X-Git-Url: http://git.ipfire.org/?p=ipfire-2.x.git;a=blobdiff_plain;f=html%2Fcgi-bin%2Fvpnmain.cgi;h=55566d7cfb8ffa9df59c85dd4ab615ce8a162bc3;hp=26f6f5311dbf96346f454e7f873c0c9e9cbc4d49;hb=e8b3bb0edcf5b6768326b01620f318a56aaf4814;hpb=b339fb7f142ac96d440b0951728d194f0c2a5fc2 diff --git a/html/cgi-bin/vpnmain.cgi b/html/cgi-bin/vpnmain.cgi index 26f6f5311d..55566d7cfb 100644 --- a/html/cgi-bin/vpnmain.cgi +++ b/html/cgi-bin/vpnmain.cgi @@ -310,67 +310,33 @@ sub writeipsecfiles { # Algorithms if ($lconfighash{$key}[18] && $lconfighash{$key}[19] && $lconfighash{$key}[20]) { - print CONF "\tike="; - my @encs = split('\|', $lconfighash{$key}[18]); - my @ints = split('\|', $lconfighash{$key}[19]); - my @groups = split('\|', $lconfighash{$key}[20]); - my $comma = 0; - foreach my $i (@encs) { - foreach my $j (@ints) { - foreach my $k (@groups) { - if ($comma != 0) { print CONF ","; } else { $comma = 1; } - - my @l = split("", $k); - if ($l[0] eq "e") { - shift @l; - print CONF "$i-$j-ecp".join("", @l); - } else { - print CONF "$i-$j-modp$k"; - } - } - } - } - if ($lconfighash{$key}[24] eq 'on') { #only proposed algorythms? - print CONF "!\n"; - } else { - print CONF "\n"; - } + my @encs = split('\|', $lconfighash{$key}[18]); + my @ints = split('\|', $lconfighash{$key}[19]); + my @groups = split('\|', $lconfighash{$key}[20]); + + my @algos = &make_algos("ike", \@encs, \@ints, \@groups, 1); + print CONF "\tike=" . join(",", @algos); + + if ($lconfighash{$key}[24] eq 'on') { #only proposed algorythms? + print CONF "!\n"; + } else { + print CONF "\n"; + } } + if ($lconfighash{$key}[21] && $lconfighash{$key}[22]) { - print CONF "\tesp="; - my @encs = split('\|', $lconfighash{$key}[21]); - my @ints = split('\|', $lconfighash{$key}[22]); - my @groups = split('\|', $lconfighash{$key}[20]); - my $comma = 0; - foreach my $i (@encs) { - foreach my $j (@ints) { - my $modp = ""; - if ($pfs eq "on") { - foreach my $k (@groups) { - if ($comma != 0) { print CONF ","; } else { $comma = 1; } - if ($pfs eq "on") { - my @l = split("", $k); - if ($l[0] eq "e") { - $modp = ""; - } else { - $modp = "-modp$k"; - } - } else { - $modp = ""; - } - print CONF "$i-$j$modp"; - } - } else { - if ($comma != 0) { print CONF ","; } else { $comma = 1; } - print CONF "$i-$j"; - } + my @encs = split('\|', $lconfighash{$key}[21]); + my @ints = split('\|', $lconfighash{$key}[22]); + my @groups = split('\|', $lconfighash{$key}[20]); + + my @algos = &make_algos("esp", \@encs, \@ints, \@groups, ($pfs eq "on")); + print CONF "\tesp=" . join(",", @algos); + + if ($lconfighash{$key}[24] eq 'on') { #only proposed algorythms? + print CONF "!\n"; + } else { + print CONF "\n"; } - } - if ($lconfighash{$key}[24] eq 'on') { #only proposed algorythms? - print CONF "!\n"; - } else { - print CONF "\n"; - } } # IKE V1 or V2 @@ -435,6 +401,10 @@ sub writeipsecfiles { } else { print CONF "\tauto=start\n"; } + + # Fragmentation + print CONF "\tfragmentation=yes\n"; + print CONF "\n"; }#foreach key print SECRETS $last_secrets if ($last_secrets); @@ -961,9 +931,9 @@ END if (!$errormessage) { &General::log("ipsec", "Creating cacert..."); if (open(STDIN, "-|")) { - my $opt = " req -x509 -nodes -rand /proc/interrupts:/proc/net/rt_cache"; + my $opt = " req -x509 -sha256 -nodes"; $opt .= " -days 999999"; - $opt .= " -newkey rsa:2048"; + $opt .= " -newkey rsa:4096"; $opt .= " -keyout ${General::swroot}/private/cakey.pem"; $opt .= " -out ${General::swroot}/ca/cacert.pem"; @@ -984,8 +954,8 @@ END if (!$errormessage) { &General::log("ipsec", "Creating host cert..."); if (open(STDIN, "-|")) { - my $opt = " req -nodes -rand /proc/interrupts:/proc/net/rt_cache"; - $opt .= " -newkey rsa:1024"; + my $opt = " req -sha256 -nodes"; + $opt .= " -newkey rsa:2048"; $opt .