OpenVPN: Deleted mtu-disc completely since it has been dropped.
index 94e723ba2cbc56317998324c5a65e9ba0945b40f..976300fc72e77dd3e23e26bca243dc61faaa4606 100644 (file)
@@ -35,6 +35,7 @@ require '/var/ipfire/general-functions.pl';
 require "${General::swroot}/lang.pl";
 require "${General::swroot}/header.pl";
 require "${General::swroot}/countries.pl";
+require "${General::swroot}/geoip-functions.pl";
 
 # enable only the following on debugging purpose
 #use warnings;
@@ -63,6 +64,8 @@ my %cahash=();
 my %selected=();
 my $warnmessage = '';
 my $errormessage = '';
+my $cryptoerror = '';
+my $cryptowarning = '';
 my %settings=();
 my $routes_push_file = '';
 my $confighost="${General::swroot}/fwhosts/customhosts";
@@ -96,6 +99,8 @@ $cgiparams{'DCIPHER'} = '';
 $cgiparams{'DAUTH'} = '';
 $cgiparams{'TLSAUTH'} = '';
 $routes_push_file = "${General::swroot}/ovpn/routes_push";
+# Perform crypto and configration test
+&pkiconfigcheck;
 
 # Add CCD files if not already presant
 unless (-e $routes_push_file) {
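Review bot: `&pkiconfigcheck;` at the added line calls the sub with the ampersand and no argument list, which hands it the caller's current `@_` instead of an empty list; the conventional call is `pkiconfigcheck();`. The check spawns two openssl processes on every request and reads `$cgiparams{'DH_NAME'}`, and the surrounding lines are the `%cgiparams` defaults block, so whether the request parameters have already been merged into `%cgiparams` at this point is not visible here — confirm the DH file name is populated before the call, otherwise the `-f` test in the sub always fails and the DH check is dead.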
@@ -198,6 +203,45 @@ sub deletebackupcert
        }
 }
 
+###
+### Check for PKI and configure problems
+###
+
+sub pkiconfigcheck
+{
+       # Warning if DH parameter is 1024 bit
+       if (-f "${General::swroot}/ovpn/ca/$cgiparams{'DH_NAME'}") {
+               my $dhparameter = `/usr/bin/openssl dhparam -text -in ${General::swroot}/ovpn/ca/$cgiparams{'DH_NAME'}`;
+               my @dhbit = ($dhparameter =~ /(\d+)/);
+               if ($1 < 2048) {
+                       $cryptoerror = "$Lang::tr{'ovpn error dh'}";
+                       goto CRYPTO_ERROR;
+               }
+       }
+
+       # Warning if md5 is in usage
+       if (-f "${General::swroot}/ovpn/certs/servercert.pem") {
+               my $signature = `/usr/bin/openssl x509 -noout -text -in ${General::swroot}/ovpn/certs/servercert.pem`;
+               if ($signature =~ /md5WithRSAEncryption/) {
+                       $cryptoerror = "$Lang::tr{'ovpn error md5'}";
+                       goto CRYPTO_ERROR;
+               }
+       }
+
+       CRYPTO_ERROR:
+
+       # Warning if certificate is not compliant to RFC3280 TLS rules
+       if (-f "${General::swroot}/ovpn/certs/servercert.pem") {
+               my $extendkeyusage = `/usr/bin/openssl x509 -noout -text -in ${General::swroot}/ovpn/certs/servercert.pem`;
+               if ($extendkeyusage !~ /TLS Web Server Authentication/) {
+                       $cryptowarning = "$Lang::tr{'ovpn warning rfc3280'}";
+                       goto CRYPTO_WARNING;
+               }
+       }
+
+       CRYPTO_WARNING:
+}
+
 sub writeserverconf {
     my %sovpnsettings = ();  
     my @temp = ();  
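Review bot: The DH-size test at `if ($1 < 2048)` does not use the match it just made: `@dhbit` is assigned and never read, and `$1` is undefined when the openssl output contains no digits (failed command, missing binary), so the comparison becomes `undef < 2048` and the error fires spuriously, while a successful earlier regex would leave a stale `$1`. Tie the check to the same pattern the upload path uses further down at the `DH Parameters` regex: `if ($dhparameter =~ /DH Parameters: \((\d+) bit\)/ and $1 < 2048) {`. The backtick commands interpolate `${General::swroot}/ovpn/ca/$cgiparams{'DH_NAME'}` into a shell string; the `-f` test restricts it to names that exist on disk, but if `DH_NAME` can come from the request rather than only from saved settings, the list form `open my $fh, '-|', '/usr/bin/openssl', 'dhparam', '-text', '-in', $dh_path` keeps the shell out of the path entirely. The `goto CRYPTO_ERROR` / `goto CRYPTO_WARNING` jumps only skip to the very next statement, so an `if`/`elsif` chain expresses the same flow without labels, and the `openssl x509 -text` output is computed twice for the same certificate and could be read once.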
@@ -227,7 +271,7 @@ sub writeserverconf {
     print CONF "server $tempovpnsubnet[0] $tempovpnsubnet[1]\n";
     #print CONF "push \"route $netsettings{'GREEN_NETADDRESS'} $netsettings{'GREEN_NETMASK'}\"\n";
 
-    # Check if we are using mssfix, fragment or mtu-disc and set the corretct mtu of 1500.
+    # Check if we are using mssfix, fragment and set the corretct mtu of 1500.
     # If we doesn't use one of them, we can use the configured mtu value.
     if ($sovpnsettings{'MSSFIX'} eq 'on') 
        { print CONF "tun-mtu 1500\n"; }
@@ -1068,7 +1112,7 @@ unless(-d "${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}"){mkdir "${General
   close(CLIENTCONF);
 
 }
-  
+
 ###
 ### Save main settings
 ###
@@ -1180,7 +1224,7 @@ SETTINGS_ERROR:
            delete $confighash{$cgiparams{'$key'}};
        }
 
-       system ("/usr/local/bin/openvpnctrl -drrd $name");
+       system ("/usr/local/bin/openvpnctrl -drrd $name &>/dev/null");
     }
     while ($file = glob("${General::swroot}/ovpn/ca/*")) {
        unlink $file;
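Review bot: Appending `&>/dev/null` to the `system` string at the changed line turns a command that Perl previously exec'd directly (no shell metacharacters) into one handed to `/bin/sh -c`, so `$name` is now interpolated into a shell command line; `&>` is also a bash-ism, and under a POSIX sh it parses as `cmd &` followed by a bare redirection, backgrounding the call instead of silencing it. Assuming `$name` is a connection name from `%confighash`, which this CGI accepts from the request elsewhere, prefer the list form `system('/usr/local/bin/openvpnctrl', '-drrd', $name);` and, if the output really must be discarded, redirect `STDOUT`/`STDERR` with `local`-scoped dup'ed handles in Perl rather than via the shell. The enclosing block starts before this hunk.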
@@ -1290,7 +1334,6 @@ END
                <form method='post'><input type='hidden' name='AREUSURE' value='yes' />
                <input type='hidden' name='KEY' value='$cgiparams{'KEY'}' />
                        <select name='DHLENGHT'>
-                               <option value='1024' $selected{'DHLENGHT'}{'1024'}>1024 $Lang::tr{'bit'} ($Lang::tr{'vpn weak'})</option>
                                <option value='2048' $selected{'DHLENGHT'}{'2048'}>2048 $Lang::tr{'bit'}</option>
                                <option value='3072' $selected{'DHLENGHT'}{'3072'}>3072 $Lang::tr{'bit'}</option>
                                <option value='4096' $selected{'DHLENGHT'}{'4096'}>4096 $Lang::tr{'bit'}</option>
@@ -1336,7 +1379,7 @@ END
        goto UPLOADCA_ERROR;
     }
     my $temp = `/usr/bin/openssl dhparam -text -in $filename`;
-    if ($temp !~ /DH Parameters: \((1024|2048|3072|4096) bit\)/) {
+    if ($temp !~ /DH Parameters: \((2048|3072|4096) bit\)/) {
         $errormessage = $Lang::tr{'not a valid dh key'};
         unlink ($filename);
         goto UPLOADCA_ERROR;
@@ -1972,7 +2015,6 @@ END
            </select></td>
        <tr><td class='base'>$Lang::tr{'ovpn dh'}:</td>
                <td class='base'><select name='DHLENGHT'>
-                               <option value='1024' $selected{'DHLENGHT'}{'1024'}>1024 $Lang::tr{'bit'} ($Lang::tr{'vpn weak'}</option>
                                <option value='2048' $selected{'DHLENGHT'}{'2048'}>2048 $Lang::tr{'bit'}</option>
                                <option value='3072' $selected{'DHLENGHT'}{'3072'}>3072 $Lang::tr{'bit'}</option>
                                <option value='4096' $selected{'DHLENGHT'}{'4096'}>4096 $Lang::tr{'bit'}</option>
@@ -2141,15 +2183,6 @@ if ($confighash{$cgiparams{'KEY'}}[3] eq 'net'){
    if ($confighash{$cgiparams{'KEY'}}[24] ne '') {print CLIENTCONF "fragment $confighash{$cgiparams{'KEY'}}[24]\n";}
    if ($confighash{$cgiparams{'KEY'}}[23] eq 'on') {print CLIENTCONF "mssfix\n";}
    }
-   if (($confighash{$cgiparams{'KEY'}}[38] eq 'yes') ||
-       ($confighash{$cgiparams{'KEY'}}[38] eq 'maybe') ||
-       ($confighash{$cgiparams{'KEY'}}[38] eq 'no' )) {
-       if (($confighash{$cgiparams{'KEY'}}[23] ne 'on') || ($confighash{$cgiparams{'KEY'}}[24] eq '')) {
-               if ($tunmtu eq '1500' ) {
-                       print CLIENTCONF "mtu-disc $confighash{$cgiparams{'KEY'}}[38]\n";
-               }
-       }
-   }
    # Check host certificate if X509 is RFC3280 compliant.
    # If not, old --ns-cert-type directive will be used.
    # If appropriate key usage extension exists, new --remote-cert-tls directive will be used.
@@ -2230,7 +2263,7 @@ else
     print CLIENTCONF "dev tun\r\n";
     print CLIENTCONF "proto $vpnsettings{'DPROTOCOL'}\r\n";
 
-    # Check if we are using fragment, mssfix or mtu-disc and set MTU to 1500
+    # Check if we are using fragment, mssfix and set MTU to 1500
     # or use configured value.
     if ($vpnsettings{FRAGMENT} ne '' && $vpnsettings{DPROTOCOL} ne 'tcp' )
        { print CLIENTCONF "tun-mtu 1500\r\n"; }
@@ -2991,6 +3024,7 @@ END
     <tr>
        <th><b>$Lang::tr{'common name'}</b></th>
        <th><b>$Lang::tr{'real address'}</b></th>
+       <th><b>$Lang::tr{'country'}</b></th>
        <th><b>$Lang::tr{'virtual address'}</b></th>
        <th><b>$Lang::tr{'loged in at'}</b></th>
        <th><b>$Lang::tr{'bytes sent'}</b></th>
@@ -3030,6 +3064,11 @@ END
                    $users[$uid]{'BytesSent'} = &sizeformat($match[4]);
                    $users[$uid]{'Since'} = $match[5];
                    $users[$uid]{'Proto'} = $proto;
+
+                   # get country code for "RealAddress"...
+                   my $ccode = &GeoIP::lookup((split ':', $users[$uid]{'RealAddress'})[0]);
+                   my $flag_icon = &GeoIP::get_flag_icon($ccode);
+                   $users[$uid]{'Country'} = "<a href='country.cgi#$ccode'><img src='$flag_icon' border='0' align='absmiddle' alt='$ccode' title='$ccode' /></a>";
                    $uid++;
                }    
            }
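Review bot: `(split ':', $users[$uid]{'RealAddress'})[0]` takes everything before the first colon, which is the host only for an IPv4 `addr:port` string; if OpenVPN reports an IPv6 peer the first field is a single 16-bit group and the GeoIP lookup is fed garbage. Strip the trailing port instead, e.g. `(my $real_ip = $users[$uid]{'RealAddress'}) =~ s/:\d+\z//;`, and pass `$real_ip` to `GeoIP::lookup`. `$ccode` is then interpolated four times into the markup without a guard for an unknown address (`$ccode //= ''` before building the string keeps the `country.cgi#` link and the `alt`/`title` attributes well-formed when the lookup returns nothing). The enclosing loop begins before this hunk.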
@@ -3056,7 +3095,8 @@ END
                                                }
                                                print "<td align='left' $col>$users[$idx-1]{'CommonName'}</td>";
                                                print "<td align='left' $col>$users[$idx-1]{'RealAddress'}</td>";
-                                               print "<td align='left' $col>$users[$idx-1]{'VirtualAddress'}</td>";
+                                               print "<td align='center' $col>$users[$idx-1]{'Country'}</td>";
+                                               print "<td align='center' $col>$users[$idx-1]{'VirtualAddress'}</td>";
                                                print "<td align='left' $col>$users[$idx-1]{'Since'}</td>";
                                                print "<td align='left' $col>$users[$idx-1]{'BytesSent'}</td>";
                                                print "<td align='left' $col>$users[$idx-1]{'BytesReceived'}</td>";
@@ -3329,7 +3369,6 @@ my $complzoactive;
 my $mssfixactive;
 my $authactive;
 my $n2nfragment;
-my @n2nmtudisc = split(/ /, (grep { /^mtu-disc/ } @firen2nconf)[0]);
 my @n2nproto2 = split(/ /, (grep { /^proto/ } @firen2nconf)[0]);
 my @n2nproto = split(/-/, $n2nproto2[1]);
 my @n2nport = split(/ /, (grep { /^port/ } @firen2nconf)[0]);
@@ -3365,7 +3404,6 @@ $n2nremsub[2] =~ s/\n|\r//g;
 $n2nlocalsub[2] =~ s/\n|\r//g;
 $n2nfragment[1] =~ s/\n|\r//g;
 $n2nmgmt[2] =~ s/\n|\r//g;
-$n2nmtudisc[1] =~ s/\n|\r//g;
 $n2ncipher[1] =~ s/\n|\r//g;
 $n2nauth[1] =~ s/\n|\r//g;
 chomp ($complzoactive);
@@ -3442,7 +3480,6 @@ foreach my $dkey (keys %confighash) {
        $confighash{$key}[29] = $n2nport[1];
        $confighash{$key}[30] = $complzoactive;
        $confighash{$key}[31] = $n2ntunmtu[1];
-       $confighash{$key}[38] = $n2nmtudisc[1];
        $confighash{$key}[39] = $n2nauth[1];
        $confighash{$key}[40] = $n2ncipher[1];
        $confighash{$key}[41] = 'disabled';
@@ -3482,7 +3519,6 @@ foreach my $dkey (keys %confighash) {
                <tr><td class='boldbase' nowrap='nowrap'>MSSFIX:</td><td><b>$confighash{$key}[23]</b></td></tr>
                <tr><td class='boldbase' nowrap='nowrap'>Fragment:</td><td><b>$confighash{$key}[24]</b></td></tr>
                <tr><td class='boldbase' nowrap='nowrap'>$Lang::tr{'MTU'}</td><td><b>$confighash{$key}[31]</b></td></tr>
-               <tr><td class='boldbase' nowrap='nowrap'>$Lang::tr{'ovpn mtu-disc'}</td><td><b>$confighash{$key}[38]</b></td></tr>
                <tr><td class='boldbase' nowrap='nowrap'>Management Port </td><td><b>$confighash{$key}[22]</b></td></tr>
                <tr><td class='boldbase' nowrap='nowrap'>$Lang::tr{'ovpn hmac'}:</td><td><b>$confighash{$key}[39]</b></td></tr>
                <tr><td class='boldbase' nowrap='nowrap'>$Lang::tr{'cipher'}</td><td><b>$confighash{$key}[40]</b></td></tr>
@@ -3972,6 +4008,16 @@ if ($cgiparams{'TYPE'} eq 'net') {
                goto VPNCONF_ERROR;
        }
 
+       # Check for N2N that OpenSSL maximum of valid days will not be exceeded
+       if ($cgiparams{'TYPE'} eq 'net') {
+               if ($cgiparams{'DAYS_VALID'} >= '999999') {
+                       $errormessage = $Lang::tr{'invalid input for valid till days'};
+                       unlink ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}/$cgiparams{'NAME'}.conf") or die "Removing Configfile fail: $!";
+                       rmdir ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}") || die "Removing Directory fail: $!";
+                       goto VPNCONF_ERROR;
+               }
+       }
+
        if ($cgiparams{'ENABLED'} !~ /^(on|off)$/) {
            $errormessage = $Lang::tr{'invalid input'};
            goto VPNCONF_ERROR;
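Review bot: The new `DAYS_VALID` ceiling compares against the string literal `'999999'` and, when it trips, cleans up with `unlink ... or die` / `rmdir ... || die`, so a failure while removing the just-created n2n files turns a form validation error into an uncaught `die` (an error page for the user) instead of reaching `VPNCONF_ERROR`; use a numeric literal, `if ($cgiparams{'DAYS_VALID'} >= 999999) {`, and on cleanup failure append to `$errormessage` and still jump to the label. Note that `>=` numifies a non-numeric value to 0, so this check only bounds values that already passed digit validation, and the same ceiling is repeated for `TYPE eq 'host'` in the hunk at `@@ -4149,11 +4195,29 @@`; one check on the validated numeric value before the type-specific branches would avoid the duplication. The enclosing block starts before this hunk.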
@@ -4027,7 +4073,7 @@ if ($cgiparams{'TYPE'} eq 'net') {
            }
 
            my $temp = `/usr/bin/openssl x509 -text -in ${General::swroot}/ovpn/certs/$cgiparams{'NAME'}cert.pem`;
-           $temp =~ /Subject:.*CN=(.*)[\n]/;
+           $temp =~ /Subject:.*CN\s?=\s?(.*)[\n]/;
            $temp = $1;
            $temp =~ s+/Email+, E+;
            $temp =~ s/ ST=/ S=/;
@@ -4081,7 +4127,7 @@ if ($cgiparams{'TYPE'} eq 'net') {
            }
 
            my $temp = `/usr/bin/openssl x509 -text -in ${General::swroot}/ovpn/certs/$cgiparams{'NAME'}cert.pem`;
-           $temp =~ /Subject:.*CN=(.*)[\n]/;
+           $temp =~ /Subject:.*CN\s?=\s?(.*)[\n]/;
            $temp = $1;
            $temp =~ s+/Email+, E+;
            $temp =~ s/ ST=/ S=/;
@@ -4149,11 +4195,29 @@ if ($cgiparams{'TYPE'} eq 'net') {
                $errormessage = $Lang::tr{'passwords do not match'};
                goto VPNCONF_ERROR;
            }
-           if ($cgiparams{'DAYS_VALID'} ne '' && $cgiparams{'DAYS_VALID'} !~ /^[0-9]+$/) {
+           if ($cgiparams{'DAYS_VALID'} eq '' && $cgiparams{'DAYS_VALID'} !~ /^[0-9]+$/) {
                $errormessage = $Lang::tr{'invalid input for valid till days'};
                goto VPNCONF_ERROR;
            }
 
+           # Check for RW that OpenSSL maximum of valid days will not be exceeded
+           if ($cgiparams{'TYPE'} eq 'host') {
+               if ($cgiparams{'DAYS_VALID'} >= '999999') {
+                       $errormessage = $Lang::tr{'invalid input for valid till days'};
+                       goto VPNCONF_ERROR;
+               }
+           }
+
+               # Check for RW if client name is already set
+               if ($cgiparams{'TYPE'} eq 'host') {
+                       foreach my $key (keys %confighash) {
+                               if ($confighash{$key}[1] eq $cgiparams{'NAME'}) {
+                                       $errormessage = $Lang::tr{'a connection with this name already exists'};
+                                       goto VPNCONF_ERROR;
+                               }
+                       }
+               }
+
            # Replace empty strings with a .
            (my $ou = $cgiparams{'CERT_OU'}) =~ s/^\s*$/\./;
            (my $city = $cgiparams{'CERT_CITY'}) =~ s/^\s*$/\./;
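Review bot: The changed condition `if ($cgiparams{'DAYS_VALID'} eq '' && $cgiparams{'DAYS_VALID'} !~ /^[0-9]+$/)` is now true only for an empty value (an empty string never matches the digit pattern, so the second clause is redundant), which means a non-empty, non-numeric `DAYS_VALID` such as `12abc` passes validation, numifies to 0 at the new `>= '999999'` ceiling, and reaches the certificate-signing step. If the intent is "required and numeric", the line should be `if ($cgiparams{'DAYS_VALID'} eq '' || $cgiparams{'DAYS_VALID'} !~ /^[0-9]+$/) {`. The duplicate-name loop below is indented two levels deeper than its neighbours, which makes it read as nested inside the preceding `if`; align it with the `# Replace empty strings with a .` block that follows. The enclosing block starts before this hunk.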
@@ -4425,7 +4489,7 @@ if ($cgiparams{'TYPE'} eq 'net') {
        $cgiparams{'CERT_CITY'}         = $vpnsettings{'ROOTCERT_CITY'};
        $cgiparams{'CERT_STATE'}        = $vpnsettings{'ROOTCERT_STATE'};
        $cgiparams{'CERT_COUNTRY'}      = $vpnsettings{'ROOTCERT_COUNTRY'};
-       $cgiparams{'DAYS_VALID'}        = $vpnsettings{'DAYS_VALID'};
+       $cgiparams{'DAYS_VALID'}        = $vpnsettings{'DAYS_VALID'} = '730';
     }
 
     VPNCONF_ERROR:
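Review bot: The chained assignment `$cgiparams{'DAYS_VALID'} = $vpnsettings{'DAYS_VALID'} = '730';` overwrites the value loaded into `%vpnsettings` unconditionally, so whatever the settings file held is discarded and, if `%vpnsettings` is written back later in this code path, silently persisted as 730. If 730 is meant as a default for an unset value, write `$cgiparams{'DAYS_VALID'} = $vpnsettings{'DAYS_VALID'} || '730';` and leave the settings hash alone; if it is meant as a fixed value, drop the middle assignment so the intent is explicit. The enclosing block starts before this hunk.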
@@ -4805,7 +4869,7 @@ END
 if ($cgiparams{'TYPE'} eq 'host') {
        print <<END;
        </select></td></tr>
-               <td>&nbsp;</td><td class='base'>$Lang::tr{'valid till'} (days):</td>
+               <td>&nbsp;</td><td class='base'>$Lang::tr{'valid till'} (days):&nbsp;<img src='/blob.gif' alt='*' /</td>
                <td class='base' nowrap='nowrap'><input type='text' name='DAYS_VALID' value='$cgiparams{'DAYS_VALID'}' size='32' $cakeydisabled /></td></tr>
                <tr><td>&nbsp;</td>
                <td class='base'>$Lang::tr{'pkcs12 file password'}:</td>
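Review bot: The added `<img src='/blob.gif' alt='*' /</td>` is missing the `>` that closes the img tag, so the browser sees `<img ... / <` and the following `</td>` is swallowed into the tag; the identical typo is in the hunk at `@@ -4820,7 +4884,7 @@`. Both lines should read `<td>&nbsp;</td><td class='base'>$Lang::tr{'valid till'} (days):&nbsp;<img src='/blob.gif' alt='*' /></td>`. This is inside a heredoc whose `print <<END;` starts in the hunk but whose `END` terminator lies outside it.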
@@ -4820,7 +4884,7 @@ END
 }else{
        print <<END;
        </select></td></tr>
-               <td>&nbsp;</td><td class='base'>$Lang::tr{'valid till'} (days):</td>
+               <td>&nbsp;</td><td class='base'>$Lang::tr{'valid till'} (days):&nbsp;<img src='/blob.gif' alt='*' /</td>
                <td class='base' nowrap='nowrap'><input type='text' name='DAYS_VALID' value='$cgiparams{'DAYS_VALID'}' size='32' $cakeydisabled /></td></tr>
                <tr><td>&nbsp;</td><td>&nbsp;</td><td>&nbsp;</td></tr>
                <tr><td>&nbsp;</td><td>&nbsp;</td><td>&nbsp;</td></tr>
@@ -5101,6 +5165,20 @@ END
        &Header::closebox();
     }
 
+       if ($cryptoerror) {
+               &Header::openbox('100%', 'LEFT', $Lang::tr{'crypto error'});
+               print "<class name='base'>$cryptoerror";
+               print "&nbsp;</class>";
+               &Header::closebox();
+       }
+
+       if ($cryptowarning) {
+               &Header::openbox('100%', 'LEFT', $Lang::tr{'crypto warning'});
+               print "<class name='base'>$cryptowarning";
+               print "&nbsp;</class>";
+               &Header::closebox();
+       }
+
        if ($warnmessage) {
                &Header::openbox('100%', 'LEFT', $Lang::tr{'warning messages'});
                print "$warnmessage<br>";
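Review bot: `<class name='base'>` is not an HTML element — `class` is an attribute — so the two new boxes emit unknown tags that browsers ignore, leaving the message unstyled and a stray `</class>` behind. Print `<span class='base'>$cryptoerror&nbsp;</span>` (and likewise for `$cryptowarning`), or follow the existing `$warnmessage` box just below and print the text with a `<br>`. Both messages come from `%Lang::tr`, so no escaping is needed here; the enclosing block starts before this hunk.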