]> git.ipfire.org Git - people/teissler/ipfire-2.x.git/blame - html/cgi-bin/vpnmain.cgi
projects / people / teissler / ipfire-2.x.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
neues Theme hinzugefuegt, geloeschtes icons wieder hinzugefuegt
[people/teissler/ipfire-2.x.git] / html / cgi-bin / vpnmain.cgi
CommitLineData
ac1cfefa 1#!/usr/bin/perl
ac1cfefa
MT		 2
3use Net::DNS;
4use File::Copy;
5use File::Temp qw/ tempfile tempdir /;
6use strict;
7
8# enable only the following on debugging purpose
9#use warnings;
10#use CGI::Carp 'fatalsToBrowser';
11
986e08d9 12require '/var/ipfire/general-functions.pl';
ac1cfefa
MT		 13require "${General::swroot}/lang.pl";
14require "${General::swroot}/header.pl";
ac1cfefa
MT		 15require "${General::swroot}/countries.pl";
16
17#workaround to suppress a warning when a variable is used only once
ed84e8b8 18my @dummy = ( ${Header::colourgreen}, ${Header::colourblue} );
ac1cfefa
MT		 19undef (@dummy);
20
21###
22### Initialize variables
23###
ed84e8b8 24my $sleepDelay = 4; # after a call to ipsecctrl S or R, wait this delay (seconds) before reading status
ac1cfefa
MT		 25 # (let the ipsec do its job)
26my %netsettings=();
ed84e8b8
MT		 27our %cgiparams=();
28our %vpnsettings=();
ac1cfefa
MT		 29my %checked=();
30my %confighash=();
31my %cahash=();
32my %selected=();
33my $warnmessage = '';
34my $errormessage = '';
ed84e8b8 35
ac1cfefa
MT		 36&General::readhash("${General::swroot}/ethernet/settings", \%netsettings);
37$cgiparams{'ENABLED'} = 'off';
ac1cfefa 38$cgiparams{'EDIT_ADVANCED'} = 'off';
ac1cfefa
MT		 39$cgiparams{'ACTION'} = '';
40$cgiparams{'CA_NAME'} = '';
41$cgiparams{'DBG_CRYPT'} = '';
42$cgiparams{'DBG_PARSING'} = '';
43$cgiparams{'DBG_EMITTING'} = '';
44$cgiparams{'DBG_CONTROL'} = '';
45$cgiparams{'DBG_KLIPS'} = '';
46$cgiparams{'DBG_DNS'} = '';
47$cgiparams{'DBG_NAT_T'} = '';
ed84e8b8
MT		 48$cgiparams{'KEY'} = '';
49$cgiparams{'TYPE'} = '';
50$cgiparams{'ADVANCED'} = '';
51$cgiparams{'INTERFACE'} = '';
52$cgiparams{'NAME'} = '';
53$cgiparams{'LOCAL_SUBNET'} = '';
54$cgiparams{'REMOTE_SUBNET'} = '';
55$cgiparams{'REMOTE'} = '';
56$cgiparams{'LOCAL_ID'} = '';
57$cgiparams{'REMOTE_ID'} = '';
58$cgiparams{'REMARK'} = '';
59$cgiparams{'PSK'} = '';
60$cgiparams{'CERT_NAME'} = '';
61$cgiparams{'CERT_EMAIL'} = '';
62$cgiparams{'CERT_OU'} = '';
63$cgiparams{'CERT_ORGANIZATION'} = '';
64$cgiparams{'CERT_CITY'} = '';
65$cgiparams{'CERT_STATE'} = '';
66$cgiparams{'CERT_COUNTRY'} = '';
67$cgiparams{'SUBJECTALTNAME'} = '';
68$cgiparams{'CERT_PASS1'} = '';
69$cgiparams{'CERT_PASS2'} = '';
70$cgiparams{'ROOTCERT_HOSTNAME'} = '';
71$cgiparams{'ROOTCERT_COUNTRY'} = '';
72$cgiparams{'P12_PASS'} = '';
73$cgiparams{'ROOTCERT_ORGANIZATION'} = '';
74$cgiparams{'ROOTCERT_HOSTNAME'} = '';
75$cgiparams{'ROOTCERT_EMAIL'} = '';
76$cgiparams{'ROOTCERT_OU'} = '';
77$cgiparams{'ROOTCERT_CITY'} = '';
78$cgiparams{'ROOTCERT_STATE'} = '';
ac1cfefa
MT		 79
80&Header::getcgihash(\%cgiparams, {'wantfile' => 1, 'filevar' => 'FH'});
81
82###
83### Useful functions
84###
85sub valid_dns_host {
86 my $hostname = $_[0];
87 unless ($hostname) { return "No hostname"};
88 my $res = new Net::DNS::Resolver;
89 my $query = $res->search("$hostname");
90 if ($query) {
91 foreach my $rr ($query->answer) {
92 ## Potential bug - we are only looking at A records:
93 return 0 if $rr->type eq "A";
94 }
95 } else {
96 return $res->errorstring;
97 }
98}
ed84e8b8
MT		 99###
100### Just return true is one interface is vpn enabled
101###
102sub vpnenabled {
5fd30232 103 return ($vpnsettings{'ENABLED'} eq 'on');
ed84e8b8
MT		 104}
105###
106### old version: maintain serial number to one, without explication.
107### this : let the counter go, so that each cert is numbered.
108###
ac1cfefa
MT		 109sub cleanssldatabase
110{
111 if (open(FILE, ">${General::swroot}/certs/serial")) {
112 print FILE "01";
113 close FILE;
114 }
115 if (open(FILE, ">${General::swroot}/certs/index.txt")) {
116 print FILE "";
117 close FILE;
118 }
119 unlink ("${General::swroot}/certs/index.txt.old");
120 unlink ("${General::swroot}/certs/serial.old");
121 unlink ("${General::swroot}/certs/01.pem");
122}
123sub newcleanssldatabase
124{
125 if (! -s "${General::swroot}/certs/serial" ) {
126 open(FILE, ">${General::swroot}/certs/serial");
127 print FILE "01";
128 close FILE;
129 }
130 if (! -s ">${General::swroot}/certs/index.txt") {
131 system ("touch ${General::swroot}/certs/index.txt");
132 }
133 unlink ("${General::swroot}/certs/index.txt.old");
134 unlink ("${General::swroot}/certs/serial.old");
135# unlink ("${General::swroot}/certs/01.pem"); numbering evolves. Wrong place to delete
136}
ed84e8b8
MT		 137
138###
139### Call openssl and return errormessage if any
140###
141sub callssl ($) {
142 my $opt = shift;
143 my $retssl = `/usr/bin/openssl $opt 2>&1`; #redirect stderr
144 my $ret = '';
145 foreach my $line (split (/\n/, $retssl)) {
146 &General::log("ipsec", "$line") if (0); # 1 for verbose logging
147 $ret .= '<br>'.$line if ( $line =~ /error|unknown/ );
148 }
149 if ($ret) {
150 $ret= &Header::cleanhtml($ret);
151 }
152 return $ret ? "$Lang::tr{'openssl produced an error'}: $ret" : '' ;
153}
154###
155### Obtain a CN from given cert
156###
157sub getCNfromcert ($) {
158 #&General::log("ipsec", "Extracting name from $_[0]...");
159 my $temp = `/usr/bin/openssl x509 -text -in $_[0]`;
160 $temp =~ /Subject:.*CN=(.*)[\n]/;
161 $temp = $1;
162 $temp =~ s+/Email+, E+;
163 $temp =~ s/ ST=/ S=/;
164 $temp =~ s/,//g;
165 $temp =~ s/\'//g;
166 return $temp;
167}
168###
169### Obtain Subject from given cert
170###
171sub getsubjectfromcert ($) {
172 #&General::log("ipsec", "Extracting subject from $_[0]...");
173 my $temp = `/usr/bin/openssl x509 -text -in $_[0]`;
174 $temp =~ /Subject: (.*)[\n]/;
175 $temp = $1;
176 $temp =~ s+/Email+, E+;
177 $temp =~ s/ ST=/ S=/;
178 return $temp;
179}
180###
181### Combine local subnet and connection name to make a unique name for each connection section
182### (this sub is not used now)
183###
184sub makeconnname ($) {
185 my $conn = shift;
186 my $subnet = shift;
187
188 $subnet =~ /^(.*?)\/(.*?)$/; # $1=IP $2=mask
189 my $ip = unpack('N', &Socket::inet_aton($1));
190 if (length ($2) > 2) {
191 my $mm = unpack('N', &Socket::inet_aton($2));
192 while ( ($mm & 1)==0 ) {
193 $ip >>= 1;
194 $mm >>= 1;
195 };
196 } else {
197 $ip >>= (32 - $2);
198 }
199 return sprintf ("%s-%X", $conn, $ip);
200}
201###
202### Write a config file.
203###
204###Type=Host : GUI can choose the interface used (RED,GREEN,BLUE) and
205### the side is always defined as 'left'.
206### configihash[14]: 'VHOST' is allowed
207###
ed84e8b8 208
ac1cfefa
MT		 209sub writeipsecfiles {
210 my %lconfighash = ();
211 my %lvpnsettings = ();
212 &General::readhasharray("${General::swroot}/vpn/config", \%lconfighash);
213 &General::readhash("${General::swroot}/vpn/settings", \%lvpnsettings);
214
215 open(CONF, ">${General::swroot}/vpn/ipsec.conf") or die "Unable to open ${General::swroot}/vpn/ipsec.conf: $!";
216 open(SECRETS, ">${General::swroot}/vpn/ipsec.secrets") or die "Unable to open ${General::swroot}/vpn/ipsec.secrets: $!";
217 flock CONF, 2;
218 flock SECRETS, 2;
05207d69 219 print CONF "version 2\n\n";
ac1cfefa 220 print CONF "config setup\n";
ed84e8b8 221 #create an ipsec Interface for each 'enabled' ones
5fd30232 222 #loop trought configuration and add physical interfaces to the list
ed84e8b8 223 my $interfaces = "\tinterfaces=\"";
5fd30232
MT		 224 foreach my $key (keys %lconfighash) {
225 next if ($lconfighash{$key}[0] ne 'on');
226 $interfaces .= "%defaultroute " if ($interfaces !~ /defaultroute/ && $lconfighash{$key}[26] eq 'RED');
227 $interfaces .= "ipsec1=$netsettings{'GREEN_DEV'} " if ($interfaces !~ /ipsec1/ && $lconfighash{$key}[26] eq 'GREEN');
228 $interfaces .= "ipsec2=$netsettings{'BLUE_DEV'} " if ($interfaces !~ /ipsec2/ && $lconfighash{$key}[26] eq 'BLUE');
229 $interfaces .= "ipsec3=$netsettings{'ORANGE_DEV'} " if ($interfaces !~ /ipsec3/ && $lconfighash{$key}[26] eq 'ORANGE');
230 }
ed84e8b8
MT		 231 print CONF $interfaces . "\"\n";
232
ac1cfefa
MT		 233 my $plutodebug = ''; # build debug list
234 map ($plutodebug .= $lvpnsettings{$_} eq 'on' ? lc (substr($_,4)).' ' : '',
235 ('DBG_CRYPT','DBG_PARSING','DBG_EMITTING','DBG_CONTROL',
236 'DBG_KLIPS','DBG_DNS','DBG_NAT_T'));
237 $plutodebug = 'none' if $plutodebug eq ''; # if nothing selected, use 'none'.
ed84e8b8 238 print CONF "\tklipsdebug=\"none\"\n";
ac1cfefa 239 print CONF "\tplutodebug=\"$plutodebug\"\n";
05207d69
MT		 240 # deprecated in ipsec.conf version 2
241 #print CONF "\tplutoload=%search\n";
242 #print CONF "\tplutostart=%search\n";
ac1cfefa
MT		 243 print CONF "\tuniqueids=yes\n";
244 print CONF "\tnat_traversal=yes\n";
245 print CONF "\toverridemtu=$lvpnsettings{'VPN_OVERRIDE_MTU'}\n" if ($lvpnsettings{'VPN_OVERRIDE_MTU'} ne '');
246 print CONF "\tvirtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16";
247 print CONF ",%v4:!$netsettings{'GREEN_NETADDRESS'}/$netsettings{'GREEN_NETMASK'}";
248 if (length($netsettings{'ORANGE_DEV'}) > 2) {
249 print CONF ",%v4:!$netsettings{'ORANGE_NETADDRESS'}/$netsettings{'ORANGE_NETMASK'}";
250 }
251 if (length($netsettings{'BLUE_DEV'}) > 2) {
252 print CONF ",%v4:!$netsettings{'BLUE_NETADDRESS'}/$netsettings{'BLUE_NETMASK'}";
253 }
254 foreach my $key (keys %lconfighash) {
255 if ($lconfighash{$key}[3] eq 'net') {
256 print CONF ",%v4:!$lconfighash{$key}[11]";
257 }
258 }
259 print CONF "\n\n";
260 print CONF "conn %default\n";
261 print CONF "\tkeyingtries=0\n";
262 print CONF "\tdisablearrivalcheck=no\n";
263 print CONF "\n";
264
265 if (-f "${General::swroot}/certs/hostkey.pem") {
266 print SECRETS ": RSA ${General::swroot}/certs/hostkey.pem\n"
267 }
ed84e8b8
MT		 268 my $last_secrets = ''; # old the less specifics connections
269
ac1cfefa 270 foreach my $key (keys %lconfighash) {
ed84e8b8 271 next if ($lconfighash{$key}[0] ne 'on');
ac1cfefa 272
ed84e8b8
MT		 273 #remote peer is not set? => use '%any'
274 $lconfighash{$key}[10] = '%any' if ($lconfighash{$key}[10] eq '');
ac1cfefa 275
5fd30232 276 my $localside;
ed84e8b8 277 if ($lconfighash{$key}[26] eq 'BLUE') {
5fd30232 278 $localside = $netsettings{'BLUE_ADDRESS'};
ed84e8b8 279 } elsif ($lconfighash{$key}[26] eq 'GREEN') {
5fd30232
MT		 280 $localside = $netsettings{'GREEN_ADDRESS'};
281 } elsif ($lconfighash{$key}[26] eq 'ORANGE') {
282 $localside = $netsettings{'ORANGE_ADDRESS'};
283 } else { # it is RED
284 $localside = $lvpnsettings{'VPN_IP'};
ed84e8b8 285 }
ac1cfefa 286
5fd30232
MT		 287 print CONF "conn $lconfighash{$key}[1] #$lconfighash{$key}[26]\n";
288 print CONF "\tleft=$localside\n";
289 print CONF "\tleftnexthop=%defaultroute\n" if ($lconfighash{$key}[26] eq 'RED' && $lvpnsettings{'VPN_IP'} ne '%defaultroute');
290 print CONF "\tleftsubnet=$lconfighash{$key}[8]\n";
291
292 print CONF "\tright=$lconfighash{$key}[10]\n";
ed84e8b8 293 if ($lconfighash{$key}[3] eq 'net') {
5fd30232
MT		 294 print CONF "\trightsubnet=$lconfighash{$key}[11]\n";
295 print CONF "\trightnexthop=%defaultroute\n";
296 } elsif ($lconfighash{$key}[10] eq '%any' && $lconfighash{$key}[14] eq 'on') { #vhost allowed for roadwarriors?
ed84e8b8
MT		 297 print CONF "\trightsubnet=vhost:%no,%priv\n";
298 }
299
300 # Local Cert and Remote Cert (unless auth is DN dn-auth)
301 if ($lconfighash{$key}[4] eq 'cert') {
5fd30232
MT		 302 print CONF "\tleftcert=${General::swroot}/certs/hostcert.pem\n";
303 print CONF "\trightcert=${General::swroot}/certs/$lconfighash{$key}[1]cert.pem\n" if ($lconfighash{$key}[2] ne '%auth-dn');
ed84e8b8
MT		 304 }
305
306 # Local and Remote IDs
5fd30232
MT		 307 print CONF "\tleftid=\"$lconfighash{$key}[7]\"\n" if ($lconfighash{$key}[7]);
308 print CONF "\trightid=\"$lconfighash{$key}[9]\"\n" if ($lconfighash{$key}[9]);
ed84e8b8
MT		 309
310 # Algorithms
311 if ($lconfighash{$key}[18] && $lconfighash{$key}[19] && $lconfighash{$key}[20]) {
312 print CONF "\tike=";
313 my @encs = split('\|', $lconfighash{$key}[18]);
314 my @ints = split('\|', $lconfighash{$key}[19]);
315 my @groups = split('\|', $lconfighash{$key}[20]);
316 my $comma = 0;
317 foreach my $i (@encs) {
318 foreach my $j (@ints) {
319 foreach my $k (@groups) {
320 if ($comma != 0) { print CONF ","; } else { $comma = 1; }
321 print CONF "$i-$j-modp$k";
322 }
323 }
324 }
325 if ($lconfighash{$key}[24] eq 'on') { #only proposed algorythms?
326 print CONF "!\n";
ac1cfefa 327 } else {
ed84e8b8
MT		 328 print CONF "\n";
329 }
330 }
331 if ($lconfighash{$key}[21] && $lconfighash{$key}[22]) {
332 print CONF "\tesp=";
333 my @encs = split('\|', $lconfighash{$key}[21]);
334 my @ints = split('\|', $lconfighash{$key}[22]);
335 my $comma = 0;
336 foreach my $i (@encs) {
337 foreach my $j (@ints) {
338 if ($comma != 0) { print CONF ","; } else { $comma = 1; }
339 print CONF "$i-$j";
340 }
ac1cfefa 341 }
ed84e8b8
MT		 342 if ($lconfighash{$key}[24] eq 'on') { #only proposed algorythms?
343 print CONF "!\n";
344 } else {
345 print CONF "\n";
346 }
347 }
348 if ($lconfighash{$key}[23]) {
349 print CONF "\tpfsgroup=$lconfighash{$key}[23]\n";
350 }
351
352 # Lifetimes
353 print CONF "\tikelifetime=$lconfighash{$key}[16]h\n" if ($lconfighash{$key}[16]);
354 print CONF "\tkeylife=$lconfighash{$key}[17]h\n" if ($lconfighash{$key}[17]);
355
356 # Aggresive mode
357 print CONF "\taggrmode=yes\n" if ($lconfighash{$key}[12] eq 'on');
358
359 # Compression
360 print CONF "\tcompress=yes\n" if ($lconfighash{$key}[13] eq 'on');
361
362 # Dead Peer Detection
363 print CONF "\tdpddelay=30\n";
364 print CONF "\tdpdtimeout=120\n";
365 print CONF "\tdpdaction=$lconfighash{$key}[27]\n";
366
367 # Disable pfs ?
368 print CONF "\tpfs=". ($lconfighash{$key}[28] eq 'on' ? "yes\n" : "no\n");
369
370 # Build Authentication details: LEFTid RIGHTid : PSK psk
371 my $psk_line;
372 if ($lconfighash{$key}[4] eq 'psk') {
ed84e8b8
MT		 373 $psk_line = ($lconfighash{$key}[7] ? $lconfighash{$key}[7] : $localside) . " " ;
374 $psk_line .= $lconfighash{$key}[9] ? $lconfighash{$key}[9] : $lconfighash{$key}[10]; #remoteid or remote address?
375 $psk_line .= " : PSK '$lconfighash{$key}[5]'\n";
376 # if the line contains %any, it is less specific than two IP or ID, so move it at end of file.
377 if ($psk_line =~ /%any/) {
378 $last_secrets .= $psk_line;
ac1cfefa 379 } else {
ed84e8b8 380 print SECRETS $psk_line;
ac1cfefa 381 }
ed84e8b8
MT		 382 print CONF "\tauthby=secret\n";
383 } else {
384 print CONF "\tauthby=rsasig\n";
385 print CONF "\tleftrsasigkey=%cert\n";
386 print CONF "\trightrsasigkey=%cert\n";
387 }
ac1cfefa 388
ed84e8b8
MT		 389 # Automatically start only if a net-to-net connection
390 if ($lconfighash{$key}[3] eq 'host') {
391 print CONF "\tauto=add\n";
392 } else {
393 print CONF "\tauto=start\n";
394 }
395 print CONF "\n";
396 }#foreach key
397 print SECRETS $last_secrets if ($last_secrets);
ac1cfefa
MT		 398 close(CONF);
399 close(SECRETS);
400}
401
402###
403### Save main settings
404###
405if ($cgiparams{'ACTION'} eq $Lang::tr{'save'} && $cgiparams{'TYPE'} eq '' && $cgiparams{'KEY'} eq '') {
406 &General::readhash("${General::swroot}/vpn/settings", \%vpnsettings);
407 unless (&General::validfqdn($cgiparams{'VPN_IP'}) || &General::validip($cgiparams{'VPN_IP'})
408 || $cgiparams{'VPN_IP'} eq '%defaultroute' ) {
409 $errormessage = $Lang::tr{'invalid input for hostname'};
410 goto SAVE_ERROR;
411 }
412
413 unless ($cgiparams{'VPN_DELAYED_START'} =~ /^[0-9]{1,3}$/ ) { #allow 0-999 seconds !
