X-Git-Url: http://git.ipfire.org/?a=blobdiff_plain;f=html%2Fcgi-bin%2Fovpnmain.cgi;h=439390228268846e8fa4fa4c44f0baaab205d502;hb=faec909e1aa3d164739a8740d0958cc8e420a6a7;hp=94e723ba2cbc56317998324c5a65e9ba0945b40f;hpb=98ae3af84418c3f21b0a7365bb5bf780046642f4;p=people%2Fpmueller%2Fipfire-2.x.git diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi index 94e723ba2c..4393902282 100644 --- a/html/cgi-bin/ovpnmain.cgi +++ b/html/cgi-bin/ovpnmain.cgi @@ -35,6 +35,7 @@ require '/var/ipfire/general-functions.pl'; require "${General::swroot}/lang.pl"; require "${General::swroot}/header.pl"; require "${General::swroot}/countries.pl"; +require "${General::swroot}/geoip-functions.pl"; # enable only the following on debugging purpose #use warnings; @@ -63,6 +64,8 @@ my %cahash=(); my %selected=(); my $warnmessage = ''; my $errormessage = ''; +my $cryptoerror = ''; +my $cryptowarning = ''; my %settings=(); my $routes_push_file = ''; my $confighost="${General::swroot}/fwhosts/customhosts"; @@ -96,6 +99,8 @@ $cgiparams{'DCIPHER'} = ''; $cgiparams{'DAUTH'} = ''; $cgiparams{'TLSAUTH'} = ''; $routes_push_file = "${General::swroot}/ovpn/routes_push"; +# Perform crypto and configration test +&pkiconfigcheck; # Add CCD files if not already presant unless (-e $routes_push_file) { @@ -169,7 +174,12 @@ sub cleanssldatabase print FILE ""; close FILE; } + if (open(FILE, ">${General::swroot}/ovpn/certs/index.txt.attr")) { + print FILE ""; + close FILE; + } unlink ("${General::swroot}/ovpn/certs/index.txt.old"); + unlink ("${General::swroot}/ovpn/certs/index.txt.attr.old"); unlink ("${General::swroot}/ovpn/certs/serial.old"); unlink ("${General::swroot}/ovpn/certs/01.pem"); } @@ -184,7 +194,11 @@ sub newcleanssldatabase if (! -s ">${General::swroot}/ovpn/certs/index.txt") { system ("touch ${General::swroot}/ovpn/certs/index.txt"); } + if (! -s ">${General::swroot}/ovpn/certs/index.txt.attr") { + system ("touch ${General::swroot}/ovpn/certs/index.txt.attr"); + } unlink ("${General::swroot}/ovpn/certs/index.txt.old"); + unlink ("${General::swroot}/ovpn/certs/index.txt.attr.old"); unlink ("${General::swroot}/ovpn/certs/serial.old"); } @@ -198,6 +212,45 @@ sub deletebackupcert } } +### +### Check for PKI and configure problems +### + +sub pkiconfigcheck +{ + # Warning if DH parameter is 1024 bit + if (-f "${General::swroot}/ovpn/ca/$cgiparams{'DH_NAME'}") { + my $dhparameter = `/usr/bin/openssl dhparam -text -in ${General::swroot}/ovpn/ca/$cgiparams{'DH_NAME'}`; + my @dhbit = ($dhparameter =~ /(\d+)/); + if ($1 < 2048) { + $cryptoerror = "$Lang::tr{'ovpn error dh'}"; + goto CRYPTO_ERROR; + } + } + + # Warning if md5 is in usage + if (-f "${General::swroot}/ovpn/certs/servercert.pem") { + my $signature = `/usr/bin/openssl x509 -noout -text -in ${General::swroot}/ovpn/certs/servercert.pem`; + if ($signature =~ /md5WithRSAEncryption/) { + $cryptoerror = "$Lang::tr{'ovpn error md5'}"; + goto CRYPTO_ERROR; + } + } + + CRYPTO_ERROR: + + # Warning if certificate is not compliant to RFC3280 TLS rules + if (-f "${General::swroot}/ovpn/certs/servercert.pem") { + my $extendkeyusage = `/usr/bin/openssl x509 -noout -text -in ${General::swroot}/ovpn/certs/servercert.pem`; + if ($extendkeyusage !