From ce96c05d52546596afd884df76fd6cb44bfb74f2 Mon Sep 17 00:00:00 2001
From: Michael Tremer
Date: Wed, 10 Apr 2024 12:34:45 +0200
Subject: [PATCH] ovpnmain.cgi: Fix checking custom routes
Signed-off-by: Michael Tremer
---
 doc/language_issues.de | 3 ++
 doc/language_issues.en | 3 +-
 doc/language_issues.es | 3 ++
 doc/language_issues.fr | 3 ++
 doc/language_issues.it | 3 ++
 doc/language_issues.nl | 3 ++
 doc/language_issues.pl | 3 +-
 doc/language_issues.ru | 3 ++
 doc/language_issues.tr | 3 ++
 doc/language_missings | 8 +++++
 html/cgi-bin/ovpnmain.cgi | 66 ++++++++++++++-------------------------
 langs/en/cgi-bin/en.pl | 1 +
 12 files changed, 55 insertions(+), 47 deletions(-)
diff --git a/doc/language_issues.de b/doc/language_issues.de
index 1c92b2d38..61ab6f05c 100644
--- a/doc/language_issues.de
+++ b/doc/language_issues.de
@@ -595,6 +595,8 @@ WARNING: translation string unused: ovpn config
 WARNING: translation string unused: ovpn device
 WARNING: translation string unused: ovpn dl
 WARNING: translation string unused: ovpn engines
+WARNING: translation string unused: ovpn errmsg green already pushed
+WARNING: translation string unused: ovpn errmsg invalid ip or mask
 WARNING: translation string unused: ovpn error md5
 WARNING: translation string unused: ovpn generating the root and host certificates
 WARNING: translation string unused: ovpn log
@@ -991,6 +993,7 @@ WARNING: untranslated string: ovpn ciphers = Ciphers
 WARNING: untranslated string: ovpn crypto settings = Cryptographic Settings
 WARNING: untranslated string: ovpn dhcp settings = DHCP Settings
 WARNING: untranslated string: ovpn dynamic client subnet = Dynamic Client Subnet
+WARNING: untranslated string: ovpn errmsg invalid route = Invalid route
 WARNING: untranslated string: ovpn fallback cipher = Fallback Cipher
 WARNING: untranslated string: ovpn fallback cipher help = This cipher is being used by clients that do not support cipher negotiation.
 WARNING: untranslated string: ovpn fqdn = FQDN
diff --git a/doc/language_issues.en b/doc/language_issues.en
index 3d3c3a7a1..136b4b460 100644
--- a/doc/language_issues.en
+++ b/doc/language_issues.en
@@ -1441,8 +1441,7 @@ WARNING: untranslated string: ovpn crypt options = unknown string
 WARNING: untranslated string: ovpn crypto settings = Cryptographic Settings
 WARNING: untranslated string: ovpn dhcp settings = DHCP Settings
 WARNING: untranslated string: ovpn dynamic client subnet = Dynamic Client Subnet
-WARNING: untranslated string: ovpn errmsg green already pushed = Route for green network is always set
-WARNING: untranslated string: ovpn errmsg invalid ip or mask = Invalid network-address or subnetmask
+WARNING: untranslated string: ovpn errmsg invalid route = Invalid route
 WARNING: untranslated string: ovpn fallback cipher = Fallback Cipher
 WARNING: untranslated string: ovpn fallback cipher help = This cipher is being used by clients that do not support cipher negotiation.
 WARNING: untranslated string: ovpn fqdn = FQDN
diff --git a/doc/language_issues.es b/doc/language_issues.es
index 0fea87bf3..5a38bbe00 100644
--- a/doc/language_issues.es
+++ b/doc/language_issues.es
@@ -652,6 +652,8 @@ WARNING: translation string unused: ovpn dh parameters
 WARNING: translation string unused: ovpn dh upload
 WARNING: translation string unused: ovpn dl
 WARNING: translation string unused: ovpn engines
+WARNING: translation string unused: ovpn errmsg green already pushed
+WARNING: translation string unused: ovpn errmsg invalid ip or mask
 WARNING: translation string unused: ovpn error dh
 WARNING: translation string unused: ovpn error md5
 WARNING: translation string unused: ovpn generating the root and host certificates
@@ -1053,6 +1055,7 @@ WARNING: untranslated string: ovpn ciphers = Ciphers
 WARNING: untranslated string: ovpn crypto settings = Cryptographic Settings
 WARNING: untranslated string: ovpn dhcp settings = DHCP Settings
 WARNING: untranslated string: ovpn dynamic client subnet = Dynamic Client Subnet
+WARNING: untranslated string: ovpn errmsg invalid route = Invalid route
 WARNING: untranslated string: ovpn fallback cipher = Fallback Cipher
 WARNING: untranslated string: ovpn fallback cipher help = This cipher is being used by clients that do not support cipher negotiation.