414 $errormessage = $Lang::tr{'invalid time period'};
415 goto SAVE_ERROR;
416 }
417
418 unless ($cgiparams{'VPN_OVERRIDE_MTU'} =~ /^(|[0-9]{1,5})$/ ) { #allow 0-99999
419 $errormessage = $Lang::tr{'vpn mtu invalid'};
420 goto SAVE_ERROR;
421 }
422
ed84e8b8
MT		 423 unless ($cgiparams{'VPN_WATCH'} =~ /^(|off|on)$/ ) {
424 $errormessage = $Lang::tr{'invalid input'};
425 goto SAVE_ERROR;
426 }
427
ac1cfefa 428 map ($vpnsettings{$_} = $cgiparams{$_},
5fd30232 429 ('ENABLED','DBG_CRYPT','DBG_PARSING','DBG_EMITTING','DBG_CONTROL',
ac1cfefa
MT		 430 'DBG_KLIPS','DBG_DNS','DBG_NAT_T'));
431
432 $vpnsettings{'VPN_IP'} = $cgiparams{'VPN_IP'};
433 $vpnsettings{'VPN_DELAYED_START'} = $cgiparams{'VPN_DELAYED_START'};
434 $vpnsettings{'VPN_OVERRIDE_MTU'} = $cgiparams{'VPN_OVERRIDE_MTU'};
ed84e8b8 435 $vpnsettings{'VPN_WATCH'} = $cgiparams{'VPN_WATCH'};
ac1cfefa
MT		 436 &General::writehash("${General::swroot}/vpn/settings", \%vpnsettings);
437 &writeipsecfiles();
ed84e8b8 438 if (&vpnenabled) {
ac1cfefa
MT		 439 system('/usr/local/bin/ipsecctrl', 'S');
440 } else {
441 system('/usr/local/bin/ipsecctrl', 'D');
442 }
443 sleep $sleepDelay;
444 SAVE_ERROR:
445###
446### Reset all step 2
447###
ed84e8b8 448} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'remove x509'} && $cgiparams{'AREUSURE'} eq 'yes') {
ac1cfefa
MT		 449 &General::readhasharray("${General::swroot}/vpn/config", \%confighash);
450
451 foreach my $key (keys %confighash) {
452 if ($confighash{$key}[4] eq 'cert') {
453 delete $confighash{$key};
454 }
455 }
ed84e8b8 456 while (my $file = glob("${General::swroot}/{ca,certs,crls,private}/*")) {
ac1cfefa
MT		 457 unlink $file
458 }
459 &cleanssldatabase();
460 if (open(FILE, ">${General::swroot}/vpn/caconfig")) {
461 print FILE "";
462 close FILE;
463 }
464 &General::writehasharray("${General::swroot}/vpn/config", \%confighash);
465 &writeipsecfiles();
466 system('/usr/local/bin/ipsecctrl', 'R');
467 sleep $sleepDelay;
468
469###
470### Reset all step 1
471###
ed84e8b8 472} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'remove x509'}) {
ac1cfefa
MT		 473 &Header::showhttpheaders();
474 &Header::openpage($Lang::tr{'vpn configuration main'}, 1, '');
ed84e8b8
MT		 475 &Header::openbigbox('100%', 'left', '', '');
476 &Header::openbox('100%', 'left', $Lang::tr{'are you sure'});
ac1cfefa 477 print <<END
ed84e8b8
MT		 478 <form method='post' action='$ENV{'SCRIPT_NAME'}'>
479 <table width='100%'>
480 <tr>
481 <td align='center'>
482 <input type='hidden' name='AREUSURE' value='yes' />
483 <b><font color='${Header::colourred}'>$Lang::tr{'capswarning'}</font></b>:
484 $Lang::tr{'resetting the vpn configuration will remove the root ca, the host certificate and all certificate based connections'}</td>
485 </tr><tr>
486 <td align='center'>
487 <input type='submit' name='ACTION' value='$Lang::tr{'remove x509'}' />
488 <input type='submit' name='ACTION' value='$Lang::tr{'cancel'}' /></td>
489 </tr>
490 </table>
491 </form>
ac1cfefa
MT		 492END
493 ;
494 &Header::closebox();
495 &Header::closebigbox();
496 &Header::closepage();
497 exit (0);
498
499###
500### Upload CA Certificate
501###
502} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'upload ca certificate'}) {
503 &General::readhasharray("${General::swroot}/vpn/caconfig", \%cahash);
504
505 if ($cgiparams{'CA_NAME'} !~ /^[a-zA-Z0-9]+$/) {
506 $errormessage = $Lang::tr{'name must only contain characters'};
507 goto UPLOADCA_ERROR;
508 }
509
510 if (length($cgiparams{'CA_NAME'}) >60) {
511 $errormessage = $Lang::tr{'name too long'};
512 goto VPNCONF_ERROR;
513 }
514
515 if ($cgiparams{'CA_NAME'} eq 'ca') {
516 $errormessage = $Lang::tr{'name is invalid'};
517 goto UPLOAD_CA_ERROR;
518 }
519
520 # Check if there is no other entry with this name
521 foreach my $key (keys %cahash) {
522 if ($cahash{$key}[0] eq $cgiparams{'CA_NAME'}) {
523 $errormessage = $Lang::tr{'a ca certificate with this name already exists'};
524 goto UPLOADCA_ERROR;
525 }
526 }
527
528 if (ref ($cgiparams{'FH'}) ne 'Fh') {
529 $errormessage = $Lang::tr{'there was no file upload'};
530 goto UPLOADCA_ERROR;
531 }
532 # Move uploaded ca to a temporary file
533 (my $fh, my $filename) = tempfile( );
534 if (copy ($cgiparams{'FH'}, $fh) != 1) {
535 $errormessage = $!;
536 goto UPLOADCA_ERROR;
537 }
538 my $temp = `/usr/bin/openssl x509 -text -in $filename`;
539 if ($temp !~ /CA:TRUE/i) {
540 $errormessage = $Lang::tr{'not a valid ca certificate'};
541 unlink ($filename);
542 goto UPLOADCA_ERROR;
543 } else {
544 move($filename, "${General::swroot}/ca/$cgiparams{'CA_NAME'}cert.pem");
545 if ($? ne 0) {
546 $errormessage = "$Lang::tr{'certificate file move failed'}: $!";
547 unlink ($filename);
548 goto UPLOADCA_ERROR;
549 }
550 }
551
ac1cfefa
MT		 552 my $key = &General::findhasharraykey (\%cahash);
553 $cahash{$key}[0] = $cgiparams{'CA_NAME'};
ed84e8b8 554 $cahash{$key}[1] = &Header::cleanhtml(getsubjectfromcert ("${General::swroot}/ca/$cgiparams{'CA_NAME'}cert.pem"));
ac1cfefa
MT		 555 &General::writehasharray("${General::swroot}/vpn/caconfig", \%cahash);
556 system('/usr/local/bin/ipsecctrl', 'R');
557 sleep $sleepDelay;
558
559 UPLOADCA_ERROR:
560
561###
562### Display ca certificate
563###
564} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'show ca certificate'}) {
565 &General::readhasharray("${General::swroot}/vpn/caconfig", \%cahash);
566
567 if ( -f "${General::swroot}/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem") {
568 &Header::showhttpheaders();
569 &Header::openpage($Lang::tr{'vpn configuration main'}, 1, '');
ed84e8b8
MT		 570 &Header::openbigbox('100%', 'left', '', '');
571 &Header::openbox('100%', 'left', "$Lang::tr{'ca certificate'}:");
ac1cfefa
MT		 572 my $output = `/usr/bin/openssl x509 -text -in ${General::swroot}/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem`;
573 $output = &Header::cleanhtml($output,"y");
574 print "<pre>$output</pre>\n";
575 &Header::closebox();
576 print "<div align='center'><a href='/cgi-bin/vpnmain.cgi'>$Lang::tr{'back'}</a></div>";
577 &Header::closebigbox();
578 &Header::closepage();
579 exit(0);
580 } else {
581 $errormessage = $Lang::tr{'invalid key'};
582 }
583
584###
ed84e8b8 585### Export ca certificate to browser
ac1cfefa
MT		 586###
587} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'download ca certificate'}) {
588 &General::readhasharray("${General::swroot}/vpn/caconfig", \%cahash);
589
590 if ( -f "${General::swroot}/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem" ) {
ed84e8b8 591 print "Content-Type: application/force-download\n";
ac1cfefa 592 print "Content-Type: application/octet-stream\r\n";
ed84e8b8 593 print "Content-Disposition: attachment; filename=$cahash{$cgiparams{'KEY'}}[0]cert.pem\r\n\r\n";
ac1cfefa
MT		 594 print `/usr/bin/openssl x509 -in ${General::swroot}/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem`;
595 exit(0);
596 } else {
597 $errormessage = $Lang::tr{'invalid key'};
598 }
599
600###
601### Remove ca certificate (step 2)
602###
603} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'remove ca certificate'} && $cgiparams{'AREUSURE'} eq 'yes') {
604 &General::readhasharray("${General::swroot}/vpn/config", \%confighash);
605 &General::readhasharray("${General::swroot}/vpn/caconfig", \%cahash);
606
607 if ( -f "${General::swroot}/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem" ) {
608 foreach my $key (keys %confighash) {
609 my $test = `/usr/bin/openssl verify -CAfile ${General::swroot}/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem ${General::swroot}/certs/$confighash{$key}[1]cert.pem`;
610 if ($test =~ /: OK/) {
611 # Delete connection
ed84e8b8 612 system('/usr/local/bin/ipsecctrl', 'D', $key) if (&vpnenabled);
ac1cfefa
MT		 613 unlink ("${General::swroot}/certs/$confighash{$key}[1]cert.pem");
614 unlink ("${General::swroot}/certs/$confighash{$key}[1].p12");
615 delete $confighash{$key};
616 &General::writehasharray("${General::swroot}/vpn/config", \%confighash);
617 &writeipsecfiles();
618 }
619 }
620 unlink ("${General::swroot}/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem");
621 delete $cahash{$cgiparams{'KEY'}};
622 &General::writehasharray("${General::swroot}/vpn/caconfig", \%cahash);
623 system('/usr/local/bin/ipsecctrl', 'R');
624 sleep $sleepDelay;
625 } else {
626 $errormessage = $Lang::tr{'invalid key'};
627 }
628###
629### Remove ca certificate (step 1)
630###
631} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'remove ca certificate'}) {
632 &General::readhasharray("${General::swroot}/vpn/config", \%confighash);
633 &General::readhasharray("${General::swroot}/vpn/caconfig", \%cahash);
634
635 my $assignedcerts = 0;
636 if ( -f "${General::swroot}/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem" ) {
637 foreach my $key (keys %confighash) {
638 my $test = `/usr/bin/openssl verify -CAfile ${General::swroot}/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem ${General::swroot}/certs/$confighash{$key}[1]cert.pem`;
639 if ($test =~ /: OK/) {
640 $assignedcerts++;
641 }
642 }
643 if ($assignedcerts) {
644 &Header::showhttpheaders();
645 &Header::openpage($Lang::tr{'vpn configuration main'}, 1, '');
ed84e8b8
MT		 646 &Header::openbigbox('100%', 'left', '', '');
647 &Header::openbox('100%', 'left', $Lang::tr{'are you sure'});
ac1cfefa 648 print <<END
ed84e8b8
MT		 649 <form method='post' action='$ENV{'SCRIPT_NAME'}'>
650 <table width='100%'>
651 <tr>
652 <td align='center'>
653 <input type='hidden' name='KEY' value='$cgiparams{'KEY'}' />
654 <input type='hidden' name='AREUSURE' value='yes' /></td>
655 </tr><tr>
656 <td align='center'>
657 <b><font color='${Header::colourred}'>$Lang::tr{'capswarning'}</font></b>
658 $Lang::tr{'connections are associated with this ca. deleting the ca will delete these connections as well.'}</td>
659 </tr><tr>
660 <td align='center'>
661 <input type='submit' name='ACTION' value='$Lang::tr{'remove ca certificate'}' />
662 <input type='submit' name='ACTION' value='$Lang::tr{'cancel'}' /></td>
663 </tr>
664 </table>
665 </form>
ac1cfefa
MT		 666END
667 ;
668 &Header::closebox();
669 &Header::closebigbox();
670 &Header::closepage();
671 exit (0);
672 } else {
673 unlink ("${General::swroot}/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem");
674 delete $cahash{$cgiparams{'KEY'}};
675 &General::writehasharray("${General::swroot}/vpn/caconfig", \%cahash);
676 system('/usr/local/bin/ipsecctrl', 'R');
677 sleep $sleepDelay;
678 }
679 } else {
680 $errormessage = $Lang::tr{'invalid key'};
681 }
682
683###
684### Display root certificate
685###
686} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'show root certificate'} ||
687 $cgiparams{'ACTION'} eq $Lang::tr{'show host certificate'}) {
688 my $output;
689 &Header::showhttpheaders();
690 &Header::openpage($Lang::tr{'vpn configuration main'}, 1, '');
ed84e8b8 691 &Header::openbigbox('100%', 'left', '', '');
ac1cfefa 692 if ($cgiparams{'ACTION'} eq $Lang::tr{'show root certificate'}) {
ed84e8b8 693 &Header::openbox('100%', 'left', "$Lang::tr{'root certificate'}:");
ac1cfefa
MT		 694 $output = `/usr/bin/openssl x509 -text -in ${General::swroot}/ca/cacert.pem`;
695 } else {
ed84e8b8 696 &Header::openbox('100%', 'left', "$Lang::tr{'host certificate'}:");
ac1cfefa
MT		 697 $output = `/usr/bin/openssl x509 -text -in ${General::swroot}/certs/hostcert.pem`;
698 }
699 $output = &Header::cleanhtml($output,"y");
700 print "<pre>$output</pre>\n";
701 &Header::closebox();
702 print "<div align='center'><a href='/cgi-bin/vpnmain.cgi'>$Lang::tr{'back'}</a></div>";
703 &Header::closebigbox();
704 &Header::closepage();
705 exit(0);
706
707###
ed84e8b8 708### Export root certificate to browser
ac1cfefa
MT		 709###
710} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'download root certificate'}) {
711 if ( -f "${General::swroot}/ca/cacert.pem" ) {
ed84e8b8
MT		 712 print "Content-Type: application/force-download\n";
713 print "Content-Disposition: attachment; filename=cacert.pem\r\n\r\n";
ac1cfefa
MT		 714 print `/usr/bin/openssl x509 -in ${General::swroot}/ca/cacert.pem`;
715 exit(0);
716 }
717###
ed84e8b8 718### Export host certificate to browser
ac1cfefa
MT		 719###
720} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'download host certificate'}) {
721 if ( -f "${General::swroot}/certs/hostcert.pem" ) {
ed84e8b8
MT		 722 print "Content-Type: application/force-download\n";
723 print "Content-Disposition: attachment; filename=hostcert.pem\r\n\r\n";
ac1cfefa
MT		 724 print `/usr/bin/openssl x509 -in ${General::swroot}/certs/hostcert.pem`;
725 exit(0);
726 }
727###
ed84e8b8 728### Form for generating/importing the caroot+host certificate
ac1cfefa
MT		 729###
730} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'generate root/host certificates'} ||
731 $cgiparams{'ACTION'} eq $Lang::tr{'upload p12 file'}) {
732
ac1cfefa
MT		 733 if (-f "${General::swroot}/ca/cacert.pem") {
734 $errormessage = $Lang::tr{'valid root certificate already exists'};
ed84e8b8 735 goto ROOTCERT_SKIP;
ac1cfefa
MT		 736 }
737
ed84e8b8
MT		 738 &General::readhash("${General::swroot}/vpn/settings", \%vpnsettings);
739 # fill in initial values
740 if ($cgiparams{'ROOTCERT_HOSTNAME'} eq '') {
741 if (-e "${General::swroot}/red/active" && open(IPADDR, "${General::swroot}/red/local-ipaddress")) {
ac1cfefa
MT		 742 my $ipaddr = <IPADDR>;
743 close IPADDR;
744 chomp ($ipaddr);
745 $cgiparams{'ROOTCERT_HOSTNAME'} = (gethostbyaddr(pack("C4", split(/\./, $ipaddr)), 2))[0];
746 if ($cgiparams{'ROOTCERT_HOSTNAME'} eq '') {
747 $cgiparams{'ROOTCERT_HOSTNAME'} = $ipaddr;
748 }
749 }
ed84e8b8 750 $cgiparams{'ROOTCERT_COUNTRY'} = $vpnsettings{'ROOTCERT_COUNTRY'} if (!$cgiparams{'ROOTCERT_COUNTRY'});
ac1cfefa 751 } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'upload p12 file'}) {
ed84e8b8 752 &General::log("ipsec", "Importing from p12...");
ac1cfefa
MT		 753
754 if (ref ($cgiparams{'FH'}) ne 'Fh') {
755 $errormessage = $Lang::tr{'there was no file upload'};
756 goto ROOTCERT_ERROR;
757 }
758
759 # Move uploaded certificate request to a temporary file
760 (my $fh, my $filename) = tempfile( );
761 if (copy ($cgiparams{'FH'}, $fh) != 1) {
762 $errormessage = $!;
763 goto ROOTCERT_ERROR;
764 }
765
ac1cfefa 766 # Extract the CA certificate from the file
ed84e8b8
MT		 767 &General::log("ipsec", "Extracting caroot from p12...");
768 if (open(STDIN, "-|")) {
769 my $opt = " pkcs12 -cacerts -nokeys";
770 $opt .= " -in $filename";
771 $opt .= " -out /tmp/newcacert";
772 $errormessage = &callssl ($opt);
773 } else { #child
774 print "$cgiparams{'P12_PASS'}\n";
775 exit (0);
ac1cfefa
MT		 776 }
777
ed84e8b8
MT		 778 # Extract the Host certificate from the file
779 if (!$errormessage) {
780 &General::log("ipsec", "Extracting host cert from p12...");
781 if (open(STDIN, "-|")) {
782 my $opt = " pkcs12 -clcerts -nokeys";
783 $opt .= " -in $filename";
784 $opt .= " -out /tmp/newhostcert";
785 $errormessage = &callssl ($opt);
786 } else { #child
787 print "$cgiparams{'P12_PASS'}\n";
788 exit (0);
ac1cfefa
MT		 789 }
790 }
791
792 # Extract the Host key from the file
ed84e8b8
MT		 793 if (!$errormessage) {
794 &General::log("ipsec", "Extracting private key from p12...");
795 if (open(STDIN, "-|")) {
796 my $opt = " pkcs12 -nocerts -nodes";
797 $opt .= " -in $filename";
798 $opt .= " -out /tmp/newhostkey";
799 $errormessage = &callssl ($opt);
800 } else { #child
801 print "$cgiparams{'P12_PASS'}\n";
802 exit (0);
803 }
804 }
805
806 if (!$errormessage) {
807 &General::log("ipsec", "Moving cacert...");
808 move("/tmp/newcacert", "${General::swroot}/ca/cacert.pem");
809 $errormessage = "$Lang::tr{'certificate file move failed'}: $!" if ($? ne 0);
810 }
811
812 if (!$errormessage) {
813 &General::log("ipsec", "Moving host cert...");
814 move("/tmp/newhostcert", "${General::swroot}/certs/hostcert.pem");
815 $errormessage = "$Lang::tr{'certificate file move failed'}: $!" if ($? ne 0);
ac1cfefa
MT		 816 }
817
ed84e8b8
MT		 818 if (!$errormessage) {
819 &General::log("ipsec", "Moving private key...");
820 move("/tmp/newhostkey", "${General::swroot}/certs/hostkey.pem");
821 $errormessage = "$Lang::tr{'certificate file move failed'}: $!" if ($? ne 0);
ac1cfefa 822 }
ed84e8b8
MT		 823
824 #cleanup temp files
825 unlink ($filename);
826 unlink ('/tmp/newcacert');
827 unlink ('/tmp/newhostcert');
828 unlink ('/tmp/newhostkey');
829 if ($errormessage) {
ac1cfefa
MT		 830 unlink ("${General::swroot}/ca/cacert.pem");
831 unlink ("${General::swroot}/certs/hostcert.pem");
832 unlink ("${General::swroot}/certs/hostkey.pem");
833 goto ROOTCERT_ERROR;
ac1cfefa
MT		 834 }
835
ed84e8b8
MT		 836 # Create empty CRL cannot be done because we don't have
837 # the private key for this CAROOT
5fd30232 838 # IPFire can only import certificates
ed84e8b8
MT		 839
840 &General::log("ipsec", "p12 import completed!");
841 &cleanssldatabase();
ac1cfefa
MT		 842 goto ROOTCERT_SUCCESS;
843
844 } elsif ($cgiparams{'ROOTCERT_COUNTRY'} ne '') {
845
846 # Validate input since the form was submitted
847 if ($cgiparams{'ROOTCERT_ORGANIZATION'} eq ''){
848 $errormessage = $Lang::tr{'organization cant be empty'};
849 goto ROOTCERT_ERROR;
850 }
851 if (length($cgiparams{'ROOTCERT_ORGANIZATION'}) >60) {
852 $errormessage = $Lang::tr{'organization too long'};
853 goto ROOTCERT_ERROR;
854 }
855 if ($cgiparams{'ROOTCERT_ORGANIZATION'} !~ /^[a-zA-Z0-9 ,\.\-_]*$/) {
856 $errormessage = $Lang::tr{'invalid input for organization'};
857 goto ROOTCERT_ERROR;
858 }
859 if ($cgiparams{'ROOTCERT_HOSTNAME'} eq ''){
860 $errormessage = $Lang::tr{'hostname cant be empty'};
861 goto ROOTCERT_ERROR;
862 }
863 unless (&General::validfqdn($cgiparams{'ROOTCERT_HOSTNAME'}) || &General::validip($cgiparams{'ROOTCERT_HOSTNAME'})) {
864 $errormessage = $Lang::tr{'invalid input for hostname'};
865 goto ROOTCERT_ERROR;
866 }
867 if ($cgiparams{'ROOTCERT_EMAIL'} ne '' && (! &General::validemail($cgiparams{'ROOTCERT_EMAIL'}))) {
868 $errormessage = $Lang::tr{'invalid input for e-mail address'};
869 goto ROOTCERT_ERROR;
870 }
871 if (length($cgiparams{'ROOTCERT_EMAIL'}) > 40) {
872 $errormessage = $Lang::tr{'e-mail address too long'};
873 goto ROOTCERT_ERROR;
874 }
875 if ($cgiparams{'ROOTCERT_OU'} ne '' && $cgiparams{'ROOTCERT_OU'} !~ /^[a-zA-Z0-9 ,\.\-_]*$/) {
876 $errormessage = $Lang::tr{'invalid input for department'};
877 goto ROOTCERT_ERROR;
878 }
879 if ($cgiparams{'ROOTCERT_CITY'} ne '' && $cgiparams{'ROOTCERT_CITY'} !~ /^[a-zA-Z0-9 ,\.\-_]*$/) {
880 $errormessage = $Lang::tr{'invalid input for city'};
881 goto ROOTCERT_ERROR;
882 }
883 if ($cgiparams{'ROOTCERT_STATE'} ne '' && $cgiparams{'ROOTCERT_STATE'} !~ /^[a-zA-Z0-9 ,\.\-_]*$/) {
884 $errormessage = $Lang::tr{'invalid input for state or province'};
885 goto ROOTCERT_ERROR;
886 }
887 if ($cgiparams{'ROOTCERT_COUNTRY'} !~ /^[A-Z]*$/) {
888 $errormessage = $Lang::tr{'invalid input for country'};
889 goto ROOTCERT_ERROR;
890 }
ed84e8b8
MT		 891 #the exact syntax is a list comma separated of
892 # email:any-validemail
893 # URI: a uniform resource indicator
894 # DNS: a DNS domain name
895 # RID: a registered OBJECT IDENTIFIER
896 # IP: an IP address
897 # example: email:franck@foo.com,IP:10.0.0.10,DNS:franck.foo.com
898
899 if ($cgiparams{'SUBJECTALTNAME'} ne '' && $cgiparams{'SUBJECTALTNAME'} !~ /^(email|URI|DNS|RID|IP):[a-zA-Z0-9 :\/,\.\-_@]*$/) {
900 $errormessage = $Lang::tr{'vpn altname syntax'};
901 goto VPNCONF_ERROR;
902 }
ac1cfefa
MT		 903
904 # Copy the cgisettings to vpnsettings and save the configfile
905 $vpnsettings{'ROOTCERT_ORGANIZATION'} = $cgiparams{'ROOTCERT_ORGANIZATION'};
906 $vpnsettings{'ROOTCERT_HOSTNAME'} = $cgiparams{'ROOTCERT_HOSTNAME'};
907 $vpnsettings{'ROOTCERT_EMAIL'} = $cgiparams{'ROOTCERT_EMAIL'};
908 $vpnsettings{'ROOTCERT_OU'} = $cgiparams{'ROOTCERT_OU'};
909 $vpnsettings{'ROOTCERT_CITY'} = $cgiparams{'ROOTCERT_CITY'};
910 $vpnsettings{'ROOTCERT_STATE'} = $cgiparams{'ROOTCERT_STATE'};
911 $vpnsettings{'ROOTCERT_COUNTRY'} = $cgiparams{'ROOTCERT_COUNTRY'};
912 &General::writehash("${General::swroot}/vpn/settings", \%vpnsettings);
913
914 # Replace empty strings with a .
