X-Git-Url: http://git.ipfire.org/?a=blobdiff_plain;f=html%2Fcgi-bin%2Fovpnmain.cgi;h=077f5ab6c483f0dc96dc5a6da35bbeb1f77ff4ca;hb=016859ffe4910a0b7b3a71875d67c31aab369a1b;hp=976300fc72e77dd3e23e26bca243dc61faaa4606;hpb=b5ea63f85c7d2ff107cd5f1cf985e98e75a84efe;p=people%2Fpmueller%2Fipfire-2.x.git diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi index 976300fc72..077f5ab6c4 100644 --- a/html/cgi-bin/ovpnmain.cgi +++ b/html/cgi-bin/ovpnmain.cgi @@ -35,7 +35,7 @@ require '/var/ipfire/general-functions.pl'; require "${General::swroot}/lang.pl"; require "${General::swroot}/header.pl"; require "${General::swroot}/countries.pl"; -require "${General::swroot}/geoip-functions.pl"; +require "${General::swroot}/location-functions.pl"; # enable only the following on debugging purpose #use warnings; @@ -47,7 +47,7 @@ undef (@dummy); my %color = (); my %mainsettings = (); &General::readhash("${General::swroot}/main/settings", \%mainsettings); -&General::readhash("/srv/web/ipfire/html/themes/".$mainsettings{'THEME'}."/include/colors.txt", \%color); +&General::readhash("/srv/web/ipfire/html/themes/ipfire/include/colors.txt", \%color); ### ### Initialize variables @@ -174,7 +174,12 @@ sub cleanssldatabase print FILE ""; close FILE; } + if (open(FILE, ">${General::swroot}/ovpn/certs/index.txt.attr")) { + print FILE ""; + close FILE; + } unlink ("${General::swroot}/ovpn/certs/index.txt.old"); + unlink ("${General::swroot}/ovpn/certs/index.txt.attr.old"); unlink ("${General::swroot}/ovpn/certs/serial.old"); unlink ("${General::swroot}/ovpn/certs/01.pem"); } @@ -187,9 +192,13 @@ sub newcleanssldatabase close FILE; } if (! -s ">${General::swroot}/ovpn/certs/index.txt") { - system ("touch ${General::swroot}/ovpn/certs/index.txt"); + &General::system("touch", "${General::swroot}/ovpn/certs/index.txt"); + } + if (! -s ">${General::swroot}/ovpn/certs/index.txt.attr") { + &General::system("touch", "${General::swroot}/ovpn/certs/index.txt.attr"); } unlink ("${General::swroot}/ovpn/certs/index.txt.old"); + unlink ("${General::swroot}/ovpn/certs/index.txt.attr.old"); unlink ("${General::swroot}/ovpn/certs/serial.old"); } @@ -211,18 +220,21 @@ sub pkiconfigcheck { # Warning if DH parameter is 1024 bit if (-f "${General::swroot}/ovpn/ca/$cgiparams{'DH_NAME'}") { - my $dhparameter = `/usr/bin/openssl dhparam -text -in ${General::swroot}/ovpn/ca/$cgiparams{'DH_NAME'}`; - my @dhbit = ($dhparameter =~ /(\d+)/); - if ($1 < 2048) { - $cryptoerror = "$Lang::tr{'ovpn error dh'}"; - goto CRYPTO_ERROR; + my @dhparameter = &General::system_output("/usr/bin/openssl", "dhparam", "-text", "-in", "${General::swroot}/ovpn/ca/$cgiparams{'DH_NAME'}"); + + foreach my $line (@dhparameter) { + my @dhbit = ($line =~ /(\d+)/); + if ($1 < 2048) { + $cryptoerror = "$Lang::tr{'ovpn error dh'}"; + goto CRYPTO_ERROR; + } } } # Warning if md5 is in usage if (-f "${General::swroot}/ovpn/certs/servercert.pem") { - my $signature = `/usr/bin/openssl x509 -noout -text -in ${General::swroot}/ovpn/certs/servercert.pem`; - if ($signature =~ /md5WithRSAEncryption/) { + my @signature = &General::system_output("/usr/bin/openssl", "x509", "-noout", "-text", "-in", "${General::swroot}/ovpn/certs/servercert.pem"); + if (grep(/md5WithRSAEncryption/, @signature) ) { $cryptoerror = "$Lang::tr{'ovpn error md5'}"; goto CRYPTO_ERROR; } @@ -232,8 +244,8 @@ sub pkiconfigcheck # Warning if certificate is not compliant to RFC3280 TLS rules if (-f "${General::swroot}/ovpn/certs/servercert.pem") { - my $extendkeyusage = `/usr/bin/openssl x509 -noout -text -in ${General::swroot}/ovpn/certs/servercert.pem`; - if ($extendkeyusage !~ /TLS Web Server Authentication/) { + my @extendkeyusage = &General::system_output("/usr/bin/openssl", "x509", "-noout", "-text", "-in", "${General::swroot}/ovpn/certs/servercert.pem"); + if ( ! grep(/TLS Web Server Authentication/, @extendkeyusage)) { $cryptowarning = "$Lang::tr{'ovpn warning rfc3280'}"; goto CRYPTO_WARNING; } @@ -271,14 +283,7 @@ sub writeserverconf { print CONF "server $tempovpnsubnet[0] $tempovpnsubnet[1]\n"; #print CONF "push \"route $netsettings{'GREEN_NETADDRESS'} $netsettings{'GREEN_NETMASK'}\"\n"; - # Check if we are using mssfix, fragment and set the corretct mtu of 1500. - # If we doesn't use one of them, we can use the configured mtu value. - if ($sovpnsettings{'MSSFIX'} eq 'on') - { print CONF "tun-mtu 1500\n"; } - elsif ($sovpnsettings{'FRAGMENT'} ne '' && $sovpnsettings{'DPROTOCOL'} ne 'tcp') - { print CONF "tun-mtu 1500\n"; } - else - { print CONF "tun-mtu $sovpnsettings{'DMTU'}\n"; } + print CONF "tun-mtu $sovpnsettings{'DMTU'}\n"; if ($vpnsettings{'ROUTES_PUSH'} ne '') { @temp = split(/\n/,$vpnsettings{'ROUTES_PUSH'}); @@ -311,6 +316,8 @@ sub writeserverconf { } if ($sovpnsettings{MSSFIX} eq 'on') { print CONF "mssfix\n"; + } else { + print CONF "mssfix 0\n"; } if ($sovpnsettings{FRAGMENT} ne '' && $sovpnsettings{'DPROTOCOL'} ne 'tcp') { print CONF "fragment $sovpnsettings{'FRAGMENT'}\n"; @@ -323,11 +330,10 @@ sub writeserverconf { print CONF "status /var/run/ovpnserver.log 30\n"; print CONF "ncp-disable\n"; print CONF "cipher $sovpnsettings{DCIPHER}\n"; - if ($sovpnsettings{'DAUTH'} eq '') { - print CONF ""; - } else { print CONF "auth $sovpnsettings{'DAUTH'}\n"; - } + # Set TLSv2 as minimum + print CONF "tls-version-min 1.2\n"; + if ($sovpnsettings{'TLSAUTH'} eq 'on') { print CONF "tls-auth ${General::swroot}/ovpn/certs/ta.key\n"; } @@ -349,10 +355,10 @@ sub writeserverconf { print CONF "push \"dhcp-option WINS $sovpnsettings{DHCP_WINS}\"\n"; } - if ($sovpnsettings{DHCP_WINS} eq '') { + if ($sovpnsettings{MAX_CLIENTS} eq '') { print CONF "max-clients 100\n"; } - if ($sovpnsettings{DHCP_WINS} ne '') { + if ($sovpnsettings{MAX_CLIENTS} ne '') { print CONF "max-clients $sovpnsettings{MAX_CLIENTS}\n"; } print CONF "tls-verify /usr/lib/openvpn/verify\n"; @@ -366,6 +372,11 @@ sub writeserverconf { } else { print CONF "verb 3\n"; } + + print CONF "# Log clients connecting/disconnecting\n"; + print CONF "client-connect \"/usr/sbin/openvpn-metrics client-connect\"\n"; + print CONF "client-disconnect \"/usr/sbin/openvpn-metrics client-disconnect\"\n"; + # Print server.conf.local if entries exist to server.conf if ( !-z $local_serverconf && $sovpnsettings{'ADDITIONAL_CONFIGS'} eq 'on') { open (LSC, "$local_serverconf"); @@ -460,10 +471,7 @@ sub addccdnet $errormessage=$Lang::tr{'ccd err invalidnet'}; return; } - - $errormessage=&General::checksubnets($ccdname,$ccdnet); - - + if (!