* [PATCH] vpnmain.cgi - Replace spaces with tab characters and fix indentation @ 2015-09-25 21:01 Lars Schuhmacher 2015-09-25 22:11 ` Michael Tremer 0 siblings, 1 reply; 4+ messages in thread From: Lars Schuhmacher @ 2015-09-25 21:01 UTC (permalink / raw) To: development [-- Attachment #1: Type: text/plain, Size: 200112 bytes --] Replaced spaces with tab characters. Fixed indentation. This is based on http://patchwork.ipfire.org/patch/88/ so that patch must be applied before. Signed-off-by: Lars Schuhmacher <larsen007(a)web.de> --- html/cgi-bin/vpnmain.cgi | 4313 +++++++++++++++++++++++----------------------- 1 file changed, 2155 insertions(+), 2158 deletions(-) diff --git a/html/cgi-bin/vpnmain.cgi b/html/cgi-bin/vpnmain.cgi index 5658dac..e717862 100644 --- a/html/cgi-bin/vpnmain.cgi +++ b/html/cgi-bin/vpnmain.cgi @@ -40,8 +40,7 @@ undef (@dummy); ### ### Initialize variables ### -my $sleepDelay = 4; # after a call to ipsecctrl S or R, wait this delay (seconds) before reading status - # (let the ipsec do its job) +my $sleepDelay = 4; # after a call to ipsecctrl S or R, wait this delay (seconds) before reading status (let the ipsec do its job) my %netsettings=(); our %cgiparams=(); our %vpnsettings=(); @@ -132,103 +131,101 @@ sub valid_dns_host { ### Just return true is one interface is vpn enabled ### sub vpnenabled { - return ($vpnsettings{'ENABLED'} eq 'on'); + return ($vpnsettings{'ENABLED'} eq 'on'); } ### -### old version: maintain serial number to one, without explication. -### this : let the counter go, so that each cert is numbered. +### old version: maintain serial number to one, without explication. +### this: let the counter go, so that each cert is numbered. ### -sub cleanssldatabase -{ - if (open(FILE, ">${General::swroot}/certs/serial")) { - print FILE "01"; - close FILE; - } - if (open(FILE, ">${General::swroot}/certs/index.txt")) { - print FILE ""; - close FILE; - } - unlink ("${General::swroot}/certs/index.txt.old"); - unlink ("${General::swroot}/certs/serial.old"); - unlink ("${General::swroot}/certs/01.pem"); +sub cleanssldatabase { + if (open(FILE, ">${General::swroot}/certs/serial")) { + print FILE "01"; + close FILE; + } + if (open(FILE, ">${General::swroot}/certs/index.txt")) { + print FILE ""; + close FILE; + } + unlink ("${General::swroot}/certs/index.txt.old"); + unlink ("${General::swroot}/certs/serial.old"); + unlink ("${General::swroot}/certs/01.pem"); } -sub newcleanssldatabase -{ - if (! -s "${General::swroot}/certs/serial" ) { - open(FILE, ">${General::swroot}/certs/serial"); - print FILE "01"; - close FILE; - } - if (! -s ">${General::swroot}/certs/index.txt") { - system ("touch ${General::swroot}/certs/index.txt"); - } - unlink ("${General::swroot}/certs/index.txt.old"); - unlink ("${General::swroot}/certs/serial.old"); -# unlink ("${General::swroot}/certs/01.pem"); numbering evolves. Wrong place to delete +sub newcleanssldatabase { + if (! -s "${General::swroot}/certs/serial" ) { + open(FILE, ">${General::swroot}/certs/serial"); + print FILE "01"; + close FILE; + } + if (! -s ">${General::swroot}/certs/index.txt") { + system ("touch ${General::swroot}/certs/index.txt"); + } + unlink ("${General::swroot}/certs/index.txt.old"); + unlink ("${General::swroot}/certs/serial.old"); +# unlink ("${General::swroot}/certs/01.pem"); numbering evolves. Wrong place to delete } ### ### Call openssl and return errormessage if any ### sub callssl ($) { - my $opt = shift; - my $retssl = `/usr/bin/openssl $opt 2>&1`; #redirect stderr - my $ret = ''; - foreach my $line (split (/\n/, $retssl)) { - &General::log("ipsec", "$line") if (0); # 1 for verbose logging - $ret .= '<br>'.$line if ( $line =~ /error|unknown/ ); - } - if ($ret) { - $ret= &Header::cleanhtml($ret); - } - return $ret ? "$Lang::tr{'openssl produced an error'}: $ret" : '' ; + my $opt = shift; + my $retssl = `/usr/bin/openssl $opt 2>&1`; #redirect stderr + my $ret = ''; + foreach my $line (split (/\n/, $retssl)) { + &General::log("ipsec", "$line") if (0); # 1 for verbose logging + $ret .= '<br>'.$line if ( $line =~ /error|unknown/ ); + } + if ($ret) { + $ret= &Header::cleanhtml($ret); + } + return $ret ? "$Lang::tr{'openssl produced an error'}: $ret" : '' ; } ### ### Obtain a CN from given cert ### sub getCNfromcert ($) { - #&General::log("ipsec", "Extracting name from $_[0]..."); - my $temp = `/usr/bin/openssl x509 -text -in $_[0]`; - $temp =~ /Subject:.*CN=(.*)[\n]/; - $temp = $1; - $temp =~ s+/Email+, E+; - $temp =~ s/ ST=/ S=/; - $temp =~ s/,//g; - $temp =~ s/\'//g; - return $temp; + #&General::log("ipsec", "Extracting name from $_[0]..."); + my $temp = `/usr/bin/openssl x509 -text -in $_[0]`; + $temp =~ /Subject:.*CN=(.*)[\n]/; + $temp = $1; + $temp =~ s+/Email+, E+; + $temp =~ s/ ST=/ S=/; + $temp =~ s/,//g; + $temp =~ s/\'//g; + return $temp; } ### ### Obtain Subject from given cert ### sub getsubjectfromcert ($) { - #&General::log("ipsec", "Extracting subject from $_[0]..."); - my $temp = `/usr/bin/openssl x509 -text -in $_[0]`; - $temp =~ /Subject: (.*)[\n]/; - $temp = $1; - $temp =~ s+/Email+, E+; - $temp =~ s/ ST=/ S=/; - return $temp; + #&General::log("ipsec", "Extracting subject from $_[0]..."); + my $temp = `/usr/bin/openssl x509 -text -in $_[0]`; + $temp =~ /Subject: (.*)[\n]/; + $temp = $1; + $temp =~ s+/Email+, E+; + $temp =~ s/ ST=/ S=/; + return $temp; } ### -### Combine local subnet and connection name to make a unique name for each connection section +### Combine local subnet and connection name to make a unique name for each connection section ### (this sub is not used now) ### sub makeconnname ($) { - my $conn = shift; - my $subnet = shift; - - $subnet =~ /^(.*?)\/(.*?)$/; # $1=IP $2=mask - my $ip = unpack('N', &Socket::inet_aton($1)); - if (length ($2) > 2) { - my $mm = unpack('N', &Socket::inet_aton($2)); - while ( ($mm & 1)==0 ) { - $ip >>= 1; - $mm >>= 1; - }; - } else { - $ip >>= (32 - $2); - } - return sprintf ("%s-%X", $conn, $ip); + my $conn = shift; + my $subnet = shift; + + $subnet =~ /^(.*?)\/(.*?)$/; # $1=IP $2=mask + my $ip = unpack('N', &Socket::inet_aton($1)); + if (length ($2) > 2) { + my $mm = unpack('N', &Socket::inet_aton($2)); + while ( ($mm & 1)==0 ) { + $ip >>= 1; + $mm >>= 1; + }; + } else { + $ip >>= (32 - $2); + } + return sprintf ("%s-%X", $conn, $ip); } ### ### Write a config file. @@ -238,197 +235,198 @@ sub makeconnname ($) { ### sub writeipsecfiles { - my %lconfighash = (); - my %lvpnsettings = (); - &General::readhasharray("${General::swroot}/vpn/config", \%lconfighash); - &General::readhash("${General::swroot}/vpn/settings", \%lvpnsettings); - - open(CONF, ">${General::swroot}/vpn/ipsec.conf") or die "Unable to open ${General::swroot}/vpn/ipsec.conf: $!"; - open(SECRETS, ">${General::swroot}/vpn/ipsec.secrets") or die "Unable to open ${General::swroot}/vpn/ipsec.secrets: $!"; - flock CONF, 2; - flock SECRETS, 2; - print CONF "version 2\n\n"; - print CONF "conn %default\n"; - print CONF "\tkeyingtries=%forever\n"; - print CONF "\n"; - - # Add user includes to config file - if (-e "/etc/ipsec.user.conf") { - print CONF "include /etc/ipsec.user.conf\n"; - print CONF "\n"; - } - - print SECRETS "include /etc/ipsec.user.secrets\n"; - - if (-f "${General::swroot}/certs/hostkey.pem") { - print SECRETS ": RSA ${General::swroot}/certs/hostkey.pem\n" - } - my $last_secrets = ''; # old the less specifics connections - - foreach my $key (keys %lconfighash) { - next if ($lconfighash{$key}[0] ne 'on'); - - #remote peer is not set? => use '%any' - $lconfighash{$key}[10] = '%any' if ($lconfighash{$key}[10] eq ''); - - my $localside; - if ($lconfighash{$key}[26] eq 'BLUE') { - $localside = $netsettings{'BLUE_ADDRESS'}; - } elsif ($lconfighash{$key}[26] eq 'GREEN') { - $localside = $netsettings{'GREEN_ADDRESS'}; - } elsif ($lconfighash{$key}[26] eq 'ORANGE') { - $localside = $netsettings{'ORANGE_ADDRESS'}; - } else { # it is RED - $localside = $lvpnsettings{'VPN_IP'}; - } - - print CONF "conn $lconfighash{$key}[1]\n"; - print CONF "\tleft=$localside\n"; - my $cidr_net=&General::ipcidr($lconfighash{$key}[8]); - print CONF "\tleftsubnet=$cidr_net\n"; - print CONF "\tleftfirewall=yes\n"; - print CONF "\tlefthostaccess=yes\n"; - - print CONF "\tright=$lconfighash{$key}[10]\n"; - if ($lconfighash{$key}[3] eq 'net') { - my $cidr_net=&General::ipcidr($lconfighash{$key}[11]); - print CONF "\trightsubnet=$cidr_net\n"; - } - - # Local Cert and Remote Cert (unless auth is DN dn-auth) - if ($lconfighash{$key}[4] eq 'cert') { - print CONF "\tleftcert=${General::swroot}/certs/hostcert.pem\n"; - print CONF "\trightcert=${General::swroot}/certs/$lconfighash{$key}[1]cert.pem\n" if ($lconfighash{$key}[2] ne '%auth-dn'); - } - - # Local and Remote IDs - print CONF "\tleftid=\"$lconfighash{$key}[7]\"\n" if ($lconfighash{$key}[7]); - print CONF "\trightid=\"$lconfighash{$key}[9]\"\n" if ($lconfighash{$key}[9]); - - # Is PFS enabled? - my $pfs = $lconfighash{$key}[28] eq 'on' ? 'on' : 'off'; - - # Algorithms - if ($lconfighash{$key}[18] && $lconfighash{$key}[19] && $lconfighash{$key}[20]) { - my @encs = split('\|', $lconfighash{$key}[18]); - my @ints = split('\|', $lconfighash{$key}[19]); - my @groups = split('\|', $lconfighash{$key}[20]); - - my @algos = &make_algos("ike", \@encs, \@ints, \@groups, 1); - print CONF "\tike=" . join(",", @algos); - - if ($lconfighash{$key}[24] eq 'on') { #only proposed algorythms? - print CONF "!\n"; - } else { - print CONF "\n"; - } + my %lconfighash = (); + my %lvpnsettings = (); + &General::readhasharray("${General::swroot}/vpn/config", \%lconfighash); + &General::readhash("${General::swroot}/vpn/settings", \%lvpnsettings); + + open(CONF, ">${General::swroot}/vpn/ipsec.conf") or die "Unable to open ${General::swroot}/vpn/ipsec.conf: $!"; + open(SECRETS, ">${General::swroot}/vpn/ipsec.secrets") or die "Unable to open ${General::swroot}/vpn/ipsec.secrets: $!"; + flock CONF, 2; + flock SECRETS, 2; + print CONF "version 2\n\n"; + print CONF "conn %default\n"; + print CONF "\tkeyingtries=%forever\n"; + print CONF "\n"; + + # Add user includes to config file + if (-e "/etc/ipsec.user.conf") { + print CONF "include /etc/ipsec.user.conf\n"; + print CONF "\n"; } - if ($lconfighash{$key}[21] && $lconfighash{$key}[22]) { - my @encs = split('\|', $lconfighash{$key}[21]); - my @ints = split('\|', $lconfighash{$key}[22]); - my @groups = split('\|', $lconfighash{$key}[23]); + print SECRETS "include /etc/ipsec.user.secrets\n"; - # Use IKE grouptype if no ESP group type has been selected - # (for backwards compatibility) - if ($lconfighash{$key}[23] eq "") { - @groups = split('\|', $lconfighash{$key}[20]); + if (-f "${General::swroot}/certs/hostkey.pem") { + print SECRETS ": RSA ${General::swroot}/certs/hostkey.pem\n" + } + my $last_secrets = ''; # old the less specifics connections + + foreach my $key (keys %lconfighash) { + next if ($lconfighash{$key}[0] ne 'on'); + + #remote peer is not set? => use '%any' + $lconfighash{$key}[10] = '%any' if ($lconfighash{$key}[10] eq ''); + + my $localside; + if ($lconfighash{$key}[26] eq 'BLUE') { + $localside = $netsettings{'BLUE_ADDRESS'}; + } elsif ($lconfighash{$key}[26] eq 'GREEN') { + $localside = $netsettings{'GREEN_ADDRESS'}; + } elsif ($lconfighash{$key}[26] eq 'ORANGE') { + $localside = $netsettings{'ORANGE_ADDRESS'}; + } else { # it is RED + $localside = $lvpnsettings{'VPN_IP'}; } - my @algos = &make_algos("esp", \@encs, \@ints, \@groups, ($pfs eq "on")); - print CONF "\tesp=" . join(",", @algos); + print CONF "conn $lconfighash{$key}[1]\n"; + print CONF "\tleft=$localside\n"; + my $cidr_net=&General::ipcidr($lconfighash{$key}[8]); + print CONF "\tleftsubnet=$cidr_net\n"; + print CONF "\tleftfirewall=yes\n"; + print CONF "\tlefthostaccess=yes\n"; + print CONF "\tright=$lconfighash{$key}[10]\n"; + + if ($lconfighash{$key}[3] eq 'net') { + my $cidr_net=&General::ipcidr($lconfighash{$key}[11]); + print CONF "\trightsubnet=$cidr_net\n"; + } - if ($lconfighash{$key}[24] eq 'on') { #only proposed algorythms? - print CONF "!\n"; - } else { - print CONF "\n"; + # Local Cert and Remote Cert (unless auth is DN dn-auth) + if ($lconfighash{$key}[4] eq 'cert') { + print CONF "\tleftcert=${General::swroot}/certs/hostcert.pem\n"; + print CONF "\trightcert=${General::swroot}/certs/$lconfighash{$key}[1]cert.pem\n" if ($lconfighash{$key}[2] ne '%auth-dn'); } - } - # IKE V1 or V2 - if (! $lconfighash{$key}[29]) { - $lconfighash{$key}[29] = "ikev1"; - } - print CONF "\tkeyexchange=$lconfighash{$key}[29]\n"; + # Local and Remote IDs + print CONF "\tleftid=\"$lconfighash{$key}[7]\"\n" if ($lconfighash{$key}[7]); + print CONF "\trightid=\"$lconfighash{$key}[9]\"\n" if ($lconfighash{$key}[9]); - # Lifetimes - print CONF "\tikelifetime=$lconfighash{$key}[16]h\n" if ($lconfighash{$key}[16]); - print CONF "\tkeylife=$lconfighash{$key}[17]h\n" if ($lconfighash{$key}[17]); + # Is PFS enabled? + my $pfs = $lconfighash{$key}[28] eq 'on' ? 'on' : 'off'; - # Compression - print CONF "\tcompress=yes\n" if ($lconfighash{$key}[13] eq 'on'); + # Algorithms + if ($lconfighash{$key}[18] && $lconfighash{$key}[19] && $lconfighash{$key}[20]) { + my @encs = split('\|', $lconfighash{$key}[18]); + my @ints = split('\|', $lconfighash{$key}[19]); + my @groups = split('\|', $lconfighash{$key}[20]); - # Force MOBIKE? - if (($lconfighash{$key}[29] eq "ikev2") && ($lconfighash{$key}[32] eq 'on')) { - print CONF "\tmobike=yes\n"; - } + my @algos = &make_algos("ike", \@encs, \@ints, \@groups, 1); + print CONF "\tike=" . join(",", @algos); + + if ($lconfighash{$key}[24] eq 'on') { #only proposed algorythms? + print CONF "!\n"; + } else { + print CONF "\n"; + } + } + + if ($lconfighash{$key}[21] && $lconfighash{$key}[22]) { + my @encs = split('\|', $lconfighash{$key}[21]); + my @ints = split('\|', $lconfighash{$key}[22]); + my @groups = split('\|', $lconfighash{$key}[23]); + + # Use IKE grouptype if no ESP group type has been selected + # (for backwards compatibility) + if ($lconfighash{$key}[23] eq "") { + @groups = split('\|', $lconfighash{$key}[20]); + } - # Dead Peer Detection - my $dpdaction = $lconfighash{$key}[27]; - print CONF "\tdpdaction=$dpdaction\n"; + my @algos = &make_algos("esp", \@encs, \@ints, \@groups, ($pfs eq "on")); + print CONF "\tesp=" . join(",", @algos); - # If the dead peer detection is disabled and IKEv2 is used, - # dpddelay must be set to zero, too. - if ($dpdaction eq "none") { - if ($lconfighash{$key}[29] eq "ikev2") { - print CONF "\tdpddelay=0\n"; + if ($lconfighash{$key}[24] eq 'on') { #only proposed algorythms? + print CONF "!\n"; + } else { + print CONF "\n"; + } } - } else { - my $dpddelay = $lconfighash{$key}[31]; - if (!$dpddelay) { - $dpddelay = 30; - } - print CONF "\tdpddelay=$dpddelay\n"; - my $dpdtimeout = $lconfighash{$key}[30]; - if (!$dpdtimeout) { - $dpdtimeout = 120; - } - print CONF "\tdpdtimeout=$dpdtimeout\n"; - } - - # Build Authentication details: LEFTid RIGHTid : PSK psk - my $psk_line; - if ($lconfighash{$key}[4] eq 'psk') { - $psk_line = ($lconfighash{$key}[7] ? $lconfighash{$key}[7] : $localside) . " " ; - $psk_line .= $lconfighash{$key}[9] ? $lconfighash{$key}[9] : $lconfighash{$key}[10]; #remoteid or remote address? - $psk_line .= " : PSK '$lconfighash{$key}[5]'\n"; - # if the line contains %any, it is less specific than two IP or ID, so move it at end of file. - if ($psk_line =~ /%any/) { - $last_secrets .= $psk_line; - } else { - print SECRETS $psk_line; - } - print CONF "\tauthby=secret\n"; - } else { - print CONF "\tauthby=rsasig\n"; - print CONF "\tleftrsasigkey=%cert\n"; - print CONF "\trightrsasigkey=%cert\n"; - } - # Automatically start only if a net-to-net connection - if ($lconfighash{$key}[3] eq 'host') { - print CONF "\tauto=add\n"; - print CONF "\trightsourceip=$lvpnsettings{'RW_NET'}\n"; - } else { - print CONF "\tauto=start\n"; - } + # IKE V1 or V2 + if (! $lconfighash{$key}[29]) { + $lconfighash{$key}[29] = "ikev1"; + } - # Fragmentation - print CONF "\tfragmentation=yes\n"; + print CONF "\tkeyexchange=$lconfighash{$key}[29]\n"; - print CONF "\n"; - }#foreach key - - # Add post user includes to config file - # After the GUI-connections allows to patch connections. - if (-e "/etc/ipsec.user-post.conf") { - print CONF "include /etc/ipsec.user-post.conf\n"; - print CONF "\n"; - } - - print SECRETS $last_secrets if ($last_secrets); - close(CONF); - close(SECRETS); + # Lifetimes + print CONF "\tikelifetime=$lconfighash{$key}[16]h\n" if ($lconfighash{$key}[16]); + print CONF "\tkeylife=$lconfighash{$key}[17]h\n" if ($lconfighash{$key}[17]); + + # Compression + print CONF "\tcompress=yes\n" if ($lconfighash{$key}[13] eq 'on'); + + # Force MOBIKE? + if (($lconfighash{$key}[29] eq "ikev2") && ($lconfighash{$key}[32] eq 'on')) { + print CONF "\tmobike=yes\n"; + } + + # Dead Peer Detection + my $dpdaction = $lconfighash{$key}[27]; + print CONF "\tdpdaction=$dpdaction\n"; + + # If the dead peer detection is disabled and IKEv2 is used, + # dpddelay must be set to zero, too. + if ($dpdaction eq "none") { + if ($lconfighash{$key}[29] eq "ikev2") { + print CONF "\tdpddelay=0\n"; + } + } else { + my $dpddelay = $lconfighash{$key}[31]; + if (!$dpddelay) { + $dpddelay = 30; + } + print CONF "\tdpddelay=$dpddelay\n"; + my $dpdtimeout = $lconfighash{$key}[30]; + if (!$dpdtimeout) { + $dpdtimeout = 120; + } + print CONF "\tdpdtimeout=$dpdtimeout\n"; + } + + # Build Authentication details: LEFTid RIGHTid : PSK psk + my $psk_line; + if ($lconfighash{$key}[4] eq 'psk') { + $psk_line = ($lconfighash{$key}[7] ? $lconfighash{$key}[7] : $localside) . " " ; + $psk_line .= $lconfighash{$key}[9] ? $lconfighash{$key}[9] : $lconfighash{$key}[10]; #remoteid or remote address? + $psk_line .= " : PSK '$lconfighash{$key}[5]'\n"; + # if the line contains %any, it is less specific than two IP or ID, so move it at end of file. + if ($psk_line =~ /%any/) { + $last_secrets .= $psk_line; + } else { + print SECRETS $psk_line; + } + print CONF "\tauthby=secret\n"; + } else { + print CONF "\tauthby=rsasig\n"; + print CONF "\tleftrsasigkey=%cert\n"; + print CONF "\trightrsasigkey=%cert\n"; + } + + # Automatically start only if a net-to-net connection + if ($lconfighash{$key}[3] eq 'host') { + print CONF "\tauto=add\n"; + print CONF "\trightsourceip=$lvpnsettings{'RW_NET'}\n"; + } else { + print CONF "\tauto=start\n"; + } + + # Fragmentation + print CONF "\tfragmentation=yes\n"; + + print CONF "\n"; + } #foreach key + + # Add post user includes to config file + # After the GUI-connections allows to patch connections. + if (-e "/etc/ipsec.user-post.conf") { + print CONF "include /etc/ipsec.user-post.conf\n"; + print CONF "\n"; + } + + print SECRETS $last_secrets if ($last_secrets); + close(CONF); + close(SECRETS); } # Hook to regenerate the configuration files. @@ -441,779 +439,779 @@ if ($ENV{"REMOTE_ADDR"} eq "") { ### Save main settings ### if ($cgiparams{'ACTION'} eq $Lang::tr{'save'} && $cgiparams{'TYPE'} eq '' && $cgiparams{'KEY'} eq '') { - &General::readhash("${General::swroot}/vpn/settings", \%vpnsettings); - unless (&General::validfqdn($cgiparams{'VPN_IP'}) || &General::validip($cgiparams{'VPN_IP'}) - || $cgiparams{'VPN_IP'} eq '%defaultroute' ) { - $errormessage = $Lang::tr{'invalid input for hostname'}; - goto SAVE_ERROR; - } - - unless ($cgiparams{'VPN_DELAYED_START'} =~ /^[0-9]{1,3}$/ ) { #allow 0-999 seconds ! - $errormessage = $Lang::tr{'invalid time period'}; - goto SAVE_ERROR; - } - - if ( $cgiparams{'RW_NET'} ne '' and !