X-Git-Url: http://git.ipfire.org/?a=blobdiff_plain;f=html%2Fcgi-bin%2Fovpnmain.cgi;h=e76a688fe7dcda0b77bf716eb2538342cd775b00;hb=f93238725f2f73975dff1a2c67820d9480a100e6;hp=424a5c98445cea88724f298a152035e60ceebe68;hpb=a4fd232541bf5002eb7e256727d2b10c89b6d1bf;p=people%2Fpmueller%2Fipfire-2.x.git diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi index 424a5c9844..e76a688fe7 100644 --- a/html/cgi-bin/ovpnmain.cgi +++ b/html/cgi-bin/ovpnmain.cgi @@ -35,6 +35,7 @@ require '/var/ipfire/general-functions.pl'; require "${General::swroot}/lang.pl"; require "${General::swroot}/header.pl"; require "${General::swroot}/countries.pl"; +require "${General::swroot}/geoip-functions.pl"; # enable only the following on debugging purpose #use warnings; @@ -63,6 +64,8 @@ my %cahash=(); my %selected=(); my $warnmessage = ''; my $errormessage = ''; +my $cryptoerror = ''; +my $cryptowarning = ''; my %settings=(); my $routes_push_file = ''; my $confighost="${General::swroot}/fwhosts/customhosts"; @@ -92,11 +95,12 @@ $cgiparams{'ROUTES_PUSH'} = ''; $cgiparams{'DCOMPLZO'} = 'off'; $cgiparams{'MSSFIX'} = ''; $cgiparams{'number'} = ''; -$cgiparams{'PMTU_DISCOVERY'} = ''; $cgiparams{'DCIPHER'} = ''; $cgiparams{'DAUTH'} = ''; $cgiparams{'TLSAUTH'} = ''; $routes_push_file = "${General::swroot}/ovpn/routes_push"; +# Perform crypto and configration test +&pkiconfigcheck; # Add CCD files if not already presant unless (-e $routes_push_file) { @@ -170,7 +174,12 @@ sub cleanssldatabase print FILE ""; close FILE; } + if (open(FILE, ">${General::swroot}/ovpn/certs/index.txt.attr")) { + print FILE ""; + close FILE; + } unlink ("${General::swroot}/ovpn/certs/index.txt.old"); + unlink ("${General::swroot}/ovpn/certs/index.txt.attr.old"); unlink ("${General::swroot}/ovpn/certs/serial.old"); unlink ("${General::swroot}/ovpn/certs/01.pem"); } @@ -185,7 +194,11 @@ sub newcleanssldatabase if (! -s ">${General::swroot}/ovpn/certs/index.txt") { system ("touch ${General::swroot}/ovpn/certs/index.txt"); } + if (! -s ">${General::swroot}/ovpn/certs/index.txt.attr") { + system ("touch ${General::swroot}/ovpn/certs/index.txt.attr"); + } unlink ("${General::swroot}/ovpn/certs/index.txt.old"); + unlink ("${General::swroot}/ovpn/certs/index.txt.attr.old"); unlink ("${General::swroot}/ovpn/certs/serial.old"); } @@ -199,6 +212,45 @@ sub deletebackupcert } } +### +### Check for PKI and configure problems +### + +sub pkiconfigcheck +{ + # Warning if DH parameter is 1024 bit + if (-f "${General::swroot}/ovpn/ca/$cgiparams{'DH_NAME'}") { + my $dhparameter = `/usr/bin/openssl dhparam -text -in ${General::swroot}/ovpn/ca/$cgiparams{'DH_NAME'}`; + my @dhbit = ($dhparameter =~ /(\d+)/); + if ($1 < 2048) { + $cryptoerror = "$Lang::tr{'ovpn error dh'}"; + goto CRYPTO_ERROR; + } + } + + # Warning if md5 is in usage + if (-f "${General::swroot}/ovpn/certs/servercert.pem") { + my $signature = `/usr/bin/openssl x509 -noout -text -in ${General::swroot}/ovpn/certs/servercert.pem`; + if ($signature =~ /md5WithRSAEncryption/) { + $cryptoerror = "$Lang::tr{'ovpn error md5'}"; + goto CRYPTO_ERROR; + } + } + + CRYPTO_ERROR: + + # Warning if certificate is not compliant to RFC3280 TLS rules + if (-f "${General::swroot}/ovpn/certs/servercert.pem") { + my $extendkeyusage = `/usr/bin/openssl x509 -noout -text -in ${General::swroot}/ovpn/certs/servercert.pem`; + if ($extendkeyusage !