 WARNING: untranslated string: ovpn fqdn = FQDN
diff --git a/doc/language_issues.fr b/doc/language_issues.fr
index e3ca5de4b..e98af2a75 100644
--- a/doc/language_issues.fr
+++ b/doc/language_issues.fr
@@ -626,6 +626,8 @@ WARNING: translation string unused: ovpn config
 WARNING: translation string unused: ovpn device
 WARNING: translation string unused: ovpn dl
 WARNING: translation string unused: ovpn engines
+WARNING: translation string unused: ovpn errmsg green already pushed
+WARNING: translation string unused: ovpn errmsg invalid ip or mask
 WARNING: translation string unused: ovpn error md5
 WARNING: translation string unused: ovpn generating the root and host certificates
 WARNING: translation string unused: ovpn log
@@ -997,6 +999,7 @@ WARNING: untranslated string: ovpn ciphers = Ciphers
 WARNING: untranslated string: ovpn crypto settings = Cryptographic Settings
 WARNING: untranslated string: ovpn dhcp settings = DHCP Settings
 WARNING: untranslated string: ovpn dynamic client subnet = Dynamic Client Subnet
+WARNING: untranslated string: ovpn errmsg invalid route = Invalid route
 WARNING: untranslated string: ovpn fallback cipher = Fallback Cipher
 WARNING: untranslated string: ovpn fallback cipher help = This cipher is being used by clients that do not support cipher negotiation.
 WARNING: untranslated string: ovpn fqdn = FQDN
diff --git a/doc/language_issues.it b/doc/language_issues.it
index ffe5c6ee2..8e16c0f04 100644
--- a/doc/language_issues.it
+++ b/doc/language_issues.it
@@ -581,6 +581,8 @@ WARNING: translation string unused: ovpn config
 WARNING: translation string unused: ovpn device
 WARNING: translation string unused: ovpn dl
 WARNING: translation string unused: ovpn engines
+WARNING: translation string unused: ovpn errmsg green already pushed
+WARNING: translation string unused: ovpn errmsg invalid ip or mask
 WARNING: translation string unused: ovpn generating the root and host certificates
 WARNING: translation string unused: ovpn hmac
 WARNING: translation string unused: ovpn log
@@ -1239,6 +1241,7 @@ WARNING: untranslated string: ovpn connection name = Connection Name
 WARNING: untranslated string: ovpn crypto settings = Cryptographic Settings
 WARNING: untranslated string: ovpn dhcp settings = DHCP Settings
 WARNING: untranslated string: ovpn dynamic client subnet = Dynamic Client Subnet
+WARNING: untranslated string: ovpn errmsg invalid route = Invalid route
 WARNING: untranslated string: ovpn fallback cipher = Fallback Cipher
 WARNING: untranslated string: ovpn fallback cipher help = This cipher is being used by clients that do not support cipher negotiation.
 WARNING: untranslated string: ovpn fqdn = FQDN
diff --git a/doc/language_issues.nl b/doc/language_issues.nl
index 9e664823d..804e19175 100644
--- a/doc/language_issues.nl
+++ b/doc/language_issues.nl
@@ -581,6 +581,8 @@ WARNING: translation string unused: override mtu
 WARNING: translation string unused: ovpn config
 WARNING: translation string unused: ovpn device
 WARNING: translation string unused: ovpn dl
+WARNING: translation string unused: ovpn errmsg green already pushed
+WARNING: translation string unused: ovpn errmsg invalid ip or mask
 WARNING: translation string unused: ovpn log
 WARNING: translation string unused: ovpn mtu-disc
 WARNING: translation string unused: ovpn mtu-disc and mtu not 1500
@@ -1262,6 +1264,7 @@ WARNING: untranslated string: ovpn crypt options = unknown string
 WARNING: untranslated string: ovpn crypto settings = Cryptographic Settings
 WARNING: untranslated string: ovpn dhcp settings = DHCP Settings
 WARNING: untranslated string: ovpn dynamic client subnet = Dynamic Client Subnet
+WARNING: untranslated string: ovpn errmsg invalid route = Invalid route
 WARNING: untranslated string: ovpn fallback cipher = Fallback Cipher
 WARNING: untranslated string: ovpn fallback cipher help = This cipher is being used by clients that do not support cipher negotiation.