915 (my $ou = $cgiparams{'ROOTCERT_OU'}) =~ s/^\s*$/\./;
916 (my $city = $cgiparams{'ROOTCERT_CITY'}) =~ s/^\s*$/\./;
917 (my $state = $cgiparams{'ROOTCERT_STATE'}) =~ s/^\s*$/\./;
918
919 # Create the CA certificate
ed84e8b8
MT		 920 if (!$errormessage) {
921 &General::log("ipsec", "Creating cacert...");
922 if (open(STDIN, "-|")) {
923 my $opt = " req -x509 -nodes -rand /proc/interrupts:/proc/net/rt_cache";
924 $opt .= " -days 999999";
925 $opt .= " -newkey rsa:2048";
926 $opt .= " -keyout ${General::swroot}/private/cakey.pem";
927 $opt .= " -out ${General::swroot}/ca/cacert.pem";
928
929 $errormessage = &callssl ($opt);
930 } else { #child
931 print "$cgiparams{'ROOTCERT_COUNTRY'}\n";
932 print "$state\n";
933 print "$city\n";
934 print "$cgiparams{'ROOTCERT_ORGANIZATION'}\n";
935 print "$ou\n";
936 print "$cgiparams{'ROOTCERT_ORGANIZATION'} CA\n";
937 print "$cgiparams{'ROOTCERT_EMAIL'}\n";
938 exit (0);
ac1cfefa
MT		 939 }
940 }
941
942 # Create the Host certificate request
ed84e8b8
MT		 943 if (!$errormessage) {
944 &General::log("ipsec", "Creating host cert...");
945 if (open(STDIN, "-|")) {
946 my $opt = " req -nodes -rand /proc/interrupts:/proc/net/rt_cache";
947 $opt .= " -newkey rsa:1024";
948 $opt .= " -keyout ${General::swroot}/certs/hostkey.pem";
949 $opt .= " -out ${General::swroot}/certs/hostreq.pem";
950 $errormessage = &callssl ($opt);
951 } else { #child
952 print "$cgiparams{'ROOTCERT_COUNTRY'}\n";
953 print "$state\n";
954 print "$city\n";
955 print "$cgiparams{'ROOTCERT_ORGANIZATION'}\n";
956 print "$ou\n";
957 print "$cgiparams{'ROOTCERT_HOSTNAME'}\n";
958 print "$cgiparams{'ROOTCERT_EMAIL'}\n";
959 print ".\n";
960 print ".\n";
961 exit (0);
ac1cfefa
MT		 962 }
963 }
ed84e8b8 964
ac1cfefa 965 # Sign the host certificate request
ed84e8b8
MT		 966 if (!$errormessage) {
967 &General::log("ipsec", "Self signing host cert...");
968
969 #No easy way for specifying the contain of subjectAltName without writing a config file...
970 my ($fh, $v3extname) = tempfile ('/tmp/XXXXXXXX');
971 print $fh <<END
972 basicConstraints=CA:FALSE
973 nsComment="OpenSSL Generated Certificate"
974 subjectKeyIdentifier=hash
975 authorityKeyIdentifier=keyid,issuer:always
976END
977;
978 print $fh "subjectAltName=$cgiparams{'SUBJECTALTNAME'}" if ($cgiparams{'SUBJECTALTNAME'});
979 close ($fh);
980
981 my $opt = " ca -days 999999";
982 $opt .= " -batch -notext";
983 $opt .= " -in ${General::swroot}/certs/hostreq.pem";
984 $opt .= " -out ${General::swroot}/certs/hostcert.pem";
985 $opt .= " -extfile $v3extname";
986 $errormessage = &callssl ($opt);
987 unlink ("${General::swroot}/certs/hostreq.pem"); #no more needed
988 unlink ($v3extname);
ac1cfefa
MT		 989 }
990
991 # Create an empty CRL
ed84e8b8
MT		 992 if (!$errormessage) {
993 &General::log("ipsec", "Creating emptycrl...");
994 my $opt = " ca -gencrl";
995 $opt .= " -out ${General::swroot}/crls/cacrl.pem";
996 $errormessage = &callssl ($opt);
997 }
998
999 # Successfully build CA / CERT!
1000 if (!$errormessage) {
ac1cfefa 1001 &cleanssldatabase();
ed84e8b8 1002 goto ROOTCERT_SUCCESS;
ac1cfefa 1003 }
ed84e8b8
MT		 1004
1005 #Cleanup
1006 unlink ("${General::swroot}/ca/cacert.pem");
1007 unlink ("${General::swroot}/certs/hostkey.pem");
1008 unlink ("${General::swroot}/certs/hostcert.pem");
1009 unlink ("${General::swroot}/crls/cacrl.pem");
1010 &cleanssldatabase();
ac1cfefa 1011 }
ed84e8b8 1012
ac1cfefa 1013 ROOTCERT_ERROR:
ed84e8b8
MT		 1014 &Header::showhttpheaders();
1015 &Header::openpage($Lang::tr{'vpn configuration main'}, 1, '');
1016 &Header::openbigbox('100%', 'left', '', $errormessage);
1017 if ($errormessage) {
1018 &Header::openbox('100%', 'left', $Lang::tr{'error messages'});
1019 print "<class name='base'>$errormessage";
1020 print "&nbsp;</class>";
1021 &Header::closebox();
1022 }
1023 &Header::openbox('100%', 'left', "$Lang::tr{'generate root/host certificates'}:");
1024 print <<END
1025 <form method='post' enctype='multipart/form-data' action='$ENV{'SCRIPT_NAME'}'>
1026 <table width='100%' border='0' cellspacing='1' cellpadding='0'>
1027 <tr><td width='40%' class='base'>$Lang::tr{'organization name'}:</td>
1028 <td width='60%' class='base' nowrap='nowrap'><input type='text' name='ROOTCERT_ORGANIZATION' value='$cgiparams{'ROOTCERT_ORGANIZATION'}' size='32' /></td></tr>
5fd30232 1029 <tr><td class='base'>$Lang::tr{'IPFires hostname'}:</td>
ed84e8b8
MT		 1030 <td class='base' nowrap='nowrap'><input type='text' name='ROOTCERT_HOSTNAME' value='$cgiparams{'ROOTCERT_HOSTNAME'}' size='32' /></td></tr>
1031 <tr><td class='base'>$Lang::tr{'your e-mail'}:&nbsp;<img src='/blob.gif' alt='*' /></td>
1032 <td class='base' nowrap='nowrap'><input type='text' name='ROOTCERT_EMAIL' value='$cgiparams{'ROOTCERT_EMAIL'}' size='32' /></td></tr>
1033 <tr><td class='base'>$Lang::tr{'your department'}:&nbsp;<img src='/blob.gif' alt='*' /></td>
1034 <td class='base' nowrap='nowrap'><input type='text' name='ROOTCERT_OU' value='$cgiparams{'ROOTCERT_OU'}' size='32' /></td></tr>
1035 <tr><td class='base'>$Lang::tr{'city'}:&nbsp;<img src='/blob.gif' alt='*' /></td>
1036 <td class='base' nowrap='nowrap'><input type='text' name='ROOTCERT_CITY' value='$cgiparams{'ROOTCERT_CITY'}' size='32' /></td></tr>
1037 <tr><td class='base'>$Lang::tr{'state or province'}:&nbsp;<img src='/blob.gif' alt='*' /></td>
1038 <td class='base' nowrap='nowrap'><input type='text' name='ROOTCERT_STATE' value='$cgiparams{'ROOTCERT_STATE'}' size='32' /></td></tr>
1039 <tr><td class='base'>$Lang::tr{'country'}:</td>
1040 <td class='base'><select name='ROOTCERT_COUNTRY'>
ac1cfefa 1041END
ed84e8b8
MT		 1042 ;
1043 foreach my $country (sort keys %{Countries::countries}) {
1044 print "<option value='$Countries::countries{$country}'";
1045 if ( $Countries::countries{$country} eq $cgiparams{'ROOTCERT_COUNTRY'} ) {
1046 print " selected='selected'";
1047 }
1048 print ">$country</option>";
ac1cfefa 1049 }
ed84e8b8
MT		 1050 print <<END
1051 </select></td></tr>
1052 <tr><td class='base'>$Lang::tr{'vpn subjectaltname'} (subjectAltName=email:*,URI:*,DNS:*,RID:*) <img src='/blob.gif' alt='*' /></td>
1053 <td class='base' nowrap='nowrap'><input type='text' name='SUBJECTALTNAME' value='$cgiparams{'SUBJECTALTNAME'}' size='32' /></td></tr>
1054 <tr><td>&nbsp;</td>
1055 <td><br /><input type='submit' name='ACTION' value='$Lang::tr{'generate root/host certificates'}' /><br /><br /></td></tr>
1056 <tr><td class='base' colspan='2' align='left'>
1057 <b><font color='${Header::colourred}'>$Lang::tr{'capswarning'}</font></b>:
1058 $Lang::tr{'generating the root and host certificates may take a long time. it can take up to several minutes on older hardware. please be patient'}
1059 </td></tr>
1060 <tr><td colspan='2'><hr /></td></tr>
1061 <tr><td class='base' nowrap='nowrap'>$Lang::tr{'upload p12 file'}:</td>
1062 <td nowrap='nowrap'><input type='file' name='FH' size='32' /></td></tr>
1063 <tr><td class='base'>$Lang::tr{'pkcs12 file password'}:&nbsp;<img src='/blob.gif' alt='*' /></td>
1064 <td class='base' nowrap='nowrap'><input type='password' name='P12_PASS' value='$cgiparams{'P12_PASS'}' size='32' /></td></tr>
1065 <tr><td>&nbsp;</td>
1066 <td><input type='submit' name='ACTION' value='$Lang::tr{'upload p12 file'}' /></td></tr>
1067 <tr><td class='base' colspan='2' align='left'>
1068 <img src='/blob.gif' alt='*' />&nbsp;$Lang::tr{'this field may be blank'}</td></tr>
1069 </table></form>
1070END
1071 ;
1072 &Header::closebox();
1073 &Header::closebigbox();
1074 &Header::closepage();
1075 exit(0);
ac1cfefa
MT		 1076
1077 ROOTCERT_SUCCESS:
ed84e8b8 1078 if (&vpnenabled) {
ac1cfefa
MT		 1079 system('/usr/local/bin/ipsecctrl', 'S');
1080 sleep $sleepDelay;
1081 }
ed84e8b8 1082 ROOTCERT_SKIP:
ac1cfefa 1083###
ed84e8b8 1084### Export PKCS12 file to browser
ac1cfefa
MT		 1085###
1086} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'download pkcs12 file'}) {
1087 &General::readhasharray("${General::swroot}/vpn/config", \%confighash);
ed84e8b8
MT		 1088 print "Content-Type: application/force-download\n";
1089 print "Content-Disposition: attachment; filename=" . $confighash{$cgiparams{'KEY'}}[1] . ".p12\r\n";
ac1cfefa
MT		 1090 print "Content-Type: application/octet-stream\r\n\r\n";
1091 print `/bin/cat ${General::swroot}/certs/$confighash{$cgiparams{'KEY'}}[1].p12`;
1092 exit (0);
1093
1094###
1095### Display certificate
1096###
1097} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'show certificate'}) {
1098 &General::readhasharray("${General::swroot}/vpn/config", \%confighash);
1099
1100 if ( -f "${General::swroot}/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem") {
1101 &Header::showhttpheaders();
1102 &Header::openpage($Lang::tr{'vpn configuration main'}, 1, '');
ed84e8b8
MT		 1103 &Header::openbigbox('100%', 'left', '', '');
1104 &Header::openbox('100%', 'left', "$Lang::tr{'cert'}:");
ac1cfefa
MT		 1105 my $output = `/usr/bin/openssl x509 -text -in ${General::swroot}/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem`;
1106 $output = &Header::cleanhtml($output,"y");
1107 print "<pre>$output</pre>\n";
1108 &Header::closebox();
1109 print "<div align='center'><a href='/cgi-bin/vpnmain.cgi'>$Lang::tr{'back'}</a></div>";
1110 &Header::closebigbox();
1111 &Header::closepage();
1112 exit(0);
1113 }
1114
1115###
ed84e8b8 1116### Export Certificate to browser
ac1cfefa
MT		 1117###
1118} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'download certificate'}) {
1119 &General::readhasharray("${General::swroot}/vpn/config", \%confighash);
1120
1121 if ( -f "${General::swroot}/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem") {
ed84e8b8
MT		 1122 print "Content-Type: application/force-download\n";
1123 print "Content-Disposition: attachment; filename=" . $confighash{$cgiparams{'KEY'}}[1] . "cert.pem\n\n";
ac1cfefa
MT		 1124 print `/bin/cat ${General::swroot}/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem`;
1125 exit (0);
1126 }
1127
1128###
1129### Enable/Disable connection
1130###
1131} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'toggle enable disable'}) {
1132
1133 &General::readhash("${General::swroot}/vpn/settings", \%vpnsettings);
1134 &General::readhasharray("${General::swroot}/vpn/config", \%confighash);
1135
1136 if ($confighash{$cgiparams{'KEY'}}) {
1137 if ($confighash{$cgiparams{'KEY'}}[0] eq 'off') {
1138 $confighash{$cgiparams{'KEY'}}[0] = 'on';
1139 &General::writehasharray("${General::swroot}/vpn/config", \%confighash);
1140 &writeipsecfiles();
ed84e8b8 1141 system('/usr/local/bin/ipsecctrl', 'S', $cgiparams{'KEY'}) if (&vpnenabled);
ac1cfefa 1142 } else {
5fd30232 1143 system('/usr/local/bin/ipsecctrl', 'D', $cgiparams{'KEY'}) if (&vpnenabled);
ac1cfefa 1144 $confighash{$cgiparams{'KEY'}}[0] = 'off';
ac1cfefa
MT		 1145 &General::writehasharray("${General::swroot}/vpn/config", \%confighash);
1146 &writeipsecfiles();
1147 }
ed84e8b8 1148 sleep $sleepDelay;
ac1cfefa
MT		 1149 } else {
1150 $errormessage = $Lang::tr{'invalid key'};
1151 }
1152
1153###
1154### Restart connection
1155###
1156} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'restart'}) {
1157 &General::readhash("${General::swroot}/vpn/settings", \%vpnsettings);
1158 &General::readhasharray("${General::swroot}/vpn/config", \%confighash);
1159
1160 if ($confighash{$cgiparams{'KEY'}}) {
ed84e8b8 1161 if (&vpnenabled) {
ac1cfefa
MT		 1162 system('/usr/local/bin/ipsecctrl', 'S', $cgiparams{'KEY'});
1163 sleep $sleepDelay;
1164 }
1165 } else {
1166 $errormessage = $Lang::tr{'invalid key'};
1167 }
1168
1169###
1170### Remove connection
1171###
1172} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'remove'}) {
1173 &General::readhash("${General::swroot}/vpn/settings", \%vpnsettings);
1174 &General::readhasharray("${General::swroot}/vpn/config", \%confighash);
1175
1176 if ($confighash{$cgiparams{'KEY'}}) {
ed84e8b8 1177 system('/usr/local/bin/ipsecctrl', 'D', $cgiparams{'KEY'}) if (&vpnenabled);
ac1cfefa
MT		 1178 unlink ("${General::swroot}/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem");
1179 unlink ("${General::swroot}/certs/$confighash{$cgiparams{'KEY'}}[1].p12");
1180 delete $confighash{$cgiparams{'KEY'}};
1181 &General::writehasharray("${General::swroot}/vpn/config", \%confighash);
1182 &writeipsecfiles();
1183 } else {
1184 $errormessage = $Lang::tr{'invalid key'};
1185 }
1186
1187###
1188### Choose between adding a host-net or net-net connection
1189###
1190} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'add'} && $cgiparams{'TYPE'} eq '') {
ac1cfefa
MT		 1191 &Header::showhttpheaders();
1192 &Header::openpage($Lang::tr{'vpn configuration main'}, 1, '');
ed84e8b8
MT		 1193 &Header::openbigbox('100%', 'left', '', '');
1194 &Header::openbox('100%', 'left', $Lang::tr{'connection type'});
ac1cfefa 1195 print <<END
ed84e8b8 1196 <form method='post' action='$ENV{'SCRIPT_NAME'}'>
ac1cfefa 1197 <b>$Lang::tr{'connection type'}:</b><br />
ed84e8b8
MT		 1198 <table>
1199 <tr><td><input type='radio' name='TYPE' value='host' checked='checked' /></td>
1200 <td class='base'>$Lang::tr{'host to net vpn'}</td>
1201 </tr><tr>
1202 <td><input type='radio' name='TYPE' value='net' /></td>
1203 <td class='base'>$Lang::tr{'net to net vpn'}</td>
1204 </tr><tr>
1205 <td align='center' colspan='2'><input type='submit' name='ACTION' value='$Lang::tr{'add'}' /></td>
1206 </tr>
1207 </table></form>
ac1cfefa
MT		 1208END
1209 ;
1210 &Header::closebox();
1211 &Header::closebigbox();
1212 &Header::closepage();
1213 exit (0);
1214###
ed84e8b8 1215### Adding/Editing/Saving a connection
ac1cfefa
MT		 1216###
1217} elsif (($cgiparams{'ACTION'} eq $Lang::tr{'add'}) ||
1218 ($cgiparams{'ACTION'} eq $Lang::tr{'edit'}) ||
1219 ($cgiparams{'ACTION'} eq $Lang::tr{'save'} && $cgiparams{'ADVANCED'} eq '')) {
1220
1221 &General::readhash("${General::swroot}/vpn/settings", \%vpnsettings);
1222 &General::readhasharray("${General::swroot}/vpn/caconfig", \%cahash);
1223 &General::readhasharray("${General::swroot}/vpn/config", \%confighash);
1224
1225 if ($cgiparams{'ACTION'} eq $Lang::tr{'edit'}) {
1226 if (! $confighash{$cgiparams{'KEY'}}[0]) {
1227 $errormessage = $Lang::tr{'invalid key'};
1228 goto VPNCONF_END;
1229 }
ed84e8b8
MT		 1230 $cgiparams{'ENABLED'} = $confighash{$cgiparams{'KEY'}}[0];
1231 $cgiparams{'NAME'} = $confighash{$cgiparams{'KEY'}}[1];
1232 $cgiparams{'TYPE'} = $confighash{$cgiparams{'KEY'}}[3];
1233 $cgiparams{'AUTH'} = $confighash{$cgiparams{'KEY'}}[4];
1234 $cgiparams{'PSK'} = $confighash{$cgiparams{'KEY'}}[5];
5fd30232 1235 #$cgiparams{'free'} = $confighash{$cgiparams{'KEY'}}[6];
ed84e8b8
MT		 1236 $cgiparams{'LOCAL_ID'} = $confighash{$cgiparams{'KEY'}}[7];
1237 $cgiparams{'LOCAL_SUBNET'} = $confighash{$cgiparams{'KEY'}}[8];
1238 $cgiparams{'REMOTE_ID'} = $confighash{$cgiparams{'KEY'}}[9];
1239 $cgiparams{'REMOTE'} = $confighash{$cgiparams{'KEY'}}[10];
