X-Git-Url: http://git.ipfire.org/?p=ipfire-2.x.git;a=blobdiff_plain;f=html%2Fcgi-bin%2Fvpnmain.cgi;h=1d75356406ffc81e741979a711d1ba87c026aaa8;hp=052b3e3092e4405df36dbd087383605cad8d5ec6;hb=3bcb59ab211cec80576e8e0c1202364e3001defc;hpb=9063a04e94587fc38f410ec2234275417de201ad diff --git a/html/cgi-bin/vpnmain.cgi b/html/cgi-bin/vpnmain.cgi index 052b3e3092..1d75356406 100644 --- a/html/cgi-bin/vpnmain.cgi +++ b/html/cgi-bin/vpnmain.cgi @@ -310,67 +310,33 @@ sub writeipsecfiles { # Algorithms if ($lconfighash{$key}[18] && $lconfighash{$key}[19] && $lconfighash{$key}[20]) { - print CONF "\tike="; - my @encs = split('\|', $lconfighash{$key}[18]); - my @ints = split('\|', $lconfighash{$key}[19]); - my @groups = split('\|', $lconfighash{$key}[20]); - my $comma = 0; - foreach my $i (@encs) { - foreach my $j (@ints) { - foreach my $k (@groups) { - if ($comma != 0) { print CONF ","; } else { $comma = 1; } - - my @l = split("", $k); - if ($l[0] eq "e") { - shift @l; - print CONF "$i-$j-ecp".join("", @l); - } else { - print CONF "$i-$j-modp$k"; - } - } - } - } - if ($lconfighash{$key}[24] eq 'on') { #only proposed algorythms? - print CONF "!\n"; - } else { - print CONF "\n"; - } + my @encs = split('\|', $lconfighash{$key}[18]); + my @ints = split('\|', $lconfighash{$key}[19]); + my @groups = split('\|', $lconfighash{$key}[20]); + + my @algos = &make_algos("ike", \@encs, \@ints, \@groups, 1); + print CONF "\tike=" . join(",", @algos); + + if ($lconfighash{$key}[24] eq 'on') { #only proposed algorythms? + print CONF "!\n"; + } else { + print CONF "\n"; + } } + if ($lconfighash{$key}[21] && $lconfighash{$key}[22]) { - print CONF "\tesp="; - my @encs = split('\|', $lconfighash{$key}[21]); - my @ints = split('\|', $lconfighash{$key}[22]); - my @groups = split('\|', $lconfighash{$key}[20]); - my $comma = 0; - foreach my $i (@encs) { - foreach my $j (@ints) { - my $modp = ""; - if ($pfs eq "on") { - foreach my $k (@groups) { - if ($comma != 0) { print CONF ","; } else { $comma = 1; } - if ($pfs eq "on") { - my @l = split("", $k); - if ($l[0] eq "e") { - $modp = ""; - } else { - $modp = "-modp$k"; - } - } else { - $modp = ""; - } - print CONF "$i-$j$modp"; - } - } else { - if ($comma != 0) { print CONF ","; } else { $comma = 1; } - print CONF "$i-$j"; - } + my @encs = split('\|', $lconfighash{$key}[21]); + my @ints = split('\|', $lconfighash{$key}[22]); + my @groups = split('\|', $lconfighash{$key}[20]); + + my @algos = &make_algos("esp", \@encs, \@ints, \@groups, ($pfs eq "on")); + print CONF "\tesp=" . join(",", @algos); + + if ($lconfighash{$key}[24] eq 'on') { #only proposed algorythms? + print CONF "!\n"; + } else { + print CONF "\n"; } - } - if ($lconfighash{$key}[24] eq 'on') { #only proposed algorythms? - print CONF "!\n"; - } else { - print CONF "\n"; - } } # IKE V1 or V2 @@ -397,12 +363,12 @@ sub writeipsecfiles { print CONF "\tdpddelay=0\n"; } } else { - my $dpddelay = $lconfighash{$key}[30]; + my $dpddelay = $lconfighash{$key}[31]; if (!