= " -keyout ${General::swroot}/certs/hostkey.pem"; $opt .= " -out ${General::swroot}/certs/hostreq.pem"; $errormessage = &callssl ($opt); @@ -1020,7 +990,7 @@ END print $fh "subjectAltName=$cgiparams{'SUBJECTALTNAME'}" if ($cgiparams{'SUBJECTALTNAME'}); close ($fh); - my $opt = " ca -days 999999"; + my $opt = " ca -md sha256 -days 999999"; $opt .= " -batch -notext"; $opt .= " -in ${General::swroot}/certs/hostreq.pem"; $opt .= " -out ${General::swroot}/certs/hostcert.pem"; @@ -1443,7 +1413,7 @@ END # Sign the certificate request &General::log("ipsec", "Signing your cert $cgiparams{'NAME'}..."); - my $opt = " ca -days 999999"; + my $opt = " ca -md sha256 -days 999999"; $opt .= " -batch -notext"; $opt .= " -in $filename"; $opt .= " -out ${General::swroot}/certs/$cgiparams{'NAME'}cert.pem"; @@ -1673,12 +1643,12 @@ END (my $city = $cgiparams{'CERT_CITY'}) =~ s/^\s*$/\./; (my $state = $cgiparams{'CERT_STATE'}) =~ s/^\s*$/\./; - # Create the Host certificate request + # Create the Client certificate request &General::log("ipsec", "Creating a cert..."); if (open(STDIN, "-|")) { my $opt = " req -nodes -rand /proc/interrupts:/proc/net/rt_cache"; - $opt .= " -newkey rsa:1024"; + $opt .= " -newkey rsa:2048"; $opt .= " -keyout ${General::swroot}/certs/$cgiparams{'NAME'}key.pem"; $opt .= " -out ${General::swroot}/certs/$cgiparams{'NAME'}req.pem"; @@ -1700,7 +1670,7 @@ END exit (0); } - # Sign the host certificate request + # Sign the client certificate request &General::log("ipsec", "Signing the cert $cgiparams{'NAME'}..."); #No easy way for specifying the contain of subjectAltName without writing a config file... @@ -1709,13 +1679,14 @@ END basicConstraints=CA:FALSE nsComment="OpenSSL Generated Certificate" subjectKeyIdentifier=hash + extendedKeyUsage=clientAuth authorityKeyIdentifier=keyid,issuer:always END ; print $fh "subjectAltName=$cgiparams{'SUBJECTALTNAME'}" if ($cgiparams{'SUBJECTALTNAME'}); close ($fh); - my $opt = " ca -days 999999 -batch -notext"; + my $opt = " ca -md sha256 -days 999999 -batch -notext"; $opt .= " -in ${General::swroot}/certs/$cgiparams{'NAME'}req.pem"; $opt .= " -out ${General::swroot}/certs/$cgiparams{'NAME'}cert.pem"; $opt .= " -extfile $v3extname"; @@ -2148,7 +2119,7 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) || goto ADVANCED_ERROR; } foreach my $val (@temp) { - if ($val !~ /^(sha2_512|sha2_384|sha2_256|sha|md5|aesxcbc)$/) { + if ($val !~ /^(sha2_(512|384|256)|sha|md5|aesxcbc)$/) { $errormessage = $Lang::tr{'invalid input'}; goto ADVANCED_ERROR; } @@ -2189,7 +2160,7 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) || goto ADVANCED_ERROR; } foreach my $val (@temp) { - if ($val !~ /^(sha2_512|sha2_384|sha2_256|sha1|md5|aesxcbc)$/) { + if ($val !~ /^(sha2_(512|384|256)|sha1|md5|aesxcbc)$/) { $errormessage = $Lang::tr{'invalid input'}; goto ADVANCED_ERROR; } @@ -3020,3 +2991,54 @@ END &Header::closebox(); &Header::closebigbox(); &Header::closepage(); + +sub array_unique($) { + my $array = shift; + my @unique = (); + + my %seen = (); + foreach my $e (@$array) { + next if $seen{$e}++; + push(@unique, $e); + } + + return @unique; +} + +sub make_algos($$$$$) { + my ($mode, $encs, $ints, $grps, $pfs) = @_; + my @algos = (); + + foreach my $enc (@$encs) { + foreach my $int (@$ints) { + foreach my $grp (@$grps) { + my @algo = ($enc); + + my $is_aead = ($enc =~ m/[cg]cm/); + if (!$is_aead) { + push(@algo, $int); + } + + if ($mode eq "ike") { + if ($grp =~ m/^e(\d+)/) { + push(@algo, "ecp$1"); + } else { + push(@algo, "modp$grp"); + } + } + + if ($mode eq "esp" && $pfs) { + if ($grp =~ m/^e\d+/) { + push(@algo, $grp); + } else { + push(@algo, "modp$grp"); + } + } + + push(@algos, join("-", @algo)); + } + } + } + + return &array_unique(\@algos); +}