1240 $cgiparams{'REMOTE_SUBNET'} = $confighash{$cgiparams{'KEY'}}[11];
1241 $cgiparams{'REMARK'} = $confighash{$cgiparams{'KEY'}}[25];
1242 $cgiparams{'INTERFACE'} = $confighash{$cgiparams{'KEY'}}[26];
1243 $cgiparams{'DPD_ACTION'} = $confighash{$cgiparams{'KEY'}}[27];
1244 $cgiparams{'IKE_ENCRYPTION'} = $confighash{$cgiparams{'KEY'}}[18];
1245 $cgiparams{'IKE_INTEGRITY'} = $confighash{$cgiparams{'KEY'}}[19];
1246 $cgiparams{'IKE_GROUPTYPE'} = $confighash{$cgiparams{'KEY'}}[20];
1247 $cgiparams{'IKE_LIFETIME'} = $confighash{$cgiparams{'KEY'}}[16];
1248 $cgiparams{'ESP_ENCRYPTION'} = $confighash{$cgiparams{'KEY'}}[21];
1249 $cgiparams{'ESP_INTEGRITY'} = $confighash{$cgiparams{'KEY'}}[22];
1250 $cgiparams{'ESP_GROUPTYPE'} = $confighash{$cgiparams{'KEY'}}[23];
1251 $cgiparams{'ESP_KEYLIFE'} = $confighash{$cgiparams{'KEY'}}[17];
1252 $cgiparams{'AGGRMODE'} = $confighash{$cgiparams{'KEY'}}[12];
1253 $cgiparams{'COMPRESSION'} = $confighash{$cgiparams{'KEY'}}[13];
1254 $cgiparams{'ONLY_PROPOSED'} = $confighash{$cgiparams{'KEY'}}[24];
1255 $cgiparams{'PFS'} = $confighash{$cgiparams{'KEY'}}[28];
1256 $cgiparams{'VHOST'} = $confighash{$cgiparams{'KEY'}}[14];
ac1cfefa
MT		 1257
1258 } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'save'}) {
1259 $cgiparams{'REMARK'} = &Header::cleanhtml($cgiparams{'REMARK'});
1260 if ($cgiparams{'TYPE'} !~ /^(host|net)$/) {
1261 $errormessage = $Lang::tr{'connection type is invalid'};
1262 goto VPNCONF_ERROR;
1263 }
1264
1265 if ($cgiparams{'NAME'} !~ /^[a-zA-Z0-9]+$/) {
1266 $errormessage = $Lang::tr{'name must only contain characters'};
1267 goto VPNCONF_ERROR;
1268 }
1269
1270 if ($cgiparams{'NAME'} =~ /^(host|01|block|private|clear|packetdefault)$/) {
1271 $errormessage = $Lang::tr{'name is invalid'};
1272 goto VPNCONF_ERROR;
1273 }
1274
1275 if (length($cgiparams{'NAME'}) >60) {
1276 $errormessage = $Lang::tr{'name too long'};
1277 goto VPNCONF_ERROR;
1278 }
1279
ac1cfefa 1280 # Check if there is no other entry with this name
ed84e8b8 1281 if (! $cgiparams{'KEY'}) { #only for add
ac1cfefa
MT		 1282 foreach my $key (keys %confighash) {
1283 if ($confighash{$key}[1] eq $cgiparams{'NAME'}) {
1284 $errormessage = $Lang::tr{'a connection with this name already exists'};
1285 goto VPNCONF_ERROR;
1286 }
1287 }
1288 }
1289
1290 if (($cgiparams{'TYPE'} eq 'net') && (! $cgiparams{'REMOTE'})) {
1291 $errormessage = $Lang::tr{'invalid input for remote host/ip'};
1292 goto VPNCONF_ERROR;
1293 }
1294
1295 if ($cgiparams{'REMOTE'}) {
1296 if (! &General::validip($cgiparams{'REMOTE'})) {
1297 if (! &General::validfqdn ($cgiparams{'REMOTE'})) {
1298 $errormessage = $Lang::tr{'invalid input for remote host/ip'};
1299 goto VPNCONF_ERROR;
1300 } else {
1301 if (&valid_dns_host($cgiparams{'REMOTE'})) {
1302 $warnmessage = "$Lang::tr{'check vpn lr'} $cgiparams{'REMOTE'}. $Lang::tr{'dns check failed'}";
1303 }
1304 }
1305 }
1306 }
1307
1308 unless (&General::validipandmask($cgiparams{'LOCAL_SUBNET'})) {
1309 $errormessage = $Lang::tr{'local subnet is invalid'};
1310 goto VPNCONF_ERROR;
1311 }
1312
ed84e8b8
MT		 1313 # Allow only one roadwarrior/psk without remote IP-address
1314 if ($cgiparams{'REMOTE'} eq '' && $cgiparams{'AUTH'} eq 'psk') {
ac1cfefa 1315 foreach my $key (keys %confighash) {
ed84e8b8
MT		 1316 if ( ($cgiparams{'KEY'} ne $key) &&
1317 ($confighash{$key}[4] eq 'psk') &&
1318 ($confighash{$key}[10] eq '') ) {
ac1cfefa
MT		 1319 $errormessage = $Lang::tr{'you can only define one roadwarrior connection when using pre-shared key authentication'};
1320 goto VPNCONF_ERROR;
1321 }
1322 }
1323 }
1324 if (($cgiparams{'TYPE'} eq 'net') && (! &General::validipandmask($cgiparams{'REMOTE_SUBNET'}))) {
1325 $errormessage = $Lang::tr{'remote subnet is invalid'};
1326 goto VPNCONF_ERROR;
1327 }
1328
1329 if ($cgiparams{'ENABLED'} !~ /^(on|off)$/) {
1330 $errormessage = $Lang::tr{'invalid input'};
1331 goto VPNCONF_ERROR;
1332 }
1333 if ($cgiparams{'EDIT_ADVANCED'} !~ /^(on|off)$/) {
1334 $errormessage = $Lang::tr{'invalid input'};
1335 goto VPNCONF_ERROR;
1336 }
1337
ed84e8b8
MT		 1338 # Allow nothing or a string (DN,FDQN,) beginning with @
1339 # with no comma but slashes between RID eg @O=FR/C=Paris/OU=myhome/CN=franck
1340 if ( ($cgiparams{'LOCAL_ID'} !~ /^(|[\w.-]*@[\w. =*\/-]+|\d\.\d\.\d\.\d)$/) ||
1341 ($cgiparams{'REMOTE_ID'} !~ /^(|[\w.-]*@[\w. =*\/-]+|\d\.\d\.\d\.\d)$/) ||
ac1cfefa
MT		 1342 (($cgiparams{'REMOTE_ID'} eq $cgiparams{'LOCAL_ID'}) && ($cgiparams{'LOCAL_ID'} ne ''))
1343 ) {
ed84e8b8
MT		 1344 $errormessage = $Lang::tr{'invalid local-remote id'} . '<br />' .
1345 'DER_ASN1_DN: @c=FR/ou=Paris/ou=Home/cn=*<br />' .
5fd30232
MT		 1346 'FQDN: @ipfire.org<br />' .
1347 'USER_FQDN: info@ipfire.org<br />' .
ed84e8b8 1348 'IPV4_ADDR: @123.123.123.123';
ac1cfefa
MT		 1349 goto VPNCONF_ERROR;
1350 }
ed84e8b8
MT		 1351 # If Auth is DN, verify existance of Remote ID.
1352 if ( $cgiparams{'REMOTE_ID'} eq '' && (
1353 $cgiparams{'AUTH'} eq 'auth-dn'|| # while creation
1354 $confighash{$cgiparams{'KEY'}}[2] eq '%auth-dn')){ # while editing
1355 $errormessage = $Lang::tr{'vpn missing remote id'};
1356 goto VPNCONF_ERROR;
1357 }
1358
1359 if ($cgiparams{'AUTH'} eq 'psk') {
ac1cfefa
MT		 1360 if (! length($cgiparams{'PSK'}) ) {
1361 $errormessage = $Lang::tr{'pre-shared key is too short'};
1362 goto VPNCONF_ERROR;
1363 }
ed84e8b8
MT		 1364 if ($cgiparams{'PSK'} =~ /'/) {
1365 $cgiparams{'PSK'} =~ tr/'/ /;
ac1cfefa
MT		 1366 $errormessage = $Lang::tr{'invalid characters found in pre-shared key'};
1367 goto VPNCONF_ERROR;
1368 }
1369 } elsif ($cgiparams{'AUTH'} eq 'certreq') {
1370 if ($cgiparams{'KEY'}) {
1371 $errormessage = $Lang::tr{'cant change certificates'};
1372 goto VPNCONF_ERROR;
1373 }
1374 if (ref ($cgiparams{'FH'}) ne 'Fh') {
1375 $errormessage = $Lang::tr{'there was no file upload'};
1376 goto VPNCONF_ERROR;
1377 }
1378
1379 # Move uploaded certificate request to a temporary file
1380 (my $fh, my $filename) = tempfile( );
1381 if (copy ($cgiparams{'FH'}, $fh) != 1) {
1382 $errormessage = $!;
1383 goto VPNCONF_ERROR;
1384 }
1385
ed84e8b8
MT		 1386 # Sign the certificate request
1387 &General::log("ipsec", "Signing your cert $cgiparams{'NAME'}...");
1388 my $opt = " ca -days 999999";
1389 $opt .= " -batch -notext";
1390 $opt .= " -in $filename";
1391 $opt .= " -out ${General::swroot}/certs/$cgiparams{'NAME'}cert.pem";
1392
1393 if ( $errormessage = &callssl ($opt) ) {
ac1cfefa
MT		 1394 unlink ($filename);
1395 unlink ("${General::swroot}/certs/$cgiparams{'NAME'}cert.pem");
1396 &cleanssldatabase();
1397 goto VPNCONF_ERROR;
1398 } else {
ed84e8b8
MT		 1399 unlink ($filename);
1400 &cleanssldatabase();
ac1cfefa
MT		 1401 }
1402
ed84e8b8 1403 $cgiparams{'CERT_NAME'} = getCNfromcert ("${General::swroot}/certs/$cgiparams{'NAME'}cert.pem");
ac1cfefa
MT		 1404 if ($cgiparams{'CERT_NAME'} eq '') {
1405 $errormessage = $Lang::tr{'could not retrieve common name from certificate'};
1406 goto VPNCONF_ERROR;
1407 }
ed84e8b8
MT		 1408 } elsif ($cgiparams{'AUTH'} eq 'pkcs12') {
1409 &General::log("ipsec", "Importing from p12...");
1410
1411 if (ref ($cgiparams{'FH'}) ne 'Fh') {
1412 $errormessage = $Lang::tr{'there was no file upload'};
1413 goto ROOTCERT_ERROR;
1414 }
1415
1416 # Move uploaded certificate request to a temporary file
1417 (my $fh, my $filename) = tempfile( );
1418 if (copy ($cgiparams{'FH'}, $fh) != 1) {
1419 $errormessage = $!;
1420 goto ROOTCERT_ERROR;
1421 }
1422
1423 # Extract the CA certificate from the file
1424 &General::log("ipsec", "Extracting caroot from p12...");
1425 if (open(STDIN, "-|")) {
1426 my $opt = " pkcs12 -cacerts -nokeys";
1427 $opt .= " -in $filename";
1428 $opt .= " -out /tmp/newcacert";
1429 $errormessage = &callssl ($opt);
1430 } else { #child
1431 print "$cgiparams{'P12_PASS'}\n";
1432 exit (0);
1433 }
1434
1435 # Extract the Host certificate from the file
1436 if (!$errormessage) {
1437 &General::log("ipsec", "Extracting host cert from p12...");
1438 if (open(STDIN, "-|")) {
1439 my $opt = " pkcs12 -clcerts -nokeys";
1440 $opt .= " -in $filename";
1441 $opt .= " -out /tmp/newhostcert";
1442 $errormessage = &callssl ($opt);
1443 } else { #child
1444 print "$cgiparams{'P12_PASS'}\n";
1445 exit (0);
1446 }
1447 }
1448
1449 if (!$errormessage) {
1450 &General::log("ipsec", "Moving cacert...");
1451 #If CA have new subject, add it to our list of CA
1452 my $casubject = &Header::cleanhtml(getsubjectfromcert ('/tmp/newcacert'));
1453 my @names;
1454 foreach my $x (keys %cahash) {
1455 $casubject='' if ($cahash{$x}[1] eq $casubject);
1456 unshift (@names,$cahash{$x}[0]);
1457 }
1458 if ($casubject) { # a new one!
1459 my $temp = `/usr/bin/openssl x509 -text -in /tmp/newcacert`;
1460 if ($temp !~ /CA:TRUE/i) {
1461 $errormessage = $Lang::tr{'not a valid ca certificate'};
1462 } else {
1463 #compute a name for it
1464 my $idx=0;
1465 while (grep(/Imported-$idx/, @names) ) {$idx++};
1466 $cgiparams{'CA_NAME'}="Imported-$idx";
1467 $cgiparams{'CERT_NAME'}=&Header::cleanhtml(getCNfromcert ('/tmp/newhostcert'));
1468 move("/tmp/newcacert", "${General::swroot}/ca/$cgiparams{'CA_NAME'}cert.pem");
1469 $errormessage = "$Lang::tr{'certificate file move failed'}: $!" if ($? ne 0);
1470 if (!$errormessage) {
1471 my $key = &General::findhasharraykey (\%cahash);
1472 $cahash{$key}[0] = $cgiparams{'CA_NAME'};
1473 $cahash{$key}[1] = $casubject;
1474 &General::writehasharray("${General::swroot}/vpn/caconfig", \%cahash);
1475 system('/usr/local/bin/ipsecctrl', 'R');
1476 }
1477 }
1478 }
1479 }
1480 if (!$errormessage) {
1481 &General::log("ipsec", "Moving host cert...");
1482 move("/tmp/newhostcert", "${General::swroot}/certs/$cgiparams{'NAME'}cert.pem");
1483 $errormessage = "$Lang::tr{'certificate file move failed'}: $!" if ($? ne 0);
1484 }
1485
1486 #cleanup temp files
1487 unlink ($filename);
1488 unlink ('/tmp/newcacert');
1489 unlink ('/tmp/newhostcert');
1490 if ($errormessage) {
1491 unlink ("${General::swroot}/ca/$cgiparams{'CA_NAME'}cert.pem");
1492 unlink ("${General::swroot}/certs/$cgiparams{'NAME'}cert.pem");
1493 goto VPNCONF_ERROR;
1494 }
1495 &General::log("ipsec", "p12 import completed!");
ac1cfefa
MT		 1496 } elsif ($cgiparams{'AUTH'} eq 'certfile') {
1497 if ($cgiparams{'KEY'}) {
1498 $errormessage = $Lang::tr{'cant change certificates'};
1499 goto VPNCONF_ERROR;
1500 }
1501 if (ref ($cgiparams{'FH'}) ne 'Fh') {
1502 $errormessage = $Lang::tr{'there was no file upload'};
1503 goto VPNCONF_ERROR;
1504 }
1505 # Move uploaded certificate to a temporary file
1506 (my $fh, my $filename) = tempfile( );
1507 if (copy ($cgiparams{'FH'}, $fh) != 1) {
1508 $errormessage = $!;
1509 goto VPNCONF_ERROR;
1510 }
1511
1512 # Verify the certificate has a valid CA and move it
ed84e8b8
MT		 1513 &General::log("ipsec", "Validating imported cert against our known CA...");
1514 my $validca = 1; #assume ok
ac1cfefa 1515 my $test = `/usr/bin/openssl verify -CAfile ${General::swroot}/ca/cacert.pem $filename`;
ed84e8b8
MT		 1516 if ($test !~ /: OK/) {
1517 my $validca = 0;
ac1cfefa
MT		 1518 foreach my $key (keys %cahash) {
1519 $test = `/usr/bin/openssl verify -CAfile ${General::swroot}/ca/$cahash{$key}[0]cert.pem $filename`;
1520 if ($test =~ /: OK/) {
1521 $validca = 1;
ed84e8b8 1522 last;
ac1cfefa
MT		 1523 }
1524 }
1525 }
1526 if (! $validca) {
1527 $errormessage = $Lang::tr{'certificate does not have a valid ca associated with it'};
1528 unlink ($filename);
1529 goto VPNCONF_ERROR;
1530 } else {
1531 move($filename, "${General::swroot}/certs/$cgiparams{'NAME'}cert.pem");
1532 if ($? ne 0) {
1533 $errormessage = "$Lang::tr{'certificate file move failed'}: $!";
1534 unlink ($filename);
1535 goto VPNCONF_ERROR;
1536 }
1537 }
1538
ed84e8b8 1539 $cgiparams{'CERT_NAME'} = getCNfromcert ("${General::swroot}/certs/$cgiparams{'NAME'}cert.pem");
ac1cfefa
MT		 1540 if ($cgiparams{'CERT_NAME'} eq '') {
1541 unlink ("${General::swroot}/certs/$cgiparams{'NAME'}cert.pem");
1542 $errormessage = $Lang::tr{'could not retrieve common name from certificate'};
1543 goto VPNCONF_ERROR;
1544 }
1545 } elsif ($cgiparams{'AUTH'} eq 'certgen') {
1546 if ($cgiparams{'KEY'}) {
1547 $errormessage = $Lang::tr{'cant change certificates'};
1548 goto VPNCONF_ERROR;
1549 }
1550 # Validate input since the form was submitted
1551 if (length($cgiparams{'CERT_NAME'}) >60) {
1552 $errormessage = $Lang::tr{'name too long'};
1553 goto VPNCONF_ERROR;
1554 }
1555 if ($cgiparams{'CERT_NAME'} !~ /^[a-zA-Z0-9 ,\.\-_]+$/) {
1556 $errormessage = $Lang::tr{'invalid input for name'};
1557 goto VPNCONF_ERROR;
1558 }
1559 if ($cgiparams{'CERT_EMAIL'} ne '' && (! &General::validemail($cgiparams{'CERT_EMAIL'}))) {
1560 $errormessage = $Lang::tr{'invalid input for e-mail address'};
1561 goto VPNCONF_ERROR;
1562 }
1563 if (length($cgiparams{'CERT_EMAIL'}) > 40) {
1564 $errormessage = $Lang::tr{'e-mail address too long'};
1565 goto VPNCONF_ERROR;
1566 }
1567 if ($cgiparams{'CERT_OU'} ne '' && $cgiparams{'CERT_OU'} !~ /^[a-zA-Z0-9 ,\.\-_]*$/) {
1568 $errormessage = $Lang::tr{'invalid input for department'};
1569 goto VPNCONF_ERROR;
1570 }
1571 if (length($cgiparams{'CERT_ORGANIZATION'}) >60) {
1572 $errormessage = $Lang::tr{'organization too long'};
1573 goto VPNCONF_ERROR;
1574 }
1575 if ($cgiparams{'CERT_ORGANIZATION'} !~ /^[a-zA-Z0-9 ,\.\-_]+$/) {
1576 $errormessage = $Lang::tr{'invalid input for organization'};
1577 goto VPNCONF_ERROR;
1578 }
1579 if ($cgiparams{'CERT_CITY'} ne '' && $cgiparams{'CERT_CITY'} !~ /^[a-zA-Z0-9 ,\.\-_]*$/) {
1580 $errormessage = $Lang::tr{'invalid input for city'};
1581 goto VPNCONF_ERROR;
1582 }
1583 if ($cgiparams{'CERT_STATE'} ne '' && $cgiparams{'CERT_STATE'} !~ /^[a-zA-Z0-9 ,\.\-_]*$/) {
1584 $errormessage = $Lang::tr{'invalid input for state or province'};
1585 goto VPNCONF_ERROR;
1586 }
1587 if ($cgiparams{'CERT_COUNTRY'} !~ /^[A-Z]*$/) {
1588 $errormessage = $Lang::tr{'invalid input for country'};
1589 goto VPNCONF_ERROR;
1590 }
ed84e8b8
MT		 1591 #the exact syntax is a list comma separated of
1592 # email:any-validemail
1593 # URI: a uniform resource indicator
1594 # DNS: a DNS domain name
1595 # RID: a registered OBJECT IDENTIFIER
1596 # IP: an IP address
1597 # example: email:franck@foo.com,IP:10.0.0.10,DNS:franck.foo.com
1598
1599 if ($cgiparams{'SUBJECTALTNAME'} ne '' && $cgiparams{'SUBJECTALTNAME'} !~ /^(email|URI|DNS|RID|IP):[a-zA-Z0-9 :\/,\.\-_@]*$/) {
1600 $errormessage = $Lang::tr{'vpn altname syntax'};
1601 goto VPNCONF_ERROR;
1602 }
1603
ac1cfefa
MT		 1604 if (length($cgiparams{'CERT_PASS1'}) < 5) {
1605 $errormessage = $Lang::tr{'password too short'};
1606 goto VPNCONF_ERROR;
1607 }
1608 if ($cgiparams{'CERT_PASS1'} ne $cgiparams{'CERT_PASS2'}) {
1609 $errormessage = $Lang::tr{'passwords do not match'};
1610 goto VPNCONF_ERROR;
1611 }
1612
1613 # Replace empty strings with a .
