an array.
system('/usr/bin/openssl', 'ca', '-days', "$cgiparams{'DAYS_VALID'}",
'-batch', '-notext',
'-in', $filename,
@@ -4072,11 +4115,19 @@ if ($cgiparams{'TYPE'} eq 'net') {
&deletebackupcert();
}
- my $temp = `/usr/bin/openssl x509 -text -in ${General::swroot}/ovpn/certs/$cgiparams{'NAME'}cert.pem`;
- $temp =~ /Subject:.*CN\s?=\s?(.*)[\n]/;
- $temp = $1;
- $temp =~ s+/Email+, E+;
- $temp =~ s/ ST=/ S=/;
+ my @temp = &General::system_output("/usr/bin/openssl", "x509", "-text", "-in", "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}cert.pem");
+ my $temp;
+
+ foreach my $line (@temp) {
+ if ($line =~ /Subject:.*CN\s?=\s?(.*)[\n]/) {
+ $temp = $1;
+ $temp =~ s+/Email+, E+;
+ $temp =~ s/ ST=/ S=/;
+
+ last;
+ }
+ }
+
$cgiparams{'CERT_NAME'} = $temp;
$cgiparams{'CERT_NAME'} =~ s/,//g;
$cgiparams{'CERT_NAME'} =~ s/\'//g;
@@ -4089,7 +4140,7 @@ if ($cgiparams{'TYPE'} eq 'net') {
$errormessage = $Lang::tr{'cant change certificates'};
goto VPNCONF_ERROR;
}
- if (ref ($cgiparams{'FH'}) ne 'Fh') {
+ unless (ref ($cgiparams{'FH'})) {
$errormessage = $Lang::tr{'there was no file upload'};
goto VPNCONF_ERROR;
}
@@ -4102,13 +4153,13 @@ if ($cgiparams{'TYPE'} eq 'net') {
# Verify the certificate has a valid CA and move it
my $validca = 0;
- my $test = `/usr/bin/openssl verify -CAfile ${General::swroot}/ovpn/ca/cacert.pem $filename`;
- if ($test =~ /: OK/) {
+ my @test = &General::system_output("/usr/bin/openssl", "verify", "-CAfile", "${General::swroot}/ovpn/ca/cacert.pem", "$filename");
+ if (grep(/: OK/, @test)) {
$validca = 1;
} else {
foreach my $key (keys %cahash) {
- $test = `/usr/bin/openssl verify -CAfile ${General::swroot}/ovpn/ca/$cahash{$key}[0]cert.pem $filename`;
- if ($test =~ /: OK/) {
+ @test = &General::system_output("/usr/bin/openssl", "verify", "-CAfile", "${General::swroot}/ovpn/ca/$cahash{$key}[0]cert.pem", "$filename");
+ if (grep(/: OK/, @test)) {
$validca = 1;
}
}
@@ -4126,11 +4177,19 @@ if ($cgiparams{'TYPE'} eq 'net') {
}
}
- my $temp = `/usr/bin/openssl x509 -text -in ${General::swroot}/ovpn/certs/$cgiparams{'NAME'}cert.pem`;
- $temp =~ /Subject:.*CN\s?=\s?(.*)[\n]/;
- $temp = $1;
- $temp =~ s+/Email+, E+;
- $temp =~ s/ ST=/ S=/;
+ my @temp = &General::system_output("/usr/bin/openssl", "x509", "-text", "-in", "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}cert.pem");
+ my $temp;
+
+ foreach my $line (@temp) {
+ if ($line =~ /Subject:.*CN\s?=\s?(.*)[\n]/) {
+ $temp = $1;
+ $temp =~ s+/Email+, E+;
+ $temp =~ s/ ST=/ S=/;
+
+ last;
+ }
+ }
+
$cgiparams{'CERT_NAME'} = $temp;
$cgiparams{'CERT_NAME'} =~ s/,//g;
$cgiparams{'CERT_NAME'} =~ s/\'//g;
@@ -4257,6 +4316,7 @@ if ($cgiparams{'TYPE'} eq 'net') {
}
# Sign the host certificate request
+ # The system call is safe, because all arguments are passed as an array.
system('/usr/bin/openssl', 'ca', '-days', "$cgiparams{'DAYS_VALID'}",
'-batch', '-notext',
'-in', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}req.pem",
@@ -4275,6 +4335,7 @@ if ($cgiparams{'TYPE'} eq 'net') {
}
# Create the pkcs12 file
+ # The system call is safe, because all arguments are passed as an array.