&General::validipandmask($cgiparams{'RW_NET'}) ) { - $errormessage = $Lang::tr{'urlfilter invalid ip or mask error'}; - goto SAVE_ERROR; - } - - $vpnsettings{'ENABLED'} = $cgiparams{'ENABLED'}; - $vpnsettings{'VPN_IP'} = $cgiparams{'VPN_IP'}; - $vpnsettings{'VPN_DELAYED_START'} = $cgiparams{'VPN_DELAYED_START'}; - $vpnsettings{'RW_NET'} = $cgiparams{'RW_NET'}; - &General::writehash("${General::swroot}/vpn/settings", \%vpnsettings); - &writeipsecfiles(); - if (&vpnenabled) { - system('/usr/local/bin/ipsecctrl', 'S'); - } else { - system('/usr/local/bin/ipsecctrl', 'D'); - } - sleep $sleepDelay; - SAVE_ERROR: + &General::readhash("${General::swroot}/vpn/settings", \%vpnsettings); + + unless (&General::validfqdn($cgiparams{'VPN_IP'}) || &General::validip($cgiparams{'VPN_IP'}) + || $cgiparams{'VPN_IP'} eq '%defaultroute' ) { + $errormessage = $Lang::tr{'invalid input for hostname'}; + goto SAVE_ERROR; + } + + unless ($cgiparams{'VPN_DELAYED_START'} =~ /^[0-9]{1,3}$/ ) { #allow 0-999 seconds ! + $errormessage = $Lang::tr{'invalid time period'}; + goto SAVE_ERROR; + } + + if ( $cgiparams{'RW_NET'} ne '' and !&General::validipandmask($cgiparams{'RW_NET'}) ) { + $errormessage = $Lang::tr{'urlfilter invalid ip or mask error'}; + goto SAVE_ERROR; + } + + $vpnsettings{'ENABLED'} = $cgiparams{'ENABLED'}; + $vpnsettings{'VPN_IP'} = $cgiparams{'VPN_IP'}; + $vpnsettings{'VPN_DELAYED_START'} = $cgiparams{'VPN_DELAYED_START'}; + $vpnsettings{'RW_NET'} = $cgiparams{'RW_NET'}; + &General::writehash("${General::swroot}/vpn/settings", \%vpnsettings); + &writeipsecfiles(); + if (&vpnenabled) { + system('/usr/local/bin/ipsecctrl', 'S'); + } else { + system('/usr/local/bin/ipsecctrl', 'D'); + } + sleep $sleepDelay; + SAVE_ERROR: ### ### Reset all step 2 ### } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'remove x509'} && $cgiparams{'AREUSURE'} eq 'yes') { - &General::readhasharray("${General::swroot}/vpn/config", \%confighash); - - foreach my $key (keys %confighash) { - if ($confighash{$key}[4] eq 'cert') { - delete $confighash{$key}; - } - } - while (my $file = glob("${General::swroot}/{ca,certs,crls,private}/*")) { - unlink $file - } - &cleanssldatabase(); - if (open(FILE, ">${General::swroot}/vpn/caconfig")) { - print FILE ""; - close FILE; - } - &General::writehasharray("${General::swroot}/vpn/config", \%confighash); - &writeipsecfiles(); - system('/usr/local/bin/ipsecctrl', 'R'); - sleep $sleepDelay; + &General::readhasharray("${General::swroot}/vpn/config", \%confighash); + + foreach my $key (keys %confighash) { + if ($confighash{$key}[4] eq 'cert') { + delete $confighash{$key}; + } + } + while (my $file = glob("${General::swroot}/{ca,certs,crls,private}/*")) { + unlink $file + } + &cleanssldatabase(); + if (open(FILE, ">${General::swroot}/vpn/caconfig")) { + print FILE ""; + close FILE; + } + &General::writehasharray("${General::swroot}/vpn/config", \%confighash); + &writeipsecfiles(); + system('/usr/local/bin/ipsecctrl', 'R'); + sleep $sleepDelay; ### ### Reset all step 1 ### } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'remove x509'}) { - &Header::showhttpheaders(); - &Header::openpage($Lang::tr{'ipsec'}, 1, ''); - &Header::openbigbox('100%', 'left', '', ''); - &Header::openbox('100%', 'left', $Lang::tr{'are you sure'}); - print <<END + &Header::showhttpheaders(); + &Header::openpage($Lang::tr{'ipsec'}, 1, ''); + &Header::openbigbox('100%', 'left', '', ''); + &Header::openbox('100%', 'left', $Lang::tr{'are you sure'}); + print <<END <form method='post' action='$ENV{'SCRIPT_NAME'}'> - <table width='100%'> - <tr> - <td align='center'> - <input type='hidden' name='AREUSURE' value='yes' /> - <b><font color='${Header::colourred}'>$Lang::tr{'capswarning'}</font></b>: - $Lang::tr{'resetting the vpn configuration will remove the root ca, the host certificate and all certificate based connections'}</td> - </tr><tr> - <td align='center'> - <input type='submit' name='ACTION' value='$Lang::tr{'remove x509'}' /> + <table width='100%'> + <tr> + <td align='center'> + <input type='hidden' name='AREUSURE' value='yes' /> + <b><font color='${Header::colourred}'>$Lang::tr{'capswarning'}</font></b>: $Lang::tr{'resetting the vpn configuration will remove the root ca, the host certificate and all certificate based connections'} + </td> + </tr><tr> + <td align='center'> + <input type='submit' name='ACTION' value='$Lang::tr{'remove x509'}' /> <input type='submit' name='ACTION' value='$Lang::tr{'cancel'}' /></td> - </tr> - </table> + </tr> + </table> </form> END - ; - &Header::closebox(); - &Header::closebigbox(); - &Header::closepage(); - exit (0); +; + &Header::closebox(); + &Header::closebigbox(); + &Header::closepage(); + exit (0); ### ### Upload CA Certificate ### } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'upload ca certificate'}) { - &General::readhasharray("${General::swroot}/vpn/caconfig", \%cahash); - - if ($cgiparams{'CA_NAME'} !~ /^[a-zA-Z0-9]+$/) { - $errormessage = $Lang::tr{'name must only contain characters'}; - goto UPLOADCA_ERROR; - } - - if (length($cgiparams{'CA_NAME'}) >60) { - $errormessage = $Lang::tr{'name too long'}; - goto VPNCONF_ERROR; - } - - if ($cgiparams{'CA_NAME'} eq 'ca') { - $errormessage = $Lang::tr{'name is invalid'}; - goto UPLOAD_CA_ERROR; - } - - # Check if there is no other entry with this name - foreach my $key (keys %cahash) { - if ($cahash{$key}[0] eq $cgiparams{'CA_NAME'}) { - $errormessage = $Lang::tr{'a ca certificate with this name already exists'}; - goto UPLOADCA_ERROR; - } - } - - if (ref ($cgiparams{'FH'}) ne 'Fh') { - $errormessage = $Lang::tr{'there was no file upload'}; - goto UPLOADCA_ERROR; - } - # Move uploaded ca to a temporary file - (my $fh, my $filename) = tempfile( ); - if (copy ($cgiparams{'FH'}, $fh) != 1) { - $errormessage = $!; - goto UPLOADCA_ERROR; - } - my $temp = `/usr/bin/openssl x509 -text -in $filename`; - if ($temp !~ /CA:TRUE/i) { - $errormessage = $Lang::tr{'not a valid ca certificate'}; - unlink ($filename); - goto UPLOADCA_ERROR; - } else { - move($filename, "${General::swroot}/ca/$cgiparams{'CA_NAME'}cert.pem"); - if ($? ne 0) { - $errormessage = "$Lang::tr{'certificate file move failed'}: $!"; - unlink ($filename); - goto UPLOADCA_ERROR; - } - } - - my $key = &General::findhasharraykey (\%cahash); - $cahash{$key}[0] = $cgiparams{'CA_NAME'}; - $cahash{$key}[1] = &Header::cleanhtml(getsubjectfromcert ("${General::swroot}/ca/$cgiparams{'CA_NAME'}cert.pem")); - &General::writehasharray("${General::swroot}/vpn/caconfig", \%cahash); - - system('/usr/local/bin/ipsecctrl', 'R'); - sleep $sleepDelay; - - UPLOADCA_ERROR: + &General::readhasharray("${General::swroot}/vpn/caconfig", \%cahash); + + if ($cgiparams{'CA_NAME'} !~ /^[a-zA-Z0-9]+$/) { + $errormessage = $Lang::tr{'name must only contain characters'}; + goto UPLOADCA_ERROR; + } + + if (length($cgiparams{'CA_NAME'}) >60) { + $errormessage = $Lang::tr{'name too long'}; + goto VPNCONF_ERROR; + } + + if ($cgiparams{'CA_NAME'} eq 'ca') { + $errormessage = $Lang::tr{'name is invalid'}; + goto UPLOAD_CA_ERROR; + } + + # Check if there is no other entry with this name + foreach my $key (keys %cahash) { + if ($cahash{$key}[0] eq $cgiparams{'CA_NAME'}) { + $errormessage = $Lang::tr{'a ca certificate with this name already exists'}; + goto UPLOADCA_ERROR; + } + } + + if (ref ($cgiparams{'FH'}) ne 'Fh') { + $errormessage = $Lang::tr{'there was no file upload'}; + goto UPLOADCA_ERROR; + } + # Move uploaded ca to a temporary file + (my $fh, my $filename) = tempfile( ); + if (copy ($cgiparams{'FH'}, $fh) != 1) { + $errormessage = $!; + goto UPLOADCA_ERROR; + } + my $temp = `/usr/bin/openssl x509 -text -in $filename`; + if ($temp !~ /CA:TRUE/i) { + $errormessage = $Lang::tr{'not a valid ca certificate'}; + unlink ($filename); + goto UPLOADCA_ERROR; + } else { + move($filename, "${General::swroot}/ca/$cgiparams{'CA_NAME'}cert.pem"); + if ($? ne 0) { + $errormessage = "$Lang::tr{'certificate file move failed'}: $!"; + unlink ($filename); + goto UPLOADCA_ERROR; + } + } + + my $key = &General::findhasharraykey (\%cahash); + $cahash{$key}[0] = $cgiparams{'CA_NAME'}; + $cahash{$key}[1] = &Header::cleanhtml(getsubjectfromcert ("${General::swroot}/ca/$cgiparams{'CA_NAME'}cert.pem")); + &General::writehasharray("${General::swroot}/vpn/caconfig", \%cahash); + + system('/usr/local/bin/ipsecctrl', 'R'); + sleep $sleepDelay; + + UPLOADCA_ERROR: ### ### Display ca certificate ### } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'show ca certificate'}) { - &General::readhasharray("${General::swroot}/vpn/caconfig", \%cahash); - - if ( -f "${General::swroot}/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem") { - &Header::showhttpheaders(); - &Header::openpage($Lang::tr{'ipsec'}, 1, ''); - &Header::openbigbox('100%', 'left', '', ''); - &Header::openbox('100%', 'left', "$Lang::tr{'ca certificate'}:"); - my $output = `/usr/bin/openssl x509 -text -in ${General::swroot}/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem`; - $output = &Header::cleanhtml($output,"y"); - print "<pre>$output</pre>\n"; - &Header::closebox(); - print "<div align='center'><a href='/cgi-bin/vpnmain.cgi'>$Lang::tr{'back'}</a></div>"; - &Header::closebigbox(); - &Header::closepage(); - exit(0); - } else { - $errormessage = $Lang::tr{'invalid key'}; - } + &General::readhasharray("${General::swroot}/vpn/caconfig", \%cahash); + + if ( -f "${General::swroot}/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem") { + &Header::showhttpheaders(); + &Header::openpage($Lang::tr{'ipsec'}, 1, ''); + &Header::openbigbox('100%', 'left', '', ''); + &Header::openbox('100%', 'left', "$Lang::tr{'ca certificate'}:"); + my $output = `/usr/bin/openssl x509 -text -in ${General::swroot}/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem`; + $output = &Header::cleanhtml($output,"y"); + print "<pre>$output</pre>\n"; + &Header::closebox(); + print "<div align='center'><a href='/cgi-bin/vpnmain.cgi'>$Lang::tr{'back'}</a></div>"; + &Header::closebigbox(); + &Header::closepage(); + exit(0); + } else { + $errormessage = $Lang::tr{'invalid key'}; + } ### ### Export ca certificate to browser ### } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'download ca certificate'}) { - &General::readhasharray("${General::swroot}/vpn/caconfig", \%cahash); - - if ( -f "${General::swroot}/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem" ) { - print "Content-Type: application/force-download\n"; - print "Content-Type: application/octet-stream\r\n"; - print "Content-Disposition: attachment; filename=$cahash{$cgiparams{'KEY'}}[0]cert.pem\r\n\r\n"; - print `/usr/bin/openssl x509 -in ${General::swroot}/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem`; - exit(0); - } else { - $errormessage = $Lang::tr{'invalid key'}; - } + &General::readhasharray("${General::swroot}/vpn/caconfig", \%cahash); + + if ( -f "${General::swroot}/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem" ) { + print "Content-Type: application/force-download\n"; + print "Content-Type: application/octet-stream\r\n"; + print "Content-Disposition: attachment; filename=$cahash{$cgiparams{'KEY'}}[0]cert.pem\r\n\r\n"; + print `/usr/bin/openssl x509 -in ${General::swroot}/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem`; + exit(0); + } else { + $errormessage = $Lang::tr{'invalid key'}; + } ### ### Remove ca certificate (step 2) ### } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'remove ca certificate'} && $cgiparams{'AREUSURE'} eq 'yes') { - &General::readhasharray("${General::swroot}/vpn/config", \%confighash); - &General::readhasharray("${General::swroot}/vpn/caconfig", \%cahash); - - if ( -f "${General::swroot}/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem" ) { - foreach my $key (keys %confighash) { - my $test = `/usr/bin/openssl verify -CAfile ${General::swroot}/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem ${General::swroot}/certs/$confighash{$key}[1]cert.pem`; - if ($test =~ /: OK/) { - # Delete connection - system('/usr/local/bin/ipsecctrl', 'D', $key) if (&vpnenabled); - unlink ("${General::swroot}/certs/$confighash{$key}[1]cert.pem"); - unlink ("${General::swroot}/certs/$confighash{$key}[1].p12"); - delete $confighash{$key}; - &General::writehasharray("${General::swroot}/vpn/config", \%confighash); - &writeipsecfiles(); - } + &General::readhasharray("${General::swroot}/vpn/config", \%confighash); + &General::readhasharray("${General::swroot}/vpn/caconfig", \%cahash); + + if ( -f "${General::swroot}/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem" ) { + foreach my $key (keys %confighash) { + my $test = `/usr/bin/openssl verify -CAfile ${General::swroot}/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem ${General::swroot}/certs/$confighash{$key}[1]cert.pem`; + if ($test =~ /: OK/) { + # Delete connection + system('/usr/local/bin/ipsecctrl', 'D', $key) if (&vpnenabled); + unlink ("${General::swroot}/certs/$confighash{$key}[1]cert.pem"); + unlink ("${General::swroot}/certs/$confighash{$key}[1].p12"); + delete $confighash{$key}; + &General::writehasharray("${General::swroot}/vpn/config", \%confighash); + &writeipsecfiles(); + } + } + unlink ("${General::swroot}/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem"); + delete $cahash{$cgiparams{'KEY'}}; + &General::writehasharray("${General::swroot}/vpn/caconfig", \%cahash); + system('/usr/local/bin/ipsecctrl', 'R'); + sleep $sleepDelay; + } else { + $errormessage = $Lang::tr{'invalid key'}; } - unlink ("${General::swroot}/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem"); - delete $cahash{$cgiparams{'KEY'}}; - &General::writehasharray("${General::swroot}/vpn/caconfig", \%cahash); - system('/usr/local/bin/ipsecctrl', 'R'); - sleep $sleepDelay; - } else { - $errormessage = $Lang::tr{'invalid key'}; - } ### ### Remove ca certificate (step 1) ### } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'remove ca certificate'}) { - &General::readhasharray("${General::swroot}/vpn/config", \%confighash); - &General::readhasharray("${General::swroot}/vpn/caconfig", \%cahash); - - my $assignedcerts = 0; - if ( -f "${General::swroot}/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem" ) { - foreach my $key (keys %confighash) { - my $test = `/usr/bin/openssl verify -CAfile ${General::swroot}/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem ${General::swroot}/certs/$confighash{$key}[1]cert.pem`; - if ($test =~ /: OK/) { - $assignedcerts++; - } - } - if ($assignedcerts) { - &Header::showhttpheaders(); - &Header::openpage($Lang::tr{'ipsec'}, 1, ''); - &Header::openbigbox('100%', 'left', '', ''); - &Header::openbox('100%', 'left', $Lang::tr{'are you sure'}); - print <<END - <form method='post' action='$ENV{'SCRIPT_NAME'}'> - <table width='100%'> - <tr> - <td align='center'> - <input type='hidden' name='KEY' value='$cgiparams{'KEY'}' /> - <input type='hidden' name='AREUSURE' value='yes' /></td> - </tr><tr> - <td align='center'> - <b><font color='${Header::colourred}'>$Lang::tr{'capswarning'}</font></b> - $Lang::tr{'connections are associated with this ca. deleting the ca will delete these connections as well.'}</td> - </tr><tr> - <td align='center'> - <input type='submit' name='ACTION' value='$Lang::tr{'remove ca certificate'}' /> - <input type='submit' name='ACTION' value='$Lang::tr{'cancel'}' /></td> - </tr> - </table> - </form> + &General::readhasharray("${General::swroot}/vpn/config", \%confighash); + &General::readhasharray("${General::swroot}/vpn/caconfig", \%cahash); + + my $assignedcerts = 0; + if ( -f "${General::swroot}/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem" ) { + foreach my $key (keys %confighash) { + my $test = `/usr/bin/openssl verify -CAfile ${General::swroot}/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem ${General::swroot}/certs/$confighash{$key}[1]cert.pem`; + if ($test =~ /: OK/) { + $assignedcerts++; + } + } + if ($assignedcerts) { + &Header::showhttpheaders(); + &Header::openpage($Lang::tr{'ipsec'}, 1, ''); + &Header::openbigbox('100%', 'left', '', ''); + &Header::openbox('100%', 'left', $Lang::tr{'are you sure'}); + print <<END + <form method='post' action='$ENV{'SCRIPT_NAME'}'> + <table width='100%'> + <tr> + <td align='center'> + <input type='hidden' name='KEY' value='$cgiparams{'KEY'}' /> + <input type='hidden' name='AREUSURE' value='yes' /></td> + </tr><tr> + <td align='center'> + <b><font color='${Header::colourred}'>$Lang::tr{'capswarning'}</font></b> $Lang::tr{'connections are associated with this ca. deleting the ca will delete these connections as well.'}</td> + </tr><tr> + <td align='center'> + <input type='submit' name='ACTION' value='$Lang::tr{'remove ca certificate'}' /> + <input type='submit' name='ACTION' value='$Lang::tr{'cancel'}' /></td> + </tr> + </table> + </form> END - ; - &Header::closebox(); - &Header::closebigbox(); - &Header::closepage(); - exit (0); +; + &Header::closebox(); + &Header::closebigbox(); + &Header::closepage(); + exit (0); + } else { + unlink ("${General::swroot}/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem"); + delete $cahash{$cgiparams{'KEY'}}; + &General::writehasharray("${General::swroot}/vpn/caconfig", \%cahash); + system('/usr/local/bin/ipsecctrl', 'R'); + sleep $sleepDelay; + } } else { - unlink ("${General::swroot}/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem"); - delete $cahash{$cgiparams{'KEY'}}; - &General::writehasharray("${General::swroot}/vpn/caconfig", \%cahash); - system('/usr/local/bin/ipsecctrl', 'R'); - sleep $sleepDelay; + $errormessage = $Lang::tr{'invalid key'}; } - } else { - $errormessage = $Lang::tr{'invalid key'}; - } ### ### Display root certificate ### } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'show root certificate'} || $cgiparams{'ACTION'} eq $Lang::tr{'show host certificate'}) { - my $output; - &Header::showhttpheaders(); - &Header::openpage($Lang::tr{'ipsec'}, 1, ''); - &Header::openbigbox('100%', 'left', '', ''); - if ($cgiparams{'ACTION'} eq $Lang::tr{'show root certificate'}) { - &Header::openbox('100%', 'left', "$Lang::tr{'root certificate'}:"); - $output = `/usr/bin/openssl x509 -text -in ${General::swroot}/ca/cacert.pem`; - } else { - &Header::openbox('100%', 'left', "$Lang::tr{'host certificate'}:"); - $output = `/usr/bin/openssl x509 -text -in ${General::swroot}/certs/hostcert.pem`; - } - $output = &Header::cleanhtml($output,"y"); - print "<pre>$output</pre>\n"; - &Header::closebox(); - print "<div align='center'><a href='/cgi-bin/vpnmain.cgi'>$Lang::tr{'back'}</a></div>"; - &Header::closebigbox(); - &Header::closepage(); - exit(0); + my $output; + &Header::showhttpheaders(); + &Header::openpage($Lang::tr{'ipsec'}, 1, ''); + &Header::openbigbox('100%', 'left', '', ''); + if ($cgiparams{'ACTION'} eq $Lang::tr{'show root certificate'}) { + &Header::openbox('100%', 'left', "$Lang::tr{'root certificate'}:"); + $output = `/usr/bin/openssl x509 -text -in ${General::swroot}/ca/cacert.pem`; + } else { + &Header::openbox('100%', 'left', "$Lang::tr{'host certificate'}:"); + $output = `/usr/bin/openssl x509 -text -in ${General::swroot}/certs/hostcert.pem`; + } + $output = &Header::cleanhtml($output,"y"); + print "<pre>$output</pre>\n"; + &Header::closebox(); + print "<div align='center'><a href='/cgi-bin/vpnmain.cgi'>$Lang::tr{'back'}</a></div>"; + &Header::closebigbox(); + &Header::closepage(); + exit(0); ### ### Export root certificate to browser ### } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'download root certificate'}) { - if ( -f "${General::swroot}/ca/cacert.pem" ) { - print "Content-Type: application/force-download\n"; - print "Content-Disposition: attachment; filename=cacert.pem\r\n\r\n"; - print `/usr/bin/openssl x509 -in ${General::swroot}/ca/cacert.pem`; - exit(0); - } + if ( -f "${General::swroot}/ca/cacert.pem" ) { + print "Content-Type: application/force-download\n"; + print "Content-Disposition: attachment; filename=cacert.pem\r\n\r\n"; + print `/usr/bin/openssl x509 -in ${General::swroot}/ca/cacert.pem`; + exit(0); + } ### ### Export host certificate to browser ### } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'download host certificate'}) { - if ( -f "${General::swroot}/certs/hostcert.pem" ) { - print "Content-Type: application/force-download\n"; - print "Content-Disposition: attachment; filename=hostcert.pem\r\n\r\n"; - print `/usr/bin/openssl x509 -in ${General::swroot}/certs/hostcert.pem`; - exit(0); - } + if ( -f "${General::swroot}/certs/hostcert.pem" ) { + print "Content-Type: application/force-download\n"; + print "Content-Disposition: attachment; filename=hostcert.pem\r\n\r\n"; + print `/usr/bin/openssl x509 -in ${General::swroot}/certs/hostcert.pem`; + exit(0); + } ### ### Form for generating/importing the caroot+host certificate ### } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'generate root/host certificates'} || - $cgiparams{'ACTION'} eq $Lang::tr{'upload p12 file'}) { - - if (-f "${General::swroot}/ca/cacert.pem") { - $errormessage = $Lang::tr{'valid root certificate already exists'}; - goto ROOTCERT_SKIP; - } - - &General::readhash("${General::swroot}/vpn/settings", \%vpnsettings); - # fill in initial values - if ($cgiparams{'ROOTCERT_HOSTNAME'} eq '') { - if (-e "${General::swroot}/red/active" && open(IPADDR, "${General::swroot}/red/local-ipaddress")) { - my $ipaddr = <IPADDR>; - close IPADDR; - chomp ($ipaddr); - $cgiparams{'ROOTCERT_HOSTNAME'} = (gethostbyaddr(pack("C4", split(/\./, $ipaddr)), 2))[0]; - if ($cgiparams{'ROOTCERT_HOSTNAME'} eq '') { - $cgiparams{'ROOTCERT_HOSTNAME'} = $ipaddr; - } - } - $cgiparams{'ROOTCERT_COUNTRY'} = $vpnsettings{'ROOTCERT_COUNTRY'} if (!