X-Git-Url: http://git.ipfire.org/?p=ipfire-2.x.git;a=blobdiff_plain;f=html%2Fcgi-bin%2Fovpnmain.cgi;h=4fb2349956f538739767e689d3a79a01e783b3c8;hp=1c2a810020db1c530c729f7679a696e5fa8ce205;hb=cdd4cf4094df9562f53e175ece8f0bcc4a1cf2f1;hpb=425465ede9a9206efb00aabd954373d780710366

diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi
index 1c2a810020..4fb2349956 100644
--- a/html/cgi-bin/ovpnmain.cgi
+++ b/html/cgi-bin/ovpnmain.cgi
@@ -64,6 +64,8 @@ my %cahash=();
 my %selected=();
 my $warnmessage = '';
 my $errormessage = '';
+my $cryptoerror = '';
+my $cryptowarning = '';
 my %settings=();
 my $routes_push_file = '';
 my $confighost="${General::swroot}/fwhosts/customhosts";
@@ -97,6 +99,8 @@ $cgiparams{'DCIPHER'} = '';
 $cgiparams{'DAUTH'} = '';
 $cgiparams{'TLSAUTH'} = '';
 $routes_push_file = "${General::swroot}/ovpn/routes_push";
+# Perform crypto and configration test
+&pkiconfigcheck;
 
 # Add CCD files if not already presant
 unless (-e $routes_push_file) {
@@ -170,7 +174,12 @@ sub cleanssldatabase
 	print FILE "";
 	close FILE;
     }
+    if (open(FILE, ">${General::swroot}/ovpn/certs/index.txt.attr")) {
+      print FILE "";
+      close FILE;
+    }
     unlink ("${General::swroot}/ovpn/certs/index.txt.old");
+    unlink ("${General::swroot}/ovpn/certs/index.txt.attr.old");
     unlink ("${General::swroot}/ovpn/certs/serial.old");
     unlink ("${General::swroot}/ovpn/certs/01.pem");
 }
@@ -185,7 +194,11 @@ sub newcleanssldatabase
     if (! -s ">${General::swroot}/ovpn/certs/index.txt") {
 	system ("touch ${General::swroot}/ovpn/certs/index.txt");
     }
+    if (! -s ">${General::swroot}/ovpn/certs/index.txt.attr") {
+      system ("touch ${General::swroot}/ovpn/certs/index.txt.attr");
+    }
     unlink ("${General::swroot}/ovpn/certs/index.txt.old");
+    unlink ("${General::swroot}/ovpn/certs/index.txt.attr.old");
     unlink ("${General::swroot}/ovpn/certs/serial.old");
 }
 
@@ -199,6 +212,45 @@ sub deletebackupcert
 	}
 }
 
+###
+### Check for PKI and configure problems
+###
+
+sub pkiconfigcheck
+{
+	# Warning if DH parameter is 1024 bit
+	if (-f "${General::swroot}/ovpn/ca/$cgiparams{'DH_NAME'}") {
+		my $dhparameter = `/usr/bin/openssl dhparam -text -in ${General::swroot}/ovpn/ca/$cgiparams{'DH_NAME'}`;
+		my @dhbit = ($dhparameter =~ /(\d+)/);
+		if ($1 < 2048) {
+			$cryptoerror = "$Lang::tr{'ovpn error dh'}";
+			goto CRYPTO_ERROR;
+		}
+	}
+
+	# Warning if md5 is in usage
+	if (-f "${General::swroot}/ovpn/certs/servercert.pem") {
+		my $signature = `/usr/bin/openssl x509 -noout -text -in ${General::swroot}/ovpn/certs/servercert.pem`;
+		if ($signature =~ /md5WithRSAEncryption/) {
+			$cryptoerror = "$Lang::tr{'ovpn error md5'}";
+			goto CRYPTO_ERROR;
+		}
+	}
+
+	CRYPTO_ERROR:
+
+	# Warning if certificate is not compliant to RFC3280 TLS rules
+	if (-f "${General::swroot}/ovpn/certs/servercert.pem") {
+		my $extendkeyusage = `/usr/bin/openssl x509 -noout -text -in ${General::swroot}/ovpn/certs/servercert.pem`;
+		if ($extendkeyusage !~ /TLS Web Server Authentication/) {
+			$cryptowarning = "$Lang::tr{'ovpn warning rfc3280'}";
+			goto CRYPTO_WARNING;
+		}
+	}
+
+	CRYPTO_WARNING:
+}
+
 sub writeserverconf {
     my %sovpnsettings = ();  
     my @temp = ();  
@@ -228,7 +280,7 @@ sub writeserverconf {
     print CONF "server $tempovpnsubnet[0] $tempovpnsubnet[1]\n";
     #print CONF "push \"route $netsettings{'GREEN_NETADDRESS'} $netsettings{'GREEN_NETMASK'}\"\n";
 