system('/usr/bin/openssl', 'pkcs12', '-export',
'-inkey', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}key.pem",
'-in', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}cert.pem",
@@ -4440,21 +4501,24 @@ if ($cgiparams{'TYPE'} eq 'net') {
if ($cgiparams{'TYPE'} eq 'net') {
- if (-e "/var/run/$confighash{$key}[1]n2n.pid") {
- system('/usr/local/bin/openvpnctrl', '-kn2n', $confighash{$cgiparams{'KEY'}}[1]);
+ if (-e "/var/run/$confighash{$key}[1]n2n.pid") {
+ &General::system("/usr/local/bin/openvpnctrl", "-kn2n", "$confighash{$cgiparams{'KEY'}}[1]");
- &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
- my $key = $cgiparams{'KEY'};
- if (! $key) {
- $key = &General::findhasharraykey (\%confighash);
- foreach my $i (0 .. 31) { $confighash{$key}[$i] = "";}
- }
- $confighash{$key}[0] = 'on';
- &General::writehasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
+ &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
+ my $key = $cgiparams{'KEY'};
+ if (! $key) {
+ $key = &General::findhasharraykey (\%confighash);
+ foreach my $i (0 .. 31) {
+ $confighash{$key}[$i] = "";
+ }
+ }
+
+ $confighash{$key}[0] = 'on';
+ &General::writehasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
- system('/usr/local/bin/openvpnctrl', '-sn2n', $confighash{$cgiparams{'KEY'}}[1]);
- }
- }
+ &General::system("/usr/local/bin/openvpnctrl", "-sn2n", "$confighash{$cgiparams{'KEY'}}[1]");
+ }
+ }
###
# m.a.d n2n end
@@ -4560,12 +4624,10 @@ if ($cgiparams{'TYPE'} eq 'net') {
$selected{'DAUTH'}{'SHA384'} = '';
$selected{'DAUTH'}{'SHA256'} = '';
$selected{'DAUTH'}{'SHA1'} = '';
- # If no hash algorythm has been choosen yet, select
- # the old default value (SHA1) for compatiblity reasons.
- if ($cgiparams{'DAUTH'} eq '') {
- $cgiparams{'DAUTH'} = 'SHA1';
- }
$selected{'DAUTH'}{$cgiparams{'DAUTH'}} = 'SELECTED';
+ $checked{'TLSAUTH'}{'off'} = '';
+ $checked{'TLSAUTH'}{'on'} = '';
+ $checked{'TLSAUTH'}{$cgiparams{'TLSAUTH'}} = 'CHECKED';
if (1) {
&Header::showhttpheaders();
@@ -5073,7 +5135,9 @@ END
&General::readhasharray("${General::swroot}/ovpn/caconfig", \%cahash);
&General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
- my @status = `/bin/cat /var/run/ovpnserver.log`;
+ open(FILE, "/var/run/ovpnserver.log");
+ my @status = ;
+ close(FILE);
if ($cgiparams{'VPN_IP'} eq '' && -e "${General::swroot}/red/active") {
if (open(IPADDR, "${General::swroot}/red/local-ipaddress")) {
@@ -5101,8 +5165,20 @@ END
$cgiparams{'MSSFIX'} = 'off';
}
if ($cgiparams{'DAUTH'} eq '') {
- $cgiparams{'DAUTH'} = 'SHA512';
- }
+ if (-z "${General::swroot}/ovpn/ovpnconfig") {
+ $cgiparams{'DAUTH'} = 'SHA512';
+ }
+ foreach my $key (keys %confighash) {
+ if ($confighash{$key}[3] ne 'host') {
+ $cgiparams{'DAUTH'} = 'SHA512';
+ } else {
+ $cgiparams{'DAUTH'} = 'SHA1';
+ }
+ }
+ }
+ if ($cgiparams{'TLSAUTH'} eq '') {
+ $cgiparams{'TLSAUTH'} = 'off';
+ }
if ($cgiparams{'DOVPN_SUBNET'} eq '') {
$cgiparams{'DOVPN_SUBNET'} = '10.' . int(rand(256)) . '.' . int(rand(256)) . '.0/255.255.255.0';
}
@@ -5145,6 +5221,10 @@ END
$selected{'DAUTH'}{'SHA1'} = '';
$selected{'DAUTH'}{$cgiparams{'DAUTH'}} = 'SELECTED';
+ $checked{'TLSAUTH'}{'off'} = '';
+ $checked{'TLSAUTH'}{'on'} = '';
+ $checked{'TLSAUTH'}{$cgiparams{'TLSAUTH'}} = 'CHECKED';
+
$checked{'DCOMPLZO'}{'off'} = '';
$checked{'DCOMPLZO'}{'on'} = '';
$checked{'DCOMPLZO'}{$cgiparams{'DCOMPLZO'}} = 'CHECKED';
