]> git.ipfire.org Git - people/teissler/ipfire-2.x.git/blame - html/cgi-bin/vpnmain.cgi
projects / people / teissler / ipfire-2.x.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
immernoch das alte Problem...
[people/teissler/ipfire-2.x.git] / html / cgi-bin / vpnmain.cgi
CommitLineData
cd1a2927
MT		 1#!/usr/bin/perl\r
2#\r
3# This file is part of the IPCop Firewall.\r
4#\r
5# IPCop is free software; you can redistribute it and/or modify\r
6# it under the terms of the GNU General Public License as published by\r
7# the Free Software Foundation; either version 2 of the License, or\r
8# (at your option) any later version.\r
9#\r
10# IPCop is distributed in the hope that it will be useful,\r
11# but WITHOUT ANY WARRANTY; without even the implied warranty of\r
12# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\r
13# GNU General Public License for more details.\r
14#\r
15# You should have received a copy of the GNU General Public License\r
16# along with IPCop; if not, write to the Free Software\r
17# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA\r
18#\r
19# Copyright (C) 2003-05-25 Mark Wormgoor <mark@wormgoor.com>\r
20#\r
21# $Id: vpnmain.cgi,v 1.10.2.69 2006/01/31 02:07:19 franck78 Exp $\r
22#\r
23\r
24use Net::DNS;\r
25use File::Copy;\r
26use File::Temp qw/ tempfile tempdir /;\r
27use strict;\r
28\r
29# enable only the following on debugging purpose\r
30#use warnings;\r
31#use CGI::Carp 'fatalsToBrowser';\r
32\r
33require 'CONFIG_ROOT/general-functions.pl';\r
34require "${General::swroot}/lang.pl";\r
35require "${General::swroot}/header.pl";\r
36\r
37require "${General::swroot}/countries.pl";\r
38\r
39#workaround to suppress a warning when a variable is used only once\r
40my @dummy = ( ${Header::colourgreen} );\r
41undef (@dummy);\r
42\r
43###\r
44### Initialize variables\r
45###\r
46my $sleepDelay = '4s'; # after a call to ipsecctrl S or R, wait this delay (seconds) before reading status\r
47 # (let the ipsec do its job)\r
48my %netsettings=();\r
49my %cgiparams=();\r
50my %vpnsettings=();\r
51my %checked=();\r
52my %confighash=();\r
53my %cahash=();\r
54my %selected=();\r
55my $warnmessage = '';\r
56my $errormessage = '';\r
57&General::readhash("${General::swroot}/ethernet/settings", \%netsettings);\r
58$cgiparams{'ENABLED'} = 'off';\r
59$cgiparams{'ENABLED_BLUE'} = 'off';\r
60$cgiparams{'EDIT_ADVANCED'} = 'off';\r
61$cgiparams{'NAT'} = 'off';\r
62$cgiparams{'COMPRESSION'} = 'off';\r
63$cgiparams{'ONLY_PROPOSED'} = 'off';\r
64$cgiparams{'ACTION'} = '';\r
65$cgiparams{'CA_NAME'} = '';\r
66$cgiparams{'DBG_CRYPT'} = '';\r
67$cgiparams{'DBG_PARSING'} = '';\r
68$cgiparams{'DBG_EMITTING'} = '';\r
69$cgiparams{'DBG_CONTROL'} = '';\r
70$cgiparams{'DBG_KLIPS'} = '';\r
71$cgiparams{'DBG_DNS'} = '';\r
72$cgiparams{'DBG_NAT_T'} = '';\r
73\r
74&Header::getcgihash(\%cgiparams, {'wantfile' => 1, 'filevar' => 'FH'});\r
75\r
76###\r
77### Useful functions\r
78###\r
79sub valid_dns_host {\r
80 my $hostname = $_[0];\r
81 unless ($hostname) { return "No hostname"};\r
82 my $res = new Net::DNS::Resolver;\r
83 my $query = $res->search("$hostname");\r
84 if ($query) {\r
85 foreach my $rr ($query->answer) {\r
86 ## Potential bug - we are only looking at A records:\r
87 return 0 if $rr->type eq "A";\r
88 }\r
89 } else {\r
90 return $res->errorstring;\r
91 }\r
92}\r
93\r
94#\r
95# old version: maintain serial number to one, without explication. \r
96# this : let the counter go, so that each cert is numbered.\r
97#\r
98sub cleanssldatabase\r
99{\r
100 if (open(FILE, ">${General::swroot}/certs/serial")) {\r
101 print FILE "01";\r
102 close FILE;\r
103 }\r
104 if (open(FILE, ">${General::swroot}/certs/index.txt")) {\r
105 print FILE "";\r
106 close FILE;\r
107 }\r
108 unlink ("${General::swroot}/certs/index.txt.old");\r
109 unlink ("${General::swroot}/certs/serial.old");\r
110 unlink ("${General::swroot}/certs/01.pem");\r
111}\r
112sub newcleanssldatabase\r
113{\r
114 if (! -s "${General::swroot}/certs/serial" ) {\r
115 open(FILE, ">${General::swroot}/certs/serial");\r
116 print FILE "01";\r
117 close FILE;\r
118 }\r
119 if (! -s ">${General::swroot}/certs/index.txt") {\r
120 system ("touch ${General::swroot}/certs/index.txt");\r
121 }\r
122 unlink ("${General::swroot}/certs/index.txt.old");\r
123 unlink ("${General::swroot}/certs/serial.old");\r
124# unlink ("${General::swroot}/certs/01.pem"); numbering evolves. Wrong place to delete\r
125}\r
126 \r
127sub writeipsecfiles {\r
128 my %lconfighash = ();\r
129 my %lvpnsettings = ();\r
130 &General::readhasharray("${General::swroot}/vpn/config", \%lconfighash);\r
131 &General::readhash("${General::swroot}/vpn/settings", \%lvpnsettings);\r
132\r
133 open(CONF, ">${General::swroot}/vpn/ipsec.conf") or die "Unable to open ${General::swroot}/vpn/ipsec.conf: $!";\r
134 open(SECRETS, ">${General::swroot}/vpn/ipsec.secrets") or die "Unable to open ${General::swroot}/vpn/ipsec.secrets: $!";\r
135 flock CONF, 2;\r
136 flock SECRETS, 2;\r
137 print CONF "config setup\n";\r
138 if ($lvpnsettings{'ENABLED_BLUE'} eq 'on')\r
139 {\r
140 if ($lvpnsettings{'ENABLED'} eq 'on')\r
141 {\r
142 print CONF "\tinterfaces=\"%defaultroute ipsec1=$netsettings{'BLUE_DEV'}\"\n";\r
143 } else {\r
144 print CONF "\tinterfaces=ipsec0=$netsettings{'BLUE_DEV'}\n";\r
145 }\r
146 } else {\r
147 print CONF "\tinterfaces=%defaultroute\n";\r
148 }\r
149 \r
150 my $plutodebug = ''; # build debug list\r
151 map ($plutodebug .= $lvpnsettings{$_} eq 'on' ? lc (substr($_,4)).' ' : '',\r
152 ('DBG_CRYPT','DBG_PARSING','DBG_EMITTING','DBG_CONTROL',\r
153 'DBG_KLIPS','DBG_DNS','DBG_NAT_T'));\r
154 $plutodebug = 'none' if $plutodebug eq ''; # if nothing selected, use 'none'.\r
155 print CONF "\tklipsdebug=none\n";\r
156 print CONF "\tplutodebug=\"$plutodebug\"\n";\r
157 print CONF "\tplutoload=%search\n";\r
158 print CONF "\tplutostart=%search\n";\r
159 print CONF "\tuniqueids=yes\n";\r
160 print CONF "\tnat_traversal=yes\n";\r
161 print CONF "\toverridemtu=$lvpnsettings{'VPN_OVERRIDE_MTU'}\n" if ($lvpnsettings{'VPN_OVERRIDE_MTU'} ne '');\r
162 print CONF "\tvirtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16";\r
163 print CONF ",%v4:!$netsettings{'GREEN_NETADDRESS'}/$netsettings{'GREEN_NETMASK'}";\r
164 if (length($netsettings{'ORANGE_DEV'}) > 2) {\r
165 print CONF ",%v4:!$netsettings{'ORANGE_NETADDRESS'}/$netsettings{'ORANGE_NETMASK'}";\r
166 }\r
167 if (length($netsettings{'BLUE_DEV'}) > 2) {\r
168 print CONF ",%v4:!$netsettings{'BLUE_NETADDRESS'}/$netsettings{'BLUE_NETMASK'}";\r
169 }\r
170 foreach my $key (keys %lconfighash) {\r
171 if ($lconfighash{$key}[3] eq 'net') {\r
172 print CONF ",%v4:!$lconfighash{$key}[11]";\r
173 }\r
174 }\r
175 print CONF "\n\n";\r
176 print CONF "conn %default\n";\r
177 print CONF "\tkeyingtries=0\n";\r
178 print CONF "\tdisablearrivalcheck=no\n";\r
179 print CONF "\n";\r
180\r
181 if (-f "${General::swroot}/certs/hostkey.pem") {\r
182 print SECRETS ": RSA ${General::swroot}/certs/hostkey.pem\n"\r
183 }\r
184\r
185 foreach my $key (keys %lconfighash) {\r
186 if ($lconfighash{$key}[0] eq 'on') {\r
187 if ($lconfighash{$key}[10] eq '') { $lconfighash{$key}[10] = '%any'; }\r
188\r
189 print CONF "conn $lconfighash{$key}[1]\n";\r
190 #always choose LEFT localside for roadwarrior\r
191 if ($lconfighash{$key}[3] eq 'host' || $lconfighash{$key}[6] eq 'left') {\r
192 if ($lconfighash{$key}[26] eq 'BLUE')\r
193 {\r
194 print CONF "\tleft=$netsettings{'BLUE_ADDRESS'}\n";\r
195# print CONF "\tleftnexthop=$netsettings{'BLUE_NETADDRESS'}\n";\r
196 } \r
197 elsif ($lconfighash{$key}[26] eq 'ORANGE')\r
198 {\r
199 print CONF "\tleft=$netsettings{'ORANGE_ADDRESS'}\n";\r
200 } \r
201 elsif ($lconfighash{$key}[26] eq 'GREEN')\r
202 {\r
203 print CONF "\tleft=$netsettings{'GREEN_ADDRESS'}\n";\r
204 } \r
205 elsif ($lconfighash{$key}[26] eq 'RED')\r
206 {\r
207 print CONF "\tleft=$lvpnsettings{'VPN_IP'}\n";\r
208 print CONF "\tleftnexthop=%defaultroute\n" if ($lvpnsettings{'VPN_IP'} ne '%defaultroute');\r
209 }\r
210 print CONF "\tleftsubnet=$lconfighash{$key}[8]\n";\r
211 print CONF "\tright=$lconfighash{$key}[10]\n";\r
212 if ($lconfighash{$key}[3] eq 'net') {\r
213 print CONF "\trightsubnet=$lconfighash{$key}[11]\n";\r
214 print CONF "\trightnexthop=%defaultroute\n";\r
215 } elsif ($lconfighash{$key}[10] eq '%any' && $lconfighash{$key}[14] eq 'on') {\r
216 print CONF "\trightsubnet=vhost:%no,%priv\n";\r
217 }\r
218 if ($lconfighash{$key}[4] eq 'cert') {\r
219 print CONF "\tleftcert=${General::swroot}/certs/hostcert.pem\n";\r
220 print CONF "\trightcert=${General::swroot}/certs/$lconfighash{$key}[1]cert.pem\n";\r
221 }\r
222 } else {\r
223 print CONF "\tright=$lvpnsettings{'VPN_IP'}\n";\r
224 print CONF "\trightsubnet=$lconfighash{$key}[8]\n";\r
225 print CONF "\trightnexthop=%defaultroute\n" if ($lvpnsettings{'VPN_IP'} ne '%defaultroute');\r
226 print CONF "\tleft=$lconfighash{$key}[10]\n";\r
227 if ($lconfighash{$key}[3] eq 'net') {\r
228 print CONF "\tleftsubnet=$lconfighash{$key}[11]\n";\r
229 print CONF "\tleftnexthop=%defaultroute\n";\r
230 }\r
231 if ($lconfighash{$key}[4] eq 'cert') {\r
232 print CONF "\trightcert=${General::swroot}/certs/hostcert.pem\n";\r
233 print CONF "\tleftcert=${General::swroot}/certs/$lconfighash{$key}[1]cert.pem\n";\r
234 }\r
235 }\r
236 print CONF "\tleftid=$lconfighash{$key}[7]\n" if ($lconfighash{$key}[7]);\r
237 print CONF "\trightid=$lconfighash{$key}[9]\n" if ($lconfighash{$key}[9]);\r
238\r
239 # Algorithms\r
240 if ($lconfighash{$key}[18] && $lconfighash{$key}[19] && $lconfighash{$key}[20]) {\r
241 print CONF "\tike=";\r
242 my @encs = split('\|', $lconfighash{$key}[18]);\r
243 my @ints = split('\|', $lconfighash{$key}[19]);\r
244 my @groups = split('\|', $lconfighash{$key}[20]);\r
245 my $comma = 0;\r
246 foreach my $i (@encs) {\r
247 foreach my $j (@ints) {\r
248 foreach my $k (@groups) {\r
249 if ($comma != 0) { print CONF ","; } else { $comma = 1; }\r
250 print CONF "$i-$j-modp$k";\r
251 }\r
252 }\r
253 }\r
254 if ($lconfighash{$key}[24] eq 'on') {\r
255 print CONF "!\n";\r
256 } else {\r
257 print CONF "\n";\r
258 }\r
259 }\r
260 if ($lconfighash{$key}[21] && $lconfighash{$key}[22]) {\r
261 print CONF "\tesp=";\r
262 my @encs = split('\|', $lconfighash{$key}[21]);\r
263 my @ints = split('\|', $lconfighash{$key}[22]);\r
264 my $comma = 0;\r
265 foreach my $i (@encs) {\r
266 foreach my $j (@ints) {\r
267 if ($comma != 0) { print CONF ","; } else { $comma = 1; }\r
268 print CONF "$i-$j";\r
269 }\r
270 }\r
271 if ($lconfighash{$key}[24] eq 'on') {\r
272 print CONF "!\n";\r
273 } else {\r
274 print CONF "\n";\r
275 }\r
276 }\r
277 if ($lconfighash{$key}[23]) {\r
278 print CONF "\tpfsgroup=$lconfighash{$key}[23]\n";\r
279 }\r
280\r
281 # Lifetimes\r
282 if ($lconfighash{$key}[16]) {\r
283 print CONF "\tikelifetime=$lconfighash{$key}[16]h\n";\r
284 }\r
285 if ($lconfighash{$key}[17]) {\r
286 print CONF "\tkeylife=$lconfighash{$key}[17]h\n";\r
287 }\r
288\r
289 # Compression\r
290 if ($lconfighash{$key}[13] eq 'on') {\r
291 print CONF "\tcompress=yes\n";\r
292 }\r
293\r
294 # Dead Peer Detection\r
295 print CONF "\tdpddelay=30\n";\r
296 print CONF "\tdpdtimeout=120\n";\r
297 print CONF "\tdpdaction=$lconfighash{$key}[27]\n";\r
298 \r
299 # Disable pfs ?\r
300 print CONF "\tpfs=$lconfighash{$key}[28]\n";\r
301\r
302 # Print Authentication details\r
303 if ($lconfighash{$key}[4] eq 'psk') {\r
304 if ($lconfighash{$key}[6] eq 'left'){\r
305 if ($lconfighash{$key}[26] eq 'BLUE') {\r
306 print SECRETS ($lconfighash{$key}[7] ? $lconfighash{$key}[7] : $netsettings{'BLUE_ADDRESS'}) . " ";\r
307 print SECRETS $lconfighash{$key}[9] ? $lconfighash{$key}[9] : $lconfighash{$key}[10];\r
308 print SECRETS " : PSK \"$lconfighash{$key}[5]\"\n";\r
309 } else {\r
310 print SECRETS ($lconfighash{$key}[7] ? $lconfighash{$key}[7] : $lvpnsettings{'VPN_IP'}) . " ";\r
311 print SECRETS $lconfighash{$key}[9] ? $lconfighash{$key}[9] : $lconfighash{$key}[10];\r
312 print SECRETS " : PSK \"$lconfighash{$key}[5]\"\n";\r
313 }\r
314 } else {\r
315 if ($lconfighash{$key}[26] eq 'BLUE') {\r
316 print SECRETS ($lconfighash{$key}[9] ? $lconfighash{$key}[9] : $netsettings{'BLUE_ADDRESS'}) . " ";\r
317 print SECRETS $lconfighash{$key}[7] ? $lconfighash{$key}[7] : $lconfighash{$key}[10];\r
318 print SECRETS " : PSK \"$lconfighash{$key}[5]\"\n";\r
319 } else {\r
320 print SECRETS ($lconfighash{$key}[9] ? $lconfighash{$key}[9] : $lvpnsettings{'VPN_IP'}) . " ";\r
321 print SECRETS $lconfighash{$key}[7] ? $lconfighash{$key}[7] : $lconfighash{$key}[10];\r
322 print SECRETS " : PSK \"$lconfighash{$key}[5]\"\n";\r
323 }\r
324 }\r
325\r
326 print CONF "\tauthby=secret\n";\r
327 } else {\r
328 print CONF "\tauthby=rsasig\n";\r
329 }\r
330\r
331 # Automatically start only if a net-to-net connection\r
332 if ($lconfighash{$key}[3] eq 'host') {\r
333 print CONF "\tauto=add\n";\r
334 } else {\r
335 print CONF "\tauto=start\n";\r
336 }\r
337 print CONF "\n";\r
338 }#on\r
339 }#foreach key\r
340\r
341 close(CONF);\r
342 close(SECRETS);\r
343}\r
344\r
345###\r
346### Save main settings\r
347###\r
348if ($cgiparams{'ACTION'} eq $Lang::tr{'save'} && $cgiparams{'TYPE'} eq '' && $cgiparams{'KEY'} eq '') {\r
349 &General::readhash("${General::swroot}/vpn/settings", \%vpnsettings);\r
350 unless (&General::validfqdn($cgiparams{'VPN_IP'}) || &General::validip($cgiparams{'VPN_IP'})\r
351 || $cgiparams{'VPN_IP'} eq '%defaultroute' ) {\r
352 $errormessage = $Lang::tr{'invalid input for hostname'};\r
353 goto SAVE_ERROR;\r
354 }\r
355\r
356 unless ($cgiparams{'VPN_DELAYED_START'} =~ /^[0-9]{1,3}$/ ) { #allow 0-999 seconds !\r
357 $errormessage = $Lang::tr{'invalid time period'};\r
358 goto SAVE_ERROR;\r
359 }\r
360\r
361 unless ($cgiparams{'VPN_OVERRIDE_MTU'} =~ /^(|[0-9]{1,5})$/ ) { #allow 0-99999\r
362 $errormessage = $Lang::tr{'vpn mtu invalid'};\r
363 goto SAVE_ERROR;\r
364 }\r
365\r
366 map ($vpnsettings{$_} = $cgiparams{$_},\r
367 ('ENABLED','ENABLED_BLUE','DBG_CRYPT','DBG_PARSING','DBG_EMITTING','DBG_CONTROL',\r
368 'DBG_KLIPS','DBG_DNS','DBG_NAT_T'));\r
369\r
370 $vpnsettings{'VPN_IP'} = $cgiparams{'VPN_IP'};\r
371 $vpnsettings{'VPN_DELAYED_START'} = $cgiparams{'VPN_DELAYED_START'};\r
372 $vpnsettings{'VPN_OVERRIDE_MTU'} = $cgiparams{'VPN_OVERRIDE_MTU'};\r
373 &General::writehash("${General::swroot}/vpn/settings", \%vpnsettings);\r
374 &writeipsecfiles();\r
375 if ($vpnsettings{'ENABLED'} eq 'on' ||\r
376 $vpnsettings{'ENABLED_BLUE'} eq 'on') {\r
377 system('/usr/local/bin/ipsecctrl', 'S');\r
378 } else {\r
379 system('/usr/local/bin/ipsecctrl', 'D');\r