-    # Check if we are using mssfix, fragment or mtu-disc and set the corretct mtu of 1500.
+    # Check if we are using mssfix, fragment and set the corretct mtu of 1500.
     # If we doesn't use one of them, we can use the configured mtu value.
     if ($sovpnsettings{'MSSFIX'} eq 'on') 
 	{ print CONF "tun-mtu 1500\n"; }
@@ -1069,7 +1121,7 @@ unless(-d "${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}"){mkdir "${General
   close(CLIENTCONF);
 
 }
-  
+
 ###
 ### Save main settings
 ###
@@ -1181,7 +1233,7 @@ SETTINGS_ERROR:
 	    delete $confighash{$cgiparams{'$key'}};
 	}
 
-	system ("/usr/local/bin/openvpnctrl -drrd $name");
+	system ("/usr/local/bin/openvpnctrl -drrd $name &>/dev/null");
     }
     while ($file = glob("${General::swroot}/ovpn/ca/*")) {
 	unlink $file;
@@ -1291,7 +1343,6 @@ END
 		<form method='post'><input type='hidden' name='AREUSURE' value='yes' />
 		<input type='hidden' name='KEY' value='$cgiparams{'KEY'}' />
 			<select name='DHLENGHT'>
-				<option value='1024' $selected{'DHLENGHT'}{'1024'}>1024 $Lang::tr{'bit'} ($Lang::tr{'vpn weak'})</option>
 				<option value='2048' $selected{'DHLENGHT'}{'2048'}>2048 $Lang::tr{'bit'}</option>
 				<option value='3072' $selected{'DHLENGHT'}{'3072'}>3072 $Lang::tr{'bit'}</option>
 				<option value='4096' $selected{'DHLENGHT'}{'4096'}>4096 $Lang::tr{'bit'}</option>
@@ -1337,7 +1388,7 @@ END
 	goto UPLOADCA_ERROR;
     }
     my $temp = `/usr/bin/openssl dhparam -text -in $filename`;
-    if ($temp !~ /DH Parameters: \((1024|2048|3072|4096) bit\)/) {
+    if ($temp !~ /DH Parameters: \((2048|3072|4096) bit\)/) {
         $errormessage = $Lang::tr{'not a valid dh key'};
         unlink ($filename);
         goto UPLOADCA_ERROR;
@@ -1973,7 +2024,6 @@ END
 	    </select></td>
 	<tr><td class='base'>$Lang::tr{'ovpn dh'}:</td>
 		<td class='base'><select name='DHLENGHT'>
-				<option value='1024' $selected{'DHLENGHT'}{'1024'}>1024 $Lang::tr{'bit'} ($Lang::tr{'vpn weak'})</option>
 				<option value='2048' $selected{'DHLENGHT'}{'2048'}>2048 $Lang::tr{'bit'}</option>
 				<option value='3072' $selected{'DHLENGHT'}{'3072'}>3072 $Lang::tr{'bit'}</option>
 				<option value='4096' $selected{'DHLENGHT'}{'4096'}>4096 $Lang::tr{'bit'}</option>
@@ -2142,15 +2192,6 @@ if ($confighash{$cgiparams{'KEY'}}[3] eq 'net'){
    if ($confighash{$cgiparams{'KEY'}}[24] ne '') {print CLIENTCONF "fragment $confighash{$cgiparams{'KEY'}}[24]\n";}
    if ($confighash{$cgiparams{'KEY'}}[23] eq 'on') {print CLIENTCONF "mssfix\n";}
    }
-   if (($confighash{$cgiparams{'KEY'}}[38] eq 'yes') ||
-       ($confighash{$cgiparams{'KEY'}}[38] eq 'maybe') ||
-       ($confighash{$cgiparams{'KEY'}}[38] eq 'no' )) {
-	if (($confighash{$cgiparams{'KEY'}}[23] ne 'on') || ($confighash{$cgiparams{'KEY'}}[24] eq '')) {
-		if ($tunmtu eq '1500' ) {
-			print CLIENTCONF "mtu-disc $confighash{$cgiparams{'KEY'}}[38]\n";
-		}
-	}
-   }
    # Check host certificate if X509 is RFC3280 compliant.
    # If not, old --ns-cert-type directive will be used.
    # If appropriate key usage extension exists, new --remote-cert-tls directive will be used.
@@ -2231,7 +2272,7 @@ else
     print CLIENTCONF "dev tun\r\n";
     print CLIENTCONF "proto $vpnsettings{'DPROTOCOL'}\r\n";
 