~ /TLS Web Server Authentication/) { + $cryptowarning = "$Lang::tr{'ovpn warning rfc3280'}"; + goto CRYPTO_WARNING; + } + } + + CRYPTO_WARNING: +} + sub writeserverconf { my %sovpnsettings = (); my @temp = (); @@ -228,16 +280,12 @@ sub writeserverconf { print CONF "server $tempovpnsubnet[0] $tempovpnsubnet[1]\n"; #print CONF "push \"route $netsettings{'GREEN_NETADDRESS'} $netsettings{'GREEN_NETMASK'}\"\n"; - # Check if we are using mssfix, fragment or mtu-disc and set the corretct mtu of 1500. + # Check if we are using mssfix, fragment and set the corretct mtu of 1500. # If we doesn't use one of them, we can use the configured mtu value. if ($sovpnsettings{'MSSFIX'} eq 'on') { print CONF "tun-mtu 1500\n"; } elsif ($sovpnsettings{'FRAGMENT'} ne '' && $sovpnsettings{'DPROTOCOL'} ne 'tcp') { print CONF "tun-mtu 1500\n"; } - elsif (($sovpnsettings{'PMTU_DISCOVERY'} eq 'yes') || - ($sovpnsettings{'PMTU_DISCOVERY'} eq 'maybe') || - ($sovpnsettings{'PMTU_DISCOVERY'} eq 'no' )) - { print CONF "tun-mtu 1500\n"; } else { print CONF "tun-mtu $sovpnsettings{'DMTU'}\n"; } @@ -277,13 +325,6 @@ sub writeserverconf { print CONF "fragment $sovpnsettings{'FRAGMENT'}\n"; } - # Check if a valid operating mode has been choosen and use it. - if (($sovpnsettings{'PMTU_DISCOVERY'} eq 'yes') || - ($sovpnsettings{'PMTU_DISCOVERY'} eq 'maybe') || - ($sovpnsettings{'PMTU_DISCOVERY'} eq 'no' )) { - print CONF "mtu-disc $sovpnsettings{'PMTU_DISCOVERY'}\n"; - } - if ($sovpnsettings{KEEPALIVE_1} > 0 && $sovpnsettings{KEEPALIVE_2} > 0) { print CONF "keepalive $sovpnsettings{'KEEPALIVE_1'} $sovpnsettings{'KEEPALIVE_2'}\n"; } @@ -291,11 +332,8 @@ sub writeserverconf { print CONF "status /var/run/ovpnserver.log 30\n"; print CONF "ncp-disable\n"; print CONF "cipher $sovpnsettings{DCIPHER}\n"; - if ($sovpnsettings{'DAUTH'} eq '') { - print CONF ""; - } else { print CONF "auth $sovpnsettings{'DAUTH'}\n"; - } + if ($sovpnsettings{'TLSAUTH'} eq 'on') { print CONF "tls-auth ${General::swroot}/ovpn/certs/ta.key\n"; } @@ -317,10 +355,10 @@ sub writeserverconf { print CONF "push \"dhcp-option WINS $sovpnsettings{DHCP_WINS}\"\n"; } - if ($sovpnsettings{DHCP_WINS} eq '') { + if ($sovpnsettings{MAX_CLIENTS} eq '') { print CONF "max-clients 100\n"; } - if ($sovpnsettings{DHCP_WINS} ne '') { + if ($sovpnsettings{MAX_CLIENTS} ne '') { print CONF "max-clients $sovpnsettings{MAX_CLIENTS}\n"; } print CONF "tls-verify /usr/lib/openvpn/verify\n"; @@ -428,10 +466,7 @@ sub addccdnet $errormessage=$Lang::tr{'ccd err invalidnet'}; return; } - - $errormessage=&General::checksubnets($ccdname,$ccdnet); - - + if (!$errormessage) { my %ccdconfhash=(); $baseaddress=&General::getnetworkip($ccdip,$subcidr); @@ -750,14 +785,12 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'save-adv-options'}) { $vpnsettings{'MAX_CLIENTS'} = $cgiparams{'MAX_CLIENTS'}; $vpnsettings{'REDIRECT_GW_DEF1'} = $cgiparams{'REDIRECT_GW_DEF1'}; $vpnsettings{'CLIENT2CLIENT'} = $cgiparams{'CLIENT2CLIENT'}; + $vpnsettings{'DCOMPLZO'} = $cgiparams{'DCOMPLZO'}; $vpnsettings{'ADDITIONAL_CONFIGS'} = $cgiparams{'ADDITIONAL_CONFIGS'}; $vpnsettings{'DHCP_DOMAIN'} = $cgiparams{'DHCP_DOMAIN'}; $vpnsettings{'DHCP_DNS'} = $cgiparams{'DHCP_DNS'}; $vpnsettings{'DHCP_WINS'} = $cgiparams{'DHCP_WINS'}; $vpnsettings{'ROUTES_PUSH'} = $cgiparams{'ROUTES_PUSH'}; - $vpnsettings{'PMTU_DISCOVERY'} = $cgiparams{'PMTU_DISCOVERY'}; - $vpnsettings{'DAUTH'} = $cgiparams{'DAUTH'}; - $vpnsettings{'TLSAUTH'} = $cgiparams{'TLSAUTH'}; my @temp=(); if ($cgiparams{'FRAGMENT'} eq '') { @@ -777,16 +810,6 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'save-adv-options'}) { $vpnsettings{'MSSFIX'} = $cgiparams{'MSSFIX'}; } - if (($cgiparams{'PMTU_DISCOVERY'} eq 'yes') || - ($cgiparams{'PMTU_DISCOVERY'} eq 'maybe') || - ($cgiparams{'PMTU_DISCOVERY'} eq 'no' )) { - - if (($cgiparams{'MSSFIX'} eq 'on') || ($cgiparams{'FRAGMENT'} ne '')) { - $errormessage = $Lang::tr{'ovpn mtu-disc with mssfix or fragment'}; - goto ADV_ERROR; - } - } - if ($cgiparams{'DHCP_DOMAIN'} ne ''){ unless (&General::validdomainname($cgiparams{'DHCP_DOMAIN'}) || &General::validip($cgiparams{'DHCP_DOMAIN'})) { $errormessage = $Lang::tr{'invalid input for dhcp domain'}; @@ -875,17 +898,6 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'save-adv-options'}) { $errormessage = $Lang::tr{'invalid input for keepalive 1:2'}; goto ADV_ERROR; } - # Create ta.key for tls-auth if not presant - if ($cgiparams{'TLSAUTH'} eq 'on') { - if ( ! -e "${General::swroot}/ovpn/certs/ta.key") { - system('/usr/sbin/openvpn', '--genkey', '--secret', "${General::swroot}/ovpn/certs/ta.key"); - if ($?) { - $errormessage = "$Lang::tr{'openssl produced an error'}: $?"; - goto ADV_ERROR; - } - } - } - &General::writehash("${General::swroot}/ovpn/settings", \%vpnsettings); &writeserverconf();#hier ok } @@ -952,16 +964,6 @@ unless(-d "${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}"){mkdir "${General if ($cgiparams{'MSSFIX'} eq 'on') {print SERVERCONF "mssfix\n"; }; } - # Check if a valid operating mode has been choosen and use it. - if (($cgiparams{'PMTU_DISCOVERY'} eq 'yes') || - ($cgiparams{'PMTU_DISCOVERY'} eq 'maybe') || - ($cgiparams{'PMTU_DISCOVERY'} eq 'no' )) { - if(($cgiparams{'MSSFIX'} ne 'on') || ($cgiparams{'FRAGMENT'} eq '')) { - if($cgiparams{'MTU'} eq '1500') { - print SERVERCONF "mtu-disc $cgiparams{'PMTU_DISCOVERY'}\n"; - } - } - } print SERVERCONF "# Auth. Server\n"; print SERVERCONF "tls-server\n"; print SERVERCONF "ca ${General::swroot}/ovpn/ca/cacert.pem\n"; @@ -970,12 +972,18 @@ unless(-d "${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}"){mkdir "${General print SERVERCONF "dh ${General::swroot}/ovpn/ca/$cgiparams{'DH_NAME'}\n"; print SERVERCONF "# Cipher\n"; print SERVERCONF "cipher $cgiparams{'DCIPHER'}\n"; - if ($cgiparams{'DAUTH'} eq '') { - print SERVERCONF "auth SHA1\n"; + + # If GCM cipher is used, do not use --auth + if (($cgiparams{'DCIPHER'} eq 'AES-256-GCM') || + ($cgiparams{'DCIPHER'} eq 'AES-192-GCM') || + ($cgiparams{'DCIPHER'} eq 'AES-128-GCM')) { + print SERVERCONF unless "# HMAC algorithm\n"; + print SERVERCONF unless "auth $cgiparams{'DAUTH'}\n"; } else { - print SERVERCONF "# HMAC algorithm\n"; - print SERVERCONF "auth $cgiparams{'DAUTH'}\n"; + print SERVERCONF "# HMAC algorithm\n"; + print SERVERCONF "auth $cgiparams{'DAUTH'}\n"; } + if ($cgiparams{'COMPLZO'} eq 'on') { print SERVERCONF "# Enable Compression\n"; print SERVERCONF "comp-lzo\n"; @@ -1052,16 +1060,6 @@ unless(-d "${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}"){mkdir "${General if ($cgiparams{'MSSFIX'} eq 'on') {print CLIENTCONF "mssfix\n"; }; } - # Check if a valid operating mode has been choosen and use it. - if (($cgiparams{'PMTU_DISCOVERY'} eq 'yes') || - ($cgiparams{'PMTU_DISCOVERY'} eq 'maybe') || - ($cgiparams{'PMTU_DISCOVERY'} eq 'no' )) { - if(($cgiparams{'MSSFIX'} ne 'on') || ($cgiparams{'FRAGMENT'} eq '')) { - if ($cgiparams{'MTU'} eq '1500') { - print CLIENTCONF "mtu-disc $cgiparams{'PMTU_DISCOVERY'}\n"; - } - } - } # Check host certificate if X509 is RFC3280 compliant. # If not, old --ns-cert-type directive will be used. # If appropriate key usage extension exists, new --remote-cert-tls directive will be used. @@ -1076,12 +1074,18 @@ unless(-d "${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}"){mkdir "${General print CLIENTCONF "# Cipher\n"; print CLIENTCONF "cipher $cgiparams{'DCIPHER'}\n"; print CLIENTCONF "pkcs12 ${General::swroot}/ovpn/certs/$cgiparams{'NAME'}.p12\r\n"; - if ($cgiparams{'DAUTH'} eq '') { - print CLIENTCONF "auth SHA1\n"; + + # If GCM cipher is used, do not use --auth + if (($cgiparams{'DCIPHER'} eq 'AES-256-GCM') || + ($cgiparams{'DCIPHER'} eq 'AES-192-GCM') || + ($cgiparams{'DCIPHER'} eq 'AES-128-GCM')) { + print CLIENTCONF unless "# HMAC algorithm\n"; + print CLIENTCONF unless "auth $cgiparams{'DAUTH'}\n"; } else { - print CLIENTCONF "# HMAC algorithm\n"; - print CLIENTCONF "auth $cgiparams{'DAUTH'}\n"; + print CLIENTCONF "# HMAC algorithm\n"; + print CLIENTCONF "auth $cgiparams{'DAUTH'}\n"; } + if ($cgiparams{'COMPLZO'} eq 'on') { print CLIENTCONF "# Enable Compression\n"; print CLIENTCONF "comp-lzo\n"; @@ -1099,7 +1103,7 @@ unless(-d "${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}"){mkdir "${General close(CLIENTCONF); } - + ### ### Save main settings ### @@ -1174,6 +1178,17 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'save'} && $cgiparams{'TYPE'} eq '' && $cg goto SETTINGS_ERROR; } + # Create ta.key for tls-auth if not presant + if ($cgiparams{'TLSAUTH'} eq 'on') { + if ( ! -e "${General::swroot}/ovpn/certs/ta.key") { + system('/usr/sbin/openvpn', '--genkey', '--secret', "${General::swroot}/ovpn/certs/ta.key"); + if ($?) { + $errormessage = "$Lang::tr{'openssl produced an error'}: $?"; + goto SETTINGS_ERROR; + } + } + } + $vpnsettings{'ENABLED_BLUE'} = $cgiparams{'ENABLED_BLUE'}; $vpnsettings{'ENABLED_ORANGE'} =$cgiparams{'ENABLED_ORANGE'}; $vpnsettings{'ENABLED'} = $cgiparams{'ENABLED'}; @@ -1185,6 +1200,8 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'save'} && $cgiparams{'TYPE'} eq '' && $cg $vpnsettings{'DMTU'} = $cgiparams{'DMTU'}; $vpnsettings{'DCOMPLZO'} = $cgiparams{'DCOMPLZO'}; $vpnsettings{'DCIPHER'} = $cgiparams{'DCIPHER'}; + $vpnsettings{'DAUTH'} = $cgiparams{'DAUTH'}; + $vpnsettings{'TLSAUTH'} = $cgiparams{'TLSAUTH'}; #wrtie enable if ( $vpnsettings{'ENABLED_BLUE'} eq 'on' ) {system("touch ${General::swroot}/ovpn/enable_blue 2>/dev/null");}else{system("unlink ${General::swroot}/ovpn/enable_blue 2>/dev/null");} @@ -1211,7 +1228,7 @@ SETTINGS_ERROR: delete $confighash{$cgiparams{'$key'}}; } - system ("/usr/local/bin/openvpnctrl -drrd $name"); + system ("/usr/local/bin/openvpnctrl -drrd $name &>/dev/null"); } while ($file = glob("${General::swroot}/ovpn/ca/*")) { unlink $file; @@ -1321,7 +1338,6 @@ END
$Lang::tr{'ovpn dh'}: + $Lang::tr{'comp-lzo'} + + $Lang::tr{'openvpn default'}: off ($Lang::tr{'attention'} exploitable via Voracle) + + $Lang::tr{'ovpn add conf'} @@ -2795,14 +2781,6 @@ print < - - - $Lang::tr{'ovpn mtu-disc'} - $Lang::tr{'ovpn mtu-disc yes'} - $Lang::tr{'ovpn mtu-disc maybe'} - $Lang::tr{'ovpn mtu-disc no'} - $Lang::tr{'ovpn mtu-disc off'} -