380 }\r
381 sleep $sleepDelay;\r
382 SAVE_ERROR:\r
383###\r
384### Reset all step 2\r
385###\r
386} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'reset'} && $cgiparams{'AREUSURE'} eq 'yes') {\r
387 my $file = '';\r
388 &General::readhasharray("${General::swroot}/vpn/config", \%confighash);\r
389\r
390 foreach my $key (keys %confighash) {\r
391 if ($confighash{$key}[4] eq 'cert') {\r
392 delete $confighash{$key};\r
393 }\r
394 }\r
395 while ($file = glob("${General::swroot}/{ca,certs,crls,private}/*")) {\r
396 unlink $file\r
397 }\r
398 &cleanssldatabase();\r
399 if (open(FILE, ">${General::swroot}/vpn/caconfig")) {\r
400 print FILE "";\r
401 close FILE;\r
402 }\r
403 &General::writehasharray("${General::swroot}/vpn/config", \%confighash);\r
404 &writeipsecfiles();\r
405 system('/usr/local/bin/ipsecctrl', 'R');\r
406 sleep $sleepDelay;\r
407\r
408###\r
409### Reset all step 1\r
410###\r
411} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'reset'}) {\r
412 &Header::showhttpheaders();\r
413 &Header::openpage($Lang::tr{'vpn configuration main'}, 1, '');\r
414 &Header::openbigbox('100%', 'LEFT', '', '');\r
415 &Header::openbox('100%', 'LEFT', $Lang::tr{'are you sure'});\r
416 print <<END\r
417 <table><form method='post'><input type='hidden' name='AREUSURE' value='yes' />\r
418 <tr><td align='center'>\r
419 <b><font color='${Header::colourred}'>$Lang::tr{'capswarning'}</font></b>: \r
420 $Lang::tr{'resetting the vpn configuration will remove the root ca, the host certificate and all certificate based connections'}\r
421 <tr><td align='center'><input type='submit' name='ACTION' value='$Lang::tr{'reset'}' />\r
422 <input type='submit' name='ACTION' value='$Lang::tr{'cancel'}' /></td></tr>\r
423 </form></table>\r
424END\r
425 ;\r
426 &Header::closebox();\r
427 &Header::closebigbox();\r
428 &Header::closepage();\r
429 exit (0);\r
430\r
431###\r
432### Upload CA Certificate\r
433###\r
434} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'upload ca certificate'}) {\r
435 &General::readhasharray("${General::swroot}/vpn/caconfig", \%cahash);\r
436\r
437 if ($cgiparams{'CA_NAME'} !~ /^[a-zA-Z0-9]+$/) {\r
438 $errormessage = $Lang::tr{'name must only contain characters'};\r
439 goto UPLOADCA_ERROR;\r
440 }\r
441\r
442 if (length($cgiparams{'CA_NAME'}) >60) {\r
443 $errormessage = $Lang::tr{'name too long'};\r
444 goto VPNCONF_ERROR;\r
445 }\r
446\r
447 if ($cgiparams{'CA_NAME'} eq 'ca') {\r
448 $errormessage = $Lang::tr{'name is invalid'};\r
449 goto UPLOAD_CA_ERROR;\r
450 }\r
451\r
452 # Check if there is no other entry with this name\r
453 foreach my $key (keys %cahash) {\r
454 if ($cahash{$key}[0] eq $cgiparams{'CA_NAME'}) {\r
455 $errormessage = $Lang::tr{'a ca certificate with this name already exists'};\r
456 goto UPLOADCA_ERROR;\r
457 }\r
458 }\r
459\r
460 if (ref ($cgiparams{'FH'}) ne 'Fh') {\r
461 $errormessage = $Lang::tr{'there was no file upload'};\r
462 goto UPLOADCA_ERROR;\r
463 }\r
464 # Move uploaded ca to a temporary file\r
465 (my $fh, my $filename) = tempfile( );\r
466 if (copy ($cgiparams{'FH'}, $fh) != 1) {\r
467 $errormessage = $!;\r
468 goto UPLOADCA_ERROR;\r
469 }\r
470 my $temp = `/usr/bin/openssl x509 -text -in $filename`;\r
471 if ($temp !~ /CA:TRUE/i) {\r
472 $errormessage = $Lang::tr{'not a valid ca certificate'};\r
473 unlink ($filename);\r
474 goto UPLOADCA_ERROR;\r
475 } else {\r
476 move($filename, "${General::swroot}/ca/$cgiparams{'CA_NAME'}cert.pem");\r
477 if ($? ne 0) {\r
478 $errormessage = "$Lang::tr{'certificate file move failed'}: $!";\r
479 unlink ($filename);\r
480 goto UPLOADCA_ERROR;\r
481 }\r
482 }\r
483\r
484 my $casubject = `/usr/bin/openssl x509 -text -in ${General::swroot}/ca/$cgiparams{'CA_NAME'}cert.pem`;\r
485 $casubject =~ /Subject: (.*)[\n]/;\r
486 $casubject = $1;\r
487 $casubject =~ s+/Email+, E+;\r
488 $casubject =~ s/ ST=/ S=/;\r
489 $casubject = &Header::cleanhtml($casubject);\r
490\r
491 my $key = &General::findhasharraykey (\%cahash);\r
492 $cahash{$key}[0] = $cgiparams{'CA_NAME'};\r
493 $cahash{$key}[1] = $casubject;\r
494 &General::writehasharray("${General::swroot}/vpn/caconfig", \%cahash);\r
495 system('/usr/local/bin/ipsecctrl', 'R');\r
496 sleep $sleepDelay;\r
497\r
498 UPLOADCA_ERROR:\r
499\r
500###\r
501### Display ca certificate\r
502###\r
503} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'show ca certificate'}) {\r
504 &General::readhasharray("${General::swroot}/vpn/caconfig", \%cahash);\r
505\r
506 if ( -f "${General::swroot}/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem") {\r
507 &Header::showhttpheaders();\r
508 &Header::openpage($Lang::tr{'vpn configuration main'}, 1, '');\r
509 &Header::openbigbox('100%', 'LEFT', '', '');\r
510 &Header::openbox('100%', 'LEFT', "$Lang::tr{'ca certificate'}:");\r
511 my $output = `/usr/bin/openssl x509 -text -in ${General::swroot}/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem`;\r
512 $output = &Header::cleanhtml($output,"y");\r
513 print "<pre>$output</pre>\n";\r
514 &Header::closebox();\r
515 print "<div align='center'><a href='/cgi-bin/vpnmain.cgi'>$Lang::tr{'back'}</a></div>";\r
516 &Header::closebigbox();\r
517 &Header::closepage();\r
518 exit(0);\r
519 } else {\r
520 $errormessage = $Lang::tr{'invalid key'};\r
521 }\r
522\r
523###\r
524### Download ca certificate\r
525###\r
526} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'download ca certificate'}) {\r
527 &General::readhasharray("${General::swroot}/vpn/caconfig", \%cahash);\r
528\r
529 if ( -f "${General::swroot}/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem" ) {\r
530 print "Content-Type: application/octet-stream\r\n";\r
531 print "Content-Disposition: filename=$cahash{$cgiparams{'KEY'}}[0]cert.pem\r\n\r\n";\r
532 print `/usr/bin/openssl x509 -in ${General::swroot}/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem`;\r
533 exit(0);\r
534 } else {\r
535 $errormessage = $Lang::tr{'invalid key'};\r
536 }\r
537\r
538###\r
539### Remove ca certificate (step 2)\r
540###\r
541} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'remove ca certificate'} && $cgiparams{'AREUSURE'} eq 'yes') {\r
542 &General::readhasharray("${General::swroot}/vpn/config", \%confighash);\r
543 &General::readhasharray("${General::swroot}/vpn/caconfig", \%cahash);\r
544\r
545 if ( -f "${General::swroot}/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem" ) {\r
546 foreach my $key (keys %confighash) {\r
547 my $test = `/usr/bin/openssl verify -CAfile ${General::swroot}/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem ${General::swroot}/certs/$confighash{$key}[1]cert.pem`;\r
548 if ($test =~ /: OK/) {\r
549 # Delete connection\r
550 if ($vpnsettings{'ENABLED'} eq 'on' ||\r
551 $vpnsettings{'ENABLED_BLUE'} eq 'on') {\r
552 system('/usr/local/bin/ipsecctrl', 'D', $key);\r
553 }\r
554 unlink ("${General::swroot}/certs/$confighash{$key}[1]cert.pem");\r
555 unlink ("${General::swroot}/certs/$confighash{$key}[1].p12");\r
556 delete $confighash{$key};\r
557 &General::writehasharray("${General::swroot}/vpn/config", \%confighash);\r
558 &writeipsecfiles();\r
559 }\r
560 }\r
561 unlink ("${General::swroot}/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem");\r
562 delete $cahash{$cgiparams{'KEY'}};\r
563 &General::writehasharray("${General::swroot}/vpn/caconfig", \%cahash);\r
564 system('/usr/local/bin/ipsecctrl', 'R');\r
565 sleep $sleepDelay;\r
566 } else {\r
567 $errormessage = $Lang::tr{'invalid key'};\r
568 }\r
569###\r
570### Remove ca certificate (step 1)\r
571###\r
572} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'remove ca certificate'}) {\r
573 &General::readhasharray("${General::swroot}/vpn/config", \%confighash);\r
574 &General::readhasharray("${General::swroot}/vpn/caconfig", \%cahash);\r
575\r
576 my $assignedcerts = 0;\r
577 if ( -f "${General::swroot}/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem" ) {\r
578 foreach my $key (keys %confighash) {\r
579 my $test = `/usr/bin/openssl verify -CAfile ${General::swroot}/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem ${General::swroot}/certs/$confighash{$key}[1]cert.pem`;\r
580 if ($test =~ /: OK/) {\r
581 $assignedcerts++;\r
582 }\r
583 }\r
584 if ($assignedcerts) {\r
585 &Header::showhttpheaders();\r
586 &Header::openpage($Lang::tr{'vpn configuration main'}, 1, '');\r
587 &Header::openbigbox('100%', 'LEFT', '', '');\r
588 &Header::openbox('100%', 'LEFT', $Lang::tr{'are you sure'});\r
589 print <<END\r
590 <table><form method='post'><input type='hidden' name='AREUSURE' value='yes' />\r
591 <input type='hidden' name='KEY' value='$cgiparams{'KEY'}' />\r
592 <tr><td align='center'>\r
593 <b><font color='${Header::colourred}'>$Lang::tr{'capswarning'}</font></b>: $assignedcerts\r
594 $Lang::tr{'connections are associated with this ca. deleting the ca will delete these connections as well.'}\r
595 <tr><td align='center'><input type='submit' name='ACTION' value='$Lang::tr{'remove ca certificate'}' />\r
596 <input type='submit' name='ACTION' value='$Lang::tr{'cancel'}' /></td></tr>\r
597 </form></table>\r
598END\r
599 ;\r
600 &Header::closebox();\r
601 &Header::closebigbox();\r
602 &Header::closepage();\r
603 exit (0);\r
604 } else {\r
605 unlink ("${General::swroot}/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem");\r
606 delete $cahash{$cgiparams{'KEY'}};\r
607 &General::writehasharray("${General::swroot}/vpn/caconfig", \%cahash);\r
608 system('/usr/local/bin/ipsecctrl', 'R');\r
609 sleep $sleepDelay;\r
610 }\r
611 } else {\r
612 $errormessage = $Lang::tr{'invalid key'};\r
613 }\r
614\r
615###\r
616### Display root certificate\r
617###\r
618} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'show root certificate'} ||\r
619 $cgiparams{'ACTION'} eq $Lang::tr{'show host certificate'}) {\r
620 my $output;\r
621 &Header::showhttpheaders();\r
622 &Header::openpage($Lang::tr{'vpn configuration main'}, 1, '');\r
623 &Header::openbigbox('100%', 'LEFT', '', '');\r
624 if ($cgiparams{'ACTION'} eq $Lang::tr{'show root certificate'}) {\r
625 &Header::openbox('100%', 'LEFT', "$Lang::tr{'root certificate'}:");\r
626 $output = `/usr/bin/openssl x509 -text -in ${General::swroot}/ca/cacert.pem`;\r
627 } else {\r
628 &Header::openbox('100%', 'LEFT', "$Lang::tr{'host certificate'}:");\r
629 $output = `/usr/bin/openssl x509 -text -in ${General::swroot}/certs/hostcert.pem`;\r
630 }\r
631 $output = &Header::cleanhtml($output,"y");\r
632 print "<pre>$output</pre>\n";\r
633 &Header::closebox();\r
634 print "<div align='center'><a href='/cgi-bin/vpnmain.cgi'>$Lang::tr{'back'}</a></div>";\r
635 &Header::closebigbox();\r
636 &Header::closepage();\r
637 exit(0);\r
638\r
639###\r
640### Download root certificate\r
641###\r
642} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'download root certificate'}) {\r
643 if ( -f "${General::swroot}/ca/cacert.pem" ) {\r
644 print "Content-Type: application/octet-stream\r\n";\r
645 print "Content-Disposition: filename=cacert.pem\r\n\r\n";\r
646 print `/usr/bin/openssl x509 -in ${General::swroot}/ca/cacert.pem`;\r
647 exit(0);\r
648 }\r
649###\r
650### Download host certificate\r
651###\r
652} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'download host certificate'}) {\r
653 if ( -f "${General::swroot}/certs/hostcert.pem" ) {\r
654 print "Content-Type: application/octet-stream\r\n";\r
655 print "Content-Disposition: filename=hostcert.pem\r\n\r\n";\r
656 print `/usr/bin/openssl x509 -in ${General::swroot}/certs/hostcert.pem`;\r
657 exit(0);\r
658 }\r
659###\r
660### Form for generating a root certificate\r
661###\r
662} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'generate root/host certificates'} ||\r
663 $cgiparams{'ACTION'} eq $Lang::tr{'upload p12 file'}) {\r
664\r
665 &General::readhash("${General::swroot}/vpn/settings", \%vpnsettings);\r
666 if (-f "${General::swroot}/ca/cacert.pem") {\r
667 $errormessage = $Lang::tr{'valid root certificate already exists'};\r
668 $cgiparams{'ACTION'} = '';\r
669 goto ROOTCERT_ERROR;\r
670 }\r
671\r
672 if (($cgiparams{'ROOTCERT_HOSTNAME'} eq '') && -e "${General::swroot}/red/active") {\r
673 if (open(IPADDR, "${General::swroot}/red/local-ipaddress")) {\r
674 my $ipaddr = <IPADDR>;\r
675 close IPADDR;\r
676 chomp ($ipaddr);\r
677 $cgiparams{'ROOTCERT_HOSTNAME'} = (gethostbyaddr(pack("C4", split(/\./, $ipaddr)), 2))[0];\r
678 if ($cgiparams{'ROOTCERT_HOSTNAME'} eq '') {\r
679 $cgiparams{'ROOTCERT_HOSTNAME'} = $ipaddr;\r
680 }\r
681 }\r
682 } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'upload p12 file'}) {\r
683\r
684 if (ref ($cgiparams{'FH'}) ne 'Fh') {\r
685 $errormessage = $Lang::tr{'there was no file upload'};\r
686 goto ROOTCERT_ERROR;\r
687 }\r
688\r
689 # Move uploaded certificate request to a temporary file\r
690 (my $fh, my $filename) = tempfile( );\r
691 if (copy ($cgiparams{'FH'}, $fh) != 1) {\r
692 $errormessage = $!;\r
693 goto ROOTCERT_ERROR;\r
694 }\r
695\r
696 # Create a temporary dirctory\r
697 my $tempdir = tempdir( CLEANUP => 1 );\r
698\r
699 # Extract the CA certificate from the file\r
700 my $pid = open(OPENSSL, "|-");\r
701 $SIG{ALRM} = sub { $errormessage = $Lang::tr{'broken pipe'}; goto ROOTCERT_ERROR;};\r
702 if ($pid) { # parent\r
703 if ($cgiparams{'P12_PASS'} ne '') {\r
704 print OPENSSL "$cgiparams{'P12_PASS'}\n";\r
705 }\r
706 close (OPENSSL);\r
707 if ($?) {\r
708 $errormessage = "$Lang::tr{'openssl produced an error'}: $?";\r
709 unlink ($filename);\r
710 goto ROOTCERT_ERROR;\r
711 }\r
712 } else { # child\r
713 unless (exec ('/usr/bin/openssl', 'pkcs12', '-cacerts', '-nokeys',\r
714 '-in', $filename,\r
715 '-out', "$tempdir/cacert.pem")) {\r
716 $errormessage = "$Lang::tr{'cant start openssl'}: $!";\r
717 unlink ($filename);\r
718 goto ROOTCERT_ERROR;\r
719 }\r
720 }\r
721\r
722 # Extract the Host certificate from the file\r
723 $pid = open(OPENSSL, "|-");\r
724 $SIG{ALRM} = sub { $errormessage = $Lang::tr{'broken pipe'}; goto ROOTCERT_ERROR;};\r
725 if ($pid) { # parent\r
726 if ($cgiparams{'P12_PASS'} ne '') {\r
727 print OPENSSL "$cgiparams{'P12_PASS'}\n";\r
728 }\r
729 close (OPENSSL);\r
730 if ($?) {\r
731 $errormessage = "$Lang::tr{'openssl produced an error'}: $?";\r
732 unlink ($filename);\r
733 goto ROOTCERT_ERROR;\r
734 }\r
735 } else { # child\r
736 unless (exec ('/usr/bin/openssl', 'pkcs12', '-clcerts', '-nokeys',\r
737 '-in', $filename,\r
738 '-out', "$tempdir/hostcert.pem")) {\r
739 $errormessage = "$Lang::tr{'cant start openssl'}: $!";\r
740 unlink ($filename);\r
741 goto ROOTCERT_ERROR;\r
742 }\r
743 }\r