 WARNING: untranslated string: ovpn fqdn = FQDN
diff --git a/doc/language_issues.pl b/doc/language_issues.pl
index c542aa13f..9833159c3 100644
--- a/doc/language_issues.pl
+++ b/doc/language_issues.pl
@@ -1419,8 +1419,7 @@ WARNING: untranslated string: ovpn crypt options = unknown string
 WARNING: untranslated string: ovpn crypto settings = Cryptographic Settings
 WARNING: untranslated string: ovpn dhcp settings = DHCP Settings
 WARNING: untranslated string: ovpn dynamic client subnet = Dynamic Client Subnet
-WARNING: untranslated string: ovpn errmsg green already pushed = Route for green network is always set
-WARNING: untranslated string: ovpn errmsg invalid ip or mask = Invalid network-address or subnetmask
+WARNING: untranslated string: ovpn errmsg invalid route = Invalid route
 WARNING: untranslated string: ovpn fallback cipher = Fallback Cipher
 WARNING: untranslated string: ovpn fallback cipher help = This cipher is being used by clients that do not support cipher negotiation.
 WARNING: untranslated string: ovpn fqdn = FQDN
diff --git a/doc/language_issues.ru b/doc/language_issues.ru
index 7005aba33..77c1f66cf 100644
--- a/doc/language_issues.ru
+++ b/doc/language_issues.ru
@@ -507,6 +507,8 @@ WARNING: translation string unused: override mtu
 WARNING: translation string unused: ovpn config
 WARNING: translation string unused: ovpn device
 WARNING: translation string unused: ovpn dl
+WARNING: translation string unused: ovpn errmsg green already pushed
+WARNING: translation string unused: ovpn errmsg invalid ip or mask
 WARNING: translation string unused: ovpn log
 WARNING: translation string unused: ovpn on blue
 WARNING: translation string unused: ovpn on orange
@@ -1417,6 +1419,7 @@ WARNING: untranslated string: ovpn crypt options = unknown string
 WARNING: untranslated string: ovpn crypto settings = Cryptographic Settings
 WARNING: untranslated string: ovpn dhcp settings = DHCP Settings
 WARNING: untranslated string: ovpn dynamic client subnet = Dynamic Client Subnet
+WARNING: untranslated string: ovpn errmsg invalid route = Invalid route
 WARNING: untranslated string: ovpn fallback cipher = Fallback Cipher
 WARNING: untranslated string: ovpn fallback cipher help = This cipher is being used by clients that do not support cipher negotiation.
 WARNING: untranslated string: ovpn fqdn = FQDN
diff --git a/doc/language_issues.tr b/doc/language_issues.tr
index 336d2db9c..c2b3e19d1 100644
--- a/doc/language_issues.tr
+++ b/doc/language_issues.tr
@@ -611,6 +611,8 @@ WARNING: translation string unused: ovpn config
 WARNING: translation string unused: ovpn device
 WARNING: translation string unused: ovpn dl
 WARNING: translation string unused: ovpn engines
+WARNING: translation string unused: ovpn errmsg green already pushed
+WARNING: translation string unused: ovpn errmsg invalid ip or mask
 WARNING: translation string unused: ovpn generating the root and host certificates
 WARNING: translation string unused: ovpn hmac
 WARNING: translation string unused: ovpn log
@@ -1155,6 +1157,7 @@ WARNING: untranslated string: ovpn connection name = Connection Name
 WARNING: untranslated string: ovpn crypto settings = Cryptographic Settings
 WARNING: untranslated string: ovpn dhcp settings = DHCP Settings
 WARNING: untranslated string: ovpn dynamic client subnet = Dynamic Client Subnet
+WARNING: untranslated string: ovpn errmsg invalid route = Invalid route
 WARNING: untranslated string: ovpn fallback cipher = Fallback Cipher
 WARNING: untranslated string: ovpn fallback cipher help = This cipher is being used by clients that do not support cipher negotiation.