@@ -2832,36 +2810,6 @@ print <
- - - - - - - - - - - -
$Lang::tr{'ovpn crypt options'}
$Lang::tr{'ovpn ha'} - $Lang::tr{'openvpn default'}: SHA1 (160 $Lang::tr{'bit'})
- - - - - - - - - - -
HMAC tls-auth
END if ( -e "/var/run/openvpn.pid"){ @@ -3042,6 +2990,7 @@ END $Lang::tr{'common name'} $Lang::tr{'real address'} + $Lang::tr{'country'} $Lang::tr{'virtual address'} $Lang::tr{'loged in at'} $Lang::tr{'bytes sent'} @@ -3081,6 +3030,11 @@ END $users[$uid]{'BytesSent'} = &sizeformat($match[4]); $users[$uid]{'Since'} = $match[5]; $users[$uid]{'Proto'} = $proto; + + # get country code for "RealAddress"... + my $ccode = &GeoIP::lookup((split ':', $users[$uid]{'RealAddress'})[0]); + my $flag_icon = &GeoIP::get_flag_icon($ccode); + $users[$uid]{'Country'} = "$ccode"; $uid++; } } @@ -3107,7 +3061,8 @@ END } print "$users[$idx-1]{'CommonName'}"; print "$users[$idx-1]{'RealAddress'}"; - print "$users[$idx-1]{'VirtualAddress'}"; + print "$users[$idx-1]{'Country'}"; + print "$users[$idx-1]{'VirtualAddress'}"; print "$users[$idx-1]{'Since'}"; print "$users[$idx-1]{'BytesSent'}"; print "$users[$idx-1]{'BytesReceived'}"; @@ -3262,9 +3217,8 @@ END &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash); -# Check if a file is uploaded - - if (ref ($cgiparams{'FH'}) ne 'Fh') { + # Check if a file is uploaded + unless (ref ($cgiparams{'FH'})) { $errormessage = $Lang::tr{'there was no file upload'}; goto N2N_ERROR; } @@ -3380,7 +3334,6 @@ my $complzoactive; my $mssfixactive; my $authactive; my $n2nfragment; -my @n2nmtudisc = split(/ /, (grep { /^mtu-disc/ } @firen2nconf)[0]); my @n2nproto2 = split(/ /, (grep { /^proto/ } @firen2nconf)[0]); my @n2nproto = split(/-/, $n2nproto2[1]); my @n2nport = split(/ /, (grep { /^port/ } @firen2nconf)[0]); @@ -3416,7 +3369,6 @@ $n2nremsub[2] =~ s/\n|\r//g; $n2nlocalsub[2] =~ s/\n|\r//g; $n2nfragment[1] =~ s/\n|\r//g; $n2nmgmt[2] =~ s/\n|\r//g; -$n2nmtudisc[1] =~ s/\n|\r//g; $n2ncipher[1] =~ s/\n|\r//g; $n2nauth[1] =~ s/\n|\r//g; chomp ($complzoactive); @@ -3493,7 +3445,6 @@ foreach my $dkey (keys %confighash) { $confighash{$key}[29] = $n2nport[1]; $confighash{$key}[30] = $complzoactive; $confighash{$key}[31] = $n2ntunmtu[1]; - $confighash{$key}[38] = $n2nmtudisc[1]; $confighash{$key}[39] = $n2nauth[1]; $confighash{$key}[40] = $n2ncipher[1]; $confighash{$key}[41] = 'disabled'; @@ -3533,9 +3484,8 @@ foreach my $dkey (keys %confighash) { MSSFIX:$confighash{$key}[23] Fragment:$confighash{$key}[24] $Lang::tr{'MTU'}$confighash{$key}[31] - $Lang::tr{'ovpn mtu-disc'}$confighash{$key}[38] Management Port $confighash{$key}[22] - $Lang::tr{'ovpn hmac'}:$confighash{$key}[39] + $Lang::tr{'ovpn tls auth'}:$confighash{$key}[39] $Lang::tr{'cipher'}$confighash{$key}[40]    @@ -3633,7 +3583,6 @@ if ($confighash{$cgiparams{'KEY'}}) { $cgiparams{'CCD_DNS1'} = $confighash{$cgiparams{'KEY'}}[35]; $cgiparams{'CCD_DNS2'} = $confighash{$cgiparams{'KEY'}}[36]; $cgiparams{'CCD_WINS'} = $confighash{$cgiparams{'KEY'}}[37]; - $cgiparams{'PMTU_DISCOVERY'} = $confighash{$cgiparams{'KEY'}}[38]; $cgiparams{'DAUTH'} = $confighash{$cgiparams{'KEY'}}[39]; $cgiparams{'DCIPHER'} = $confighash{$cgiparams{'KEY'}}[40]; $cgiparams{'TLSAUTH'} = $confighash{$cgiparams{'KEY'}}[41]; @@ -3902,22 +3851,6 @@ if ($cgiparams{'TYPE'} eq 'net') { goto VPNCONF_ERROR; } - if ($cgiparams{'PMTU_DISCOVERY'} ne 'off') { - if (($cgiparams{'FRAGMENT'} ne '') || ($cgiparams{'MSSFIX'} eq 'on')) { - $errormessage = $Lang::tr{'ovpn mtu-disc with mssfix or fragment'}; - unlink ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}/$cgiparams{'NAME'}.conf") or die "Removing Configfile fail: $!"; - rmdir ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}") || die "Removing Directory fail: $!"; - goto VPNCONF_ERROR; - } - } - - if (($cgiparams{'PMTU_DISCOVERY'} ne 'off') && ($cgiparams{'MTU'} ne '1500')) { - $errormessage = $Lang::tr{'ovpn mtu-disc and mtu not 1500'}; - unlink ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}/$cgiparams{'NAME'}.conf") or die "Removing Configfile fail: $!"; - rmdir ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}") || die "Removing Directory fail: $!"; - goto VPNCONF_ERROR; - } - if ( &validdotmask ($cgiparams{'LOCAL_SUBNET'})) { $errormessage = $Lang::tr{'openvpn prefix local subnet'}; unlink ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}/$cgiparams{'NAME'}.conf") or die "Removing Configfile fail: $!"; @@ -4040,6 +3973,16 @@ if ($cgiparams{'TYPE'} eq 'net') { goto VPNCONF_ERROR; } + # Check for N2N that OpenSSL maximum of valid days will not be exceeded + if ($cgiparams{'TYPE'} eq 'net') { + if ($cgiparams{'DAYS_VALID'} >= '999999') { + $errormessage = $Lang::tr{'invalid input for valid till days'}; + unlink ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}/$cgiparams{'NAME'}.conf") or die "Removing Configfile fail: $!"; + rmdir ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}") || die "Removing Directory fail: $!"; + goto VPNCONF_ERROR; + } + } + if ($cgiparams{'ENABLED'} !~ /^(on|off)$/) { $errormessage = $Lang::tr{'invalid input'}; goto VPNCONF_ERROR; @@ -4064,7 +4007,7 @@ if ($cgiparams{'TYPE'} eq 'net') { $errormessage = $Lang::tr{'cant change certificates'}; goto VPNCONF_ERROR; } - if (ref ($cgiparams{'FH'}) ne 'Fh') { + unless (ref ($cgiparams{'FH'})) { $errormessage = $Lang::tr{'there was no file upload'}; goto VPNCONF_ERROR; } @@ -4095,7 +4038,7 @@ if ($cgiparams{'TYPE'} eq 'net') { } my $temp = `/usr/bin/openssl x509 -text -in ${General::swroot}/ovpn/certs/$cgiparams{'NAME'}cert.pem`; - $temp =~ /Subject:.*CN=(.*)[\n]/; + $temp =~ /Subject:.*CN\s?=\s?(.*)[\n]/; $temp = $1; $temp =~ s+/Email+, E+; $temp =~ s/ ST=/ S=/; @@ -4111,7 +4054,7 @@ if ($cgiparams{'TYPE'} eq 'net') { $errormessage = $Lang::tr{'cant change certificates'}; goto VPNCONF_ERROR; } - if (ref ($cgiparams{'FH'}) ne 'Fh') { + unless (ref ($cgiparams{'FH'})) { $errormessage = $Lang::tr{'there was no file upload'}; goto VPNCONF_ERROR; } @@ -4149,7 +4092,7 @@ if ($cgiparams{'TYPE'} eq 'net') { } my $temp = `/usr/bin/openssl x509 -text -in ${General::swroot}/ovpn/certs/$cgiparams{'NAME'}cert.pem`; - $temp =~ /Subject:.*CN=(.*)[\n]/; + $temp =~ /Subject:.*CN\s?=\s?(.*)[\n]/; $temp = $1; $temp =~ s+/Email+, E+; $temp =~ s/ ST=/ S=/; @@ -4217,11 +4160,29 @@ if ($cgiparams{'TYPE'} eq 'net') { $errormessage = $Lang::tr{'passwords do not match'}; goto VPNCONF_ERROR; } - if ($cgiparams{'DAYS_VALID'} ne '' && $cgiparams{'DAYS_VALID'} !~ /^[0-9]+$/) { + if ($cgiparams{'DAYS_VALID'} eq '' && $cgiparams{'DAYS_VALID'} !