744\r
745 # Extract the Host key from the file\r
746 $pid = open(OPENSSL, "|-");\r
747 $SIG{ALRM} = sub { $errormessage = $Lang::tr{'broken pipe'}; goto ROOTCERT_ERROR;};\r
748 if ($pid) { # parent\r
749 if ($cgiparams{'P12_PASS'} ne '') {\r
750 print OPENSSL "$cgiparams{'P12_PASS'}\n";\r
751 }\r
752 close (OPENSSL);\r
753 if ($?) {\r
754 $errormessage = "$Lang::tr{'openssl produced an error'}: $?";\r
755 unlink ($filename);\r
756 goto ROOTCERT_ERROR;\r
757 }\r
758 } else { # child\r
759 unless (exec ('/usr/bin/openssl', 'pkcs12', '-nocerts',\r
760 '-nodes',\r
761 '-in', $filename,\r
762 '-out', "$tempdir/hostkey.pem")) {\r
763 $errormessage = "$Lang::tr{'cant start openssl'}: $!";\r
764 unlink ($filename);\r
765 goto ROOTCERT_ERROR;\r
766 }\r
767 }\r
768\r
769 move("$tempdir/cacert.pem", "${General::swroot}/ca/cacert.pem");\r
770 if ($? ne 0) {\r
771 $errormessage = "$Lang::tr{'certificate file move failed'}: $!";\r
772 unlink ($filename);\r
773 unlink ("${General::swroot}/ca/cacert.pem");\r
774 unlink ("${General::swroot}/certs/hostcert.pem");\r
775 unlink ("${General::swroot}/certs/hostkey.pem");\r
776 goto ROOTCERT_ERROR;\r
777 }\r
778\r
779 move("$tempdir/hostcert.pem", "${General::swroot}/certs/hostcert.pem");\r
780 if ($? ne 0) {\r
781 $errormessage = "$Lang::tr{'certificate file move failed'}: $!";\r
782 unlink ($filename);\r
783 unlink ("${General::swroot}/ca/cacert.pem");\r
784 unlink ("${General::swroot}/certs/hostcert.pem");\r
785 unlink ("${General::swroot}/certs/hostkey.pem");\r
786 goto ROOTCERT_ERROR;\r
787 }\r
788\r
789 move("$tempdir/hostkey.pem", "${General::swroot}/certs/hostkey.pem");\r
790 if ($? ne 0) {\r
791 $errormessage = "$Lang::tr{'certificate file move failed'}: $!";\r
792 unlink ($filename);\r
793 unlink ("${General::swroot}/ca/cacert.pem");\r
794 unlink ("${General::swroot}/certs/hostcert.pem");\r
795 unlink ("${General::swroot}/certs/hostkey.pem");\r
796 goto ROOTCERT_ERROR;\r
797 }\r
798\r
799 # Create an empty CRL\r
800 system('/usr/bin/openssl', 'ca', '-gencrl',\r
801 '-out', "${General::swroot}/crls/cacrl.pem");\r
802 if ($?) {\r
803 $errormessage = "$Lang::tr{'openssl produced an error'}: $?";\r
804 unlink ("${General::swroot}/certs/hostkey.pem");\r
805 unlink ("${General::swroot}/certs/hostcert.pem");\r
806 unlink ("${General::swroot}/ca/cacert.pem");\r
807 unlink ("${General::swroot}/crls/cacrl.pem");\r
808 &cleanssldatabase();\r
809 goto ROOTCERT_ERROR;\r
810 } else {\r
811 &cleanssldatabase();\r
812 }\r
813\r
814 goto ROOTCERT_SUCCESS;\r
815\r
816 } elsif ($cgiparams{'ROOTCERT_COUNTRY'} ne '') {\r
817\r
818 # Validate input since the form was submitted\r
819 if ($cgiparams{'ROOTCERT_ORGANIZATION'} eq ''){\r
820 $errormessage = $Lang::tr{'organization cant be empty'};\r
821 goto ROOTCERT_ERROR;\r
822 }\r
823 if (length($cgiparams{'ROOTCERT_ORGANIZATION'}) >60) {\r
824 $errormessage = $Lang::tr{'organization too long'};\r
825 goto ROOTCERT_ERROR;\r
826 }\r
827 if ($cgiparams{'ROOTCERT_ORGANIZATION'} !~ /^[a-zA-Z0-9 ,\.\-_]*$/) {\r
828 $errormessage = $Lang::tr{'invalid input for organization'};\r
829 goto ROOTCERT_ERROR;\r
830 }\r
831 if ($cgiparams{'ROOTCERT_HOSTNAME'} eq ''){\r
832 $errormessage = $Lang::tr{'hostname cant be empty'};\r
833 goto ROOTCERT_ERROR;\r
834 }\r
835 unless (&General::validfqdn($cgiparams{'ROOTCERT_HOSTNAME'}) || &General::validip($cgiparams{'ROOTCERT_HOSTNAME'})) {\r
836 $errormessage = $Lang::tr{'invalid input for hostname'};\r
837 goto ROOTCERT_ERROR;\r
838 }\r
839 if ($cgiparams{'ROOTCERT_EMAIL'} ne '' && (! &General::validemail($cgiparams{'ROOTCERT_EMAIL'}))) {\r
840 $errormessage = $Lang::tr{'invalid input for e-mail address'};\r
841 goto ROOTCERT_ERROR;\r
842 }\r
843 if (length($cgiparams{'ROOTCERT_EMAIL'}) > 40) {\r
844 $errormessage = $Lang::tr{'e-mail address too long'};\r
845 goto ROOTCERT_ERROR;\r
846 }\r
847 if ($cgiparams{'ROOTCERT_OU'} ne '' && $cgiparams{'ROOTCERT_OU'} !~ /^[a-zA-Z0-9 ,\.\-_]*$/) {\r
848 $errormessage = $Lang::tr{'invalid input for department'};\r
849 goto ROOTCERT_ERROR;\r
850 }\r
851 if ($cgiparams{'ROOTCERT_CITY'} ne '' && $cgiparams{'ROOTCERT_CITY'} !~ /^[a-zA-Z0-9 ,\.\-_]*$/) {\r
852 $errormessage = $Lang::tr{'invalid input for city'};\r
853 goto ROOTCERT_ERROR;\r
854 }\r
855 if ($cgiparams{'ROOTCERT_STATE'} ne '' && $cgiparams{'ROOTCERT_STATE'} !~ /^[a-zA-Z0-9 ,\.\-_]*$/) {\r
856 $errormessage = $Lang::tr{'invalid input for state or province'};\r
857 goto ROOTCERT_ERROR;\r
858 }\r
859 if ($cgiparams{'ROOTCERT_COUNTRY'} !~ /^[A-Z]*$/) {\r
860 $errormessage = $Lang::tr{'invalid input for country'};\r
861 goto ROOTCERT_ERROR;\r
862 }\r
863\r
864 # Copy the cgisettings to vpnsettings and save the configfile\r
865 $vpnsettings{'ROOTCERT_ORGANIZATION'} = $cgiparams{'ROOTCERT_ORGANIZATION'};\r
866 $vpnsettings{'ROOTCERT_HOSTNAME'} = $cgiparams{'ROOTCERT_HOSTNAME'};\r
867 $vpnsettings{'ROOTCERT_EMAIL'} = $cgiparams{'ROOTCERT_EMAIL'};\r
868 $vpnsettings{'ROOTCERT_OU'} = $cgiparams{'ROOTCERT_OU'};\r
869 $vpnsettings{'ROOTCERT_CITY'} = $cgiparams{'ROOTCERT_CITY'};\r
870 $vpnsettings{'ROOTCERT_STATE'} = $cgiparams{'ROOTCERT_STATE'};\r
871 $vpnsettings{'ROOTCERT_COUNTRY'} = $cgiparams{'ROOTCERT_COUNTRY'};\r
872 &General::writehash("${General::swroot}/vpn/settings", \%vpnsettings);\r
873\r
874 # Replace empty strings with a .\r
875 (my $ou = $cgiparams{'ROOTCERT_OU'}) =~ s/^\s*$/\./;\r
876 (my $city = $cgiparams{'ROOTCERT_CITY'}) =~ s/^\s*$/\./;\r
877 (my $state = $cgiparams{'ROOTCERT_STATE'}) =~ s/^\s*$/\./;\r
878\r
879 # Create the CA certificate\r
880 my $pid = open(OPENSSL, "|-");\r
881 $SIG{ALRM} = sub { $errormessage = $Lang::tr{'broken pipe'}; goto ROOTCERT_ERROR;};\r
882 if ($pid) { # parent\r
883 print OPENSSL "$cgiparams{'ROOTCERT_COUNTRY'}\n";\r
884 print OPENSSL "$state\n";\r
885 print OPENSSL "$city\n";\r
886 print OPENSSL "$cgiparams{'ROOTCERT_ORGANIZATION'}\n";\r
887 print OPENSSL "$ou\n";\r
888 print OPENSSL "$cgiparams{'ROOTCERT_ORGANIZATION'} CA\n";\r
889 print OPENSSL "$cgiparams{'ROOTCERT_EMAIL'}\n";\r
890 close (OPENSSL);\r
891 if ($?) {\r
892 $errormessage = "$Lang::tr{'openssl produced an error'}: $?";\r
893 unlink ("${General::swroot}/private/cakey.pem");\r
894 unlink ("${General::swroot}/ca/cacert.pem");\r
895 goto ROOTCERT_ERROR;\r
896 }\r
897 } else { # child\r
898 unless (exec ('/usr/bin/openssl', 'req', '-x509', '-nodes', '-rand', '/proc/interrupts:/proc/net/rt_cache',\r
899 '-days', '999999', '-newkey', 'rsa:2048',\r
900 '-keyout', "${General::swroot}/private/cakey.pem",\r
901 '-out', "${General::swroot}/ca/cacert.pem")) {\r
902 $errormessage = "$Lang::tr{'cant start openssl'}: $!";\r
903 goto ROOTCERT_ERROR;\r
904 }\r
905 }\r
906\r
907 # Create the Host certificate request\r
908 $pid = open(OPENSSL, "|-");\r
909 $SIG{ALRM} = sub { $errormessage = $Lang::tr{'broken pipe'}; goto ROOTCERT_ERROR;};\r
910 if ($pid) { # parent\r
911 print OPENSSL "$cgiparams{'ROOTCERT_COUNTRY'}\n";\r
912 print OPENSSL "$state\n";\r
913 print OPENSSL "$city\n";\r
914 print OPENSSL "$cgiparams{'ROOTCERT_ORGANIZATION'}\n";\r
915 print OPENSSL "$ou\n";\r
916 print OPENSSL "$cgiparams{'ROOTCERT_HOSTNAME'}\n";\r
917 print OPENSSL "$cgiparams{'ROOTCERT_EMAIL'}\n";\r
918 print OPENSSL ".\n";\r
919 print OPENSSL ".\n";\r
920 close (OPENSSL);\r
921 if ($?) {\r
922 $errormessage = "$Lang::tr{'openssl produced an error'}: $?";\r
923 unlink ("${General::swroot}/certs/hostkey.pem");\r
924 unlink ("${General::swroot}/certs/hostreq.pem");\r
925 goto ROOTCERT_ERROR;\r
926 }\r
927 } else { # child\r
928 unless (exec ('/usr/bin/openssl', 'req', '-nodes', '-rand', '/proc/interrupts:/proc/net/rt_cache',\r
929 '-newkey', 'rsa:1024',\r
930 '-keyout', "${General::swroot}/certs/hostkey.pem",\r
931 '-out', "${General::swroot}/certs/hostreq.pem")) {\r
932 $errormessage = "$Lang::tr{'cant start openssl'}: $!";\r
933 unlink ("${General::swroot}/certs/hostkey.pem");\r
934 unlink ("${General::swroot}/certs/hostreq.pem");\r
935 unlink ("${General::swroot}/private/cakey.pem");\r
936 unlink ("${General::swroot}/ca/cacert.pem");\r
937 goto ROOTCERT_ERROR;\r
938 }\r
939 }\r
940 \r
941 # Sign the host certificate request\r
942 system('/usr/bin/openssl', 'ca', '-days', '999999',\r
943 '-batch', '-notext',\r
944 '-in', "${General::swroot}/certs/hostreq.pem",\r
945 '-out', "${General::swroot}/certs/hostcert.pem");\r
946 if ($?) {\r
947 $errormessage = "$Lang::tr{'openssl produced an error'}: $?";\r
948 unlink ("${General::swroot}/private/cakey.pem");\r
949 unlink ("${General::swroot}/ca/cacert.pem");\r
950 unlink ("${General::swroot}/certs/hostkey.pem");\r
951 unlink ("${General::swroot}/certs/hostreq.pem");\r
952 unlink ("${General::swroot}/certs/hostcert.pem");\r
953 &cleanssldatabase();\r
954 goto ROOTCERT_ERROR;\r
955 } else {\r
956 unlink ("${General::swroot}/certs/hostreq.pem");\r
957 &cleanssldatabase();\r
958 }\r
959\r
960 # Create an empty CRL\r
961 system('/usr/bin/openssl', 'ca', '-gencrl',\r
962 '-out', "${General::swroot}/crls/cacrl.pem");\r
963 if ($?) {\r
964 $errormessage = "$Lang::tr{'openssl produced an error'}: $?";\r
965 unlink ("${General::swroot}/certs/hostkey.pem");\r
966 unlink ("${General::swroot}/certs/hostcert.pem");\r
967 unlink ("${General::swroot}/ca/cacert.pem");\r
968 unlink ("${General::swroot}/crls/cacrl.pem");\r
969 &cleanssldatabase();\r
970 goto ROOTCERT_ERROR;\r
971 } else {\r
972 &cleanssldatabase();\r
973 }\r
974 goto ROOTCERT_SUCCESS;\r
975 }\r
976 ROOTCERT_ERROR:\r
977 if ($cgiparams{'ACTION'} ne '') {\r
978 &Header::showhttpheaders();\r
979 &Header::openpage($Lang::tr{'vpn configuration main'}, 1, '');\r
980 &Header::openbigbox('100%', 'LEFT', '', $errormessage);\r
981 if ($errormessage) {\r
982 &Header::openbox('100%', 'LEFT', $Lang::tr{'error messages'});\r
983 print "<class name='base'>$errormessage";\r
984 print "&nbsp;</class>";\r
985 &Header::closebox();\r
986 }\r
987 &Header::openbox('100%', 'LEFT', "$Lang::tr{'generate root/host certificates'}:");\r
988 print <<END\r
989 <form method='post' enctype='multipart/form-data'>\r
990 <table width='100%' border='0' cellspacing='1' cellpadding='0'>\r
991 <tr><td width='30%' class='base'>$Lang::tr{'organization name'}:</td>\r
992 <td width='35%' class='base' nowrap='nowrap'><input type='text' name='ROOTCERT_ORGANIZATION' value='$cgiparams{'ROOTCERT_ORGANIZATION'}' size='32' /></td>\r
993 <td width='35%' colspan='2'>&nbsp;</td></tr>\r
994 <tr><td class='base'>$Lang::tr{'ipcops hostname'}:</td>\r
995 <td class='base' nowrap='nowrap'><input type='text' name='ROOTCERT_HOSTNAME' value='$cgiparams{'ROOTCERT_HOSTNAME'}' size='32' /></td>\r
996 <td colspan='2'>&nbsp;</td></tr>\r
997 <tr><td class='base'>$Lang::tr{'your e-mail'}:&nbsp;<img src='/blob.gif' alt='*' /></td>\r
998 <td class='base' nowrap='nowrap'><input type='text' name='ROOTCERT_EMAIL' value='$cgiparams{'ROOTCERT_EMAIL'}' size='32' /></td>\r
999 <td colspan='2'>&nbsp;</td></tr>\r
1000 <tr><td class='base'>$Lang::tr{'your department'}:&nbsp;<img src='/blob.gif' alt='*' /></td>\r
1001 <td class='base' nowrap='nowrap'><input type='text' name='ROOTCERT_OU' value='$cgiparams{'ROOTCERT_OU'}' size='32' /></td>\r
1002 <td colspan='2'>&nbsp;</td></tr>\r
1003 <tr><td class='base'>$Lang::tr{'city'}:&nbsp;<img src='/blob.gif' alt='*' /></td>\r
1004 <td class='base' nowrap='nowrap'><input type='text' name='ROOTCERT_CITY' value='$cgiparams{'ROOTCERT_CITY'}' size='32' /></td>\r
1005 <td colspan='2'>&nbsp;</td></tr>\r
1006 <tr><td class='base'>$Lang::tr{'state or province'}:&nbsp;<img src='/blob.gif' alt='*' /></td>\r
1007 <td class='base' nowrap='nowrap'><input type='text' name='ROOTCERT_STATE' value='$cgiparams{'ROOTCERT_STATE'}' size='32' /></td>\r
1008 <td colspan='2'>&nbsp;</td></tr>\r
1009 <tr><td class='base'>$Lang::tr{'country'}:</td>\r
1010 <td class='base'><select name='ROOTCERT_COUNTRY'>\r
1011END\r
1012 ;\r
1013 foreach my $country (sort keys %{Countries::countries}) {\r
1014 print "<option value='$Countries::countries{$country}'";\r
1015 if ( $Countries::countries{$country} eq $cgiparams{'ROOTCERT_COUNTRY'} ) {\r
1016 print " selected='selected'";\r
1017 }\r
1018 print ">$country</option>";\r
1019 }\r
1020 print <<END\r
1021 </select></td>\r
1022 <td colspan='2'>&nbsp;</td></tr>\r
1023 <tr><td>&nbsp;</td>\r
1024 <td><br /><input type='submit' name='ACTION' value='$Lang::tr{'generate root/host certificates'}' /><br /><br /></td>\r
1025 <td>&nbsp;</td><td>&nbsp;</td></tr>\r
1026 <tr><td class='base' align='left' valign='top'>\r
1027 <img src='/blob.gif' valign='top' alt='*' />&nbsp;$Lang::tr{'this field may be blank'}</td>\r
1028 <td class='base' align='left'>\r
1029 <b><font color='${Header::colourred}'>$Lang::tr{'capswarning'}</font></b>: \r
1030 $Lang::tr{'generating the root and host certificates may take a long time. it can take up to several minutes on older hardware. please be patient'}\r
1031 </td></tr>\r
1032 <tr><td colspan='4'><hr /></td></tr>\r
1033 <tr><td class='base' nowrap='nowrap'>$Lang::tr{'upload p12 file'}:</td>\r
1034 <td nowrap='nowrap'><input type='file' name='FH' size='32'></td>\r
1035 <td colspan='2'>&nbsp;</td></tr>\r
1036 <tr><td class='base'>$Lang::tr{'pkcs12 file password'}:&nbsp;<img src='/blob.gif' alt='*' /></td>\r
1037 <td class='base' nowrap='nowrap'><input type='password' name='P12_PASS' value='$cgiparams{'P12_PASS'}' size='32' /></td>\r
1038 <td colspan='2'>&nbsp;</td></tr>\r
1039 <tr><td>&nbsp;</td>\r
1040 <td><input type='submit' name='ACTION' value='$Lang::tr{'upload p12 file'}' /></td>\r
1041 <td colspan='2'>&nbsp;</td></tr>\r
1042 <tr><td class='base' colspan='4' align='left'>\r
1043 <img src='/blob.gif' valign='top' alt='*' />&nbsp;$Lang::tr{'this field may be blank'}</td></tr>\r
1044 </form></table>\r
1045END\r
1046 ;\r
1047 &Header::closebox();\r
1048\r
1049 &Header::closebigbox();\r
1050 &Header::closepage();\r
1051 exit(0)\r
1052 }\r
1053\r
1054 ROOTCERT_SUCCESS:\r
1055 if ($vpnsettings{'ENABLED'} eq 'on' ||\r
1056 $vpnsettings{'ENABLE_BLUE'} eq 'on') {\r
1057 system('/usr/local/bin/ipsecctrl', 'S');\r
1058 sleep $sleepDelay;\r
1059 }\r
1060###\r
1061### Download PKCS12 file\r
1062###\r
1063} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'download pkcs12 file'}) {\r
1064 &General::readhasharray("${General::swroot}/vpn/config", \%confighash);\r
1065\r
1066 print "Content-Disposition: filename=" . $confighash{$cgiparams{'KEY'}}[1] . ".p12\r\n";\r
1067 print "Content-Type: application/octet-stream\r\n\r\n";\r
1068 print `/bin/cat ${General::swroot}/certs/$confighash{$cgiparams{'KEY'}}[1].p12`;\r