$errormessage) { my %ccdconfhash=(); $baseaddress=&General::getnetworkip($ccdip,$subcidr); @@ -487,6 +495,13 @@ sub modccdnet my $oldname=$_[1]; my %ccdconfhash=(); my %ccdhash=(); + + # Check if the new name is valid. + if(!&General::validhostname($newname)) { + $errormessage=$Lang::tr{'ccd err invalidname'}; + return; + } + &General::readhasharray("${General::swroot}/ovpn/ccd.conf", \%ccdconfhash); foreach my $key (keys %ccdconfhash) { if ($ccdconfhash{$key}[0] eq $oldname) { @@ -722,7 +737,7 @@ sub writecollectdconf { close(COLLECTDVPN); # Reload collectd afterwards - system("/usr/local/bin/collectdctrl restart &>/dev/null"); + &General::system("/usr/local/bin/collectdctrl", "restart"); } #hier die refresh page @@ -752,11 +767,11 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'start ovpn server'} || #start openvpn server if ($cgiparams{'ACTION'} eq $Lang::tr{'start ovpn server'}){ &emptyserverlog(); - system('/usr/local/bin/openvpnctrl', '-s'); + &General::system("/usr/local/bin/openvpnctrl", "-s"); } #stop openvpn server if ($cgiparams{'ACTION'} eq $Lang::tr{'stop ovpn server'}){ - system('/usr/local/bin/openvpnctrl', '-k'); + &General::system("/usr/local/bin/openvpnctrl", "-k"); &emptyserverlog(); } # #restart openvpn server @@ -782,13 +797,12 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'save-adv-options'}) { $vpnsettings{'MAX_CLIENTS'} = $cgiparams{'MAX_CLIENTS'}; $vpnsettings{'REDIRECT_GW_DEF1'} = $cgiparams{'REDIRECT_GW_DEF1'}; $vpnsettings{'CLIENT2CLIENT'} = $cgiparams{'CLIENT2CLIENT'}; + $vpnsettings{'DCOMPLZO'} = $cgiparams{'DCOMPLZO'}; $vpnsettings{'ADDITIONAL_CONFIGS'} = $cgiparams{'ADDITIONAL_CONFIGS'}; $vpnsettings{'DHCP_DOMAIN'} = $cgiparams{'DHCP_DOMAIN'}; $vpnsettings{'DHCP_DNS'} = $cgiparams{'DHCP_DNS'}; $vpnsettings{'DHCP_WINS'} = $cgiparams{'DHCP_WINS'}; $vpnsettings{'ROUTES_PUSH'} = $cgiparams{'ROUTES_PUSH'}; - $vpnsettings{'DAUTH'} = $cgiparams{'DAUTH'}; - $vpnsettings{'TLSAUTH'} = $cgiparams{'TLSAUTH'}; my @temp=(); if ($cgiparams{'FRAGMENT'} eq '') { @@ -876,7 +890,7 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'save-adv-options'}) { undef $vpnsettings{'ROUTES_PUSH'}; &write_routepushfile; } - if ((length($cgiparams{'MAX_CLIENTS'}) == 0) || (($cgiparams{'MAX_CLIENTS'}) < 1 ) || (($cgiparams{'MAX_CLIENTS'}) > 255 )) { + if ((length($cgiparams{'MAX_CLIENTS'}) == 0) || (($cgiparams{'MAX_CLIENTS'}) < 1 ) || (($cgiparams{'MAX_CLIENTS'}) > 1024 )) { $errormessage = $Lang::tr{'invalid input for max clients'}; goto ADV_ERROR; } @@ -896,17 +910,6 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'save-adv-options'}) { $errormessage = $Lang::tr{'invalid input for keepalive 1:2'}; goto ADV_ERROR; } - # Create ta.key for tls-auth if not presant - if ($cgiparams{'TLSAUTH'} eq 'on') { - if ( ! -e "${General::swroot}/ovpn/certs/ta.key") { - system('/usr/sbin/openvpn', '--genkey', '--secret', "${General::swroot}/ovpn/certs/ta.key"); - if ($?) { - $errormessage = "$Lang::tr{'openssl produced an error'}: $?"; - goto ADV_ERROR; - } - } - } - &General::writehash("${General::swroot}/ovpn/settings", \%vpnsettings); &writeserverconf();#hier ok } @@ -970,7 +973,7 @@ unless(-d "${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}"){mkdir "${General if ($cgiparams{'MTU'} eq '') {$tunmtu = '1500'} else {$tunmtu = $cgiparams{'MTU'}}; print SERVERCONF "tun-mtu $tunmtu\n"; if ($cgiparams{'FRAGMENT'} ne '') {print SERVERCONF "fragment $cgiparams{'FRAGMENT'}\n";} - if ($cgiparams{'MSSFIX'} eq 'on') {print SERVERCONF "mssfix\n"; }; + if ($cgiparams{'MSSFIX'} eq 'on') {print SERVERCONF "mssfix\n"; } else { print SERVERCONF "mssfix 0\n" }; } print SERVERCONF "# Auth. Server\n"; @@ -993,6 +996,9 @@ unless(-d "${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}"){mkdir "${General print SERVERCONF "auth $cgiparams{'DAUTH'}\n"; } + # Set TLSv1.2 as minimum + print SERVERCONF "tls-version-min 1.2\n"; + if ($cgiparams{'COMPLZO'} eq 'on') { print SERVERCONF "# Enable Compression\n"; print SERVERCONF "comp-lzo\n"; @@ -1066,14 +1072,14 @@ unless(-d "${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}"){mkdir "${General if ($cgiparams{'MTU'} eq '') {$tunmtu = '1500'} else {$tunmtu = $cgiparams{'MTU'}}; print CLIENTCONF "tun-mtu $tunmtu\n"; if ($cgiparams{'FRAGMENT'} ne '') {print CLIENTCONF "fragment $cgiparams{'FRAGMENT'}\n";} - if ($cgiparams{'MSSFIX'} eq 'on') {print CLIENTCONF "mssfix\n"; }; + if ($cgiparams{'MSSFIX'} eq 'on') {print CLIENTCONF "mssfix\n"; } else { print CLIENTCONF "mssfix 0\n" }; } # Check host certificate if X509 is RFC3280 compliant. # If not, old --ns-cert-type directive will be used. # If appropriate key usage extension exists, new --remote-cert-tls directive will be used. - my $hostcert = `/usr/bin/openssl x509 -text -in ${General::swroot}/ovpn/certs/servercert.pem`; - if ($hostcert !~ /TLS Web Server Authentication/) { + my @hostcert = &General::system_output("/usr/bin/openssl", "x509", "-text", "-in", "${General::swroot}/ovpn/certs/servercert.pem"); + if ( ! grep(/TLS Web Server Authentication/, @hostcert)) { print CLIENTCONF "ns-cert-type server\n"; } else { print CLIENTCONF "remote-cert-tls server\n"; @@ -1095,6 +1101,9 @@ unless(-d "${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}"){mkdir "${General print CLIENTCONF "auth $cgiparams{'DAUTH'}\n"; } + # Set TLSv1.2 as minimum + print CLIENTCONF "tls-version-min 1.2\n"; + if ($cgiparams{'COMPLZO'} eq 'on') { print CLIENTCONF "# Enable Compression\n"; print CLIENTCONF "comp-lzo\n"; @@ -1187,6 +1196,18 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'save'} && $cgiparams{'TYPE'} eq '' && $cg goto SETTINGS_ERROR; } + # Create ta.key for tls-auth if not presant + if ($cgiparams{'TLSAUTH'} eq 'on') { + if ( ! -e "${General::swroot}/ovpn/certs/ta.key") { + # This system call is safe, because all arguements are passed as an array. + system("/usr/sbin/openvpn", "--genkey", "--secret", "${General::swroot}/ovpn/certs/ta.key"); + if ($?) { + $errormessage = "$Lang::tr{'openssl produced an error'}: $?"; + goto SETTINGS_ERROR; + } + } + } + $vpnsettings{'ENABLED_BLUE'} = $cgiparams{'ENABLED_BLUE'}; $vpnsettings{'ENABLED_ORANGE'} =$cgiparams{'ENABLED_ORANGE'}; $vpnsettings{'ENABLED'} = $cgiparams{'ENABLED'}; @@ -1198,11 +1219,28 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'save'} && $cgiparams{'TYPE'} eq '' && $cg $vpnsettings{'DMTU'} = $cgiparams{'DMTU'}; $vpnsettings{'DCOMPLZO'} = $cgiparams{'DCOMPLZO'}; $vpnsettings{'DCIPHER'} = $cgiparams{'DCIPHER'}; + $vpnsettings{'DAUTH'} = $cgiparams{'DAUTH'}; + $vpnsettings{'TLSAUTH'} = $cgiparams{'TLSAUTH'}; #wrtie enable - if ( $vpnsettings{'ENABLED_BLUE'} eq 'on' ) {system("touch ${General::swroot}/ovpn/enable_blue 2>/dev/null");}else{system("unlink ${General::swroot}/ovpn/enable_blue 2>/dev/null");} - if ( $vpnsettings{'ENABLED_ORANGE'} eq 'on' ) {system("touch ${General::swroot}/ovpn/enable_orange 2>/dev/null");}else{system("unlink ${General::swroot}/ovpn/enable_orange 2>/dev/null");} - if ( $vpnsettings{'ENABLED'} eq 'on' ) {system("touch ${General::swroot}/ovpn/enable 2>/dev/null");}else{system("unlink ${General::swroot}/ovpn/enable 2>/dev/null");} + if ( $vpnsettings{'ENABLED_BLUE'} eq 'on' ) { + &General::system("touch", "${General::swroot}/ovpn/enable_blue"); + } else { + unlink(${General::swroot}/ovpn/enable_blue); + } + + if ( $vpnsettings{'ENABLED_ORANGE'} eq 'on' ) { + &General::system("touch", "${General::swroot}/ovpn/enable_orange"); + } else { + unlink("${General::swroot}/ovpn/enable_orange"); + } + + if ( $vpnsettings{'ENABLED'} eq 'on' ) { + &General::system("touch", "${General::swroot}/ovpn/enable"); + } else { + unlink("${General::swroot}/ovpn/enable"); + } + #new settings for daemon &General::writehash("${General::swroot}/ovpn/settings", \%vpnsettings); &writeserverconf();#hier ok @@ -1215,7 +1253,7 @@ SETTINGS_ERROR: &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash); # Kill all N2N connections - system("/usr/local/bin/openvpnctrl -kn2n &>/dev/null"); + &General::system("/usr/local/bin/openvpnctrl", "-kn2n"); foreach my $key (keys %confighash) { my $name = $confighash{$cgiparams{'$key'}}[1]; @@ -1224,7 +1262,7 @@ SETTINGS_ERROR: delete $confighash{$cgiparams{'$key'}}; } - system ("/usr/local/bin/openvpnctrl -drrd $name &>/dev/null"); + &General::system("/usr/local/bin/openvpnctrl", "-drrd", "$name"); } while ($file = glob("${General::swroot}/ovpn/ca/*")) { unlink $file; @@ -1263,7 +1301,7 @@ SETTINGS_ERROR: close FILE; } while ($file = glob("${General::swroot}/ovpn/n2nconf/*")) { - system ("rm -rf $file"); + unlink($file); } # Remove everything from the collectd configuration @@ -1309,7 +1347,8 @@ END unlink "${General::swroot}/ovpn/ca/$cgiparams{'DH_NAME'}"; } # Create Diffie Hellmann Parameter - system('/usr/bin/openssl', 'dhparam', '-out', "${General::swroot}/ovpn/ca/dh1024.pem", "$cgiparams{'DHLENGHT'}"); + # The system call is safe, because all arguments are passed as an array. + system("/usr/bin/openssl", "dhparam", "-out", "${General::swroot}/ovpn/ca/dh1024.pem", "$cgiparams{'DHLENGHT'}"); if ($?) { $errormessage = "$Lang::tr{'openssl produced an error'}: $?"; unlink ("${General::swroot}/ovpn/ca/dh1024.pem"); @@ -1368,7 +1407,7 @@ END ### Upload DH key ### } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'upload dh key'}) { - if (ref ($cgiparams{'FH'}) ne 'Fh') { + unless (ref ($cgiparams{'FH'})) { $errormessage = $Lang::tr{'there was no file upload'}; goto UPLOADCA_ERROR; } @@ -1378,8 +1417,8 @@ END $errormessage = $!; goto UPLOADCA_ERROR; } - my $temp = `/usr/bin/openssl dhparam -text -in $filename`; - if ($temp !~ /DH Parameters: \((2048|3072|4096) bit\)/) { + my @temp = &General::system_output("/usr/bin/openssl", "dhparam", "-text", "-in", "$filename"); + if ( ! grep(/DH Parameters: \((2048|3072|4096) bit\)/, @temp)) { $errormessage = $Lang::tr{'not a valid dh key'}; unlink ($filename); goto UPLOADCA_ERROR; @@ -1425,7 +1464,7 @@ END } } - if (ref ($cgiparams{'FH'}) ne 'Fh') { + unless (ref ($cgiparams{'FH'})) { $errormessage = $Lang::tr{'there was no file upload'}; goto UPLOADCA_ERROR; } @@ -1435,8 +1474,8 @@ END $errormessage = $!; goto UPLOADCA_ERROR; } - my $temp = `/usr/bin/openssl x509 -text -in $filename`; - if ($temp !~ /CA:TRUE/i) { + my @temp = &General::system_output("/usr/bin/openssl", "x509", "-text", "-in", "$filename"); + if ( ! grep(/CA:TRUE/i, @temp )) { $errormessage = $Lang::tr{'not a valid ca certificate'}; unlink ($filename); goto UPLOADCA_ERROR; @@ -1449,11 +1488,19 @@ END } } - my $casubject = `/usr/bin/openssl x509 -text -in ${General::swroot}/ovpn/ca/$cgiparams{'CA_NAME'}cert.pem`; - $casubject =~ /Subject: (.*)[\n]/; - $casubject = $1; - $casubject =~ s+/Email+, E+; - $casubject =~ s/ ST=/ S=/; + @casubject = &General::system_output("/usr/bin/openssl", "x509", "-text", "-in", "${General::swroot}/ovpn/ca/$cgiparams{'CA_NAME'}cert.pem"); + my $casubject; + + foreach my $line (@casubject) { + if ($line =~ /Subject: (.*)[\n]/) { + $casubject = $1; + $casubject =~ s+/Email+, E+; + $casubject =~ s/ ST=/ S=/; + + last; + } + } + $casubject = &Header::cleanhtml($casubject); my $key = &General::findhasharraykey (\%cahash); @@ -1475,9 +1522,9 @@ END &Header::openpage($Lang::tr{'ovpn'}, 1, ''); &Header::openbigbox('100%', 'LEFT', '', $errormessage); &Header::openbox('100%', 'LEFT', "$Lang::tr{'ca certificate'}:"); - my $output = `/usr/bin/openssl x509 -text -in ${General::swroot}/ovpn/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem`; - $output = &Header::cleanhtml($output,"y"); - print "
$output
\n"; + my @output = &General::system_output("/usr/bin/openssl", "x509", "-text", "-in", "${General::swroot}/ovpn/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem"); + @output = &Header::cleanhtml(@output,"y"); + print "
@output
\n"; &Header::closebox(); print "
$Lang::tr{'back'}
"; &Header::closebigbox(); @@ -1496,7 +1543,10 @@ END if ( -f "${General::swroot}/ovpn/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem" ) { print "Content-Type: application/octet-stream\r\n"; print "Content-Disposition: filename=$cahash{$cgiparams{'KEY'}}[0]cert.pem\r\n\r\n"; - print `/usr/bin/openssl x509 -in ${General::swroot}/ovpn/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem`; + + my @tmp = &General::system_output("/usr/bin/openssl", "x509", "-in", "${General::swroot}/ovpn/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem"); + print "@tmp"; + exit(0); } else { $errormessage = $Lang::tr{'invalid key'}; @@ -1511,8 +1561,8 @@ END if ( -f "${General::swroot}/ovpn/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem" ) { foreach my $key (keys %confighash) { - my $test = `/usr/bin/openssl verify -CAfile ${General::swroot}/ovpn/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem ${General::swroot}/ovpn/certs/$confighash{$key}[1]cert.pem`; - if ($test =~ /: OK/) { + my @test = &General::system_output("/usr/bin/openssl", "verify", "-CAfile", "${General::swroot}/ovpn/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem", "${General::swroot}/ovpn/certs/$confighash{$key}[1]cert.pem"); + if (grep(/: OK/, @test)) { # Delete connection # if ($vpnsettings{'ENABLED'} eq 'on' || # $vpnsettings{'ENABLED_BLUE'} eq 'on') { @@ -1542,8 +1592,8 @@ END my $assignedcerts = 0; if ( -f "${General::swroot}/ovpn/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem" ) { foreach my $key (keys %confighash) { - my $test = `/usr/bin/openssl verify -CAfile ${General::swroot}/ovpn/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem ${General::swroot}/ovpn/certs/$confighash{$key}[1]cert.pem`; - if ($test =~ /: OK/) { + my @test = &General::system_output("/usr/bin/openssl", "verify", "-CAfile", "${General::swroot}/ovpn/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem", "${General::swroot}/ovpn/certs/$confighash{$key}[1]cert.pem"); + if (grep(/: OK/, @test)) { $assignedcerts++; } } @@ -1582,19 +1632,19 @@ END ### }elsif ($cgiparams{'ACTION'} eq $Lang::tr{'show root certificate'} || $cgiparams{'ACTION'} eq $Lang::tr{'show host certificate'}) { - my $output; + my @output; &Header::showhttpheaders(); &Header::openpage($Lang::tr{'ovpn'}, 1, ''); &Header::openbigbox('100%', 'LEFT', '', ''); if ($cgiparams{'ACTION'} eq $Lang::tr{'show root certificate'}) { &Header::openbox('100%', 'LEFT', "$Lang::tr{'root certificate'}:"); - $output = `/usr/bin/openssl x509 -text -in ${General::swroot}/ovpn/ca/cacert.pem`; + @output = &General::system_output("/usr/bin/openssl", "x509", "-text", "-in", "${General::swroot}/ovpn/ca/cacert.pem"); } else { &Header::openbox('100%', 'LEFT', "$Lang::tr{'host certificate'}:"); - $output = `/usr/bin/openssl x509 -text -in ${General::swroot}/ovpn/certs/servercert.pem`; + @output = &General::system_output("/usr/bin/openssl", "x509", "-text", "-in", "${General::swroot}/ovpn/certs/servercert.pem"); } - $output = &Header::cleanhtml($output,"y"); - print "
$output
\n"; + @output = &Header::cleanhtml(@output,"y"); + print "
@output
\n"; &Header::closebox(); print "
$Lang::tr{'back'}
"; &Header::closebigbox(); @@ -1608,7 +1658,10 @@ END if ( -f "${General::swroot}/ovpn/ca/cacert.pem" ) { print "Content-Type: application/octet-stream\r\n"; print "Content-Disposition: filename=cacert.pem\r\n\r\n"; - print `/usr/bin/openssl x509 -in ${General::swroot}/ovpn/ca/cacert.pem`; + + my @tmp = &General::system_output("/usr/bin/openssl", "x509", "-in", "${General::swroot}/ovpn/ca/cacert.pem"); + print "@tmp"; + exit(0); } @@ -1619,7 +1672,10 @@ END if ( -f "${General::swroot}/ovpn/certs/servercert.pem" ) { print "Content-Type: application/octet-stream\r\n"; print "Content-Disposition: filename=servercert.pem\r\n\r\n"; - print `/usr/bin/openssl x509 -in ${General::swroot}/ovpn/certs/servercert.pem`; + + my @tmp = &General::system_output("/usr/bin/openssl", "x509", "-in", "${General::swroot}/ovpn/certs/servercert.pem"); + print "@tmp"; + exit(0); } @@ -1630,7 +1686,13 @@ END if ( -f "${General::swroot}/ovpn/certs/ta.key" ) { print "Content-Type: application/octet-stream\r\n"; print "Content-Disposition: filename=ta.key\r\n\r\n"; - print `/bin/cat ${General::swroot}/ovpn/certs/ta.key`; + + open(FILE, "${General::swroot}/ovpn/certs/ta.key"); + my @tmp = ; + close(FILE); + + print "@tmp"; + exit(0); } @@ -1658,8 +1720,7 @@ END } } } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'upload p12 file'}) { - - if (ref ($cgiparams{'FH'}) ne 'Fh') { + unless (ref ($cgiparams{'FH'})) { $errormessage = $Lang::tr{'there was no file upload'}; goto ROOTCERT_ERROR; } @@ -1908,6 +1969,7 @@ END } # Sign the host certificate request + # This system call is safe, because all argeuments are passed as an array. system('/usr/bin/openssl', 'ca', '-days', '999999', '-batch', '-notext', '-in', "${General::swroot}/ovpn/certs/serverreq.pem", @@ -1929,6 +1991,7 @@ END } # Create an empty CRL + # System call is safe, because all arguments are passed as array. system('/usr/bin/openssl', 'ca', '-gencrl', '-out', "${General::swroot}/ovpn/crls/cacrl.pem", '-config', "${General::swroot}/ovpn/openssl/ovpn.cnf" ); @@ -1943,7 +2006,16 @@ END # } else { # &cleanssldatabase(); } + # Create ta.key for tls-auth + # This system call is safe, because all arguments are passed as an array. + system('/usr/sbin/openvpn', '--genkey', '--secret', "${General::swroot}/ovpn/certs/ta.key"); + if ($?) { + $errormessage = "$Lang::tr{'openssl produced an error'}: $?"; + &cleanssldatabase(); + goto ROOTCERT_ERROR; + } # Create Diffie Hellmann Parameter + # The system call is safe, because all arguments are passed as an array. system('/usr/bin/openssl', 'dhparam', '-out', "${General::swroot}/ovpn/ca/dh1024.pem", "$cgiparams{'DHLENGHT'}"); if ($?) { $errormessage = "$Lang::tr{'openssl produced an error'}: $?"; @@ -1957,13 +2029,6 @@ END # } else { # &cleanssldatabase(); } - # Create ta.key for tls-auth - system('/usr/sbin/openvpn', '--genkey', '--secret', "${General::swroot}/ovpn/certs/ta.key"); - if ($?) { - $errormessage = "$Lang::tr{'openssl produced an error'}: $?"; - &cleanssldatabase(); - goto ROOTCERT_ERROR; - } goto ROOTCERT_SUCCESS; } ROOTCERT_ERROR: @@ -2065,7 +2130,7 @@ END } ROOTCERT_SUCCESS: - system ("chmod 600 ${General::swroot}/ovpn/certs/serverkey.pem"); + &General::system("chmod", "600", "${General::swroot}/ovpn/certs/serverkey.pem"); # if ($vpnsettings{'ENABLED'} eq 'on' || # $vpnsettings{'ENABLE_BLUE'} eq 'on') { # system('/usr/local/bin/ipsecctrl', 'S'); @@ -2083,8 +2148,12 @@ END &General::readhash("${General::swroot}/ovpn/settings", \%vpnsettings); &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash); -# my $n2nactive = ''; - my $n2nactive = `/bin/ps ax|grep $confighash{$cgiparams{'KEY'}}[1]|grep -v grep|awk \'{print \$1}\'`; + my $n2nactive = ''; + my @ps = &General::system_output("/bin/ps", "ax"); + + if(grep(/$confighash{$cgiparams{'KEY'}}[1]/, @ps)) { + $n2nactive = "1"; + } if ($confighash{$cgiparams{'KEY'}}) { if ($confighash{$cgiparams{'KEY'}}[0] eq 'off') { @@ -2092,7 +2161,7 @@ END &General::writehasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash); if ($confighash{$cgiparams{'KEY'}}[3] eq 'net'){ - system('/usr/local/bin/openvpnctrl', '-sn2n', $confighash{$cgiparams{'KEY'}}[1]); + &General::system("/usr/local/bin/openvpnctrl", "-sn2n", "$confighash{$cgiparams{'KEY'}}[1]"); &writecollectdconf(); } } else { @@ -2102,7 +2171,7 @@ END if ($confighash{$cgiparams{'KEY'}}[3] eq 'net'){ if ($n2nactive ne '') { - system('/usr/local/bin/openvpnctrl', '-kn2n', $confighash{$cgiparams{'KEY'}}[1]); + &General::system("/usr/local/bin/openvpnctrl", "-kn2n", "$confighash{$cgiparams{'KEY'}}[1]"); &writecollectdconf(); } @@ -2181,13 +2250,13 @@ if ($confighash{$cgiparams{'KEY'}}[3] eq 'net'){ if ($confighash{$cgiparams{'KEY'}}[31] eq '') {$tunmtu = '1500'} else {$tunmtu = $confighash{$cgiparams{'KEY'}}[31]}; print CLIENTCONF "tun-mtu $tunmtu\n"; if ($confighash{$cgiparams{'KEY'}}[24] ne '') {print CLIENTCONF "fragment $confighash{$cgiparams{'KEY'}}[24]\n";} - if ($confighash{$cgiparams{'KEY'}}[23] eq 'on') {print CLIENTCONF "mssfix\n";} + if ($confighash{$cgiparams{'KEY'}}[23] eq 'on') {print CLIENTCONF "mssfix\n";} else { print CLIENTCONF "mssfix 0\n"; } } # Check host certificate if X509 is RFC3280 compliant. # If not, old --ns-cert-type directive will be used. # If appropriate key usage extension exists, new --remote-cert-tls directive will be used. - my $hostcert = `/usr/bin/openssl x509 -text -in ${General::swroot}/ovpn/certs/servercert.pem`; - if ($hostcert !~ /TLS Web Server Authentication/) { + my @hostcert = &General::system_output("/usr/bin/openssl", "x509", "-text", "-in", "${General::swroot}/ovpn/certs/servercert.pem"); + if (! grep(/TLS Web Server Authentication/, @hostcert)) { print CLIENTCONF "ns-cert-type server\n"; } else { print CLIENTCONF "remote-cert-tls server\n"; @@ -2262,15 +2331,7 @@ else print CLIENTCONF "nobind\r\n"; print CLIENTCONF "dev tun\r\n"; print CLIENTCONF "proto $vpnsettings{'DPROTOCOL'}\r\n"; - - # Check if we are using fragment, mssfix and set MTU to 1500 - # or use configured value. - if ($vpnsettings{FRAGMENT} ne '' && $vpnsettings{DPROTOCOL} ne 'tcp' ) - { print CLIENTCONF "tun-mtu 1500\r\n"; } - elsif ($vpnsettings{MSSFIX} eq 'on') - { print CLIENTCONF "tun-mtu 1500\r\n"; } - else - { print CLIENTCONF "tun-mtu $vpnsettings{'DMTU'}\r\n"; } + print CLIENTCONF "tun-mtu $vpnsettings{'DMTU'}\r\n"; if ( $vpnsettings{'ENABLED'} eq 'on'){ print CLIENTCONF "remote $vpnsettings{'VPN_IP'} $vpnsettings{'DDEST_PORT'}\r\n"; @@ -2305,6 +2366,7 @@ else $zip->addFile("${General::swroot}/ovpn/ca/cacert.pem", "cacert.pem") or die "Can't add file cacert.pem\n"; # Extract the certificate + # This system call is safe, because all arguments are passed as an array. system('/usr/bin/openssl', 'pkcs12', '-in', "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12", '-clcerts', '-nokeys', '-nodes', '-out', "$file_crt" , '-passin', 'pass:'); if ($?) { @@ -2315,6 +2377,7 @@ else print CLIENTCONF ";cert $confighash{$cgiparams{'KEY'}}[1].pem\r\n"; # Extract the key + # This system call is safe, because all arguments are passed as an array. system('/usr/bin/openssl', 'pkcs12', '-in', "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12", '-nocerts', '-nodes', '-out', "$file_key", '-passin', 'pass:'); if ($?) { @@ -2335,11 +2398,8 @@ else $zip->addFile( "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem", "$confighash{$cgiparams{'KEY'}}[1]cert.pem") or die "Can't add file $confighash{$cgiparams{'KEY'}}[1]cert.pem\n"; } print CLIENTCONF "cipher $vpnsettings{DCIPHER}\r\n"; - if ($vpnsettings{'DAUTH'} eq '') { - print CLIENTCONF ""; - } else { print CLIENTCONF "auth $vpnsettings{'DAUTH'}\r\n"; - } + if ($vpnsettings{'TLSAUTH'} eq 'on') { if ($cgiparams{'MODE'} eq 'insecure') { print CLIENTCONF ";"; @@ -2354,8 +2414,8 @@ else # Check host certificate if X509 is RFC3280 compliant. # If not, old --ns-cert-type directive will be used. # If appropriate key usage extension exists, new --remote-cert-tls directive will be used. - my $hostcert = `/usr/bin/openssl x509 -text -in ${General::swroot}/ovpn/certs/servercert.pem`; - if ($hostcert !~ /TLS Web Server Authentication/) { + my @hostcert = &General::system_output("/usr/bin/openssl", "x509", "-text", "-in", "${General::swroot}/ovpn/certs/servercert.pem"); + if (! grep(/TLS Web Server Authentication/, @hostcert)) { print CLIENTCONF "ns-cert-type server\r\n"; } else { print CLIENTCONF "remote-cert-tls server\r\n"; @@ -2363,6 +2423,8 @@ else print CLIENTCONF "verify-x509-name $vpnsettings{ROOTCERT_HOSTNAME} name\r\n"; if ($vpnsettings{MSSFIX} eq 'on') { print CLIENTCONF "mssfix\r\n"; + } else { + print CLIENTCONF "mssfix 0\r\n"; } if ($vpnsettings{FRAGMENT} ne '' && $vpnsettings{DPROTOCOL} ne 'tcp' ) { print CLIENTCONF "fragment $vpnsettings{'FRAGMENT'}\r\n"; @@ -2455,8 +2517,8 @@ else if ($confighash{$cgiparams{'KEY'}}) { # Revoke certificate if certificate was deleted and rewrite the CRL - my $temp = `/usr/bin/openssl ca -revoke ${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem -config ${General::swroot}/ovpn/openssl/ovpn.cnf`; - my $tempA = `/usr/bin/openssl ca -gencrl -out ${General::swroot}/ovpn/crls/cacrl.pem -config ${General::swroot}/ovpn/openssl/ovpn.cnf`; + &General::system("/usr/bin/openssl", "ca", "-revoke", "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem", "-config", "${General::swroot}/ovpn/openssl/ovpn.cnf)"; + &General::system("/usr/bin/openssl", "ca", "-gencrl", "-out", "${General::swroot}/ovpn/crls/cacrl.pem", "-config", "${General::swroot}/ovpn/openssl/ovpn.cnf"); ### # m.a.d net2net @@ -2464,7 +2526,7 @@ else if ($confighash{$cgiparams{'KEY'}}[3] eq 'net') { # Stop the N2N connection before it is removed - system("/usr/local/bin/openvpnctrl -kn2n $confighash{$cgiparams{'KEY'}}[1] &>/dev/null"); + &General::system("/usr/local/bin/openvpnctrl", "-kn2n", "$confighash{$cgiparams{'KEY'}}[1]"); my $conffile = glob("${General::swroot}/ovpn/n2nconf/$confighash{$cgiparams{'KEY'}}[1]/$confighash{$cgiparams{'KEY'}}[1].conf"); my $certfile = glob("${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12"); @@ -2506,10 +2568,10 @@ else # CCD end # Update collectd configuration and delete all RRD files of the removed connection &writecollectdconf(); - system ("/usr/local/bin/openvpnctrl -drrd $confighash{$cgiparams{'KEY'}}[1]"); + &General::system("/usr/local/bin/openvpnctrl", "-drrd", "$confighash{$cgiparams{'KEY'}}[1]"); delete $confighash{$cgiparams{'KEY'}}; - my $temp2 = `/usr/bin/openssl ca -gencrl -out ${General::swroot}/ovpn/crls/cacrl.pem -config ${General::swroot}/ovpn/openssl/ovpn.cnf`; + &General::system("/usr/bin/openssl", "ca", "-gencrl", "-out", "${General::swroot}/ovpn/crls/cacrl.pem", "-config", "${General::swroot}/ovpn/openssl/ovpn.cnf"); &General::writehasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash); } else { @@ -2525,7 +2587,12 @@ else print "Content-Disposition: filename=" . $confighash{$cgiparams{'KEY'}}[1] . ".p12\r\n"; print "Content-Type: application/octet-stream\r\n\r\n"; - print `/bin/cat ${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12`; + + open(FILE, "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12"); + my @tmp = ; + close(FILE); + + print "@tmp"; exit (0); ### @@ -2539,9 +2606,9 @@ else &Header::openpage($Lang::tr{'ovpn'}, 1, ''); &Header::openbigbox('100%', 'LEFT', '', ''); &Header::openbox('100%', 'LEFT', "$Lang::tr{'certificate'}:"); - my $output = `/usr/bin/openssl x509 -text -in ${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem`; - $output = &Header::cleanhtml($output,"y"); - print "