@@ -5219,8 +5299,16 @@ END
if (&haveOrangeNet()) {
print "$Lang::tr{'ovpn on orange'} | ";
print " | ";
- }
- print <
|
+
+ $Lang::tr{'net config'}: |
+
+
|
+
$Lang::tr{'local vpn hostname/ip'}:
|
$Lang::tr{'ovpn subnet'}
|
$Lang::tr{'protocol'} |
@@ -5230,6 +5318,24 @@ END
|
$Lang::tr{'MTU'} |
|
+
+
+
|
+
+ $Lang::tr{'ovpn crypt options'}: |
+
+
|
+
+
+ $Lang::tr{'ovpn ha'} |
+
+ |
$Lang::tr{'cipher'} |
|
-
$Lang::tr{'comp-lzo'} |
- |
+
+
|
+
+ $Lang::tr{'ovpn tls auth'} |
+ |
+
+
|
END
;
@@ -5338,9 +5449,17 @@ END
#} else {
#print " | ";
#}
- my $cavalid = `/usr/bin/openssl x509 -text -in ${General::swroot}/ovpn/certs/$confighash{$key}[1]cert.pem`;
- $cavalid =~ /Not After : (.*)[\n]/;
- $cavalid = $1;
+ my @cavalid = &General::system_output("/usr/bin/openssl", "x509", "-text", "-in", "${General::swroot}/ovpn/certs/$confighash{$key}[1]cert.pem");
+ my $cavalid;
+
+ foreach my $line (@cavalid) {
+ if ($line =~ /Not After : (.*)[\n]/) {
+ $cavalid = $1;
+
+ last;
+ }
+ }
+
print "$confighash{$key}[25] | ";
$col1="bgcolor='${Header::colourred}'";
my $active = "$Lang::tr{'capsclosed'}";
@@ -5551,11 +5670,19 @@ END
my $col4="bgcolor='$color{'color20'}'";
if (-f "${General::swroot}/ovpn/ca/cacert.pem") {
- my $casubject = `/usr/bin/openssl x509 -text -in ${General::swroot}/ovpn/ca/cacert.pem`;
- $casubject =~ /Subject: (.*)[\n]/;
- $casubject = $1;
- $casubject =~ s+/Email+, E+;
- $casubject =~ s/ ST=/ S=/;
+ my @casubject = &General::system_output("/usr/bin/openssl", "x509", "-text", "-in", "${General::swroot}/ovpn/ca/cacert.pem");
+ my $casubject;
+
+ foreach my $line (@casubject) {
+ if ($line =~ /Subject: (.*)[\n]/) {
+ $casubject = $1;
+ $casubject =~ s+/Email+, E+;
+ $casubject =~ s/ ST=/ S=/;
+
+ last;
+ }
+ }
+
print <
$Lang::tr{'root certificate'} |
@@ -5585,11 +5712,18 @@ END
}
if (-f "${General::swroot}/ovpn/certs/servercert.pem") {
- my $hostsubject = `/usr/bin/openssl x509 -text -in ${General::swroot}/ovpn/certs/servercert.pem`;
- $hostsubject =~ /Subject: (.*)[\n]/;
- $hostsubject = $1;
- $hostsubject =~ s+/Email+, E+;
- $hostsubject =~ s/ ST=/ S=/;
+ my @hostsubject = &General::system_output("/usr/bin/openssl", "x509", "-text", "-in", "${General::swroot}/ovpn/certs/servercert.pem");
+ my $hostsubject;
+
+ foreach my $line (@hostsubject) {
+ if ($line =~ /Subject: (.*)[\n]/) {
+ $hostsubject = $1;
+ $hostsubject =~ s+/Email+, E+;
+ $hostsubject =~ s/ ST=/ S=/;
+
+ last;
+ }
+ }
print <
@@ -5621,10 +5755,16 @@ END
# Adding DH parameter to chart
if (-f "${General::swroot}/ovpn/ca/dh1024.pem") {
- my $dhsubject = `/usr/bin/openssl dhparam -text -in ${General::swroot}/ovpn/ca/dh1024.pem`;
- $dhsubject =~ / (.*)[\n]/;
- $dhsubject = $1;
+ my @dhsubject = &System_output("/usr/bin/openssl", "dhparam", "-text", "-in", "${General::swroot}/ovpn/ca/dh1024.pem");
+ my $dhsubject;
+
+ foreach my $line (@dhsubject) {
+ if ($line =~ / (.*)[\n]/) {
+ $dhsubject = $1;
+ last;
+ }
+ }
print <
@@ -5654,9 +5794,19 @@ END
# Adding ta.key to chart
if (-f "${General::swroot}/ovpn/certs/ta.key") {
- my $tasubject = `/bin/cat ${General::swroot}/ovpn/certs/ta.key`;
- $tasubject =~ /# (.*)[\n]/;
- $tasubject = $1;
+ open(FILE, "${General::swroot}/ovpn/certs/ta.key");
+ my @tasubject = ;
+ close(FILE);
+
+ my $tasubject;
+ foreach my $line (@tasubject) {
+ if($line =~ /# (.*)[\n]/) {
+ $tasubject = $1;
+
+ last;
+ }
+ }
+
print <