~ /TLS Web Server Authentication/) { + $cryptowarning = "$Lang::tr{'ovpn warning rfc3280'}"; + goto CRYPTO_WARNING; + } + } + + CRYPTO_WARNING: +} + sub writeserverconf { my %sovpnsettings = (); my @temp = (); @@ -227,7 +280,7 @@ sub writeserverconf { print CONF "server $tempovpnsubnet[0] $tempovpnsubnet[1]\n"; #print CONF "push \"route $netsettings{'GREEN_NETADDRESS'} $netsettings{'GREEN_NETMASK'}\"\n"; - # Check if we are using mssfix, fragment or mtu-disc and set the corretct mtu of 1500. + # Check if we are using mssfix, fragment and set the corretct mtu of 1500. # If we doesn't use one of them, we can use the configured mtu value. if ($sovpnsettings{'MSSFIX'} eq 'on') { print CONF "tun-mtu 1500\n"; } @@ -279,11 +332,8 @@ sub writeserverconf { print CONF "status /var/run/ovpnserver.log 30\n"; print CONF "ncp-disable\n"; print CONF "cipher $sovpnsettings{DCIPHER}\n"; - if ($sovpnsettings{'DAUTH'} eq '') { - print CONF ""; - } else { print CONF "auth $sovpnsettings{'DAUTH'}\n"; - } + if ($sovpnsettings{'TLSAUTH'} eq 'on') { print CONF "tls-auth ${General::swroot}/ovpn/certs/ta.key\n"; } @@ -416,10 +466,7 @@ sub addccdnet $errormessage=$Lang::tr{'ccd err invalidnet'}; return; } - - $errormessage=&General::checksubnets($ccdname,$ccdnet); - - + if (!$errormessage) { my %ccdconfhash=(); $baseaddress=&General::getnetworkip($ccdip,$subcidr); @@ -738,13 +785,12 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'save-adv-options'}) { $vpnsettings{'MAX_CLIENTS'} = $cgiparams{'MAX_CLIENTS'}; $vpnsettings{'REDIRECT_GW_DEF1'} = $cgiparams{'REDIRECT_GW_DEF1'}; $vpnsettings{'CLIENT2CLIENT'} = $cgiparams{'CLIENT2CLIENT'}; + $vpnsettings{'COMPLZO'} = $cgiparams{'DCOMPLZO'}; $vpnsettings{'ADDITIONAL_CONFIGS'} = $cgiparams{'ADDITIONAL_CONFIGS'}; $vpnsettings{'DHCP_DOMAIN'} = $cgiparams{'DHCP_DOMAIN'}; $vpnsettings{'DHCP_DNS'} = $cgiparams{'DHCP_DNS'}; $vpnsettings{'DHCP_WINS'} = $cgiparams{'DHCP_WINS'}; $vpnsettings{'ROUTES_PUSH'} = $cgiparams{'ROUTES_PUSH'}; - $vpnsettings{'DAUTH'} = $cgiparams{'DAUTH'}; - $vpnsettings{'TLSAUTH'} = $cgiparams{'TLSAUTH'}; my @temp=(); if ($cgiparams{'FRAGMENT'} eq '') { @@ -1068,7 +1114,7 @@ unless(-d "${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}"){mkdir "${General close(CLIENTCONF); } - + ### ### Save main settings ### @@ -1154,6 +1200,8 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'save'} && $cgiparams{'TYPE'} eq '' && $cg $vpnsettings{'DMTU'} = $cgiparams{'DMTU'}; $vpnsettings{'DCOMPLZO'} = $cgiparams{'DCOMPLZO'}; $vpnsettings{'DCIPHER'} = $cgiparams{'DCIPHER'}; + $vpnsettings{'DAUTH'} = $cgiparams{'DAUTH'}; + $vpnsettings{'TLSAUTH'} = $cgiparams{'TLSAUTH'}; #wrtie