~ /^[0-9]+$/) { $errormessage = $Lang::tr{'invalid input for valid till days'}; goto VPNCONF_ERROR; } + # Check for RW that OpenSSL maximum of valid days will not be exceeded + if ($cgiparams{'TYPE'} eq 'host') { + if ($cgiparams{'DAYS_VALID'} >= '999999') { + $errormessage = $Lang::tr{'invalid input for valid till days'}; + goto VPNCONF_ERROR; + } + } + + # Check for RW if client name is already set + if ($cgiparams{'TYPE'} eq 'host') { + foreach my $key (keys %confighash) { + if ($confighash{$key}[1] eq $cgiparams{'NAME'}) { + $errormessage = $Lang::tr{'a connection with this name already exists'}; + goto VPNCONF_ERROR; + } + } + } + # Replace empty strings with a . (my $ou = $cgiparams{'CERT_OU'}) =~ s/^\s*$/\./; (my $city = $cgiparams{'CERT_CITY'}) =~ s/^\s*$/\./; @@ -4361,7 +4322,6 @@ if ($cgiparams{'TYPE'} eq 'net') { $confighash{$key}[35] = $cgiparams{'CCD_DNS1'}; $confighash{$key}[36] = $cgiparams{'CCD_DNS2'}; $confighash{$key}[37] = $cgiparams{'CCD_WINS'}; - $confighash{$key}[38] = $cgiparams{'PMTU_DISCOVERY'}; $confighash{$key}[39] = $cgiparams{'DAUTH'}; $confighash{$key}[40] = $cgiparams{'DCIPHER'}; @@ -4477,7 +4437,6 @@ if ($cgiparams{'TYPE'} eq 'net') { ### $cgiparams{'MSSFIX'} = 'on'; $cgiparams{'FRAGMENT'} = '1300'; - $cgiparams{'PMTU_DISCOVERY'} = 'off'; $cgiparams{'DAUTH'} = 'SHA512'; ### # m.a.d n2n end @@ -4495,7 +4454,7 @@ if ($cgiparams{'TYPE'} eq 'net') { $cgiparams{'CERT_CITY'} = $vpnsettings{'ROOTCERT_CITY'}; $cgiparams{'CERT_STATE'} = $vpnsettings{'ROOTCERT_STATE'}; $cgiparams{'CERT_COUNTRY'} = $vpnsettings{'ROOTCERT_COUNTRY'}; - $cgiparams{'DAYS_VALID'} = $vpnsettings{'DAYS_VALID'}; + $cgiparams{'DAYS_VALID'} = $vpnsettings{'DAYS_VALID'} = '730'; } VPNCONF_ERROR: @@ -4539,11 +4498,9 @@ if ($cgiparams{'TYPE'} eq 'net') { $checked{'MSSFIX'}{'on'} = ''; $checked{'MSSFIX'}{$cgiparams{'MSSFIX'}} = 'CHECKED'; - if ($cgiparams{'PMTU_DISCOVERY'} eq '') { - $cgiparams{'PMTU_DISCOVERY'} = 'off'; - } - $checked{'PMTU_DISCOVERY'}{$cgiparams{'PMTU_DISCOVERY'}} = 'checked=\'checked\''; - + $selected{'DCIPHER'}{'AES-256-GCM'} = ''; + $selected{'DCIPHER'}{'AES-192-GCM'} = ''; + $selected{'DCIPHER'}{'AES-128-GCM'} = ''; $selected{'DCIPHER'}{'CAMELLIA-256-CBC'} = ''; $selected{'DCIPHER'}{'CAMELLIA-192-CBC'} = ''; $selected{'DCIPHER'}{'CAMELLIA-128-CBC'} = ''; @@ -4568,12 +4525,10 @@ if ($cgiparams{'TYPE'} eq 'net') { $selected{'DAUTH'}{'SHA384'} = ''; $selected{'DAUTH'}{'SHA256'} = ''; $selected{'DAUTH'}{'SHA1'} = ''; - # If no hash algorythm has been choosen yet, select - # the old default value (SHA1) for compatiblity reasons. - if ($cgiparams{'DAUTH'} eq '') { - $cgiparams{'DAUTH'} = 'SHA1'; - } $selected{'DAUTH'}{$cgiparams{'DAUTH'}} = 'SELECTED'; + $checked{'TLSAUTH'}{'off'} = ''; + $checked{'TLSAUTH'}{'on'} = ''; + $checked{'TLSAUTH'}{$cgiparams{'TLSAUTH'}} = 'CHECKED'; if (1) { &Header::showhttpheaders(); @@ -4629,6 +4584,15 @@ if ($cgiparams{'TYPE'} eq 'net') { } else { print ""; } + + # If GCM ciphers are in usage, HMAC menu is disabled + my $hmacdisabled; + if (($confighash{$cgiparams{'KEY'}}[40] eq 'AES-256-GCM') || + ($confighash{$cgiparams{'KEY'}}[40] eq 'AES-192-GCM') || + ($confighash{$cgiparams{'KEY'}}[40] eq 'AES-128-GCM')) { + $hmacdisabled = "disabled='disabled'"; + }; + print <    @@ -4692,39 +4656,33 @@ if ($cgiparams{'TYPE'} eq 'net') { - $Lang::tr{'ovpn mtu-disc'} - - $Lang::tr{'ovpn mtu-disc yes'} - $Lang::tr{'ovpn mtu-disc maybe'} - $Lang::tr{'ovpn mtu-disc no'} - $Lang::tr{'ovpn mtu-disc off'} - - -
