From: Michael Tremer
Date: Wed, 10 Apr 2024 10:34:45 +0000 (+0200)
Subject: ovpnmain.cgi: Fix checking custom routes
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=13c52637b0617b6c8ac873c16ca1003aebb41570;p=people%2Fms%2Fipfire-2.x.git
ovpnmain.cgi: Fix checking custom routes
Signed-off-by: Michael Tremer
---
diff --git a/doc/language_issues.de b/doc/language_issues.de
index 74ab128a3..726e43470 100644
--- a/doc/language_issues.de
+++ b/doc/language_issues.de
@@ -613,6 +613,8 @@ WARNING: translation string unused: ovpn config
 WARNING: translation string unused: ovpn device
 WARNING: translation string unused: ovpn dl
 WARNING: translation string unused: ovpn engines
+WARNING: translation string unused: ovpn errmsg green already pushed
+WARNING: translation string unused: ovpn errmsg invalid ip or mask
 WARNING: translation string unused: ovpn error md5
 WARNING: translation string unused: ovpn generating the root and host certificates
 WARNING: translation string unused: ovpn log
@@ -1036,6 +1038,7 @@ WARNING: untranslated string: ovpn ciphers = Ciphers
 WARNING: untranslated string: ovpn crypto settings = Cryptographic Settings
 WARNING: untranslated string: ovpn dhcp settings = DHCP Settings
 WARNING: untranslated string: ovpn dynamic client subnet = Dynamic Client Subnet
+WARNING: untranslated string: ovpn errmsg invalid route = Invalid route
 WARNING: untranslated string: ovpn fallback cipher = Fallback Cipher
 WARNING: untranslated string: ovpn fallback cipher help = This cipher is being used by clients that do not support cipher negotiation.
 WARNING: untranslated string: ovpn fqdn = FQDN
diff --git a/doc/language_issues.en b/doc/language_issues.en
index b3a0d7057..d4cbfde1f 100644
--- a/doc/language_issues.en
+++ b/doc/language_issues.en
@@ -1441,8 +1441,7 @@ WARNING: untranslated string: ovpn crypt options = unknown string
 WARNING: untranslated string: ovpn crypto settings = Cryptographic Settings
 WARNING: untranslated string: ovpn dhcp settings = DHCP Settings
 WARNING: untranslated string: ovpn dynamic client subnet = Dynamic Client Subnet
-WARNING: untranslated string: ovpn errmsg green already pushed = Route for green network is always set
-WARNING: untranslated string: ovpn errmsg invalid ip or mask = Invalid network-address or subnetmask
+WARNING: untranslated string: ovpn errmsg invalid route = Invalid route
 WARNING: untranslated string: ovpn fallback cipher = Fallback Cipher
 WARNING: untranslated string: ovpn fallback cipher help = This cipher is being used by clients that do not support cipher negotiation.
 WARNING: untranslated string: ovpn fqdn = FQDN
diff --git a/doc/language_issues.es b/doc/language_issues.es
index 0206db325..07eddf59c 100644
--- a/doc/language_issues.es
+++ b/doc/language_issues.es
@@ -644,6 +644,8 @@ WARNING: translation string unused: ovpn config
 WARNING: translation string unused: ovpn device
 WARNING: translation string unused: ovpn dl
 WARNING: translation string unused: ovpn engines
+WARNING: translation string unused: ovpn errmsg green already pushed
+WARNING: translation string unused: ovpn errmsg invalid ip or mask
 WARNING: translation string unused: ovpn error md5
 WARNING: translation string unused: ovpn generating the root and host certificates
 WARNING: translation string unused: ovpn log
@@ -1056,6 +1058,7 @@ WARNING: untranslated string: ovpn ciphers = Ciphers
 WARNING: untranslated string: ovpn crypto settings = Cryptographic Settings
 WARNING: untranslated string: ovpn dhcp settings = DHCP Settings
 WARNING: untranslated string: ovpn dynamic client subnet = Dynamic Client Subnet
+WARNING: untranslated string: ovpn errmsg invalid route = Invalid route
 WARNING: untranslated string: ovpn fallback cipher = Fallback Cipher
 WARNING: untranslated string: ovpn fallback cipher help = This cipher is being used by clients that do not support cipher negotiation.
 WARNING: untranslated string: ovpn fqdn = FQDN
diff --git a/doc/language_issues.fr b/doc/language_issues.fr
index c3eb58e34..e35cb30b9 100644
--- a/doc/language_issues.fr
+++ b/doc/language_issues.fr
@@ -642,6 +642,8 @@ WARNING: translation string unused: ovpn config
 WARNING: translation string unused: ovpn device
 WARNING: translation string unused: ovpn dl
 WARNING: translation string unused: ovpn engines
+WARNING: translation string unused: ovpn errmsg green already pushed
+WARNING: translation string unused: ovpn errmsg invalid ip or mask
 WARNING: translation string unused: ovpn error md5
 WARNING: translation string unused: ovpn generating the root and host certificates
 WARNING: translation string unused: ovpn log
@@ -1060,6 +1062,7 @@ WARNING: untranslated string: ovpn ciphers = Ciphers
 WARNING: untranslated string: ovpn crypto settings = Cryptographic Settings
 WARNING: untranslated string: ovpn dhcp settings = DHCP Settings
 WARNING: untranslated string: ovpn dynamic client subnet = Dynamic Client Subnet
+WARNING: untranslated string: ovpn errmsg invalid route = Invalid route
 WARNING: untranslated string: ovpn fallback cipher = Fallback Cipher
 WARNING: untranslated string: ovpn fallback cipher help = This cipher is being used by clients that do not support cipher negotiation.
 WARNING: untranslated string: ovpn fqdn = FQDN
diff --git a/doc/language_issues.it b/doc/language_issues.it
index 7d1e40977..2ca8fc2fa 100644
--- a/doc/language_issues.it
+++ b/doc/language_issues.it
@@ -593,6 +593,8 @@ WARNING: translation string unused: ovpn config
 WARNING: translation string unused: ovpn device
 WARNING: translation string unused: ovpn dl
 WARNING: translation string unused: ovpn engines
+WARNING: translation string unused: ovpn errmsg green already pushed
+WARNING: translation string unused: ovpn errmsg invalid ip or mask
 WARNING: translation string unused: ovpn generating the root and host certificates
 WARNING: translation string unused: ovpn hmac
 WARNING: translation string unused: ovpn log
@@ -1294,6 +1296,7 @@ WARNING: untranslated string: ovpn connection name = Connection Name
 WARNING: untranslated string: ovpn crypto settings = Cryptographic Settings
 WARNING: untranslated string: ovpn dhcp settings = DHCP Settings
 WARNING: untranslated string: ovpn dynamic client subnet = Dynamic Client Subnet
+WARNING: untranslated string: ovpn errmsg invalid route = Invalid route
 WARNING: untranslated string: ovpn fallback cipher = Fallback Cipher
 WARNING: untranslated string: ovpn fallback cipher help = This cipher is being used by clients that do not support cipher negotiation.
 WARNING: untranslated string: ovpn fqdn = FQDN
diff --git a/doc/language_issues.nl b/doc/language_issues.nl
index 95c77658a..df2c8e536 100644
--- a/doc/language_issues.nl
+++ b/doc/language_issues.nl
@@ -594,6 +594,8 @@ WARNING: translation string unused: override mtu
 WARNING: translation string unused: ovpn config
 WARNING: translation string unused: ovpn device
 WARNING: translation string unused: ovpn dl
+WARNING: translation string unused: ovpn errmsg green already pushed
+WARNING: translation string unused: ovpn errmsg invalid ip or mask
 WARNING: translation string unused: ovpn log
 WARNING: translation string unused: ovpn mtu-disc
 WARNING: translation string unused: ovpn mtu-disc and mtu not 1500
@@ -1318,6 +1320,7 @@ WARNING: untranslated string: ovpn crypt options = unknown string
 WARNING: untranslated string: ovpn crypto settings = Cryptographic Settings
 WARNING: untranslated string: ovpn dhcp settings = DHCP Settings
 WARNING: untranslated string: ovpn dynamic client subnet = Dynamic Client Subnet
+WARNING: untranslated string: ovpn errmsg invalid route = Invalid route
 WARNING: untranslated string: ovpn fallback cipher = Fallback Cipher
 WARNING: untranslated string: ovpn fallback cipher help = This cipher is being used by clients that do not support cipher negotiation.
 WARNING: untranslated string: ovpn fqdn = FQDN
diff --git a/doc/language_issues.pl b/doc/language_issues.pl
index 455a6cb4f..06bd45e65 100644
--- a/doc/language_issues.pl
+++ b/doc/language_issues.pl
@@ -1473,8 +1473,7 @@ WARNING: untranslated string: ovpn crypt options = unknown string
 WARNING: untranslated string: ovpn crypto settings = Cryptographic Settings
 WARNING: untranslated string: ovpn dhcp settings = DHCP Settings
 WARNING: untranslated string: ovpn dynamic client subnet = Dynamic Client Subnet
-WARNING: untranslated string: ovpn errmsg green already pushed = Route for green network is always set
-WARNING: untranslated string: ovpn errmsg invalid ip or mask = Invalid network-address or subnetmask
+WARNING: untranslated string: ovpn errmsg invalid route = Invalid route
 WARNING: untranslated string: ovpn fallback cipher = Fallback Cipher
 WARNING: untranslated string: ovpn fallback cipher help = This cipher is being used by clients that do not support cipher negotiation.
 WARNING: untranslated string: ovpn fqdn = FQDN
diff --git a/doc/language_issues.ru b/doc/language_issues.ru
index 3093e1b69..0a7058955 100644
--- a/doc/language_issues.ru
+++ b/doc/language_issues.ru
@@ -519,6 +519,8 @@ WARNING: translation string unused: override mtu
 WARNING: translation string unused: ovpn config
 WARNING: translation string unused: ovpn device
 WARNING: translation string unused: ovpn dl
+WARNING: translation string unused: ovpn errmsg green already pushed
+WARNING: translation string unused: ovpn errmsg invalid ip or mask
 WARNING: translation string unused: ovpn log
 WARNING: translation string unused: ovpn on blue
 WARNING: translation string unused: ovpn on orange
@@ -1471,6 +1473,7 @@ WARNING: untranslated string: ovpn crypt options = unknown string
 WARNING: untranslated string: ovpn crypto settings = Cryptographic Settings
 WARNING: untranslated string: ovpn dhcp settings = DHCP Settings
 WARNING: untranslated string: ovpn dynamic client subnet = Dynamic Client Subnet
+WARNING: untranslated string: ovpn errmsg invalid route = Invalid route
 WARNING: untranslated string: ovpn fallback cipher = Fallback Cipher
 WARNING: untranslated string: ovpn fallback cipher help = This cipher is being used by clients that do not support cipher negotiation.
 WARNING: untranslated string: ovpn fqdn = FQDN
diff --git a/doc/language_issues.tr b/doc/language_issues.tr
index 71517ed27..007478e40 100644
--- a/doc/language_issues.tr
+++ b/doc/language_issues.tr
@@ -623,6 +623,8 @@ WARNING: translation string unused: ovpn config
 WARNING: translation string unused: ovpn device
 WARNING: translation string unused: ovpn dl
 WARNING: translation string unused: ovpn engines
+WARNING: translation string unused: ovpn errmsg green already pushed
+WARNING: translation string unused: ovpn errmsg invalid ip or mask
 WARNING: translation string unused: ovpn generating the root and host certificates
 WARNING: translation string unused: ovpn hmac
 WARNING: translation string unused: ovpn log
@@ -1209,6 +1211,7 @@ WARNING: untranslated string: ovpn connection name = Connection Name
 WARNING: untranslated string: ovpn crypto settings = Cryptographic Settings
 WARNING: untranslated string: ovpn dhcp settings = DHCP Settings
 WARNING: untranslated string: ovpn dynamic client subnet = Dynamic Client Subnet
+WARNING: untranslated string: ovpn errmsg invalid route = Invalid route
 WARNING: untranslated string: ovpn fallback cipher = Fallback Cipher
 WARNING: untranslated string: ovpn fallback cipher help = This cipher is being used by clients that do not support cipher negotiation.
 WARNING: untranslated string: ovpn fqdn = FQDN
diff --git a/doc/language_missings b/doc/language_missings
index 92462b788..1d3c9d4f1 100644
--- a/doc/language_missings
+++ b/doc/language_missings
@@ -91,6 +91,7 @@
 < ovpn crypto settings
 < ovpn dhcp settings
 < ovpn dynamic client subnet
+< ovpn errmsg invalid route
 < ovpn fallback cipher
 < ovpn fallback cipher help
 < ovpn fqdn
@@ -159,6 +160,7 @@
 < ovpn crypto settings
 < ovpn dhcp settings
 < ovpn dynamic client subnet
+< ovpn errmsg invalid route
 < ovpn fallback cipher
 < ovpn fallback cipher help
 < ovpn fqdn
@@ -221,6 +223,7 @@
 < ovpn crypto settings
 < ovpn dhcp settings
 < ovpn dynamic client subnet
+< ovpn errmsg invalid route
 < ovpn fallback cipher
 < ovpn fallback cipher help
 < ovpn fqdn
@@ -697,6 +700,7 @@
 < ovpn crypto settings
 < ovpn dhcp settings
 < ovpn dynamic client subnet
+< ovpn errmsg invalid route
 < ovpn error md5
 < ovpn fallback cipher
 < ovpn fallback cipher help
@@ -1354,6 +1358,7 @@
 < ovpn dhcp settings
 < ovpn dynamic client subnet
 < ovpn engines
+< ovpn errmsg invalid route
 < ovpn error md5
 < ovpn fallback cipher
 < ovpn fallback cipher help
@@ -2330,6 +2335,7 @@
 < ovpn engines
 < ovpn errmsg green already pushed
 < ovpn errmsg invalid ip or mask
+< ovpn errmsg invalid route
 < ovpn error md5
 < ovpn fallback cipher
 < ovpn fallback cipher help
@@ -3440,6 +3446,7 @@
 < ovpn dhcp settings
 < ovpn dynamic client subnet
 < ovpn engines
+< ovpn errmsg invalid route
 < ovpn error md5
 < ovpn fallback cipher
 < ovpn fallback cipher help
@@ -4054,6 +4061,7 @@
 < ovpn crypto settings
 < ovpn dhcp settings
 < ovpn dynamic client subnet
+< ovpn errmsg invalid route
 < ovpn error md5
 < ovpn fallback cipher
 < ovpn fallback cipher help
diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi
index 23cb95d51..6c021c1c3 100644
--- a/html/cgi-bin/ovpnmain.cgi
+++ b/html/cgi-bin/ovpnmain.cgi
@@ -893,9 +893,7 @@ sub writecollectdconf {
 if ($cgiparams{'ACTION'} eq $Lang::tr{'save-adv-options'}) {
 &General::readhash("${General::swroot}/ovpn/settings", \%vpnsettings);
- #DAN do we really need (to to check) this value? Besides if we listen on blue and orange too,
- #DAN this value has to leave.
-#new settings for daemon
+
 $vpnsettings{'DPROTOCOL'} = $cgiparams{'DPROTOCOL'};
 $vpnsettings{'DDEST_PORT'} = $cgiparams{'DDEST_PORT'};
 $vpnsettings{'DMTU'} = $cgiparams{'DMTU'};
@@ -909,7 +907,6 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'save-adv-options'}) {
 $vpnsettings{'DCIPHER'} = $cgiparams{'DCIPHER'};
 $vpnsettings{'DAUTH'} = $cgiparams{'DAUTH'};
 $vpnsettings{'TLSAUTH'} = $cgiparams{'TLSAUTH'};
- my @temp=();
 # We must have at least one cipher selected
 if ($cgiparams{'DATACIPHERS'} eq '') {
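Review bot: Removing `my @temp=();` leaves @temp undeclared for any code between this hunk and the ROUTES_PUSH block at line 975, which now declares its own lexical `my @temp`; if anything in that unseen stretch still assigns to or reads @temp, it will fail under strict. A quick search of the save-adv-options block for other @temp uses is worth doing before merging. The enclosing `if ($cgiparams{'ACTION'} eq $Lang::tr{'save-adv-options'})` block starts before this hunk and continues after it.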
@@ -975,54 +972,37 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'save-adv-options'}) {
 goto ADV_ERROR;
 }
 }
+
+ # Validate pushed routes
 if ($cgiparams{'ROUTES_PUSH'} ne ''){
- @temp = split(/\n/,$cgiparams{'ROUTES_PUSH'});
- undef $vpnsettings{'ROUTES_PUSH'};
+ my @temp = split(/\n/, $cgiparams{'ROUTES_PUSH'});
- foreach my $tmpip (@temp)
- {
- s/^\s+//g; s/\s+$//g;
+ # Reset stored routes
+ $vpnsettings{'ROUTES_PUSH'} = "";
- if ($tmpip)
- {
- $tmpip=~s/\s*$//g;
- unless (&General::validipandmask($tmpip)) {
- $errormessage = "$tmpip ".$Lang::tr{'ovpn errmsg invalid ip or mask'};
- goto ADV_ERROR;
- }
- my ($ip, $cidr) = split("\/",&General::ipcidr2msk($tmpip));
+ foreach my $route (@temp) {
+ chomp($route);
- if ($ip eq $Network::ethernet{'GREEN_NETADDRESS'} && $cidr eq $Network::ethernet{'GREEN_NETMASK'}) {
- $errormessage = $Lang::tr{'ovpn errmsg green already pushed'};
- goto ADV_ERROR;
- }
+ # Remove any excess whitespace
+ $route =~ s/^\s+//g;
+ $route =~ s/\s+$//g;
- my %ccdroutehash=();
- &General::readhasharray("${General::swroot}/ovpn/ccdroute", \%ccdroutehash);
- foreach my $key (keys %ccdroutehash) {
- foreach my $i (1 .. $#{$ccdroutehash{$key}}) {
- if ( $ip."/".$cidr eq $ccdroutehash{$key}[$i] ){
- $errormessage="Route $ip\/$cidr ".$Lang::tr{'ccd err inuse'}." $ccdroutehash{$key}[0]" ;
- goto ADV_ERROR;
- }
- my ($ip2,$cidr2) = split(/\//,$ccdroutehash{$key}[$i]);
- if (&General::IpInSubnet ($ip,$ip2,$cidr2)){
- $errormessage="Route $ip\/$cidr ".$Lang::tr{'ccd err inuse'}." $ccdroutehash{$key}[0]" ;
- goto ADV_ERROR;
- }
- }
+ # Skip empty lines
+ next if ($route eq "");
+
+ unless (&Network::check_subnet($route)) {
+ $errormessage = "$Lang::tr{'ovpn errmsg invalid route'}: $route";
+ goto ADV_ERROR;
 }
- $vpnsettings{'ROUTES_PUSH'} .= $tmpip."\n";
+ $vpnsettings{'ROUTES_PUSH'} .= $route . 
"\n"; } - } - &write_routepushfile; - undef $vpnsettings{'ROUTES_PUSH'}; - } - else { - undef $vpnsettings{'ROUTES_PUSH'}; - &write_routepushfile; + + &write_routepushfile(); + + undef $vpnsettings{'ROUTES_PUSH'}; } + if ((length($cgiparams{'MAX_CLIENTS'}) == 0) || (($cgiparams{'MAX_CLIENTS'}) < 1 ) || (($cgiparams{'MAX_CLIENTS'}) > 1024 )) { $errormessage = $Lang::tr{'invalid input for max clients'}; goto ADV_ERROR; diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl index caac27c8f..c8f50eed5 100644 --- a/langs/en/cgi-bin/en.pl +++ b/langs/en/cgi-bin/en.pl @@ -2047,6 +2047,7 @@ 'ovpn engines' => 'Crypto engine', 'ovpn errmsg green already pushed' => 'Route for green network is always set', 'ovpn errmsg invalid ip or mask' => 'Invalid network-address or subnetmask', +'ovpn errmsg invalid route' => 'Invalid route', 'ovpn error md5' => 'You host certificate uses MD5 for the signature which is not accepted anymore.
Please update to the latest IPFire version and generate a new root and host certificate.

All OpenVPN clients needs then to be renewed!
', 'ovpn fallback cipher' => 'Fallback Cipher', 'ovpn fallback cipher help' => 'This cipher is being used by clients that do not support cipher negotiation.',