$output
\n"; + my @output = &General::system_output("/usr/bin/openssl", "x509", "-text", "-in", "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem"); + @output = &Header::cleanhtml(@output,"y"); + print "
@output
\n"; &Header::closebox(); print "
$Lang::tr{'back'}
"; &Header::closebigbox(); @@ -2561,9 +2628,9 @@ else &Header::openpage($Lang::tr{'ovpn'}, 1, ''); &Header::openbigbox('100%', 'LEFT', '', ''); &Header::openbox('100%', 'LEFT', "$Lang::tr{'dh'}:"); - my $output = `/usr/bin/openssl dhparam -text -in ${General::swroot}/ovpn/ca/dh1024.pem`; - $output = &Header::cleanhtml($output,"y"); - print "
$output
\n"; + my @output = &General::system_output("/usr/bin/openssl", "dhparam", "-text", "-in", "${General::swroot}/ovpn/ca/dh1024.pem"); + @output = &Header::cleanhtml(@output,"y"); + print "
@output
\n"; &Header::closebox(); print "
$Lang::tr{'back'}
"; &Header::closebigbox(); @@ -2583,9 +2650,13 @@ else &Header::openpage($Lang::tr{'ovpn'}, 1, ''); &Header::openbigbox('100%', 'LEFT', '', ''); &Header::openbox('100%', 'LEFT', "$Lang::tr{'ta key'}:"); - my $output = `/bin/cat ${General::swroot}/ovpn/certs/ta.key`; - $output = &Header::cleanhtml($output,"y"); - print "
$output
\n"; + + open(FILE, "${General::swroot}/ovpn/certs/ta.key"); + my @output = ; + close(FILE); + + @output = &Header::cleanhtml(@output,"y"); + print "
@output
\n"; &Header::closebox(); print "
$Lang::tr{'back'}
"; &Header::closebigbox(); @@ -2606,9 +2677,9 @@ else &Header::openpage($Lang::tr{'ovpn'}, 1, ''); &Header::openbigbox('100%', 'LEFT', '', ''); &Header::openbox('100%', 'LEFT', "$Lang::tr{'crl'}:"); - my $output = `/usr/bin/openssl crl -text -noout -in ${General::swroot}/ovpn/crls/cacrl.pem`; - $output = &Header::cleanhtml($output,"y"); - print "
$output
\n"; + my @output = &General::system_output("/usr/bin/openssl", "crl", "-text", "-noout", "-in", "${General::swroot}/ovpn/crls/cacrl.pem"); + @output = &Header::cleanhtml(@output,"y"); + print "
@output
\n"; &Header::closebox(); print "
$Lang::tr{'back'}
"; &Header::closebigbox(); @@ -2645,9 +2716,6 @@ ADV_ERROR: if ($cgiparams{'LOG_VERB'} eq '') { $cgiparams{'LOG_VERB'} = '3'; } - if ($cgiparams{'DAUTH'} eq '') { - $cgiparams{'DAUTH'} = 'SHA512'; - } if ($cgiparams{'TLSAUTH'} eq '') { $cgiparams{'TLSAUTH'} = 'off'; } @@ -2657,6 +2725,9 @@ ADV_ERROR: $checked{'REDIRECT_GW_DEF1'}{'off'} = ''; $checked{'REDIRECT_GW_DEF1'}{'on'} = ''; $checked{'REDIRECT_GW_DEF1'}{$cgiparams{'REDIRECT_GW_DEF1'}} = 'CHECKED'; + $checked{'DCOMPLZO'}{'off'} = ''; + $checked{'DCOMPLZO'}{'on'} = ''; + $checked{'DCOMPLZO'}{$cgiparams{'DCOMPLZO'}} = 'CHECKED'; $checked{'ADDITIONAL_CONFIGS'}{'off'} = ''; $checked{'ADDITIONAL_CONFIGS'}{'on'} = ''; $checked{'ADDITIONAL_CONFIGS'}{$cgiparams{'ADDITIONAL_CONFIGS'}} = 'CHECKED'; @@ -2676,15 +2747,6 @@ ADV_ERROR: $selected{'LOG_VERB'}{'10'} = ''; $selected{'LOG_VERB'}{'11'} = ''; $selected{'LOG_VERB'}{$cgiparams{'LOG_VERB'}} = 'SELECTED'; - $selected{'DAUTH'}{'whirlpool'} = ''; - $selected{'DAUTH'}{'SHA512'} = ''; - $selected{'DAUTH'}{'SHA384'} = ''; - $selected{'DAUTH'}{'SHA256'} = ''; - $selected{'DAUTH'}{'SHA1'} = ''; - $selected{'DAUTH'}{$cgiparams{'DAUTH'}} = 'SELECTED'; - $checked{'TLSAUTH'}{'off'} = ''; - $checked{'TLSAUTH'}{'on'} = ''; - $checked{'TLSAUTH'}{$cgiparams{'TLSAUTH'}} = 'CHECKED'; &Header::showhttpheaders(); &Header::openpage($Lang::tr{'status ovpn'}, 1, ''); @@ -2744,7 +2806,7 @@ print < - + @@ -2757,6 +2819,11 @@ print < + $Lang::tr{'comp-lzo'} + + $Lang::tr{'openvpn default'}: off ($Lang::tr{'attention'} exploitable via Voracle) + + $Lang::tr{'ovpn add conf'} @@ -2814,36 +2881,6 @@ print <
- - - - - - - - - - - -
$Lang::tr{'ovpn crypt options'}
$Lang::tr{'ovpn ha'} - $Lang::tr{'openvpn default'}: SHA1 (160 $Lang::tr{'bit'})
- - - - - - - - - - -
HMAC tls-auth
END if ( -e "/var/run/openvpn.pid"){ @@ -3066,8 +3103,8 @@ END $users[$uid]{'Proto'} = $proto; # get country code for "RealAddress"... - my $ccode = &GeoIP::lookup((split ':', $users[$uid]{'RealAddress'})[0]); - my $flag_icon = &GeoIP::get_flag_icon($ccode); + my $ccode = &Location::Functions::lookup_country_code((split ':', $users[$uid]{'RealAddress'})[0]); + my $flag_icon = &Location::Functions::get_flag_icon($ccode); $users[$uid]{'Country'} = "$ccode"; $uid++; } @@ -3130,7 +3167,12 @@ END if ( -f "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem") { print "Content-Disposition: filename=" . $confighash{$cgiparams{'KEY'}}[1] . "cert.pem\r\n"; print "Content-Type: application/octet-stream\r\n\r\n"; - print `/bin/cat ${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem`; + + open(FILE, "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem"); + my @tmp = ; + close(FILE); + + print "@tmp"; exit (0); } @@ -3251,9 +3293,8 @@ END &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash); -# Check if a file is uploaded - - if (ref ($cgiparams{'FH'}) ne 'Fh') { + # Check if a file is uploaded + unless (ref ($cgiparams{'FH'})) { $errormessage = $Lang::tr{'there was no file upload'}; goto N2N_ERROR; } @@ -3520,7 +3561,7 @@ foreach my $dkey (keys %confighash) { Fragment:$confighash{$key}[24] $Lang::tr{'MTU'}$confighash{$key}[31] Management Port $confighash{$key}[22] - $Lang::tr{'ovpn hmac'}:$confighash{$key}[39] + $Lang::tr{'ovpn tls auth'}:$confighash{$key}[39] $Lang::tr{'cipher'}$confighash{$key}[40]    @@ -3793,41 +3834,42 @@ if ($cgiparams{'TYPE'} eq 'host') { #CCD End - if ($cgiparams{'TYPE'} !~ /^(host|net)$/) { - $errormessage = $Lang::tr{'connection type is invalid'}; - if ($cgiparams{'TYPE'} eq 'net') { - unlink ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}/$cgiparams{'NAME'}.conf") or die "Removing Configfile fail: $!"; - rmdir ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}") || die "Removing Directory fail: $!"; - } - goto VPNCONF_ERROR; + if ($cgiparams{'TYPE'} !