1614 (my $ou = $cgiparams{'CERT_OU'}) =~ s/^\s*$/\./;
1615 (my $city = $cgiparams{'CERT_CITY'}) =~ s/^\s*$/\./;
1616 (my $state = $cgiparams{'CERT_STATE'}) =~ s/^\s*$/\./;
1617
1618 # Create the Host certificate request
ed84e8b8
MT		 1619 &General::log("ipsec", "Creating a cert...");
1620
1621 if (open(STDIN, "-|")) {
1622 my $opt = " req -nodes -rand /proc/interrupts:/proc/net/rt_cache";
1623 $opt .= " -newkey rsa:1024";
1624 $opt .= " -keyout ${General::swroot}/certs/$cgiparams{'NAME'}key.pem";
1625 $opt .= " -out ${General::swroot}/certs/$cgiparams{'NAME'}req.pem";
1626
1627 if ( $errormessage = &callssl ($opt) ) {
ac1cfefa
MT		 1628 unlink ("${General::swroot}/certs/$cgiparams{'NAME'}key.pem");
1629 unlink ("${General::swroot}/certs/$cgiparams{'NAME'}req.pem");
1630 goto VPNCONF_ERROR;
ed84e8b8
MT		 1631 }
1632 } else { #child
1633 print "$cgiparams{'CERT_COUNTRY'}\n";
1634 print "$state\n";
1635 print "$city\n";
1636 print "$cgiparams{'CERT_ORGANIZATION'}\n";
1637 print "$ou\n";
1638 print "$cgiparams{'CERT_NAME'}\n";
1639 print "$cgiparams{'CERT_EMAIL'}\n";
1640 print ".\n";
1641 print ".\n";
1642 exit (0);
ac1cfefa 1643 }
ed84e8b8 1644
ac1cfefa 1645 # Sign the host certificate request
ed84e8b8
MT		 1646 &General::log("ipsec", "Signing the cert $cgiparams{'NAME'}...");
1647
1648 #No easy way for specifying the contain of subjectAltName without writing a config file...
1649 my ($fh, $v3extname) = tempfile ('/tmp/XXXXXXXX');
1650 print $fh <<END
1651 basicConstraints=CA:FALSE
1652 nsComment="OpenSSL Generated Certificate"
1653 subjectKeyIdentifier=hash
1654 authorityKeyIdentifier=keyid,issuer:always
1655END
1656;
1657 print $fh "subjectAltName=$cgiparams{'SUBJECTALTNAME'}" if ($cgiparams{'SUBJECTALTNAME'});
1658 close ($fh);
1659
1660 my $opt = " ca -days 999999 -batch -notext";
1661 $opt .= " -in ${General::swroot}/certs/$cgiparams{'NAME'}req.pem";
1662 $opt .= " -out ${General::swroot}/certs/$cgiparams{'NAME'}cert.pem";
1663 $opt .= " -extfile $v3extname";
1664
1665 if ( $errormessage = &callssl ($opt) ) {
1666 unlink ($v3extname);
ac1cfefa
MT		 1667 unlink ("${General::swroot}/certs/$cgiparams{'NAME'}key.pem");
1668 unlink ("${General::swroot}/certs/$cgiparams{'NAME'}req.pem");
1669 unlink ("${General::swroot}/certs/$cgiparams{'NAME'}cert.pem");
1670 &cleanssldatabase();
1671 goto VPNCONF_ERROR;
1672 } else {
ed84e8b8 1673 unlink ($v3extname);
ac1cfefa
MT		 1674 unlink ("${General::swroot}/certs/$cgiparams{'NAME'}req.pem");
1675 &cleanssldatabase();
1676 }
1677
1678 # Create the pkcs12 file
ed84e8b8
MT		 1679 &General::log("ipsec", "Packing a pkcs12 file...");
1680 $opt = " pkcs12 -export";
1681 $opt .= " -inkey ${General::swroot}/certs/$cgiparams{'NAME'}key.pem";
1682 $opt .= " -in ${General::swroot}/certs/$cgiparams{'NAME'}cert.pem";
1683 $opt .= " -name \"$cgiparams{'NAME'}\"";
1684 $opt .= " -passout pass:$cgiparams{'CERT_PASS1'}";
1685 $opt .= " -certfile ${General::swroot}/ca/cacert.pem";
1686 $opt .= " -caname \"$vpnsettings{'ROOTCERT_ORGANIZATION'} CA\"";
1687 $opt .= " -out ${General::swroot}/certs/$cgiparams{'NAME'}.p12";
1688
1689 if ( $errormessage = &callssl ($opt) ) {
ac1cfefa
MT		 1690 unlink ("${General::swroot}/certs/$cgiparams{'NAME'}key.pem");
1691 unlink ("${General::swroot}/certs/$cgiparams{'NAME'}cert.pem");
1692 unlink ("${General::swroot}/certs/$cgiparams{'NAME'}.p12");
1693 goto VPNCONF_ERROR;
1694 } else {
1695 unlink ("${General::swroot}/certs/$cgiparams{'NAME'}key.pem");
1696 }
1697 } elsif ($cgiparams{'AUTH'} eq 'cert') {
1698 ;# Nothing, just editing
ed84e8b8
MT		 1699 } elsif ($cgiparams{'AUTH'} eq 'auth-dn') {
1700 $cgiparams{'CERT_NAME'} = '%auth-dn'; # a special value saying 'no cert file'
ac1cfefa
MT		 1701 } else {
1702 $errormessage = $Lang::tr{'invalid input for authentication method'};
1703 goto VPNCONF_ERROR;
1704 }
1705
ed84e8b8
MT		 1706 # 1)Error message here is not accurate.
1707 # 2)Test is superfluous, openswan can reference same cert multiple times
1708 # 3)Present since initial version (1.3.2.11), it isn't a bug correction
1709 # Check if there is no other entry with this certificate name
1710 #if ((! $cgiparams{'KEY'}) && ($cgiparams{'AUTH'} ne 'psk') && ($cgiparams{'AUTH'} ne 'auth-dn')) {
1711 # foreach my $key (keys %confighash) {
1712 # if ($confighash{$key}[2] eq $cgiparams{'CERT_NAME'}) {
1713 # $errormessage = $Lang::tr{'a connection with this common name already exists'};
1714 # goto VPNCONF_ERROR;
1715 # }
1716 # }
1717 #}
ac1cfefa 1718 # Save the config
ed84e8b8 1719
ac1cfefa
MT		 1720 my $key = $cgiparams{'KEY'};
1721 if (! $key) {
1722 $key = &General::findhasharraykey (\%confighash);
1723 foreach my $i (0 .. 28) { $confighash{$key}[$i] = "";}
1724 }
1725 $confighash{$key}[0] = $cgiparams{'ENABLED'};
1726 $confighash{$key}[1] = $cgiparams{'NAME'};
1727 if ((! $cgiparams{'KEY'}) && $cgiparams{'AUTH'} ne 'psk') {
1728 $confighash{$key}[2] = $cgiparams{'CERT_NAME'};
1729 }
1730 $confighash{$key}[3] = $cgiparams{'TYPE'};
1731 if ($cgiparams{'AUTH'} eq 'psk') {
1732 $confighash{$key}[4] = 'psk';
1733 $confighash{$key}[5] = $cgiparams{'PSK'};
1734 } else {
1735 $confighash{$key}[4] = 'cert';
1736 }
1737 if ($cgiparams{'TYPE'} eq 'net') {
ac1cfefa
MT		 1738 $confighash{$key}[11] = $cgiparams{'REMOTE_SUBNET'};
1739 }
1740 $confighash{$key}[7] = $cgiparams{'LOCAL_ID'};
1741 $confighash{$key}[8] = $cgiparams{'LOCAL_SUBNET'};
1742 $confighash{$key}[9] = $cgiparams{'REMOTE_ID'};
1743 $confighash{$key}[10] = $cgiparams{'REMOTE'};
1744 $confighash{$key}[25] = $cgiparams{'REMARK'};
1745 $confighash{$key}[26] = $cgiparams{'INTERFACE'};
1746 $confighash{$key}[27] = $cgiparams{'DPD_ACTION'};
ac1cfefa 1747
ed84e8b8
MT		 1748 #dont forget advanced value
1749 $confighash{$key}[18] = $cgiparams{'IKE_ENCRYPTION'};
1750 $confighash{$key}[19] = $cgiparams{'IKE_INTEGRITY'};
1751 $confighash{$key}[20] = $cgiparams{'IKE_GROUPTYPE'};
1752 $confighash{$key}[16] = $cgiparams{'IKE_LIFETIME'};
1753 $confighash{$key}[21] = $cgiparams{'ESP_ENCRYPTION'};
1754 $confighash{$key}[22] = $cgiparams{'ESP_INTEGRITY'};
1755 $confighash{$key}[23] = $cgiparams{'ESP_GROUPTYPE'};
1756 $confighash{$key}[17] = $cgiparams{'ESP_KEYLIFE'};
1757 $confighash{$key}[12] = $cgiparams{'AGGRMODE'};
1758 $confighash{$key}[13] = $cgiparams{'COMPRESSION'};
1759 $confighash{$key}[24] = $cgiparams{'ONLY_PROPOSED'};
1760 $confighash{$key}[28] = $cgiparams{'PFS'};
1761 $confighash{$key}[14] = $cgiparams{'VHOST'};
ac1cfefa
MT		 1762
1763 #free unused fields!
5fd30232 1764 $confighash{$key}[6] = 'off';
ed84e8b8 1765 $confighash{$key}[15] = 'off';
ac1cfefa
MT		 1766
1767 &General::writehasharray("${General::swroot}/vpn/config", \%confighash);
1768 &writeipsecfiles();
ed84e8b8 1769 if (&vpnenabled) {
ac1cfefa
MT		 1770 system('/usr/local/bin/ipsecctrl', 'S', $key);
1771 sleep $sleepDelay;
1772 }
1773 if ($cgiparams{'EDIT_ADVANCED'} eq 'on') {
1774 $cgiparams{'KEY'} = $key;
1775 $cgiparams{'ACTION'} = $Lang::tr{'advanced'};
1776 }
1777 goto VPNCONF_END;
1778 } else { # add new connection
1779 $cgiparams{'ENABLED'} = 'on';
ac1cfefa
MT		 1780 if ( ! -f "${General::swroot}/private/cakey.pem" ) {
1781 $cgiparams{'AUTH'} = 'psk';
1782 } elsif ( ! -f "${General::swroot}/ca/cacert.pem") {
1783 $cgiparams{'AUTH'} = 'certfile';
1784 } else {
1785 $cgiparams{'AUTH'} = 'certgen';
1786 }
1787 $cgiparams{'LOCAL_SUBNET'} ="$netsettings{'GREEN_NETADDRESS'}/$netsettings{'GREEN_NETMASK'}";
ed84e8b8
MT		 1788 $cgiparams{'CERT_EMAIL'} = $vpnsettings{'ROOTCERT_EMAIL'};
1789 $cgiparams{'CERT_OU'} = $vpnsettings{'ROOTCERT_OU'};
ac1cfefa
MT		 1790 $cgiparams{'CERT_ORGANIZATION'} = $vpnsettings{'ROOTCERT_ORGANIZATION'};
1791 $cgiparams{'CERT_CITY'} = $vpnsettings{'ROOTCERT_CITY'};
1792 $cgiparams{'CERT_STATE'} = $vpnsettings{'ROOTCERT_STATE'};
1793 $cgiparams{'CERT_COUNTRY'} = $vpnsettings{'ROOTCERT_COUNTRY'};
1794
1795 # choose appropriate dpd action
1796 if ($cgiparams{'TYPE'} eq 'host') {
1797 $cgiparams{'DPD_ACTION'} = 'clear';
1798 } else {
ed84e8b8 1799 $cgiparams{'DPD_ACTION'} = 'restart';
ac1cfefa
MT		 1800 }
1801
1802 # Default is yes for 'pfs'
ed84e8b8 1803 $cgiparams{'PFS'} = 'on';
ac1cfefa
MT		 1804
1805 # ID are empty
1806 $cgiparams{'LOCAL_ID'} = '';
1807 $cgiparams{'REMOTE_ID'} = '';
ed84e8b8
MT		 1808
1809 #use default advanced value
1810 $cgiparams{'IKE_ENCRYPTION'} = 'aes128|3des'; #[18];
1811 $cgiparams{'IKE_INTEGRITY'} = 'sha|md5'; #[19];
1812 $cgiparams{'IKE_GROUPTYPE'} = '1536|1024'; #[20];
1813 $cgiparams{'IKE_LIFETIME'} = '1'; #[16];
1814 $cgiparams{'ESP_ENCRYPTION'} = 'aes128|3des'; #[21];
1815 $cgiparams{'ESP_INTEGRITY'} = 'sha1|md5'; #[22];
1816 $cgiparams{'ESP_GROUPTYPE'} = ''; #[23];
1817 $cgiparams{'ESP_KEYLIFE'} = '8'; #[17];
1818 $cgiparams{'AGGRMODE'} = 'off'; #[12];
1819 $cgiparams{'COMPRESSION'} = 'off'; #[13];
1820 $cgiparams{'ONLY_PROPOSED'} = 'off'; #[24];
1821 $cgiparams{'PFS'} = 'on'; #[28];
1822 $cgiparams{'VHOST'} = 'on'; #[14];
ac1cfefa
MT		 1823 }
1824
1825 VPNCONF_ERROR:
1826 $checked{'ENABLED'}{'off'} = '';
1827 $checked{'ENABLED'}{'on'} = '';
1828 $checked{'ENABLED'}{$cgiparams{'ENABLED'}} = "checked='checked'";
ac1cfefa
MT		 1829
1830 $checked{'EDIT_ADVANCED'}{'off'} = '';
1831 $checked{'EDIT_ADVANCED'}{'on'} = '';
1832 $checked{'EDIT_ADVANCED'}{$cgiparams{'EDIT_ADVANCED'}} = "checked='checked'";
1833
ac1cfefa
MT		 1834 $checked{'AUTH'}{'psk'} = '';
1835 $checked{'AUTH'}{'certreq'} = '';
1836 $checked{'AUTH'}{'certgen'} = '';
1837 $checked{'AUTH'}{'certfile'} = '';
ed84e8b8
MT		 1838 $checked{'AUTH'}{'pkcs12'} = '';
1839 $checked{'AUTH'}{'auth-dn'} = '';
ac1cfefa
MT		 1840 $checked{'AUTH'}{$cgiparams{'AUTH'}} = "checked='checked'";
1841
ed84e8b8
MT		 1842 $selected{'INTERFACE'}{'RED'} = '';
1843 $selected{'INTERFACE'}{'ORANGE'} = '';
1844 $selected{'INTERFACE'}{'GREEN'} = '';
1845 $selected{'INTERFACE'}{'BLUE'} = '';
ac1cfefa 1846 $selected{'INTERFACE'}{$cgiparams{'INTERFACE'}} = "selected='selected'";
ed84e8b8
MT		 1847
1848 $selected{'DPD_ACTION'}{'clear'} = '';
1849 $selected{'DPD_ACTION'}{'hold'} = '';
1850 $selected{'DPD_ACTION'}{'restart'} = '';
ac1cfefa 1851 $selected{'DPD_ACTION'}{$cgiparams{'DPD_ACTION'}} = "selected='selected'";
ac1cfefa 1852
ed84e8b8
MT		 1853 &Header::showhttpheaders();
1854 &Header::openpage($Lang::tr{'vpn configuration main'}, 1, '');
1855 &Header::openbigbox('100%', 'left', '', $errormessage);
1856 if ($errormessage) {
1857 &Header::openbox('100%', 'left', $Lang::tr{'error messages'});
1858 print "<class name='base'>$errormessage";
1859 print "&nbsp;</class>";
1860 &Header::closebox();
1861 }
ac1cfefa 1862
ed84e8b8
MT		 1863 if ($warnmessage) {
1864 &Header::openbox('100%', 'left', "$Lang::tr{'warning messages'}:");
1865 print "<class name='base'>$warnmessage";
1866 print "&nbsp;</class>";
1867 &Header::closebox();
1868 }
ac1cfefa 1869
ed84e8b8
MT		 1870 print "<form method='post' enctype='multipart/form-data' action='$ENV{'SCRIPT_NAME'}'>";
1871 print<<END
1872 <input type='hidden' name='TYPE' value='$cgiparams{'TYPE'}' />
1873 <input type='hidden' name='IKE_ENCRYPTION' value='$cgiparams{'IKE_ENCRYPTION'}' />
1874 <input type='hidden' name='IKE_INTEGRITY' value='$cgiparams{'IKE_INTEGRITY'}' />
1875 <input type='hidden' name='IKE_GROUPTYPE' value='$cgiparams{'IKE_GROUPTYPE'}' />
1876 <input type='hidden' name='IKE_LIFETIME' value='$cgiparams{'IKE_LIFETIME'}' />
1877 <input type='hidden' name='ESP_ENCRYPTION' value='$cgiparams{'ESP_ENCRYPTION'}' />
1878 <input type='hidden' name='ESP_INTEGRITY' value='$cgiparams{'ESP_INTEGRITY'}' />
1879 <input type='hidden' name='ESP_GROUPTYPE' value='$cgiparams{'ESP_GROUPTYPE'}' />
1880 <input type='hidden' name='ESP_KEYLIFE' value='$cgiparams{'ESP_KEYLIFE'}' />
1881 <input type='hidden' name='AGGRMODE' value='$cgiparams{'AGGRMODE'}' />
1882 <input type='hidden' name='COMPRESSION' value='$cgiparams{'COMPRESSION'}' />
1883 <input type='hidden' name='ONLY_PROPOSED' value='$cgiparams{'ONLY_PROPOSED'}' />
1884 <input type='hidden' name='PFS' value='$cgiparams{'PFS'}' />
1885 <input type='hidden' name='VHOST' value='$cgiparams{'VHOST'}' />
1886END
1887 ;
1888 if ($cgiparams{'KEY'}) {
1889 print "<input type='hidden' name='KEY' value='$cgiparams{'KEY'}' />";
1890 print "<input type='hidden' name='AUTH' value='$cgiparams{'AUTH'}' />";
1891 }
ac1cfefa 1892
ed84e8b8
MT		 1893 &Header::openbox('100%', 'left', "$Lang::tr{'connection'}:");
1894 print "<table width='100%'>";
1895 print "<tr><td width='25%' class='boldbase'>$Lang::tr{'name'}:</td>";
1896 if ($cgiparams{'KEY'}) {
1897 print "<td width='25%' class='base'><input type='hidden' name='NAME' value='$cgiparams{'NAME'}' /><b>$cgiparams{'NAME'}</b></td>";
1898 } else {
1899 print "<td width='25%'><input type='text' name='NAME' value='$cgiparams{'NAME'}' size='30' /></td>";
1900 }
1901 print "<td>$Lang::tr{'enabled'}</td><td><input type='checkbox' name='ENABLED' $checked{'ENABLED'}{'on'} /></td></tr>";
5fd30232 1902 print '</tr><td><br /></td><tr>';
ac1cfefa 1903
5fd30232
MT		 1904 my $disabled;
1905 my $blob;
ed84e8b8 1906 if ($cgiparams{'TYPE'} eq 'host') {
5fd30232
MT		 1907 $disabled = "disabled='disabled'";
1908 $blob = "<img src='/blob.gif' alt='*' />";
1909 };
1910
1911 print "<tr><td>$Lang::tr{'host ip'}:</td>";
1912 print "<td><select name='INTERFACE'>";
1913 print "<option value='RED' $selected{'INTERFACE'}{'RED'}>RED ($vpnsettings{'VPN_IP'})</option>";
1914 print "<option value='GREEN' $selected{'INTERFACE'}{'GREEN'}>GREEN ($netsettings{'GREEN_ADDRESS'})</option>";
1915 print "<option value='BLUE' $selected{'INTERFACE'}{'BLUE'}>BLUE ($netsettings{'BLUE_ADDRESS'})</option>" if ($netsettings{'BLUE_DEV'} ne '');
1916 print "<option value='ORANGE' $selected{'INTERFACE'}{'ORANGE'}>ORANGE ($netsettings{'ORANGE_ADDRESS'})</option>" if ($netsettings{'ORANGE_DEV'} ne '');
1917 print "</select></td>";
1918 print <<END
1919 <td class='boldbase'>$Lang::tr{'remote host/ip'}:&nbsp;$blob</td>
ed84e8b8 1920 <td><input type='text' name='REMOTE' value='$cgiparams{'REMOTE'}' size='30' /></td>
ed84e8b8
MT		 1921 </tr><tr>
1922 <td class='boldbase' nowrap='nowrap'>$Lang::tr{'local subnet'}</td>
1923 <td><input type='text' name='LOCAL_SUBNET' value='$cgiparams{'LOCAL_SUBNET'}' size='30' /></td>
1924 <td class='boldbase' nowrap='nowrap'>$Lang::tr{'remote subnet'}</td>
5fd30232
MT		 1925 <td><input $disabled type='text' name='REMOTE_SUBNET' value='$cgiparams{'REMOTE_SUBNET'}' size='30' /></td>
1926 </tr><tr>
1927 <td class='boldbase'>$Lang::tr{'vpn local id'}:&nbsp;<img src='/blob.gif' alt='*' />
1928 <br />($Lang::tr{'eg'} <tt>&#64;xy.example.com</tt>)</td>
1929 <td><input type='text' name='LOCAL_ID' value='$cgiparams{'LOCAL_ID'}' /></td>
1930 <td class='boldbase'>$Lang::tr{'vpn remote id'}:&nbsp;<img src='/blob.gif' alt='*' /></td>
1931 <td><input type='text' name='REMOTE_ID' value='$cgiparams{'REMOTE_ID'}' /></td>
1932 </tr><tr>
1933 </tr><td><br /></td><tr>
1934 <td>$Lang::tr{'dpd action'}:</td>
1935 <td><select name='DPD_ACTION'>