1069 exit (0);\r
1070\r
1071###\r
1072### Display certificate\r
1073###\r
1074} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'show certificate'}) {\r
1075 &General::readhasharray("${General::swroot}/vpn/config", \%confighash);\r
1076\r
1077 if ( -f "${General::swroot}/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem") {\r
1078 &Header::showhttpheaders();\r
1079 &Header::openpage($Lang::tr{'vpn configuration main'}, 1, '');\r
1080 &Header::openbigbox('100%', 'LEFT', '', '');\r
1081 &Header::openbox('100%', 'LEFT', "$Lang::tr{'certificate'}:");\r
1082 my $output = `/usr/bin/openssl x509 -text -in ${General::swroot}/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem`;\r
1083 $output = &Header::cleanhtml($output,"y");\r
1084 print "<pre>$output</pre>\n";\r
1085 &Header::closebox();\r
1086 print "<div align='center'><a href='/cgi-bin/vpnmain.cgi'>$Lang::tr{'back'}</a></div>";\r
1087 &Header::closebigbox();\r
1088 &Header::closepage();\r
1089 exit(0);\r
1090 }\r
1091\r
1092###\r
1093### Download Certificate\r
1094###\r
1095} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'download certificate'}) {\r
1096 &General::readhasharray("${General::swroot}/vpn/config", \%confighash);\r
1097\r
1098 if ( -f "${General::swroot}/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem") {\r
1099 print "Content-Disposition: filename=" . $confighash{$cgiparams{'KEY'}}[1] . "cert.pem\r\n";\r
1100 print "Content-Type: application/octet-stream\r\n\r\n";\r
1101 print `/bin/cat ${General::swroot}/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem`;\r
1102 exit (0);\r
1103 }\r
1104\r
1105###\r
1106### Enable/Disable connection\r
1107###\r
1108} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'toggle enable disable'}) {\r
1109 \r
1110 &General::readhash("${General::swroot}/vpn/settings", \%vpnsettings);\r
1111 &General::readhasharray("${General::swroot}/vpn/config", \%confighash);\r
1112\r
1113 if ($confighash{$cgiparams{'KEY'}}) {\r
1114 if ($confighash{$cgiparams{'KEY'}}[0] eq 'off') {\r
1115 $confighash{$cgiparams{'KEY'}}[0] = 'on';\r
1116 &General::writehasharray("${General::swroot}/vpn/config", \%confighash);\r
1117 &writeipsecfiles();\r
1118 if ($vpnsettings{'ENABLED'} eq 'on' ||\r
1119 $vpnsettings{'ENABLED_BLUE'} eq 'on') {\r
1120 system('/usr/local/bin/ipsecctrl', 'S', $cgiparams{'KEY'});\r
1121 sleep $sleepDelay;\r
1122 }\r
1123 } else {\r
1124 $confighash{$cgiparams{'KEY'}}[0] = 'off';\r
1125 if ($vpnsettings{'ENABLED'} eq 'on' ||\r
1126 $vpnsettings{'ENABLED_BLUE'} eq 'on') {\r
1127 system('/usr/local/bin/ipsecctrl', 'D', $cgiparams{'KEY'});\r
1128 }\r
1129 &General::writehasharray("${General::swroot}/vpn/config", \%confighash);\r
1130 &writeipsecfiles();\r
1131 }\r
1132 } else {\r
1133 $errormessage = $Lang::tr{'invalid key'};\r
1134 }\r
1135\r
1136###\r
1137### Restart connection\r
1138###\r
1139} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'restart'}) {\r
1140 &General::readhash("${General::swroot}/vpn/settings", \%vpnsettings);\r
1141 &General::readhasharray("${General::swroot}/vpn/config", \%confighash);\r
1142\r
1143 if ($confighash{$cgiparams{'KEY'}}) {\r
1144 if ($vpnsettings{'ENABLED'} eq 'on' ||\r
1145 $vpnsettings{'ENABLED_BLUE'} eq 'on') {\r
1146 system('/usr/local/bin/ipsecctrl', 'S', $cgiparams{'KEY'});\r
1147 sleep $sleepDelay;\r
1148 }\r
1149 } else {\r
1150 $errormessage = $Lang::tr{'invalid key'};\r
1151 }\r
1152\r
1153###\r
1154### Remove connection\r
1155###\r
1156} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'remove'}) {\r
1157 &General::readhash("${General::swroot}/vpn/settings", \%vpnsettings);\r
1158 &General::readhasharray("${General::swroot}/vpn/config", \%confighash);\r
1159\r
1160 if ($confighash{$cgiparams{'KEY'}}) {\r
1161 if ($vpnsettings{'ENABLED'} eq 'on' ||\r
1162 $vpnsettings{'ENABLED_BLUE'} eq 'on') {\r
1163 system('/usr/local/bin/ipsecctrl', 'D', $cgiparams{'KEY'});\r
1164 }\r
1165 unlink ("${General::swroot}/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem");\r
1166 unlink ("${General::swroot}/certs/$confighash{$cgiparams{'KEY'}}[1].p12");\r
1167 delete $confighash{$cgiparams{'KEY'}};\r
1168 &General::writehasharray("${General::swroot}/vpn/config", \%confighash);\r
1169 &writeipsecfiles();\r
1170 } else {\r
1171 $errormessage = $Lang::tr{'invalid key'};\r
1172 }\r
1173\r
1174###\r
1175### Choose between adding a host-net or net-net connection\r
1176###\r
1177} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'add'} && $cgiparams{'TYPE'} eq '') {\r
1178 &General::readhash("${General::swroot}/vpn/settings", \%vpnsettings);\r
1179 &Header::showhttpheaders();\r
1180 &Header::openpage($Lang::tr{'vpn configuration main'}, 1, '');\r
1181 &Header::openbigbox('100%', 'LEFT', '', '');\r
1182 &Header::openbox('100%', 'LEFT', $Lang::tr{'connection type'});\r
1183 print <<END\r
1184 <b>$Lang::tr{'connection type'}:</b><br />\r
1185 <table><form method='post'>\r
1186 <tr><td><input type='radio' name='TYPE' value='host' checked /></td>\r
1187 <td class='base'>$Lang::tr{'host to net vpn'}</td></tr>\r
1188 <tr><td><input type='radio' name='TYPE' value='net' /></td>\r
1189 <td class='base'>$Lang::tr{'net to net vpn'}</td></tr>\r
1190 <tr><td align='center' colspan='2'><input type='submit' name='ACTION' value='$Lang::tr{'add'}' /></td></tr>\r
1191 </form></table>\r
1192END\r
1193 ;\r
1194 &Header::closebox();\r
1195 &Header::closebigbox();\r
1196 &Header::closepage();\r
1197 exit (0);\r
1198###\r
1199### Adding a new connection\r
1200###\r
1201} elsif (($cgiparams{'ACTION'} eq $Lang::tr{'add'}) ||\r
1202 ($cgiparams{'ACTION'} eq $Lang::tr{'edit'}) ||\r
1203 ($cgiparams{'ACTION'} eq $Lang::tr{'save'} && $cgiparams{'ADVANCED'} eq '')) {\r
1204\r
1205 &General::readhash("${General::swroot}/vpn/settings", \%vpnsettings);\r
1206 &General::readhasharray("${General::swroot}/vpn/caconfig", \%cahash);\r
1207 &General::readhasharray("${General::swroot}/vpn/config", \%confighash);\r
1208\r
1209 if ($cgiparams{'ACTION'} eq $Lang::tr{'edit'}) {\r
1210 if (! $confighash{$cgiparams{'KEY'}}[0]) {\r
1211 $errormessage = $Lang::tr{'invalid key'};\r
1212 goto VPNCONF_END;\r
1213 }\r
1214 $cgiparams{'ENABLED'} = $confighash{$cgiparams{'KEY'}}[0];\r
1215 $cgiparams{'NAME'} = $confighash{$cgiparams{'KEY'}}[1];\r
1216 $cgiparams{'TYPE'} = $confighash{$cgiparams{'KEY'}}[3];\r
1217 $cgiparams{'AUTH'} = $confighash{$cgiparams{'KEY'}}[4];\r
1218 $cgiparams{'PSK'} = $confighash{$cgiparams{'KEY'}}[5];\r
1219 $cgiparams{'SIDE'} = $confighash{$cgiparams{'KEY'}}[6];\r
1220 $cgiparams{'LOCAL_ID'} = $confighash{$cgiparams{'KEY'}}[7];\r
1221 $cgiparams{'LOCAL_SUBNET'} = $confighash{$cgiparams{'KEY'}}[8];\r
1222 $cgiparams{'REMOTE_ID'} = $confighash{$cgiparams{'KEY'}}[9];\r
1223 $cgiparams{'REMOTE'} = $confighash{$cgiparams{'KEY'}}[10];\r
1224 $cgiparams{'REMOTE_SUBNET'} = $confighash{$cgiparams{'KEY'}}[11];\r
1225 $cgiparams{'REMARK'} = $confighash{$cgiparams{'KEY'}}[25];\r
1226 $cgiparams{'INTERFACE'} = $confighash{$cgiparams{'KEY'}}[26];\r
1227 $cgiparams{'DPD_ACTION'}= $confighash{$cgiparams{'KEY'}}[27];\r
1228 $cgiparams{'PFS_YES_NO'}= $confighash{$cgiparams{'KEY'}}[28];\r
1229\r
1230 } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'save'}) {\r
1231 $cgiparams{'REMARK'} = &Header::cleanhtml($cgiparams{'REMARK'});\r
1232 if ($cgiparams{'TYPE'} !~ /^(host|net)$/) {\r
1233 $errormessage = $Lang::tr{'connection type is invalid'};\r
1234 goto VPNCONF_ERROR;\r
1235 }\r
1236\r
1237 if ($cgiparams{'NAME'} !~ /^[a-zA-Z0-9]+$/) {\r
1238 $errormessage = $Lang::tr{'name must only contain characters'};\r
1239 goto VPNCONF_ERROR;\r
1240 }\r
1241\r
1242 if ($cgiparams{'NAME'} =~ /^(host|01|block|private|clear|packetdefault)$/) {\r
1243 $errormessage = $Lang::tr{'name is invalid'};\r
1244 goto VPNCONF_ERROR;\r
1245 }\r
1246\r
1247 if (length($cgiparams{'NAME'}) >60) {\r
1248 $errormessage = $Lang::tr{'name too long'};\r
1249 goto VPNCONF_ERROR;\r
1250 }\r
1251\r
1252 if (($cgiparams{'TYPE'} eq 'net') && ($cgiparams{'SIDE'} !~ /^(left|right)$/)) {\r
1253 $errormessage = $Lang::tr{'ipcop side is invalid'};\r
1254 goto VPNCONF_ERROR;\r
1255 }\r
1256\r
1257 # Check if there is no other entry with this name\r
1258 if (! $cgiparams{'KEY'}) {\r
1259 foreach my $key (keys %confighash) {\r
1260 if ($confighash{$key}[1] eq $cgiparams{'NAME'}) {\r
1261 $errormessage = $Lang::tr{'a connection with this name already exists'};\r
1262 goto VPNCONF_ERROR;\r
1263 }\r
1264 }\r
1265 }\r
1266\r
1267 if (($cgiparams{'TYPE'} eq 'net') && (! $cgiparams{'REMOTE'})) {\r
1268 $errormessage = $Lang::tr{'invalid input for remote host/ip'};\r
1269 goto VPNCONF_ERROR;\r
1270 }\r
1271\r
1272 if ($cgiparams{'REMOTE'}) {\r
1273 if (! &General::validip($cgiparams{'REMOTE'})) {\r
1274 if (! &General::validfqdn ($cgiparams{'REMOTE'})) {\r
1275 $errormessage = $Lang::tr{'invalid input for remote host/ip'};\r
1276 goto VPNCONF_ERROR;\r
1277 } else {\r
1278 if (&valid_dns_host($cgiparams{'REMOTE'})) {\r
1279 $warnmessage = "$Lang::tr{'check vpn lr'} $cgiparams{'REMOTE'}. $Lang::tr{'dns check failed'}";\r
1280 }\r
1281 }\r
1282 }\r
1283 }\r
1284\r
1285 unless (&General::validipandmask($cgiparams{'LOCAL_SUBNET'})) {\r
1286 $errormessage = $Lang::tr{'local subnet is invalid'};\r
1287 goto VPNCONF_ERROR;\r
1288 }\r
1289\r
1290 # Check if there is no other entry without IP-address and PSK\r
1291 if ($cgiparams{'REMOTE'} eq '') {\r
1292 foreach my $key (keys %confighash) {\r
1293 if(($cgiparams{'KEY'} ne $key) && \r
1294 ($confighash{$key}[4] eq 'psk' || $cgiparams{'AUTH'} eq 'psk') && \r
1295 $confighash{$key}[10] eq '') {\r
1296 $errormessage = $Lang::tr{'you can only define one roadwarrior connection when using pre-shared key authentication'};\r
1297 goto VPNCONF_ERROR;\r
1298 }\r
1299 }\r
1300 }\r
1301 if (($cgiparams{'TYPE'} eq 'net') && (! &General::validipandmask($cgiparams{'REMOTE_SUBNET'}))) {\r
1302 $errormessage = $Lang::tr{'remote subnet is invalid'};\r
1303 goto VPNCONF_ERROR;\r
1304 }\r
1305\r
1306 if ($cgiparams{'ENABLED'} !~ /^(on|off)$/) {\r
1307 $errormessage = $Lang::tr{'invalid input'};\r
1308 goto VPNCONF_ERROR;\r
1309 }\r
1310 if ($cgiparams{'EDIT_ADVANCED'} !~ /^(on|off)$/) {\r
1311 $errormessage = $Lang::tr{'invalid input'};\r
1312 goto VPNCONF_ERROR;\r
1313 }\r
1314\r
1315 if (($cgiparams{'LOCAL_ID'} !~ /^(|@[a-zA-Z0-9_.-]*)$/) ||\r
1316 ($cgiparams{'REMOTE_ID'} !~ /^(|@[a-zA-Z0-9_.-]*)$/) ||\r
1317 (($cgiparams{'REMOTE_ID'} eq $cgiparams{'LOCAL_ID'}) && ($cgiparams{'LOCAL_ID'} ne ''))\r
1318 ) {\r
1319 $errormessage = $Lang::tr{'invalid local-remote id'};\r
1320 goto VPNCONF_ERROR;\r
1321 }\r
1322 \r
1323 if ($cgiparams{'AUTH'} eq 'psk') {\r
1324 if (! length($cgiparams{'PSK'}) ) {\r
1325 $errormessage = $Lang::tr{'pre-shared key is too short'};\r
1326 goto VPNCONF_ERROR;\r
1327 }\r
1328 if ($cgiparams{'PSK'} =~ /['",&]/) { # " ' correct coloring syntax editor !\r
1329 $errormessage = $Lang::tr{'invalid characters found in pre-shared key'};\r
1330 goto VPNCONF_ERROR;\r
1331 }\r
1332 } elsif ($cgiparams{'AUTH'} eq 'certreq') {\r
1333 if ($cgiparams{'KEY'}) {\r
1334 $errormessage = $Lang::tr{'cant change certificates'};\r
1335 goto VPNCONF_ERROR;\r
1336 }\r
1337 if (ref ($cgiparams{'FH'}) ne 'Fh') {\r
1338 $errormessage = $Lang::tr{'there was no file upload'};\r
1339 goto VPNCONF_ERROR;\r
1340 }\r
1341\r
1342 # Move uploaded certificate request to a temporary file\r
1343 (my $fh, my $filename) = tempfile( );\r
1344 if (copy ($cgiparams{'FH'}, $fh) != 1) {\r
1345 $errormessage = $!;\r
1346 goto VPNCONF_ERROR;\r
1347 }\r
1348\r
1349 # Sign the certificate request and move it\r
1350 # Sign the host certificate request\r
1351 system('/usr/bin/openssl', 'ca', '-days', '999999',\r
1352 '-batch', '-notext',\r
1353 '-in', $filename,\r
1354 '-out', "${General::swroot}/certs/$cgiparams{'NAME'}cert.pem");\r
1355 if ($?) {\r
1356 $errormessage = "$Lang::tr{'openssl produced an error'}: $?";\r
1357 unlink ($filename);\r
1358 unlink ("${General::swroot}/certs/$cgiparams{'NAME'}cert.pem");\r
1359 &cleanssldatabase();\r
1360 goto VPNCONF_ERROR;\r
1361 } else {\r
1362 unlink ($filename);\r
1363 &cleanssldatabase();\r
1364 }\r
1365\r
1366 my $temp = `/usr/bin/openssl x509 -text -in ${General::swroot}/certs/$cgiparams{'NAME'}cert.pem`;\r
1367 $temp =~ /Subject:.*CN=(.*)[\n]/;\r
1368 $temp = $1;\r
1369 $temp =~ s+/Email+, E+;\r
1370 $temp =~ s/ ST=/ S=/;\r
1371 $cgiparams{'CERT_NAME'} = $temp;\r
1372 $cgiparams{'CERT_NAME'} =~ s/,//g;\r
1373 $cgiparams{'CERT_NAME'} =~ s/\'//g;\r
1374 if ($cgiparams{'CERT_NAME'} eq '') {\r
1375 $errormessage = $Lang::tr{'could not retrieve common name from certificate'};\r
1376 goto VPNCONF_ERROR;\r
1377 }\r
1378 } elsif ($cgiparams{'AUTH'} eq 'certfile') {\r
1379 if ($cgiparams{'KEY'}) {\r
1380 $errormessage = $Lang::tr{'cant change certificates'};\r
1381 goto VPNCONF_ERROR;\r
1382 }\r
1383 if (ref ($cgiparams{'FH'}) ne 'Fh') {\r
1384 $errormessage = $Lang::tr{'there was no file upload'};\r
1385 goto VPNCONF_ERROR;\r
1386 }\r
1387 # Move uploaded certificate to a temporary file\r
1388 (my $fh, my $filename) = tempfile( );\r
1389 if (copy ($cgiparams{'FH'}, $fh) != 1) {\r
1390 $errormessage = $!;\r
1391 goto VPNCONF_ERROR;\r
1392 }\r
1393\r
1394 # Verify the certificate has a valid CA and move it\r
1395 my $validca = 0;\r
1396 my $test = `/usr/bin/openssl verify -CAfile ${General::swroot}/ca/cacert.pem $filename`;\r
1397 if ($test =~ /: OK/) {\r
1398 $validca = 1;\r
1399 } else {\r
1400 foreach my $key (keys %cahash) {\r
1401 $test = `/usr/bin/openssl verify -CAfile ${General::swroot}/ca/$cahash{$key}[0]cert.pem $filename`;\r
1402 if ($test =~ /: OK/) {\r
1403 $validca = 1;\r
1404 }\r
1405 }\r
1406 }\r
1407 if (! $validca) {\r
1408 $errormessage = $Lang::tr{'certificate does not have a valid ca associated with it'};\r
1409 unlink ($filename);\r
1410 goto VPNCONF_ERROR;\r
1411 } else {\r
1412 move($filename, "${General::swroot}/certs/$cgiparams{'NAME'}cert.pem");\r
1413 if ($? ne 0) {\r
1414 $errormessage = "$Lang::tr{'certificate file move failed'}: $!";\r
1415 unlink ($filename);\r
1416 goto VPNCONF_ERROR;\r
1417 }\r
1418 }\r
1419\r
1420 my $temp = `/usr/bin/openssl x509 -text -in ${General::swroot}/certs/$cgiparams{'NAME'}cert.pem`;\r
1421 $temp =~ /Subject:.*CN=(.*)[\n]/;\r
1422 $temp = $1;\r
1423 $temp =~ s+/Email+, E+;\r
1424 $temp =~ s/ ST=/ S=/;\r
1425 $cgiparams{'CERT_NAME'} = $temp;\r
1426 $cgiparams{'CERT_NAME'} =~ s/,//g;\r
1427 $cgiparams{'CERT_NAME'} =~ s/\'//g;\r
1428 if ($cgiparams{'CERT_NAME'} eq '') {\r