 WARNING: untranslated string: ovpn fqdn = FQDN
diff --git a/doc/language_missings b/doc/language_missings
index ea0025558..c9b3ce789 100644
--- a/doc/language_missings
+++ b/doc/language_missings
@@ -85,6 +85,7 @@
 < ovpn crypto settings
 < ovpn dhcp settings
 < ovpn dynamic client subnet
+< ovpn errmsg invalid route
 < ovpn fallback cipher
 < ovpn fallback cipher help
 < ovpn fqdn
@@ -160,6 +161,7 @@
 < ovpn crypto settings
 < ovpn dhcp settings
 < ovpn dynamic client subnet
+< ovpn errmsg invalid route
 < ovpn fallback cipher
 < ovpn fallback cipher help
 < ovpn fqdn
@@ -203,6 +205,7 @@
 < ovpn crypto settings
 < ovpn dhcp settings
 < ovpn dynamic client subnet
+< ovpn errmsg invalid route
 < ovpn fallback cipher
 < ovpn fallback cipher help
 < ovpn fqdn
@@ -589,6 +592,7 @@
 < ovpn crypto settings
 < ovpn dhcp settings
 < ovpn dynamic client subnet
+< ovpn errmsg invalid route
 < ovpn error md5
 < ovpn fallback cipher
 < ovpn fallback cipher help
@@ -1157,6 +1161,7 @@
 < ovpn dhcp settings
 < ovpn dynamic client subnet
 < ovpn engines
+< ovpn errmsg invalid route
 < ovpn error md5
 < ovpn fallback cipher
 < ovpn fallback cipher help
@@ -2045,6 +2050,7 @@
 < ovpn engines
 < ovpn errmsg green already pushed
 < ovpn errmsg invalid ip or mask
+< ovpn errmsg invalid route
 < ovpn error md5
 < ovpn fallback cipher
 < ovpn fallback cipher help
@@ -3066,6 +3072,7 @@
 < ovpn dhcp settings
 < ovpn dynamic client subnet
 < ovpn engines
+< ovpn errmsg invalid route
 < ovpn error md5
 < ovpn fallback cipher
 < ovpn fallback cipher help
@@ -3591,6 +3598,7 @@
 < ovpn crypto settings
 < ovpn dhcp settings
 < ovpn dynamic client subnet
+< ovpn errmsg invalid route
 < ovpn error md5
 < ovpn fallback cipher
 < ovpn fallback cipher help
diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi
index af160dd2e..611a360ed 100755
--- a/html/cgi-bin/ovpnmain.cgi
+++ b/html/cgi-bin/ovpnmain.cgi
@@ -893,9 +893,7 @@ sub writecollectdconf {
 if ($cgiparams{'ACTION'} eq $Lang::tr{'save-adv-options'}) {
 	&General::readhash("${General::swroot}/ovpn/settings", \%vpnsettings);
-	#DAN do we really need (to to check) this value? Besides if we listen on blue and orange too,
-	#DAN this value has to leave.