$cgiparams{'ROOTCERT_COUNTRY'}); - } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'upload p12 file'}) { - &General::log("ipsec", "Importing from p12..."); + $cgiparams{'ACTION'} eq $Lang::tr{'upload p12 file'}) { + + if (-f "${General::swroot}/ca/cacert.pem") { + $errormessage = $Lang::tr{'valid root certificate already exists'}; + goto ROOTCERT_SKIP; + } + + &General::readhash("${General::swroot}/vpn/settings", \%vpnsettings); + # fill in initial values + if ($cgiparams{'ROOTCERT_HOSTNAME'} eq '') { + if (-e "${General::swroot}/red/active" && open(IPADDR, "${General::swroot}/red/local-ipaddress")) { + my $ipaddr = <IPADDR>; + close IPADDR; + chomp ($ipaddr); + $cgiparams{'ROOTCERT_HOSTNAME'} = (gethostbyaddr(pack("C4", split(/\./, $ipaddr)), 2))[0]; + if ($cgiparams{'ROOTCERT_HOSTNAME'} eq '') { + $cgiparams{'ROOTCERT_HOSTNAME'} = $ipaddr; + } + } + $cgiparams{'ROOTCERT_COUNTRY'} = $vpnsettings{'ROOTCERT_COUNTRY'} if (!$cgiparams{'ROOTCERT_COUNTRY'}); + } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'upload p12 file'}) { + &General::log("ipsec", "Importing from p12..."); - if (ref ($cgiparams{'FH'}) ne 'Fh') { - $errormessage = $Lang::tr{'there was no file upload'}; - goto ROOTCERT_ERROR; - } + if (ref ($cgiparams{'FH'}) ne 'Fh') { + $errormessage = $Lang::tr{'there was no file upload'}; + goto ROOTCERT_ERROR; + } - # Move uploaded certificate request to a temporary file - (my $fh, my $filename) = tempfile( ); - if (copy ($cgiparams{'FH'}, $fh) != 1) { - $errormessage = $!; - goto ROOTCERT_ERROR; - } + # Move uploaded certificate request to a temporary file + (my $fh, my $filename) = tempfile( ); + if (copy ($cgiparams{'FH'}, $fh) != 1) { + $errormessage = $!; + goto ROOTCERT_ERROR; + } - # Extract the CA certificate from the file - &General::log("ipsec", "Extracting caroot from p12..."); - if (open(STDIN, "-|")) { - my $opt = " pkcs12 -cacerts -nokeys"; - $opt .= " -in $filename"; - $opt .= " -out /tmp/newcacert"; - $errormessage = &callssl ($opt); - } else { #child - print "$cgiparams{'P12_PASS'}\n"; - exit (0); - } - - # Extract the Host certificate from the file - if (!$errormessage) { - &General::log("ipsec", "Extracting host cert from p12..."); - if (open(STDIN, "-|")) { - my $opt = " pkcs12 -clcerts -nokeys"; - $opt .= " -in $filename"; - $opt .= " -out /tmp/newhostcert"; - $errormessage = &callssl ($opt); - } else { #child - print "$cgiparams{'P12_PASS'}\n"; - exit (0); - } - } - - # Extract the Host key from the file - if (!$errormessage) { - &General::log("ipsec", "Extracting private key from p12..."); - if (open(STDIN, "-|")) { - my $opt = " pkcs12 -nocerts -nodes"; - $opt .= " -in $filename"; - $opt .= " -out /tmp/newhostkey"; - $errormessage = &callssl ($opt); - } else { #child - print "$cgiparams{'P12_PASS'}\n"; - exit (0); - } - } - - if (!$errormessage) { - &General::log("ipsec", "Moving cacert..."); - move("/tmp/newcacert", "${General::swroot}/ca/cacert.pem"); - $errormessage = "$Lang::tr{'certificate file move failed'}: $!" if ($? ne 0); - } - - if (!$errormessage) { - &General::log("ipsec", "Moving host cert..."); - move("/tmp/newhostcert", "${General::swroot}/certs/hostcert.pem"); - $errormessage = "$Lang::tr{'certificate file move failed'}: $!" if ($? ne 0); - } - - if (!$errormessage) { - &General::log("ipsec", "Moving private key..."); - move("/tmp/newhostkey", "${General::swroot}/certs/hostkey.pem"); - $errormessage = "$Lang::tr{'certificate file move failed'}: $!" if ($? ne 0); - } - - #cleanup temp files - unlink ($filename); - unlink ('/tmp/newcacert'); - unlink ('/tmp/newhostcert'); - unlink ('/tmp/newhostkey'); - if ($errormessage) { - unlink ("${General::swroot}/ca/cacert.pem"); - unlink ("${General::swroot}/certs/hostcert.pem"); - unlink ("${General::swroot}/certs/hostkey.pem"); - goto ROOTCERT_ERROR; - } + # Extract the CA certificate from the file + &General::log("ipsec", "Extracting caroot from p12..."); + if (open(STDIN, "-|")) { + my $opt = " pkcs12 -cacerts -nokeys"; + $opt .= " -in $filename"; + $opt .= " -out /tmp/newcacert"; + $errormessage = &callssl ($opt); + } else { #child + print "$cgiparams{'P12_PASS'}\n"; + exit (0); + } - # Create empty CRL cannot be done because we don't have - # the private key for this CAROOT - # IPFire can only import certificates + # Extract the Host certificate from the file + if (!$errormessage) { + &General::log("ipsec", "Extracting host cert from p12..."); + if (open(STDIN, "-|")) { + my $opt = " pkcs12 -clcerts -nokeys"; + $opt .= " -in $filename"; + $opt .= " -out /tmp/newhostcert"; + $errormessage = &callssl ($opt); + } else { #child + print "$cgiparams{'P12_PASS'}\n"; + exit (0); + } + } - &General::log("ipsec", "p12 import completed!"); - &cleanssldatabase(); - goto ROOTCERT_SUCCESS; - - } elsif ($cgiparams{'ROOTCERT_COUNTRY'} ne '') { - - # Validate input since the form was submitted - if ($cgiparams{'ROOTCERT_ORGANIZATION'} eq ''){ - $errormessage = $Lang::tr{'organization cant be empty'}; - goto ROOTCERT_ERROR; - } - if (length($cgiparams{'ROOTCERT_ORGANIZATION'}) >60) { - $errormessage = $Lang::tr{'organization too long'}; - goto ROOTCERT_ERROR; - } - if ($cgiparams{'ROOTCERT_ORGANIZATION'} !~ /^[a-zA-Z0-9 ,\.\-_]*$/) { - $errormessage = $Lang::tr{'invalid input for organization'}; - goto ROOTCERT_ERROR; - } - if ($cgiparams{'ROOTCERT_HOSTNAME'} eq ''){ - $errormessage = $Lang::tr{'hostname cant be empty'}; - goto ROOTCERT_ERROR; - } - unless (&General::validfqdn($cgiparams{'ROOTCERT_HOSTNAME'}) || &General::validip($cgiparams{'ROOTCERT_HOSTNAME'})) { - $errormessage = $Lang::tr{'invalid input for hostname'}; - goto ROOTCERT_ERROR; - } - if ($cgiparams{'ROOTCERT_EMAIL'} ne '' && (! &General::validemail($cgiparams{'ROOTCERT_EMAIL'}))) { - $errormessage = $Lang::tr{'invalid input for e-mail address'}; - goto ROOTCERT_ERROR; - } - if (length($cgiparams{'ROOTCERT_EMAIL'}) > 40) { - $errormessage = $Lang::tr{'e-mail address too long'}; - goto ROOTCERT_ERROR; - } - if ($cgiparams{'ROOTCERT_OU'} ne '' && $cgiparams{'ROOTCERT_OU'} !~ /^[a-zA-Z0-9 ,\.\-_]*$/) { - $errormessage = $Lang::tr{'invalid input for department'}; - goto ROOTCERT_ERROR; - } - if ($cgiparams{'ROOTCERT_CITY'} ne '' && $cgiparams{'ROOTCERT_CITY'} !~ /^[a-zA-Z0-9 ,\.\-_]*$/) { - $errormessage = $Lang::tr{'invalid input for city'}; - goto ROOTCERT_ERROR; - } - if ($cgiparams{'ROOTCERT_STATE'} ne '' && $cgiparams{'ROOTCERT_STATE'} !~ /^[a-zA-Z0-9 ,\.\-_]*$/) { - $errormessage = $Lang::tr{'invalid input for state or province'}; - goto ROOTCERT_ERROR; - } - if ($cgiparams{'ROOTCERT_COUNTRY'} !~ /^[A-Z]*$/) { - $errormessage = $Lang::tr{'invalid input for country'}; - goto ROOTCERT_ERROR; - } - #the exact syntax is a list comma separated of - # email:any-validemail - # URI: a uniform resource indicator - # DNS: a DNS domain name - # RID: a registered OBJECT IDENTIFIER - # IP: an IP address - # example: email:franck(a)foo.com,IP:10.0.0.10,DNS:franck.foo.com - - if ($cgiparams{'SUBJECTALTNAME'} ne '' && $cgiparams{'SUBJECTALTNAME'} !~ /^(email|URI|DNS|RID|IP):[a-zA-Z0-9 :\/,\.\-_@]*$/) { - $errormessage = $Lang::tr{'vpn altname syntax'}; - goto VPNCONF_ERROR; - } - - # Copy the cgisettings to vpnsettings and save the configfile - $vpnsettings{'ROOTCERT_ORGANIZATION'} = $cgiparams{'ROOTCERT_ORGANIZATION'}; - $vpnsettings{'ROOTCERT_HOSTNAME'} = $cgiparams{'ROOTCERT_HOSTNAME'}; - $vpnsettings{'ROOTCERT_EMAIL'} = $cgiparams{'ROOTCERT_EMAIL'}; - $vpnsettings{'ROOTCERT_OU'} = $cgiparams{'ROOTCERT_OU'}; - $vpnsettings{'ROOTCERT_CITY'} = $cgiparams{'ROOTCERT_CITY'}; - $vpnsettings{'ROOTCERT_STATE'} = $cgiparams{'ROOTCERT_STATE'}; - $vpnsettings{'ROOTCERT_COUNTRY'} = $cgiparams{'ROOTCERT_COUNTRY'}; - &General::writehash("${General::swroot}/vpn/settings", \%vpnsettings); + # Extract the Host key from the file + if (!$errormessage) { + &General::log("ipsec", "Extracting private key from p12..."); + if (open(STDIN, "-|")) { + my $opt = " pkcs12 -nocerts -nodes"; + $opt .= " -in $filename"; + $opt .= " -out /tmp/newhostkey"; + $errormessage = &callssl ($opt); + } else { #child + print "$cgiparams{'P12_PASS'}\n"; + exit (0); + } + } - # Replace empty strings with a . - (my $ou = $cgiparams{'ROOTCERT_OU'}) =~ s/^\s*$/\./; - (my $city = $cgiparams{'ROOTCERT_CITY'}) =~ s/^\s*$/\./; - (my $state = $cgiparams{'ROOTCERT_STATE'}) =~ s/^\s*$/\./; - - # Create the CA certificate - if (!$errormessage) { - &General::log("ipsec", "Creating cacert..."); - if (open(STDIN, "-|")) { - my $opt = " req -x509 -sha256 -nodes"; - $opt .= " -days 999999"; - $opt .= " -newkey rsa:4096"; - $opt .= " -keyout ${General::swroot}/private/cakey.pem"; - $opt .= " -out ${General::swroot}/ca/cacert.pem"; - - $errormessage = &callssl ($opt); - } else { #child - print "$cgiparams{'ROOTCERT_COUNTRY'}\n"; - print "$state\n"; - print "$city\n"; - print "$cgiparams{'ROOTCERT_ORGANIZATION'}\n"; - print "$ou\n"; - print "$cgiparams{'ROOTCERT_ORGANIZATION'} CA\n"; - print "$cgiparams{'ROOTCERT_EMAIL'}\n"; - exit (0); - } - } - - # Create the Host certificate request - if (!$errormessage) { - &General::log("ipsec", "Creating host cert..."); - if (open(STDIN, "-|")) { - my $opt = " req -sha256 -nodes"; - $opt .= " -newkey rsa:2048"; - $opt .= " -keyout ${General::swroot}/certs/hostkey.pem"; - $opt .= " -out ${General::swroot}/certs/hostreq.pem"; - $errormessage = &callssl ($opt); - } else { #child - print "$cgiparams{'ROOTCERT_COUNTRY'}\n"; - print "$state\n"; - print "$city\n"; - print "$cgiparams{'ROOTCERT_ORGANIZATION'}\n"; - print "$ou\n"; - print "$cgiparams{'ROOTCERT_HOSTNAME'}\n"; - print "$cgiparams{'ROOTCERT_EMAIL'}\n"; - print ".\n"; - print ".\n"; - exit (0); - } - } + if (!$errormessage) { + &General::log("ipsec", "Moving cacert..."); + move("/tmp/newcacert", "${General::swroot}/ca/cacert.pem"); + $errormessage = "$Lang::tr{'certificate file move failed'}: $!" if ($? ne 0); + } - # Sign the host certificate request - if (!$errormessage) { - &General::log("ipsec", "Self signing host cert..."); + if (!$errormessage) { + &General::log("ipsec", "Moving host cert..."); + move("/tmp/newhostcert", "${General::swroot}/certs/hostcert.pem"); + $errormessage = "$Lang::tr{'certificate file move failed'}: $!" if ($? ne 0); + } - #No easy way for specifying the contain of subjectAltName without writing a config file... - my ($fh, $v3extname) = tempfile ('/tmp/XXXXXXXX'); - print $fh <<END - basicConstraints=CA:FALSE - nsComment="OpenSSL Generated Certificate" - subjectKeyIdentifier=hash - authorityKeyIdentifier=keyid,issuer:always - extendedKeyUsage = serverAuth + if (!$errormessage) { + &General::log("ipsec", "Moving private key..."); + move("/tmp/newhostkey", "${General::swroot}/certs/hostkey.pem"); + $errormessage = "$Lang::tr{'certificate file move failed'}: $!" if ($? ne 0); + } + + #cleanup temp files + unlink ($filename); + unlink ('/tmp/newcacert'); + unlink ('/tmp/newhostcert'); + unlink ('/tmp/newhostkey'); + if ($errormessage) { + unlink ("${General::swroot}/ca/cacert.pem"); + unlink ("${General::swroot}/certs/hostcert.pem"); + unlink ("${General::swroot}/certs/hostkey.pem"); + goto ROOTCERT_ERROR; + } + + # Create empty CRL cannot be done because we don't have + # the private key for this CAROOT + # IPFire can only import certificates + + &General::log("ipsec", "p12 import completed!"); + &cleanssldatabase(); + goto ROOTCERT_SUCCESS; + + } elsif ($cgiparams{'ROOTCERT_COUNTRY'} ne '') { + + # Validate input since the form was submitted + if ($cgiparams{'ROOTCERT_ORGANIZATION'} eq ''){ + $errormessage = $Lang::tr{'organization cant be empty'}; + goto ROOTCERT_ERROR; + } + if (length($cgiparams{'ROOTCERT_ORGANIZATION'}) >60) { + $errormessage = $Lang::tr{'organization too long'}; + goto ROOTCERT_ERROR; + } + if ($cgiparams{'ROOTCERT_ORGANIZATION'} !~ /^[a-zA-Z0-9 ,\.\-_]*$/) { + $errormessage = $Lang::tr{'invalid input for organization'}; + goto ROOTCERT_ERROR; + } + if ($cgiparams{'ROOTCERT_HOSTNAME'} eq ''){ + $errormessage = $Lang::tr{'hostname cant be empty'}; + goto ROOTCERT_ERROR; + } + unless (&General::validfqdn($cgiparams{'ROOTCERT_HOSTNAME'}) || &General::validip($cgiparams{'ROOTCERT_HOSTNAME'})) { + $errormessage = $Lang::tr{'invalid input for hostname'}; + goto ROOTCERT_ERROR; + } + if ($cgiparams{'ROOTCERT_EMAIL'} ne '' && (! &General::validemail($cgiparams{'ROOTCERT_EMAIL'}))) { + $errormessage = $Lang::tr{'invalid input for e-mail address'}; + goto ROOTCERT_ERROR; + } + if (length($cgiparams{'ROOTCERT_EMAIL'}) > 40) { + $errormessage = $Lang::tr{'e-mail address too long'}; + goto ROOTCERT_ERROR; + } + if ($cgiparams{'ROOTCERT_OU'} ne '' && $cgiparams{'ROOTCERT_OU'} !~ /^[a-zA-Z0-9 ,\.\-_]*$/) { + $errormessage = $Lang::tr{'invalid input for department'}; + goto ROOTCERT_ERROR; + } + if ($cgiparams{'ROOTCERT_CITY'} ne '' && $cgiparams{'ROOTCERT_CITY'} !~ /^[a-zA-Z0-9 ,\.\-_]*$/) { + $errormessage = $Lang::tr{'invalid input for city'}; + goto ROOTCERT_ERROR; + } + if ($cgiparams{'ROOTCERT_STATE'} ne '' && $cgiparams{'ROOTCERT_STATE'} !~ /^[a-zA-Z0-9 ,\.\-_]*$/) { + $errormessage = $Lang::tr{'invalid input for state or province'}; + goto ROOTCERT_ERROR; + } + if ($cgiparams{'ROOTCERT_COUNTRY'} !~ /^[A-Z]*$/) { + $errormessage = $Lang::tr{'invalid input for country'}; + goto ROOTCERT_ERROR; + } + #the exact syntax is a list comma separated of + # email:any-validemail + # URI: a uniform resource indicator + # DNS: a DNS domain name + # RID: a registered OBJECT IDENTIFIER + # IP: an IP address + # example: email:franck(a)foo.com,IP:10.0.0.10,DNS:franck.foo.com + + if ($cgiparams{'SUBJECTALTNAME'} ne '' && $cgiparams{'SUBJECTALTNAME'} !~ /^(email|URI|DNS|RID|IP):[a-zA-Z0-9 :\/,\.\-_@]*$/) { + $errormessage = $Lang::tr{'vpn altname syntax'}; + goto VPNCONF_ERROR; + } + + # Copy the cgisettings to vpnsettings and save the configfile + $vpnsettings{'ROOTCERT_ORGANIZATION'} = $cgiparams{'ROOTCERT_ORGANIZATION'}; + $vpnsettings{'ROOTCERT_HOSTNAME'} = $cgiparams{'ROOTCERT_HOSTNAME'}; + $vpnsettings{'ROOTCERT_EMAIL'} = $cgiparams{'ROOTCERT_EMAIL'}; + $vpnsettings{'ROOTCERT_OU'} = $cgiparams{'ROOTCERT_OU'}; + $vpnsettings{'ROOTCERT_CITY'} = $cgiparams{'ROOTCERT_CITY'}; + $vpnsettings{'ROOTCERT_STATE'} = $cgiparams{'ROOTCERT_STATE'}; + $vpnsettings{'ROOTCERT_COUNTRY'} = $cgiparams{'ROOTCERT_COUNTRY'}; + &General::writehash("${General::swroot}/vpn/settings", \%vpnsettings); + + # Replace empty strings with a . + (my $ou = $cgiparams{'ROOTCERT_OU'}) =~ s/^\s*$/\./; + (my $city = $cgiparams{'ROOTCERT_CITY'}) =~ s/^\s*$/\./; + (my $state = $cgiparams{'ROOTCERT_STATE'}) =~ s/^\s*$/\./; + + # Create the CA certificate + if (!$errormessage) { + &General::log("ipsec", "Creating cacert..."); + if (open(STDIN, "-|")) { + my $opt = " req -x509 -sha256 -nodes"; + $opt .= " -days 999999"; + $opt .= " -newkey rsa:4096"; + $opt .= " -keyout ${General::swroot}/private/cakey.pem"; + $opt .= " -out ${General::swroot}/ca/cacert.pem"; + + $errormessage = &callssl ($opt); + } else { #child + print "$cgiparams{'ROOTCERT_COUNTRY'}\n"; + print "$state\n"; + print "$city\n"; + print "$cgiparams{'ROOTCERT_ORGANIZATION'}\n"; + print "$ou\n"; + print "$cgiparams{'ROOTCERT_ORGANIZATION'} CA\n"; + print "$cgiparams{'ROOTCERT_EMAIL'}\n"; + exit (0); + } + } + + # Create the Host certificate request + if (!$errormessage) { + &General::log("ipsec", "Creating host cert..."); + if (open(STDIN, "-|")) { + my $opt = " req -sha256 -nodes"; + $opt .= " -newkey rsa:2048"; + $opt .= " -keyout ${General::swroot}/certs/hostkey.pem"; + $opt .= " -out ${General::swroot}/certs/hostreq.pem"; + $errormessage = &callssl ($opt); + } else { #child + print "$cgiparams{'ROOTCERT_COUNTRY'}\n"; + print "$state\n"; + print "$city\n"; + print "$cgiparams{'ROOTCERT_ORGANIZATION'}\n"; + print "$ou\n"; + print "$cgiparams{'ROOTCERT_HOSTNAME'}\n"; + print "$cgiparams{'ROOTCERT_EMAIL'}\n"; + print ".\n"; + print ".\n"; + exit (0); + } + } + + # Sign the host certificate request + if (!$errormessage) { + &General::log("ipsec", "Self signing host cert..."); + + #No easy way for specifying the contain of subjectAltName without writing a config file... + my ($fh, $v3extname) = tempfile ('/tmp/XXXXXXXX'); + print $fh <<END + basicConstraints=CA:FALSE + nsComment="OpenSSL Generated Certificate" + subjectKeyIdentifier=hash + authorityKeyIdentifier=keyid,issuer:always + extendedKeyUsage = serverAuth END ; - print $fh "subjectAltName=$cgiparams{'SUBJECTALTNAME'}" if ($cgiparams{'SUBJECTALTNAME'}); - close ($fh); - - my $opt = " ca -md sha256 -days 999999"; - $opt .= " -batch -notext"; - $opt .= " -in ${General::swroot}/certs/hostreq.pem"; - $opt .= " -out ${General::swroot}/certs/hostcert.pem"; - $opt .= " -extfile $v3extname"; - $errormessage = &callssl ($opt); - unlink ("${General::swroot}/certs/hostreq.pem"); #no more needed - unlink ($v3extname); - } - - # Create an empty CRL - if (!$errormessage) { - &General::log("ipsec", "Creating emptycrl..."); - my $opt = " ca -gencrl"; - $opt .= " -out ${General::swroot}/crls/cacrl.pem"; - $errormessage = &callssl ($opt); - } - - # Successfully build CA / CERT! - if (!$errormessage) { - &cleanssldatabase(); - goto ROOTCERT_SUCCESS; - } - - #Cleanup - unlink ("${General::swroot}/ca/cacert.pem"); - unlink ("${General::swroot}/certs/hostkey.pem"); - unlink ("${General::swroot}/certs/hostcert.pem"); - unlink ("${General::swroot}/crls/cacrl.pem"); - &cleanssldatabase(); - } - - ROOTCERT_ERROR: - &Header::showhttpheaders(); - &Header::openpage($Lang::tr{'ipsec'}, 1, ''); - &Header::openbigbox('100%', 'left', '', $errormessage); - if ($errormessage) { - &Header::openbox('100%', 'left', $Lang::tr{'error messages'}); - print "<class name='base'>$errormessage"; - print " </class>"; - &Header::closebox(); - } - &Header::openbox('100%', 'left', "$Lang::tr{'generate root/host certificates'}:"); - print <<END - <form method='post' enctype='multipart/form-data' action='$ENV{'SCRIPT_NAME'}'> - <table width='100%' border='0' cellspacing='1' cellpadding='0'> - <tr><td width='40%' class='base'>$Lang::tr{'organization name'}: <img src='/blob.gif' alt='*' /></td> - <td width='60%' class='base' nowrap='nowrap'><input type='text' name='ROOTCERT_ORGANIZATION' value='$cgiparams{'ROOTCERT_ORGANIZATION'}' size='32' /></td></tr> - <tr><td class='base'>$Lang::tr{'ipfires hostname'}: <img src='/blob.gif' alt='*' /></td> - <td class='base' nowrap='nowrap'><input type='text' name='ROOTCERT_HOSTNAME' value='$cgiparams{'ROOTCERT_HOSTNAME'}' size='32' /></td></tr> - <tr><td class='base'>$Lang::tr{'your e-mail'}:</td> - <td class='base' nowrap='nowrap'><input type='text' name='ROOTCERT_EMAIL' value='$cgiparams{'ROOTCERT_EMAIL'}' size='32' /></td></tr> - <tr><td class='base'>$Lang::tr{'your department'}:</td> - <td class='base' nowrap='nowrap'><input type='text' name='ROOTCERT_OU' value='$cgiparams{'ROOTCERT_OU'}' size='32' /></td></tr> - <tr><td class='base'>$Lang::tr{'city'}:</td> - <td class='base' nowrap='nowrap'><input type='text' name='ROOTCERT_CITY' value='$cgiparams{'ROOTCERT_CITY'}' size='32' /></td></tr> - <tr><td class='base'>$Lang::tr{'state or province'}:</td> - <td class='base' nowrap='nowrap'><input type='text' name='ROOTCERT_STATE' value='$cgiparams{'ROOTCERT_STATE'}' size='32' /></td></tr> - <tr><td class='base'>$Lang::tr{'country'}:</td> - <td class='base'><select name='ROOTCERT_COUNTRY'> + print $fh "subjectAltName=$cgiparams{'SUBJECTALTNAME'}" if ($cgiparams{'SUBJECTALTNAME'}); + close ($fh); + + my $opt = " ca -md sha256 -days 999999"; + $opt .