$dpddelay) { $dpddelay = 30; } print CONF "\tdpddelay=$dpddelay\n"; - my $dpdtimeout = $lconfighash{$key}[31]; + my $dpdtimeout = $lconfighash{$key}[30]; if (!$dpdtimeout) { $dpdtimeout = 120; } @@ -435,6 +401,10 @@ sub writeipsecfiles { } else { print CONF "\tauto=start\n"; } + + # Fragmentation + print CONF "\tfragmentation=yes\n"; + print CONF "\n"; }#foreach key print SECRETS $last_secrets if ($last_secrets); @@ -511,7 +481,7 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'save'} && $cgiparams{'TYPE'} eq '' && $cg ### } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'remove x509'}) { &Header::showhttpheaders(); - &Header::openpage($Lang::tr{'vpn configuration main'}, 1, ''); + &Header::openpage($Lang::tr{'ipsec'}, 1, ''); &Header::openbigbox('100%', 'left', '', ''); &Header::openbox('100%', 'left', $Lang::tr{'are you sure'}); print <$Lang::tr{'capswarning'}: $Lang::tr{'generating the root and host certificates may take a long time. it can take up to several minutes on older hardware. please be patient'} -
+
$Lang::tr{'upload p12 file'}: $Lang::tr{'pkcs12 file password'}: * @@ -1141,7 +1111,7 @@ END if ( -f "${General::swroot}/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem") { &Header::showhttpheaders(); - &Header::openpage($Lang::tr{'vpn configuration main'}, 1, ''); + &Header::openpage($Lang::tr{'ipsec'}, 1, ''); &Header::openbigbox('100%', 'left', '', ''); &Header::openbox('100%', 'left', "$Lang::tr{'cert'}:"); my $output = `/usr/bin/openssl x509 -text -in ${General::swroot}/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem`; @@ -1225,13 +1195,13 @@ END } else { $errormessage = $Lang::tr{'invalid key'}; } - + &General::firewall_reload(); ### ### Choose between adding a host-net or net-net connection ### } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'add'} && $cgiparams{'TYPE'} eq '') { &Header::showhttpheaders(); - &Header::openpage($Lang::tr{'vpn configuration main'}, 1, ''); + &Header::openpage($Lang::tr{'ipsec'}, 1, ''); &Header::openbigbox('100%', 'left', '', ''); &Header::openbox('100%', 'left', $Lang::tr{'connection type'}); print <".$warnmessage; + } + } + if ($cgiparams{'AUTH'} eq 'psk') { if (! length($cgiparams{'PSK'}) ) { $errormessage = $Lang::tr{'pre-shared key is too short'}; @@ -1444,7 +1413,7 @@ END # Sign the certificate request &General::log("ipsec", "Signing your cert $cgiparams{'NAME'}..."); - my $opt = " ca -days 999999"; + my $opt = " ca -md sha256 -days 999999"; $opt .= " -batch -notext"; $opt .= " -in $filename"; $opt .= " -out ${General::swroot}/certs/$cgiparams{'NAME'}cert.pem"; @@ -1674,12 +1643,12 @@ END (my $city = $cgiparams{'CERT_CITY'}) =~ s/^\s*$/\./; (my $state = $cgiparams{'CERT_STATE'}) =~ s/^\s*$/\./; - # Create the Host certificate request + # Create the Client certificate request &General::log("ipsec", "Creating a cert..."); if (open(STDIN, "-|")) { my $opt = " req -nodes -rand /proc/interrupts:/proc/net/rt_cache"; - $opt .= " -newkey rsa:1024"; + $opt .= " -newkey rsa:2048"; $opt .= " -keyout ${General::swroot}/certs/$cgiparams{'NAME'}key.pem"; $opt .