1429 unlink ("${General::swroot}/certs/$cgiparams{'NAME'}cert.pem");\r
1430 $errormessage = $Lang::tr{'could not retrieve common name from certificate'};\r
1431 goto VPNCONF_ERROR;\r
1432 }\r
1433 } elsif ($cgiparams{'AUTH'} eq 'certgen') {\r
1434 if ($cgiparams{'KEY'}) {\r
1435 $errormessage = $Lang::tr{'cant change certificates'};\r
1436 goto VPNCONF_ERROR;\r
1437 }\r
1438 # Validate input since the form was submitted\r
1439 if (length($cgiparams{'CERT_NAME'}) >60) {\r
1440 $errormessage = $Lang::tr{'name too long'};\r
1441 goto VPNCONF_ERROR;\r
1442 }\r
1443 if ($cgiparams{'CERT_NAME'} !~ /^[a-zA-Z0-9 ,\.\-_]+$/) {\r
1444 $errormessage = $Lang::tr{'invalid input for name'};\r
1445 goto VPNCONF_ERROR;\r
1446 }\r
1447 if ($cgiparams{'CERT_EMAIL'} ne '' && (! &General::validemail($cgiparams{'CERT_EMAIL'}))) {\r
1448 $errormessage = $Lang::tr{'invalid input for e-mail address'};\r
1449 goto VPNCONF_ERROR;\r
1450 }\r
1451 if (length($cgiparams{'CERT_EMAIL'}) > 40) {\r
1452 $errormessage = $Lang::tr{'e-mail address too long'};\r
1453 goto VPNCONF_ERROR;\r
1454 }\r
1455 if ($cgiparams{'CERT_OU'} ne '' && $cgiparams{'CERT_OU'} !~ /^[a-zA-Z0-9 ,\.\-_]*$/) {\r
1456 $errormessage = $Lang::tr{'invalid input for department'};\r
1457 goto VPNCONF_ERROR;\r
1458 }\r
1459 if (length($cgiparams{'CERT_ORGANIZATION'}) >60) {\r
1460 $errormessage = $Lang::tr{'organization too long'};\r
1461 goto VPNCONF_ERROR;\r
1462 }\r
1463 if ($cgiparams{'CERT_ORGANIZATION'} !~ /^[a-zA-Z0-9 ,\.\-_]+$/) {\r
1464 $errormessage = $Lang::tr{'invalid input for organization'};\r
1465 goto VPNCONF_ERROR;\r
1466 }\r
1467 if ($cgiparams{'CERT_CITY'} ne '' && $cgiparams{'CERT_CITY'} !~ /^[a-zA-Z0-9 ,\.\-_]*$/) {\r
1468 $errormessage = $Lang::tr{'invalid input for city'};\r
1469 goto VPNCONF_ERROR;\r
1470 }\r
1471 if ($cgiparams{'CERT_STATE'} ne '' && $cgiparams{'CERT_STATE'} !~ /^[a-zA-Z0-9 ,\.\-_]*$/) {\r
1472 $errormessage = $Lang::tr{'invalid input for state or province'};\r
1473 goto VPNCONF_ERROR;\r
1474 }\r
1475 if ($cgiparams{'CERT_COUNTRY'} !~ /^[A-Z]*$/) {\r
1476 $errormessage = $Lang::tr{'invalid input for country'};\r
1477 goto VPNCONF_ERROR;\r
1478 }\r
1479 if (length($cgiparams{'CERT_PASS1'}) < 5) {\r
1480 $errormessage = $Lang::tr{'password too short'};\r
1481 goto VPNCONF_ERROR;\r
1482 }\r
1483 if ($cgiparams{'CERT_PASS1'} ne $cgiparams{'CERT_PASS2'}) {\r
1484 $errormessage = $Lang::tr{'passwords do not match'};\r
1485 goto VPNCONF_ERROR;\r
1486 }\r
1487\r
1488 # Replace empty strings with a .\r
1489 (my $ou = $cgiparams{'CERT_OU'}) =~ s/^\s*$/\./;\r
1490 (my $city = $cgiparams{'CERT_CITY'}) =~ s/^\s*$/\./;\r
1491 (my $state = $cgiparams{'CERT_STATE'}) =~ s/^\s*$/\./;\r
1492\r
1493 # Create the Host certificate request\r
1494 my $pid = open(OPENSSL, "|-");\r
1495 $SIG{ALRM} = sub { $errormessage = $Lang::tr{'broken pipe'}; goto VPNCONF_ERROR;};\r
1496 if ($pid) { # parent\r
1497 print OPENSSL "$cgiparams{'CERT_COUNTRY'}\n";\r
1498 print OPENSSL "$state\n";\r
1499 print OPENSSL "$city\n";\r
1500 print OPENSSL "$cgiparams{'CERT_ORGANIZATION'}\n";\r
1501 print OPENSSL "$ou\n";\r
1502 print OPENSSL "$cgiparams{'CERT_NAME'}\n";\r
1503 print OPENSSL "$cgiparams{'CERT_EMAIL'}\n";\r
1504 print OPENSSL ".\n";\r
1505 print OPENSSL ".\n";\r
1506 close (OPENSSL);\r
1507 if ($?) {\r
1508 $errormessage = "$Lang::tr{'openssl produced an error'}: $?";\r
1509 unlink ("${General::swroot}/certs/$cgiparams{'NAME'}key.pem");\r
1510 unlink ("${General::swroot}/certs/$cgiparams{'NAME'}req.pem");\r
1511 goto VPNCONF_ERROR;\r
1512 }\r
1513 } else { # child\r
1514 unless (exec ('/usr/bin/openssl', 'req', '-nodes', '-rand', '/proc/interrupts:/proc/net/rt_cache',\r
1515 '-newkey', 'rsa:1024',\r
1516 '-keyout', "${General::swroot}/certs/$cgiparams{'NAME'}key.pem",\r
1517 '-out', "${General::swroot}/certs/$cgiparams{'NAME'}req.pem")) {\r
1518 $errormessage = "$Lang::tr{'cant start openssl'}: $!";\r
1519 unlink ("${General::swroot}/certs/$cgiparams{'NAME'}key.pem");\r
1520 unlink ("${General::swroot}/certs/$cgiparams{'NAME'}req.pem");\r
1521 goto VPNCONF_ERROR;\r
1522 }\r
1523 }\r
1524 \r
1525 # Sign the host certificate request\r
1526 system('/usr/bin/openssl', 'ca', '-days', '999999',\r
1527 '-batch', '-notext',\r
1528 '-in', "${General::swroot}/certs/$cgiparams{'NAME'}req.pem",\r
1529 '-out', "${General::swroot}/certs/$cgiparams{'NAME'}cert.pem");\r
1530 if ($?) {\r
1531 $errormessage = "$Lang::tr{'openssl produced an error'}: $?";\r
1532 unlink ("${General::swroot}/certs/$cgiparams{'NAME'}key.pem");\r
1533 unlink ("${General::swroot}/certs/$cgiparams{'NAME'}req.pem");\r
1534 unlink ("${General::swroot}/certs/$cgiparams{'NAME'}cert.pem");\r
1535 &cleanssldatabase();\r
1536 goto VPNCONF_ERROR;\r
1537 } else {\r
1538 unlink ("${General::swroot}/certs/$cgiparams{'NAME'}req.pem");\r
1539 &cleanssldatabase();\r
1540 }\r
1541\r
1542 # Create the pkcs12 file\r
1543 system('/usr/bin/openssl', 'pkcs12', '-export', \r
1544 '-inkey', "${General::swroot}/certs/$cgiparams{'NAME'}key.pem",\r
1545 '-in', "${General::swroot}/certs/$cgiparams{'NAME'}cert.pem",\r
1546 '-name', $cgiparams{'NAME'},\r
1547 '-passout', "pass:$cgiparams{'CERT_PASS1'}",\r
1548 '-certfile', "${General::swroot}/ca/cacert.pem", \r
1549 '-caname', "$vpnsettings{'ROOTCERT_ORGANIZATION'} CA",\r
1550 '-out', "${General::swroot}/certs/$cgiparams{'NAME'}.p12");\r
1551 if ($?) {\r
1552 $errormessage = "$Lang::tr{'openssl produced an error'}: $?";\r
1553 unlink ("${General::swroot}/certs/$cgiparams{'NAME'}key.pem");\r
1554 unlink ("${General::swroot}/certs/$cgiparams{'NAME'}cert.pem");\r
1555 unlink ("${General::swroot}/certs/$cgiparams{'NAME'}.p12");\r
1556 goto VPNCONF_ERROR;\r
1557 } else {\r
1558 unlink ("${General::swroot}/certs/$cgiparams{'NAME'}key.pem");\r
1559 }\r
1560 } elsif ($cgiparams{'AUTH'} eq 'cert') {\r
1561 ;# Nothing, just editing\r
1562 } else {\r
1563 $errormessage = $Lang::tr{'invalid input for authentication method'};\r
1564 goto VPNCONF_ERROR;\r
1565 }\r
1566\r
1567 # Check if there is no other entry with this common name\r
1568 if ((! $cgiparams{'KEY'}) && ($cgiparams{'AUTH'} ne 'psk')) {\r
1569 foreach my $key (keys %confighash) {\r
1570 if ($confighash{$key}[2] eq $cgiparams{'CERT_NAME'}) {\r
1571 $errormessage = $Lang::tr{'a connection with this common name already exists'};\r
1572 goto VPNCONF_ERROR;\r
1573 }\r
1574 }\r
1575 }\r
1576\r
1577 # Save the config\r
1578 my $key = $cgiparams{'KEY'};\r
1579 if (! $key) {\r
1580 $key = &General::findhasharraykey (\%confighash);\r
1581 foreach my $i (0 .. 28) { $confighash{$key}[$i] = "";}\r
1582 }\r
1583 $confighash{$key}[0] = $cgiparams{'ENABLED'};\r
1584 $confighash{$key}[1] = $cgiparams{'NAME'};\r
1585 if ((! $cgiparams{'KEY'}) && $cgiparams{'AUTH'} ne 'psk') {\r
1586 $confighash{$key}[2] = $cgiparams{'CERT_NAME'};\r
1587 }\r
1588 $confighash{$key}[3] = $cgiparams{'TYPE'};\r
1589 if ($cgiparams{'AUTH'} eq 'psk') {\r
1590 $confighash{$key}[4] = 'psk';\r
1591 $confighash{$key}[5] = $cgiparams{'PSK'};\r
1592 } else {\r
1593 $confighash{$key}[4] = 'cert';\r
1594 }\r
1595 if ($cgiparams{'TYPE'} eq 'net') {\r
1596 $confighash{$key}[6] = $cgiparams{'SIDE'};\r
1597 $confighash{$key}[11] = $cgiparams{'REMOTE_SUBNET'};\r
1598 }\r
1599 $confighash{$key}[7] = $cgiparams{'LOCAL_ID'};\r
1600 $confighash{$key}[8] = $cgiparams{'LOCAL_SUBNET'};\r
1601 $confighash{$key}[9] = $cgiparams{'REMOTE_ID'};\r
1602 $confighash{$key}[10] = $cgiparams{'REMOTE'};\r
1603 $confighash{$key}[25] = $cgiparams{'REMARK'};\r
1604 $confighash{$key}[26] = $cgiparams{'INTERFACE'};\r
1605 $confighash{$key}[27] = $cgiparams{'DPD_ACTION'};\r
1606 $confighash{$key}[28] = $cgiparams{'PFS_YES_NO'};\r
1607\r
1608 #use default advanced value\r
1609 $confighash{$key}[14] = 'on';\r
1610 $confighash{$key}[13] = 'off';\r
1611 $confighash{$key}[18] = 'aes128|3des';\r
1612 $confighash{$key}[19] = 'sha|md5';\r
1613 $confighash{$key}[20] = '1536|1024';\r
1614 $confighash{$key}[16] = '1';\r
1615 $confighash{$key}[21] = 'aes128|3des';\r
1616 $confighash{$key}[22] = 'sha1|md5';\r
1617 $confighash{$key}[23] = '';\r
1618 $confighash{$key}[17] = '8';\r
1619 $confighash{$key}[24] = 'off';\r
1620\r
1621 #free unused fields!\r
1622 #$confighash{$key}[12] = '';\r
1623 #$confighash{$key}[15] = '';\r
1624\r
1625 &General::writehasharray("${General::swroot}/vpn/config", \%confighash);\r
1626 &writeipsecfiles();\r
1627 if ($vpnsettings{'ENABLED'} eq 'on' ||\r
1628 $vpnsettings{'ENABLED_BLUE'} eq 'on') {\r
1629 system('/usr/local/bin/ipsecctrl', 'S', $key);\r
1630 sleep $sleepDelay;\r
1631 }\r
1632 if ($cgiparams{'EDIT_ADVANCED'} eq 'on') {\r
1633 $cgiparams{'KEY'} = $key;\r
1634 $cgiparams{'ACTION'} = $Lang::tr{'advanced'};\r
1635 }\r
1636 goto VPNCONF_END;\r
1637 } else { # add new connection\r
1638 $cgiparams{'ENABLED'} = 'on';\r
1639 $cgiparams{'SIDE'} = 'left';\r
1640 if ( ! -f "${General::swroot}/private/cakey.pem" ) {\r
1641 $cgiparams{'AUTH'} = 'psk';\r
1642 } elsif ( ! -f "${General::swroot}/ca/cacert.pem") {\r
1643 $cgiparams{'AUTH'} = 'certfile';\r
1644 } else {\r
1645 $cgiparams{'AUTH'} = 'certgen';\r
1646 }\r
1647 $cgiparams{'LOCAL_SUBNET'} ="$netsettings{'GREEN_NETADDRESS'}/$netsettings{'GREEN_NETMASK'}";\r
1648 $cgiparams{'CERT_ORGANIZATION'} = $vpnsettings{'ROOTCERT_ORGANIZATION'};\r
1649 $cgiparams{'CERT_CITY'} = $vpnsettings{'ROOTCERT_CITY'};\r
1650 $cgiparams{'CERT_STATE'} = $vpnsettings{'ROOTCERT_STATE'};\r
1651 $cgiparams{'CERT_COUNTRY'} = $vpnsettings{'ROOTCERT_COUNTRY'};\r
1652\r
1653 # choose appropriate dpd action \r
1654 if ($cgiparams{'TYPE'} eq 'host') {\r
1655 $cgiparams{'DPD_ACTION'} = 'clear';\r
1656 } else {\r
1657 $cgiparams{'DPD_ACTION'} = 'hold'; #restart when available!\r
1658 }\r
1659\r
1660 # Default is yes for 'pfs'\r
1661 $cgiparams{'PFS_YES_NO'} = 'yes';\r
1662 \r
1663 # ID are empty\r
1664 $cgiparams{'LOCAL_ID'} = '';\r
1665 $cgiparams{'REMOTE_ID'} = '';\r
1666 \r
1667 }\r
1668\r
1669 VPNCONF_ERROR:\r
1670 $checked{'ENABLED'}{'off'} = '';\r
1671 $checked{'ENABLED'}{'on'} = '';\r
1672 $checked{'ENABLED'}{$cgiparams{'ENABLED'}} = "checked='checked'";\r
1673 $checked{'ENABLED_BLUE'}{'off'} = '';\r
1674 $checked{'ENABLED_BLUE'}{'on'} = '';\r
1675 $checked{'ENABLED_BLUE'}{$cgiparams{'ENABLED_BLUE'}} = "checked='checked'";\r
1676\r
1677 $checked{'EDIT_ADVANCED'}{'off'} = '';\r
1678 $checked{'EDIT_ADVANCED'}{'on'} = '';\r
1679 $checked{'EDIT_ADVANCED'}{$cgiparams{'EDIT_ADVANCED'}} = "checked='checked'";\r
1680\r
1681 $selected{'SIDE'}{'left'} = '';\r
1682 $selected{'SIDE'}{'right'} = '';\r
1683 $selected{'SIDE'}{$cgiparams{'SIDE'}} = "selected='selected'";\r
1684\r
1685 $checked{'AUTH'}{'psk'} = '';\r
1686 $checked{'AUTH'}{'certreq'} = '';\r
1687 $checked{'AUTH'}{'certgen'} = '';\r
1688 $checked{'AUTH'}{'certfile'} = '';\r
1689 $checked{'AUTH'}{$cgiparams{'AUTH'}} = "checked='checked'";\r
1690\r
1691 $selected{'INTERFACE'}{$cgiparams{'INTERFACE'}} = "selected='selected'";\r
1692 $selected{'DPD_ACTION'}{$cgiparams{'DPD_ACTION'}} = "selected='selected'";\r
1693 $selected{'PFS_YES_NO'}{$cgiparams{'PFS_YES_NO'}} = "selected='selected'";\r
1694\r
1695 if (1) {\r
1696 &Header::showhttpheaders();\r
1697 &Header::openpage($Lang::tr{'vpn configuration main'}, 1, '');\r
1698 &Header::openbigbox('100%', 'LEFT', '', $errormessage);\r
1699 if ($errormessage) {\r
1700 &Header::openbox('100%', 'LEFT', $Lang::tr{'error messages'});\r
1701 print "<class name='base'>$errormessage";\r
1702 print "&nbsp;</class>";\r
1703 &Header::closebox();\r
1704 }\r
1705\r
1706 if ($warnmessage) {\r
1707 &Header::openbox('100%', 'LEFT', "$Lang::tr{'warning messages'}:");\r
1708 print "<class name='base'>$warnmessage";\r
1709 print "&nbsp;</class>";\r
1710 &Header::closebox();\r
1711 }\r
1712\r
1713 print "<form method='post' enctype='multipart/form-data'>";\r
1714 print "<input type='hidden' name='TYPE' value='$cgiparams{'TYPE'}' />";\r
1715\r
1716 if ($cgiparams{'KEY'}) {\r
1717 print "<input type='hidden' name='KEY' value='$cgiparams{'KEY'}' />";\r
1718 print "<input type='hidden' name='AUTH' value='$cgiparams{'AUTH'}' />";\r
1719 }\r
1720\r
1721 &Header::openbox('100%', 'LEFT', "$Lang::tr{'connection'}:");\r
1722 print "<table width='100%'>";\r
1723 print "<tr><td width='25%' class='boldbase'>$Lang::tr{'name'}:</td>";\r
1724 if ($cgiparams{'KEY'}) {\r
1725 print "<td width='25%' class='base'><input type='hidden' name='NAME' value='$cgiparams{'NAME'}' /><b>$cgiparams{'NAME'}</b></td>";\r
1726 } else {\r
1727 print "<td width='25%'><input type='text' name='NAME' value='$cgiparams{'NAME'}' maxlength='20' size='30' /></td>";\r
1728 }\r
1729 print "<td>$Lang::tr{'enabled'}</td><td><input type='checkbox' name='ENABLED' $checked{'ENABLED'}{'on'} /></td></tr>";\r
1730 \r
1731 if ($cgiparams{'TYPE'} eq 'host') {\r
1732\r
1733 print "<tr><td>$Lang::tr{'interface'}</td>";\r
1734 print "<td><select name='INTERFACE'>";\r
1735 print "<option value='RED' $selected{'INTERFACE'}{'RED'}>RED</option>";\r
1736 print "<option value='BLUE' $selected{'INTERFACE'}{'BLUE'}>BLUE</option>" if ($netsettings{'BLUE_DEV'} ne '');\r
1737# print "<option value='GREEN' $selected{'INTERFACE'}{'GREEN'}>GREEN</option>";\r
1738# print "<option value='ORANGE' $selected{'INTERFACE'}{'ORANGE'}>ORANGE</option>";\r
1739 print "</select></td></tr>";\r
1740 print <<END\r
1741 <tr><td class='boldbase'>$Lang::tr{'local subnet'}</td>\r
1742 <td><input type='text' name='LOCAL_SUBNET' value='$cgiparams{'LOCAL_SUBNET'}' size='30' /></td>\r
1743 <td colspan='2'>&nbsp;</td></tr>\r
1744 <tr><td class='boldbase'>$Lang::tr{'remote host/ip'}:&nbsp;<img src='/blob.gif' alt='*' /></td>\r
1745 <td><input type='text' name='REMOTE' value='$cgiparams{'REMOTE'}' size='30' /></td>\r
1746 <td colspan='2'>&nbsp;</td></tr>\r
1747END\r
1748 ;\r
1749 } else {\r
1750 print <<END\r
1751 <tr><input type='hidden' name='INTERFACE' value='RED' />\r
1752 <td class='boldbase' nowrap='nowrap'>$Lang::tr{'ipcop side'}</td>\r
1753 <td><select name='SIDE'><option value='left' $selected{'SIDE'}{'left'}>left</option>\r
1754 <option value='right' $selected{'SIDE'}{'right'}>right</option></select></td>\r
1755 <td class='boldbase'>$Lang::tr{'remote host/ip'}:</td>\r
1756 <td><input type='TEXT' name='REMOTE' value='$cgiparams{'REMOTE'}' size ='30' /></td></tr>\r
1757 <tr><td class='boldbase' nowrap='nowrap'>$Lang::tr{'local subnet'}</td>\r
1758 <td><input type='TEXT' name='LOCAL_SUBNET' value='$cgiparams{'LOCAL_SUBNET'}' size='30' /></td>\r
1759 <td class='boldbase' nowrap='nowrap'>$Lang::tr{'remote subnet'}</td>\r