~ /^(host|net)$/) { + $errormessage = $Lang::tr{'connection type is invalid'}; + if ($cgiparams{'TYPE'} eq 'net') { + unlink ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}/$cgiparams{'NAME'}.conf") or die "Removing Configfile fail: $!"; + rmdir ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}") || die "Removing Directory fail: $!"; + goto VPNCONF_ERROR; + } + goto VPNCONF_ERROR; } - if ($cgiparams{'NAME'} !~ /^[a-zA-Z0-9]+$/) { - $errormessage = $Lang::tr{'name must only contain characters'}; - if ($cgiparams{'TYPE'} eq 'net') { - unlink ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}/$cgiparams{'NAME'}.conf") or die "Removing Configfile fail: $!"; - rmdir ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}") || die "Removing Directory fail: $!"; - } - goto VPNCONF_ERROR; - } + $errormessage = $Lang::tr{'name must only contain characters'}; + if ($cgiparams{'TYPE'} eq 'net') { + goto VPNCONF_ERROR; + } + goto VPNCONF_ERROR; + } if ($cgiparams{'NAME'} =~ /^(host|01|block|private|clear|packetdefault)$/) { - $errormessage = $Lang::tr{'name is invalid'}; - if ($cgiparams{'TYPE'} eq 'net') { - unlink ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}/$cgiparams{'NAME'}.conf") or die "Removing Configfile fail: $!"; - rmdir ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}") || die "Removing Directory fail: $!"; - } - goto VPNCONF_ERROR; + $errormessage = $Lang::tr{'name is invalid'}; + if ($cgiparams{'TYPE'} eq 'net') { + unlink ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}/$cgiparams{'NAME'}.conf") or die "Removing Configfile fail: $!"; + rmdir ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}") || die "Removing Directory fail: $!"; + goto VPNCONF_ERROR; + } + goto VPNCONF_ERROR; } if (length($cgiparams{'NAME'}) >60) { - $errormessage = $Lang::tr{'name too long'}; - if ($cgiparams{'TYPE'} eq 'net') { - unlink ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}/$cgiparams{'NAME'}.conf") or die "Removing Configfile fail: $!"; - rmdir ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}") || die "Removing Directory fail: $!"; - } - goto VPNCONF_ERROR; + $errormessage = $Lang::tr{'name too long'}; + if ($cgiparams{'TYPE'} eq 'net') { + unlink ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}/$cgiparams{'NAME'}.conf") or die "Removing Configfile fail: $!"; + rmdir ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}") || die "Removing Directory fail: $!"; + goto VPNCONF_ERROR; + } + goto VPNCONF_ERROR; } ### @@ -4042,7 +4084,7 @@ if ($cgiparams{'TYPE'} eq 'net') { $errormessage = $Lang::tr{'cant change certificates'}; goto VPNCONF_ERROR; } - if (ref ($cgiparams{'FH'}) ne 'Fh') { + unless (ref ($cgiparams{'FH'})) { $errormessage = $Lang::tr{'there was no file upload'}; goto VPNCONF_ERROR; } @@ -4056,6 +4098,7 @@ if ($cgiparams{'TYPE'} eq 'net') { # Sign the certificate request and move it # Sign the host certificate request + # The system call is safe, because all arguments are passed as an array. system('/usr/bin/openssl', 'ca', '-days', "$cgiparams{'DAYS_VALID'}", '-batch', '-notext', '-in', $filename, @@ -4072,11 +4115,19 @@ if ($cgiparams{'TYPE'} eq 'net') { &deletebackupcert(); } - my $temp = `/usr/bin/openssl x509 -text -in ${General::swroot}/ovpn/certs/$cgiparams{'NAME'}cert.pem`; - $temp =~ /Subject:.*CN\s?=\s?(.*)[\n]/; - $temp = $1; - $temp =~ s+/Email+, E+; - $temp =~ s/ ST=/ S=/; + my @temp = &General::system_output("/usr/bin/openssl", "x509", "-text", "-in", "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}cert.pem"); + my $temp; + + foreach my $line (@temp) { + if ($line =~ /Subject:.*CN\s?=\s?(.*)[\n]/) { + $temp = $1; + $temp =~ s+/Email+, E+; + $temp =~ s/ ST=/ S=/; + + last; + } + } + $cgiparams{'CERT_NAME'} = $temp; $cgiparams{'CERT_NAME'} =~ s/,//g; $cgiparams{'CERT_NAME'} =~ s/\'//g; @@ -4089,7 +4140,7 @@ if ($cgiparams{'TYPE'} eq 'net') { $errormessage = $Lang::tr{'cant change certificates'}; goto VPNCONF_ERROR; } - if (ref ($cgiparams{'FH'}) ne 'Fh') { + unless (ref ($cgiparams{'FH'})) { $errormessage = $Lang::tr{'there was no file upload'}; goto VPNCONF_ERROR; } @@ -4102,13 +4153,13 @@ if ($cgiparams{'TYPE'} eq 'net') { # Verify the certificate has a valid CA and move it my $validca = 0; - my $test = `/usr/bin/openssl verify -CAfile ${General::swroot}/ovpn/ca/cacert.pem $filename`; - if ($test =~ /: OK/) { + my @test = &General::system_output("/usr/bin/openssl", "verify", "-CAfile", "${General::swroot}/ovpn/ca/cacert.pem", "$filename"); + if (grep(/: OK/, @test)) { $validca = 1; } else { foreach my $key (keys %cahash) { - $test = `/usr/bin/openssl verify -CAfile ${General::swroot}/ovpn/ca/$cahash{$key}[0]cert.pem $filename`; - if ($test =~ /: OK/) { + @test = &General::system_output("/usr/bin/openssl", "verify", "-CAfile", "${General::swroot}/ovpn/ca/$cahash{$key}[0]cert.pem", "$filename"); + if (grep(/: OK/, @test)) { $validca = 1; } } @@ -4126,11 +4177,19 @@ if ($cgiparams{'TYPE'} eq 'net') { } } - my $temp = `/usr/bin/openssl x509 -text -in ${General::swroot}/ovpn/certs/$cgiparams{'NAME'}cert.pem`; - $temp =~ /Subject:.*CN\s?=\s?(.*)[\n]/; - $temp = $1; - $temp =~ s+/Email+, E+; - $temp =~ s/ ST=/ S=/; + my @temp = &General::system_output("/usr/bin/openssl", "x509", "-text", "-in", "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}cert.pem"); + my $temp; + + foreach my $line (@temp) { + if ($line =~ /Subject:.*CN\s?=\s?(.*)[\n]/) { + $temp = $1; + $temp =~ s+/Email+, E+; + $temp =~ s/ ST=/ S=/; + + last; + } + } + $cgiparams{'CERT_NAME'} = $temp; $cgiparams{'CERT_NAME'} =~ s/,//g; $cgiparams{'CERT_NAME'} =~ s/\'//g; @@ -4257,6 +4316,7 @@ if ($cgiparams{'TYPE'} eq 'net') { } # Sign the host certificate request + # The system call is safe, because all arguments are passed as an array. system('/usr/bin/openssl', 'ca', '-days', "$cgiparams{'DAYS_VALID'}", '-batch', '-notext', '-in', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}req.pem", @@ -4275,6 +4335,7 @@ if ($cgiparams{'TYPE'} eq 'net') { } # Create the pkcs12 file + # The system call is safe, because all arguments are passed as an array. system('/usr/bin/openssl', 'pkcs12', '-export', '-inkey', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}key.pem", '-in', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}cert.pem", @@ -4440,21 +4501,24 @@ if ($cgiparams{'TYPE'} eq 'net') { if ($cgiparams{'TYPE'} eq 'net') { - if (-e "/var/run/$confighash{$key}[1]n2n.pid") { - system('/usr/local/bin/openvpnctrl', '-kn2n', $confighash{$cgiparams{'KEY'}}[1]); + if (-e "/var/run/$confighash{$key}[1]n2n.pid") { + &General::system("/usr/local/bin/openvpnctrl", "-kn2n", "$confighash{$cgiparams{'KEY'}}[1]"); - &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash); - my $key = $cgiparams{'KEY'}; - if (! $key) { - $key = &General::findhasharraykey (\%confighash); - foreach my $i (0 .. 