= " -batch -notext"; + $opt .= " -in ${General::swroot}/certs/hostreq.pem"; + $opt .= " -out ${General::swroot}/certs/hostcert.pem"; + $opt .= " -extfile $v3extname"; + $errormessage = &callssl ($opt); + unlink ("${General::swroot}/certs/hostreq.pem"); #no more needed + unlink ($v3extname); + } + + # Create an empty CRL + if (!$errormessage) { + &General::log("ipsec", "Creating emptycrl..."); + my $opt = " ca -gencrl"; + $opt .= " -out ${General::swroot}/crls/cacrl.pem"; + $errormessage = &callssl ($opt); + } + + # Successfully build CA / CERT! + if (!$errormessage) { + &cleanssldatabase(); + goto ROOTCERT_SUCCESS; + } + + #Cleanup + unlink ("${General::swroot}/ca/cacert.pem"); + unlink ("${General::swroot}/certs/hostkey.pem"); + unlink ("${General::swroot}/certs/hostcert.pem"); + unlink ("${General::swroot}/crls/cacrl.pem"); + &cleanssldatabase(); + } + + ROOTCERT_ERROR: + &Header::showhttpheaders(); + &Header::openpage($Lang::tr{'ipsec'}, 1, ''); + &Header::openbigbox('100%', 'left', '', $errormessage); + if ($errormessage) { + &Header::openbox('100%', 'left', $Lang::tr{'error messages'}); + print "<class name='base'>$errormessage"; + print " </class>"; + &Header::closebox(); + } + &Header::openbox('100%', 'left', "$Lang::tr{'generate root/host certificates'}:"); + print <<END + <form method='post' enctype='multipart/form-data' action='$ENV{'SCRIPT_NAME'}'> + <table width='100%' border='0' cellspacing='1' cellpadding='0'> + <tr><td width='40%' class='base'>$Lang::tr{'organization name'}: <img src='/blob.gif' alt='*' /></td> + <td width='60%' class='base' nowrap='nowrap'><input type='text' name='ROOTCERT_ORGANIZATION' value='$cgiparams{'ROOTCERT_ORGANIZATION'}' size='32' /></td></tr> + <tr><td class='base'>$Lang::tr{'ipfires hostname'}: <img src='/blob.gif' alt='*' /></td> + <td class='base' nowrap='nowrap'><input type='text' name='ROOTCERT_HOSTNAME' value='$cgiparams{'ROOTCERT_HOSTNAME'}' size='32' /></td></tr> + <tr><td class='base'>$Lang::tr{'your e-mail'}:</td> + <td class='base' nowrap='nowrap'><input type='text' name='ROOTCERT_EMAIL' value='$cgiparams{'ROOTCERT_EMAIL'}' size='32' /></td></tr> + <tr><td class='base'>$Lang::tr{'your department'}:</td> + <td class='base' nowrap='nowrap'><input type='text' name='ROOTCERT_OU' value='$cgiparams{'ROOTCERT_OU'}' size='32' /></td></tr> + <tr><td class='base'>$Lang::tr{'city'}:</td> + <td class='base' nowrap='nowrap'><input type='text' name='ROOTCERT_CITY' value='$cgiparams{'ROOTCERT_CITY'}' size='32' /></td></tr> + <tr><td class='base'>$Lang::tr{'state or province'}:</td> + <td class='base' nowrap='nowrap'><input type='text' name='ROOTCERT_STATE' value='$cgiparams{'ROOTCERT_STATE'}' size='32' /></td></tr> + <tr><td class='base'>$Lang::tr{'country'}:</td> + <td class='base'><select name='ROOTCERT_COUNTRY'> END - ; - foreach my $country (sort keys %{Countries::countries}) { - print "<option value='$Countries::countries{$country}'"; - if ( $Countries::countries{$country} eq $cgiparams{'ROOTCERT_COUNTRY'} ) { - print " selected='selected'"; - } - print ">$country</option>"; - } - print <<END - </select></td></tr> - <tr><td class='base'>$Lang::tr{'vpn subjectaltname'} (subjectAltName=email:*,URI:*,DNS:*,RID:*)</td> +; + foreach my $country (sort keys %{Countries::countries}) { + print "<option value='$Countries::countries{$country}'"; + if ( $Countries::countries{$country} eq $cgiparams{'ROOTCERT_COUNTRY'} ) { + print " selected='selected'"; + } + print ">$country</option>"; + } + print <<END + </select></td></tr> + <tr><td class='base'>$Lang::tr{'vpn subjectaltname'} (subjectAltName=email:*,URI:*,DNS:*,RID:*)</td> <td class='base' nowrap='nowrap'><input type='text' name='SUBJECTALTNAME' value='$cgiparams{'SUBJECTALTNAME'}' size='32' /></td></tr> - <tr><td> </td> - <td><br /><input type='submit' name='ACTION' value='$Lang::tr{'generate root/host certificates'}' /><br /><br /></td></tr> - <tr><td class='base' colspan='2' align='left'> - <b><font color='${Header::colourred}'>$Lang::tr{'capswarning'}</font></b>: - $Lang::tr{'generating the root and host certificates may take a long time. it can take up to several minutes on older hardware. please be patient'} - </td></tr> - <tr><td colspan='2'><hr></td></tr> - <tr><td class='base' nowrap='nowrap'>$Lang::tr{'upload p12 file'}:</td> - <td nowrap='nowrap'><input type='file' name='FH' size='32' /></td></tr> - <tr><td class='base'>$Lang::tr{'pkcs12 file password'}:</td> - <td class='base' nowrap='nowrap'><input type='password' name='P12_PASS' value='$cgiparams{'P12_PASS'}' size='32' /></td></tr> - <tr><td> </td> - <td><input type='submit' name='ACTION' value='$Lang::tr{'upload p12 file'}' /></td></tr> - <tr><td class='base' colspan='2' align='left'> - <img src='/blob.gif' alt='*' /> $Lang::tr{'required field'}</td></tr> - </table></form> + <tr><td> </td> + <td><br /><input type='submit' name='ACTION' value='$Lang::tr{'generate root/host certificates'}' /><br /><br /></td></tr> + <tr><td class='base' colspan='2' align='left'> + <b><font color='${Header::colourred}'>$Lang::tr{'capswarning'}</font></b>: + $Lang::tr{'generating the root and host certificates may take a long time. it can take up to several minutes on older hardware. please be patient'} + </td></tr> + <tr><td colspan='2'><hr></td></tr> + <tr><td class='base' nowrap='nowrap'>$Lang::tr{'upload p12 file'}:</td> + <td nowrap='nowrap'><input type='file' name='FH' size='32' /></td></tr> + <tr><td class='base'>$Lang::tr{'pkcs12 file password'}:</td> + <td class='base' nowrap='nowrap'><input type='password' name='P12_PASS' value='$cgiparams{'P12_PASS'}' size='32' /></td></tr> + <tr><td> </td> + <td><input type='submit' name='ACTION' value='$Lang::tr{'upload p12 file'}' /></td></tr> + <tr><td class='base' colspan='2' align='left'> + <img src='/blob.gif' alt='*' /> $Lang::tr{'required field'}</td></tr> + </table></form> END - ; - &Header::closebox(); - &Header::closebigbox(); - &Header::closepage(); - exit(0); - - ROOTCERT_SUCCESS: - if (&vpnenabled) { - system('/usr/local/bin/ipsecctrl', 'S'); - sleep $sleepDelay; - } - ROOTCERT_SKIP: +; + &Header::closebox(); + &Header::closebigbox(); + &Header::closepage(); + exit(0); + + ROOTCERT_SUCCESS: + if (&vpnenabled) { + system('/usr/local/bin/ipsecctrl', 'S'); + sleep $sleepDelay; + } + ROOTCERT_SKIP: ### ### Export PKCS12 file to browser ### } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'download pkcs12 file'}) { - &General::readhasharray("${General::swroot}/vpn/config", \%confighash); - print "Content-Type: application/force-download\n"; - print "Content-Disposition: attachment; filename=" . $confighash{$cgiparams{'KEY'}}[1] . ".p12\r\n"; - print "Content-Type: application/octet-stream\r\n\r\n"; - print `/bin/cat ${General::swroot}/certs/$confighash{$cgiparams{'KEY'}}[1].p12`; - exit (0); + &General::readhasharray("${General::swroot}/vpn/config", \%confighash); + print "Content-Type: application/force-download\n"; + print "Content-Disposition: attachment; filename=" . $confighash{$cgiparams{'KEY'}}[1] . ".p12\r\n"; + print "Content-Type: application/octet-stream\r\n\r\n"; + print `/bin/cat ${General::swroot}/certs/$confighash{$cgiparams{'KEY'}}[1].p12`; + exit (0); ### ### Display certificate ### } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'show certificate'}) { - &General::readhasharray("${General::swroot}/vpn/config", \%confighash); - - if ( -f "${General::swroot}/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem") { - &Header::showhttpheaders(); - &Header::openpage($Lang::tr{'ipsec'}, 1, ''); - &Header::openbigbox('100%', 'left', '', ''); - &Header::openbox('100%', 'left', "$Lang::tr{'cert'}:"); - my $output = `/usr/bin/openssl x509 -text -in ${General::swroot}/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem`; - $output = &Header::cleanhtml($output,"y"); - print "<pre>$output</pre>\n"; - &Header::closebox(); - print "<div align='center'><a href='/cgi-bin/vpnmain.cgi'>$Lang::tr{'back'}</a></div>"; - &Header::closebigbox(); - &Header::closepage(); - exit(0); - } + &General::readhasharray("${General::swroot}/vpn/config", \%confighash); + + if ( -f "${General::swroot}/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem") { + &Header::showhttpheaders(); + &Header::openpage($Lang::tr{'ipsec'}, 1, ''); + &Header::openbigbox('100%', 'left', '', ''); + &Header::openbox('100%', 'left', "$Lang::tr{'cert'}:"); + my $output = `/usr/bin/openssl x509 -text -in ${General::swroot}/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem`; + $output = &Header::cleanhtml($output,"y"); + print "<pre>$output</pre>\n"; + &Header::closebox(); + print "<div align='center'><a href='/cgi-bin/vpnmain.cgi'>$Lang::tr{'back'}</a></div>"; + &Header::closebigbox(); + &Header::closepage(); + exit(0); + } ### ### Export Certificate to browser ### } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'download certificate'}) { - &General::readhasharray("${General::swroot}/vpn/config", \%confighash); + &General::readhasharray("${General::swroot}/vpn/config", \%confighash); - if ( -f "${General::swroot}/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem") { - print "Content-Type: application/force-download\n"; - print "Content-Disposition: attachment; filename=" . $confighash{$cgiparams{'KEY'}}[1] . "cert.pem\n\n"; - print `/bin/cat ${General::swroot}/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem`; - exit (0); - } + if ( -f "${General::swroot}/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem") { + print "Content-Type: application/force-download\n"; + print "Content-Disposition: attachment; filename=" . $confighash{$cgiparams{'KEY'}}[1] . "cert.pem\n\n"; + print `/bin/cat ${General::swroot}/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem`; + exit (0); + } ### ### Enable/Disable connection ### } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'toggle enable disable'}) { - - &General::readhash("${General::swroot}/vpn/settings", \%vpnsettings); - &General::readhasharray("${General::swroot}/vpn/config", \%confighash); - - if ($confighash{$cgiparams{'KEY'}}) { - if ($confighash{$cgiparams{'KEY'}}[0] eq 'off') { - $confighash{$cgiparams{'KEY'}}[0] = 'on'; - &General::writehasharray("${General::swroot}/vpn/config", \%confighash); - &writeipsecfiles(); - system('/usr/local/bin/ipsecctrl', 'S', $cgiparams{'KEY'}) if (&vpnenabled); + + &General::readhash("${General::swroot}/vpn/settings", \%vpnsettings); + &General::readhasharray("${General::swroot}/vpn/config", \%confighash); + + if ($confighash{$cgiparams{'KEY'}}) { + if ($confighash{$cgiparams{'KEY'}}[0] eq 'off') { + $confighash{$cgiparams{'KEY'}}[0] = 'on'; + &General::writehasharray("${General::swroot}/vpn/config", \%confighash); + &writeipsecfiles(); + system('/usr/local/bin/ipsecctrl', 'S', $cgiparams{'KEY'}) if (&vpnenabled); + } else { + system('/usr/local/bin/ipsecctrl', 'D', $cgiparams{'KEY'}) if (&vpnenabled); + $confighash{$cgiparams{'KEY'}}[0] = 'off'; + &General::writehasharray("${General::swroot}/vpn/config", \%confighash); + &writeipsecfiles(); + } + sleep $sleepDelay; } else { - system('/usr/local/bin/ipsecctrl', 'D', $cgiparams{'KEY'}) if (&vpnenabled); - $confighash{$cgiparams{'KEY'}}[0] = 'off'; - &General::writehasharray("${General::swroot}/vpn/config", \%confighash); - &writeipsecfiles(); + $errormessage = $Lang::tr{'invalid key'}; } - sleep $sleepDelay; - } else { - $errormessage = $Lang::tr{'invalid key'}; - } ### ### Restart connection ### } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'restart'}) { - &General::readhash("${General::swroot}/vpn/settings", \%vpnsettings); - &General::readhasharray("${General::swroot}/vpn/config", \%confighash); + &General::readhash("${General::swroot}/vpn/settings", \%vpnsettings); + &General::readhasharray("${General::swroot}/vpn/config", \%confighash); - if ($confighash{$cgiparams{'KEY'}}) { - if (&vpnenabled) { - system('/usr/local/bin/ipsecctrl', 'S', $cgiparams{'KEY'}); - sleep $sleepDelay; + if ($confighash{$cgiparams{'KEY'}}) { + if (&vpnenabled) { + system('/usr/local/bin/ipsecctrl', 'S', $cgiparams{'KEY'}); + sleep $sleepDelay; + } + } else { + $errormessage = $Lang::tr{'invalid key'}; } - } else { - $errormessage = $Lang::tr{'invalid key'}; - } ### ### Remove connection ### } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'remove'}) { - &General::readhash("${General::swroot}/vpn/settings", \%vpnsettings); - &General::readhasharray("${General::swroot}/vpn/config", \%confighash); - - if ($confighash{$cgiparams{'KEY'}}) { - system('/usr/local/bin/ipsecctrl', 'D', $cgiparams{'KEY'}) if (&vpnenabled); - unlink ("${General::swroot}/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem"); - unlink ("${General::swroot}/certs/$confighash{$cgiparams{'KEY'}}[1].p12"); - delete $confighash{$cgiparams{'KEY'}}; - &General::writehasharray("${General::swroot}/vpn/config", \%confighash); - &writeipsecfiles(); - } else { - $errormessage = $Lang::tr{'invalid key'}; - } + &General::readhash("${General::swroot}/vpn/settings", \%vpnsettings); + &General::readhasharray("${General::swroot}/vpn/config", \%confighash); + + if ($confighash{$cgiparams{'KEY'}}) { + system('/usr/local/bin/ipsecctrl', 'D', $cgiparams{'KEY'}) if (&vpnenabled); + unlink ("${General::swroot}/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem"); + unlink ("${General::swroot}/certs/$confighash{$cgiparams{'KEY'}}[1].p12"); + delete $confighash{$cgiparams{'KEY'}}; + &General::writehasharray("${General::swroot}/vpn/config", \%confighash); + &writeipsecfiles(); + } else { + $errormessage = $Lang::tr{'invalid key'}; + } &General::firewall_reload(); ### ### Choose between adding a host-net or net-net connection @@ -1224,20 +1222,20 @@ END &Header::openbigbox('100%', 'left', '', ''); &Header::openbox('100%', 'left', $Lang::tr{'connection type'}); print <<END - <form method='post' action='$ENV{'SCRIPT_NAME'}'> - <b>$Lang::tr{'connection type'}:</b><br /> - <table> - <tr><td><input type='radio' name='TYPE' value='host' checked='checked' /></td> + <form method='post' action='$ENV{'SCRIPT_NAME'}'> + <b>$Lang::tr{'connection type'}:</b><br /> + <table> + <tr><td><input type='radio' name='TYPE' value='host' checked='checked' /></td> <td class='base'>$Lang::tr{'host to net vpn'}</td> - </tr><tr> + </tr><tr> <td><input type='radio' name='TYPE' value='net' /></td> <td class='base'>$Lang::tr{'net to net vpn'}</td> - </tr><tr> + </tr><tr> <td align='center' colspan='2'><input type='submit' name='ACTION' value='$Lang::tr{'add'}' /></td> - </tr> - </table></form> + </tr> + </table></form> END - ; +; &Header::closebox(); &Header::closebigbox(); &Header::closepage(); @@ -1246,512 +1244,512 @@ END ### Adding/Editing/Saving a connection ### } elsif (($cgiparams{'ACTION'} eq $Lang::tr{'add'}) || - ($cgiparams{'ACTION'} eq $Lang::tr{'edit'}) || - ($cgiparams{'ACTION'} eq $Lang::tr{'save'} && $cgiparams{'ADVANCED'} eq '')) { - - &General::readhash("${General::swroot}/vpn/settings", \%vpnsettings); - &General::readhasharray("${General::swroot}/vpn/caconfig", \%cahash); - &General::readhasharray("${General::swroot}/vpn/config", \%confighash); - - if ($cgiparams{'ACTION'} eq $Lang::tr{'edit'}) { - if (! $confighash{$cgiparams{'KEY'}}[0]) { - $errormessage = $Lang::tr{'invalid key'}; - goto VPNCONF_END; - } - $cgiparams{'ENABLED'} = $confighash{$cgiparams{'KEY'}}[0]; - $cgiparams{'NAME'} = $confighash{$cgiparams{'KEY'}}[1]; - $cgiparams{'TYPE'} = $confighash{$cgiparams{'KEY'}}[3]; - $cgiparams{'AUTH'} = $confighash{$cgiparams{'KEY'}}[4]; - $cgiparams{'PSK'} = $confighash{$cgiparams{'KEY'}}[5]; - #$cgiparams{'free'} = $confighash{$cgiparams{'KEY'}}[6]; - $cgiparams{'LOCAL_ID'} = $confighash{$cgiparams{'KEY'}}[7]; - $cgiparams{'LOCAL_SUBNET'} = $confighash{$cgiparams{'KEY'}}[8]; - $cgiparams{'REMOTE_ID'} = $confighash{$cgiparams{'KEY'}}[9]; - $cgiparams{'REMOTE'} = $confighash{$cgiparams{'KEY'}}[10]; - $cgiparams{'REMOTE_SUBNET'} = $confighash{$cgiparams{'KEY'}}[11]; - $cgiparams{'REMARK'} = $confighash{$cgiparams{'KEY'}}[25]; - $cgiparams{'DPD_ACTION'} = $confighash{$cgiparams{'KEY'}}[27]; - $cgiparams{'IKE_VERSION'} = $confighash{$cgiparams{'KEY'}}[29]; - $cgiparams{'IKE_ENCRYPTION'} = $confighash{$cgiparams{'KEY'}}[18]; - $cgiparams{'IKE_INTEGRITY'} = $confighash{$cgiparams{'KEY'}}[19]; - $cgiparams{'IKE_GROUPTYPE'} = $confighash{$cgiparams{'KEY'}}[20]; - $cgiparams{'IKE_LIFETIME'} = $confighash{$cgiparams{'KEY'}}[16]; - $cgiparams{'ESP_ENCRYPTION'} = $confighash{$cgiparams{'KEY'}}[21]; - $cgiparams{'ESP_INTEGRITY'} = $confighash{$cgiparams{'KEY'}}[22]; - $cgiparams{'ESP_GROUPTYPE'} = $confighash{$cgiparams{'KEY'}}[23]; - if ($cgiparams{'ESP_GROUPTYPE'} eq "") { - $cgiparams{'ESP_GROUPTYPE'} = $cgiparams{'IKE_GROUPTYPE'}; - } - $cgiparams{'ESP_KEYLIFE'} = $confighash{$cgiparams{'KEY'}}[17]; - $cgiparams{'COMPRESSION'} = $confighash{$cgiparams{'KEY'}}[13]; - $cgiparams{'ONLY_PROPOSED'} = $confighash{$cgiparams{'KEY'}}[24]; - $cgiparams{'PFS'} = $confighash{$cgiparams{'KEY'}}[28]; - $cgiparams{'DPD_TIMEOUT'} = $confighash{$cgiparams{'KEY'}}[30]; - $cgiparams{'DPD_DELAY'} = $confighash{$cgiparams{'KEY'}}[31]; - $cgiparams{'FORCE_MOBIKE'} = $confighash{$cgiparams{'KEY'}}[32]; + ($cgiparams{'ACTION'} eq $Lang::tr{'edit'}) || + ($cgiparams{'ACTION'} eq $Lang::tr{'save'} && $cgiparams{'ADVANCED'} eq '')) { - if (!$cgiparams{'DPD_DELAY'}) { - $cgiparams{'DPD_DELAY'} = 30; - } + &General::readhash("${General::swroot}/vpn/settings", \%vpnsettings); + &General::readhasharray("${General::swroot}/vpn/caconfig", \%cahash); + &General::readhasharray("${General::swroot}/vpn/config", \%confighash); - if (!$cgiparams{'DPD_TIMEOUT'}) { - $cgiparams{'DPD_TIMEOUT'} = 120; - } + if ($cgiparams{'ACTION'} eq $Lang::tr{'edit'}) { + if (! $confighash{$cgiparams{'KEY'}}[0]) { + $errormessage = $Lang::tr{'invalid key'}; + goto VPNCONF_END; + } + $cgiparams{'ENABLED'} = $confighash{$cgiparams{'KEY'}}[0]; + $cgiparams{'NAME'} = $confighash{$cgiparams{'KEY'}}[1]; + $cgiparams{'TYPE'} = $confighash{$cgiparams{'KEY'}}[3]; + $cgiparams{'AUTH'} = $confighash{$cgiparams{'KEY'}}[4]; + $cgiparams{'PSK'} = $confighash{$cgiparams{'KEY'}}[5]; + #$cgiparams{'free'} = $confighash{$cgiparams{'KEY'}}[6]; + $cgiparams{'LOCAL_ID'} = $confighash{$cgiparams{'KEY'}}[7]; + $cgiparams{'LOCAL_SUBNET'} = $confighash{$cgiparams{'KEY'}}[8]; + $cgiparams{'REMOTE_ID'} = $confighash{$cgiparams{'KEY'}}[9]; + $cgiparams{'REMOTE'} = $confighash{$cgiparams{'KEY'}}[10]; + $cgiparams{'REMOTE_SUBNET'} = $confighash{$cgiparams{'KEY'}}[11]; + $cgiparams{'REMARK'} = $confighash{$cgiparams{'KEY'}}[25]; + $cgiparams{'DPD_ACTION'} = $confighash{$cgiparams{'KEY'}}[27]; + $cgiparams{'IKE_VERSION'} = $confighash{$cgiparams{'KEY'}}[29]; + $cgiparams{'IKE_ENCRYPTION'} = $confighash{$cgiparams{'KEY'}}[18]; + $cgiparams{'IKE_INTEGRITY'} = $confighash{$cgiparams{'KEY'}}[19]; + $cgiparams{'IKE_GROUPTYPE'} = $confighash{$cgiparams{'KEY'}}[20]; + $cgiparams{'IKE_LIFETIME'} = $confighash{$cgiparams{'KEY'}}[16]; + $cgiparams{'ESP_ENCRYPTION'} = $confighash{$cgiparams{'KEY'}}[21]; + $cgiparams{'ESP_INTEGRITY'} = $confighash{$cgiparams{'KEY'}}[22]; + $cgiparams{'ESP_GROUPTYPE'} = $confighash{$cgiparams{'KEY'}}[23]; + if ($cgiparams{'ESP_GROUPTYPE'} eq "") { + $cgiparams{'ESP_GROUPTYPE'} = $cgiparams{'IKE_GROUPTYPE'}; + } + $cgiparams{'ESP_KEYLIFE'} = $confighash{$cgiparams{'KEY'}}[17]; + $cgiparams{'COMPRESSION'} = $confighash{$cgiparams{'KEY'}}[13]; + $cgiparams{'ONLY_PROPOSED'} = $confighash{$cgiparams{'KEY'}}[24]; + $cgiparams{'PFS'} = $confighash{$cgiparams{'KEY'}}[28]; + $cgiparams{'DPD_TIMEOUT'} = $confighash{$cgiparams{'KEY'}}[30]; + $cgiparams{'DPD_DELAY'} = $confighash{$cgiparams{'KEY'}}[31]; + $cgiparams{'FORCE_MOBIKE'} = $confighash{$cgiparams{'KEY'}}[32]; + + if (!