1760 <td><input type='text' name='REMOTE_SUBNET' value='$cgiparams{'REMOTE_SUBNET'}' size='30' /></td></tr>\r
1761END\r
1762 ;\r
1763 }\r
1764 print <<END\r
1765 <tr><td>$Lang::tr{'dpd action'}:</td>\r
1766 <td><select name='DPD_ACTION'>\r
1767 <option value='clear' $selected{'DPD_ACTION'}{'clear'}>clear</option>\r
1768 <option value='hold' $selected{'DPD_ACTION'}{'hold'}>hold</option>\r
1769 <option value='restart' $selected{'DPD_ACTION'}{'restart'}>restart</option>\r
1770 </select>&nbsp; <a href='http://www.openswan.com/docs/local/README.DPD'>?</a></td>\r
1771<!-- http://www.openswan.com/docs/local/README.DPD\r
1772 http://bugs.xelerance.com/view.php?id=156\r
1773 restart = clear + reinitiate connection\r
1774--> <td width='25%'>$Lang::tr{'pfs yes no'}:</td>\r
1775 <td width='25%'><select name='PFS_YES_NO'>\r
1776 <option value='yes' $selected{'PFS_YES_NO'}{'yes'}>$Lang::tr{'yes'}</option>\r
1777 <option value='no' $selected{'PFS_YES_NO'}{'no'}>$Lang::tr{'no'}</option>\r
1778 </select></td></tr>\r
1779 <td><b>$Lang::tr{'options'}</b></td>\r
1780 <tr><td class='boldbase'>leftid:&nbsp;<img src='/blob.gif' alt='*' />\r
1781 <br />($Lang::tr{'eg'} <tt>&#64;xy.example.com</tt>)</td>\r
1782 <td><input type='text' name='LOCAL_ID' value='$cgiparams{'LOCAL_ID'}' maxlength='50' /></td>\r
1783 <td class='boldbase'>rightid:&nbsp;<img src='/blob.gif' alt='*' /></td>\r
1784 <td><input type='text' name='REMOTE_ID' value='$cgiparams{'REMOTE_ID'}' maxlength='50' /></td></tr>\r
1785 <tr><td class='boldbase'>$Lang::tr{'remark title'}&nbsp;<img src='/blob.gif' alt='*' /></td>\r
1786 <td colspan='3'><input type='text' name='REMARK' value='$cgiparams{'REMARK'}' size='55' maxlength='50' /></td></tr>\r
1787END\r
1788 ;\r
1789 if (!$cgiparams{'KEY'}) {\r
1790 print "<tr><td colspan='3'><input type='checkbox' name='EDIT_ADVANCED' $checked{'EDIT_ADVANCED'}{'on'} /> $Lang::tr{'edit advanced settings when done'}</td></tr>";\r
1791 }\r
1792 print "</table>";\r
1793 &Header::closebox();\r
1794 \r
1795 if ($cgiparams{'KEY'} && $cgiparams{'AUTH'} eq 'psk') {\r
1796 &Header::openbox('100%', 'LEFT', $Lang::tr{'authentication'});\r
1797 print <<END\r
1798 <table width='100%' cellpadding='0' cellspacing='5' border='0'>\r
1799 <tr><td class='base' width='50%'>$Lang::tr{'use a pre-shared key'}</td>\r
1800 <td class='base' width='50%'><input type='text' name='PSK' size='30' value='$cgiparams{'PSK'}' /></td></tr>\r
1801 </table>\r
1802END\r
1803 ;\r
1804 &Header::closebox();\r
1805 } elsif (! $cgiparams{'KEY'}) {\r
1806 my $disabled='';\r
1807 my $cakeydisabled='';\r
1808 my $cacrtdisabled='';\r
1809 if ( ! -f "${General::swroot}/private/cakey.pem" ) { $cakeydisabled = "disabled='disabled'" } else { $cakeydisabled = "" };\r
1810 if ( ! -f "${General::swroot}/ca/cacert.pem" ) { $cacrtdisabled = "disabled='disabled'" } else { $cacrtdisabled = "" };\r
1811 &Header::openbox('100%', 'LEFT', $Lang::tr{'authentication'});\r
1812 print <<END\r
1813 <table width='100%' cellpadding='0' cellspacing='5' border='0'>\r
1814 <tr><td width='5%'><input type='radio' name='AUTH' value='psk' $checked{'AUTH'}{'psk'} /></td>\r
1815 <td class='base' width='45%'>$Lang::tr{'use a pre-shared key'}</td>\r
1816 <td class='base' width='50%'><input type='text' name='PSK' size='30' value='$cgiparams{'PSK'}' /></td></tr>\r
1817 <tr><td colspan='3' bgcolor='#000000'><img src='/images/null.gif' width='1' height='1' border='0' /></td></tr>\r
1818 <tr><td><input type='radio' name='AUTH' value='certreq' $checked{'AUTH'}{'certreq'} $cakeydisabled /></td>\r
1819 <td class='base'>$Lang::tr{'upload a certificate request'}</td>\r
1820 <td class='base' rowspan='2'><input type='file' name='FH' size='30' $cacrtdisabled></td></tr>\r
1821 <tr><td><input type='radio' name='AUTH' value='certfile' $checked{'AUTH'}{'certfile'} $cacrtdisabled /></td>\r
1822 <td class='base'>$Lang::tr{'upload a certificate'}</td></tr>\r
1823 <tr><td colspan='3' bgcolor='#000000'><img src='/images/null.gif' width='1' height='1' BORDER='0' /></td></tr>\r
1824 <tr><td><input type='radio' name='AUTH' value='certgen' $checked{'AUTH'}{'certgen'} $cakeydisabled /></td>\r
1825 <td class='base'>$Lang::tr{'generate a certificate'}</td><td>&nbsp;</td></tr>\r
1826 <tr><td>&nbsp;</td>\r
1827 <td class='base'>$Lang::tr{'users fullname or system hostname'}:</td>\r
1828 <td class='base' nowrap='nowrap'><input type='text' name='CERT_NAME' value='$cgiparams{'CERT_NAME'}' SIZE='32' $cakeydisabled /></td></tr>\r
1829 <tr><td>&nbsp;</td>\r
1830 <td class='base'>$Lang::tr{'users email'}:&nbsp;<img src='/blob.gif' alt='*' /></td>\r
1831 <td class='base' nowrap='nowrap'><input type='text' name='CERT_EMAIL' value='$cgiparams{'CERT_EMAIL'}' SIZE='32' $cakeydisabled /></td></tr>\r
1832 <tr><td>&nbsp;</td>\r
1833 <td class='base'>$Lang::tr{'users department'}:&nbsp;<img src='/blob.gif' alt='*' /></td>\r
1834 <td class='base' nowrap='nowrap'><input type='text' name='CERT_OU' value='$cgiparams{'CERT_OU'}' SIZE='32' $cakeydisabled /></td></tr>\r
1835 <tr><td>&nbsp;</td>\r
1836 <td class='base'>$Lang::tr{'organization name'}:&nbsp;<img src='/blob.gif' alt='*' /></td>\r
1837 <td class='base' nowrap='nowrap'><input type='text' name='CERT_ORGANIZATION' value='$cgiparams{'CERT_ORGANIZATION'}' SIZE='32' $cakeydisabled /></td></tr>\r
1838 <tr><td>&nbsp;</td>\r
1839 <td class='base'>$Lang::tr{'city'}:&nbsp;<img src='/blob.gif' alt='*' /></td>\r
1840 <td class='base' nowrap='nowrap'><input type='text' name='CERT_CITY' value='$cgiparams{'CERT_CITY'}' SIZE='32' $cakeydisabled /></td></tr>\r
1841 <tr><td>&nbsp;</td>\r
1842 <td class='base'>$Lang::tr{'state or province'}:&nbsp;<img src='/blob.gif' alt='*' /></td>\r
1843 <td class='base' nowrap='nowrap'><input type='text' name='CERT_STATE' value='$cgiparams{'CERT_STATE'}' SIZE='32' $cakeydisabled /></td></tr>\r
1844 <tr><td>&nbsp;</td>\r
1845 <td class='base'>$Lang::tr{'country'}:</td>\r
1846 <td class='base'><select name='CERT_COUNTRY' $cakeydisabled>\r
1847END\r
1848 ;\r
1849 foreach my $country (sort keys %{Countries::countries}) {\r
1850 print "\t\t\t<option value='$Countries::countries{$country}'";\r
1851 if ( $Countries::countries{$country} eq $cgiparams{'CERT_COUNTRY'} ) {\r
1852 print " selected='selected'";\r
1853 }\r
1854 print ">$country</option>\n";\r
1855 }\r
1856 print <<END\r
1857 </select></td></tr>\r
1858 <tr><td>&nbsp;</td>\r
1859 <td class='base'>$Lang::tr{'pkcs12 file password'}:</td>\r
1860 <td class='base' nowrap='nowrap'><input type='password' name='CERT_PASS1' value='$cgiparams{'CERT_PASS1'}' size='32' $cakeydisabled /></td></tr>\r
1861 <tr><td>&nbsp;</td><td class='base'>$Lang::tr{'pkcs12 file password'}:<BR>($Lang::tr{'confirmation'})</td>\r
1862 <td class='base' nowrap='nowrap'><input type='password' name='CERT_PASS2' value='$cgiparams{'CERT_PASS2'}' size='32' $cakeydisabled /></td></tr>\r
1863 </table>\r
1864END\r
1865 ;\r
1866 &Header::closebox();\r
1867 }\r
1868\r
1869 print "<div align='center'><input type='submit' name='ACTION' value='$Lang::tr{'save'}' />";\r
1870 if ($cgiparams{'KEY'}) {\r
1871 print "<input type='submit' name='ACTION' value='$Lang::tr{'advanced'}' />";\r
1872 }\r
1873 print "<input type='submit' name='ACTION' value='$Lang::tr{'cancel'}' /></div></form>";\r
1874 &Header::closebigbox();\r
1875 &Header::closepage();\r
1876 exit (0);\r
1877 }\r
1878 VPNCONF_END:\r
1879}\r
1880\r
1881###\r
1882### Advanced settings\r
1883###\r
1884if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) ||\r
1885 ($cgiparams{'ACTION'} eq $Lang::tr{'save'} && $cgiparams{'ADVANCED'} eq 'yes')) {\r
1886 &General::readhash("${General::swroot}/vpn/settings", \%vpnsettings);\r
1887 &General::readhasharray("${General::swroot}/vpn/config", \%confighash);\r
1888 if (! $confighash{$cgiparams{'KEY'}}) {\r
1889 $errormessage = $Lang::tr{'invalid key'};\r
1890 goto ADVANCED_END;\r
1891 }\r
1892\r
1893 if ($cgiparams{'ACTION'} eq $Lang::tr{'save'}) {\r
1894 if ($cgiparams{'NAT'} !~ /^(on|off)$/) {\r
1895 $errormessage = $Lang::tr{'invalid input'};\r
1896 goto ADVANCED_ERROR;\r
1897 }\r
1898 if ($cgiparams{'COMPRESSION'} !~ /^(on|off)$/) {\r
1899 $errormessage = $Lang::tr{'invalid input'};\r
1900 goto ADVANCED_ERROR;\r
1901 }\r
1902 if ($cgiparams{'NAT'} eq 'on' && $cgiparams{'COMPRESSION'} eq 'on') {\r
1903 $errormessage = $Lang::tr{'cannot enable both nat traversal and compression'};\r
1904 goto ADVANCED_ERROR;\r
1905 }\r
1906 my @temp = split('\|', $cgiparams{'IKE_ENCRYPTION'});\r
1907 if ($#temp < 0) {\r
1908 $errormessage = $Lang::tr{'invalid input'};\r
1909 goto ADVANCED_ERROR;\r
1910 }\r
1911 foreach my $val (@temp) {\r
1912 if ($val !~ /^(aes256|aes128|3des|twofish256|twofish128|serpent256|serpent128|blowfish256|blowfish128|cast128)$/) {\r
1913 $errormessage = $Lang::tr{'invalid input'};\r
1914 goto ADVANCED_ERROR;\r
1915 }\r
1916 }\r
1917 @temp = split('\|', $cgiparams{'IKE_INTEGRITY'});\r
1918 if ($#temp < 0) {\r
1919 $errormessage = $Lang::tr{'invalid input'};\r
1920 goto ADVANCED_ERROR;\r
1921 }\r
1922 foreach my $val (@temp) {\r
1923 if ($val !~ /^(sha2_512|sha2_256|sha|md5)$/) {\r
1924 $errormessage = $Lang::tr{'invalid input'};\r
1925 goto ADVANCED_ERROR;\r
1926 }\r
1927 }\r
1928 @temp = split('\|', $cgiparams{'IKE_GROUPTYPE'});\r
1929 if ($#temp < 0) {\r
1930 $errormessage = $Lang::tr{'invalid input'};\r
1931 goto ADVANCED_ERROR;\r
1932 }\r
1933 foreach my $val (@temp) {\r
1934 if ($val !~ /^(768|1024|1536|2048|3072|4096|6144|8192)$/) {\r
1935 $errormessage = $Lang::tr{'invalid input'};\r
1936 goto ADVANCED_ERROR;\r
1937 }\r
1938 }\r
1939 if ($cgiparams{'IKE_LIFETIME'} !~ /^\d+$/) {\r
1940 $errormessage = $Lang::tr{'invalid input for ike lifetime'};\r
1941 goto ADVANCED_ERROR;\r
1942 }\r
1943 if ($cgiparams{'IKE_LIFETIME'} < 1 || $cgiparams{'IKE_LIFETIME'} > 8) {\r
1944 $errormessage = $Lang::tr{'ike lifetime should be between 1 and 8 hours'};\r
1945 goto ADVANCED_ERROR;\r
1946 }\r
1947 @temp = split('\|', $cgiparams{'ESP_ENCRYPTION'});\r
1948 if ($#temp < 0) {\r
1949 $errormessage = $Lang::tr{'invalid input'};\r
1950 goto ADVANCED_ERROR;\r
1951 }\r
1952 foreach my $val (@temp) {\r
1953 if ($val !~ /^(aes256|aes128|3des|twofish256|twofish128|serpent256|serpent128|blowfish256|blowfish128)$/) {\r
1954 $errormessage = $Lang::tr{'invalid input'};\r
1955 goto ADVANCED_ERROR;\r
1956 }\r
1957 }\r
1958 @temp = split('\|', $cgiparams{'ESP_INTEGRITY'});\r
1959 if ($#temp < 0) {\r
1960 $errormessage = $Lang::tr{'invalid input'};\r
1961 goto ADVANCED_ERROR;\r
1962 }\r
1963 foreach my $val (@temp) {\r
1964 if ($val !~ /^(sha2_512|sha2_256|sha1|md5)$/) {\r
1965 $errormessage = $Lang::tr{'invalid input'};\r
1966 goto ADVANCED_ERROR;\r
1967 }\r
1968 }\r
1969 if ($cgiparams{'ESP_GROUPTYPE'} ne '' &&\r
1970 $cgiparams{'ESP_GROUPTYPE'} !~ /^modp(768|1024|1536|2048|3072|4096)$/) {\r
1971 $errormessage = $Lang::tr{'invalid input'};\r
1972 goto ADVANCED_ERROR;\r
1973 }\r
1974\r
1975 if ($cgiparams{'ESP_KEYLIFE'} !~ /^\d+$/) {\r
1976 $errormessage = $Lang::tr{'invalid input for esp keylife'};\r
1977 goto ADVANCED_ERROR;\r
1978 }\r
1979 if ($cgiparams{'ESP_KEYLIFE'} < 1 || $cgiparams{'ESP_KEYLIFE'} > 24) {\r
1980 $errormessage = $Lang::tr{'esp keylife should be between 1 and 24 hours'};\r
1981 goto ADVANCED_ERROR;\r
1982 }\r
1983 if ($cgiparams{'ONLY_PROPOSED'} !~ /^(on|off)$/) {\r
1984 $errormessage = $Lang::tr{'invalid input'};\r
1985 goto ADVANCED_ERROR;\r
1986 }\r
1987 $confighash{$cgiparams{'KEY'}}[14] = $cgiparams{'NAT'};\r
1988 $confighash{$cgiparams{'KEY'}}[13] = $cgiparams{'COMPRESSION'};\r
1989 $confighash{$cgiparams{'KEY'}}[18] = $cgiparams{'IKE_ENCRYPTION'};\r
1990 $confighash{$cgiparams{'KEY'}}[19] = $cgiparams{'IKE_INTEGRITY'};\r
1991 $confighash{$cgiparams{'KEY'}}[20] = $cgiparams{'IKE_GROUPTYPE'};\r
1992 $confighash{$cgiparams{'KEY'}}[16] = $cgiparams{'IKE_LIFETIME'};\r
1993 $confighash{$cgiparams{'KEY'}}[21] = $cgiparams{'ESP_ENCRYPTION'};\r
1994 $confighash{$cgiparams{'KEY'}}[22] = $cgiparams{'ESP_INTEGRITY'};\r
1995 $confighash{$cgiparams{'KEY'}}[23] = $cgiparams{'ESP_GROUPTYPE'};\r
1996 $confighash{$cgiparams{'KEY'}}[17] = $cgiparams{'ESP_KEYLIFE'};\r
1997 $confighash{$cgiparams{'KEY'}}[24] = $cgiparams{'ONLY_PROPOSED'};\r
1998 &General::writehasharray("${General::swroot}/vpn/config", \%confighash);\r
1999 &writeipsecfiles();\r
2000 if ($vpnsettings{'ENABLED'} eq 'on' ||\r
2001 $vpnsettings{'ENABLED_BLUE'} eq 'on') {\r
2002 system('/usr/local/bin/ipsecctrl', 'S', $cgiparams{'KEY'});\r
2003 sleep $sleepDelay;\r
2004 }\r
2005 goto ADVANCED_END;\r
2006 } else {\r
2007\r
2008 $cgiparams{'NAT'} = $confighash{$cgiparams{'KEY'}}[14];\r
2009 $cgiparams{'COMPRESSION'} = $confighash{$cgiparams{'KEY'}}[13];\r
2010 $cgiparams{'IKE_ENCRYPTION'} = $confighash{$cgiparams{'KEY'}}[18];\r
2011 $cgiparams{'IKE_INTEGRITY'} = $confighash{$cgiparams{'KEY'}}[19];\r
2012 $cgiparams{'IKE_GROUPTYPE'} = $confighash{$cgiparams{'KEY'}}[20];\r
2013 $cgiparams{'IKE_LIFETIME'} = $confighash{$cgiparams{'KEY'}}[16];\r
2014 $cgiparams{'ESP_ENCRYPTION'} = $confighash{$cgiparams{'KEY'}}[21];\r
2015 $cgiparams{'ESP_INTEGRITY'} = $confighash{$cgiparams{'KEY'}}[22];\r
2016 $cgiparams{'ESP_GROUPTYPE'} = $confighash{$cgiparams{'KEY'}}[23];\r
2017 $cgiparams{'ESP_KEYLIFE'} = $confighash{$cgiparams{'KEY'}}[17];\r
2018 $cgiparams{'ONLY_PROPOSED'} = $confighash{$cgiparams{'KEY'}}[24];\r
2019 \r
2020 if ($confighash{$cgiparams{'KEY'}}[3] eq 'net' || $confighash{$cgiparams{'KEY'}}[10]) {\r
2021 $cgiparams{'NAT'} = 'off';\r
2022 }\r
2023 }\r
2024\r
2025 ADVANCED_ERROR:\r
2026 $checked{'NAT'}{'off'} = '';\r
2027 $checked{'NAT'}{'on'} = '';\r
2028 $checked{'NAT'}{$cgiparams{'NAT'}} = "checked='checked'";\r
2029 $checked{'COMPRESSION'}{'off'} = '';\r
2030 $checked{'COMPRESSION'}{'on'} = '';\r
2031 $checked{'COMPRESSION'}{$cgiparams{'COMPRESSION'}} = "checked='checked'";\r
2032 $checked{'IKE_ENCRYPTION'}{'aes256'} = '';\r
2033 $checked{'IKE_ENCRYPTION'}{'aes128'} = '';\r
2034 $checked{'IKE_ENCRYPTION'}{'3des'} = '';\r
2035 $checked{'IKE_ENCRYPTION'}{'twofish256'} = '';\r
2036 $checked{'IKE_ENCRYPTION'}{'twofish128'} = '';\r
2037 $checked{'IKE_ENCRYPTION'}{'serpent256'} = '';\r
2038 $checked{'IKE_ENCRYPTION'}{'serpent128'} = '';\r
2039 $checked{'IKE_ENCRYPTION'}{'blowfish256'} = '';\r
2040 $checked{'IKE_ENCRYPTION'}{'blowfish128'} = '';\r
2041 $checked{'IKE_ENCRYPTION'}{'cast128'} = '';\r
2042 my @temp = split('\|', $cgiparams{'IKE_ENCRYPTION'});\r
2043 foreach my $key (@temp) {$checked{'IKE_ENCRYPTION'}{$key} = "selected='selected'"; }\r