31) { $confighash{$key}[$i] = "";} - } - $confighash{$key}[0] = 'on'; - &General::writehasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash); + &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash); + my $key = $cgiparams{'KEY'}; + if (! $key) { + $key = &General::findhasharraykey (\%confighash); + foreach my $i (0 .. 31) { + $confighash{$key}[$i] = ""; + } + } + + $confighash{$key}[0] = 'on'; + &General::writehasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash); - system('/usr/local/bin/openvpnctrl', '-sn2n', $confighash{$cgiparams{'KEY'}}[1]); - } - } + &General::system("/usr/local/bin/openvpnctrl", "-sn2n", "$confighash{$cgiparams{'KEY'}}[1]"); + } + } ### # m.a.d n2n end @@ -4560,12 +4624,10 @@ if ($cgiparams{'TYPE'} eq 'net') { $selected{'DAUTH'}{'SHA384'} = ''; $selected{'DAUTH'}{'SHA256'} = ''; $selected{'DAUTH'}{'SHA1'} = ''; - # If no hash algorythm has been choosen yet, select - # the old default value (SHA1) for compatiblity reasons. - if ($cgiparams{'DAUTH'} eq '') { - $cgiparams{'DAUTH'} = 'SHA1'; - } $selected{'DAUTH'}{$cgiparams{'DAUTH'}} = 'SELECTED'; + $checked{'TLSAUTH'}{'off'} = ''; + $checked{'TLSAUTH'}{'on'} = ''; + $checked{'TLSAUTH'}{$cgiparams{'TLSAUTH'}} = 'CHECKED'; if (1) { &Header::showhttpheaders(); @@ -5073,7 +5135,9 @@ END &General::readhasharray("${General::swroot}/ovpn/caconfig", \%cahash); &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash); - my @status = `/bin/cat /var/run/ovpnserver.log`; + open(FILE, "/var/run/ovpnserver.log"); + my @status = ; + close(FILE); if ($cgiparams{'VPN_IP'} eq '' && -e "${General::swroot}/red/active") { if (open(IPADDR, "${General::swroot}/red/local-ipaddress")) { @@ -5101,8 +5165,20 @@ END $cgiparams{'MSSFIX'} = 'off'; } if ($cgiparams{'DAUTH'} eq '') { - $cgiparams{'DAUTH'} = 'SHA512'; - } + if (-z "${General::swroot}/ovpn/ovpnconfig") { + $cgiparams{'DAUTH'} = 'SHA512'; + } + foreach my $key (keys %confighash) { + if ($confighash{$key}[3] ne 'host') { + $cgiparams{'DAUTH'} = 'SHA512'; + } else { + $cgiparams{'DAUTH'} = 'SHA1'; + } + } + } + if ($cgiparams{'TLSAUTH'} eq '') { + $cgiparams{'TLSAUTH'} = 'off'; + } if ($cgiparams{'DOVPN_SUBNET'} eq '') { $cgiparams{'DOVPN_SUBNET'} = '10.' . int(rand(256)) . '.' . int(rand(256)) . '.0/255.255.255.0'; } @@ -5145,6 +5221,10 @@ END $selected{'DAUTH'}{'SHA1'} = ''; $selected{'DAUTH'}{$cgiparams{'DAUTH'}} = 'SELECTED'; + $checked{'TLSAUTH'}{'off'} = ''; + $checked{'TLSAUTH'}{'on'} = ''; + $checked{'TLSAUTH'}{$cgiparams{'TLSAUTH'}} = 'CHECKED'; + $checked{'DCOMPLZO'}{'off'} = ''; $checked{'DCOMPLZO'}{'on'} = ''; $checked{'DCOMPLZO'}{$cgiparams{'DCOMPLZO'}} = 'CHECKED'; @@ -5219,8 +5299,16 @@ END if (&haveOrangeNet()) { print "$Lang::tr{'ovpn on orange'}"; print ""; - } - print <
+ + $Lang::tr{'net config'}: + +
+ $Lang::tr{'local vpn hostname/ip'}:
$Lang::tr{'ovpn subnet'}
$Lang::tr{'protocol'} @@ -5230,6 +5318,24 @@ END $Lang::tr{'MTU'}  + + +
+ + $Lang::tr{'ovpn crypt options'}: + +
+ + + $Lang::tr{'ovpn ha'} + + $Lang::tr{'cipher'} - $Lang::tr{'comp-lzo'} - + +
+ + $Lang::tr{'ovpn tls auth'} + + +

END ; @@ -5338,9 +5449,17 @@ END #} else { #print " "; #} - my $cavalid = `/usr/bin/openssl x509 -text -in ${General::swroot}/ovpn/certs/$confighash{$key}[1]cert.pem`; - $cavalid =~ /Not After : (.*)[\n]/; - $cavalid = $1; + my @cavalid = &General::system_output("/usr/bin/openssl", "x509", "-text", "-in", "${General::swroot}/ovpn/certs/$confighash{$key}[1]cert.pem"); + my $cavalid; + + foreach my $line (@cavalid) { + if ($line =~ /Not After : (.*)[\n]/) { + $cavalid = $1; + + last; + } + } + print "$confighash{$key}[25]"; $col1="bgcolor='${Header::colourred}'"; my $active = "$Lang::tr{'capsclosed'}"; @@ -5551,11 +5670,19 @@ END my $col4="bgcolor='$color{'color20'}'"; if (-f "${General::swroot}/ovpn/ca/cacert.pem") { - my $casubject = `/usr/bin/openssl x509 -text -in ${General::swroot}/ovpn/ca/cacert.pem`; - $casubject =~ /Subject: (.*)[\n]/; - $casubject = $1; - $casubject =~ s+/Email+, E+; - $casubject =~ s/ ST=/ S=/; + my @casubject = &General::system_output("/usr/bin/openssl", "x509", "-text", "-in", "${General::swroot}/ovpn/ca/cacert.pem"); + my $casubject; + + foreach my $line (@casubject) { + if ($line =~ /Subject: (.*)[\n]/) { + $casubject = $1; + $casubject =~ s+/Email+, E+; + $casubject =~ s/ ST=/ S=/; + + last; + } + } + print < $Lang::tr{'root certificate'} @@ -5585,11 +5712,18 @@ END } if (-f "${General::swroot}/ovpn/certs/servercert.pem") { - my $hostsubject = `/usr/bin/openssl x509 -text -in ${General::swroot}/ovpn/certs/servercert.pem`; - $hostsubject =~ /Subject: (.*)[\n]/; - $hostsubject = $1; - $hostsubject =~ s+/Email+, E+; - $hostsubject =~ s/ ST=/ S=/; + my @hostsubject = &General::system_output("/usr/bin/openssl", "x509", "-text", "-in", "${General::swroot}/ovpn/certs/servercert.pem"); + my $hostsubject; + + foreach my $line (@hostsubject) { + if ($line =~ /Subject: (.*)[\n]/) { + $hostsubject = $1; + $hostsubject =~ s+/Email+, E+; + $hostsubject =~ s/ ST=/ S=/; + + last; + } + } print < @@ -5621,10 +5755,16 @@ END # Adding DH parameter to chart if (-f "${General::swroot}/ovpn/ca/dh1024.pem") { - my $dhsubject = `/usr/bin/openssl dhparam -text -in ${General::swroot}/ovpn/ca/dh1024.pem`; - $dhsubject =~ / (.*)[\n]/; - $dhsubject = $1; + my @dhsubject = &System_output("/usr/bin/openssl", "dhparam", "-text", "-in", "${General::swroot}/ovpn/ca/dh1024.pem"); + my $dhsubject; + + foreach my $line (@dhsubject) { + if ($line =~ / (.*)[\n]/) { + $dhsubject = $1; + last; + } + } print < @@ -5654,9 +5794,19 @@ END # Adding ta.key to chart if (-f "${General::swroot}/ovpn/certs/ta.key") { - my $tasubject = `/bin/cat ${General::swroot}/ovpn/certs/ta.key`; - $tasubject =~ /# (.*)[\n]/; - $tasubject = $1; + open(FILE, "${General::swroot}/ovpn/certs/ta.key"); + my @tasubject = ; + close(FILE); + + my $tasubject; + foreach my $line (@tasubject) { + if($line =~ /# (.*)[\n]/) { + $tasubject = $1; + + last; + } + } + print <