enable if ( $vpnsettings{'ENABLED_BLUE'} eq 'on' ) {system("touch ${General::swroot}/ovpn/enable_blue 2>/dev/null");}else{system("unlink ${General::swroot}/ovpn/enable_blue 2>/dev/null");} @@ -1180,7 +1228,7 @@ SETTINGS_ERROR: delete $confighash{$cgiparams{'$key'}}; } - system ("/usr/local/bin/openvpnctrl -drrd $name"); + system ("/usr/local/bin/openvpnctrl -drrd $name &>/dev/null"); } while ($file = glob("${General::swroot}/ovpn/ca/*")) { unlink $file; @@ -1290,7 +1338,6 @@ END
$Lang::tr{'ovpn dh'}: + $Lang::tr{'comp-lzo'} + + $Lang::tr{'openvpn default'}: off ($Lang::tr{'attention'} exploitable via Voracle) + + $Lang::tr{'ovpn add conf'} @@ -2781,36 +2811,6 @@ print <
- - - - - - - - - - - -
$Lang::tr{'ovpn crypt options'}
$Lang::tr{'ovpn ha'} - $Lang::tr{'openvpn default'}: SHA1 (160 $Lang::tr{'bit'})
- - - - - - - - - - -
HMAC tls-auth
END if ( -e "/var/run/openvpn.pid"){ @@ -2991,6 +2991,7 @@ END $Lang::tr{'common name'} $Lang::tr{'real address'} + $Lang::tr{'country'} $Lang::tr{'virtual address'} $Lang::tr{'loged in at'} $Lang::tr{'bytes sent'} @@ -3030,6 +3031,11 @@ END $users[$uid]{'BytesSent'} = &sizeformat($match[4]); $users[$uid]{'Since'} = $match[5]; $users[$uid]{'Proto'} = $proto; + + # get country code for "RealAddress"... + my $ccode = &GeoIP::lookup((split ':', $users[$uid]{'RealAddress'})[0]); + my $flag_icon = &GeoIP::get_flag_icon($ccode); + $users[$uid]{'Country'} = "$ccode"; $uid++; } } @@ -3056,7 +3062,8 @@ END } print "$users[$idx-1]{'CommonName'}"; print "$users[$idx-1]{'RealAddress'}"; - print "$users[$idx-1]{'VirtualAddress'}"; + print "$users[$idx-1]{'Country'}"; + print "$users[$idx-1]{'VirtualAddress'}"; print "$users[$idx-1]{'Since'}"; print "$users[$idx-1]{'BytesSent'}"; print "$users[$idx-1]{'BytesReceived'}"; @@ -3329,7 +3336,6 @@ my $complzoactive; my $mssfixactive; my $authactive; my $n2nfragment; -my @n2nmtudisc = split(/ /, (grep { /^mtu-disc/ } @firen2nconf)[0]); my @n2nproto2 = split(/ /, (grep { /^proto/ } @firen2nconf)[0]); my @n2nproto = split(/-/, $n2nproto2[1]); my @n2nport = split(/ /, (grep { /^port/ } @firen2nconf)[0]); @@ -3365,7 +3371,6 @@ $n2nremsub[2] =~ s/\n|\r//g; $n2nlocalsub[2] =~ s/\n|\r//g; $n2nfragment[1] =~ s/\n|\r//g; $n2nmgmt[2] =~ s/\n|\r//g; -$n2nmtudisc[1] =~ s/\n|\r//g; $n2ncipher[1] =~ s/\n|\r//g; $n2nauth[1] =~ s/\n|\r//g; chomp ($complzoactive); @@ -3442,7 +3447,6 @@ foreach my $dkey (keys %confighash) { $confighash{$key}[29] = $n2nport[1]; $confighash{$key}[30] = $complzoactive; $confighash{$key}[31] = $n2ntunmtu[1]; - $confighash{$key}[38] = $n2nmtudisc[1]; $confighash{$key}[39] = $n2nauth[1]; $confighash{$key}[40] = $n2ncipher[1]; $confighash{$key}[41] = 'disabled'; @@ -3482,9 +3486,8 @@ foreach my $dkey (keys %confighash) { MSSFIX:$confighash{$key}[23] Fragment:$confighash{$key}[24] $Lang::tr{'MTU'}$confighash{$key}[31] - $Lang::tr{'ovpn mtu-disc'}$confighash{$key}[38] Management Port $confighash{$key}[22] - $Lang::tr{'ovpn hmac'}:$confighash{$key}[39] + $Lang::tr{'ovpn tls auth'}:$confighash{$key}[39] $Lang::tr{'cipher'}$confighash{$key}[40]    @@ -3972,6 +3975,16 @@ if ($cgiparams{'TYPE'} eq 'net') { goto VPNCONF_ERROR; } + # Check for N2N that OpenSSL maximum of valid days will not be exceeded + if ($cgiparams{'TYPE'} eq 'net') { + if ($cgiparams{'DAYS_VALID'} >= '999999') { + $errormessage = $Lang::tr{'invalid input for valid till days'}; + unlink ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}/$cgiparams{'NAME'}.conf") or die "Removing Configfile fail: $!"; + rmdir ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}") || die "Removing Directory fail: $!"; + goto VPNCONF_ERROR; + } + } + if ($cgiparams{'ENABLED'} !~ /^(on|off)$/) { $errormessage = $Lang::tr{'invalid input'}; goto VPNCONF_ERROR; @@ -4027,7 +4040,7 @@ if ($cgiparams{'TYPE'} eq 'net') { } my $temp = `/usr/bin/openssl x509 -text -in ${General::swroot}/ovpn/certs/$cgiparams{'NAME'}cert.pem`; - $temp =~ /Subject:.*CN=(.*)[\n]/; + $temp =~ /Subject:.*CN\s?=\s?(.*)[\n]/; $temp = $1; $temp =~ s+/Email+, E+; $temp =~ s/ ST=/ S=/; @@ -4081,7 +4094,7 @@ if ($cgiparams{'TYPE'} eq 'net') { } my $temp = `/usr/bin/openssl x509 -text -in ${General::swroot}/ovpn/certs/$cgiparams{'NAME'}cert.pem`; - $temp =~ /Subject:.*CN=(.*)[\n]/; + $temp =~ /Subject:.*CN\s?=\s?(.*)[\n]/; $temp = $1; $temp =~ s+/Email+, E+; $temp =~ s/ ST=/ S=/; @@ -4149,11 +4162,29 @@ if ($cgiparams{'TYPE'} eq 'net') { $errormessage = $Lang::tr{'passwords do not match'}; goto VPNCONF_ERROR; } - if ($cgiparams{'DAYS_VALID'} ne '' && $cgiparams{'DAYS_VALID'} !~ /^[0-9]+$/) { + if ($cgiparams{'DAYS_VALID'} eq '' && $cgiparams{'DAYS_VALID'} !~ /^[0-9]+$/) { $errormessage = $Lang::tr{'invalid input for valid till days'}; goto VPNCONF_ERROR; } + # Check for RW that OpenSSL maximum of valid days will not be exceeded + if ($cgiparams{'TYPE'} eq 'host') { + if ($cgiparams{'DAYS_VALID'} >= '999999') { + $errormessage = $Lang::tr{'invalid input for valid till days'}; + goto VPNCONF_ERROR; + } + } + + # Check for RW if client name is already set + if ($cgiparams{'TYPE'} eq 'host') { + foreach my $key (keys %confighash) { + if ($confighash{$key}[1] eq $cgiparams{'NAME'}) { + $errormessage = $Lang::tr{'a connection with this name already exists'}; + goto VPNCONF_ERROR; + } + } + } + # Replace empty strings with a . (my $ou = $cgiparams{'CERT_OU'}) =~ s/^\s*$/\./; (my $city = $cgiparams{'CERT_CITY'}) =~ s/^\s*$/\./; @@ -4425,7 +4456,7 @@ if ($cgiparams{'TYPE'} eq 'net') { $cgiparams{'CERT_CITY'} = $vpnsettings{'ROOTCERT_CITY'}; $cgiparams{'CERT_STATE'} = $vpnsettings{'ROOTCERT_STATE'}; $cgiparams{'CERT_COUNTRY'} = $vpnsettings{'ROOTCERT_COUNTRY'}; - $cgiparams{'DAYS_VALID'} = $vpnsettings{'DAYS_VALID'}; + $cgiparams{'DAYS_VALID'} = $vpnsettings{'DAYS_VALID'} = '730'; } VPNCONF_ERROR: @@ -4496,12 +4527,10 @@ if ($cgiparams{'TYPE'} eq 'net') { $selected{'DAUTH'}{'SHA384'} = ''; $selected{'DAUTH'}{'SHA256'} = ''; $selected{'DAUTH'}{'SHA1'} = ''; - # If no hash algorythm has been choosen yet, select - # the old default value (SHA1) for compatiblity reasons. - if ($cgiparams{'DAUTH'} eq '') { - $cgiparams{'DAUTH'} = 'SHA1'; - } $selected{'DAUTH'}{$cgiparams{'DAUTH'}} = 'SELECTED'; + $checked{'TLSAUTH'}{'off'} = ''; + $checked{'TLSAUTH'}{'on'} = ''; + $checked{'TLSAUTH'}{$cgiparams{'TLSAUTH'}} = 'CHECKED'; if (1) { &Header::showhttpheaders(); @@ -4805,7 +4834,7 @@ END if ($cgiparams{'TYPE'} eq 'host') { print < -  $Lang::tr{'valid till'} (days): +  $Lang::tr{'valid till'} (days): *   $Lang::tr{'pkcs12 file password'}: @@ -4820,7 +4849,7 @@ END }else{ print < -  $Lang::tr{'valid till'} (days): +  $Lang::tr{'valid till'} (days): *         @@ -5037,8 +5066,20 @@ END $cgiparams{'MSSFIX'} = 'off'; } if ($cgiparams{'DAUTH'} eq '') { - $cgiparams{'DAUTH'} = 'SHA512'; - } + if (-z "${General::swroot}/ovpn/ovpnconfig") { + $cgiparams{'DAUTH'} = 'SHA512'; + } + foreach my $key (keys %confighash) { + if ($confighash{$key}[3] ne 'host') { + $cgiparams{'DAUTH'} = 'SHA512'; + } else { + $cgiparams{'DAUTH'} = 'SHA1'; + } + } + } + if ($cgiparams{'TLSAUTH'} eq '') { + $cgiparams{'TLSAUTH'} = 'off'; + } if ($cgiparams{'DOVPN_SUBNET'} eq '') { $cgiparams{'DOVPN_SUBNET'} = '10.' . int(rand(256)) . '.' . int(rand(256)) . '.0/255.255.255.0'; } @@ -5081,6 +5122,10 @@ END $selected{'DAUTH'}{'SHA1'} = ''; $selected{'DAUTH'}{$cgiparams{'DAUTH'}} = 'SELECTED'; + $checked{'TLSAUTH'}{'off'} = ''; + $checked{'TLSAUTH'}{'on'} = ''; + $checked{'TLSAUTH'}{$cgiparams{'TLSAUTH'}} = 'CHECKED'; + $checked{'DCOMPLZO'}{'off'} = ''; $checked{'DCOMPLZO'}{'on'} = ''; $checked{'DCOMPLZO'}{$cgiparams{'DCOMPLZO'}} = 'CHECKED'; @@ -5101,6 +5146,20 @@ END &Header::closebox(); } + if ($cryptoerror) { + &Header::openbox('100%', 'LEFT', $Lang::tr{'crypto error'}); + print "$cryptoerror"; + print " "; + &Header::closebox(); + } + + if ($cryptowarning) { + &Header::openbox('100%', 'LEFT', $Lang::tr{'crypto warning'}); + print "$cryptowarning"; + print " "; + &Header::closebox(); + } + if ($warnmessage) { &Header::openbox('100%', 'LEFT', $Lang::tr{'warning messages'}); print "$warnmessage
"; @@ -5141,8 +5200,16 @@ END if (&haveOrangeNet()) { print "$Lang::tr{'ovpn on orange'}"; print ""; - } - print <
+ + $Lang::tr{'net config'}: + +
+ $Lang::tr{'local vpn hostname/ip'}:
$Lang::tr{'ovpn subnet'}
$Lang::tr{'protocol'} @@ -5152,6 +5219,24 @@ END $Lang::tr{'MTU'}  + + +
+ + $Lang::tr{'ovpn crypt options'}: + +
+ + + $Lang::tr{'ovpn ha'} + + $Lang::tr{'cipher'} - $Lang::tr{'comp-lzo'} - + +
+ + $Lang::tr{'ovpn tls auth'} + + +

END ;