ipsec: Add ECP cryptography.

[people/teissler/ipfire-2.x.git] / html / cgi-bin / vpnmain.cgi

diff --git a/html/cgi-bin/vpnmain.cgi b/html/cgi-bin/vpnmain.cgi
old mode 100755 (executable)
new mode 100644 (file)
index e9d114b..2e3ef9a
--- a/html/cgi-bin/vpnmain.cgi
+++ b/html/cgi-bin/vpnmain.cgi
@@ -2,7 +2,7 @@
 ###############################################################################
 #                                                                             #
 # IPFire.org - A linux based firewall                                         #
-# Copyright (C) 2007-2011  IPFire Team  info@ipfire.org                       #
+# Copyright (C) 2007-2013  IPFire Team  info@ipfire.org                       #
 #                                                                             #
 # This program is free software: you can redistribute it and/or modify        #
 # it under the terms of the GNU General Public License as published by        #
@@ -245,9 +245,6 @@ sub writeipsecfiles {
     flock CONF, 2;
     flock SECRETS, 2;
     print CONF "version 2\n\n";
-    print CONF "config setup\n";
-    print CONF "\tcharondebug=\"dmn 0, mgr 0, ike 0, chd 0, job 0, cfg 0, knl 0, net 0, asn 0, enc 0, lib 0, esp 0, tls 0, tnc 0, imc 0, imv 0, pts 0\"\n";
-    print CONF "\n";
     print CONF "conn %default\n";
     print CONF "\tkeyingtries=%forever\n";
     print CONF "\n";
@@ -319,9 +316,16 @@ sub writeipsecfiles {
                foreach my $j (@ints) {
                    foreach my $k (@groups) {
                        if ($comma != 0) { print CONF ","; } else { $comma = 1; }
-                   print CONF "$i-$j-modp$k";
-               }
+
+                       my @l = split("", $k);
+                       if ($l[0] eq "e") {
+                           shift @l;
+                           print CONF "$i-$j-ecp".join("", @l);
+                       } else {
+                           print CONF "$i-$j-modp$k";
+                       }
                    }
+               }
            }
            if ($lconfighash{$key}[24] eq 'on') {       #only proposed algorythms?
                print CONF "!\n";
@@ -342,7 +346,12 @@ sub writeipsecfiles {
                                foreach my $k (@groups) {
                                    if ($comma != 0) { print CONF ","; } else { $comma = 1; }
                                    if ($pfs eq "on") {
-                                       $modp = "-modp$k";
+                                       my @l = split("", $k);
+                                       if ($l[0] eq "e") {
+                                               $modp = "";
+                                       } else {
+                                               $modp = "-modp$k";
+                                       }
                                    } else {
                                        $modp = "";
                                    }
@@ -414,7 +423,7 @@ sub writeipsecfiles {
 
 # Hook to regenerate the configuration files.
 if ($ENV{"REMOTE_ADDR"} eq "") {
-       writeipsecfiles;
+       writeipsecfiles();
        exit(0);
 }
 
