OpenVPN: x509 and DH-parameter check with Warnings and error messages in WUI

[ipfire-2.x.git] / html / cgi-bin / ovpnmain.cgi

diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi
index 5cd19a0f38f564c54e672814e0b5918134889b17..f06e7cf03c8b854adc58e8b81f8c616aaffc9c34 100644 (file)
--- a/html/cgi-bin/ovpnmain.cgi
+++ b/html/cgi-bin/ovpnmain.cgi
@@ -64,6 +64,8 @@ my %cahash=();
 my %selected=();
 my $warnmessage = '';
 my $errormessage = '';
+my $cryptoerror = '';
+my $cryptowarning = '';
 my %settings=();
 my $routes_push_file = '';
 my $confighost="${General::swroot}/fwhosts/customhosts";
@@ -97,6 +99,8 @@ $cgiparams{'DCIPHER'} = '';
 $cgiparams{'DAUTH'} = '';
 $cgiparams{'TLSAUTH'} = '';
 $routes_push_file = "${General::swroot}/ovpn/routes_push";
+# Perform crypto and configration test
+&pkiconfigcheck;
 
 # Add CCD files if not already presant
 unless (-e $routes_push_file) {
@@ -199,6 +203,45 @@ sub deletebackupcert
        }
 }
 
+###
+### Check for PKI and configure problems
+###
+
+sub pkiconfigcheck
+{
+       # Warning if DH parameter is 1024 bit
+       if (-f "${General::swroot}/ovpn/ca/$cgiparams{'DH_NAME'}") {
+               my $dhparameter = `/usr/bin/openssl dhparam -text -in ${General::swroot}/ovpn/ca/$cgiparams{'DH_NAME'}`;
+               my @dhbit = ($dhparameter =~ /(\d+)/);
+               if ($1 < 2048) {
+                       $cryptoerror = "$Lang::tr{'ovpn error dh'}";
+                       goto CRYPTO_ERROR;
+               }
+       }
+
+       # Warning if md5 is in usage
+       if (-f "${General::swroot}/ovpn/certs/servercert.pem") {
+               my $signature = `/usr/bin/openssl x509 -noout -text -in ${General::swroot}/ovpn/certs/servercert.pem`;
+               if ($signature =~ /md5WithRSAEncryption/) {
+                       $cryptoerror = "$Lang::tr{'ovpn error md5'}";
+                       goto CRYPTO_ERROR;
+               }
+       }
+
+       CRYPTO_ERROR:
+
+       # Warning if certificate is not compliant to RFC3280 TLS rules
+       if (-f "${General::swroot}/ovpn/certs/servercert.pem") {
+               my $extendkeyusage = `/usr/bin/openssl x509 -noout -text -in ${General::swroot}/ovpn/certs/servercert.pem`;
+               if ($extendkeyusage !~ /TLS Web Server Authentication/) {
+                       $cryptowarning = "$Lang::tr{'ovpn warning rfc3280'}";
+                       goto CRYPTO_WARNING;
+               }
+       }
+
+       CRYPTO_WARNING:
+}
+
 sub writeserverconf {
     my %sovpnsettings = ();  
     my @temp = ();  
@@ -1069,7 +1112,7 @@ unless(-d "${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}"){mkdir "${General
   close(CLIENTCONF);
 
 }
-  
+
 ###
 ### Save main settings
 ###
@@ -1336,7 +1379,7 @@ END
        goto UPLOADCA_ERROR;
     }
     my $temp = `/usr/bin/openssl dhparam -text -in $filename`;
-    if ($temp !~ /DH Parameters: \((1024|2048|3072|4096) bit\)/) {
+    if ($temp !~ /DH Parameters: \((2048|3072|4096) bit\)/) {
         $errormessage = $Lang::tr{'not a valid dh key'};
         unlink ($filename);
         goto UPLOADCA_ERROR;
@@ -5135,6 +5178,20 @@ END
        &Header::closebox();
     }
 
+       if ($cryptoerror) {
+               &Header::openbox('100%', 'LEFT', $Lang::tr{'crypto error'});
+               print "<class name='base'>$cryptoerror";
+               print "&nbsp;</class>";
+               &Header::closebox();
+       }
+
+       if ($cryptowarning) {
+               &Header::openbox('100%', 'LEFT', $Lang::tr{'crypto warning'});
+               print "<class name='base'>$cryptowarning";
+               print "&nbsp;</class>";
+               &Header::closebox();
+       }
+
        if ($warnmessage) {
                &Header::openbox('100%', 'LEFT', $Lang::tr{'warning messages'});
                print "$warnmessage<br>";