-#new settings for daemon
+
 	$vpnsettings{'DPROTOCOL'} = $cgiparams{'DPROTOCOL'};
 	$vpnsettings{'DDEST_PORT'} = $cgiparams{'DDEST_PORT'};
 	$vpnsettings{'DMTU'} = $cgiparams{'DMTU'};
@@ -909,7 +907,6 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'save-adv-options'}) {
 	$vpnsettings{'DCIPHER'} = $cgiparams{'DCIPHER'};
 	$vpnsettings{'DAUTH'} = $cgiparams{'DAUTH'};
 	$vpnsettings{'TLSAUTH'} = $cgiparams{'TLSAUTH'};
-	my @temp=();
 	# We must have at least one cipher selected
 	if ($cgiparams{'DATACIPHERS'} eq '') {
@@ -975,54 +972,37 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'save-adv-options'}) {
 			goto ADV_ERROR;
 		}
 	}
+
+	# Validate pushed routes
 	if ($cgiparams{'ROUTES_PUSH'} ne ''){
-		@temp = split(/\n/,$cgiparams{'ROUTES_PUSH'});
-		undef $vpnsettings{'ROUTES_PUSH'};
+		my @temp = split(/\n/, $cgiparams{'ROUTES_PUSH'});
-		foreach my $tmpip (@temp)
-		{
-			s/^\s+//g; s/\s+$//g;
+		# Reset stored routes
+		$vpnsettings{'ROUTES_PUSH'} = "";
-			if ($tmpip)
-			{
-				$tmpip=~s/\s*$//g;
-				unless (&General::validipandmask($tmpip)) {
-					$errormessage = "$tmpip ".$Lang::tr{'ovpn errmsg invalid ip or mask'};
-					goto ADV_ERROR;
-				}
-				my ($ip, $cidr) = split("\/",&General::ipcidr2msk($tmpip));
+		foreach my $route (@temp) {
+			chomp($route);
-				if ($ip eq $Network::ethernet{'GREEN_NETADDRESS'} && $cidr eq $Network::ethernet{'GREEN_NETMASK'}) {
-					$errormessage = $Lang::tr{'ovpn errmsg green already pushed'};
-					goto ADV_ERROR;
-				}
+			# Remove any excess whitespace
+			$route =~ s/^\s+//g;
+			$route =~ s/\s+$//g;
-				my %ccdroutehash=();
-				&General::readhasharray("${General::swroot}/ovpn/ccdroute", \%ccdroutehash);
-				foreach my $key (keys %ccdroutehash) {
-					foreach my $i (1 .. $#{$ccdroutehash{$key}}) {
-						if ( $ip."/".$cidr eq $ccdroutehash{$key}[$i] ){
-							$errormessage="Route $ip\/$cidr ".$Lang::tr{'ccd err inuse'}." $ccdroutehash{$key}[0]" ;
-							goto ADV_ERROR;
-						}
-						my ($ip2,$cidr2) = split(/\//,$ccdroutehash{$key}[$i]);
-						if (&General::IpInSubnet ($ip,$ip2,$cidr2)){
-							$errormessage="Route $ip\/$cidr ".$Lang::tr{'ccd err inuse'}." $ccdroutehash{$key}[0]" ;
-							goto ADV_ERROR;
-						}
-					}
+			# Skip empty lines
+			next if ($route eq "");
+
+			unless (&Network::check_subnet($route)) {
+				$errormessage = "$Lang::tr{'ovpn errmsg invalid route'}: $route";
+				goto ADV_ERROR;
 			}
-				$vpnsettings{'ROUTES_PUSH'} .= $tmpip."\n";
+			$vpnsettings{'ROUTES_PUSH'} .= $route . "\n";
 		}
-		}
-		&write_routepushfile;
-		undef $vpnsettings{'ROUTES_PUSH'};
-	}
-	else {
-		undef $vpnsettings{'ROUTES_PUSH'};
-		&write_routepushfile;
+
+		&write_routepushfile();
+
+		undef $vpnsettings{'ROUTES_PUSH'};
 	}
+
 	if ((length($cgiparams{'MAX_CLIENTS'}) == 0) || (($cgiparams{'MAX_CLIENTS'}) < 1 ) || (($cgiparams{'MAX_CLIENTS'}) > 1024 )) {
 		$errormessage = $Lang::tr{'invalid input for max clients'};
 		goto ADV_ERROR;
diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl
index dc3509f40..f93e70e90 100644
--- a/langs/en/cgi-bin/en.pl
+++ b/langs/en/cgi-bin/en.pl
@@ -2028,6 +2028,7 @@
 'ovpn engines' => 'Crypto engine',
 'ovpn errmsg green already pushed' => 'Route for green network is always set',
 'ovpn errmsg invalid ip or mask' => 'Invalid network-address or subnetmask',
+'ovpn errmsg invalid route' => 'Invalid route',
 'ovpn error md5' => 'You host certificate uses MD5 for the signature which is not accepted anymore.
Please update to the latest IPFire version and generate a new root and host certificate.

All OpenVPN clients needs then to be renewed!
', 'ovpn fallback cipher' => 'Fallback Cipher', 'ovpn fallback cipher help' => 'This cipher is being used by clients that do not support cipher negotiation.', -- 2.39.5