@@ -1367,14 +1376,14 @@ END
            goto VPNCONF_ERROR;
        }
 
-       
-       if ($cgiparams{'TYPE'} eq 'net'){
-               $errormessage=&General::checksubnets($cgiparams{'NAME'},$cgiparams{'REMOTE_SUBNET'});
-               if ($errormessage ne ''){
-                       goto VPNCONF_ERROR;
-               }
-               
-       }
+#temporary disabled (BUG 10294)
+#      if ($cgiparams{'TYPE'} eq 'net'){
+#              $errormessage=&General::checksubnets($cgiparams{'NAME'},$cgiparams{'REMOTE_SUBNET'});
+#              if ($errormessage ne ''){
+#                      goto VPNCONF_ERROR;
+#              }
+#              
+#      }
        if ($cgiparams{'AUTH'} eq 'psk') {
            if (! length($cgiparams{'PSK'}) ) {
                $errormessage = $Lang::tr{'pre-shared key is too short'};
@@ -1832,11 +1841,11 @@ END
        $cgiparams{'IKE_ENCRYPTION'} = 'aes256|aes192|aes128|3des';     #[18];
        $cgiparams{'IKE_INTEGRITY'}  = 'sha2_256|sha|md5';      #[19];
        $cgiparams{'IKE_GROUPTYPE'}  = '8192|6144|4096|3072|2048|1536|1024';            #[20];
-       $cgiparams{'IKE_LIFETIME'}   = '1';             #[16];
+       $cgiparams{'IKE_LIFETIME'}   = '3';             #[16];
        $cgiparams{'ESP_ENCRYPTION'} = 'aes256|aes192|aes128|3des';     #[21];
        $cgiparams{'ESP_INTEGRITY'}  = 'sha2_256|sha1|md5';     #[22];
        $cgiparams{'ESP_GROUPTYPE'}  = '';              #[23];
-       $cgiparams{'ESP_KEYLIFE'}    = '8';             #[17];
+       $cgiparams{'ESP_KEYLIFE'}    = '1';             #[17];
        $cgiparams{'COMPRESSION'}    = 'on';            #[13];
        $cgiparams{'ONLY_PROPOSED'}  = 'off';           #[24];
        $cgiparams{'PFS'}            = 'on';            #[28];
@@ -1987,8 +1996,6 @@ END
        ;
        &Header::closebox();
     } elsif (! $cgiparams{'KEY'}) {
-       my $pskdisabled = ($vpnsettings{'VPN_IP'} eq '%defaultroute') ? "disabled='disabled'" : '' ;
-        $cgiparams{'PSK'} =  $Lang::tr{'vpn incompatible use of defaultroute'} if ($pskdisabled);
        my $cakeydisabled = ( ! -f "${General::swroot}/private/cakey.pem" ) ? "disabled='disabled'" : '';
         $cgiparams{'CERT_NAME'} = $Lang::tr{'vpn no full pki'} if ($cakeydisabled);
        my $cacrtdisabled = ( ! -f "${General::swroot}/ca/cacert.pem" ) ? "disabled='disabled'" : '';
@@ -1996,9 +2003,9 @@ END
        &Header::openbox('100%', 'left', $Lang::tr{'authentication'});
        print <<END
        <table width='100%' cellpadding='0' cellspacing='5' border='0'>
-       <tr><td width='5%'><input type='radio' name='AUTH' value='psk' $checked{'AUTH'}{'psk'} $pskdisabled/></td>
+       <tr><td width='5%'><input type='radio' name='AUTH' value='psk' $checked{'AUTH'}{'psk'} /></td>
            <td class='base' width='55%'>$Lang::tr{'use a pre-shared key'}</td>
-           <td class='base' width='40%'><input type='password' name='PSK' size='30' value='$cgiparams{'PSK'}' $pskdisabled/></td></tr>
+           <td class='base' width='40%'><input type='password' name='PSK' size='30' value='$cgiparams{'PSK'}' /></td></tr>
        <tr><td colspan='3' bgcolor='#000000'></td></tr>
        <tr><td><input type='radio' name='AUTH' value='certreq' $checked{'AUTH'}{'certreq'} $cakeydisabled /></td>
            <td class='base'><hr />$Lang::tr{'upload a certificate request'}</td>
@@ -2094,7 +2101,7 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) ||
            goto ADVANCED_ERROR;
        }
        foreach my $val (@temp) {
-           if ($val !~ /^(aes256|aes128|3des)$/) {
+           if ($val !~ /^(aes256|aes192|aes128|3des)$/) {
                $errormessage = $Lang::tr{'invalid input'};
                goto ADVANCED_ERROR;
            }
@@ -2116,7 +2123,7 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) ||
            goto ADVANCED_ERROR;
        }
        foreach my $val (@temp) {
-           if ($val !~ /^(1024|1536|2048|3072|4096|6144|8192)$/) {
+           if ($val !~ /^(e521|e384|e256|e224|e192|1024|1536|2048|3072|4096|6144|8192)$/) {
                $errormessage = $Lang::tr{'invalid input'};
                goto ADVANCED_ERROR;
            }
@@ -2152,6 +2159,7 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) ||
            }
        }
        if ($cgiparams{'ESP_GROUPTYPE'} ne '' &&
+           $cgiparams{'ESP_GROUPTYPE'} !~  /^ecp(192|224|256|384|512)$/ &&
            $cgiparams{'ESP_GROUPTYPE'} !~  /^modp(1024|1536|2048|3072|4096|6144|8192)$/) {
            $errormessage = $Lang::tr{'invalid input'};
            goto ADVANCED_ERROR;
@@ -2310,6 +2318,11 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) ||
        
            <td class='boldbase' align='right' valign='top'>$Lang::tr{'ike grouptype'}</td><td class='boldbase' valign='top'>
                <select name='IKE_GROUPTYPE' multiple='multiple' size='4'>
+               <option value='e521' $checked{'IKE_GROUPTYPE'}{'e521'}>ECP-521</option>
+               <option value='e384' $checked{'IKE_GROUPTYPE'}{'e384'}>ECP-384</option>
+               <option value='e256' $checked{'IKE_GROUPTYPE'}{'e256'}>ECP-256</option>
+               <option value='e224' $checked{'IKE_GROUPTYPE'}{'e224'}>ECP-224</option>
+               <option value='e192' $checked{'IKE_GROUPTYPE'}{'e192'}>ECP-192</option>
                <option value='8192' $checked{'IKE_GROUPTYPE'}{'8192'}>MODP-8192</option>
                <option value='6144' $checked{'IKE_GROUPTYPE'}{'6144'}>MODP-6144</option>
                <option value='4096' $checked{'IKE_GROUPTYPE'}{'4096'}>MODP-4096</option>