2044 $checked{'IKE_INTEGRITY'}{'sha2_512'} = '';\r
2045 $checked{'IKE_INTEGRITY'}{'sha2_256'} = '';\r
2046 $checked{'IKE_INTEGRITY'}{'sha'} = '';\r
2047 $checked{'IKE_INTEGRITY'}{'md5'} = '';\r
2048 @temp = split('\|', $cgiparams{'IKE_INTEGRITY'});\r
2049 foreach my $key (@temp) {$checked{'IKE_INTEGRITY'}{$key} = "selected='selected'"; }\r
2050 $checked{'IKE_GROUPTYPE'}{'768'} = '';\r
2051 $checked{'IKE_GROUPTYPE'}{'1024'} = '';\r
2052 $checked{'IKE_GROUPTYPE'}{'1536'} = '';\r
2053 $checked{'IKE_GROUPTYPE'}{'2048'} = '';\r
2054 $checked{'IKE_GROUPTYPE'}{'3072'} = '';\r
2055 $checked{'IKE_GROUPTYPE'}{'4096'} = '';\r
2056 $checked{'IKE_GROUPTYPE'}{'6144'} = '';\r
2057 $checked{'IKE_GROUPTYPE'}{'8192'} = '';\r
2058 @temp = split('\|', $cgiparams{'IKE_GROUPTYPE'});\r
2059 foreach my $key (@temp) {$checked{'IKE_GROUPTYPE'}{$key} = "selected='selected'"; }\r
2060 $checked{'ESP_ENCRYPTION'}{'aes256'} = '';\r
2061 $checked{'ESP_ENCRYPTION'}{'aes128'} = '';\r
2062 $checked{'ESP_ENCRYPTION'}{'3des'} = '';\r
2063 $checked{'ESP_ENCRYPTION'}{'twofish256'} = '';\r
2064 $checked{'ESP_ENCRYPTION'}{'twofish128'} = '';\r
2065 $checked{'ESP_ENCRYPTION'}{'serpent256'} = '';\r
2066 $checked{'ESP_ENCRYPTION'}{'serpent128'} = '';\r
2067 $checked{'ESP_ENCRYPTION'}{'blowfish256'} = '';\r
2068 $checked{'ESP_ENCRYPTION'}{'blowfish128'} = '';\r
2069 @temp = split('\|', $cgiparams{'ESP_ENCRYPTION'});\r
2070 foreach my $key (@temp) {$checked{'ESP_ENCRYPTION'}{$key} = "selected='selected'"; }\r
2071 $checked{'ESP_INTEGRITY'}{'sha2_512'} = '';\r
2072 $checked{'ESP_INTEGRITY'}{'sha2_256'} = '';\r
2073 $checked{'ESP_INTEGRITY'}{'sha1'} = '';\r
2074 $checked{'ESP_INTEGRITY'}{'md5'} = '';\r
2075 @temp = split('\|', $cgiparams{'ESP_INTEGRITY'});\r
2076 foreach my $key (@temp) {$checked{'ESP_INTEGRITY'}{$key} = "selected='selected'"; }\r
2077 $checked{'ESP_GROUPTYPE'}{'modp768'} = '';\r
2078 $checked{'ESP_GROUPTYPE'}{'modp1024'} = '';\r
2079 $checked{'ESP_GROUPTYPE'}{'modp1536'} = '';\r
2080 $checked{'ESP_GROUPTYPE'}{'modp2048'} = '';\r
2081 $checked{'ESP_GROUPTYPE'}{'modp3072'} = '';\r
2082 $checked{'ESP_GROUPTYPE'}{'modp4096'} = '';\r
2083 $checked{'ESP_GROUPTYPE'}{$cgiparams{'ESP_GROUPTYPE'}} = "selected='selected'";\r
2084 $checked{'ONLY_PROPOSED'}{'off'} = '';\r
2085 $checked{'ONLY_PROPOSED'}{'on'} = '';\r
2086 $checked{'ONLY_PROPOSED'}{$cgiparams{'ONLY_PROPOSED'}} = "checked='checked'";\r
2087\r
2088 &Header::showhttpheaders();\r
2089 &Header::openpage($Lang::tr{'vpn configuration main'}, 1, '');\r
2090 &Header::openbigbox('100%', 'LEFT', '', $errormessage);\r
2091\r
2092 if ($errormessage) {\r
2093 &Header::openbox('100%', 'LEFT', $Lang::tr{'error messages'});\r
2094 print "<class name='base'>$errormessage";\r
2095 print "&nbsp;</class>";\r
2096 &Header::closebox();\r
2097 }\r
2098\r
2099 if ($warnmessage) {\r
2100 &Header::openbox('100%', 'LEFT', $Lang::tr{'warning messages'});\r
2101 print "<class name='base'>$warnmessage";\r
2102 print "&nbsp;</class>";\r
2103 &Header::closebox();\r
2104 }\r
2105\r
2106 print "<form method='post' enctype='multipart/form-data'>\n";\r
2107 print "<input type='hidden' name='ADVANCED' value='yes' />\n";\r
2108 print "<input type='hidden' name='KEY' value='$cgiparams{'KEY'}' />\n";\r
2109\r
2110 &Header::openbox('100%', 'LEFT', "$Lang::tr{'advanced'}:");\r
2111 print "<table width='100%'>\n";\r
2112 print "<tr><td width='25%' class='boldbase'>$Lang::tr{'compression'}</td>\n";\r
2113 print "<td width='25%'><input type='checkbox' name='COMPRESSION' $checked{'COMPRESSION'}{'on'} /></td>\n";\r
2114 if ($confighash{$cgiparams{'KEY'}}[3] eq 'net') {\r
2115 print "<td width='25%'><input type='hidden' name='NAT' value='off' /></td><td width='25%'>&nbsp;</td></tr>\n";\r
2116 } elsif ($confighash{$cgiparams{'KEY'}}[10]) {\r
2117 print "<td width='25%' class='boldbase'>$Lang::tr{'nat-traversal'}</td>\n";\r
2118 print "<td width='25%'><input type='checkbox' name='NAT' $checked{'NAT'}{'on'} disabled='disabled' /></td></tr>\n";\r
2119 } else {\r
2120 print "<td width='25%' class='boldbase'>$Lang::tr{'nat-traversal'}</td>\n";\r
2121 print "<td width='25%'><input type='checkbox' name='NAT' $checked{'NAT'}{'on'} /></td></tr>\n";\r
2122 }\r
2123 print <<EOF\r
2124 <tr><td width='25%' class='boldbase' valign='top'>$Lang::tr{'ike encryption'}</td>\r
2125 <td width='25%' valign='top'><select name='IKE_ENCRYPTION' multiple='multiple' size='4'>\r
2126 <option value='aes256' $checked{'IKE_ENCRYPTION'}{'aes256'}>AES (256 bit)</option>\r
2127 <option value='aes128' $checked{'IKE_ENCRYPTION'}{'aes128'}>AES (128 bit)</option>\r
2128 <option value='3des' $checked{'IKE_ENCRYPTION'}{'3des'}>3DES</option>\r
2129 <option value='twofish256' $checked{'IKE_ENCRYPTION'}{'twofish256'}>Twofish (256 bit)</option>\r
2130 <option value='twofish128' $checked{'IKE_ENCRYPTION'}{'twofish128'}>Twofish (128 bit)</option>\r
2131 <option value='serpent256' $checked{'IKE_ENCRYPTION'}{'serpent256'}>Serpent (256 bit)</option>\r
2132 <option value='serpent128' $checked{'IKE_ENCRYPTION'}{'serpent128'}>Serpent (128 bit)</option>\r
2133 <option value='blowfish256' $checked{'IKE_ENCRYPTION'}{'blowfish256'}>Blowfish (256 bit)</option>\r
2134 <option value='blowfish128' $checked{'IKE_ENCRYPTION'}{'blowfish128'}>Blowfish (128 bit)</option>\r
2135 <option value='cast128' $checked{'IKE_ENCRYPTION'}{'cast128'}>Cast (128 bit)</option></SELECT></td>\r
2136 <td width='25%' class='boldbase' valign='top'>$Lang::tr{'ike integrity'}</td>\r
2137 <td width='25%' valign='top'><select name='IKE_INTEGRITY' multiple='multiple' size='4'>\r
2138 <option value='sha2_512' $checked{'IKE_INTEGRITY'}{'sha2_512'}>SHA2 (512)</option>\r
2139 <option value='sha2_256' $checked{'IKE_INTEGRITY'}{'sha2_256'}>SHA2 (256)</option>\r
2140 <option value='sha' $checked{'IKE_INTEGRITY'}{'sha'}>SHA</option>\r
2141 <option value='md5' $checked{'IKE_INTEGRITY'}{'md5'}>MD5</option></SELECT></td></tr>\r
2142 <tr><td width='25%' class='boldbase' valign='top'>$Lang::tr{'ike lifetime'}</td>\r
2143 <td width='25%' valign='top'><input type='text' name='IKE_LIFETIME' value='$cgiparams{'IKE_LIFETIME'}' SIZE='5'> $Lang::tr{'hours'}</td>\r
2144 <td width='25%' class='boldbase' valign='top'>$Lang::tr{'ike grouptype'}</td>\r
2145 <td width='25%' valign='top'><select name='IKE_GROUPTYPE' multiple='multiple' size='4'>\r
2146 <option value='8192' $checked{'IKE_GROUPTYPE'}{'8192'}>MODP-8192</option>\r
2147 <option value='6144' $checked{'IKE_GROUPTYPE'}{'6144'}>MODP-6144</option>\r
2148 <option value='4096' $checked{'IKE_GROUPTYPE'}{'4096'}>MODP-4096</option>\r
2149 <option value='3072' $checked{'IKE_GROUPTYPE'}{'3072'}>MODP-3072</option>\r
2150 <option value='2048' $checked{'IKE_GROUPTYPE'}{'2048'}>MODP-2048</option>\r
2151 <option value='1536' $checked{'IKE_GROUPTYPE'}{'1536'}>MODP-1536</option>\r
2152 <option value='1024' $checked{'IKE_GROUPTYPE'}{'1024'}>MODP-1024</option>\r
2153 <option value='768' $checked{'IKE_GROUPTYPE'}{'768'}>MODP-768</option></select></td></tr>\r
2154 <tr><td width='25%' class='boldbase' valign='top'>$Lang::tr{'esp encryption'}</td>\r
2155 <td width='25%' valign='top'><select name='ESP_ENCRYPTION' multiple='multiple' size='4'>\r
2156 <option value='aes256' $checked{'ESP_ENCRYPTION'}{'aes256'}>AES (256 bit)</option>\r
2157 <option value='aes128' $checked{'ESP_ENCRYPTION'}{'aes128'}>AES (128 bit)</option>\r
2158 <option value='3des' $checked{'ESP_ENCRYPTION'}{'3des'}>3DES</option>\r
2159 <option value='twofish256' $checked{'ESP_ENCRYPTION'}{'twofish256'}>Twofish (256 bit)</option>\r
2160 <option value='twofish128' $checked{'ESP_ENCRYPTION'}{'twofish128'}>Twofish (128 bit)</option>\r
2161 <option value='serpent256' $checked{'ESP_ENCRYPTION'}{'serpent256'}>Serpent (256 bit)</option>\r
2162 <option value='serpent128' $checked{'ESP_ENCRYPTION'}{'serpent128'}>Serpent (128 bit)</option>\r
2163 <option value='blowfish256' $checked{'ESP_ENCRYPTION'}{'blowfish256'}>Blowfish (256 bit)</option>\r
2164 <option value='blowfish128' $checked{'ESP_ENCRYPTION'}{'blowfish128'}>Blowfish (128 bit)</option></select></td>\r
2165 <td width='25%' class='boldbase' valign='top'>$Lang::tr{'esp integrity'}</td>\r
2166 <td width='25%' valign='top'><select name='ESP_INTEGRITY' multiple='multiple' size='4'>\r
2167 <option value='sha2_512' $checked{'ESP_INTEGRITY'}{'sha2_512'}>SHA2 (512)</option>\r
2168 <option value='sha2_256' $checked{'ESP_INTEGRITY'}{'sha2_256'}>SHA2 (256)</option>\r
2169 <option value='sha1' $checked{'ESP_INTEGRITY'}{'sha1'}>SHA1</option>\r
2170 <option value='md5' $checked{'ESP_INTEGRITY'}{'md5'}>MD5</option></select></td></tr>\r
2171 <tr><td width='25%' class='boldbase' valign='top'>$Lang::tr{'esp keylife'}</td>\r
2172 <td width='25%' valign='top'><input type='text' name='ESP_KEYLIFE' value='$cgiparams{'ESP_KEYLIFE'}' size='5' /> $Lang::tr{'hours'}</td>\r
2173 <td width='25%' class='boldbase' valign='top'>$Lang::tr{'esp grouptype'}</td>\r
2174 <td width='25%' valign='top'><select name='ESP_GROUPTYPE'>\r
2175 <option value=''>$Lang::tr{'phase1 group'}</option>\r
2176 <option value='modp4096' $checked{'ESP_GROUPTYPE'}{'modp4096'}>MODP-4096</option>\r
2177 <option value='modp3072' $checked{'ESP_GROUPTYPE'}{'modp3072'}>MODP-3072</option>\r
2178 <option value='modp2048' $checked{'ESP_GROUPTYPE'}{'modp2048'}>MODP-2048</option>\r
2179 <option value='modp1536' $checked{'ESP_GROUPTYPE'}{'modp1536'}>MODP-1536</option>\r
2180 <option value='modp1024' $checked{'ESP_GROUPTYPE'}{'modp1024'}>MODP-1024</option>\r
2181 <option value='modp768' $checked{'ESP_GROUPTYPE'}{'modp768'}>MODP-768</option></select></td></tr>\r
2182 <tr><td colspan='4'><input type='CHECKBOX' name='ONLY_PROPOSED' $checked{'ONLY_PROPOSED'}{'on'} />\r
2183 $Lang::tr{'use only proposed settings'}</td></tr>\r
2184 </table>\r
2185EOF\r
2186 ;\r
2187 &Header::closebox();\r
2188 print "<div align='center'><input type='submit' name='ACTION' value='$Lang::tr{'save'}' />";\r
2189 print "<input type='submit' name='ACTION' value='$Lang::tr{'cancel'}' /></div></form>";\r
2190 &Header::closebigbox();\r
2191 &Header::closepage();\r
2192 exit(0);\r
2193\r
2194 ADVANCED_END:\r
2195}\r
2196\r
2197###\r
2198### Default status page\r
2199###\r
2200 %cgiparams = ();\r
2201 %cahash = ();\r
2202 %confighash = ();\r
2203 &General::readhash("${General::swroot}/vpn/settings", \%cgiparams);\r
2204 &General::readhasharray("${General::swroot}/vpn/caconfig", \%cahash);\r
2205 &General::readhasharray("${General::swroot}/vpn/config", \%confighash);\r
2206\r
2207 my @status = `/usr/sbin/ipsec auto --status`;\r
2208\r
2209 # suggest a default name for this side\r
2210 if ($cgiparams{'VPN_IP'} eq '' && -e "${General::swroot}/red/active") {\r
2211 if (open(IPADDR, "${General::swroot}/red/local-ipaddress")) {\r
2212 my $ipaddr = <IPADDR>;\r
2213 close IPADDR;\r
2214 chomp ($ipaddr);\r
2215 $cgiparams{'VPN_IP'} = (gethostbyaddr(pack("C4", split(/\./, $ipaddr)), 2))[0];\r
2216 if ($cgiparams{'VPN_IP'} eq '') {\r
2217 $cgiparams{'VPN_IP'} = $ipaddr;\r
2218 }\r
2219 }\r
2220 }\r
2221 # no IP found, use %defaultroute\r
2222 $cgiparams{'VPN_IP'} ='%defaultroute' if ($cgiparams{'VPN_IP'} eq '');\r
2223 \r
2224 $cgiparams{'VPN_DELAYED_START'} = 0 if (! defined ($cgiparams{'VPN_DELAYED_START'}));\r
2225 map ($checked{$_} = $cgiparams{$_} eq 'on' ? "checked='checked'" : '',\r
2226 ('ENABLED','ENABLED_BLUE','DBG_CRYPT','DBG_PARSING','DBG_EMITTING','DBG_CONTROL',\r
2227 'DBG_KLIPS','DBG_DNS','DBG_NAT_T'));\r
2228\r
2229\r
2230 &Header::showhttpheaders();\r
2231 &Header::openpage($Lang::tr{'vpn configuration main'}, 1, '');\r
2232 &Header::openbigbox('100%', 'LEFT', '', $errormessage);\r
2233\r
2234 if ($errormessage) {\r
2235 &Header::openbox('100%', 'LEFT', $Lang::tr{'error messages'});\r
2236 print "<class name='base'>$errormessage\n";\r
2237 print "&nbsp;</class>\n";\r
2238 &Header::closebox();\r
2239 }\r
2240\r
2241 &Header::openbox('100%', 'LEFT', $Lang::tr{'global settings'});\r
2242 print <<END\r
2243 <form method='post'>\r
2244 <table width='100%'>\r
2245 <tr>\r
2246 <td width='25%' class='base' nowrap='nowrap'>$Lang::tr{'local vpn hostname/ip'}:</td>\r
2247 <td width='25%'><input type='text' name='VPN_IP' value='$cgiparams{'VPN_IP'}' /></td>\r
2248 <td width='25%' class='base'>$Lang::tr{'enabled'}<input type='checkbox' name='ENABLED' $checked{'ENABLED'} /></td>\r
2249 </tr>\r
2250END\r
2251 ;\r
2252 if ($netsettings{'BLUE_DEV'} ne '') {\r
2253 print <<END\r
2254 <tr>\r
2255 <td width='25%' class='base' nowrap='nowrap'>$Lang::tr{'vpn on blue'}:</td>\r
2256 <td></td>\r
2257 <td width='25%' class='base'>$Lang::tr{'enabled'}<input type='checkbox' name='ENABLED_BLUE' $checked{'ENABLED_BLUE'} /></td>\r
2258 </tr>\r
2259END\r
2260 ;\r
2261 }\r
2262print <<END\r
2263 <td width='25%' class='base' nowrap='nowrap'>$Lang::tr{'vpn delayed start'}:&nbsp;<img src='/blob.gif' alt='*' /></td>\r
2264 <td width='25%'><input type='text' name='VPN_DELAYED_START' value='$cgiparams{'VPN_DELAYED_START'}' /></td>\r
2265 <td width='25%' class='base' nowrap='nowrap'>$Lang::tr{'override mtu'}:&nbsp;<img src='/blob.gif' alt='*' /></td>\r
2266 <td width='25%'><input type='text' name='VPN_OVERRIDE_MTU' value='$cgiparams{'VPN_OVERRIDE_MTU'}' /></td>\r
2267</table>\r
2268<table width='100%'>\r
2269<tr><td>PLUTO DEBUG</td>\r
2270 <td>crypt:<input type='checkbox' name='DBG_CRYPT' $checked{'DBG_CRYPT'} /></td>\r
2271 <td>parsing:<input type='checkbox' name='DBG_PARSING' $checked{'DBG_PARSING'} /></td>\r
2272 <td>emitting:<input type='checkbox' name='DBG_EMITTING' $checked{'DBG_EMITTING'} /></td>\r
2273 <td>control:<input type='checkbox' name='DBG_CONTROL' $checked{'DBG_CONTROL'} /></td>\r
2274 <td>klips:<input type='checkbox' name='DBG_KLIPS' $checked{'DBG_KLIPS'} /></td>\r
2275 <td>dns:<input type='checkbox' name='DBG_DNS' $checked{'DBG_DNS'} /></td>\r
2276 <td>nat_t:<input type='checkbox' name='DBG_NAT_T' $checked{'DBG_NAT_T'} /></td>\r
2277</tr></table>\r
2278<hr />\r
2279<table width='100%'>\r
2280<tr>\r
2281 <td class='base' valign='top'><img src='/blob.gif' alt='*' /></td>\r
2282 <td width='70%' class='base'>$Lang::tr{'vpn delayed start help'}</td>\r
2283 <td width='30%' align='center' class='base'><input type='submit' name='ACTION' value='$Lang::tr{'save'}' /></td>\r
2284</tr>\r
2285</table>\r
2286END\r
2287; \r
2288 print "</form>";\r
2289 &Header::closebox();\r
2290\r
2291 &Header::openbox('100%', 'LEFT', $Lang::tr{'connection status and controlc'});\r
2292 print <<END\r
2293 <table width='100%' border='0' cellspacing='1' cellpadding='0'>\r