-    # Check if we are using fragment, mssfix or mtu-disc and set MTU to 1500
+    # Check if we are using fragment, mssfix and set MTU to 1500
     # or use configured value.
     if ($vpnsettings{FRAGMENT} ne '' && $vpnsettings{DPROTOCOL} ne 'tcp' )
 	{ print CLIENTCONF "tun-mtu 1500\r\n"; }
@@ -3337,7 +3378,6 @@ my $complzoactive;
 my $mssfixactive;
 my $authactive;
 my $n2nfragment;
-my @n2nmtudisc = split(/ /, (grep { /^mtu-disc/ } @firen2nconf)[0]);
 my @n2nproto2 = split(/ /, (grep { /^proto/ } @firen2nconf)[0]);
 my @n2nproto = split(/-/, $n2nproto2[1]);
 my @n2nport = split(/ /, (grep { /^port/ } @firen2nconf)[0]);
@@ -3373,7 +3413,6 @@ $n2nremsub[2] =~ s/\n|\r//g;
 $n2nlocalsub[2] =~ s/\n|\r//g;
 $n2nfragment[1] =~ s/\n|\r//g;
 $n2nmgmt[2] =~ s/\n|\r//g;
-$n2nmtudisc[1] =~ s/\n|\r//g;
 $n2ncipher[1] =~ s/\n|\r//g;
 $n2nauth[1] =~ s/\n|\r//g;
 chomp ($complzoactive);
@@ -3450,7 +3489,6 @@ foreach my $dkey (keys %confighash) {
 	$confighash{$key}[29] = $n2nport[1];
 	$confighash{$key}[30] = $complzoactive;
 	$confighash{$key}[31] = $n2ntunmtu[1];
-	$confighash{$key}[38] = $n2nmtudisc[1];
 	$confighash{$key}[39] = $n2nauth[1];
 	$confighash{$key}[40] = $n2ncipher[1];
 	$confighash{$key}[41] = 'disabled';
@@ -3490,7 +3528,6 @@ foreach my $dkey (keys %confighash) {
 		<tr><td class='boldbase' nowrap='nowrap'>MSSFIX:</td><td><b>$confighash{$key}[23]</b></td></tr>
 		<tr><td class='boldbase' nowrap='nowrap'>Fragment:</td><td><b>$confighash{$key}[24]</b></td></tr>
 		<tr><td class='boldbase' nowrap='nowrap'>$Lang::tr{'MTU'}</td><td><b>$confighash{$key}[31]</b></td></tr>
-		<tr><td class='boldbase' nowrap='nowrap'>$Lang::tr{'ovpn mtu-disc'}</td><td><b>$confighash{$key}[38]</b></td></tr>
 		<tr><td class='boldbase' nowrap='nowrap'>Management Port </td><td><b>$confighash{$key}[22]</b></td></tr>
 		<tr><td class='boldbase' nowrap='nowrap'>$Lang::tr{'ovpn hmac'}:</td><td><b>$confighash{$key}[39]</b></td></tr>
 		<tr><td class='boldbase' nowrap='nowrap'>$Lang::tr{'cipher'}</td><td><b>$confighash{$key}[40]</b></td></tr>
@@ -4045,7 +4082,7 @@ if ($cgiparams{'TYPE'} eq 'net') {
 	    }
 