$cgiparams{'DPD_DELAY'}) { + $cgiparams{'DPD_DELAY'} = 30; + } - } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'save'}) { - $cgiparams{'REMARK'} = &Header::cleanhtml($cgiparams{'REMARK'}); - if ($cgiparams{'TYPE'} !~ /^(host|net)$/) { - $errormessage = $Lang::tr{'connection type is invalid'}; - goto VPNCONF_ERROR; - } + if (!$cgiparams{'DPD_TIMEOUT'}) { + $cgiparams{'DPD_TIMEOUT'} = 120; + } - if ($cgiparams{'NAME'} !~ /^[a-zA-Z0-9]+$/) { - $errormessage = $Lang::tr{'name must only contain characters'}; - goto VPNCONF_ERROR; - } + } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'save'}) { + $cgiparams{'REMARK'} = &Header::cleanhtml($cgiparams{'REMARK'}); + if ($cgiparams{'TYPE'} !~ /^(host|net)$/) { + $errormessage = $Lang::tr{'connection type is invalid'}; + goto VPNCONF_ERROR; + } - if ($cgiparams{'NAME'} =~ /^(host|01|block|private|clear|packetdefault)$/) { - $errormessage = $Lang::tr{'name is invalid'}; - goto VPNCONF_ERROR; - } + if ($cgiparams{'NAME'} !~ /^[a-zA-Z0-9]+$/) { + $errormessage = $Lang::tr{'name must only contain characters'}; + goto VPNCONF_ERROR; + } - if (length($cgiparams{'NAME'}) >60) { - $errormessage = $Lang::tr{'name too long'}; - goto VPNCONF_ERROR; - } + if ($cgiparams{'NAME'} =~ /^(host|01|block|private|clear|packetdefault)$/) { + $errormessage = $Lang::tr{'name is invalid'}; + goto VPNCONF_ERROR; + } - # Check if there is no other entry with this name - if (! $cgiparams{'KEY'}) { #only for add - foreach my $key (keys %confighash) { - if ($confighash{$key}[1] eq $cgiparams{'NAME'}) { - $errormessage = $Lang::tr{'a connection with this name already exists'}; - goto VPNCONF_ERROR; + if (length($cgiparams{'NAME'}) >60) { + $errormessage = $Lang::tr{'name too long'}; + goto VPNCONF_ERROR; } - } - } - if (($cgiparams{'TYPE'} eq 'net') && (! $cgiparams{'REMOTE'})) { - $errormessage = $Lang::tr{'invalid input for remote host/ip'}; - goto VPNCONF_ERROR; - } + # Check if there is no other entry with this name + if (! $cgiparams{'KEY'}) { #only for add + foreach my $key (keys %confighash) { + if ($confighash{$key}[1] eq $cgiparams{'NAME'}) { + $errormessage = $Lang::tr{'a connection with this name already exists'}; + goto VPNCONF_ERROR; + } + } + } - if ($cgiparams{'REMOTE'}) { - if (($cgiparams{'REMOTE'} ne '%any') && (! &General::validip($cgiparams{'REMOTE'}))) { - if (! &General::validfqdn ($cgiparams{'REMOTE'})) { - $errormessage = $Lang::tr{'invalid input for remote host/ip'}; - goto VPNCONF_ERROR; - } else { - if (&valid_dns_host($cgiparams{'REMOTE'})) { - $warnmessage = "$Lang::tr{'check vpn lr'} $cgiparams{'REMOTE'}. $Lang::tr{'dns check failed'}"; - } + if (($cgiparams{'TYPE'} eq 'net') && (! $cgiparams{'REMOTE'})) { + $errormessage = $Lang::tr{'invalid input for remote host/ip'}; + goto VPNCONF_ERROR; } - } - } - unless (&General::validipandmask($cgiparams{'LOCAL_SUBNET'})) { - $errormessage = $Lang::tr{'local subnet is invalid'}; - goto VPNCONF_ERROR; - } + if ($cgiparams{'REMOTE'}) { + if (($cgiparams{'REMOTE'} ne '%any') && (! &General::validip($cgiparams{'REMOTE'}))) { + if (! &General::validfqdn ($cgiparams{'REMOTE'})) { + $errormessage = $Lang::tr{'invalid input for remote host/ip'}; + goto VPNCONF_ERROR; + } else { + if (&valid_dns_host($cgiparams{'REMOTE'})) { + $warnmessage = "$Lang::tr{'check vpn lr'} $cgiparams{'REMOTE'}. $Lang::tr{'dns check failed'}"; + } + } + } + } - # Allow only one roadwarrior/psk without remote IP-address - if ($cgiparams{'REMOTE'} eq '' && $cgiparams{'AUTH'} eq 'psk') { - foreach my $key (keys %confighash) { - if ( ($cgiparams{'KEY'} ne $key) && - ($confighash{$key}[4] eq 'psk') && - ($confighash{$key}[10] eq '') ) { - $errormessage = $Lang::tr{'you can only define one roadwarrior connection when using pre-shared key authentication'}; + unless (&General::validipandmask($cgiparams{'LOCAL_SUBNET'})) { + $errormessage = $Lang::tr{'local subnet is invalid'}; goto VPNCONF_ERROR; } - } - } - if (($cgiparams{'TYPE'} eq 'net') && (! &General::validipandmask($cgiparams{'REMOTE_SUBNET'}))) { - $errormessage = $Lang::tr{'remote subnet is invalid'}; - goto VPNCONF_ERROR; - } - if ($cgiparams{'ENABLED'} !~ /^(on|off)$/) { - $errormessage = $Lang::tr{'invalid input'}; - goto VPNCONF_ERROR; - } - if ($cgiparams{'EDIT_ADVANCED'} !~ /^(on|off)$/) { - $errormessage = $Lang::tr{'invalid input'}; - goto VPNCONF_ERROR; - } + # Allow only one roadwarrior/psk without remote IP-address + if ($cgiparams{'REMOTE'} eq '' && $cgiparams{'AUTH'} eq 'psk') { + foreach my $key (keys %confighash) { + if ( ($cgiparams{'KEY'} ne $key) && + ($confighash{$key}[4] eq 'psk') && + ($confighash{$key}[10] eq '') ) { + $errormessage = $Lang::tr{'you can only define one roadwarrior connection when using pre-shared key authentication'}; + goto VPNCONF_ERROR; + } + } + } + if (($cgiparams{'TYPE'} eq 'net') && (! &General::validipandmask($cgiparams{'REMOTE_SUBNET'}))) { + $errormessage = $Lang::tr{'remote subnet is invalid'}; + goto VPNCONF_ERROR; + } - # Allow nothing or a string (DN,FDQN,) beginning with @ - # with no comma but slashes between RID eg @O=FR/C=Paris/OU=myhome/CN=franck - if ( ($cgiparams{'LOCAL_ID'} !~ /^(|[\w.-]*@[\w. =*\/-]+|\d+\.\d+\.\d+\.\d+)$/) || - ($cgiparams{'REMOTE_ID'} !~ /^(|[\w.-]*@[\w. =*\/-]+|\d+\.\d+\.\d+\.\d+)$/) || - (($cgiparams{'REMOTE_ID'} eq $cgiparams{'LOCAL_ID'}) && ($cgiparams{'LOCAL_ID'} ne '')) - ) { - $errormessage = $Lang::tr{'invalid local-remote id'} . '<br />' . - 'DER_ASN1_DN: @c=FR/ou=Paris/ou=Home/cn=*<br />' . - 'FQDN: @ipfire.org<br />' . - 'USER_FQDN: info(a)ipfire.org<br />' . - 'IPV4_ADDR: 123.123.123.123'; - goto VPNCONF_ERROR; - } - # If Auth is DN, verify existance of Remote ID. - if ( $cgiparams{'REMOTE_ID'} eq '' && ( - $cgiparams{'AUTH'} eq 'auth-dn'|| # while creation - $confighash{$cgiparams{'KEY'}}[2] eq '%auth-dn')){ # while editing - $errormessage = $Lang::tr{'vpn missing remote id'}; - goto VPNCONF_ERROR; - } + if ($cgiparams{'ENABLED'} !~ /^(on|off)$/) { + $errormessage = $Lang::tr{'invalid input'}; + goto VPNCONF_ERROR; + } + if ($cgiparams{'EDIT_ADVANCED'} !~ /^(on|off)$/) { + $errormessage = $Lang::tr{'invalid input'}; + goto VPNCONF_ERROR; + } - if ($cgiparams{'TYPE'} eq 'net'){ - $warnmessage=&General::checksubnets('',$cgiparams{'REMOTE_SUBNET'},'ipsec'); - if ($warnmessage ne ''){ - $warnmessage=$Lang::tr{'remote subnet'}." ($cgiparams{'REMOTE_SUBNET'}) <br>".$warnmessage; + # Allow nothing or a string (DN,FDQN,) beginning with @ + # with no comma but slashes between RID eg @O=FR/C=Paris/OU=myhome/CN=franck + if ( ($cgiparams{'LOCAL_ID'} !~ /^(|[\w.-]*@[\w. =*\/-]+|\d+\.\d+\.\d+\.\d+)$/) || + ($cgiparams{'REMOTE_ID'} !~ /^(|[\w.-]*@[\w. =*\/-]+|\d+\.\d+\.\d+\.\d+)$/) || + (($cgiparams{'REMOTE_ID'} eq $cgiparams{'LOCAL_ID'}) && ($cgiparams{'LOCAL_ID'} ne '')) + ) { + $errormessage = $Lang::tr{'invalid local-remote id'} . '<br />' . + 'DER_ASN1_DN: @c=FR/ou=Paris/ou=Home/cn=*<br />' . + 'FQDN: @ipfire.org<br />' . + 'USER_FQDN: info(a)ipfire.org<br />' . + 'IPV4_ADDR: 123.123.123.123'; + goto VPNCONF_ERROR; + } + # If Auth is DN, verify existance of Remote ID. + if ( $cgiparams{'REMOTE_ID'} eq '' && ( + $cgiparams{'AUTH'} eq 'auth-dn'|| # while creation + $confighash{$cgiparams{'KEY'}}[2] eq '%auth-dn')){ # while editing + $errormessage = $Lang::tr{'vpn missing remote id'}; + goto VPNCONF_ERROR; } - } - if ($cgiparams{'AUTH'} eq 'psk') { - if (! length($cgiparams{'PSK'}) ) { - $errormessage = $Lang::tr{'pre-shared key is too short'}; - goto VPNCONF_ERROR; - } - if ($cgiparams{'PSK'} =~ /'/) { - $cgiparams{'PSK'} =~ tr/'/ /; - $errormessage = $Lang::tr{'invalid characters found in pre-shared key'}; - goto VPNCONF_ERROR; - } + if ($cgiparams{'TYPE'} eq 'net'){ + $warnmessage=&General::checksubnets('',$cgiparams{'REMOTE_SUBNET'},'ipsec'); + if ($warnmessage ne ''){ + $warnmessage=$Lang::tr{'remote subnet'}." ($cgiparams{'REMOTE_SUBNET'}) <br>".$warnmessage; + } + } + + if ($cgiparams{'AUTH'} eq 'psk') { + if (! length($cgiparams{'PSK'}) ) { + $errormessage = $Lang::tr{'pre-shared key is too short'}; + goto VPNCONF_ERROR; + } + if ($cgiparams{'PSK'} =~ /'/) { + $cgiparams{'PSK'} =~ tr/'/ /; + $errormessage = $Lang::tr{'invalid characters found in pre-shared key'}; + goto VPNCONF_ERROR; + } } elsif ($cgiparams{'AUTH'} eq 'certreq') { - if ($cgiparams{'KEY'}) { - $errormessage = $Lang::tr{'cant change certificates'}; - goto VPNCONF_ERROR; - } - if (ref ($cgiparams{'FH'}) ne 'Fh') { - $errormessage = $Lang::tr{'there was no file upload'}; - goto VPNCONF_ERROR; - } + if ($cgiparams{'KEY'}) { + $errormessage = $Lang::tr{'cant change certificates'}; + goto VPNCONF_ERROR; + } + if (ref ($cgiparams{'FH'}) ne 'Fh') { + $errormessage = $Lang::tr{'there was no file upload'}; + goto VPNCONF_ERROR; + } - # Move uploaded certificate request to a temporary file - (my $fh, my $filename) = tempfile( ); - if (copy ($cgiparams{'FH'}, $fh) != 1) { - $errormessage = $!; - goto VPNCONF_ERROR; - } + # Move uploaded certificate request to a temporary file + (my $fh, my $filename) = tempfile( ); + if (copy ($cgiparams{'FH'}, $fh) != 1) { + $errormessage = $!; + goto VPNCONF_ERROR; + } - # Sign the certificate request - &General::log("ipsec", "Signing your cert $cgiparams{'NAME'}..."); - my $opt = " ca -md sha256 -days 999999"; + # Sign the certificate request + &General::log("ipsec", "Signing your cert $cgiparams{'NAME'}..."); + my $opt = " ca -md sha256 -days 999999"; $opt .= " -batch -notext"; $opt .= " -in $filename"; $opt .= " -out ${General::swroot}/certs/$cgiparams{'NAME'}cert.pem"; - if ( $errormessage = &callssl ($opt) ) { - unlink ($filename); - unlink ("${General::swroot}/certs/$cgiparams{'NAME'}cert.pem"); - &cleanssldatabase(); - goto VPNCONF_ERROR; - } else { - unlink ($filename); - &cleanssldatabase(); - } - - $cgiparams{'CERT_NAME'} = getCNfromcert ("${General::swroot}/certs/$cgiparams{'NAME'}cert.pem"); - if ($cgiparams{'CERT_NAME'} eq '') { - $errormessage = $Lang::tr{'could not retrieve common name from certificate'}; - goto VPNCONF_ERROR; - } + if ( $errormessage = &callssl ($opt) ) { + unlink ($filename); + unlink ("${General::swroot}/certs/$cgiparams{'NAME'}cert.pem"); + &cleanssldatabase(); + goto VPNCONF_ERROR; + } else { + unlink ($filename); + &cleanssldatabase(); + } + + $cgiparams{'CERT_NAME'} = getCNfromcert ("${General::swroot}/certs/$cgiparams{'NAME'}cert.pem"); + if ($cgiparams{'CERT_NAME'} eq '') { + $errormessage = $Lang::tr{'could not retrieve common name from certificate'}; + goto VPNCONF_ERROR; + } } elsif ($cgiparams{'AUTH'} eq 'pkcs12') { &General::log("ipsec", "Importing from p12..."); if (ref ($cgiparams{'FH'}) ne 'Fh') { - $errormessage = $Lang::tr{'there was no file upload'}; - goto ROOTCERT_ERROR; + $errormessage = $Lang::tr{'there was no file upload'}; + goto ROOTCERT_ERROR; } # Move uploaded certificate request to a temporary file (my $fh, my $filename) = tempfile( ); if (copy ($cgiparams{'FH'}, $fh) != 1) { - $errormessage = $!; - goto ROOTCERT_ERROR; + $errormessage = $!; + goto ROOTCERT_ERROR; } # Extract the CA certificate from the file &General::log("ipsec", "Extracting caroot from p12..."); if (open(STDIN, "-|")) { - my $opt = " pkcs12 -cacerts -nokeys"; + my $opt = " pkcs12 -cacerts -nokeys"; $opt .= " -in $filename"; $opt .= " -out /tmp/newcacert"; - $errormessage = &callssl ($opt); - } else { #child - print "$cgiparams{'P12_PASS'}\n"; - exit (0); - } - - # Extract the Host certificate from the file - if (!$errormessage) { - &General::log("ipsec", "Extracting host cert from p12..."); - if (open(STDIN, "-|")) { - my $opt = " pkcs12 -clcerts -nokeys"; - $opt .= " -in $filename"; - $opt .= " -out /tmp/newhostcert"; $errormessage = &callssl ($opt); - } else { #child + } else { #child print "$cgiparams{'P12_PASS'}\n"; exit (0); - } - } - - if (!$errormessage) { - &General::log("ipsec", "Moving cacert..."); - #If CA have new subject, add it to our list of CA - my $casubject = &Header::cleanhtml(getsubjectfromcert ('/tmp/newcacert')); - my @names; - foreach my $x (keys %cahash) { - $casubject='' if ($cahash{$x}[1] eq $casubject); - unshift (@names,$cahash{$x}[0]); - } - if ($casubject) { # a new one! - my $temp = `/usr/bin/openssl x509 -text -in /tmp/newcacert`; - if ($temp !~ /CA:TRUE/i) { - $errormessage = $Lang::tr{'not a valid ca certificate'}; - } else { - #compute a name for it - my $idx=0; - while (grep(/Imported-$idx/, @names) ) {$idx++}; - $cgiparams{'CA_NAME'}="Imported-$idx"; - $cgiparams{'CERT_NAME'}=&Header::cleanhtml(getCNfromcert ('/tmp/newhostcert')); - move("/tmp/newcacert", "${General::swroot}/ca/$cgiparams{'CA_NAME'}cert.pem"); - $errormessage = "$Lang::tr{'certificate file move failed'}: $!" if ($? ne 0); - if (!$errormessage) { - my $key = &General::findhasharraykey (\%cahash); - $cahash{$key}[0] = $cgiparams{'CA_NAME'}; - $cahash{$key}[1] = $casubject; - &General::writehasharray("${General::swroot}/vpn/caconfig", \%cahash); - system('/usr/local/bin/ipsecctrl', 'R'); - } - } - } + } + + # Extract the Host certificate from the file + if (!$errormessage) { + &General::log("ipsec", "Extracting host cert from p12..."); + if (open(STDIN, "-|")) { + my $opt = " pkcs12 -clcerts -nokeys"; + $opt .= " -in $filename"; + $opt .= " -out /tmp/newhostcert"; + $errormessage = &callssl ($opt); + } else { #child + print "$cgiparams{'P12_PASS'}\n"; + exit (0); + } + } + + if (!$errormessage) { + &General::log("ipsec", "Moving cacert..."); + #If CA have new subject, add it to our list of CA + my $casubject = &Header::cleanhtml(getsubjectfromcert ('/tmp/newcacert')); + my @names; + foreach my $x (keys %cahash) { + $casubject='' if ($cahash{$x}[1] eq $casubject); + unshift (@names,$cahash{$x}[0]); + } + if ($casubject) { # a new one! + my $temp = `/usr/bin/openssl x509 -text -in /tmp/newcacert`; + if ($temp !~ /CA:TRUE/i) { + $errormessage = $Lang::tr{'not a valid ca certificate'}; + } else { + #compute a name for it + my $idx=0; + while (grep(/Imported-$idx/, @names) ) {$idx++}; + $cgiparams{'CA_NAME'}="Imported-$idx"; + $cgiparams{'CERT_NAME'}=&Header::cleanhtml(getCNfromcert ('/tmp/newhostcert')); + move("/tmp/newcacert", "${General::swroot}/ca/$cgiparams{'CA_NAME'}cert.pem"); + $errormessage = "$Lang::tr{'certificate file move failed'}: $!" if ($? ne 0); + if (!$errormessage) { + my $key = &General::findhasharraykey (\%cahash); + $cahash{$key}[0] = $cgiparams{'CA_NAME'}; + $cahash{$key}[1] = $casubject; + &General::writehasharray("${General::swroot}/vpn/caconfig", \%cahash); + system('/usr/local/bin/ipsecctrl', 'R'); + } + } + } } if (!$errormessage) { - &General::log("ipsec", "Moving host cert..."); - move("/tmp/newhostcert", "${General::swroot}/certs/$cgiparams{'NAME'}cert.pem"); - $errormessage = "$Lang::tr{'certificate file move failed'}: $!" if ($? ne 0); - } + &General::log("ipsec", "Moving host cert..."); + move("/tmp/newhostcert", "${General::swroot}/certs/$cgiparams{'NAME'}cert.pem"); + $errormessage = "$Lang::tr{'certificate file move failed'}: $!" if ($? ne 0); + } #cleanup temp files unlink ($filename); unlink ('/tmp/newcacert'); unlink ('/tmp/newhostcert'); if ($errormessage) { - unlink ("${General::swroot}/ca/$cgiparams{'CA_NAME'}cert.pem"); - unlink ("${General::swroot}/certs/$cgiparams{'NAME'}cert.pem"); - goto VPNCONF_ERROR; + unlink ("${General::swroot}/ca/$cgiparams{'CA_NAME'}cert.pem"); + unlink ("${General::swroot}/certs/$cgiparams{'NAME'}cert.pem"); + goto VPNCONF_ERROR; } &General::log("ipsec", "p12 import completed!"); } elsif ($cgiparams{'AUTH'} eq 'certfile') { - if ($cgiparams{'KEY'}) { - $errormessage = $Lang::tr{'cant change certificates'}; - goto VPNCONF_ERROR; - } - if (ref ($cgiparams{'FH'}) ne 'Fh') { - $errormessage = $Lang::tr{'there was no file upload'}; - goto VPNCONF_ERROR; - } - # Move uploaded certificate to a temporary file - (my $fh, my $filename) = tempfile( ); - if (copy ($cgiparams{'FH'}, $fh) != 1) { - $errormessage = $!; - goto VPNCONF_ERROR; - } - - # Verify the certificate has a valid CA and move it - &General::log("ipsec", "Validating imported cert against our known CA..."); - my $validca = 1; #assume ok - my $test = `/usr/bin/openssl verify -CAfile ${General::swroot}/ca/cacert.pem $filename`; - if ($test !~ /: OK/) { - my $validca = 0; - foreach my $key (keys %cahash) { - $test = `/usr/bin/openssl verify -CAfile ${General::swroot}/ca/$cahash{$key}[0]cert.pem $filename`; - if ($test =~ /: OK/) { - $validca = 1; - last; - } - } - } - if (! $validca) { - $errormessage = $Lang::tr{'certificate does not have a valid ca associated with it'}; - unlink ($filename); - goto VPNCONF_ERROR; - } else { - move($filename, "${General::swroot}/certs/$cgiparams{'NAME'}cert.pem"); - if ($? ne 0) { - $errormessage = "$Lang::tr{'certificate file move failed'}: $!"; - unlink ($filename); - goto VPNCONF_ERROR; + if ($cgiparams{'KEY'}) { + $errormessage = $Lang::tr{'cant change certificates'}; + goto VPNCONF_ERROR; + } + if (ref ($cgiparams{'FH'}) ne 'Fh') { + $errormessage = $Lang::tr{'there was no file upload'}; + goto VPNCONF_ERROR; + } + # Move uploaded certificate to a temporary file + (my $fh, my $filename) = tempfile( ); + if (copy ($cgiparams{'FH'}, $fh) != 1) { + $errormessage = $!; + goto VPNCONF_ERROR; } - } - $cgiparams{'CERT_NAME'} = getCNfromcert ("${General::swroot}/certs/$cgiparams{'NAME'}cert.pem"); - if ($cgiparams{'CERT_NAME'} eq '') { - unlink ("${General::swroot}/certs/$cgiparams{'NAME'}cert.pem"); - $errormessage = $Lang::tr{'could not retrieve common name from certificate'}; - goto VPNCONF_ERROR; - } + # Verify the certificate has a valid CA and move it + &General::log("ipsec", "Validating imported cert against our known CA..."); + my $validca = 1; #assume ok + my $test = `/usr/bin/openssl verify -CAfile ${General::swroot}/ca/cacert.pem $filename`; + if ($test !~ /: OK/) { + my $validca = 0; + foreach my $key (keys %cahash) { + $test = `/usr/bin/openssl verify -CAfile ${General::swroot}/ca/$cahash{$key}[0]cert.pem $filename`; + if ($test =~ /: OK/) { + $validca = 1; + last; + } + } + } + if (! $validca) { + $errormessage = $Lang::tr{'certificate does not have a valid ca associated with it'}; + unlink ($filename); + goto VPNCONF_ERROR; + } else { + move($filename, "${General::swroot}/certs/$cgiparams{'NAME'}cert.pem"); + if ($? ne 0) { + $errormessage = "$Lang::tr{'certificate file move failed'}: $!"; + unlink ($filename); + goto VPNCONF_ERROR; + } + } + + $cgiparams{'CERT_NAME'} = getCNfromcert ("${General::swroot}/certs/$cgiparams{'NAME'}cert.pem"); + if ($cgiparams{'CERT_NAME'} eq '') { + unlink ("${General::swroot}/certs/$cgiparams{'NAME'}cert.pem"); + $errormessage = $Lang::tr{'could not retrieve common name from certificate'}; + goto VPNCONF_ERROR; + } } elsif ($cgiparams{'AUTH'} eq 'certgen') { - if ($cgiparams{'KEY'}) { - $errormessage = $Lang::tr{'cant change certificates'}; - goto VPNCONF_ERROR; - } - # Validate input since the form was submitted - if (length($cgiparams{'CERT_NAME'}) >60) { - $errormessage = $Lang::tr{'name too long'}; - goto VPNCONF_ERROR; - } - if ($cgiparams{'CERT_NAME'} !~ /^[a-zA-Z0-9 ,\.