X-Git-Url: http://git.ipfire.org/?a=blobdiff_plain;f=html%2Fcgi-bin%2Fvpnmain.cgi;h=3652627e9b3e48d17de98e822ef774e04488c565;hb=f605a2d303f9239963b0049ff308b25b7782b691;hp=2b523bbc4d7641b1b6e4793a39210f5838737317;hpb=5b2e16dde2920a411919ef20ace35f1c1d6813b0;p=ipfire-2.x.git diff --git a/html/cgi-bin/vpnmain.cgi b/html/cgi-bin/vpnmain.cgi index 2b523bbc4d..3652627e9b 100644 --- a/html/cgi-bin/vpnmain.cgi +++ b/html/cgi-bin/vpnmain.cgi @@ -124,6 +124,7 @@ $cgiparams{'MODE'} = "tunnel"; $cgiparams{'INTERFACE_MODE'} = ""; $cgiparams{'INTERFACE_ADDRESS'} = ""; $cgiparams{'INTERFACE_MTU'} = 1500; +$cgiparams{'DNS_SERVERS'} = ""; &Header::getcgihash(\%cgiparams, {'wantfile' => 1, 'filevar' => 'FH'}); my %APPLE_CIPHERS = ( @@ -207,10 +208,12 @@ sub newcleanssldatabase { close FILE; } if (! -s ">${General::swroot}/certs/index.txt") { - system ("touch ${General::swroot}/certs/index.txt"); + open(FILE, ">${General::swroot}/certs/index.txt"); + close(FILE); } if (! -s ">${General::swroot}/certs/index.txt.attr") { - system ("touch ${General::swroot}/certs/index.txt.attr"); + open(FILE, ">${General::swroot}/certs/index.txt.attr"); + close(FILE); } unlink ("${General::swroot}/certs/index.txt.old"); unlink ("${General::swroot}/certs/index.txt.attr.old"); @@ -349,6 +352,12 @@ sub writeipsecfiles { print CONF "\tleftfirewall=yes\n"; print CONF "\tlefthostaccess=yes\n"; + + # Always send the host certificate + if ($lconfighash{$key}[3] eq 'host') { + print CONF "\tleftsendcert=always\n"; + } + print CONF "\tright=$lconfighash{$key}[10]\n"; if ($lconfighash{$key}[3] eq 'net') { @@ -511,6 +520,13 @@ sub writeipsecfiles { # Fragmentation print CONF "\tfragmentation=yes\n"; + # DNS Servers for RW + if ($lconfighash{$key}[3] eq 'host') { + my @servers = split(/\|/, $lconfighash{$key}[39]); + + print CONF "\trightdns=" . join(",", @servers) . "\n"; + } + print CONF "\n"; } #foreach key 
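Review bot: The `open(FILE, ">${General::swroot}/certs/index.txt")` that replaces `touch` truncates the file instead of merely creating it, and its guard `-s ">${General::swroot}/certs/index.txt"` tests a path that literally begins with `>`, so `! -s` is always true and the truncation runs on every call (the index.txt.attr branch is identical). If wiping the index is what newcleanssldatabase intends, the guard is dead code and should go; otherwise the `>` belongs outside the quoted path. The open is also two-argument, on a bareword handle and unchecked; write it as `open(my $idx, '>', "${General::swroot}/certs/index.txt") or die "index.txt: $!";` (or route `$!` into the caller's error path the way the move() calls in this commit do) and `close($idx);`. The sub begins before this hunk.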
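Review bot: `rightdns=` is written for every host-type connection even when field 39 is empty, which is the case for every connection saved before this commit (hunk -2147 only pads new entries to index 39), so those entries get a bare `rightdns=` in ipsec.conf and the `split` on an undefined field raises an uninitialized-value warning. Emit the line only when there is something to send: `print CONF "\trightdns=" . join(",", @servers) . "\n" if (@servers);`. The enclosing foreach over `%lconfighash` starts before this hunk.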
@@ -554,9 +570,9 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'save'} && $cgiparams{'TYPE'} eq '' && $cg &General::writehash("${General::swroot}/vpn/settings", \%vpnsettings); &writeipsecfiles(); if (&vpnenabled) { - system('/usr/local/bin/ipsecctrl', 'S'); + &General::system('/usr/local/bin/ipsecctrl', 'S'); } else { - system('/usr/local/bin/ipsecctrl', 'D'); + &General::system('/usr/local/bin/ipsecctrl', 'D'); } sleep $sleepDelay; SAVE_ERROR: @@ -581,7 +597,7 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'save'} && $cgiparams{'TYPE'} eq '' && $cg } &General::writehasharray("${General::swroot}/vpn/config", \%confighash); &writeipsecfiles(); - system('/usr/local/bin/ipsecctrl', 'R'); + &General::system('/usr/local/bin/ipsecctrl', 'R'); sleep $sleepDelay; ### @@ -659,8 +675,7 @@ END unlink ($filename); goto UPLOADCA_ERROR; } else { - move($filename, "${General::swroot}/ca/$cgiparams{'CA_NAME'}cert.pem"); - if ($? ne 0) { + unless(move($filename, "${General::swroot}/ca/$cgiparams{'CA_NAME'}cert.pem")) { $errormessage = "$Lang::tr{'certificate file move failed'}: $!"; unlink ($filename); goto UPLOADCA_ERROR; @@ -672,7 +687,7 @@ END $cahash{$key}[1] = &Header::cleanhtml(getsubjectfromcert ("${General::swroot}/ca/$cgiparams{'CA_NAME'}cert.pem")); &General::writehasharray("${General::swroot}/vpn/caconfig", \%cahash); - system('/usr/local/bin/ipsecctrl', 'R'); + &General::system('/usr/local/bin/ipsecctrl', 'R'); sleep $sleepDelay; UPLOADCA_ERROR: 
@@ -688,8 +703,8 @@ END &Header::openpage($Lang::tr{'ipsec'}, 1, ''); &Header::openbigbox('100%', 'left', '', ''); &Header::openbox('100%', 'left', "$Lang::tr{'ca certificate'}:"); - my $output = `/usr/bin/openssl x509 -text -in ${General::swroot}/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem`; - $output = &Header::cleanhtml($output,"y"); + my @output = &General::system_output("/usr/bin/openssl", "x509", "-text", "-in", "${General::swroot}/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem"); + my $output = &Header::cleanhtml(join("", @output) ,"y"); print "
$output
\n"; &Header::closebox(); print "
$Lang::tr{'back'}
"; @@ -710,7 +725,9 @@ END print "Content-Type: application/force-download\n"; print "Content-Type: application/octet-stream\r\n"; print "Content-Disposition: attachment; filename=$cahash{$cgiparams{'KEY'}}[0]cert.pem\r\n\r\n"; - print `/usr/bin/openssl x509 -in ${General::swroot}/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem`; + + my @cert = &General::system_output("/usr/bin/openssl", "x509", "-in", "${General::swroot}/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem"); + print "@cert"; exit(0); } else { $errormessage = $Lang::tr{'invalid key'}; @@ -725,21 +742,21 @@ END if ( -f "${General::swroot}/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem" ) { foreach my $key (keys %confighash) { - my $test = `/usr/bin/openssl verify -CAfile ${General::swroot}/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem ${General::swroot}/certs/$confighash{$key}[1]cert.pem`; - if ($test =~ /: OK/) { + my @test = &General::system_output("/usr/bin/openssl", "verify", "-CAfile", "${General::swroot}/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem", "${General::swroot}/certs/$confighash{$key}[1]cert.pem"); + if (grep(/: OK/, @test)) { # Delete connection unlink ("${General::swroot}/certs/$confighash{$key}[1]cert.pem"); unlink ("${General::swroot}/certs/$confighash{$key}[1].p12"); delete $confighash{$key}; &General::writehasharray("${General::swroot}/vpn/config", \%confighash); &writeipsecfiles(); - system('/usr/local/bin/ipsecctrl', 'D', $key) if (&vpnenabled); + &General::system('/usr/local/bin/ipsecctrl', 'D', $key) if (&vpnenabled); } } unlink ("${General::swroot}/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem"); delete $cahash{$cgiparams{'KEY'}}; &General::writehasharray("${General::swroot}/vpn/caconfig", \%cahash); - system('/usr/local/bin/ipsecctrl', 'R'); + &General::system('/usr/local/bin/ipsecctrl', 'R'); sleep $sleepDelay; } else { $errormessage = $Lang::tr{'invalid key'}; 
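Review bot: `print "@cert";` interpolates the array with `$"` (a single space) between elements, so every certificate line after the first is sent with a leading space, whereas hunks -829, -839 and -1214 in this same commit use `join("", ...)`. Use `print join("", @cert);` here and `print join("", @pem);` for the matching `print "@pem";` in hunk -1467, so the downloaded PEM is byte-identical to the file on disk. The surrounding `if`/`else` on the CA key starts before this hunk.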
@@ -754,8 +771,8 @@ END my $assignedcerts = 0; if ( -f "${General::swroot}/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem" ) { foreach my $key (keys %confighash) { - my $test = `/usr/bin/openssl verify -CAfile ${General::swroot}/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem ${General::swroot}/certs/$confighash{$key}[1]cert.pem`; - if ($test =~ /: OK/) { + my @test = &General::system_output("/usr/bin/openssl", "verify", "-CAfile", "${General::swroot}/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem", "${General::swroot}/certs/$confighash{$key}[1]cert.pem"); + if (grep(/: OK/, @test)) { $assignedcerts++; } } @@ -791,7 +808,7 @@ END unlink ("${General::swroot}/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem"); delete $cahash{$cgiparams{'KEY'}}; &General::writehasharray("${General::swroot}/vpn/caconfig", \%cahash); - system('/usr/local/bin/ipsecctrl', 'R'); + &General::system('/usr/local/bin/ipsecctrl', 'R'); sleep $sleepDelay; } } else { @@ -803,18 +820,18 @@ END ### } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'show root certificate'} || $cgiparams{'ACTION'} eq $Lang::tr{'show host certificate'}) { - my $output; + my @output; &Header::showhttpheaders(); &Header::openpage($Lang::tr{'ipsec'}, 1, ''); &Header::openbigbox('100%', 'left', '', ''); if ($cgiparams{'ACTION'} eq $Lang::tr{'show root certificate'}) { &Header::openbox('100%', 'left', "$Lang::tr{'root certificate'}:"); - $output = `/usr/bin/openssl x509 -text -in ${General::swroot}/ca/cacert.pem`; + @output = &General::system_output("/usr/bin/openssl", "x509", "-text", "-in", "${General::swroot}/ca/cacert.pem"); } else { &Header::openbox('100%', 'left', "$Lang::tr{'host certificate'}:"); - $output = `/usr/bin/openssl x509 -text -in ${General::swroot}/certs/hostcert.pem`; + @output = &General::system_output("/usr/bin/openssl", "x509", "-text", "-in", "${General::swroot}/certs/hostcert.pem"); } - $output = &Header::cleanhtml($output,"y"); + my $output = &Header::cleanhtml(join("", @output) ,"y"); print "
$output
\n"; &Header::closebox(); print "
$Lang::tr{'back'}
"; @@ -829,7 +846,9 @@ END if ( -f "${General::swroot}/ca/cacert.pem" ) { print "Content-Type: application/force-download\n"; print "Content-Disposition: attachment; filename=cacert.pem\r\n\r\n"; - print `/usr/bin/openssl x509 -in ${General::swroot}/ca/cacert.pem`; + + my @cert = &General::system_output("/usr/bin/openssl", "x509", "-in", "${General::swroot}/ca/cacert.pem"); + print join("", @cert); exit(0); } ### @@ -839,7 +858,9 @@ END if ( -f "${General::swroot}/certs/hostcert.pem" ) { print "Content-Type: application/force-download\n"; print "Content-Disposition: attachment; filename=hostcert.pem\r\n\r\n"; - print `/usr/bin/openssl x509 -in ${General::swroot}/certs/hostcert.pem`; + + my @cert = &General::system_output("/usr/bin/openssl", "x509", "-in", "${General::swroot}/certs/hostcert.pem"); + print join("", @cert); exit(0); } ### @@ -925,20 +946,23 @@ END if (!$errormessage) { &General::log("ipsec", "Moving cacert..."); - move("/tmp/newcacert", "${General::swroot}/ca/cacert.pem"); - $errormessage = "$Lang::tr{'certificate file move failed'}: $!" if ($? ne 0); + unless(move("/tmp/newcacert", "${General::swroot}/ca/cacert.pem")) { + $errormessage = "$Lang::tr{'certificate file move failed'}: $!"; + } } if (!$errormessage) { &General::log("ipsec", "Moving host cert..."); - move("/tmp/newhostcert", "${General::swroot}/certs/hostcert.pem"); - $errormessage = "$Lang::tr{'certificate file move failed'}: $!" if ($? ne 0); + unless(move("/tmp/newhostcert", "${General::swroot}/certs/hostcert.pem")) { + $errormessage = "$Lang::tr{'certificate file move failed'}: $!"; + } } if (!$errormessage) { &General::log("ipsec", "Moving private key..."); - move("/tmp/newhostkey", "${General::swroot}/certs/hostkey.pem"); - $errormessage = "$Lang::tr{'certificate file move failed'}: $!" if ($? ne 0); + unless(move("/tmp/newhostkey", "${General::swroot}/certs/hostkey.pem")) { + $errormessage = "$Lang::tr{'certificate file move failed'}: $!"; + } } #cleanup temp files 
@@ -1202,7 +1226,7 @@ END ROOTCERT_SUCCESS: if (&vpnenabled) { - system('/usr/local/bin/ipsecctrl', 'S'); + &General::system('/usr/local/bin/ipsecctrl', 'S'); sleep $sleepDelay; } ROOTCERT_SKIP: @@ -1214,7 +1238,12 @@ END print "Content-Type: application/force-download\n"; print "Content-Disposition: attachment; filename=" . $confighash{$cgiparams{'KEY'}}[1] . ".p12\r\n"; print "Content-Type: application/octet-stream\r\n\r\n"; - print `/bin/cat ${General::swroot}/certs/$confighash{$cgiparams{'KEY'}}[1].p12`; + + open(FILE, "${General::swroot}/certs/$confighash{$cgiparams{'KEY'}}[1].p12"); + my @p12 = ; + close(FILE); + print join("", @p12); + exit (0); # Export Apple profile to browser @@ -1232,13 +1261,23 @@ END my $uuid1 = $uuid->create_str(); my $uuid2 = $uuid->create_str(); + my $ca = ""; + my $ca_uuid = $uuid->create_str(); + my $cert = ""; my $cert_uuid = $uuid->create_str(); - # Read and encode certificate + # Read and encode the CA & certificate if ($confighash{$key}[4] eq "cert") { + my $ca_path = "${General::swroot}/ca/cacert.pem"; my $cert_path = "${General::swroot}/certs/$confighash{$key}[1].p12"; + # Read the CA and encode it into Base64 + open(CA, "<${ca_path}"); + local($/) = undef; # slurp + $ca = MIME::Base64::encode_base64(); + close(CA); + # Read certificate and encode it into Base64 open(CERT, "<${cert_path}"); local($/) = undef; # slurp @@ -1376,14 +1415,28 @@ END # Left ID if ($confighash{$key}[9]) { + my $leftid = $confighash{$key}[9]; + + # Strip leading @ from FQDNs + if ($leftid =~ m/^@(.*)$/) { + $leftid = $1; + } + print " LocalIdentifier\n"; - print " $confighash{$key}[9]\n"; + print " $leftid\n"; } # Right ID if ($confighash{$key}[7]) { + my $rightid = $confighash{$key}[7]; + + # Strip leading @ from FQDNs + if ($rightid =~ m/^@(.*)$/) { + $rightid = $1; + } + print " RemoteIdentifier\n"; - print " $confighash{$key}[7]\n"; + print " $rightid\n"; } if ($confighash{$key}[4] eq "cert") { 
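Review bot: The new `open(FILE, "${General::swroot}/certs/$confighash{$cgiparams{'KEY'}}[1].p12")` is two-argument, on a bareword handle, has no `binmode`, and its result is never checked, so a missing or unreadable .p12 still gets the force-download headers and an empty 200 body; the readline on the next line shows as `my @p12 = ;`, which looks like stripped `<FILE>` markup rather than the committed text. Prefer `open(my $p12, '<', "${General::swroot}/certs/$confighash{$cgiparams{'KEY'}}[1].p12") or die "p12: $!";` followed by `binmode($p12);`, ideally before the headers go out, and read from `$p12`. The same unchecked two-argument opens appear in hunk -1232 (`open(CA, "<${ca_path}")`, which silently embeds an empty CA payload in the Apple profile when the open fails) and in hunk -1467.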
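Review bot: `if ($leftid =~ m/^@(.*)$/) { $leftid = $1; }` is a substitution written as a match plus capture; `$leftid =~ s/^@//;` says the same thing in one line and avoids the `$1` hand-off (likewise for `$rightid`). Both values are then printed into the plist unescaped; if a VPN id can carry `&` or `<` the string element would be malformed, so whether escaping is needed here is worth confirming against the id validation, which is outside this hunk.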
@@ -1414,6 +1467,8 @@ END print " \n"; print " PayloadIdentifier\n"; print " org.example.vpn1.client\n"; + print " PayloadDisplayName\n"; + print " $confighash{$key}[1]\n"; print " PayloadUUID\n"; print " ${cert_uuid}\n"; print " PayloadType\n"; @@ -1429,6 +1484,25 @@ END print " \n"; print " \n"; + + print " \n"; + print " PayloadIdentifier\n"; + print " org.example.ca\n"; + print " PayloadUUID\n"; + print " ${ca_uuid}\n"; + print " PayloadType\n"; + print " com.apple.security.root\n"; + print " PayloadVersion\n"; + print " 1\n"; + print " PayloadContent\n"; + print " \n"; + + foreach (split /\n/,${ca}) { + print " $_\n"; + } + + print " \n"; + print " \n"; } print " \n"; @@ -1448,8 +1522,8 @@ END &Header::openpage($Lang::tr{'ipsec'}, 1, ''); &Header::openbigbox('100%', 'left', '', ''); &Header::openbox('100%', 'left', "$Lang::tr{'cert'}:"); - my $output = `/usr/bin/openssl x509 -text -in ${General::swroot}/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem`; - $output = &Header::cleanhtml($output,"y"); + my @output = &General::system_output("/usr/bin/openssl", "x509", "-text", "-in", "${General::swroot}/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem"); + my $output = &Header::cleanhtml(join("", @output) ,"y"); print "
$output
\n"; &Header::closebox(); print "
$Lang::tr{'back'}
"; @@ -1467,7 +1541,12 @@ END if ( -f "${General::swroot}/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem") { print "Content-Type: application/force-download\n"; print "Content-Disposition: attachment; filename=" . $confighash{$cgiparams{'KEY'}}[1] . "cert.pem\n\n"; - print `/bin/cat ${General::swroot}/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem`; + + open(FILE, "${General::swroot}/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem"); + my @pem = ; + close(FILE); + print "@pem"; + exit (0); } @@ -1484,12 +1563,12 @@ END $confighash{$cgiparams{'KEY'}}[0] = 'on'; &General::writehasharray("${General::swroot}/vpn/config", \%confighash); &writeipsecfiles(); - system('/usr/local/bin/ipsecctrl', 'S', $cgiparams{'KEY'}) if (&vpnenabled); + &General::system('/usr/local/bin/ipsecctrl', 'S', $cgiparams{'KEY'}) if (&vpnenabled); } else { $confighash{$cgiparams{'KEY'}}[0] = 'off'; &General::writehasharray("${General::swroot}/vpn/config", \%confighash); &writeipsecfiles(); - system('/usr/local/bin/ipsecctrl', 'D', $cgiparams{'KEY'}) if (&vpnenabled); + &General::system('/usr/local/bin/ipsecctrl', 'D', $cgiparams{'KEY'}) if (&vpnenabled); } sleep $sleepDelay; } else { @@ -1505,7 +1584,7 @@ END if ($confighash{$cgiparams{'KEY'}}) { if (&vpnenabled) { - system('/usr/local/bin/ipsecctrl', 'S', $cgiparams{'KEY'}); + &General::system('/usr/local/bin/ipsecctrl', 'S', $cgiparams{'KEY'}); sleep $sleepDelay; } } else { @@ -1525,7 +1604,7 @@ END delete $confighash{$cgiparams{'KEY'}}; &General::writehasharray("${General::swroot}/vpn/config", \%confighash); &writeipsecfiles(); - system('/usr/local/bin/ipsecctrl', 'D', $cgiparams{'KEY'}) if (&vpnenabled); + &General::system('/usr/local/bin/ipsecctrl', 'D', $cgiparams{'KEY'}) if (&vpnenabled); } else { $errormessage = $Lang::tr{'invalid key'}; } 
@@ -1612,6 +1691,7 @@ END $cgiparams{'INTERFACE_MODE'} = $confighash{$cgiparams{'KEY'}}[36]; $cgiparams{'INTERFACE_ADDRESS'} = $confighash{$cgiparams{'KEY'}}[37]; $cgiparams{'INTERFACE_MTU'} = $confighash{$cgiparams{'KEY'}}[38]; + $cgiparams{'DNS_SERVERS'} = $confighash{$cgiparams{'KEY'}}[39]; if (!$cgiparams{'DPD_DELAY'}) { $cgiparams{'DPD_DELAY'} = 30; @@ -1745,6 +1825,16 @@ END } } + if ($cgiparams{'TYPE'} eq 'host') { + my @servers = split(",", $cgiparams{'DNS_SERVERS'}); + foreach my $server (@servers) { + unless (&Network::check_ip_address($server)) { + $errormessage = $Lang::tr{'ipsec dns server address is invalid'}; + goto VPNCONF_ERROR; + } + } + } + if ($cgiparams{'ENABLED'} !~ /^(on|off)$/) { $errormessage = $Lang::tr{'invalid input'}; goto VPNCONF_ERROR; @@ -1882,8 +1972,8 @@ END unshift (@names,$cahash{$x}[0]); } if ($casubject) { # a new one! - my $temp = `/usr/bin/openssl x509 -text -in /tmp/newcacert`; - if ($temp !~ /CA:TRUE/i) { + my @temp = &General::system_output("/usr/bin/openssl", "x509", "-text", "-in", "/tmp/newcacert"); + if (! grep(/CA:TRUE/, @temp)) { $errormessage = $Lang::tr{'not a valid ca certificate'}; } else { #compute a name for it 
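Review bot: The DNS_SERVERS check only runs when `$cgiparams{'TYPE'} eq 'host'`, but hunk -2198 stores `$confighash{$key}[39] = join("|", split(",", $cgiparams{'DNS_SERVERS'}))` for every type, so a net-type connection writes an unvalidated string into vpn/config. Either validate whenever the field is non-empty, or store `($cgiparams{'TYPE'} eq 'host') ? join("|", split(",", $cgiparams{'DNS_SERVERS'})) : ""` in hunk -2198 so the gate and the store agree. Separately, a typed `1.1.1.1, 9.9.9.9` fails on `" 9.9.9.9"`; splitting with `split(/\s*,\s*/, $cgiparams{'DNS_SERVERS'})` in both places tolerates that.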
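Review bot: `grep(/CA:TRUE/, @temp)` drops the `/i` that the replaced `$temp !~ /CA:TRUE/i` carried, so this is not a pure backtick-to-list-form conversion. `openssl x509 -text` prints `CA:TRUE` in upper case, so it most likely still matches, but keeping `if (! grep(/CA:TRUE/i, @temp)) {` makes the conversion behaviour-preserving and avoids a silent change next to the untouched `/: OK/` checks in hunk -1938.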
@@ -1891,22 +1981,26 @@ END while (grep(/Imported-$idx/, @names) ) {$idx++}; $cgiparams{'CA_NAME'}="Imported-$idx"; $cgiparams{'CERT_NAME'}=&Header::cleanhtml(getCNfromcert ('/tmp/newhostcert')); - move("/tmp/newcacert", "${General::swroot}/ca/$cgiparams{'CA_NAME'}cert.pem"); - $errormessage = "$Lang::tr{'certificate file move failed'}: $!" if ($? ne 0); + + unless(move("/tmp/newcacert", "${General::swroot}/ca/$cgiparams{'CA_NAME'}cert.pem")) { + $errormessage = "$Lang::tr{'certificate file move failed'}: $!"; + } + if (!$errormessage) { my $key = &General::findhasharraykey (\%cahash); $cahash{$key}[0] = $cgiparams{'CA_NAME'}; $cahash{$key}[1] = $casubject; &General::writehasharray("${General::swroot}/vpn/caconfig", \%cahash); - system('/usr/local/bin/ipsecctrl', 'R'); + &General::system('/usr/local/bin/ipsecctrl', 'R'); } } } } if (!$errormessage) { &General::log("ipsec", "Moving host cert..."); - move("/tmp/newhostcert", "${General::swroot}/certs/$cgiparams{'NAME'}cert.pem"); - $errormessage = "$Lang::tr{'certificate file move failed'}: $!" if ($? ne 0); + unless(move("/tmp/newhostcert", "${General::swroot}/certs/$cgiparams{'NAME'}cert.pem")) { + $errormessage = "$Lang::tr{'certificate file move failed'}: $!"; + } } #cleanup temp files 
@@ -1938,12 +2032,12 @@ END # Verify the certificate has a valid CA and move it &General::log("ipsec", "Validating imported cert against our known CA..."); my $validca = 1; #assume ok - my $test = `/usr/bin/openssl verify -CAfile ${General::swroot}/ca/cacert.pem $filename`; - if ($test !~ /: OK/) { + my @test = &General::system_output("/usr/bin/openssl", "verify", "-CAfile", "${General::swroot}/ca/cacert.pem", "$filename"); + if (! grep(/: OK/, @test)) { my $validca = 0; foreach my $key (keys %cahash) { - $test = `/usr/bin/openssl verify -CAfile ${General::swroot}/ca/$cahash{$key}[0]cert.pem $filename`; - if ($test =~ /: OK/) { + @test = &General::system_output("/usr/bin/openssl", "verify", "-CAfile", "${General::swroot}/ca/$cahash{$key}[0]cert.pem", "$filename"); + if (grep(/: OK/, @test)) { $validca = 1; last; } @@ -1954,9 +2048,8 @@ END unlink ($filename); goto VPNCONF_ERROR; } else { - move($filename, "${General::swroot}/certs/$cgiparams{'NAME'}cert.pem"); - if ($? ne 0) { - $errormessage = "$Lang::tr{'certificate file move failed'}: $!"; + unless (move($filename, "${General::swroot}/certs/$cgiparams{'NAME'}cert.pem")) { + $errormessage = "$Lang::tr{'certificate file move failed'} ($filename): $!"; unlink ($filename); goto VPNCONF_ERROR; } @@ -2147,7 +2240,7 @@ END my $key = $cgiparams{'KEY'}; if (! $key) { $key = &General::findhasharraykey (\%confighash); - foreach my $i (0 .. 38) { $confighash{$key}[$i] = "";} + foreach my $i (0 .. 39) { $confighash{$key}[$i] = "";} } $confighash{$key}[0] = $cgiparams{'ENABLED'}; $confighash{$key}[1] = $cgiparams{'NAME'}; @@ -2198,6 +2291,7 @@ END $confighash{$key}[36] = $cgiparams{'INTERFACE_MODE'}; $confighash{$key}[37] = $cgiparams{'INTERFACE_ADDRESS'}; $confighash{$key}[38] = $cgiparams{'INTERFACE_MTU'}; + $confighash{$key}[39] = join("|", split(",", $cgiparams{'DNS_SERVERS'})); # free unused fields! $confighash{$key}[15] = 'off'; 
@@ -2205,7 +2299,7 @@ END &General::writehasharray("${General::swroot}/vpn/config", \%confighash); &writeipsecfiles(); if (&vpnenabled) { - system('/usr/local/bin/ipsecctrl', 'S', $key); + &General::system('/usr/local/bin/ipsecctrl', 'S', $key); sleep $sleepDelay; } if ($cgiparams{'EDIT_ADVANCED'} eq 'on') { @@ -2266,11 +2360,11 @@ END #use default advanced value $cgiparams{'IKE_ENCRYPTION'} = 'chacha20poly1305|aes256gcm128|aes256gcm96|aes256gcm64|aes256|aes192gcm128|aes192gcm96|aes192gcm64|aes192|aes128gcm128|aes128gcm96|aes128gcm64|aes128'; #[18]; $cgiparams{'IKE_INTEGRITY'} = 'sha2_512|sha2_256'; #[19]; - $cgiparams{'IKE_GROUPTYPE'} = 'curve25519|curve448|4096|3072|2048'; #[20]; + $cgiparams{'IKE_GROUPTYPE'} = 'curve448|curve25519|4096|3072|2048'; #[20]; $cgiparams{'IKE_LIFETIME'} = '3'; #[16]; $cgiparams{'ESP_ENCRYPTION'} = 'chacha20poly1305|aes256gcm128|aes256gcm96|aes256gcm64|aes256|aes192gcm128|aes192gcm96|aes192gcm64|aes192|aes128gcm128|aes128gcm96|aes128gcm64|aes128'; #[21]; $cgiparams{'ESP_INTEGRITY'} = 'sha2_512|sha2_256'; #[22]; - $cgiparams{'ESP_GROUPTYPE'} = 'curve25519|curve448|4096|3072|2048'; #[23]; + $cgiparams{'ESP_GROUPTYPE'} = 'curve448|curve25519|4096|3072|2048'; #[23]; $cgiparams{'ESP_KEYLIFE'} = '1'; #[17]; $cgiparams{'COMPRESSION'} = 'off'; #[13]; $cgiparams{'ONLY_PROPOSED'} = 'on'; #[24]; @@ -2280,6 +2374,7 @@ END $cgiparams{'INTERFACE_MODE'} = ""; $cgiparams{'INTERFACE_ADDRESS'} = ""; $cgiparams{'INTERFACE_MTU'} = 1500; + $cgiparams{'DNS_SERVERS'} = ""; } VPNCONF_ERROR: @@ -2376,11 +2471,8 @@ END EOF } - my $disabled; - my $blob; - if ($cgiparams{'TYPE'} eq 'host') { - $disabled = "disabled='disabled'"; - } elsif ($cgiparams{'TYPE'} eq 'net') { + my $blob = ""; + if ($cgiparams{'TYPE'} eq 'net') { $blob = "*"; }; 
@@ -2390,6 +2482,9 @@ EOF my @remote_subnets = split(/\|/, $cgiparams{'REMOTE_SUBNET'}); my $remote_subnets = join(",", @remote_subnets); + my @dns_servers = split(/\|/, $cgiparams{'DNS_SERVERS'}); + my $dns_servers = join(",", @dns_servers); + print < $Lang::tr{'enabled'} @@ -2425,10 +2520,26 @@ END - $Lang::tr{'remote subnet'} $blob +END + + if ($cgiparams{'TYPE'} eq "net") { + print <$Lang::tr{'remote subnet'} * + + + +END + + } elsif ($cgiparams{'TYPE'} eq "host") { + print <$Lang::tr{'dns servers'}: - + +END + } + + print < $Lang::tr{'vpn local id'}: @@ -2634,7 +2745,7 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) || goto ADVANCED_ERROR; } foreach my $val (@temp) { - if ($val !~ /^(curve25519|curve448|e521|e384|e256|e224|e192|e512bp|e384bp|e256bp|e224bp|768|1024|1536|2048|3072|4096|6144|8192)$/) { + if ($val !~ /^(curve448|curve25519|e521|e384|e256|e224|e192|e512bp|e384bp|e256bp|e224bp|768|1024|1536|2048|3072|4096|6144|8192)$/) { $errormessage = $Lang::tr{'invalid input'}; goto ADVANCED_ERROR; } @@ -2675,7 +2786,7 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) || goto ADVANCED_ERROR; } foreach my $val (@temp) { - if ($val !~ /^(curve25519|curve448|e521|e384|e256|e224|e192|e512bp|e384bp|e256bp|e224bp|768|1024|1536|2048|3072|4096|6144|8192|none)$/) { + if ($val !~ /^(curve448|curve25519|e521|e384|e256|e224|e192|e512bp|e384bp|e256bp|e224bp|768|1024|1536|2048|3072|4096|6144|8192|none)$/) { $errormessage = $Lang::tr{'invalid input'}; goto ADVANCED_ERROR; } @@ -2734,7 +2845,7 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) || &General::writehasharray("${General::swroot}/vpn/config", \%confighash); &writeipsecfiles(); if (&vpnenabled) { - system('/usr/local/bin/ipsecctrl', 'S', $cgiparams{'KEY'}); + &General::system('/usr/local/bin/ipsecctrl', 'S', $cgiparams{'KEY'}); sleep $sleepDelay; } goto ADVANCED_END; 
@@ -2764,6 +2875,7 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) || $cgiparams{'INTERFACE_MODE'} = $confighash{$cgiparams{'KEY'}}[36]; $cgiparams{'INTERFACE_ADDRESS'} = $confighash{$cgiparams{'KEY'}}[37]; $cgiparams{'INTERFACE_MTU'} = $confighash{$cgiparams{'KEY'}}[38]; + $cgiparams{'DNS_SERVERS'} = $confighash{$cgiparams{'KEY'}}[39]; if (!$cgiparams{'DPD_DELAY'}) { $cgiparams{'DPD_DELAY'} = 30; @@ -2814,8 +2926,8 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) || $checked{'IKE_INTEGRITY'}{'aesxcbc'} = ''; @temp = split('\|', $cgiparams{'IKE_INTEGRITY'}); foreach my $key (@temp) {$checked{'IKE_INTEGRITY'}{$key} = "selected='selected'"; } - $checked{'IKE_GROUPTYPE'}{'curve25519'} = ''; $checked{'IKE_GROUPTYPE'}{'curve448'} = ''; + $checked{'IKE_GROUPTYPE'}{'curve25519'} = ''; $checked{'IKE_GROUPTYPE'}{'768'} = ''; $checked{'IKE_GROUPTYPE'}{'1024'} = ''; $checked{'IKE_GROUPTYPE'}{'1536'} = ''; @@ -2854,8 +2966,8 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) || $checked{'ESP_INTEGRITY'}{'aesxcbc'} = ''; @temp = split('\|', $cgiparams{'ESP_INTEGRITY'}); foreach my $key (@temp) {$checked{'ESP_INTEGRITY'}{$key} = "selected='selected'"; } - $checked{'ESP_GROUPTYPE'}{'curve25519'} = ''; $checked{'ESP_GROUPTYPE'}{'curve448'} = ''; + $checked{'ESP_GROUPTYPE'}{'curve25519'} = ''; $checked{'ESP_GROUPTYPE'}{'768'} = ''; $checked{'ESP_GROUPTYPE'}{'1024'} = ''; $checked{'ESP_GROUPTYPE'}{'1536'} = ''; @@ -3019,8 +3131,8 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) || $Lang::tr{'grouptype'} - + @@ -3182,7 +3294,7 @@ EOF &General::readhasharray("${General::swroot}/vpn/config", \%confighash); $cgiparams{'CA_NAME'} = ''; - my @status = `/usr/local/bin/ipsecctrl I 2>/dev/null`; + my @status = &General::system_output("/usr/local/bin/ipsecctrl", "I"); $checked{'ENABLED'} = $cgiparams{'ENABLED'} eq 'on' ? "checked='checked'" : ''; 
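Review bot: The replacement `&General::system_output("/usr/local/bin/ipsecctrl", "I")` drops the `2>/dev/null` of the old backtick call, so ipsecctrl's stderr is no longer discarded. Whether that ends up in the CGI response or only in the web server's error log depends on how General::system_output, which is outside this page, wires the child's stderr; if it captures both streams, stderr lines would pollute the `@status` parsing that follows. Worth confirming before relying on `@status` being stdout only.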
@@ -3616,7 +3728,7 @@ sub make_algos($$$$$) { if ($grp =~ m/^e(.*)$/) { push(@algo, "ecp$1"); - } elsif ($grp =~ m/curve(25519|448)/) { + } elsif ($grp =~ m/curve(448|25519)/) { push(@algo, "$grp"); } else { push(@algo, "modp$grp"); @@ -3633,7 +3745,7 @@ sub make_algos($$$$$) { # noop } elsif ($grp =~ m/^e(.*)$/) { push(@algo, "ecp$1"); - } elsif ($grp =~ m/curve(25519|448)/) { + } elsif ($grp =~ m/curve(448|25519)/) { push(@algo, "$grp"); } else { push(@algo, "modp$grp");