1936 <option value='clear' $selected{'DPD_ACTION'}{'clear'}>clear</option>
1937 <option value='hold' $selected{'DPD_ACTION'}{'hold'}>hold</option>
1938 <option value='restart' $selected{'DPD_ACTION'}{'restart'}>restart</option>
1939 </select>&nbsp; <a href='http://www.openswan.com/docs/local/README.DPD'>?</a>
1940 </td>
1941 </tr><tr>
ed84e8b8
MT		 1942<!--http://www.openswan.com/docs/local/README.DPD
1943 http://bugs.xelerance.com/view.php?id=156
1944 restart = clear + reinitiate connection
1945-->
5fd30232
MT		 1946 <td class='boldbase'>$Lang::tr{'remark title'}&nbsp;<img src='/blob.gif' alt='*' /></td>
1947 <td colspan='3'><input type='text' name='REMARK' value='$cgiparams{'REMARK'}' size='55' maxlength='50' /></td>
1948 </tr>
ac1cfefa 1949END
ed84e8b8
MT		 1950 ;
1951 if (!$cgiparams{'KEY'}) {
1952 print "<tr><td colspan='3'><input type='checkbox' name='EDIT_ADVANCED' $checked{'EDIT_ADVANCED'}{'on'} /> $Lang::tr{'edit advanced settings when done'}</td></tr>";
1953 }
1954 print "</table>";
1955 &Header::closebox();
ac1cfefa 1956
ed84e8b8
MT		 1957 if ($cgiparams{'KEY'} && $cgiparams{'AUTH'} eq 'psk') {
1958 &Header::openbox('100%', 'left', $Lang::tr{'authentication'});
1959 print <<END
1960 <table width='100%' cellpadding='0' cellspacing='5' border='0'>
1961 <tr><td class='base' width='50%'>$Lang::tr{'use a pre-shared key'}</td>
1962 <td class='base' width='50%'><input type='text' name='PSK' size='30' value='$cgiparams{'PSK'}' /></td>
1963 </tr>
1964 </table>
ac1cfefa 1965END
ed84e8b8
MT		 1966 ;
1967 &Header::closebox();
1968 } elsif (! $cgiparams{'KEY'}) {
1969 my $pskdisabled = ($vpnsettings{'VPN_IP'} eq '%defaultroute') ? "disabled='disabled'" : '' ;
1970 $cgiparams{'PSK'} = $Lang::tr{'vpn incompatible use of defaultroute'} if ($pskdisabled);
1971 my $cakeydisabled = ( ! -f "${General::swroot}/private/cakey.pem" ) ? "disabled='disabled'" : '';
1972 $cgiparams{'CERT_NAME'} = $Lang::tr{'vpn no full pki'} if ($cakeydisabled);
1973 my $cacrtdisabled = ( ! -f "${General::swroot}/ca/cacert.pem" ) ? "disabled='disabled'" : '';
1974
1975 &Header::openbox('100%', 'left', $Lang::tr{'authentication'});
1976 print <<END
1977 <table width='100%' cellpadding='0' cellspacing='5' border='0'>
1978 <tr><td width='5%'><input type='radio' name='AUTH' value='psk' $checked{'AUTH'}{'psk'} $pskdisabled/></td>
1979 <td class='base' width='55%'>$Lang::tr{'use a pre-shared key'}</td>
1980 <td class='base' width='40%'><input type='text' name='PSK' size='30' value='$cgiparams{'PSK'}' $pskdisabled/></td></tr>
1981 <tr><td colspan='3' bgcolor='#000000'></td></tr>
1982 <tr><td><input type='radio' name='AUTH' value='certreq' $checked{'AUTH'}{'certreq'} $cakeydisabled /></td>
1983 <td class='base'><hr />$Lang::tr{'upload a certificate request'}</td>
1984 <td class='base' rowspan='3' valign='middle'><input type='file' name='FH' size='30' $cacrtdisabled /></td></tr>
1985 <tr><td><input type='radio' name='AUTH' value='certfile' $checked{'AUTH'}{'certfile'} $cacrtdisabled /></td>
1986 <td class='base'>$Lang::tr{'upload a certificate'}</td></tr>
1987 <tr><td><input type='radio' name='AUTH' value='pkcs12' $cacrtdisabled /></td>
1988 <td class='base'>$Lang::tr{'upload p12 file'} $Lang::tr{'pkcs12 file password'}:<input type='password' name='P12_PASS'/></td></tr>
1989 <tr><td><input type='radio' name='AUTH' value='auth-dn' $checked{'AUTH'}{'auth-dn'} $cacrtdisabled /></td>
1990 <td class='base'><hr />$Lang::tr{'vpn auth-dn'}</td></tr>
1991 <tr><td colspan='3' bgcolor='#000000'></td></tr>
1992 <tr><td><input type='radio' name='AUTH' value='certgen' $checked{'AUTH'}{'certgen'} $cakeydisabled /></td>
1993 <td class='base'><hr />$Lang::tr{'generate a certificate'}</td><td>&nbsp;</td></tr>
1994 <tr><td>&nbsp;</td>
1995 <td class='base'>$Lang::tr{'users fullname or system hostname'}:</td>
1996 <td class='base' nowrap='nowrap'><input type='text' name='CERT_NAME' value='$cgiparams{'CERT_NAME'}' size='32' $cakeydisabled /></td></tr>
1997 <tr><td>&nbsp;</td>
1998 <td class='base'>$Lang::tr{'users email'}:&nbsp;<img src='/blob.gif' alt='*' /></td>
1999 <td class='base' nowrap='nowrap'><input type='text' name='CERT_EMAIL' value='$cgiparams{'CERT_EMAIL'}' size='32' $cakeydisabled /></td></tr>
2000 <tr><td>&nbsp;</td>
2001 <td class='base'>$Lang::tr{'users department'}:&nbsp;<img src='/blob.gif' alt='*' /></td>
2002 <td class='base' nowrap='nowrap'><input type='text' name='CERT_OU' value='$cgiparams{'CERT_OU'}' size='32' $cakeydisabled /></td></tr>
2003 <tr><td>&nbsp;</td>
2004 <td class='base'>$Lang::tr{'organization name'}:&nbsp;<img src='/blob.gif' alt='*' /></td>
2005 <td class='base' nowrap='nowrap'><input type='text' name='CERT_ORGANIZATION' value='$cgiparams{'CERT_ORGANIZATION'}' size='32' $cakeydisabled /></td></tr>
2006 <tr><td>&nbsp;</td>
2007 <td class='base'>$Lang::tr{'city'}:&nbsp;<img src='/blob.gif' alt='*' /></td>
2008 <td class='base' nowrap='nowrap'><input type='text' name='CERT_CITY' value='$cgiparams{'CERT_CITY'}' size='32' $cakeydisabled /></td></tr>
2009 <tr><td>&nbsp;</td>
2010 <td class='base'>$Lang::tr{'state or province'}:&nbsp;<img src='/blob.gif' alt='*' /></td>
2011 <td class='base' nowrap='nowrap'><input type='text' name='CERT_STATE' value='$cgiparams{'CERT_STATE'}' size='32' $cakeydisabled /></td></tr>
2012 <tr><td>&nbsp;</td>
2013 <td class='base'>$Lang::tr{'country'}:</td>
2014 <td class='base'><select name='CERT_COUNTRY' $cakeydisabled>
ac1cfefa 2015END
ed84e8b8
MT		 2016 ;
2017 foreach my $country (sort keys %{Countries::countries}) {
2018 print "\t\t\t<option value='$Countries::countries{$country}'";
2019 if ( $Countries::countries{$country} eq $cgiparams{'CERT_COUNTRY'} ) {
2020 print " selected='selected'";
ac1cfefa 2021 }
ed84e8b8 2022 print ">$country</option>\n";
ac1cfefa 2023 }
ed84e8b8
MT		 2024 print <<END
2025 </select></td></tr>
ac1cfefa 2026
ed84e8b8
MT		 2027 <tr><td>&nbsp;</td><td class='base'>$Lang::tr{'vpn subjectaltname'} (subjectAltName=email:*,URI:*,DNS:*,RID:*)<img src='/blob.gif' alt='*' /></td>
2028 <td class='base' nowrap='nowrap'><input type='text' name='SUBJECTALTNAME' value='$cgiparams{'SUBJECTALTNAME'}' size='32' $cakeydisabled /></td></tr>
2029 <tr><td>&nbsp;</td>
2030 <td class='base'>$Lang::tr{'pkcs12 file password'}:</td>
2031 <td class='base' nowrap='nowrap'><input type='password' name='CERT_PASS1' value='$cgiparams{'CERT_PASS1'}' size='32' $cakeydisabled /></td></tr>
2032 <tr><td>&nbsp;</td><td class='base'>$Lang::tr{'pkcs12 file password'}:($Lang::tr{'confirmation'})</td>
2033 <td class='base' nowrap='nowrap'><input type='password' name='CERT_PASS2' value='$cgiparams{'CERT_PASS2'}' size='32' $cakeydisabled /></td></tr>
2034 </table>
2035END
2036 ;
2037 &Header::closebox();
2038 }
2039
2040 print "<div align='center'><input type='submit' name='ACTION' value='$Lang::tr{'save'}' />";
2041 if ($cgiparams{'KEY'}) {
2042 print "<input type='submit' name='ACTION' value='$Lang::tr{'advanced'}' />";
ac1cfefa 2043 }
ed84e8b8
MT		 2044 print "<input type='submit' name='ACTION' value='$Lang::tr{'cancel'}' /></div></form>";
2045 &Header::closebigbox();
2046 &Header::closepage();
2047 exit (0);
2048
ac1cfefa
MT		 2049 VPNCONF_END:
2050}
2051
2052###
2053### Advanced settings
2054###
2055if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) ||
2056 ($cgiparams{'ACTION'} eq $Lang::tr{'save'} && $cgiparams{'ADVANCED'} eq 'yes')) {
2057 &General::readhash("${General::swroot}/vpn/settings", \%vpnsettings);
2058 &General::readhasharray("${General::swroot}/vpn/config", \%confighash);
2059 if (! $confighash{$cgiparams{'KEY'}}) {
2060 $errormessage = $Lang::tr{'invalid key'};
2061 goto ADVANCED_END;
2062 }
2063
2064 if ($cgiparams{'ACTION'} eq $Lang::tr{'save'}) {
ed84e8b8
MT		 2065 # I didn't read any incompatibilities here....
2066 #if ($cgiparams{'VHOST'} eq 'on' && $cgiparams{'COMPRESSION'} eq 'on') {
2067 # $errormessage = $Lang::tr{'cannot enable both nat traversal and compression'};
2068 # goto ADVANCED_ERROR;
2069 #}
ac1cfefa
MT		 2070 my @temp = split('\|', $cgiparams{'IKE_ENCRYPTION'});
2071 if ($#temp < 0) {
2072 $errormessage = $Lang::tr{'invalid input'};
2073 goto ADVANCED_ERROR;
2074 }
2075 foreach my $val (@temp) {
2076 if ($val !~ /^(aes256|aes128|3des|twofish256|twofish128|serpent256|serpent128|blowfish256|blowfish128|cast128)$/) {
2077 $errormessage = $Lang::tr{'invalid input'};
2078 goto ADVANCED_ERROR;
2079 }
2080 }
2081 @temp = split('\|', $cgiparams{'IKE_INTEGRITY'});
2082 if ($#temp < 0) {
2083 $errormessage = $Lang::tr{'invalid input'};
2084 goto ADVANCED_ERROR;
2085 }
2086 foreach my $val (@temp) {
2087 if ($val !~ /^(sha2_512|sha2_256|sha|md5)$/) {
2088 $errormessage = $Lang::tr{'invalid input'};
2089 goto ADVANCED_ERROR;
2090 }
2091 }
2092 @temp = split('\|', $cgiparams{'IKE_GROUPTYPE'});
2093 if ($#temp < 0) {
2094 $errormessage = $Lang::tr{'invalid input'};
2095 goto ADVANCED_ERROR;
2096 }
2097 foreach my $val (@temp) {
2098 if ($val !~ /^(768|1024|1536|2048|3072|4096|6144|8192)$/) {
2099 $errormessage = $Lang::tr{'invalid input'};
2100 goto ADVANCED_ERROR;
2101 }
2102 }
2103 if ($cgiparams{'IKE_LIFETIME'} !~ /^\d+$/) {
2104 $errormessage = $Lang::tr{'invalid input for ike lifetime'};
2105 goto ADVANCED_ERROR;
2106 }
2107 if ($cgiparams{'IKE_LIFETIME'} < 1 || $cgiparams{'IKE_LIFETIME'} > 8) {
2108 $errormessage = $Lang::tr{'ike lifetime should be between 1 and 8 hours'};
2109 goto ADVANCED_ERROR;
2110 }
2111 @temp = split('\|', $cgiparams{'ESP_ENCRYPTION'});
2112 if ($#temp < 0) {
2113 $errormessage = $Lang::tr{'invalid input'};
2114 goto ADVANCED_ERROR;
2115 }
2116 foreach my $val (@temp) {
2117 if ($val !~ /^(aes256|aes128|3des|twofish256|twofish128|serpent256|serpent128|blowfish256|blowfish128)$/) {
2118 $errormessage = $Lang::tr{'invalid input'};
2119 goto ADVANCED_ERROR;
2120 }
2121 }
2122 @temp = split('\|', $cgiparams{'ESP_INTEGRITY'});
2123 if ($#temp < 0) {
2124 $errormessage = $Lang::tr{'invalid input'};
2125 goto ADVANCED_ERROR;
2126 }
2127 foreach my $val (@temp) {
2128 if ($val !~ /^(sha2_512|sha2_256|sha1|md5)$/) {
2129 $errormessage = $Lang::tr{'invalid input'};
2130 goto ADVANCED_ERROR;
2131 }
2132 }
2133 if ($cgiparams{'ESP_GROUPTYPE'} ne '' &&
2134 $cgiparams{'ESP_GROUPTYPE'} !~ /^modp(768|1024|1536|2048|3072|4096)$/) {
2135 $errormessage = $Lang::tr{'invalid input'};
2136 goto ADVANCED_ERROR;
2137 }
2138
2139 if ($cgiparams{'ESP_KEYLIFE'} !~ /^\d+$/) {
2140 $errormessage = $Lang::tr{'invalid input for esp keylife'};
2141 goto ADVANCED_ERROR;
2142 }
2143 if ($cgiparams{'ESP_KEYLIFE'} < 1 || $cgiparams{'ESP_KEYLIFE'} > 24) {
2144 $errormessage = $Lang::tr{'esp keylife should be between 1 and 24 hours'};
2145 goto ADVANCED_ERROR;
2146 }
ed84e8b8
MT		 2147
2148 if (
2149 ($cgiparams{'AGGRMODE'} !~ /^(|on|off)$/) ||
2150 ($cgiparams{'COMPRESSION'} !~ /^(|on|off)$/) ||
2151 ($cgiparams{'ONLY_PROPOSED'} !~ /^(|on|off)$/) ||
2152 ($cgiparams{'PFS'} !~ /^(|on|off)$/) ||
2153 ($cgiparams{'VHOST'} !~ /^(|on|off)$/)
2154 ){
ac1cfefa
MT		 2155 $errormessage = $Lang::tr{'invalid input'};
2156 goto ADVANCED_ERROR;
2157 }
ed84e8b8 2158
ac1cfefa
MT		 2159 $confighash{$cgiparams{'KEY'}}[18] = $cgiparams{'IKE_ENCRYPTION'};
2160 $confighash{$cgiparams{'KEY'}}[19] = $cgiparams{'IKE_INTEGRITY'};
2161 $confighash{$cgiparams{'KEY'}}[20] = $cgiparams{'IKE_GROUPTYPE'};
2162 $confighash{$cgiparams{'KEY'}}[16] = $cgiparams{'IKE_LIFETIME'};
2163 $confighash{$cgiparams{'KEY'}}[21] = $cgiparams{'ESP_ENCRYPTION'};
2164 $confighash{$cgiparams{'KEY'}}[22] = $cgiparams{'ESP_INTEGRITY'};
2165 $confighash{$cgiparams{'KEY'}}[23] = $cgiparams{'ESP_GROUPTYPE'};
2166 $confighash{$cgiparams{'KEY'}}[17] = $cgiparams{'ESP_KEYLIFE'};
ed84e8b8
MT		 2167 $confighash{$cgiparams{'KEY'}}[12] = $cgiparams{'AGGRMODE'};
2168 $confighash{$cgiparams{'KEY'}}[13] = $cgiparams{'COMPRESSION'};
ac1cfefa 2169 $confighash{$cgiparams{'KEY'}}[24] = $cgiparams{'ONLY_PROPOSED'};
ed84e8b8
MT		 2170 $confighash{$cgiparams{'KEY'}}[28] = $cgiparams{'PFS'};
2171 $confighash{$cgiparams{'KEY'}}[14] = $cgiparams{'VHOST'};
ac1cfefa
MT		 2172 &General::writehasharray("${General::swroot}/vpn/config", \%confighash);
2173 &writeipsecfiles();
ed84e8b8 2174 if (&vpnenabled) {
ac1cfefa
MT		 2175 system('/usr/local/bin/ipsecctrl', 'S', $cgiparams{'KEY'});
2176 sleep $sleepDelay;
2177 }
2178 goto ADVANCED_END;
2179 } else {
ac1cfefa
MT		 2180 $cgiparams{'IKE_ENCRYPTION'} = $confighash{$cgiparams{'KEY'}}[18];
2181 $cgiparams{'IKE_INTEGRITY'} = $confighash{$cgiparams{'KEY'}}[19];
2182 $cgiparams{'IKE_GROUPTYPE'} = $confighash{$cgiparams{'KEY'}}[20];
2183 $cgiparams{'IKE_LIFETIME'} = $confighash{$cgiparams{'KEY'}}[16];
2184 $cgiparams{'ESP_ENCRYPTION'} = $confighash{$cgiparams{'KEY'}}[21];
2185 $cgiparams{'ESP_INTEGRITY'} = $confighash{$cgiparams{'KEY'}}[22];
2186 $cgiparams{'ESP_GROUPTYPE'} = $confighash{$cgiparams{'KEY'}}[23];
2187 $cgiparams{'ESP_KEYLIFE'} = $confighash{$cgiparams{'KEY'}}[17];
ed84e8b8
MT		 2188 $cgiparams{'AGGRMODE'} = $confighash{$cgiparams{'KEY'}}[12];
2189 $cgiparams{'COMPRESSION'} = $confighash{$cgiparams{'KEY'}}[13];
ac1cfefa 2190 $cgiparams{'ONLY_PROPOSED'} = $confighash{$cgiparams{'KEY'}}[24];
ed84e8b8
MT		 2191 $cgiparams{'PFS'} = $confighash{$cgiparams{'KEY'}}[28];
2192 $cgiparams{'VHOST'} = $confighash{$cgiparams{'KEY'}}[14];
2193
ac1cfefa 2194 if ($confighash{$cgiparams{'KEY'}}[3] eq 'net' || $confighash{$cgiparams{'KEY'}}[10]) {
ed84e8b8 2195 $cgiparams{'VHOST'} = 'off';
ac1cfefa
MT		 2196 }
2197 }
2198
2199 ADVANCED_ERROR:
ac1cfefa
MT		 2200 $checked{'IKE_ENCRYPTION'}{'aes256'} = '';
2201 $checked{'IKE_ENCRYPTION'}{'aes128'} = '';
2202 $checked{'IKE_ENCRYPTION'}{'3des'} = '';
2203 $checked{'IKE_ENCRYPTION'}{'twofish256'} = '';
2204 $checked{'IKE_ENCRYPTION'}{'twofish128'} = '';
2205 $checked{'IKE_ENCRYPTION'}{'serpent256'} = '';
2206 $checked{'IKE_ENCRYPTION'}{'serpent128'} = '';
2207 $checked{'IKE_ENCRYPTION'}{'blowfish256'} = '';
2208 $checked{'IKE_ENCRYPTION'}{'blowfish128'} = '';
2209 $checked{'IKE_ENCRYPTION'}{'cast128'} = '';
2210 my @temp = split('\|', $cgiparams{'IKE_ENCRYPTION'});
2211 foreach my $key (@temp) {$checked{'IKE_ENCRYPTION'}{$key} = "selected='selected'"; }
2212 $checked{'IKE_INTEGRITY'}{'sha2_512'} = '';
2213 $checked{'IKE_INTEGRITY'}{'sha2_256'} = '';
2214 $checked{'IKE_INTEGRITY'}{'sha'} = '';
2215 $checked{'IKE_INTEGRITY'}{'md5'} = '';
2216 @temp = split('\|', $cgiparams{'IKE_INTEGRITY'});
2217 foreach my $key (@temp) {$checked{'IKE_INTEGRITY'}{$key} = "selected='selected'"; }
2218 $checked{'IKE_GROUPTYPE'}{'768'} = '';
2219 $checked{'IKE_GROUPTYPE'}{'1024'} = '';
2220 $checked{'IKE_GROUPTYPE'}{'1536'} = '';
2221 $checked{'IKE_GROUPTYPE'}{'2048'} = '';
2222 $checked{'IKE_GROUPTYPE'}{'3072'} = '';
2223 $checked{'IKE_GROUPTYPE'}{'4096'} = '';
2224 $checked{'IKE_GROUPTYPE'}{'6144'} = '';
2225 $checked{'IKE_GROUPTYPE'}{'8192'} = '';
2226 @temp = split('\|', $cgiparams{'IKE_GROUPTYPE'});