\-_]+$/) { - $errormessage = $Lang::tr{'invalid input for name'}; - goto VPNCONF_ERROR; - } - if ($cgiparams{'CERT_EMAIL'} ne '' && (! &General::validemail($cgiparams{'CERT_EMAIL'}))) { - $errormessage = $Lang::tr{'invalid input for e-mail address'}; - goto VPNCONF_ERROR; - } - if (length($cgiparams{'CERT_EMAIL'}) > 40) { - $errormessage = $Lang::tr{'e-mail address too long'}; - goto VPNCONF_ERROR; - } - if ($cgiparams{'CERT_OU'} ne '' && $cgiparams{'CERT_OU'} !~ /^[a-zA-Z0-9 ,\.\-_]*$/) { - $errormessage = $Lang::tr{'invalid input for department'}; - goto VPNCONF_ERROR; - } - if (length($cgiparams{'CERT_ORGANIZATION'}) >60) { - $errormessage = $Lang::tr{'organization too long'}; - goto VPNCONF_ERROR; - } - if ($cgiparams{'CERT_ORGANIZATION'} !~ /^[a-zA-Z0-9 ,\.\-_]+$/) { - $errormessage = $Lang::tr{'invalid input for organization'}; - goto VPNCONF_ERROR; - } - if ($cgiparams{'CERT_CITY'} ne '' && $cgiparams{'CERT_CITY'} !~ /^[a-zA-Z0-9 ,\.\-_]*$/) { - $errormessage = $Lang::tr{'invalid input for city'}; - goto VPNCONF_ERROR; - } - if ($cgiparams{'CERT_STATE'} ne '' && $cgiparams{'CERT_STATE'} !~ /^[a-zA-Z0-9 ,\.\-_]*$/) { - $errormessage = $Lang::tr{'invalid input for state or province'}; - goto VPNCONF_ERROR; - } - if ($cgiparams{'CERT_COUNTRY'} !~ /^[A-Z]*$/) { - $errormessage = $Lang::tr{'invalid input for country'}; - goto VPNCONF_ERROR; - } - #the exact syntax is a list comma separated of - # email:any-validemail - # URI: a uniform resource indicator - # DNS: a DNS domain name - # RID: a registered OBJECT IDENTIFIER - # IP: an IP address - # example: email:franck(a)foo.com,IP:10.0.0.10,DNS:franck.foo.com - - if ($cgiparams{'SUBJECTALTNAME'} ne '' && $cgiparams{'SUBJECTALTNAME'} !~ /^(email|URI|DNS|RID|IP):[a-zA-Z0-9 :\/,\.\-_@]*$/) { - $errormessage = $Lang::tr{'vpn altname syntax'}; - goto VPNCONF_ERROR; - } + if ($cgiparams{'KEY'}) { + $errormessage = $Lang::tr{'cant change certificates'}; + goto VPNCONF_ERROR; + } + # Validate input since the form was submitted + if (length($cgiparams{'CERT_NAME'}) >60) { + $errormessage = $Lang::tr{'name too long'}; + goto VPNCONF_ERROR; + } + if ($cgiparams{'CERT_NAME'} !~ /^[a-zA-Z0-9 ,\.\-_]+$/) { + $errormessage = $Lang::tr{'invalid input for name'}; + goto VPNCONF_ERROR; + } + if ($cgiparams{'CERT_EMAIL'} ne '' && (! &General::validemail($cgiparams{'CERT_EMAIL'}))) { + $errormessage = $Lang::tr{'invalid input for e-mail address'}; + goto VPNCONF_ERROR; + } + if (length($cgiparams{'CERT_EMAIL'}) > 40) { + $errormessage = $Lang::tr{'e-mail address too long'}; + goto VPNCONF_ERROR; + } + if ($cgiparams{'CERT_OU'} ne '' && $cgiparams{'CERT_OU'} !~ /^[a-zA-Z0-9 ,\.\-_]*$/) { + $errormessage = $Lang::tr{'invalid input for department'}; + goto VPNCONF_ERROR; + } + if (length($cgiparams{'CERT_ORGANIZATION'}) >60) { + $errormessage = $Lang::tr{'organization too long'}; + goto VPNCONF_ERROR; + } + if ($cgiparams{'CERT_ORGANIZATION'} !~ /^[a-zA-Z0-9 ,\.\-_]+$/) { + $errormessage = $Lang::tr{'invalid input for organization'}; + goto VPNCONF_ERROR; + } + if ($cgiparams{'CERT_CITY'} ne '' && $cgiparams{'CERT_CITY'} !~ /^[a-zA-Z0-9 ,\.\-_]*$/) { + $errormessage = $Lang::tr{'invalid input for city'}; + goto VPNCONF_ERROR; + } + if ($cgiparams{'CERT_STATE'} ne '' && $cgiparams{'CERT_STATE'} !~ /^[a-zA-Z0-9 ,\.\-_]*$/) { + $errormessage = $Lang::tr{'invalid input for state or province'}; + goto VPNCONF_ERROR; + } + if ($cgiparams{'CERT_COUNTRY'} !~ /^[A-Z]*$/) { + $errormessage = $Lang::tr{'invalid input for country'}; + goto VPNCONF_ERROR; + } + #the exact syntax is a list comma separated of + # email:any-validemail + # URI: a uniform resource indicator + # DNS: a DNS domain name + # RID: a registered OBJECT IDENTIFIER + # IP: an IP address + # example: email:franck(a)foo.com,IP:10.0.0.10,DNS:franck.foo.com + + if ($cgiparams{'SUBJECTALTNAME'} ne '' && $cgiparams{'SUBJECTALTNAME'} !~ /^(email|URI|DNS|RID|IP):[a-zA-Z0-9 :\/,\.\-_@]*$/) { + $errormessage = $Lang::tr{'vpn altname syntax'}; + goto VPNCONF_ERROR; + } - if (length($cgiparams{'CERT_PASS1'}) < 5) { - $errormessage = $Lang::tr{'password too short'}; - goto VPNCONF_ERROR; - } - if ($cgiparams{'CERT_PASS1'} ne $cgiparams{'CERT_PASS2'}) { - $errormessage = $Lang::tr{'passwords do not match'}; - goto VPNCONF_ERROR; - } + if (length($cgiparams{'CERT_PASS1'}) < 5) { + $errormessage = $Lang::tr{'password too short'}; + goto VPNCONF_ERROR; + } + if ($cgiparams{'CERT_PASS1'} ne $cgiparams{'CERT_PASS2'}) { + $errormessage = $Lang::tr{'passwords do not match'}; + goto VPNCONF_ERROR; + } - # Replace empty strings with a . - (my $ou = $cgiparams{'CERT_OU'}) =~ s/^\s*$/\./; - (my $city = $cgiparams{'CERT_CITY'}) =~ s/^\s*$/\./; - (my $state = $cgiparams{'CERT_STATE'}) =~ s/^\s*$/\./; + # Replace empty strings with a . + (my $ou = $cgiparams{'CERT_OU'}) =~ s/^\s*$/\./; + (my $city = $cgiparams{'CERT_CITY'}) =~ s/^\s*$/\./; + (my $state = $cgiparams{'CERT_STATE'}) =~ s/^\s*$/\./; - # Create the Client certificate request - &General::log("ipsec", "Creating a cert..."); + # Create the Client certificate request + &General::log("ipsec", "Creating a cert..."); - if (open(STDIN, "-|")) { - my $opt = " req -nodes -rand /proc/interrupts:/proc/net/rt_cache"; - $opt .= " -newkey rsa:2048"; - $opt .= " -keyout ${General::swroot}/certs/$cgiparams{'NAME'}key.pem"; - $opt .= " -out ${General::swroot}/certs/$cgiparams{'NAME'}req.pem"; + if (open(STDIN, "-|")) { + my $opt = " req -nodes -rand /proc/interrupts:/proc/net/rt_cache"; + $opt .= " -newkey rsa:2048"; + $opt .= " -keyout ${General::swroot}/certs/$cgiparams{'NAME'}key.pem"; + $opt .= " -out ${General::swroot}/certs/$cgiparams{'NAME'}req.pem"; + + if ( $errormessage = &callssl ($opt) ) { + unlink ("${General::swroot}/certs/$cgiparams{'NAME'}key.pem"); + unlink ("${General::swroot}/certs/$cgiparams{'NAME'}req.pem"); + goto VPNCONF_ERROR; + } + } else { #child + print "$cgiparams{'CERT_COUNTRY'}\n"; + print "$state\n"; + print "$city\n"; + print "$cgiparams{'CERT_ORGANIZATION'}\n"; + print "$ou\n"; + print "$cgiparams{'CERT_NAME'}\n"; + print "$cgiparams{'CERT_EMAIL'}\n"; + print ".\n"; + print ".\n"; + exit (0); + } - if ( $errormessage = &callssl ($opt) ) { - unlink ("${General::swroot}/certs/$cgiparams{'NAME'}key.pem"); - unlink ("${General::swroot}/certs/$cgiparams{'NAME'}req.pem"); - goto VPNCONF_ERROR; - } - } else { #child - print "$cgiparams{'CERT_COUNTRY'}\n"; - print "$state\n"; - print "$city\n"; - print "$cgiparams{'CERT_ORGANIZATION'}\n"; - print "$ou\n"; - print "$cgiparams{'CERT_NAME'}\n"; - print "$cgiparams{'CERT_EMAIL'}\n"; - print ".\n"; - print ".\n"; - exit (0); - } - - # Sign the client certificate request - &General::log("ipsec", "Signing the cert $cgiparams{'NAME'}..."); - - #No easy way for specifying the contain of subjectAltName without writing a config file... - my ($fh, $v3extname) = tempfile ('/tmp/XXXXXXXX'); - print $fh <<END - basicConstraints=CA:FALSE - nsComment="OpenSSL Generated Certificate" - subjectKeyIdentifier=hash - extendedKeyUsage=clientAuth - authorityKeyIdentifier=keyid,issuer:always + # Sign the client certificate request + &General::log("ipsec", "Signing the cert $cgiparams{'NAME'}..."); + + #No easy way for specifying the contain of subjectAltName without writing a config file... + my ($fh, $v3extname) = tempfile ('/tmp/XXXXXXXX'); + print $fh <<END + basicConstraints=CA:FALSE + nsComment="OpenSSL Generated Certificate" + subjectKeyIdentifier=hash + extendedKeyUsage=clientAuth + authorityKeyIdentifier=keyid,issuer:always END ; - print $fh "subjectAltName=$cgiparams{'SUBJECTALTNAME'}" if ($cgiparams{'SUBJECTALTNAME'}); - close ($fh); - - my $opt = " ca -md sha256 -days 999999 -batch -notext"; - $opt .= " -in ${General::swroot}/certs/$cgiparams{'NAME'}req.pem"; - $opt .= " -out ${General::swroot}/certs/$cgiparams{'NAME'}cert.pem"; - $opt .= " -extfile $v3extname"; - - if ( $errormessage = &callssl ($opt) ) { - unlink ($v3extname); - unlink ("${General::swroot}/certs/$cgiparams{'NAME'}key.pem"); - unlink ("${General::swroot}/certs/$cgiparams{'NAME'}req.pem"); - unlink ("${General::swroot}/certs/$cgiparams{'NAME'}cert.pem"); - &cleanssldatabase(); - goto VPNCONF_ERROR; - } else { - unlink ($v3extname); - unlink ("${General::swroot}/certs/$cgiparams{'NAME'}req.pem"); - &cleanssldatabase(); - } - - # Create the pkcs12 file - &General::log("ipsec", "Packing a pkcs12 file..."); - $opt = " pkcs12 -export"; - $opt .= " -inkey ${General::swroot}/certs/$cgiparams{'NAME'}key.pem"; - $opt .= " -in ${General::swroot}/certs/$cgiparams{'NAME'}cert.pem"; - $opt .= " -name \"$cgiparams{'NAME'}\""; - $opt .= " -passout pass:$cgiparams{'CERT_PASS1'}"; - $opt .= " -certfile ${General::swroot}/ca/cacert.pem"; - $opt .= " -caname \"$vpnsettings{'ROOTCERT_ORGANIZATION'} CA\""; - $opt .= " -out ${General::swroot}/certs/$cgiparams{'NAME'}.p12"; - - if ( $errormessage = &callssl ($opt) ) { - unlink ("${General::swroot}/certs/$cgiparams{'NAME'}key.pem"); - unlink ("${General::swroot}/certs/$cgiparams{'NAME'}cert.pem"); - unlink ("${General::swroot}/certs/$cgiparams{'NAME'}.p12"); - goto VPNCONF_ERROR; - } else { - unlink ("${General::swroot}/certs/$cgiparams{'NAME'}key.pem"); - } + print $fh "subjectAltName=$cgiparams{'SUBJECTALTNAME'}" if ($cgiparams{'SUBJECTALTNAME'}); + close ($fh); + + my $opt = " ca -md sha256 -days 999999 -batch -notext"; + $opt .= " -in ${General::swroot}/certs/$cgiparams{'NAME'}req.pem"; + $opt .= " -out ${General::swroot}/certs/$cgiparams{'NAME'}cert.pem"; + $opt .= " -extfile $v3extname"; + + if ( $errormessage = &callssl ($opt) ) { + unlink ($v3extname); + unlink ("${General::swroot}/certs/$cgiparams{'NAME'}key.pem"); + unlink ("${General::swroot}/certs/$cgiparams{'NAME'}req.pem"); + unlink ("${General::swroot}/certs/$cgiparams{'NAME'}cert.pem"); + &cleanssldatabase(); + goto VPNCONF_ERROR; + } else { + unlink ($v3extname); + unlink ("${General::swroot}/certs/$cgiparams{'NAME'}req.pem"); + &cleanssldatabase(); + } + + # Create the pkcs12 file + &General::log("ipsec", "Packing a pkcs12 file..."); + $opt = " pkcs12 -export"; + $opt .= " -inkey ${General::swroot}/certs/$cgiparams{'NAME'}key.pem"; + $opt .= " -in ${General::swroot}/certs/$cgiparams{'NAME'}cert.pem"; + $opt .= " -name \"$cgiparams{'NAME'}\""; + $opt .= " -passout pass:$cgiparams{'CERT_PASS1'}"; + $opt .= " -certfile ${General::swroot}/ca/cacert.pem"; + $opt .= " -caname \"$vpnsettings{'ROOTCERT_ORGANIZATION'} CA\""; + $opt .= " -out ${General::swroot}/certs/$cgiparams{'NAME'}.p12"; + + if ( $errormessage = &callssl ($opt) ) { + unlink ("${General::swroot}/certs/$cgiparams{'NAME'}key.pem"); + unlink ("${General::swroot}/certs/$cgiparams{'NAME'}cert.pem"); + unlink ("${General::swroot}/certs/$cgiparams{'NAME'}.p12"); + goto VPNCONF_ERROR; + } else { + unlink ("${General::swroot}/certs/$cgiparams{'NAME'}key.pem"); + } } elsif ($cgiparams{'AUTH'} eq 'cert') { - ;# Nothing, just editing + ;# Nothing, just editing } elsif ($cgiparams{'AUTH'} eq 'auth-dn') { - $cgiparams{'CERT_NAME'} = '%auth-dn'; # a special value saying 'no cert file' + $cgiparams{'CERT_NAME'} = '%auth-dn'; # a special value saying 'no cert file' } else { - $errormessage = $Lang::tr{'invalid input for authentication method'}; - goto VPNCONF_ERROR; + $errormessage = $Lang::tr{'invalid input for authentication method'}; + goto VPNCONF_ERROR; } # 1)Error message here is not accurate. @@ -1759,34 +1757,34 @@ END # 3)Present since initial version (1.3.2.11), it isn't a bug correction # Check if there is no other entry with this certificate name #if ((! $cgiparams{'KEY'}) && ($cgiparams{'AUTH'} ne 'psk') && ($cgiparams{'AUTH'} ne 'auth-dn')) { - # foreach my $key (keys %confighash) { + # foreach my $key (keys %confighash) { # if ($confighash{$key}[2] eq $cgiparams{'CERT_NAME'}) { - # $errormessage = $Lang::tr{'a connection with this common name already exists'}; - # goto VPNCONF_ERROR; + # $errormessage = $Lang::tr{'a connection with this common name already exists'}; + # goto VPNCONF_ERROR; + # } # } - # } #} - # Save the config + # Save the config my $key = $cgiparams{'KEY'}; if (! $key) { - $key = &General::findhasharraykey (\%confighash); - foreach my $i (0 .. 32) { $confighash{$key}[$i] = "";} + $key = &General::findhasharraykey (\%confighash); + foreach my $i (0 .. 32) { $confighash{$key}[$i] = "";} } $confighash{$key}[0] = $cgiparams{'ENABLED'}; $confighash{$key}[1] = $cgiparams{'NAME'}; if ((! $cgiparams{'KEY'}) && $cgiparams{'AUTH'} ne 'psk') { - $confighash{$key}[2] = $cgiparams{'CERT_NAME'}; + $confighash{$key}[2] = $cgiparams{'CERT_NAME'}; } $confighash{$key}[3] = $cgiparams{'TYPE'}; if ($cgiparams{'AUTH'} eq 'psk') { - $confighash{$key}[4] = 'psk'; - $confighash{$key}[5] = $cgiparams{'PSK'}; + $confighash{$key}[4] = 'psk'; + $confighash{$key}[5] = $cgiparams{'PSK'}; } else { - $confighash{$key}[4] = 'cert'; + $confighash{$key}[4] = 'cert'; } if ($cgiparams{'TYPE'} eq 'net') { - $confighash{$key}[11] = $cgiparams{'REMOTE_SUBNET'}; + $confighash{$key}[11] = $cgiparams{'REMOTE_SUBNET'}; } $confighash{$key}[7] = $cgiparams{'LOCAL_ID'}; $confighash{$key}[8] = $cgiparams{'LOCAL_SUBNET'}; @@ -1797,7 +1795,7 @@ END $confighash{$key}[27] = $cgiparams{'DPD_ACTION'}; $confighash{$key}[29] = $cgiparams{'IKE_VERSION'}; - #dont forget advanced value + # don't forget advanced value $confighash{$key}[18] = $cgiparams{'IKE_ENCRYPTION'}; $confighash{$key}[19] = $cgiparams{'IKE_INTEGRITY'}; $confighash{$key}[20] = $cgiparams{'IKE_GROUPTYPE'}; @@ -1814,39 +1812,39 @@ END $confighash{$key}[31] = $cgiparams{'DPD_DELAY'}; $confighash{$key}[32] = $cgiparams{'FORCE_MOBIKE'}; - #free unused fields! + # free unused fields! $confighash{$key}[6] = 'off'; $confighash{$key}[15] = 'off'; &General::writehasharray("${General::swroot}/vpn/config", \%confighash); &writeipsecfiles(); if (&vpnenabled) { - system('/usr/local/bin/ipsecctrl', 'S', $key); - sleep $sleepDelay; + system('/usr/local/bin/ipsecctrl', 'S', $key); + sleep $sleepDelay; } if ($cgiparams{'EDIT_ADVANCED'} eq 'on') { - $cgiparams{'KEY'} = $key; - $cgiparams{'ACTION'} = $Lang::tr{'advanced'}; + $cgiparams{'KEY'} = $key; + $cgiparams{'ACTION'} = $Lang::tr{'advanced'}; } goto VPNCONF_END; - } else { # add new connection - $cgiparams{'ENABLED'} = 'on'; +} else { # add new connection + $cgiparams{'ENABLED'} = 'on'; if ( ! -f "${General::swroot}/private/cakey.pem" ) { - $cgiparams{'AUTH'} = 'psk'; + $cgiparams{'AUTH'} = 'psk'; } elsif ( ! -f "${General::swroot}/ca/cacert.pem") { - $cgiparams{'AUTH'} = 'certfile'; + $cgiparams{'AUTH'} = 'certfile'; } else { - $cgiparams{'AUTH'} = 'certgen'; + $cgiparams{'AUTH'} = 'certgen'; } - $cgiparams{'LOCAL_SUBNET'} ="$netsettings{'GREEN_NETADDRESS'}/$netsettings{'GREEN_NETMASK'}"; - $cgiparams{'CERT_EMAIL'} = $vpnsettings{'ROOTCERT_EMAIL'}; - $cgiparams{'CERT_OU'} = $vpnsettings{'ROOTCERT_OU'}; - $cgiparams{'CERT_ORGANIZATION'} = $vpnsettings{'ROOTCERT_ORGANIZATION'}; - $cgiparams{'CERT_CITY'} = $vpnsettings{'ROOTCERT_CITY'}; - $cgiparams{'CERT_STATE'} = $vpnsettings{'ROOTCERT_STATE'}; - $cgiparams{'CERT_COUNTRY'} = $vpnsettings{'ROOTCERT_COUNTRY'}; + $cgiparams{'LOCAL_SUBNET'} = "$netsettings{'GREEN_NETADDRESS'}/$netsettings{'GREEN_NETMASK'}"; + $cgiparams{'CERT_EMAIL'} = $vpnsettings{'ROOTCERT_EMAIL'}; + $cgiparams{'CERT_OU'} = $vpnsettings{'ROOTCERT_OU'}; + $cgiparams{'CERT_ORGANIZATION'} = $vpnsettings{'ROOTCERT_ORGANIZATION'}; + $cgiparams{'CERT_CITY'} = $vpnsettings{'ROOTCERT_CITY'}; + $cgiparams{'CERT_STATE'} = $vpnsettings{'ROOTCERT_STATE'}; + $cgiparams{'CERT_COUNTRY'} = $vpnsettings{'ROOTCERT_COUNTRY'}; - # choose appropriate dpd action + # choose appropriate dpd action if ($cgiparams{'TYPE'} eq 'host') { $cgiparams{'DPD_ACTION'} = 'clear'; } else { @@ -1867,63 +1865,63 @@ END # Default IKE Version to v2 if (!$cgiparams{'IKE_VERSION'}) { - $cgiparams{'IKE_VERSION'} = 'ikev2'; + $cgiparams{'IKE_VERSION'} = 'ikev2'; } # ID are empty - $cgiparams{'LOCAL_ID'} = ''; + $cgiparams{'LOCAL_ID'} = ''; $cgiparams{'REMOTE_ID'} = ''; #use default advanced value - $cgiparams{'IKE_ENCRYPTION'} = 'aes256gcm128|aes256gcm96|aes256gcm64|aes256|aes192gcm128|aes192gcm96|aes192gcm64|aes192|aes128gcm128|aes128gcm96|aes128gcm64|aes128'; #[18]; - $cgiparams{'IKE_INTEGRITY'} = 'sha2_512|sha2_256|sha'; #[19]; - $cgiparams{'IKE_GROUPTYPE'} = '4096|3072|2048|1536|1024'; #[20]; - $cgiparams{'IKE_LIFETIME'} = '3'; #[16]; - $cgiparams{'ESP_ENCRYPTION'} = 'aes256gcm128|aes256gcm96|aes256gcm64|aes256|aes192gcm128|aes192gcm96|aes192gcm64|aes192|aes128gcm128|aes128gcm96|aes128gcm64|aes128'; #[21]; - $cgiparams{'ESP_INTEGRITY'} = 'sha2_512|sha2_256|sha1'; #[22]; - $cgiparams{'ESP_GROUPTYPE'} = '4096|3072|2048|1536|1024'; #[23]; - $cgiparams{'ESP_KEYLIFE'} = '1'; #[17]; - $cgiparams{'COMPRESSION'} = 'on'; #[13]; - $cgiparams{'ONLY_PROPOSED'} = 'off'; #[24]; - $cgiparams{'PFS'} = 'on'; #[28]; - } - - VPNCONF_ERROR: - $checked{'ENABLED'}{'off'} = ''; - $checked{'ENABLED'}{'on'} = ''; - $checked{'ENABLED'}{$cgiparams{'ENABLED'}} = "checked='checked'"; - - $checked{'EDIT_ADVANCED'}{'off'} = ''; - $checked{'EDIT_ADVANCED'}{'on'} = ''; - $checked{'EDIT_ADVANCED'}{$cgiparams{'EDIT_ADVANCED'}} = "checked='checked'"; - - $checked{'AUTH'}{'psk'} = ''; - $checked{'AUTH'}{'certreq'} = ''; - $checked{'AUTH'}{'certgen'} = ''; - $checked{'AUTH'}{'certfile'} = ''; - $checked{'AUTH'}{'pkcs12'} = ''; - $checked{'AUTH'}{'auth-dn'} = ''; - $checked{'AUTH'}{$cgiparams{'AUTH'}} = "checked='checked'"; - - &Header::showhttpheaders(); - &Header::openpage($Lang::tr{'ipsec'}, 1, ''); - &Header::openbigbox('100%', 'left', '', $errormessage); - if ($errormessage) { - &Header::openbox('100%', 'left', $Lang::tr{'error messages'}); - print "<class name='base'>$errormessage"; - print " </class>"; - &Header::closebox(); - } + $cgiparams{'IKE_ENCRYPTION'} = 'aes256gcm128|aes256gcm96|aes256gcm64|aes256|aes192gcm128|aes192gcm96|aes192gcm64|aes192|aes128gcm128|aes128gcm96|aes128gcm64|aes128'; #[18]; + $cgiparams{'IKE_INTEGRITY'} = 'sha2_512|sha2_256|sha'; #[19]; + $cgiparams{'IKE_GROUPTYPE'} = '4096|3072|2048|1536|1024'; #[20]; + $cgiparams{'IKE_LIFETIME'} = '3'; #[16]; + $cgiparams{'ESP_ENCRYPTION'} = 'aes256gcm128|aes256gcm96|aes256gcm64|aes256|aes192gcm128|aes192gcm96|aes192gcm64|aes192|aes128gcm128|aes128gcm96|aes128gcm64|aes128'; #[21]; + $cgiparams{'ESP_INTEGRITY'} = 'sha2_512|sha2_256|sha1'; #[22]; + $cgiparams{'ESP_GROUPTYPE'} = '4096|3072|2048|1536|1024'; #[23]; + $cgiparams{'ESP_KEYLIFE'} = '1'; #[17]; + $cgiparams{'COMPRESSION'} = 'on'; #[13]; + $cgiparams{'ONLY_PROPOSED'} = 'off'; #[24]; + $cgiparams{'PFS'} = 'on'; #[28]; +} - if ($warnmessage) { - &Header::openbox('100%', 'left', "$Lang::tr{'warning messages'}:"); - print "<class name='base'>$warnmessage"; - print " </class>"; - &Header::closebox(); - } +VPNCONF_ERROR: + $checked{'ENABLED'}{'off'} = ''; + $checked{'ENABLED'}{'on'} = ''; + $checked{'ENABLED'}{$cgiparams{'ENABLED'}} = "checked='checked'"; + + $checked{'EDIT_ADVANCED'}{'off'} = ''; + $checked{'EDIT_ADVANCED'}{'on'} = ''; + $checked{'EDIT_ADVANCED'}{$cgiparams{'EDIT_ADVANCED'}} = "checked='checked'"; + + $checked{'AUTH'}{'psk'} = ''; + $checked{'AUTH'}{'certreq'} = ''; + $checked{'AUTH'}{'certgen'} = ''; + $checked{'AUTH'}{'certfile'} = ''; + $checked{'AUTH'}{'pkcs12'} = ''; + $checked{'AUTH'}{'auth-dn'} = ''; + $checked{'AUTH'}{$cgiparams{'AUTH'}} = "checked='checked'"; + + &Header::showhttpheaders(); + &Header::openpage($Lang::tr{'ipsec'}, 1, ''); + &Header::openbigbox('100%', 'left', '', $errormessage); + if ($errormessage) { + &Header::openbox('100%', 'left', $Lang::tr{'error messages'}); + print "<class name='base'>$errormessage"; + print " </class>"; + &Header::closebox(); + } + + if ($warnmessage) { + &Header::openbox('100%', 'left', "$Lang::tr{'warning messages'}:"); + print "<class name='base'>$warnmessage"; + print " </class>"; + &Header::closebox(); + } - print "<form method='post' enctype='multipart/form-data' action='$ENV{'SCRIPT_NAME'}'>"; - print<<END + print "<form method='post' enctype='multipart/form-data' action='$ENV{'SCRIPT_NAME'}'>"; + print<<END <input type='hidden' name='TYPE' value='$cgiparams{'TYPE'}' /> <input type='hidden' name='IKE_VERSION' value='$cgiparams{'IKE_VERSION'}' /> <input type='hidden' name='IKE_ENCRYPTION' value='$cgiparams{'IKE_ENCRYPTION'}' /> @@ -1942,172 +1940,172 @@ END <input type='hidden' name='DPD_TIMEOUT' value='$cgiparams{'DPD_TIMEOUT'}' /> <input type='hidden' name='FORCE_MOBIKE' value='$cgiparams{'FORCE_MOBIKE'}' /> END - ; - if ($cgiparams{'KEY'}) { - print "<input type='hidden' name='KEY' value='$cgiparams{'KEY'}' />"; - print "<input type='hidden' name='NAME' value='$cgiparams{'NAME'}' />"; - print "<input type='hidden' name='AUTH' value='$cgiparams{'AUTH'}' />"; - } - - &Header::openbox('100%', 'left', "$Lang::tr{'connection'}: $cgiparams{'NAME'}"); - print "<table width='100%'>"; - if (!