 	    my $temp = `/usr/bin/openssl x509 -text -in ${General::swroot}/ovpn/certs/$cgiparams{'NAME'}cert.pem`;
-	    $temp =~ /Subject:.*CN=(.*)[\n]/;
+	    $temp =~ /Subject:.*CN\s?=\s?(.*)[\n]/;
 	    $temp = $1;
 	    $temp =~ s+/Email+, E+;
 	    $temp =~ s/ ST=/ S=/;
@@ -4099,7 +4136,7 @@ if ($cgiparams{'TYPE'} eq 'net') {
 	    }
 
 	    my $temp = `/usr/bin/openssl x509 -text -in ${General::swroot}/ovpn/certs/$cgiparams{'NAME'}cert.pem`;
-	    $temp =~ /Subject:.*CN=(.*)[\n]/;
+	    $temp =~ /Subject:.*CN\s?=\s?(.*)[\n]/;
 	    $temp = $1;
 	    $temp =~ s+/Email+, E+;
 	    $temp =~ s/ ST=/ S=/;
@@ -4180,6 +4217,16 @@ if ($cgiparams{'TYPE'} eq 'net') {
 		}
 	    }
 
+		# Check for RW if client name is already set
+		if ($cgiparams{'TYPE'} eq 'host') {
+			foreach my $key (keys %confighash) {
+				if ($confighash{$key}[1] eq $cgiparams{'NAME'}) {
+					$errormessage = $Lang::tr{'a connection with this name already exists'};
+					goto VPNCONF_ERROR;
+				}
+			}
+		}
+
 	    # Replace empty strings with a .
 	    (my $ou = $cgiparams{'CERT_OU'}) =~ s/^\s*$/\./;
 	    (my $city = $cgiparams{'CERT_CITY'}) =~ s/^\s*$/\./;
@@ -4451,7 +4498,7 @@ if ($cgiparams{'TYPE'} eq 'net') {
 	$cgiparams{'CERT_CITY'}         = $vpnsettings{'ROOTCERT_CITY'};
 	$cgiparams{'CERT_STATE'}        = $vpnsettings{'ROOTCERT_STATE'};
 	$cgiparams{'CERT_COUNTRY'}      = $vpnsettings{'ROOTCERT_COUNTRY'};
-	$cgiparams{'DAYS_VALID'}     	= $vpnsettings{'DAYS_VALID'};
+	$cgiparams{'DAYS_VALID'}     	= $vpnsettings{'DAYS_VALID'} = '730';
     }
 
     VPNCONF_ERROR:
@@ -5127,6 +5174,20 @@ END
 	&Header::closebox();
     }
 
+	if ($cryptoerror) {
+		&Header::openbox('100%', 'LEFT', $Lang::tr{'crypto error'});
+		print "<class name='base'>$cryptoerror";
+		print "&nbsp;</class>";
+		&Header::closebox();
+	}
+
+	if ($cryptowarning) {
+		&Header::openbox('100%', 'LEFT', $Lang::tr{'crypto warning'});
+		print "<class name='base'>$cryptowarning";
+		print "&nbsp;</class>";
+		&Header::closebox();
+	}
+
 	if ($warnmessage) {
 		&Header::openbox('100%', 'LEFT', $Lang::tr{'warning messages'});
 		print "$warnmessage<br>";