= " -out ${General::swroot}/certs/$cgiparams{'NAME'}req.pem"; @@ -1701,7 +1670,7 @@ END exit (0); } - # Sign the host certificate request + # Sign the client certificate request &General::log("ipsec", "Signing the cert $cgiparams{'NAME'}..."); #No easy way for specifying the contain of subjectAltName without writing a config file... @@ -1710,13 +1679,14 @@ END basicConstraints=CA:FALSE nsComment="OpenSSL Generated Certificate" subjectKeyIdentifier=hash + extendedKeyUsage=clientAuth authorityKeyIdentifier=keyid,issuer:always END ; print $fh "subjectAltName=$cgiparams{'SUBJECTALTNAME'}" if ($cgiparams{'SUBJECTALTNAME'}); close ($fh); - my $opt = " ca -days 999999 -batch -notext"; + my $opt = " ca -md sha256 -days 999999 -batch -notext"; $opt .= " -in ${General::swroot}/certs/$cgiparams{'NAME'}req.pem"; $opt .= " -out ${General::swroot}/certs/$cgiparams{'NAME'}cert.pem"; $opt .= " -extfile $v3extname"; @@ -1879,12 +1849,12 @@ END $cgiparams{'REMOTE_ID'} = ''; #use default advanced value - $cgiparams{'IKE_ENCRYPTION'} = 'aes256|aes192|aes128|3des'; #[18]; - $cgiparams{'IKE_INTEGRITY'} = 'sha2_256|sha|md5'; #[19]; + $cgiparams{'IKE_ENCRYPTION'} = 'aes256gcm128|aes256gcm96|aes256gcm64|aes256|aes192gcm128|aes192gcm96|aes192gcm64|aes192|aes128gcm128|aes128gcm96|aes128gcm64|aes128'; #[18]; + $cgiparams{'IKE_INTEGRITY'} = 'sha2_512|sha2_256|sha'; #[19]; $cgiparams{'IKE_GROUPTYPE'} = '4096|3072|2048|1536|1024'; #[20]; $cgiparams{'IKE_LIFETIME'} = '3'; #[16]; - $cgiparams{'ESP_ENCRYPTION'} = 'aes256|aes192|aes128|3des'; #[21]; - $cgiparams{'ESP_INTEGRITY'} = 'sha2_256|sha1|md5'; #[22]; + $cgiparams{'ESP_ENCRYPTION'} = 'aes256gcm128|aes256gcm96|aes256gcm64|aes256|aes192gcm128|aes192gcm96|aes192gcm64|aes192|aes128gcm128|aes128gcm96|aes128gcm64|aes128'; #[21]; + $cgiparams{'ESP_INTEGRITY'} = 'sha2_512|sha2_256|sha1'; #[22]; $cgiparams{'ESP_GROUPTYPE'} = ''; #[23]; $cgiparams{'ESP_KEYLIFE'} = '1'; #[17]; $cgiparams{'COMPRESSION'} = 'on'; #[13]; @@ -1911,7 +1881,7 @@ END $checked{'AUTH'}{$cgiparams{'AUTH'}} = "checked='checked'"; &Header::showhttpheaders(); - &Header::openpage($Lang::tr{'vpn configuration main'}, 1, ''); + &Header::openpage($Lang::tr{'ipsec'}, 1, ''); &Header::openbigbox('100%', 'left', '', $errormessage); if ($errormessage) { &Header::openbox('100%', 'left', $Lang::tr{'error messages'}); @@ -2138,7 +2108,7 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) || goto ADVANCED_ERROR; } foreach my $val (@temp) { - if ($val !~ /^(aes256|aes192|aes128|3des|camellia256|camellia192|camellia128)$/) { + if ($val !~ /^(aes(256|192|128)(gcm(128|96|64))?|3des|camellia(256|192|128))$/) { $errormessage = $Lang::tr{'invalid input'}; goto ADVANCED_ERROR; } @@ -2149,7 +2119,7 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) || goto ADVANCED_ERROR; } foreach my $val (@temp) { - if ($val !~ /^(sha2_512|sha2_384|sha2_256|sha|md5|aesxcbc)$/) { + if ($val !~ /^(sha2_(512|384|256)|sha|md5|aesxcbc)$/) { $errormessage = $Lang::tr{'invalid input'}; goto ADVANCED_ERROR; } @@ -2179,7 +2149,7 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) || goto ADVANCED_ERROR; } foreach my $val (@temp) { - if ($val !