$cgiparams{'KEY'}) { - print <<EOF; - <tr> - <td width='20%'>$Lang::tr{'name'}: <img src='/blob.gif' alt='*' /></td> - <td width='30%'> - <input type='text' name='NAME' value='$cgiparams{'NAME'}' size='25' /> - </td> - <td colspan="2"></td> - </tr> +; + if ($cgiparams{'KEY'}) { + print "<input type='hidden' name='KEY' value='$cgiparams{'KEY'}' />"; + print "<input type='hidden' name='NAME' value='$cgiparams{'NAME'}' />"; + print "<input type='hidden' name='AUTH' value='$cgiparams{'AUTH'}' />"; + } + + &Header::openbox('100%', 'left', "$Lang::tr{'connection'}: $cgiparams{'NAME'}"); + print "<table width='100%'>"; + if (!$cgiparams{'KEY'}) { + print <<EOF; + <tr> + <td width='20%'>$Lang::tr{'name'}: <img src='/blob.gif' alt='*' /></td> + <td width='30%'> + <input type='text' name='NAME' value='$cgiparams{'NAME'}' size='25' /> + </td> + <td colspan="2"></td> + </tr> EOF - } + } - my $disabled; - my $blob; - if ($cgiparams{'TYPE'} eq 'host') { + my $disabled; + my $blob; + if ($cgiparams{'TYPE'} eq 'host') { $disabled = "disabled='disabled'"; - } elsif ($cgiparams{'TYPE'} eq 'net') { + } elsif ($cgiparams{'TYPE'} eq 'net') { $blob = "<img src='/blob.gif' alt='*' />"; - }; + }; - print <<END + print <<END <tr> <td width='20%'>$Lang::tr{'enabled'}</td> <td width='30%'> <input type='checkbox' name='ENABLED' $checked{'ENABLED'}{'on'} /> </td> - <td class='boldbase' nowrap='nowrap' width='20%'>$Lang::tr{'local subnet'} <img src='/blob.gif' alt='*' /></td> - <td width='30%'> - <input type='text' name='LOCAL_SUBNET' value='$cgiparams{'LOCAL_SUBNET'}' size="25" /> - </td> + <td class='boldbase' nowrap='nowrap' width='20%'>$Lang::tr{'local subnet'} <img src='/blob.gif' alt='*' /></td> + <td width='30%'> + <input type='text' name='LOCAL_SUBNET' value='$cgiparams{'LOCAL_SUBNET'}' size="25" /> + </td> </tr> <tr> - <td class='boldbase' width='20%'>$Lang::tr{'remote host/ip'}: $blob</td> - <td width='30%'> - <input type='text' name='REMOTE' value='$cgiparams{'REMOTE'}' size="25" /> - </td> - <td class='boldbase' nowrap='nowrap' width='20%'>$Lang::tr{'remote subnet'} $blob</td> - <td width='30%'> - <input $disabled type='text' name='REMOTE_SUBNET' value='$cgiparams{'REMOTE_SUBNET'}' size="25" /> - </td> + <td class='boldbase' width='20%'>$Lang::tr{'remote host/ip'}: $blob</td> + <td width='30%'> + <input type='text' name='REMOTE' value='$cgiparams{'REMOTE'}' size="25" /> + </td> + <td class='boldbase' nowrap='nowrap' width='20%'>$Lang::tr{'remote subnet'} $blob</td> + <td width='30%'> + <input $disabled type='text' name='REMOTE_SUBNET' value='$cgiparams{'REMOTE_SUBNET'}' size="25" /> + </td> </tr> <tr> - <td class='boldbase' width='20%'>$Lang::tr{'vpn local id'}:</td> - <td width='30%'> - <input type='text' name='LOCAL_ID' value='$cgiparams{'LOCAL_ID'}' size="25" /> - </td> - <td class='boldbase' width='20%'>$Lang::tr{'vpn remote id'}:</td> - <td width='30%'> - <input type='text' name='REMOTE_ID' value='$cgiparams{'REMOTE_ID'}' size="25" /> - </td> + <td class='boldbase' width='20%'>$Lang::tr{'vpn local id'}:</td> + <td width='30%'> + <input type='text' name='LOCAL_ID' value='$cgiparams{'LOCAL_ID'}' size="25" /> + </td> + <td class='boldbase' width='20%'>$Lang::tr{'vpn remote id'}:</td> + <td width='30%'> + <input type='text' name='REMOTE_ID' value='$cgiparams{'REMOTE_ID'}' size="25" /> + </td> </tr> <tr><td colspan="4"><br /></td></tr> <tr> - <td class='boldbase' width='20%'>$Lang::tr{'remark title'}</td> - <td colspan='3'> - <input type='text' name='REMARK' value='$cgiparams{'REMARK'}' maxlength='50' size="73" /> - </td> - </tr> -END - ; - if (!$cgiparams{'KEY'}) { - print "<tr><td colspan='3'><input type='checkbox' name='EDIT_ADVANCED' $checked{'EDIT_ADVANCED'}{'on'} /> $Lang::tr{'edit advanced settings when done'}</td></tr>"; - } - print "</table>"; - &Header::closebox(); - - if ($cgiparams{'KEY'} && $cgiparams{'AUTH'} eq 'psk') { - &Header::openbox('100%', 'left', $Lang::tr{'authentication'}); - print <<END - <table width='100%' cellpadding='0' cellspacing='5' border='0'> - <tr><td class='base' width='50%'>$Lang::tr{'use a pre-shared key'}</td> - <td class='base' width='50%'><input type='password' name='PSK' size='30' value='$cgiparams{'PSK'}' /></td> + <td class='boldbase' width='20%'>$Lang::tr{'remark title'}</td> + <td colspan='3'> + <input type='text' name='REMARK' value='$cgiparams{'REMARK'}' maxlength='50' size="73" /> + </td> </tr> - </table> END - ; +; + if (!$cgiparams{'KEY'}) { + print "<tr><td colspan='3'><input type='checkbox' name='EDIT_ADVANCED' $checked{'EDIT_ADVANCED'}{'on'} /> $Lang::tr{'edit advanced settings when done'}</td></tr>"; + } + print "</table>"; &Header::closebox(); - } elsif (! $cgiparams{'KEY'}) { - my $cakeydisabled = ( ! -f "${General::swroot}/private/cakey.pem" ) ? "disabled='disabled'" : ''; - $cgiparams{'CERT_NAME'} = $Lang::tr{'vpn no full pki'} if ($cakeydisabled); - my $cacrtdisabled = ( ! -f "${General::swroot}/ca/cacert.pem" ) ? "disabled='disabled'" : ''; - &Header::openbox('100%', 'left', $Lang::tr{'authentication'}); - print <<END - <table width='100%' cellpadding='0' cellspacing='5' border='0'> - <tr><td width='5%'><input type='radio' name='AUTH' value='psk' $checked{'AUTH'}{'psk'} /></td> - <td class='base' width='55%'>$Lang::tr{'use a pre-shared key'}</td> - <td class='base' width='40%'><input type='password' name='PSK' size='30' value='$cgiparams{'PSK'}' /></td></tr> - <tr><td colspan='3' bgcolor='#000000'></td></tr> - <tr><td><input type='radio' name='AUTH' value='certreq' $checked{'AUTH'}{'certreq'} $cakeydisabled /></td> - <td class='base'><hr />$Lang::tr{'upload a certificate request'}</td> - <td class='base' rowspan='3' valign='middle'><input type='file' name='FH' size='30' $cacrtdisabled /></td></tr> - <tr><td><input type='radio' name='AUTH' value='certfile' $checked{'AUTH'}{'certfile'} $cacrtdisabled /></td> - <td class='base'>$Lang::tr{'upload a certificate'}</td></tr> - <tr><td><input type='radio' name='AUTH' value='pkcs12' $cacrtdisabled /></td> - <td class='base'>$Lang::tr{'upload p12 file'} $Lang::tr{'pkcs12 file password'}:<input type='password' name='P12_PASS'/></td></tr> - <tr><td><input type='radio' name='AUTH' value='auth-dn' $checked{'AUTH'}{'auth-dn'} $cacrtdisabled /></td> - <td class='base'><hr />$Lang::tr{'vpn auth-dn'}</td></tr> - <tr><td colspan='3' bgcolor='#000000'></td></tr> - <tr><td><input type='radio' name='AUTH' value='certgen' $checked{'AUTH'}{'certgen'} $cakeydisabled /></td> - <td class='base'><hr />$Lang::tr{'generate a certificate'}</td><td> </td></tr> - <tr><td> </td> - <td class='base'>$Lang::tr{'users fullname or system hostname'}: <img src='/blob.gif' alt='*' /></td> - <td class='base' nowrap='nowrap'><input type='text' name='CERT_NAME' value='$cgiparams{'CERT_NAME'}' size='32' $cakeydisabled /></td></tr> - <tr><td> </td> - <td class='base'>$Lang::tr{'users email'}:</td> - <td class='base' nowrap='nowrap'><input type='text' name='CERT_EMAIL' value='$cgiparams{'CERT_EMAIL'}' size='32' $cakeydisabled /></td></tr> - <tr><td> </td> - <td class='base'>$Lang::tr{'users department'}:</td> - <td class='base' nowrap='nowrap'><input type='text' name='CERT_OU' value='$cgiparams{'CERT_OU'}' size='32' $cakeydisabled /></td></tr> - <tr><td> </td> - <td class='base'>$Lang::tr{'organization name'}:</td> - <td class='base' nowrap='nowrap'><input type='text' name='CERT_ORGANIZATION' value='$cgiparams{'CERT_ORGANIZATION'}' size='32' $cakeydisabled /></td></tr> - <tr><td> </td> - <td class='base'>$Lang::tr{'city'}:</td> - <td class='base' nowrap='nowrap'><input type='text' name='CERT_CITY' value='$cgiparams{'CERT_CITY'}' size='32' $cakeydisabled /></td></tr> - <tr><td> </td> - <td class='base'>$Lang::tr{'state or province'}:</td> - <td class='base' nowrap='nowrap'><input type='text' name='CERT_STATE' value='$cgiparams{'CERT_STATE'}' size='32' $cakeydisabled /></td></tr> - <tr><td> </td> - <td class='base'>$Lang::tr{'country'}:</td> - <td class='base'><select name='CERT_COUNTRY' $cakeydisabled> + if ($cgiparams{'KEY'} && $cgiparams{'AUTH'} eq 'psk') { + &Header::openbox('100%', 'left', $Lang::tr{'authentication'}); + print <<END + <table width='100%' cellpadding='0' cellspacing='5' border='0'> + <tr><td class='base' width='50%'>$Lang::tr{'use a pre-shared key'}</td> + <td class='base' width='50%'><input type='password' name='PSK' size='30' value='$cgiparams{'PSK'}' /></td> + </tr> + </table> END - ; - foreach my $country (sort keys %{Countries::countries}) { - print "\t\t\t<option value='$Countries::countries{$country}'"; - if ( $Countries::countries{$country} eq $cgiparams{'CERT_COUNTRY'} ) { - print " selected='selected'"; - } - print ">$country</option>\n"; +; + &Header::closebox(); + } elsif (! $cgiparams{'KEY'}) { + my $cakeydisabled = ( ! -f "${General::swroot}/private/cakey.pem" ) ? "disabled='disabled'" : ''; + $cgiparams{'CERT_NAME'} = $Lang::tr{'vpn no full pki'} if ($cakeydisabled); + my $cacrtdisabled = ( ! -f "${General::swroot}/ca/cacert.pem" ) ? "disabled='disabled'" : ''; + + &Header::openbox('100%', 'left', $Lang::tr{'authentication'}); + print <<END + <table width='100%' cellpadding='0' cellspacing='5' border='0'> + <tr><td width='5%'><input type='radio' name='AUTH' value='psk' $checked{'AUTH'}{'psk'} /></td> + <td class='base' width='55%'>$Lang::tr{'use a pre-shared key'}</td> + <td class='base' width='40%'><input type='password' name='PSK' size='30' value='$cgiparams{'PSK'}' /></td></tr> + <tr><td colspan='3' bgcolor='#000000'></td></tr> + <tr><td><input type='radio' name='AUTH' value='certreq' $checked{'AUTH'}{'certreq'} $cakeydisabled /></td> + <td class='base'><hr />$Lang::tr{'upload a certificate request'}</td> + <td class='base' rowspan='3' valign='middle'><input type='file' name='FH' size='30' $cacrtdisabled /></td></tr> + <tr><td><input type='radio' name='AUTH' value='certfile' $checked{'AUTH'}{'certfile'} $cacrtdisabled /></td> + <td class='base'>$Lang::tr{'upload a certificate'}</td></tr> + <tr><td><input type='radio' name='AUTH' value='pkcs12' $cacrtdisabled /></td> + <td class='base'>$Lang::tr{'upload p12 file'} $Lang::tr{'pkcs12 file password'}:<input type='password' name='P12_PASS'/></td></tr> + <tr><td><input type='radio' name='AUTH' value='auth-dn' $checked{'AUTH'}{'auth-dn'} $cacrtdisabled /></td> + <td class='base'><hr />$Lang::tr{'vpn auth-dn'}</td></tr> + <tr><td colspan='3' bgcolor='#000000'></td></tr> + <tr><td><input type='radio' name='AUTH' value='certgen' $checked{'AUTH'}{'certgen'} $cakeydisabled /></td> + <td class='base'><hr />$Lang::tr{'generate a certificate'}</td><td> </td></tr> + <tr><td> </td> + <td class='base'>$Lang::tr{'users fullname or system hostname'}: <img src='/blob.gif' alt='*' /></td> + <td class='base' nowrap='nowrap'><input type='text' name='CERT_NAME' value='$cgiparams{'CERT_NAME'}' size='32' $cakeydisabled /></td></tr> + <tr><td> </td> + <td class='base'>$Lang::tr{'users email'}:</td> + <td class='base' nowrap='nowrap'><input type='text' name='CERT_EMAIL' value='$cgiparams{'CERT_EMAIL'}' size='32' $cakeydisabled /></td></tr> + <tr><td> </td> + <td class='base'>$Lang::tr{'users department'}:</td> + <td class='base' nowrap='nowrap'><input type='text' name='CERT_OU' value='$cgiparams{'CERT_OU'}' size='32' $cakeydisabled /></td></tr> + <tr><td> </td> + <td class='base'>$Lang::tr{'organization name'}:</td> + <td class='base' nowrap='nowrap'><input type='text' name='CERT_ORGANIZATION' value='$cgiparams{'CERT_ORGANIZATION'}' size='32' $cakeydisabled /></td></tr> + <tr><td> </td> + <td class='base'>$Lang::tr{'city'}:</td> + <td class='base' nowrap='nowrap'><input type='text' name='CERT_CITY' value='$cgiparams{'CERT_CITY'}' size='32' $cakeydisabled /></td></tr> + <tr><td> </td> + <td class='base'>$Lang::tr{'state or province'}:</td> + <td class='base' nowrap='nowrap'><input type='text' name='CERT_STATE' value='$cgiparams{'CERT_STATE'}' size='32' $cakeydisabled /></td></tr> + <tr><td> </td> + <td class='base'>$Lang::tr{'country'}:</td> + <td class='base'><select name='CERT_COUNTRY' $cakeydisabled> +END +; + foreach my $country (sort keys %{Countries::countries}) { + print "\t\t\t<option value='$Countries::countries{$country}'"; + if ( $Countries::countries{$country} eq $cgiparams{'CERT_COUNTRY'} ) { + print " selected='selected'"; + } + print ">$country</option>\n"; + } + print <<END + </select></td></tr> + + <tr><td> </td><td class='base'>$Lang::tr{'vpn subjectaltname'} (subjectAltName=email:*,URI:*,DNS:*,RID:*)</td> + <td class='base' nowrap='nowrap'><input type='text' name='SUBJECTALTNAME' value='$cgiparams{'SUBJECTALTNAME'}' size='32' $cakeydisabled /></td></tr> + <tr><td> </td> + <td class='base'>$Lang::tr{'pkcs12 file password'}: <img src='/blob.gif' alt='*' /></td> + <td class='base' nowrap='nowrap'><input type='password' name='CERT_PASS1' value='$cgiparams{'CERT_PASS1'}' size='32' $cakeydisabled /></td></tr> + <tr><td> </td><td class='base'>$Lang::tr{'pkcs12 file password'} ($Lang::tr{'confirmation'}): <img src='/blob.gif' alt='*' /></td> + <td class='base' nowrap='nowrap'><input type='password' name='CERT_PASS2' value='$cgiparams{'CERT_PASS2'}' size='32' $cakeydisabled /></td></tr> + </table> +END +; + &Header::closebox(); } - print <<END - </select></td></tr> - <tr><td> </td><td class='base'>$Lang::tr{'vpn subjectaltname'} (subjectAltName=email:*,URI:*,DNS:*,RID:*)</td> - <td class='base' nowrap='nowrap'><input type='text' name='SUBJECTALTNAME' value='$cgiparams{'SUBJECTALTNAME'}' size='32' $cakeydisabled /></td></tr> - <tr><td> </td> - <td class='base'>$Lang::tr{'pkcs12 file password'}: <img src='/blob.gif' alt='*' /></td> - <td class='base' nowrap='nowrap'><input type='password' name='CERT_PASS1' value='$cgiparams{'CERT_PASS1'}' size='32' $cakeydisabled /></td></tr> - <tr><td> </td><td class='base'>$Lang::tr{'pkcs12 file password'} ($Lang::tr{'confirmation'}): <img src='/blob.gif' alt='*' /></td> - <td class='base' nowrap='nowrap'><input type='password' name='CERT_PASS2' value='$cgiparams{'CERT_PASS2'}' size='32' $cakeydisabled /></td></tr> - </table> -END - ; - &Header::closebox(); - } - - print "<div align='center'><input type='submit' name='ACTION' value='$Lang::tr{'save'}' />"; - if ($cgiparams{'KEY'}) { - print "<input type='submit' name='ACTION' value='$Lang::tr{'advanced'}' />"; - } - print "<input type='submit' name='ACTION' value='$Lang::tr{'cancel'}' /></div></form>"; - &Header::closebigbox(); - &Header::closepage(); - exit (0); - - VPNCONF_END: + print "<div align='center'><input type='submit' name='ACTION' value='$Lang::tr{'save'}' />"; + if ($cgiparams{'KEY'}) { + print "<input type='submit' name='ACTION' value='$Lang::tr{'advanced'}' />"; + } + print "<input type='submit' name='ACTION' value='$Lang::tr{'cancel'}' /></div></form>"; + &Header::closebigbox(); + &Header::closepage(); + exit (0); + + VPNCONF_END: } ### @@ -2115,291 +2113,288 @@ END ### if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) || ($cgiparams{'ACTION'} eq $Lang::tr{'save'} && $cgiparams{'ADVANCED'} eq 'yes')) { - &General::readhash("${General::swroot}/vpn/settings", \%vpnsettings); - &General::readhasharray("${General::swroot}/vpn/config", \%confighash); - if (! $confighash{$cgiparams{'KEY'}}) { - $errormessage = $Lang::tr{'invalid key'}; - goto ADVANCED_END; - } - - if ($cgiparams{'ACTION'} eq $Lang::tr{'save'}) { - my @temp = split('\|', $cgiparams{'IKE_ENCRYPTION'}); - if ($#temp < 0) { - $errormessage = $Lang::tr{'invalid input'}; - goto ADVANCED_ERROR; - } - foreach my $val (@temp) { - if ($val !~ /^(aes(256|192|128)(gcm(128|96|64))?|3des|camellia(256|192|128))$/) { - $errormessage = $Lang::tr{'invalid input'}; - goto ADVANCED_ERROR; - } + &General::readhash("${General::swroot}/vpn/settings", \%vpnsettings); + &General::readhasharray("${General::swroot}/vpn/config", \%confighash); + if (! $confighash{$cgiparams{'KEY'}}) { + $errormessage = $Lang::tr{'invalid key'}; + goto ADVANCED_END; + } + + if ($cgiparams{'ACTION'} eq $Lang::tr{'save'}) { + my @temp = split('\|', $cgiparams{'IKE_ENCRYPTION'}); + if ($#temp < 0) { + $errormessage = $Lang::tr{'invalid input'}; + goto ADVANCED_ERROR; + } + foreach my $val (@temp) { + if ($val !~ /^(aes(256|192|128)(gcm(128|96|64))?|3des|camellia(256|192|128))$/) { + $errormessage = $Lang::tr{'invalid input'}; + goto ADVANCED_ERROR; + } + } + @temp = split('\|', $cgiparams{'IKE_INTEGRITY'}); + if ($#temp < 0) { + $errormessage = $Lang::tr{'invalid input'}; + goto ADVANCED_ERROR; + } + foreach my $val (@temp) { + if ($val !~ /^(sha2_(512|384|256)|sha|md5|aesxcbc)$/) { + $errormessage = $Lang::tr{'invalid input'}; + goto ADVANCED_ERROR; + } + } + @temp = split('\|', $cgiparams{'IKE_GROUPTYPE'}); + if ($#temp < 0) { + $errormessage = $Lang::tr{'invalid input'}; + goto ADVANCED_ERROR; + } + foreach my $val (@temp) { + if ($val !~ /^(e521|e384|e256|e224|e192|e512bp|e384bp|e256bp|e224bp|1024|1536|2048|2048s256|2048s224|2048s160|3072|4096|6144|8192)$/) { + $errormessage = $Lang::tr{'invalid input'}; + goto ADVANCED_ERROR; + } + } + if ($cgiparams{'IKE_LIFETIME'} !~ /^\d+$/) { + $errormessage = $Lang::tr{'invalid input for ike lifetime'}; + goto ADVANCED_ERROR; + } + if ($cgiparams{'IKE_LIFETIME'} < 1 || $cgiparams{'IKE_LIFETIME'} > 8) { + $errormessage = $Lang::tr{'ike lifetime should be between 1 and 8 hours'}; + goto ADVANCED_ERROR; + } + @temp = split('\|', $cgiparams{'ESP_ENCRYPTION'}); + if ($#temp < 0) { + $errormessage = $Lang::tr{'invalid input'}; + goto ADVANCED_ERROR; + } + foreach my $val (@temp) { + if ($val !~ /^(aes(256|192|128)(gcm(128|96|64))?|3des|camellia(256|192|128))$/) { + $errormessage = $Lang::tr{'invalid input'}; + goto ADVANCED_ERROR; + } + } + @temp = split('\|', $cgiparams{'ESP_INTEGRITY'}); + if ($#temp < 0) { + $errormessage = $Lang::tr{'invalid input'}; + goto ADVANCED_ERROR; + } + foreach my $val (@temp) { + if ($val !~ /^(sha2_(512|384|256)|sha1|md5|aesxcbc)$/) { + $errormessage = $Lang::tr{'invalid input'}; + goto ADVANCED_ERROR; + } + } + @temp = split('\|', $cgiparams{'ESP_GROUPTYPE'}); + if ($#temp < 0) { + $errormessage = $Lang::tr{'invalid input'}; + goto ADVANCED_ERROR; + } + foreach my $val (@temp) { + if ($val !~ /^(e521|e384|e256|e224|e192|e512bp|e384bp|e256bp|e224bp|1024|1536|2048|2048s256|2048s224|2048s160|3072|4096|6144|8192|none)$/) { + $errormessage = $Lang::tr{'invalid input'}; + goto ADVANCED_ERROR; + } + } + if ($cgiparams{'ESP_KEYLIFE'} !~ /^\d+$/) { + $errormessage = $Lang::tr{'invalid input for esp keylife'}; + goto ADVANCED_ERROR; + } + if ($cgiparams{'ESP_KEYLIFE'} < 1 || $cgiparams{'ESP_KEYLIFE'} > 24) { + $errormessage = $Lang::tr{'esp keylife should be between 1 and 24 hours'}; + goto ADVANCED_ERROR; + } + + if (($cgiparams{'COMPRESSION'} !~ /^(|on|off)$/) || + ($cgiparams{'FORCE_MOBIKE'} !~ /^(|on|off)$/) || + ($cgiparams{'ONLY_PROPOSED'} !~ /^(|on|off)$/) || + ($cgiparams{'PFS'} !~ /^(|on|off)$/)) { + $errormessage = $Lang::tr{'invalid input'}; + goto ADVANCED_ERROR; + } + + if ($cgiparams{'DPD_DELAY'} !