2294 <tr>\r
2295 <td width='10%' class='boldbase' align='center'><b>$Lang::tr{'name'}</b></td>\r
2296 <td width='22%' class='boldbase' align='center'><b>$Lang::tr{'type'}</b></td>\r
2297 <td width='23%' class='boldbase' align='center'><b>$Lang::tr{'common name'}</b></td>\r
2298 <td width='30%' class='boldbase' align='center'><b>$Lang::tr{'remark'}</b><br /><img src='/images/null.gif' width='125' height='1' border='0' alt='L2089' /></td>\r
2299 <td width='10%' class='boldbase' align='center'><b>$Lang::tr{'status'}</b></td>\r
2300 <td width='5%' class='boldbase' colspan='6' align='center'><b>$Lang::tr{'action'}</b></td>\r
2301 </tr>\r
2302END\r
2303 ;\r
2304 my $id = 0;\r
2305 my $gif;\r
2306 foreach my $key (keys %confighash) {\r
2307 if ($confighash{$key}[0] eq 'on') { $gif = 'on.gif'; } else { $gif = 'off.gif'; }\r
2308\r
2309 if ($id % 2) {\r
2310 print "<tr bgcolor='${Header::table1colour}'>\n";\r
2311 } else {\r
2312 print "<tr bgcolor='${Header::table2colour}'>\n";\r
2313 }\r
2314 print "<td align='center' nowrap='nowrap'>$confighash{$key}[1]</td>";\r
2315 print "<td align='center' nowrap='nowrap'>" . $Lang::tr{"$confighash{$key}[3]"} . " (" . $Lang::tr{"$confighash{$key}[4]"} . ")</td>";\r
2316 if ($confighash{$key}[4] eq 'cert') {\r
2317 print "<td align='left' nowrap='nowrap'>$confighash{$key}[2]</td>";\r
2318 } else {\r
2319 print "<td align='left'>&nbsp;</td>";\r
2320 }\r
2321 print "<td align='center'>$confighash{$key}[25]</td>";\r
2322 my $active = "<table cellpadding='2' cellspacing='0' bgcolor='${Header::colourred}' width='100%'><tr><td align='center'><b><font color='#FFFFFF'>$Lang::tr{'capsclosed'}</font></b></td></tr></table>";\r
2323 if ($confighash{$key}[0] eq 'off') {\r
2324 $active = "<table cellpadding='2' cellspacing='0' bgcolor='${Header::colourblue}' width='100%'><tr><td align='center'><b><font color='#FFFFFF'>$Lang::tr{'capsclosed'}</font></b></td></tr></table>";\r
2325 } else {\r
2326 foreach my $line (@status) {\r
2327 if ($line =~ /\"$confighash{$key}[1]\".*IPsec SA established/) {\r
2328 $active = "<table cellpadding='2' cellspacing='0' bgcolor='${Header::colourgreen}' width='100%'><tr><td align='center'><b><font color='#FFFFFF'>$Lang::tr{'capsopen'}</font></b></td></tr></table>";\r
2329 }\r
2330 }\r
2331 }\r
2332 print <<END\r
2333 <td align='center'>$active</td>\r
2334 <form method='post' name='frm${key}a'><td align='center'>\r
2335 <input type='image' name='$Lang::tr{'restart'}' src='/images/reload.gif' alt='$Lang::tr{'restart'}' title='$Lang::tr{'restart'}' border='0' />\r
2336 <input type='hidden' name='ACTION' value='$Lang::tr{'restart'}' />\r
2337 <input type='hidden' name='KEY' value='$key' />\r
2338 </td></form>\r
2339END\r
2340 ;\r
2341 if ($confighash{$key}[4] eq 'cert') {\r
2342 print <<END\r
2343 <form method='post' name='frm${key}b'><td align='center'>\r
2344 <input type='image' name='$Lang::tr{'show certificate'}' src='/images/info.gif' alt='$Lang::tr{'show certificate'}' title='$Lang::tr{'show certificate'}' border='0' />\r
2345 <input type='hidden' name='ACTION' value='$Lang::tr{'show certificate'}' />\r
2346 <input type='hidden' name='KEY' value='$key' />\r
2347 </td></form>\r
2348END\r
2349 ; } else {\r
2350 print "<td>&nbsp;</td>";\r
2351 }\r
2352 if ($confighash{$key}[4] eq 'cert' && -f "${General::swroot}/certs/$confighash{$key}[1].p12") { \r
2353 print <<END\r
2354 <form method='post' name='frm${key}c'><td align='center'>\r
2355 <input type='image' name='$Lang::tr{'download pkcs12 file'}' src='/images/floppy.gif' alt='$Lang::tr{'download pkcs12 file'}' title='$Lang::tr{'download pkcs12 file'}' border='0' />\r
2356 <input type='hidden' name='ACTION' value='$Lang::tr{'download pkcs12 file'}' />\r
2357 <input type='hidden' name='KEY' value='$key' />\r
2358 </td></form>\r
2359END\r
2360 ; } elsif ($confighash{$key}[4] eq 'cert') {\r
2361 print <<END\r
2362 <form method='post' name='frm${key}c'><td align='center'>\r
2363 <input type='image' name='$Lang::tr{'download certificate'}' src='/images/floppy.gif' alt='$Lang::tr{'download certificate'}' title='$Lang::tr{'download certificate'}' border='0' />\r
2364 <input type='hidden' name='ACTION' value='$Lang::tr{'download certificate'}' />\r
2365 <input type='hidden' name='KEY' value='$key' />\r
2366 </td></form>\r
2367END\r
2368 ; } else {\r
2369 print "<td>&nbsp;</td>";\r
2370 }\r
2371 print <<END\r
2372 <form method='post' name='frm${key}d'><td align='center'>\r
2373 <input type='image' name='$Lang::tr{'toggle enable disable'}' src='/images/$gif' alt='$Lang::tr{'toggle enable disable'}' title='$Lang::tr{'toggle enable disable'}' border='0' />\r
2374 <input type='hidden' name='ACTION' value='$Lang::tr{'toggle enable disable'}' />\r
2375 <input type='hidden' name='KEY' value='$key' />\r
2376 </td></form>\r
2377\r
2378 <form method='post' name='frm${key}e'><td align='center'>\r
2379 <input type='hidden' name='ACTION' value='$Lang::tr{'edit'}' />\r
2380 <input type='image' name='$Lang::tr{'edit'}' src='/images/edit.gif' alt='$Lang::tr{'edit'}' title='$Lang::tr{'edit'}' width='20' height='20' border='0'/>\r
2381 <input type='hidden' name='KEY' value='$key' />\r
2382 </td></form>\r
2383 <form method='post' name='frm${key}f'><td align='center'>\r
2384 <input type='hidden' name='ACTION' value='$Lang::tr{'remove'}' />\r
2385 <input type='image' name='$Lang::tr{'remove'}' src='/images/delete.gif' alt='$Lang::tr{'remove'}' title='$Lang::tr{'remove'}' width='20' height='20' border='0' />\r
2386 <input type='hidden' name='KEY' value='$key' />\r
2387 </td></form>\r
2388 </tr>\r
2389END\r
2390 ;\r
2391 $id++;\r
2392 }\r
2393 ;\r
2394\r
2395 # If the config file contains entries, print Key to action icons\r
2396 if ( $id ) {\r
2397 print <<END\r
2398 <table>\r
2399 <tr>\r
2400 <td class='boldbase'>&nbsp; <b>$Lang::tr{'legend'}:</b></td>\r
2401 <td>&nbsp; <img src='/images/on.gif' alt='$Lang::tr{'click to disable'}' /></td>\r
2402 <td class='base'>$Lang::tr{'click to disable'}</td>\r
2403 <td>&nbsp; &nbsp; <img src='/images/info.gif' alt='$Lang::tr{'show certificate'}' /></td>\r
2404 <td class='base'>$Lang::tr{'show certificate'}</td>\r
2405 <td>&nbsp; &nbsp; <img src='/images/edit.gif' alt='$Lang::tr{'edit'}' /></td>\r
2406 <td class='base'>$Lang::tr{'edit'}</td>\r
2407 <td>&nbsp; &nbsp; <img src='/images/delete.gif' alt='$Lang::tr{'remove'}' /></td>\r
2408 <td class='base'>$Lang::tr{'remove'}</td>\r
2409 </tr>\r
2410 <tr>\r
2411 <td>&nbsp; </td>\r
2412 <td>&nbsp; <img src='/images/off.gif' alt='?OFF' /></td>\r
2413 <td class='base'>$Lang::tr{'click to enable'}</td>\r
2414 <td>&nbsp; &nbsp; <img src='/images/floppy.gif' alt='?FLOPPY' /></td>\r
2415 <td class='base'>$Lang::tr{'download certificate'}</td>\r
2416 <td>&nbsp; &nbsp; <img src='/images/reload.gif' alt='?RELOAD'/></td>\r
2417 <td class='base'>$Lang::tr{'restart'}</td>\r
2418 </tr>\r
2419 </table>\r
2420END\r
2421 ;\r
2422 }\r
2423\r
2424 print <<END\r
2425 <table width='100%'>\r
2426 <form method='post'>\r
2427 <tr><td align='center' colspan='9'><input type='submit' name='ACTION' value='$Lang::tr{'add'}' /></td></tr>\r
2428 </form>\r
2429 </table>\r
2430END\r
2431 ;\r
2432 &Header::closebox();\r
2433\r
2434 &Header::openbox('100%', 'LEFT', "$Lang::tr{'certificate authorities'}:");\r
2435 print <<EOF\r
2436 <table width='100%' border='0' cellspacing='1' cellpadding='0'>\r
2437 <tr>\r
2438 <td width='25%' class='boldbase' align='center'><b>$Lang::tr{'name'}</b></td>\r
2439 <td width='65%' class='boldbase' align='center'><b>$Lang::tr{'subject'}</b></td>\r
2440 <td width='10%' class='boldbase' colspan='3' align='center'><b>$Lang::tr{'action'}</b></td>\r
2441 </tr>\r
2442EOF\r
2443 ;\r
2444 if (-f "${General::swroot}/ca/cacert.pem") {\r
2445 my $casubject = `/usr/bin/openssl x509 -text -in ${General::swroot}/ca/cacert.pem`;\r
2446 $casubject =~ /Subject: (.*)[\n]/;\r
2447 $casubject = $1;\r
2448 $casubject =~ s+/Email+, E+;\r
2449 $casubject =~ s/ ST=/ S=/;\r
2450\r
2451 print <<END\r
2452 <tr bgcolor='${Header::table2colour}'>\r
2453 <td class='base'>$Lang::tr{'root certificate'}</td>\r
2454 <td class='base'>$casubject</td>\r
2455 <form method='post' name='frmrootcrta'><td width='3%' align='center'>\r
2456 <input type='hidden' name='ACTION' value='$Lang::tr{'show root certificate'}' />\r
2457 <input type='image' name='$Lang::tr{'edit'}' src='/images/info.gif' alt='$Lang::tr{'show root certificate'}' title='$Lang::tr{'show root certificate'}' width='20' height='20' border='0' />\r
2458 </td></form>\r
2459 <form method='post' name='frmrootcrtb'><td width='3%' align='center'>\r
2460 <input type='image' name='$Lang::tr{'download root certificate'}' src='/images/floppy.gif' alt='$Lang::tr{'download root certificate'}' title='$Lang::tr{'download root certificate'}' border='0' />\r
2461 <input type='hidden' name='ACTION' value='$Lang::tr{'download root certificate'}' />\r
2462 </td></form>\r
2463 <td width='4%'>&nbsp;</td></tr>\r
2464END\r
2465 ;\r
2466 } else {\r
2467 # display rootcert generation buttons\r
2468 print <<END\r
2469 <tr bgcolor='${Header::table2colour}'>\r
2470 <td class='base'>$Lang::tr{'root certificate'}:</td>\r
2471 <td class='base'>$Lang::tr{'not present'}</td>\r
2472 <td colspan='3'>&nbsp;</td></tr>\r
2473END\r
2474 ;\r
2475 }\r
2476\r
2477 if (-f "${General::swroot}/certs/hostcert.pem") {\r
2478 my $hostsubject = `/usr/bin/openssl x509 -text -in ${General::swroot}/certs/hostcert.pem`;\r
2479 $hostsubject =~ /Subject: (.*)[\n]/;\r
2480 $hostsubject = $1;\r
2481 $hostsubject =~ s+/Email+, E+;\r
2482 $hostsubject =~ s/ ST=/ S=/;\r
2483\r
2484 print <<END\r
2485 <tr bgcolor='${Header::table1colour}'>\r
2486 <td class='base'>$Lang::tr{'host certificate'}</td>\r
2487 <td class='base'>$hostsubject</td>\r
2488 <form method='post' name='frmhostcrta'><td width='3%' align='center'>\r
2489 <input type='hidden' name='ACTION' value='$Lang::tr{'show host certificate'}' />\r
2490 <input type='image' name='$Lang::tr{'show host certificate'}' src='/images/info.gif' alt='$Lang::tr{'show host certificate'}' title='$Lang::tr{'show host certificate'}' width='20' height='20' border='0' />\r
2491 </td></form>\r
2492 <form method='post' name='frmhostcrtb'><td width='3%' align='center'>\r
2493 <input type='image' name='$Lang::tr{'download host certificate'}' src='/images/floppy.gif' alt='$Lang::tr{'download host certificate'}' title='$Lang::tr{'download host certificate'}' border='0' />\r
2494 <input type='hidden' name='ACTION' value='$Lang::tr{'download host certificate'}' />\r
2495 </td></form>\r
2496 <td width='4%'>&nbsp;</td></tr>\r
2497END\r
2498 ;\r
2499 } else {\r
2500 # Nothing\r
2501 print <<END\r
2502 <tr bgcolor='${Header::table1colour}'>\r
2503 <td width='25%' class='base'>$Lang::tr{'host certificate'}:</td>\r
2504 <td class='base'>$Lang::tr{'not present'}</td>\r
2505 </td><td colspan='3'>&nbsp;</td></tr>\r
2506END\r
2507 ;\r
2508 }\r
2509\r
2510 if (! -f "${General::swroot}/ca/cacert.pem") {\r
2511 print "<tr><td colspan='5' align='center'><form method='post'>";\r
2512 print "<input type='submit' name='ACTION' value='$Lang::tr{'generate root/host certificates'}' />";\r
2513 print "</form></td></tr>\n";\r
2514 }\r
2515\r
2516 if (keys %cahash > 0) {\r
2517 foreach my $key (keys %cahash) {\r
2518 if (($key + 1) % 2) {\r
2519 print "<tr bgcolor='${Header::table1colour}'>\n";\r
2520 } else {\r
2521 print "<tr bgcolor='${Header::table2colour}'>\n";\r
2522 }\r
2523 print "<td class='base'>$cahash{$key}[0]</td>\n";\r
2524 print "<td class='base'>$cahash{$key}[1]</td>\n";\r
2525 print <<END\r
2526 <form method='post' name='cafrm${key}a'><td align='center'>\r
2527 <input type='image' name='$Lang::tr{'show ca certificate'}' src='/images/info.gif' alt='$Lang::tr{'show ca certificate'}' title='$Lang::tr{'show ca certificate'}' border='0' />\r
2528 <input type='hidden' name='ACTION' value='$Lang::tr{'show ca certificate'}' />\r
2529 <input type='hidden' name='KEY' value='$key' />\r
2530 </td></form>\r
2531 <form method='post' name='cafrm${key}b'><td align='center'>\r
2532 <input type='image' name='$Lang::tr{'download ca certificate'}' src='/images/floppy.gif' alt='$Lang::tr{'download ca certificate'}' title='$Lang::tr{'download ca certificate'}' border='0' />\r
2533 <input type='hidden' name='ACTION' value='$Lang::tr{'download ca certificate'}' />\r
2534 <input type='hidden' name='KEY' value='$key' />\r
2535 </td></form>\r
2536 <form method='post' name='cafrm${key}c'><td align='center'>\r
2537 <input type='hidden' name='ACTION' value='$Lang::tr{'remove ca certificate'}' />\r
2538 <input type='image' name='$Lang::tr{'remove ca certificate'}' src='/images/delete.gif' alt='$Lang::tr{'remove ca certificate'}' title='$Lang::tr{'remove ca certificate'}' width='20' height='20' border='0' />\r
2539 <input type='hidden' name='KEY' value='$key' />\r
2540 </td></form></tr>\r
2541END\r
2542 ;\r
2543 }\r
2544 }\r
2545\r
2546 print "</table>";\r
2547\r
2548 # If the file contains entries, print Key to action icons\r
2549 if ( -f "${General::swroot}/ca/cacert.pem") {\r
2550 print <<END\r
2551 <table>\r
2552 <tr>\r
2553 <td class='boldbase'>&nbsp; <b>$Lang::tr{'legend'}:</b></td>\r
2554 <td>&nbsp; &nbsp; <img src='/images/info.gif' alt='$Lang::tr{'show certificate'}' /></td>\r
2555 <td class='base'>$Lang::tr{'show certificate'}</td>\r
2556 <td>&nbsp; &nbsp; <img src='/images/floppy.gif' alt='$Lang::tr{'download certificate'}' /></td>\r
2557 <td class='base'>$Lang::tr{'download certificate'}</td>\r
2558 </tr>\r
2559 </table>\r
2560END\r
2561 ;\r
2562 }\r
2563 print <<END\r
2564 <form method='post' enctype='multipart/form-data'>\r
2565 <table width='100%' border='0' cellspacing='1' cellpadding='0'>\r
2566 <tr><td class='base' nowrap='nowrap'>$Lang::tr{'ca name'}:</td>\r
2567 <td nowrap='nowrap'><input type='text' name='CA_NAME' value='$cgiparams{'CA_NAME'}' size='15' />\r
2568 <td nowrap='nowrap'><input type='file' name='FH' size='30' /></td>\r
2569 <td nowrap='nowrap'><input type='submit' name='ACTION' value='$Lang::tr{'upload ca certificate'}' /></td>\r
2570 </tr></table></form>\r
2571END\r
2572 ;\r
2573 &Header::closebox();\r
2574\r
2575 print "<div align='center'><form method='post'><input type='submit' name='ACTION' value='$Lang::tr{'reset'}' /></div></form>\n";\r
2576 print "$Lang::tr{'this feature has been sponsored by'} : ";\r
2577 print "<a href='http://www.seminolegas.com/' target='_blank'>Seminole Canada Gas Company</a>.\n";\r
2578\r
2579 &Header::closebigbox();\r
2580 &Header::closepage();\r
Timo's tree of IPFire 2.x