2227 foreach my $key (@temp) {$checked{'IKE_GROUPTYPE'}{$key} = "selected='selected'"; }
2228 $checked{'ESP_ENCRYPTION'}{'aes256'} = '';
2229 $checked{'ESP_ENCRYPTION'}{'aes128'} = '';
2230 $checked{'ESP_ENCRYPTION'}{'3des'} = '';
2231 $checked{'ESP_ENCRYPTION'}{'twofish256'} = '';
2232 $checked{'ESP_ENCRYPTION'}{'twofish128'} = '';
2233 $checked{'ESP_ENCRYPTION'}{'serpent256'} = '';
2234 $checked{'ESP_ENCRYPTION'}{'serpent128'} = '';
2235 $checked{'ESP_ENCRYPTION'}{'blowfish256'} = '';
2236 $checked{'ESP_ENCRYPTION'}{'blowfish128'} = '';
2237 @temp = split('\|', $cgiparams{'ESP_ENCRYPTION'});
2238 foreach my $key (@temp) {$checked{'ESP_ENCRYPTION'}{$key} = "selected='selected'"; }
2239 $checked{'ESP_INTEGRITY'}{'sha2_512'} = '';
2240 $checked{'ESP_INTEGRITY'}{'sha2_256'} = '';
2241 $checked{'ESP_INTEGRITY'}{'sha1'} = '';
2242 $checked{'ESP_INTEGRITY'}{'md5'} = '';
2243 @temp = split('\|', $cgiparams{'ESP_INTEGRITY'});
2244 foreach my $key (@temp) {$checked{'ESP_INTEGRITY'}{$key} = "selected='selected'"; }
2245 $checked{'ESP_GROUPTYPE'}{'modp768'} = '';
2246 $checked{'ESP_GROUPTYPE'}{'modp1024'} = '';
2247 $checked{'ESP_GROUPTYPE'}{'modp1536'} = '';
2248 $checked{'ESP_GROUPTYPE'}{'modp2048'} = '';
2249 $checked{'ESP_GROUPTYPE'}{'modp3072'} = '';
2250 $checked{'ESP_GROUPTYPE'}{'modp4096'} = '';
2251 $checked{'ESP_GROUPTYPE'}{$cgiparams{'ESP_GROUPTYPE'}} = "selected='selected'";
ed84e8b8
MT		 2252
2253 $checked{'AGGRMODE'} = $cgiparams{'AGGRMODE'} eq 'on' ? "checked='checked'" : '' ;
2254 $checked{'COMPRESSION'} = $cgiparams{'COMPRESSION'} eq 'on' ? "checked='checked'" : '' ;
2255 $checked{'ONLY_PROPOSED'} = $cgiparams{'ONLY_PROPOSED'} eq 'on' ? "checked='checked'" : '' ;
2256 $checked{'PFS'} = $cgiparams{'PFS'} eq 'on' ? "checked='checked'" : '' ;
2257 $checked{'VHOST'} = $cgiparams{'VHOST'} eq 'on' ? "checked='checked'" : '' ;
ac1cfefa
MT		 2258
2259 &Header::showhttpheaders();
2260 &Header::openpage($Lang::tr{'vpn configuration main'}, 1, '');
ed84e8b8 2261 &Header::openbigbox('100%', 'left', '', $errormessage);
ac1cfefa
MT		 2262
2263 if ($errormessage) {
ed84e8b8 2264 &Header::openbox('100%', 'left', $Lang::tr{'error messages'});
ac1cfefa
MT		 2265 print "<class name='base'>$errormessage";
2266 print "&nbsp;</class>";
2267 &Header::closebox();
2268 }
2269
2270 if ($warnmessage) {
ed84e8b8 2271 &Header::openbox('100%', 'left', $Lang::tr{'warning messages'});
ac1cfefa
MT		 2272 print "<class name='base'>$warnmessage";
2273 print "&nbsp;</class>";
2274 &Header::closebox();
2275 }
2276
ed84e8b8
MT		 2277 &Header::openbox('100%', 'left', "$Lang::tr{'advanced'}:");
2278 print <<EOF
2279 <form method='post' enctype='multipart/form-data' action='$ENV{'SCRIPT_NAME'}'>
2280 <input type='hidden' name='ADVANCED' value='yes' />
2281 <input type='hidden' name='KEY' value='$cgiparams{'KEY'}' />
ac1cfefa 2282
ed84e8b8
MT		 2283 <table width='100%'>
2284 <tr><td class='boldbase' align='right' valign='top'>$Lang::tr{'ike encryption'}</td><td class='boldbase' valign='top'>
2285 <select name='IKE_ENCRYPTION' multiple='multiple' size='4'>
2286 <option value='aes256' $checked{'IKE_ENCRYPTION'}{'aes256'}>AES (256 bit)</option>
2287 <option value='aes128' $checked{'IKE_ENCRYPTION'}{'aes128'}>AES (128 bit)</option>
2288 <option value='3des' $checked{'IKE_ENCRYPTION'}{'3des'}>3DES</option>
2289 <option value='twofish256' $checked{'IKE_ENCRYPTION'}{'twofish256'}>Twofish (256 bit)</option>
2290 <option value='twofish128' $checked{'IKE_ENCRYPTION'}{'twofish128'}>Twofish (128 bit)</option>
2291 <option value='serpent256' $checked{'IKE_ENCRYPTION'}{'serpent256'}>Serpent (256 bit)</option>
2292 <option value='serpent128' $checked{'IKE_ENCRYPTION'}{'serpent128'}>Serpent (128 bit)</option>
2293 <option value='blowfish256' $checked{'IKE_ENCRYPTION'}{'blowfish256'}>Blowfish (256 bit)</option>
2294 <option value='blowfish128' $checked{'IKE_ENCRYPTION'}{'blowfish128'}>Blowfish (128 bit)</option>
2295 <option value='cast128' $checked{'IKE_ENCRYPTION'}{'cast128'}>Cast (128 bit)</option>
2296 </select></td>
2297
2298 <td class='boldbase' align='right' valign='top'>$Lang::tr{'ike integrity'}</td><td class='boldbase' valign='top'>
2299 <select name='IKE_INTEGRITY' multiple='multiple' size='4'>
2300 <option value='sha2_512' $checked{'IKE_INTEGRITY'}{'sha2_512'}>SHA2 (512)</option>
2301 <option value='sha2_256' $checked{'IKE_INTEGRITY'}{'sha2_256'}>SHA2 (256)</option>
2302 <option value='sha' $checked{'IKE_INTEGRITY'}{'sha'}>SHA</option>
2303 <option value='md5' $checked{'IKE_INTEGRITY'}{'md5'}>MD5</option>
2304 </select></td>
2305
2306 <td class='boldbase' align='right' valign='top'>$Lang::tr{'ike grouptype'}</td><td class='boldbase' valign='top'>
2307 <select name='IKE_GROUPTYPE' multiple='multiple' size='4'>
2308 <option value='8192' $checked{'IKE_GROUPTYPE'}{'8192'}>MODP-8192</option>
2309 <option value='6144' $checked{'IKE_GROUPTYPE'}{'6144'}>MODP-6144</option>
2310 <option value='4096' $checked{'IKE_GROUPTYPE'}{'4096'}>MODP-4096</option>
2311 <option value='3072' $checked{'IKE_GROUPTYPE'}{'3072'}>MODP-3072</option>
2312 <option value='2048' $checked{'IKE_GROUPTYPE'}{'2048'}>MODP-2048</option>
2313 <option value='1536' $checked{'IKE_GROUPTYPE'}{'1536'}>MODP-1536</option>
2314 <option value='1024' $checked{'IKE_GROUPTYPE'}{'1024'}>MODP-1024</option>
2315 <option value='768' $checked{'IKE_GROUPTYPE'}{'768'}>MODP-768</option>
2316 </select></td>
2317 </tr><tr>
2318 <td class='boldbase' align='right' valign='top'>$Lang::tr{'ike lifetime'}</td><td class='boldbase' valign='top'>
2319 <input type='text' name='IKE_LIFETIME' value='$cgiparams{'IKE_LIFETIME'}' size='5' /> $Lang::tr{'hours'}</td>
2320
2321 </tr><tr>
2322 <td colspan='1'><hr /></td>
2323 </tr><tr>
2324 <td class='boldbase' align='right' valign='top'>$Lang::tr{'esp encryption'}</td><td class='boldbase' valign='top'>
2325 <select name='ESP_ENCRYPTION' multiple='multiple' size='4'>
2326 <option value='aes256' $checked{'ESP_ENCRYPTION'}{'aes256'}>AES (256 bit)</option>
2327 <option value='aes128' $checked{'ESP_ENCRYPTION'}{'aes128'}>AES (128 bit)</option>
2328 <option value='3des' $checked{'ESP_ENCRYPTION'}{'3des'}>3DES</option>
2329 <option value='twofish256' $checked{'ESP_ENCRYPTION'}{'twofish256'}>Twofish (256 bit)</option>
2330 <option value='twofish128' $checked{'ESP_ENCRYPTION'}{'twofish128'}>Twofish (128 bit)</option>
2331 <option value='serpent256' $checked{'ESP_ENCRYPTION'}{'serpent256'}>Serpent (256 bit)</option>
2332 <option value='serpent128' $checked{'ESP_ENCRYPTION'}{'serpent128'}>Serpent (128 bit)</option>
2333 <option value='blowfish256' $checked{'ESP_ENCRYPTION'}{'blowfish256'}>Blowfish (256 bit)</option>
2334 <option value='blowfish128' $checked{'ESP_ENCRYPTION'}{'blowfish128'}>Blowfish (128 bit)</option></select></td>
2335
2336 <td class='boldbase' align='right' valign='top'>$Lang::tr{'esp integrity'}</td><td class='boldbase' valign='top'>
2337 <select name='ESP_INTEGRITY' multiple='multiple' size='4'>
2338 <option value='sha2_512' $checked{'ESP_INTEGRITY'}{'sha2_512'}>SHA2 (512)</option>
2339 <option value='sha2_256' $checked{'ESP_INTEGRITY'}{'sha2_256'}>SHA2 (256)</option>
2340 <option value='sha1' $checked{'ESP_INTEGRITY'}{'sha1'}>SHA1</option>
2341 <option value='md5' $checked{'ESP_INTEGRITY'}{'md5'}>MD5</option></select></td>
2342
2343 <td class='boldbase' align='right' valign='top'>$Lang::tr{'esp grouptype'}</td><td class='boldbase' valign='top'>
2344 <select name='ESP_GROUPTYPE'>
2345 <option value=''>$Lang::tr{'phase1 group'}</option>
2346 <option value='modp4096' $checked{'ESP_GROUPTYPE'}{'modp4096'}>MODP-4096</option>
2347 <option value='modp3072' $checked{'ESP_GROUPTYPE'}{'modp3072'}>MODP-3072</option>
2348 <option value='modp2048' $checked{'ESP_GROUPTYPE'}{'modp2048'}>MODP-2048</option>
2349 <option value='modp1536' $checked{'ESP_GROUPTYPE'}{'modp1536'}>MODP-1536</option>
2350 <option value='modp1024' $checked{'ESP_GROUPTYPE'}{'modp1024'}>MODP-1024</option>
2351 <option value='modp768' $checked{'ESP_GROUPTYPE'}{'modp768'}>MODP-768</option></select></td>
2352 </tr><tr>
2353 <td class='boldbase' align='right' valign='top'>$Lang::tr{'esp keylife'}</td><td class='boldbase' valign='top'>
2354 <input type='text' name='ESP_KEYLIFE' value='$cgiparams{'ESP_KEYLIFE'}' size='5' /> $Lang::tr{'hours'}</td>
2355 </tr><tr>
2356 <td colspan='1'><hr /></td>
2357 </tr><tr>
2358 <td colspan='5'><input type='checkbox' name='ONLY_PROPOSED' $checked{'ONLY_PROPOSED'} />
2359 IKE+ESP: $Lang::tr{'use only proposed settings'}</td>
2360 </tr><tr>
2361 <td colspan='5'><input type='checkbox' name='AGGRMODE' $checked{'AGGRMODE'} />
2362 $Lang::tr{'vpn aggrmode'}</td>
2363 </tr><tr>
2364 <td colspan='5'><input type='checkbox' name='PFS' $checked{'PFS'} />
2365 $Lang::tr{'pfs yes no'}</td>
2366 <td align='right'><input type='submit' name='ACTION' value='$Lang::tr{'save'}' /></td>
2367 </tr><tr>
2368 <td colspan='5'><input type='checkbox' name='COMPRESSION' $checked{'COMPRESSION'} />
2369 $Lang::tr{'vpn payload compression'}</td>
2370 <td align='right'><input type='submit' name='ACTION' value='$Lang::tr{'cancel'}' /></td>
2371 </tr>
2372EOF
2373 ;
ac1cfefa 2374 if ($confighash{$cgiparams{'KEY'}}[3] eq 'net') {
ed84e8b8 2375 print "<tr><td><input type='hidden' name='VHOST' value='off' /></td></tr>";
ac1cfefa 2376 } elsif ($confighash{$cgiparams{'KEY'}}[10]) {
ed84e8b8
MT		 2377 print "<tr><td colspan='5'><input type='checkbox' name='VHOST' $checked{'VHOST'} disabled='disabled' />";
2378 print " $Lang::tr{'vpn vhost'}</td></tr>";
ac1cfefa 2379 } else {
ed84e8b8
MT		 2380 print "<tr><td colspan='5'><input type='checkbox' name='VHOST' $checked{'VHOST'} />";
2381 print " $Lang::tr{'vpn vhost'}</td></tr>";
ac1cfefa 2382 }
ed84e8b8
MT		 2383
2384 print "</table></form>";
ac1cfefa 2385 &Header::closebox();
ac1cfefa
MT		 2386 &Header::closebigbox();
2387 &Header::closepage();
2388 exit(0);
2389
2390 ADVANCED_END:
2391}
2392
2393###
2394### Default status page
2395###
2396 %cgiparams = ();
2397 %cahash = ();
2398 %confighash = ();
2399 &General::readhash("${General::swroot}/vpn/settings", \%cgiparams);
2400 &General::readhasharray("${General::swroot}/vpn/caconfig", \%cahash);
2401 &General::readhasharray("${General::swroot}/vpn/config", \%confighash);
ed84e8b8 2402 $cgiparams{'CA_NAME'} = '';
ac1cfefa
MT		 2403
2404 my @status = `/usr/sbin/ipsec auto --status`;
2405
2406 # suggest a default name for this side
2407 if ($cgiparams{'VPN_IP'} eq '' && -e "${General::swroot}/red/active") {
2408 if (open(IPADDR, "${General::swroot}/red/local-ipaddress")) {
2409 my $ipaddr = <IPADDR>;
2410 close IPADDR;
2411 chomp ($ipaddr);
2412 $cgiparams{'VPN_IP'} = (gethostbyaddr(pack("C4", split(/\./, $ipaddr)), 2))[0];
2413 if ($cgiparams{'VPN_IP'} eq '') {
2414 $cgiparams{'VPN_IP'} = $ipaddr;
2415 }
2416 }
2417 }
2418 # no IP found, use %defaultroute
2419 $cgiparams{'VPN_IP'} ='%defaultroute' if ($cgiparams{'VPN_IP'} eq '');
2420
2421 $cgiparams{'VPN_DELAYED_START'} = 0 if (! defined ($cgiparams{'VPN_DELAYED_START'}));
ed84e8b8 2422 $checked{'VPN_WATCH'} = $cgiparams{'VPN_WATCH'} eq 'on' ? "checked='checked'" : '' ;
ac1cfefa 2423 map ($checked{$_} = $cgiparams{$_} eq 'on' ? "checked='checked'" : '',
5fd30232 2424 ('ENABLED','DBG_CRYPT','DBG_PARSING','DBG_EMITTING','DBG_CONTROL',
ac1cfefa
MT		 2425 'DBG_KLIPS','DBG_DNS','DBG_NAT_T'));
2426
2427
2428 &Header::showhttpheaders();
2429 &Header::openpage($Lang::tr{'vpn configuration main'}, 1, '');
ed84e8b8 2430 &Header::openbigbox('100%', 'left', '', $errormessage);
ac1cfefa
MT		 2431
2432 if ($errormessage) {
ed84e8b8 2433 &Header::openbox('100%', 'left', $Lang::tr{'error messages'});
ac1cfefa
MT		 2434 print "<class name='base'>$errormessage\n";
2435 print "&nbsp;</class>\n";
2436 &Header::closebox();
2437 }
2438
ed84e8b8 2439 &Header::openbox('100%', 'left', $Lang::tr{'global settings'});
ac1cfefa 2440 print <<END
ed84e8b8 2441 <form method='post' action='$ENV{'SCRIPT_NAME'}'>
ac1cfefa
MT		 2442 <table width='100%'>
2443 <tr>
5fd30232 2444 <td width='20%' class='base' nowrap='nowrap'>$Lang::tr{'vpn red name'}:</td>
ed84e8b8
MT		 2445 <td width='20%'><input type='text' name='VPN_IP' value='$cgiparams{'VPN_IP'}' /></td>
2446 <td width='20%' class='base'>$Lang::tr{'enabled'}<input type='checkbox' name='ENABLED' $checked{'ENABLED'} /></td>
ac1cfefa
MT		 2447 </tr>
2448END
2449 ;
ac1cfefa
MT		 2450 print <<END
2451 <tr>
ed84e8b8
MT		 2452 <td class='base' nowrap='nowrap'>$Lang::tr{'override mtu'}:&nbsp;<img src='/blob.gif' alt='*' /></td>
2453 <td ><input type='text' name='VPN_OVERRIDE_MTU' value='$cgiparams{'VPN_OVERRIDE_MTU'}' /></td>
ac1cfefa
MT		 2454 </tr>
2455END
2456 ;
ac1cfefa 2457print <<END
ed84e8b8
MT		 2458 <tr>
2459 <td class='base' nowrap='nowrap'>$Lang::tr{'vpn delayed start'}:&nbsp;<img src='/blob.gif' alt='*' /><img src='/blob.gif' alt='*' /></td>
2460 <td ><input type='text' name='VPN_DELAYED_START' value='$cgiparams{'VPN_DELAYED_START'}' /></td>
ed84e8b8
MT		 2461 </tr>
2462 </table>
2463<p>$Lang::tr{'vpn watch'}:<input type='checkbox' name='VPN_WATCH' $checked{'VPN_WATCH'} /></p>
2464<p>PLUTO DEBUG&nbsp;=
2465crypt:<input type='checkbox' name='DBG_CRYPT' $checked{'DBG_CRYPT'} />,&nbsp;
2466parsing:<input type='checkbox' name='DBG_PARSING' $checked{'DBG_PARSING'} />,&nbsp;
2467emitting:<input type='checkbox' name='DBG_EMITTING' $checked{'DBG_EMITTING'} />,&nbsp;
2468control:<input type='checkbox' name='DBG_CONTROL' $checked{'DBG_CONTROL'} />,&nbsp;
2469klips:<input type='checkbox' name='DBG_KLIPS' $checked{'DBG_KLIPS'} />,&nbsp;
2470dns:<input type='checkbox' name='DBG_DNS' $checked{'DBG_DNS'} />,&nbsp;
2471nat_t:<input type='checkbox' name='DBG_NAT_T' $checked{'DBG_NAT_T'} /></p>
2472
ac1cfefa
MT		 2473<hr />
2474<table width='100%'>
2475<tr>
2476 <td class='base' valign='top'><img src='/blob.gif' alt='*' /></td>
ed84e8b8
MT		 2477 <td width='70%' class='base' valign='top'>$Lang::tr{'this field may be blank'}</td>
2478</tr>
2479<tr>
2480 <td class='base' valign='top' nowrap='nowrap'><img src='/blob.gif' alt='*' /><img src='/blob.gif' alt='*' />&nbsp;</td>
2481 <td class='base'> <font class='base'>$Lang::tr{'vpn delayed start help'}</font></td>
ac1cfefa
MT		 2482 <td width='30%' align='center' class='base'><input type='submit' name='ACTION' value='$Lang::tr{'save'}' /></td>
2483</tr>
2484</table>
2485END
2486;
2487 print "</form>";
2488 &Header::closebox();
2489
ed84e8b8 2490 &Header::openbox('100%', 'left', $Lang::tr{'connection status and controlc'});
ac1cfefa
MT		 2491 print <<END
2492 <table width='100%' border='0' cellspacing='1' cellpadding='0'>
2493 <tr>
2494 <td width='10%' class='boldbase' align='center'><b>$Lang::tr{'name'}</b></td>
2495 <td width='22%' class='boldbase' align='center'><b>$Lang::tr{'type'}</b></td>
2496 <td width='23%' class='boldbase' align='center'><b>$Lang::tr{'common name'}</b></td>
ed84e8b8 2497 <td width='30%' class='boldbase' align='center'><b>$Lang::tr{'remark'}</b></td>