~ /^(aes256|aes192|aes128|3des|camellia256|camellia192|camellia128)$/) { + if ($val !~ /^(aes(256|192|128)(gcm(128|96|64))?|3des|camellia(256|192|128))$/) { $errormessage = $Lang::tr{'invalid input'}; goto ADVANCED_ERROR; } @@ -2190,7 +2160,7 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) || goto ADVANCED_ERROR; } foreach my $val (@temp) { - if ($val !~ /^(sha2_512|sha2_384|sha2_256|sha1|md5|aesxcbc)$/) { + if ($val !~ /^(sha2_(512|384|256)|sha1|md5|aesxcbc)$/) { $errormessage = $Lang::tr{'invalid input'}; goto ADVANCED_ERROR; } @@ -2290,6 +2260,15 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) || $checked{'IKE_ENCRYPTION'}{'aes256'} = ''; $checked{'IKE_ENCRYPTION'}{'aes192'} = ''; $checked{'IKE_ENCRYPTION'}{'aes128'} = ''; + $checked{'IKE_ENCRYPTION'}{'aes256gcm128'} = ''; + $checked{'IKE_ENCRYPTION'}{'aes192gcm128'} = ''; + $checked{'IKE_ENCRYPTION'}{'aes128gcm128'} = ''; + $checked{'IKE_ENCRYPTION'}{'aes256gcm96'} = ''; + $checked{'IKE_ENCRYPTION'}{'aes192gcm96'} = ''; + $checked{'IKE_ENCRYPTION'}{'aes128gcm96'} = ''; + $checked{'IKE_ENCRYPTION'}{'aes256gcm64'} = ''; + $checked{'IKE_ENCRYPTION'}{'aes192gcm64'} = ''; + $checked{'IKE_ENCRYPTION'}{'aes128gcm64'} = ''; $checked{'IKE_ENCRYPTION'}{'3des'} = ''; $checked{'IKE_ENCRYPTION'}{'camellia256'} = ''; $checked{'IKE_ENCRYPTION'}{'camellia192'} = ''; @@ -2321,6 +2300,15 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) || $checked{'ESP_ENCRYPTION'}{'aes256'} = ''; $checked{'ESP_ENCRYPTION'}{'aes192'} = ''; $checked{'ESP_ENCRYPTION'}{'aes128'} = ''; + $checked{'ESP_ENCRYPTION'}{'aes256gcm128'} = ''; + $checked{'ESP_ENCRYPTION'}{'aes192gcm128'} = ''; + $checked{'ESP_ENCRYPTION'}{'aes128gcm128'} = ''; + $checked{'ESP_ENCRYPTION'}{'aes256gcm96'} = ''; + $checked{'ESP_ENCRYPTION'}{'aes192gcm96'} = ''; + $checked{'ESP_ENCRYPTION'}{'aes128gcm96'} = ''; + $checked{'ESP_ENCRYPTION'}{'aes256gcm64'} = ''; + $checked{'ESP_ENCRYPTION'}{'aes192gcm64'} = ''; + $checked{'ESP_ENCRYPTION'}{'aes128gcm64'} = ''; $checked{'ESP_ENCRYPTION'}{'3des'} = ''; $checked{'ESP_ENCRYPTION'}{'camellia256'} = ''; $checked{'ESP_ENCRYPTION'}{'camellia192'} = ''; @@ -2353,7 +2341,7 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) || $selected{'DPD_ACTION'}{$cgiparams{'DPD_ACTION'}} = "selected='selected'"; &Header::showhttpheaders(); - &Header::openpage($Lang::tr{'vpn configuration main'}, 1, ''); + &Header::openpage($Lang::tr{'ipsec'}, 1, ''); &Header::openbigbox('100%', 'left', '', $errormessage); if ($errormessage) { @@ -2399,24 +2387,42 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) || $Lang::tr{'encryption'} @@ -2428,9 +2434,9 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) || + - @@ -2438,9 +2444,9 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) || + - @@ -2458,14 +2464,14 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) || - IKE+ESP: $Lang::tr{'use only proposed settings'} + IKE+ESP: $Lang::tr{'use only proposed settings'} @@ -2602,7 +2608,7 @@ EOF $checked{'ENABLED'} = $cgiparams{'ENABLED'} eq 'on' ? "checked='checked'" : ''; &Header::showhttpheaders(); - &Header::openpage($Lang::tr{'vpn configuration main'}, 1, ''); + &Header::openpage($Lang::tr{'ipsec'}, 1, ''); &Header::openbigbox('100%', 'left', '', $errormessage); if ($errormessage) { @@ -2612,6 +2618,16 @@ EOF &Header::closebox(); } + if ($warnmessage) { + &Header::openbox('100%', 'left', $Lang::tr{'warning messages'}); + print "$warnmessage
