ipsec: Add ECP cryptography.

[people/teissler/ipfire-2.x.git] / html / cgi-bin / vpnmain.cgi

diff --git a/html/cgi-bin/vpnmain.cgi b/html/cgi-bin/vpnmain.cgi
index eaf6f489aca6873e4b3f860c3c1138ab7a5f7996..2e3ef9a5705c38e5a34b937e7a89b21823c61104 100644 (file)
--- a/html/cgi-bin/vpnmain.cgi
+++ b/html/cgi-bin/vpnmain.cgi
@@ -2,7 +2,7 @@
 ###############################################################################
 #                                                                             #
 # IPFire.org - A linux based firewall                                         #
-# Copyright (C) 2007-2011  IPFire Team  info@ipfire.org                       #
+# Copyright (C) 2007-2013  IPFire Team  info@ipfire.org                       #
 #                                                                             #
 # This program is free software: you can redistribute it and/or modify        #
 # it under the terms of the GNU General Public License as published by        #
@@ -245,9 +245,6 @@ sub writeipsecfiles {
     flock CONF, 2;
     flock SECRETS, 2;
     print CONF "version 2\n\n";
-    print CONF "config setup\n";
-    print CONF "\tcharondebug=\"dmn 0, mgr 0, ike 0, chd 0, job 0, cfg 0, knl 0, net 0, asn 0, enc 0, lib 0, esp 0, tls 0, tnc 0, imc 0, imv 0, pts 0\"\n";
-    print CONF "\n";
     print CONF "conn %default\n";
     print CONF "\tkeyingtries=%forever\n";
     print CONF "\n";
@@ -319,9 +316,16 @@ sub writeipsecfiles {
                foreach my $j (@ints) {
                    foreach my $k (@groups) {
                        if ($comma != 0) { print CONF ","; } else { $comma = 1; }
-                   print CONF "$i-$j-modp$k";
-               }
+
+                       my @l = split("", $k);
+                       if ($l[0] eq "e") {
+                           shift @l;
+                           print CONF "$i-$j-ecp".join("", @l);
+                       } else {
+                           print CONF "$i-$j-modp$k";
+                       }
                    }
+               }
            }
            if ($lconfighash{$key}[24] eq 'on') {       #only proposed algorythms?
                print CONF "!\n";
@@ -342,7 +346,12 @@ sub writeipsecfiles {
                                foreach my $k (@groups) {
                                    if ($comma != 0) { print CONF ","; } else { $comma = 1; }
                                    if ($pfs eq "on") {
-                                       $modp = "-modp$k";
+                                       my @l = split("", $k);
+                                       if ($l[0] eq "e") {
+                                               $modp = "";
+                                       } else {
+                                               $modp = "-modp$k";
+                                       }
                                    } else {
                                        $modp = "";
                                    }
@@ -414,7 +423,7 @@ sub writeipsecfiles {
 
 # Hook to regenerate the configuration files.
 if ($ENV{"REMOTE_ADDR"} eq "") {
-       writeipsecfiles;
+       writeipsecfiles();
        exit(0);
 }
 