ac1cfefa 2498 <td width='10%' class='boldbase' align='center'><b>$Lang::tr{'status'}</b></td>
ed84e8b8 2499 <td class='boldbase' align='center' colspan='6'><b>$Lang::tr{'action'}</b></td>
ac1cfefa
MT		 2500 </tr>
2501END
2502 ;
2503 my $id = 0;
2504 my $gif;
2505 foreach my $key (keys %confighash) {
2506 if ($confighash{$key}[0] eq 'on') { $gif = 'on.gif'; } else { $gif = 'off.gif'; }
2507
2508 if ($id % 2) {
2509 print "<tr bgcolor='${Header::table1colour}'>\n";
2510 } else {
2511 print "<tr bgcolor='${Header::table2colour}'>\n";
2512 }
2513 print "<td align='center' nowrap='nowrap'>$confighash{$key}[1]</td>";
2514 print "<td align='center' nowrap='nowrap'>" . $Lang::tr{"$confighash{$key}[3]"} . " (" . $Lang::tr{"$confighash{$key}[4]"} . ")</td>";
ed84e8b8
MT		 2515 if ($confighash{$key}[2] eq '%auth-dn') {
2516 print "<td align='left' nowrap='nowrap'>$confighash{$key}[9]</td>";
2517 } elsif ($confighash{$key}[4] eq 'cert') {
ac1cfefa
MT		 2518 print "<td align='left' nowrap='nowrap'>$confighash{$key}[2]</td>";
2519 } else {
2520 print "<td align='left'>&nbsp;</td>";
2521 }
2522 print "<td align='center'>$confighash{$key}[25]</td>";
5fd30232 2523 # get real state
ac1cfefa 2524 my $active = "<table cellpadding='2' cellspacing='0' bgcolor='${Header::colourred}' width='100%'><tr><td align='center'><b><font color='#FFFFFF'>$Lang::tr{'capsclosed'}</font></b></td></tr></table>";
5fd30232
MT		 2525 foreach my $line (@status) {
2526 if ($line =~ /\"$confighash{$key}[1]\".*IPsec SA established/) {
2527 $active = "<table cellpadding='2' cellspacing='0' bgcolor='${Header::colourgreen}' width='100%'><tr><td align='center'><b><font color='#FFFFFF'>$Lang::tr{'capsopen'}</font></b></td></tr></table>";
ac1cfefa
MT		 2528 }
2529 }
5fd30232
MT		 2530 # move to blueif really down
2531 if ($confighash{$key}[0] eq 'off' && $active =~ /${Header::colourred}/ ) {
a99274b3 2532 $active = "<table cellpadding='2' cellspacing='0' bgcolor='${Header::colourblue}' width='100%'><tr><td align='center'><b><font color='#FFFFFF'>$Lang::tr{'capsinactive'}</font></b></td></tr></table>";
5fd30232 2533 }
ac1cfefa
MT		 2534 print <<END
2535 <td align='center'>$active</td>
ed84e8b8
MT		 2536 <td align='center'>
2537 <form method='post' action='$ENV{'SCRIPT_NAME'}'>
2538 <input type='image' name='$Lang::tr{'restart'}' src='/images/reload.gif' alt='$Lang::tr{'restart'}' title='$Lang::tr{'restart'}' />
ac1cfefa
MT		 2539 <input type='hidden' name='ACTION' value='$Lang::tr{'restart'}' />
2540 <input type='hidden' name='KEY' value='$key' />
ed84e8b8
MT		 2541 </form>
2542 </td>
ac1cfefa
MT		 2543END
2544 ;
ed84e8b8 2545 if (($confighash{$key}[4] eq 'cert') && ($confighash{$key}[2] ne '%auth-dn')) {
ac1cfefa 2546 print <<END
ed84e8b8
MT		 2547 <td align='center'>
2548 <form method='post' action='$ENV{'SCRIPT_NAME'}'>
2549 <input type='image' name='$Lang::tr{'show certificate'}' src='/images/info.gif' alt='$Lang::tr{'show certificate'}' title='$Lang::tr{'show certificate'}' />
ac1cfefa
MT		 2550 <input type='hidden' name='ACTION' value='$Lang::tr{'show certificate'}' />
2551 <input type='hidden' name='KEY' value='$key' />
ed84e8b8
MT		 2552 </form>
2553 </td>
ac1cfefa
MT		 2554END
2555 ; } else {
ed84e8b8 2556 print "<td width='2%'>&nbsp;</td>";
ac1cfefa
MT		 2557 }
2558 if ($confighash{$key}[4] eq 'cert' && -f "${General::swroot}/certs/$confighash{$key}[1].p12") {
2559 print <<END
ed84e8b8
MT		 2560 <td align='center'>
2561 <form method='post' action='$ENV{'SCRIPT_NAME'}'>
2562 <input type='image' name='$Lang::tr{'download pkcs12 file'}' src='/images/floppy.gif' alt='$Lang::tr{'download pkcs12 file'}' title='$Lang::tr{'download pkcs12 file'}' />
ac1cfefa
MT		 2563 <input type='hidden' name='ACTION' value='$Lang::tr{'download pkcs12 file'}' />
2564 <input type='hidden' name='KEY' value='$key' />
ed84e8b8
MT		 2565 </form>
2566 </td>
ac1cfefa 2567END
ed84e8b8 2568 ; } elsif (($confighash{$key}[4] eq 'cert') && ($confighash{$key}[2] ne '%auth-dn')) {
ac1cfefa 2569 print <<END
ed84e8b8
MT		 2570 <td align='center'>
2571 <form method='post' action='$ENV{'SCRIPT_NAME'}'>
2572 <input type='image' name='$Lang::tr{'download certificate'}' src='/images/floppy.gif' alt='$Lang::tr{'download certificate'}' title='$Lang::tr{'download certificate'}' />
ac1cfefa
MT		 2573 <input type='hidden' name='ACTION' value='$Lang::tr{'download certificate'}' />
2574 <input type='hidden' name='KEY' value='$key' />
ed84e8b8
MT		 2575 </form>
2576 </td>
ac1cfefa
MT		 2577END
2578 ; } else {
ed84e8b8 2579 print "<td width='2%'>&nbsp;</td>";
ac1cfefa
MT		 2580 }
2581 print <<END
ed84e8b8
MT		 2582 <td align='center'>
2583 <form method='post' action='$ENV{'SCRIPT_NAME'}'>
2584 <input type='image' name='$Lang::tr{'toggle enable disable'}' src='/images/$gif' alt='$Lang::tr{'toggle enable disable'}' title='$Lang::tr{'toggle enable disable'}' />
ac1cfefa
MT		 2585 <input type='hidden' name='ACTION' value='$Lang::tr{'toggle enable disable'}' />
2586 <input type='hidden' name='KEY' value='$key' />
ed84e8b8
MT		 2587 </form>
2588 </td>
ac1cfefa 2589
ed84e8b8
MT		 2590 <td align='center'>
2591 <form method='post' action='$ENV{'SCRIPT_NAME'}'>
ac1cfefa 2592 <input type='hidden' name='ACTION' value='$Lang::tr{'edit'}' />
ed84e8b8 2593 <input type='image' name='$Lang::tr{'edit'}' src='/images/edit.gif' alt='$Lang::tr{'edit'}' title='$Lang::tr{'edit'}' />
ac1cfefa 2594 <input type='hidden' name='KEY' value='$key' />
ed84e8b8
MT		 2595 </form>
2596 </td>
2597 <td align='center' >
2598 <form method='post' action='$ENV{'SCRIPT_NAME'}'>
ac1cfefa 2599 <input type='hidden' name='ACTION' value='$Lang::tr{'remove'}' />
ed84e8b8 2600 <input type='image' name='$Lang::tr{'remove'}' src='/images/delete.gif' alt='$Lang::tr{'remove'}' title='$Lang::tr{'remove'}' />
ac1cfefa 2601 <input type='hidden' name='KEY' value='$key' />
ed84e8b8
MT		 2602 </form>
2603 </td>
ac1cfefa
MT		 2604 </tr>
2605END
2606 ;
2607 $id++;
2608 }
ed84e8b8 2609 print "</table>";
ac1cfefa
MT		 2610
2611 # If the config file contains entries, print Key to action icons
2612 if ( $id ) {
2613 print <<END
2614 <table>
2615 <tr>
2616 <td class='boldbase'>&nbsp; <b>$Lang::tr{'legend'}:</b></td>
2617 <td>&nbsp; <img src='/images/on.gif' alt='$Lang::tr{'click to disable'}' /></td>
2618 <td class='base'>$Lang::tr{'click to disable'}</td>
2619 <td>&nbsp; &nbsp; <img src='/images/info.gif' alt='$Lang::tr{'show certificate'}' /></td>
2620 <td class='base'>$Lang::tr{'show certificate'}</td>
2621 <td>&nbsp; &nbsp; <img src='/images/edit.gif' alt='$Lang::tr{'edit'}' /></td>
2622 <td class='base'>$Lang::tr{'edit'}</td>
2623 <td>&nbsp; &nbsp; <img src='/images/delete.gif' alt='$Lang::tr{'remove'}' /></td>
2624 <td class='base'>$Lang::tr{'remove'}</td>
2625 </tr>
2626 <tr>
2627 <td>&nbsp; </td>
2628 <td>&nbsp; <img src='/images/off.gif' alt='?OFF' /></td>
2629 <td class='base'>$Lang::tr{'click to enable'}</td>
2630 <td>&nbsp; &nbsp; <img src='/images/floppy.gif' alt='?FLOPPY' /></td>
2631 <td class='base'>$Lang::tr{'download certificate'}</td>
2632 <td>&nbsp; &nbsp; <img src='/images/reload.gif' alt='?RELOAD'/></td>
2633 <td class='base'>$Lang::tr{'restart'}</td>
2634 </tr>
2635 </table>
2636END
2637 ;
2638 }
2639
2640 print <<END
2641 <table width='100%'>
ed84e8b8
MT		 2642 <tr><td align='center' colspan='9'>
2643 <form method='post' action='$ENV{'SCRIPT_NAME'}'>
2644 <input type='submit' name='ACTION' value='$Lang::tr{'add'}' />
2645 </form>
2646 </td></tr>
ac1cfefa
MT		 2647 </table>
2648END
2649 ;
2650 &Header::closebox();
2651
ed84e8b8 2652 &Header::openbox('100%', 'left', "$Lang::tr{'certificate authorities'}:");
ac1cfefa
MT		 2653 print <<EOF
2654 <table width='100%' border='0' cellspacing='1' cellpadding='0'>
2655 <tr>
2656 <td width='25%' class='boldbase' align='center'><b>$Lang::tr{'name'}</b></td>
2657 <td width='65%' class='boldbase' align='center'><b>$Lang::tr{'subject'}</b></td>
2658 <td width='10%' class='boldbase' colspan='3' align='center'><b>$Lang::tr{'action'}</b></td>
2659 </tr>
2660EOF
2661 ;
2662 if (-f "${General::swroot}/ca/cacert.pem") {
ed84e8b8 2663 my $casubject = &Header::cleanhtml(getsubjectfromcert ("${General::swroot}/ca/cacert.pem"));
ac1cfefa
MT		 2664
2665 print <<END
2666 <tr bgcolor='${Header::table2colour}'>
2667 <td class='base'>$Lang::tr{'root certificate'}</td>
2668 <td class='base'>$casubject</td>
ed84e8b8
MT		 2669 <td width='3%' align='center'>
2670 <form method='post' action='$ENV{'SCRIPT_NAME'}'>
ac1cfefa 2671 <input type='hidden' name='ACTION' value='$Lang::tr{'show root certificate'}' />
ed84e8b8
MT		 2672 <input type='image' name='$Lang::tr{'edit'}' src='/images/info.gif' alt='$Lang::tr{'show root certificate'}' title='$Lang::tr{'show root certificate'}' />
2673 </form>
2674 </td>
2675 <td width='3%' align='center'>
2676 <form method='post' action='$ENV{'SCRIPT_NAME'}'>
2677 <input type='image' name='$Lang::tr{'download root certificate'}' src='/images/floppy.gif' alt='$Lang::tr{'download root certificate'}' title='$Lang::tr{'download root certificate'}' />
ac1cfefa 2678 <input type='hidden' name='ACTION' value='$Lang::tr{'download root certificate'}' />
ed84e8b8
MT		 2679 </form>
2680 </td>
ac1cfefa
MT		 2681 <td width='4%'>&nbsp;</td></tr>
2682END
2683 ;
2684 } else {
2685 # display rootcert generation buttons
2686 print <<END
2687 <tr bgcolor='${Header::table2colour}'>
2688 <td class='base'>$Lang::tr{'root certificate'}:</td>
2689 <td class='base'>$Lang::tr{'not present'}</td>
2690 <td colspan='3'>&nbsp;</td></tr>
2691END
2692 ;
2693 }
2694
2695 if (-f "${General::swroot}/certs/hostcert.pem") {
ed84e8b8 2696 my $hostsubject = &Header::cleanhtml(getsubjectfromcert ("${General::swroot}/certs/hostcert.pem"));
ac1cfefa
MT		 2697
2698 print <<END
2699 <tr bgcolor='${Header::table1colour}'>
2700 <td class='base'>$Lang::tr{'host certificate'}</td>
2701 <td class='base'>$hostsubject</td>
ed84e8b8
MT		 2702 <td width='3%' align='center'>
2703 <form method='post' action='$ENV{'SCRIPT_NAME'}'>
ac1cfefa 2704 <input type='hidden' name='ACTION' value='$Lang::tr{'show host certificate'}' />
ed84e8b8
MT		 2705 <input type='image' name='$Lang::tr{'show host certificate'}' src='/images/info.gif' alt='$Lang::tr{'show host certificate'}' title='$Lang::tr{'show host certificate'}' />
2706 </form>
2707 </td>
2708 <td width='3%' align='center'>
2709 <form method='post' action='$ENV{'SCRIPT_NAME'}'>
2710 <input type='image' name='$Lang::tr{'download host certificate'}' src='/images/floppy.gif' alt='$Lang::tr{'download host certificate'}' title='$Lang::tr{'download host certificate'}' />
ac1cfefa 2711 <input type='hidden' name='ACTION' value='$Lang::tr{'download host certificate'}' />
ed84e8b8
MT		 2712 </form>
2713 </td>
ac1cfefa
MT		 2714 <td width='4%'>&nbsp;</td></tr>
2715END
2716 ;
2717 } else {
2718 # Nothing
2719 print <<END
2720 <tr bgcolor='${Header::table1colour}'>
2721 <td width='25%' class='base'>$Lang::tr{'host certificate'}:</td>
2722 <td class='base'>$Lang::tr{'not present'}</td>
ed84e8b8 2723 <td colspan='3'>&nbsp;</td></tr>
ac1cfefa
MT		 2724END
2725 ;
2726 }
5fd30232
MT		 2727
2728 my $rowcolor = 0;
ac1cfefa 2729 if (keys %cahash > 0) {
5fd30232
MT		 2730 foreach my $key (keys %cahash) {
2731 if ($rowcolor++ % 2) {
2732 print "<tr bgcolor='${Header::table1colour}'>\n";
2733 } else {
2734 print "<tr bgcolor='${Header::table2colour}'>\n";
2735 }
ac1cfefa
MT		 2736 print "<td class='base'>$cahash{$key}[0]</td>\n";
2737 print "<td class='base'>$cahash{$key}[1]</td>\n";
2738 print <<END
ed84e8b8
MT		 2739 <td align='center'>
2740 <form method='post' name='cafrm${key}a' action='$ENV{'SCRIPT_NAME'}'>
2741 <input type='image' name='$Lang::tr{'show ca certificate'}' src='/images/info.gif' alt='$Lang::tr{'show ca certificate'}' title='$Lang::tr{'show ca certificate'}' />
ac1cfefa
MT		 2742 <input type='hidden' name='ACTION' value='$Lang::tr{'show ca certificate'}' />
2743 <input type='hidden' name='KEY' value='$key' />
ed84e8b8
MT		 2744 </form>
2745 </td>
2746 <td align='center'>
2747 <form method='post' name='cafrm${key}b' action='$ENV{'SCRIPT_NAME'}'>
2748 <input type='image' name='$Lang::tr{'download ca certificate'}' src='/images/floppy.gif' alt='$Lang::tr{'download ca certificate'}' title='$Lang::tr{'download ca certificate'}' />
ac1cfefa
MT		 2749 <input type='hidden' name='ACTION' value='$Lang::tr{'download ca certificate'}' />
2750 <input type='hidden' name='KEY' value='$key' />
ed84e8b8
MT		 2751 </form>
2752 </td>
2753 <td align='center'>
2754 <form method='post' name='cafrm${key}c' action='$ENV{'SCRIPT_NAME'}'>
ac1cfefa 2755 <input type='hidden' name='ACTION' value='$Lang::tr{'remove ca certificate'}' />
ed84e8b8 2756 <input type='image' name='$Lang::tr{'remove ca certificate'}' src='/images/delete.gif' alt='$Lang::tr{'remove ca certificate'}' title='$Lang::tr{'remove ca certificate'}' />
ac1cfefa 2757 <input type='hidden' name='KEY' value='$key' />
ed84e8b8
MT		 2758 </form>
2759 </td>
2760 </tr>
ac1cfefa
MT		 2761END
2762 ;
2763 }
2764 }
ac1cfefa
MT		 2765 print "</table>";
2766
2767 # If the file contains entries, print Key to action icons
2768 if ( -f "${General::swroot}/ca/cacert.pem") {
ed84e8b8
MT		 2769 print <<END
2770 <table><tr>
ac1cfefa
MT		 2771 <td class='boldbase'>&nbsp; <b>$Lang::tr{'legend'}:</b></td>
2772 <td>&nbsp; &nbsp; <img src='/images/info.gif' alt='$Lang::tr{'show certificate'}' /></td>
2773 <td class='base'>$Lang::tr{'show certificate'}</td>
2774 <td>&nbsp; &nbsp; <img src='/images/floppy.gif' alt='$Lang::tr{'download certificate'}' /></td>
2775 <td class='base'>$Lang::tr{'download certificate'}</td>
ed84e8b8 2776 </tr></table>
ac1cfefa 2777END
ed84e8b8 2778 ;
ac1cfefa 2779 }
ed84e8b8 2780 my $createCA = -f "${General::swroot}/ca/cacert.pem" ? '' : "<tr><td colspan='3'></td><td><input type='submit' name='ACTION' value='$Lang::tr{'generate root/host certificates'}' /></td></tr>";
ac1cfefa 2781 print <<END
ed84e8b8
MT		 2782 <hr />
2783 <form method='post' enctype='multipart/form-data' action='$ENV{'SCRIPT_NAME'}'>
ac1cfefa 2784 <table width='100%' border='0' cellspacing='1' cellpadding='0'>
ed84e8b8
MT		 2785 $createCA
2786 <tr>
2787 <td class='base' nowrap='nowrap'>$Lang::tr{'ca name'}:</td>
2788 <td nowrap='nowrap'><input type='text' name='CA_NAME' value='$cgiparams{'CA_NAME'}' size='15' /> </td>
2789 <td nowrap='nowrap'><input type='file' name='FH' size='30' /></td>
2790 <td nowrap='nowrap'><input type='submit' name='ACTION' value='$Lang::tr{'upload ca certificate'}' /></td>
2791 </tr>
2792 <tr>
2793 <td colspan='3'>$Lang::tr{'resetting the vpn configuration will remove the root ca, the host certificate and all certificate based connections'}:</td>
2794 <td><input type='submit' name='ACTION' value='$Lang::tr{'remove x509'}' /></td>
2795 </tr>
2796 </table>
2797 </form>
ac1cfefa
MT		 2798END
2799 ;
2800 &Header::closebox();
ac1cfefa
MT		 2801 &Header::closebigbox();
2802 &Header::closepage();
Timo's tree of IPFire 2.x