"; + print "$Lang::tr{'fwdfw warn1'}
"; + &Header::closebox(); + print"
"; + &Header::closepage(); + exit 0; + } + &Header::openbox('100%', 'left', $Lang::tr{'global settings'}); print < @@ -2632,17 +2648,18 @@ print <$Lang::tr{'host to net vpn'}: * - + +
- + - +
*$Lang::tr{'this field may be blank'}$Lang::tr{'this field may be blank'}
**  $Lang::tr{'vpn delayed start help'}
END @@ -2685,21 +2702,24 @@ END print " "; } print "$confighash{$key}[25]"; + my $col1="bgcolor='${Header::colourred}'"; # get real state - my $active = "
$Lang::tr{'capsclosed'}
"; + my $active = "$Lang::tr{'capsclosed'}"; foreach my $line (@status) { if (($line =~ /\"$confighash{$key}[1]\".*IPsec SA established/) || ($line =~ /$confighash{$key}[1]\{.*INSTALLED/)) { - $active = "
$Lang::tr{'capsopen'}
"; + $col1="bgcolor='${Header::colourgreen}'"; + $active = "$Lang::tr{'capsopen'}"; } } # move to blueif really down - if ($confighash{$key}[0] eq 'off' && $active =~ /${Header::colourred}/ ) { - $active = "
$Lang::tr{'capsclosed'}
"; + if ($confighash{$key}[0] eq 'off' && $col1 =~ /${Header::colourred}/ ) { + $col1="bgcolor='${Header::colourblue}'"; + $active = "$Lang::tr{'capsclosed'}"; } print <$active + $active
@@ -2806,7 +2826,7 @@ END print < - + @@ -2816,7 +2836,7 @@ END ; &Header::closebox(); - &Header::openbox('100%', 'left', "$Lang::tr{'certificate authorities'}:"); + &Header::openbox('100%', 'left', "$Lang::tr{'certificate authorities'}"); print < @@ -2949,6 +2969,7 @@ END } my $createCA = -f "${General::swroot}/ca/cacert.pem" ? '' : ""; print <
@@ -2961,7 +2982,7 @@ END - +
$Lang::tr{'resetting the vpn configuration will remove the root ca, the host certificate and all certificate based connections'}:
@@ -2970,3 +2991,56 @@ END &Header::closebox(); &Header::closebigbox(); &Header::closepage(); + +sub array_unique($) { + my $array = shift; + my @unique = (); + + my %seen = (); + foreach my $e (@$array) { + next if $seen{$e}++; + push(@unique, $e); + } + + return @unique; +} + +sub make_algos($$$$$) { + my ($mode, $encs, $ints, $grps, $pfs) = @_; + my @algos = (); + + foreach my $enc (@$encs) { + foreach my $int (@$ints) { + foreach my $grp (@$grps) { + my @algo = ($enc); + + if ($mode eq "ike") { + push(@algo, $int); + + if ($grp =~ m/^e(\d+)/) { + push(@algo, "ecp$1"); + } else { + push(@algo, "modp$grp"); + } + + } elsif ($mode eq "esp" && $pfs) { + my $is_aead = ($enc =~ m/[cg]cm/); + + if (!$is_aead) { + push(@algo, $int); + } + + if ($grp =~ m/^e(\d+)/) { + push(@algo, "ecp$1"); + } else { + push(@algo, "modp$grp"); + } + } + + push(@algos, join("-", @algo)); + } + } + } + + return &array_unique(\@algos); +}