@@ -1367,6 +1376,14 @@ END
            goto VPNCONF_ERROR;
        }
 
+#temporary disabled (BUG 10294)
+#      if ($cgiparams{'TYPE'} eq 'net'){
+#              $errormessage=&General::checksubnets($cgiparams{'NAME'},$cgiparams{'REMOTE_SUBNET'});
+#              if ($errormessage ne ''){
+#                      goto VPNCONF_ERROR;
+#              }
+#              
+#      }
        if ($cgiparams{'AUTH'} eq 'psk') {
            if (! length($cgiparams{'PSK'}) ) {
                $errormessage = $Lang::tr{'pre-shared key is too short'};
@@ -1824,11 +1841,11 @@ END
        $cgiparams{'IKE_ENCRYPTION'} = 'aes256|aes192|aes128|3des';     #[18];
        $cgiparams{'IKE_INTEGRITY'}  = 'sha2_256|sha|md5';      #[19];
        $cgiparams{'IKE_GROUPTYPE'}  = '8192|6144|4096|3072|2048|1536|1024';            #[20];
-       $cgiparams{'IKE_LIFETIME'}   = '1';             #[16];
+       $cgiparams{'IKE_LIFETIME'}   = '3';             #[16];
        $cgiparams{'ESP_ENCRYPTION'} = 'aes256|aes192|aes128|3des';     #[21];
        $cgiparams{'ESP_INTEGRITY'}  = 'sha2_256|sha1|md5';     #[22];
        $cgiparams{'ESP_GROUPTYPE'}  = '';              #[23];
-       $cgiparams{'ESP_KEYLIFE'}    = '8';             #[17];
+       $cgiparams{'ESP_KEYLIFE'}    = '1';             #[17];
        $cgiparams{'COMPRESSION'}    = 'on';            #[13];
        $cgiparams{'ONLY_PROPOSED'}  = 'off';           #[24];
        $cgiparams{'PFS'}            = 'on';            #[28];
@@ -1979,8 +1996,6 @@ END
        ;
        &Header::closebox();
     } elsif (! $cgiparams{'KEY'}) {
-       my $pskdisabled = ($vpnsettings{'VPN_IP'} eq '%defaultroute') ? "disabled='disabled'" : '' ;
-        $cgiparams{'PSK'} =  $Lang::tr{'vpn incompatible use of defaultroute'} if ($pskdisabled);
        my $cakeydisabled = ( ! -f "${General::swroot}/private/cakey.pem" ) ? "disabled='disabled'" : '';
         $cgiparams{'CERT_NAME'} = $Lang::tr{'vpn no full pki'} if ($cakeydisabled);
        my $cacrtdisabled = ( ! -f "${General::swroot}/ca/cacert.pem" ) ? "disabled='disabled'" : '';
@@ -1988,9 +2003,9 @@ END
        &Header::openbox('100%', 'left', $Lang::tr{'authentication'});
        print <<END
        <table width='100%' cellpadding='0' cellspacing='5' border='0'>
-       <tr><td width='5%'><input type='radio' name='AUTH' value='psk' $checked{'AUTH'}{'psk'} $pskdisabled/></td>
+       <tr><td width='5%'><input type='radio' name='AUTH' value='psk' $checked{'AUTH'}{'psk'} /></td>
            <td class='base' width='55%'>$Lang::tr{'use a pre-shared key'}</td>
-           <td class='base' width='40%'><input type='password' name='PSK' size='30' value='$cgiparams{'PSK'}' $pskdisabled/></td></tr>
+           <td class='base' width='40%'><input type='password' name='PSK' size='30' value='$cgiparams{'PSK'}' /></td></tr>
        <tr><td colspan='3' bgcolor='#000000'></td></tr>
        <tr><td><input type='radio' name='AUTH' value='certreq' $checked{'AUTH'}{'certreq'} $cakeydisabled /></td>
            <td class='base'><hr />$Lang::tr{'upload a certificate request'}</td>
@@ -2086,7 +2101,7 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) ||
            goto ADVANCED_ERROR;
        }
        foreach my $val (@temp) {
-           if ($val !~ /^(aes256|aes128|3des)$/) {
+           if ($val !~ /^(aes256|aes192|aes128|3des)$/) {
                $errormessage = $Lang::tr{'invalid input'};
                goto ADVANCED_ERROR;
            }
@@ -2108,7 +2123,7 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) ||
            goto ADVANCED_ERROR;
        }
        foreach my $val (@temp) {
-           if ($val !~ /^(1024|1536|2048|3072|4096|6144|8192)$/) {
+           if ($val !~ /^(e521|e384|e256|e224|e192|1024|1536|2048|3072|4096|6144|8192)$/) {
                $errormessage = $Lang::tr{'invalid input'};
                goto ADVANCED_ERROR;
            }
@@ -2144,6 +2159,7 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) ||
            }
        }
        if ($cgiparams{'ESP_GROUPTYPE'} ne '' &&
+           $cgiparams{'ESP_GROUPTYPE'} !~  /^ecp(192|224|256|384|512)$/ &&
            $cgiparams{'ESP_GROUPTYPE'} !~  /^modp(1024|1536|2048|3072|4096|6144|8192)$/) {
            $errormessage = $Lang::tr{'invalid input'};
            goto ADVANCED_ERROR;
@@ -2302,6 +2318,11 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) ||
        
            <td class='boldbase' align='right' valign='top'>$Lang::tr{'ike grouptype'}</td><td class='boldbase' valign='top'>
                <select name='IKE_GROUPTYPE' multiple='multiple' size='4'>
+               <option value='e521' $checked{'IKE_GROUPTYPE'}{'e521'}>ECP-521</option>
+               <option value='e384' $checked{'IKE_GROUPTYPE'}{'e384'}>ECP-384</option>
+               <option value='e256' $checked{'IKE_GROUPTYPE'}{'e256'}>ECP-256</option>
+               <option value='e224' $checked{'IKE_GROUPTYPE'}{'e224'}>ECP-224</option>
+               <option value='e192' $checked{'IKE_GROUPTYPE'}{'e192'}>ECP-192</option>
                <option value='8192' $checked{'IKE_GROUPTYPE'}{'8192'}>MODP-8192</option>
                <option value='6144' $checked{'IKE_GROUPTYPE'}{'6144'}>MODP-6144</option>
                <option value='4096' $checked{'IKE_GROUPTYPE'}{'4096'}>MODP-4096</option>