$Lang::tr{'ovpn crypt options'}: $Lang::tr{'cipher'} - + + + - - - - - - + + + + + + $Lang::tr{'ovpn ha'}: - @@ -4738,6 +4696,22 @@ if ($cgiparams{'TYPE'} eq 'net') { END ; } + +#### JAVA SCRIPT #### +# Validate N2N cipher. If GCM will be used, HMAC menu will be disabled onchange +print< + var disable_options = false; + document.getElementById('n2ncipher').onchange = function () { + if((this.value == "AES-256-GCM"||this.value == "AES-192-GCM"||this.value == "AES-128-GCM")) { + document.getElementById('n2nhmac').setAttribute('disabled', true); + } else { + document.getElementById('n2nhmac').removeAttribute('disabled'); + } + } + +END + #jumper print "$Lang::tr{'remark title'}"; print ""; @@ -4858,7 +4832,7 @@ END if ($cgiparams{'TYPE'} eq 'host') { print < -  $Lang::tr{'valid till'} (days): +  $Lang::tr{'valid till'} (days): *   $Lang::tr{'pkcs12 file password'}: @@ -4873,7 +4847,7 @@ END }else{ print < -  $Lang::tr{'valid till'} (days): +  $Lang::tr{'valid till'} (days): *         @@ -5090,8 +5064,20 @@ END $cgiparams{'MSSFIX'} = 'off'; } if ($cgiparams{'DAUTH'} eq '') { - $cgiparams{'DAUTH'} = 'SHA512'; - } + if (-z "${General::swroot}/ovpn/ovpnconfig") { + $cgiparams{'DAUTH'} = 'SHA512'; + } + foreach my $key (keys %confighash) { + if ($confighash{$key}[3] ne 'host') { + $cgiparams{'DAUTH'} = 'SHA512'; + } else { + $cgiparams{'DAUTH'} = 'SHA1'; + } + } + } + if ($cgiparams{'TLSAUTH'} eq '') { + $cgiparams{'TLSAUTH'} = 'off'; + } if ($cgiparams{'DOVPN_SUBNET'} eq '') { $cgiparams{'DOVPN_SUBNET'} = '10.' . int(rand(256)) . '.' . int(rand(256)) . '.0/255.255.255.0'; } @@ -5109,6 +5095,9 @@ END $selected{'DPROTOCOL'}{'tcp'} = ''; $selected{'DPROTOCOL'}{$cgiparams{'DPROTOCOL'}} = 'SELECTED'; + $selected{'DCIPHER'}{'AES-256-GCM'} = ''; + $selected{'DCIPHER'}{'AES-192-GCM'} = ''; + $selected{'DCIPHER'}{'AES-128-GCM'} = ''; $selected{'DCIPHER'}{'CAMELLIA-256-CBC'} = ''; $selected{'DCIPHER'}{'CAMELLIA-192-CBC'} = ''; $selected{'DCIPHER'}{'CAMELLIA-128-CBC'} = ''; @@ -5131,6 +5120,10 @@ END $selected{'DAUTH'}{'SHA1'} = ''; $selected{'DAUTH'}{$cgiparams{'DAUTH'}} = 'SELECTED'; + $checked{'TLSAUTH'}{'off'} = ''; + $checked{'TLSAUTH'}{'on'} = ''; + $checked{'TLSAUTH'}{$cgiparams{'TLSAUTH'}} = 'CHECKED'; + $checked{'DCOMPLZO'}{'off'} = ''; $checked{'DCOMPLZO'}{'on'} = ''; $checked{'DCOMPLZO'}{$cgiparams{'DCOMPLZO'}} = 'CHECKED'; @@ -5151,6 +5144,20 @@ END &Header::closebox(); } + if ($cryptoerror) { + &Header::openbox('100%', 'LEFT', $Lang::tr{'crypto error'}); + print "$cryptoerror"; + print " "; + &Header::closebox(); + } + + if ($cryptowarning) { + &Header::openbox('100%', 'LEFT', $Lang::tr{'crypto warning'}); + print "$cryptowarning"; + print " "; + &Header::closebox(); + } + if ($warnmessage) { &Header::openbox('100%', 'LEFT', $Lang::tr{'warning messages'}); print "$warnmessage
"; @@ -5191,8 +5198,16 @@ END if (&haveOrangeNet()) { print "$Lang::tr{'ovpn on orange'}"; print ""; - } - print <
+ + $Lang::tr{'net config'}: + +
+ $Lang::tr{'local vpn hostname/ip'}:
$Lang::tr{'ovpn subnet'}
$Lang::tr{'protocol'} @@ -5202,26 +5217,52 @@ END $Lang::tr{'MTU'}  + + +
+ + $Lang::tr{'ovpn crypt options'}: + +
+ + + $Lang::tr{'ovpn ha'} + + $Lang::tr{'cipher'} - $Lang::tr{'comp-lzo'} - + +
+ + $Lang::tr{'ovpn tls auth'} + + +

END ;