~ /^\d+$/) { + $errormessage = $Lang::tr{'invalid input for dpd delay'}; + goto ADVANCED_ERROR; + } + + if ($cgiparams{'DPD_TIMEOUT'} !~ /^\d+$/) { + $errormessage = $Lang::tr{'invalid input for dpd timeout'}; + goto ADVANCED_ERROR; + } + + $confighash{$cgiparams{'KEY'}}[29] = $cgiparams{'IKE_VERSION'}; + $confighash{$cgiparams{'KEY'}}[18] = $cgiparams{'IKE_ENCRYPTION'}; + $confighash{$cgiparams{'KEY'}}[19] = $cgiparams{'IKE_INTEGRITY'}; + $confighash{$cgiparams{'KEY'}}[20] = $cgiparams{'IKE_GROUPTYPE'}; + $confighash{$cgiparams{'KEY'}}[16] = $cgiparams{'IKE_LIFETIME'}; + $confighash{$cgiparams{'KEY'}}[21] = $cgiparams{'ESP_ENCRYPTION'}; + $confighash{$cgiparams{'KEY'}}[22] = $cgiparams{'ESP_INTEGRITY'}; + $confighash{$cgiparams{'KEY'}}[23] = $cgiparams{'ESP_GROUPTYPE'}; + $confighash{$cgiparams{'KEY'}}[17] = $cgiparams{'ESP_KEYLIFE'}; + $confighash{$cgiparams{'KEY'}}[12] = 'off'; #$cgiparams{'AGGRMODE'}; + $confighash{$cgiparams{'KEY'}}[13] = $cgiparams{'COMPRESSION'}; + $confighash{$cgiparams{'KEY'}}[24] = $cgiparams{'ONLY_PROPOSED'}; + $confighash{$cgiparams{'KEY'}}[28] = $cgiparams{'PFS'}; + $confighash{$cgiparams{'KEY'}}[27] = $cgiparams{'DPD_ACTION'}; + $confighash{$cgiparams{'KEY'}}[30] = $cgiparams{'DPD_TIMEOUT'}; + $confighash{$cgiparams{'KEY'}}[31] = $cgiparams{'DPD_DELAY'}; + $confighash{$cgiparams{'KEY'}}[32] = $cgiparams{'FORCE_MOBIKE'}; + &General::writehasharray("${General::swroot}/vpn/config", \%confighash); + &writeipsecfiles(); + if (&vpnenabled) { + system('/usr/local/bin/ipsecctrl', 'S', $cgiparams{'KEY'}); + sleep $sleepDelay; + } + goto ADVANCED_END; + } else { + $cgiparams{'IKE_VERSION'} = $confighash{$cgiparams{'KEY'}}[29]; + $cgiparams{'IKE_ENCRYPTION'} = $confighash{$cgiparams{'KEY'}}[18]; + $cgiparams{'IKE_INTEGRITY'} = $confighash{$cgiparams{'KEY'}}[19]; + $cgiparams{'IKE_GROUPTYPE'} = $confighash{$cgiparams{'KEY'}}[20]; + $cgiparams{'IKE_LIFETIME'} = $confighash{$cgiparams{'KEY'}}[16]; + $cgiparams{'ESP_ENCRYPTION'} = $confighash{$cgiparams{'KEY'}}[21]; + $cgiparams{'ESP_INTEGRITY'} = $confighash{$cgiparams{'KEY'}}[22]; + $cgiparams{'ESP_GROUPTYPE'} = $confighash{$cgiparams{'KEY'}}[23]; + if ($cgiparams{'ESP_GROUPTYPE'} eq "") { + $cgiparams{'ESP_GROUPTYPE'} = $cgiparams{'IKE_GROUPTYPE'}; + } + $cgiparams{'ESP_KEYLIFE'} = $confighash{$cgiparams{'KEY'}}[17]; + $cgiparams{'COMPRESSION'} = $confighash{$cgiparams{'KEY'}}[13]; + $cgiparams{'ONLY_PROPOSED'} = $confighash{$cgiparams{'KEY'}}[24]; + $cgiparams{'PFS'} = $confighash{$cgiparams{'KEY'}}[28]; + $cgiparams{'DPD_ACTION'} = $confighash{$cgiparams{'KEY'}}[27]; + $cgiparams{'DPD_TIMEOUT'} = $confighash{$cgiparams{'KEY'}}[30]; + $cgiparams{'DPD_DELAY'} = $confighash{$cgiparams{'KEY'}}[31]; + $cgiparams{'FORCE_MOBIKE'} = $confighash{$cgiparams{'KEY'}}[32]; + + if (!$cgiparams{'DPD_DELAY'}) { + $cgiparams{'DPD_DELAY'} = 30; + } + + if (!$cgiparams{'DPD_TIMEOUT'}) { + $cgiparams{'DPD_TIMEOUT'} = 120; + } } + + ADVANCED_ERROR: + $checked{'IKE_ENCRYPTION'}{'aes256'} = ''; + $checked{'IKE_ENCRYPTION'}{'aes192'} = ''; + $checked{'IKE_ENCRYPTION'}{'aes128'} = ''; + $checked{'IKE_ENCRYPTION'}{'aes256gcm128'} = ''; + $checked{'IKE_ENCRYPTION'}{'aes192gcm128'} = ''; + $checked{'IKE_ENCRYPTION'}{'aes128gcm128'} = ''; + $checked{'IKE_ENCRYPTION'}{'aes256gcm96'} = ''; + $checked{'IKE_ENCRYPTION'}{'aes192gcm96'} = ''; + $checked{'IKE_ENCRYPTION'}{'aes128gcm96'} = ''; + $checked{'IKE_ENCRYPTION'}{'aes256gcm64'} = ''; + $checked{'IKE_ENCRYPTION'}{'aes192gcm64'} = ''; + $checked{'IKE_ENCRYPTION'}{'aes128gcm64'} = ''; + $checked{'IKE_ENCRYPTION'}{'3des'} = ''; + $checked{'IKE_ENCRYPTION'}{'camellia256'} = ''; + $checked{'IKE_ENCRYPTION'}{'camellia192'} = ''; + $checked{'IKE_ENCRYPTION'}{'camellia128'} = ''; + my @temp = split('\|', $cgiparams{'IKE_ENCRYPTION'}); + foreach my $key (@temp) {$checked{'IKE_ENCRYPTION'}{$key} = "selected='selected'"; } + $checked{'IKE_INTEGRITY'}{'sha2_512'} = ''; + $checked{'IKE_INTEGRITY'}{'sha2_384'} = ''; + $checked{'IKE_INTEGRITY'}{'sha2_256'} = ''; + $checked{'IKE_INTEGRITY'}{'sha'} = ''; + $checked{'IKE_INTEGRITY'}{'md5'} = ''; + $checked{'IKE_INTEGRITY'}{'aesxcbc'} = ''; @temp = split('\|', $cgiparams{'IKE_INTEGRITY'}); - if ($#temp < 0) { - $errormessage = $Lang::tr{'invalid input'}; - goto ADVANCED_ERROR; - } - foreach my $val (@temp) { - if ($val !~ /^(sha2_(512|384|256)|sha|md5|aesxcbc)$/) { - $errormessage = $Lang::tr{'invalid input'}; - goto ADVANCED_ERROR; - } - } + foreach my $key (@temp) {$checked{'IKE_INTEGRITY'}{$key} = "selected='selected'"; } + $checked{'IKE_GROUPTYPE'}{'768'} = ''; + $checked{'IKE_GROUPTYPE'}{'1024'} = ''; + $checked{'IKE_GROUPTYPE'}{'1536'} = ''; + $checked{'IKE_GROUPTYPE'}{'2048'} = ''; + $checked{'IKE_GROUPTYPE'}{'3072'} = ''; + $checked{'IKE_GROUPTYPE'}{'4096'} = ''; + $checked{'IKE_GROUPTYPE'}{'6144'} = ''; + $checked{'IKE_GROUPTYPE'}{'8192'} = ''; @temp = split('\|', $cgiparams{'IKE_GROUPTYPE'}); - if ($#temp < 0) { - $errormessage = $Lang::tr{'invalid input'}; - goto ADVANCED_ERROR; - } - foreach my $val (@temp) { - if ($val !~ /^(e521|e384|e256|e224|e192|e512bp|e384bp|e256bp|e224bp|1024|1536|2048|2048s256|2048s224|2048s160|3072|4096|6144|8192)$/) { - $errormessage = $Lang::tr{'invalid input'}; - goto ADVANCED_ERROR; - } - } - if ($cgiparams{'IKE_LIFETIME'} !~ /^\d+$/) { - $errormessage = $Lang::tr{'invalid input for ike lifetime'}; - goto ADVANCED_ERROR; - } - if ($cgiparams{'IKE_LIFETIME'} < 1 || $cgiparams{'IKE_LIFETIME'} > 8) { - $errormessage = $Lang::tr{'ike lifetime should be between 1 and 8 hours'}; - goto ADVANCED_ERROR; - } + foreach my $key (@temp) {$checked{'IKE_GROUPTYPE'}{$key} = "selected='selected'"; } + + # 768 is not supported by strongswan + $checked{'IKE_GROUPTYPE'}{'768'} = ''; + + $checked{'ESP_ENCRYPTION'}{'aes256'} = ''; + $checked{'ESP_ENCRYPTION'}{'aes192'} = ''; + $checked{'ESP_ENCRYPTION'}{'aes128'} = ''; + $checked{'ESP_ENCRYPTION'}{'aes256gcm128'} = ''; + $checked{'ESP_ENCRYPTION'}{'aes192gcm128'} = ''; + $checked{'ESP_ENCRYPTION'}{'aes128gcm128'} = ''; + $checked{'ESP_ENCRYPTION'}{'aes256gcm96'} = ''; + $checked{'ESP_ENCRYPTION'}{'aes192gcm96'} = ''; + $checked{'ESP_ENCRYPTION'}{'aes128gcm96'} = ''; + $checked{'ESP_ENCRYPTION'}{'aes256gcm64'} = ''; + $checked{'ESP_ENCRYPTION'}{'aes192gcm64'} = ''; + $checked{'ESP_ENCRYPTION'}{'aes128gcm64'} = ''; + $checked{'ESP_ENCRYPTION'}{'3des'} = ''; + $checked{'ESP_ENCRYPTION'}{'camellia256'} = ''; + $checked{'ESP_ENCRYPTION'}{'camellia192'} = ''; + $checked{'ESP_ENCRYPTION'}{'camellia128'} = ''; @temp = split('\|', $cgiparams{'ESP_ENCRYPTION'}); - if ($#temp < 0) { - $errormessage = $Lang::tr{'invalid input'}; - goto ADVANCED_ERROR; - } - foreach my $val (@temp) { - if ($val !~ /^(aes(256|192|128)(gcm(128|96|64))?|3des|camellia(256|192|128))$/) { - $errormessage = $Lang::tr{'invalid input'}; - goto ADVANCED_ERROR; - } - } + foreach my $key (@temp) {$checked{'ESP_ENCRYPTION'}{$key} = "selected='selected'"; } + $checked{'ESP_INTEGRITY'}{'sha2_512'} = ''; + $checked{'ESP_INTEGRITY'}{'sha2_384'} = ''; + $checked{'ESP_INTEGRITY'}{'sha2_256'} = ''; + $checked{'ESP_INTEGRITY'}{'sha1'} = ''; + $checked{'ESP_INTEGRITY'}{'md5'} = ''; + $checked{'ESP_INTEGRITY'}{'aesxcbc'} = ''; @temp = split('\|', $cgiparams{'ESP_INTEGRITY'}); - if ($#temp < 0) { - $errormessage = $Lang::tr{'invalid input'}; - goto ADVANCED_ERROR; - } - foreach my $val (@temp) { - if ($val !~ /^(sha2_(512|384|256)|sha1|md5|aesxcbc)$/) { - $errormessage = $Lang::tr{'invalid input'}; - goto ADVANCED_ERROR; - } - } + foreach my $key (@temp) {$checked{'ESP_INTEGRITY'}{$key} = "selected='selected'"; } + $checked{'ESP_GROUPTYPE'}{'768'} = ''; + $checked{'ESP_GROUPTYPE'}{'1024'} = ''; + $checked{'ESP_GROUPTYPE'}{'1536'} = ''; + $checked{'ESP_GROUPTYPE'}{'2048'} = ''; + $checked{'ESP_GROUPTYPE'}{'3072'} = ''; + $checked{'ESP_GROUPTYPE'}{'4096'} = ''; + $checked{'ESP_GROUPTYPE'}{'6144'} = ''; + $checked{'ESP_GROUPTYPE'}{'8192'} = ''; + $checked{'ESP_GROUPTYPE'}{'none'} = ''; @temp = split('\|', $cgiparams{'ESP_GROUPTYPE'}); - if ($#temp < 0) { - $errormessage = $Lang::tr{'invalid input'}; - goto ADVANCED_ERROR; - } - foreach my $val (@temp) { - if ($val !~ /^(e521|e384|e256|e224|e192|e512bp|e384bp|e256bp|e224bp|1024|1536|2048|2048s256|2048s224|2048s160|3072|4096|6144|8192|none)$/) { - $errormessage = $Lang::tr{'invalid input'}; - goto ADVANCED_ERROR; - } - } - if ($cgiparams{'ESP_KEYLIFE'} !~ /^\d+$/) { - $errormessage = $Lang::tr{'invalid input for esp keylife'}; - goto ADVANCED_ERROR; - } - if ($cgiparams{'ESP_KEYLIFE'} < 1 || $cgiparams{'ESP_KEYLIFE'} > 24) { - $errormessage = $Lang::tr{'esp keylife should be between 1 and 24 hours'}; - goto ADVANCED_ERROR; - } - - if ( - ($cgiparams{'COMPRESSION'} !~ /^(|on|off)$/) || - ($cgiparams{'FORCE_MOBIKE'} !~ /^(|on|off)$/) || - ($cgiparams{'ONLY_PROPOSED'} !~ /^(|on|off)$/) || - ($cgiparams{'PFS'} !~ /^(|on|off)$/) - ){ - $errormessage = $Lang::tr{'invalid input'}; - goto ADVANCED_ERROR; - } - - if ($cgiparams{'DPD_DELAY'} !~ /^\d+$/) { - $errormessage = $Lang::tr{'invalid input for dpd delay'}; - goto ADVANCED_ERROR; - } - - if ($cgiparams{'DPD_TIMEOUT'} !~ /^\d+$/) { - $errormessage = $Lang::tr{'invalid input for dpd timeout'}; - goto ADVANCED_ERROR; - } - - $confighash{$cgiparams{'KEY'}}[29] = $cgiparams{'IKE_VERSION'}; - $confighash{$cgiparams{'KEY'}}[18] = $cgiparams{'IKE_ENCRYPTION'}; - $confighash{$cgiparams{'KEY'}}[19] = $cgiparams{'IKE_INTEGRITY'}; - $confighash{$cgiparams{'KEY'}}[20] = $cgiparams{'IKE_GROUPTYPE'}; - $confighash{$cgiparams{'KEY'}}[16] = $cgiparams{'IKE_LIFETIME'}; - $confighash{$cgiparams{'KEY'}}[21] = $cgiparams{'ESP_ENCRYPTION'}; - $confighash{$cgiparams{'KEY'}}[22] = $cgiparams{'ESP_INTEGRITY'}; - $confighash{$cgiparams{'KEY'}}[23] = $cgiparams{'ESP_GROUPTYPE'}; - $confighash{$cgiparams{'KEY'}}[17] = $cgiparams{'ESP_KEYLIFE'}; - $confighash{$cgiparams{'KEY'}}[12] = 'off'; #$cgiparams{'AGGRMODE'}; - $confighash{$cgiparams{'KEY'}}[13] = $cgiparams{'COMPRESSION'}; - $confighash{$cgiparams{'KEY'}}[24] = $cgiparams{'ONLY_PROPOSED'}; - $confighash{$cgiparams{'KEY'}}[28] = $cgiparams{'PFS'}; - $confighash{$cgiparams{'KEY'}}[27] = $cgiparams{'DPD_ACTION'}; - $confighash{$cgiparams{'KEY'}}[30] = $cgiparams{'DPD_TIMEOUT'}; - $confighash{$cgiparams{'KEY'}}[31] = $cgiparams{'DPD_DELAY'}; - $confighash{$cgiparams{'KEY'}}[32] = $cgiparams{'FORCE_MOBIKE'}; - &General::writehasharray("${General::swroot}/vpn/config", \%confighash); - &writeipsecfiles(); - if (&vpnenabled) { - system('/usr/local/bin/ipsecctrl', 'S', $cgiparams{'KEY'}); - sleep $sleepDelay; - } - goto ADVANCED_END; - } else { - $cgiparams{'IKE_VERSION'} = $confighash{$cgiparams{'KEY'}}[29]; - $cgiparams{'IKE_ENCRYPTION'} = $confighash{$cgiparams{'KEY'}}[18]; - $cgiparams{'IKE_INTEGRITY'} = $confighash{$cgiparams{'KEY'}}[19]; - $cgiparams{'IKE_GROUPTYPE'} = $confighash{$cgiparams{'KEY'}}[20]; - $cgiparams{'IKE_LIFETIME'} = $confighash{$cgiparams{'KEY'}}[16]; - $cgiparams{'ESP_ENCRYPTION'} = $confighash{$cgiparams{'KEY'}}[21]; - $cgiparams{'ESP_INTEGRITY'} = $confighash{$cgiparams{'KEY'}}[22]; - $cgiparams{'ESP_GROUPTYPE'} = $confighash{$cgiparams{'KEY'}}[23]; - if ($cgiparams{'ESP_GROUPTYPE'} eq "") { - $cgiparams{'ESP_GROUPTYPE'} = $cgiparams{'IKE_GROUPTYPE'}; - } - $cgiparams{'ESP_KEYLIFE'} = $confighash{$cgiparams{'KEY'}}[17]; - $cgiparams{'COMPRESSION'} = $confighash{$cgiparams{'KEY'}}[13]; - $cgiparams{'ONLY_PROPOSED'} = $confighash{$cgiparams{'KEY'}}[24]; - $cgiparams{'PFS'} = $confighash{$cgiparams{'KEY'}}[28]; - $cgiparams{'DPD_ACTION'} = $confighash{$cgiparams{'KEY'}}[27]; - $cgiparams{'DPD_TIMEOUT'} = $confighash{$cgiparams{'KEY'}}[30]; - $cgiparams{'DPD_DELAY'} = $confighash{$cgiparams{'KEY'}}[31]; - $cgiparams{'FORCE_MOBIKE'} = $confighash{$cgiparams{'KEY'}}[32]; + foreach my $key (@temp) {$checked{'ESP_GROUPTYPE'}{$key} = "selected='selected'"; } - if (!$cgiparams{'DPD_DELAY'}) { - $cgiparams{'DPD_DELAY'} = 30; - } + $checked{'COMPRESSION'} = $cgiparams{'COMPRESSION'} eq 'on' ? "checked='checked'" : '' ; + $checked{'FORCE_MOBIKE'} = $cgiparams{'FORCE_MOBIKE'} eq 'on' ? "checked='checked'" : '' ; + $checked{'ONLY_PROPOSED'} = $cgiparams{'ONLY_PROPOSED'} eq 'on' ? "checked='checked'" : '' ; + $checked{'PFS'} = $cgiparams{'PFS'} eq 'on' ? "checked='checked'" : '' ; - if (!$cgiparams{'DPD_TIMEOUT'}) { - $cgiparams{'DPD_TIMEOUT'} = 120; - } + $selected{'IKE_VERSION'}{'ikev1'} = ''; + $selected{'IKE_VERSION'}{'ikev2'} = ''; + $selected{'IKE_VERSION'}{$cgiparams{'IKE_VERSION'}} = "selected='selected'"; - } - - ADVANCED_ERROR: - $checked{'IKE_ENCRYPTION'}{'aes256'} = ''; - $checked{'IKE_ENCRYPTION'}{'aes192'} = ''; - $checked{'IKE_ENCRYPTION'}{'aes128'} = ''; - $checked{'IKE_ENCRYPTION'}{'aes256gcm128'} = ''; - $checked{'IKE_ENCRYPTION'}{'aes192gcm128'} = ''; - $checked{'IKE_ENCRYPTION'}{'aes128gcm128'} = ''; - $checked{'IKE_ENCRYPTION'}{'aes256gcm96'} = ''; - $checked{'IKE_ENCRYPTION'}{'aes192gcm96'} = ''; - $checked{'IKE_ENCRYPTION'}{'aes128gcm96'} = ''; - $checked{'IKE_ENCRYPTION'}{'aes256gcm64'} = ''; - $checked{'IKE_ENCRYPTION'}{'aes192gcm64'} = ''; - $checked{'IKE_ENCRYPTION'}{'aes128gcm64'} = ''; - $checked{'IKE_ENCRYPTION'}{'3des'} = ''; - $checked{'IKE_ENCRYPTION'}{'camellia256'} = ''; - $checked{'IKE_ENCRYPTION'}{'camellia192'} = ''; - $checked{'IKE_ENCRYPTION'}{'camellia128'} = ''; - my @temp = split('\|', $cgiparams{'IKE_ENCRYPTION'}); - foreach my $key (@temp) {$checked{'IKE_ENCRYPTION'}{$key} = "selected='selected'"; } - $checked{'IKE_INTEGRITY'}{'sha2_512'} = ''; - $checked{'IKE_INTEGRITY'}{'sha2_384'} = ''; - $checked{'IKE_INTEGRITY'}{'sha2_256'} = ''; - $checked{'IKE_INTEGRITY'}{'sha'} = ''; - $checked{'IKE_INTEGRITY'}{'md5'} = ''; - $checked{'IKE_INTEGRITY'}{'aesxcbc'} = ''; - @temp = split('\|', $cgiparams{'IKE_INTEGRITY'}); - foreach my $key (@temp) {$checked{'IKE_INTEGRITY'}{$key} = "selected='selected'"; } - $checked{'IKE_GROUPTYPE'}{'768'} = ''; - $checked{'IKE_GROUPTYPE'}{'1024'} = ''; - $checked{'IKE_GROUPTYPE'}{'1536'} = ''; - $checked{'IKE_GROUPTYPE'}{'2048'} = ''; - $checked{'IKE_GROUPTYPE'}{'3072'} = ''; - $checked{'IKE_GROUPTYPE'}{'4096'} = ''; - $checked{'IKE_GROUPTYPE'}{'6144'} = ''; - $checked{'IKE_GROUPTYPE'}{'8192'} = ''; - @temp = split('\|', $cgiparams{'IKE_GROUPTYPE'}); - foreach my $key (@temp) {$checked{'IKE_GROUPTYPE'}{$key} = "selected='selected'"; } - - # 768 is not supported by strongswan - $checked{'IKE_GROUPTYPE'}{'768'} = ''; - - $checked{'ESP_ENCRYPTION'}{'aes256'} = ''; - $checked{'ESP_ENCRYPTION'}{'aes192'} = ''; - $checked{'ESP_ENCRYPTION'}{'aes128'} = ''; - $checked{'ESP_ENCRYPTION'}{'aes256gcm128'} = ''; - $checked{'ESP_ENCRYPTION'}{'aes192gcm128'} = ''; - $checked{'ESP_ENCRYPTION'}{'aes128gcm128'} = ''; - $checked{'ESP_ENCRYPTION'}{'aes256gcm96'} = ''; - $checked{'ESP_ENCRYPTION'}{'aes192gcm96'} = ''; - $checked{'ESP_ENCRYPTION'}{'aes128gcm96'} = ''; - $checked{'ESP_ENCRYPTION'}{'aes256gcm64'} = ''; - $checked{'ESP_ENCRYPTION'}{'aes192gcm64'} = ''; - $checked{'ESP_ENCRYPTION'}{'aes128gcm64'} = ''; - $checked{'ESP_ENCRYPTION'}{'3des'} = ''; - $checked{'ESP_ENCRYPTION'}{'camellia256'} = ''; - $checked{'ESP_ENCRYPTION'}{'camellia192'} = ''; - $checked{'ESP_ENCRYPTION'}{'camellia128'} = ''; - @temp = split('\|', $cgiparams{'ESP_ENCRYPTION'}); - foreach my $key (@temp) {$checked{'ESP_ENCRYPTION'}{$key} = "selected='selected'"; } - $checked{'ESP_INTEGRITY'}{'sha2_512'} = ''; - $checked{'ESP_INTEGRITY'}{'sha2_384'} = ''; - $checked{'ESP_INTEGRITY'}{'sha2_256'} = ''; - $checked{'ESP_INTEGRITY'}{'sha1'} = ''; - $checked{'ESP_INTEGRITY'}{'md5'} = ''; - $checked{'ESP_INTEGRITY'}{'aesxcbc'} = ''; - @temp = split('\|', $cgiparams{'ESP_INTEGRITY'}); - foreach my $key (@temp) {$checked{'ESP_INTEGRITY'}{$key} = "selected='selected'"; } - $checked{'ESP_GROUPTYPE'}{'768'} = ''; - $checked{'ESP_GROUPTYPE'}{'1024'} = ''; - $checked{'ESP_GROUPTYPE'}{'1536'} = ''; - $checked{'ESP_GROUPTYPE'}{'2048'} = ''; - $checked{'ESP_GROUPTYPE'}{'3072'} = ''; - $checked{'ESP_GROUPTYPE'}{'4096'} = ''; - $checked{'ESP_GROUPTYPE'}{'6144'} = ''; - $checked{'ESP_GROUPTYPE'}{'8192'} = ''; - $checked{'ESP_GROUPTYPE'}{'none'} = ''; - @temp = split('\|', $cgiparams{'ESP_GROUPTYPE'}); - foreach my $key (@temp) {$checked{'ESP_GROUPTYPE'}{$key} = "selected='selected'"; } - - $checked{'COMPRESSION'} = $cgiparams{'COMPRESSION'} eq 'on' ? "checked='checked'" : '' ; - $checked{'FORCE_MOBIKE'} = $cgiparams{'FORCE_MOBIKE'} eq 'on' ? "checked='checked'" : '' ; - $checked{'ONLY_PROPOSED'} = $cgiparams{'ONLY_PROPOSED'} eq 'on' ? "checked='checked'" : '' ; - $checked{'PFS'} = $cgiparams{'PFS'} eq 'on' ? "checked='checked'" : '' ; - - $selected{'IKE_VERSION'}{'ikev1'} = ''; - $selected{'IKE_VERSION'}{'ikev2'} = ''; - $selected{'IKE_VERSION'}{$cgiparams{'IKE_VERSION'}} = "selected='selected'"; - - $selected{'DPD_ACTION'}{'clear'} = ''; - $selected{'DPD_ACTION'}{'hold'} = ''; - $selected{'DPD_ACTION'}{'restart'} = ''; - $selected{'DPD_ACTION'}{'none'} = ''; - $selected{'DPD_ACTION'}{$cgiparams{'DPD_ACTION'}} = "selected='selected'"; - - &Header::showhttpheaders(); - &Header::openpage($Lang::tr{'ipsec'}, 1, ''); - &Header::openbigbox('100%', 'left', '', $errormessage); - - if ($errormessage) { - &Header::openbox('100%', 'left', $Lang::tr{'error messages'}); - print "<class name='base'>$errormessage"; - print " </class>"; - &Header::closebox(); - } + $selected{'DPD_ACTION'}{'clear'} = ''; + $selected{'DPD_ACTION'}{'hold'} = ''; + $selected{'DPD_ACTION'}{'restart'} = ''; + $selected{'DPD_ACTION'}{'none'} = ''; + $selected{'DPD_ACTION'}{$cgiparams{'DPD_ACTION'}} = "selected='selected'"; - if ($warnmessage) { - &Header::openbox('100%', 'left', $Lang::tr{'warning messages'}); - print "<class name='base'>$warnmessage"; - print " </class>"; - &Header::closebox(); - } + &Header::showhttpheaders(); + &Header::openpage($Lang::tr{'ipsec'}, 1, ''); + &Header::openbigbox('100%', 'left', '', $errormessage); + + if ($errormessage) { + &Header::openbox('100%', 'left', $Lang::tr{'error messages'}); + print "<class name='base'>$errormessage"; + print " </class>"; + &Header::closebox(); + } + + if ($warnmessage) { + &Header::openbox('100%', 'left', $Lang::tr{'warning messages'}); + print "<class name='base'>$warnmessage"; + print " </class>"; + &Header::closebox(); + } - &Header::openbox('100%', 'left', "$Lang::tr{'advanced'}:"); - print <<EOF - <form method='post' enctype='multipart/form-data' action='$ENV{'SCRIPT_NAME'}'> - <input type='hidden' name='ADVANCED' value='yes' /> - <input type='hidden' name='KEY' value='$cgiparams{'KEY'}' /> + &Header::openbox('100%', 'left', "$Lang::tr{'advanced'}:"); + print <<EOF + <form method='post' enctype='multipart/form-data' action='$ENV{'SCRIPT_NAME'}'> + <input type='hidden' name='ADVANCED' value='yes' /> + <input type='hidden' name='KEY' value='$cgiparams{'KEY'}' /> - <table width='100%'> + <table width='100%'> <thead> <tr> <th width="15%"></th> @@ -2545,14 +2540,14 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) || </td> </tr> </tbody> - </table> + </table> <br><br> <h2>$Lang::tr{'dead peer detection'}</h2> - <table width="100%"> - <tr> + <table width="100%"> + <tr> <td width="15%">$Lang::tr{'dpd action'}:</td> <td> <select name='DPD_ACTION'> @@ -2575,11 +2570,11 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) || <input type='text' name='DPD_DELAY' size='5' value='$cgiparams{'DPD_DELAY'}' /> </td> </tr> - </table> + </table> - <hr> + <hr> - <table width="100%"> + <table width="100%"> <tr> <td> <label> @@ -2613,9 +2608,9 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) || </td> </tr> EOF - ; +; - print <<EOF; + print <<EOF; <tr> <td align='left' colspan='1'><img src='/blob.gif' align='top' alt='*' /> $Lang::tr{'required field'}</td> <td align='right' colspan='2'> @@ -2623,58 +2618,58 @@ EOF <input type='submit' name='ACTION' value='$Lang::tr{'cancel'}' /> </td> </tr> - </table></form> + </table></form> EOF - &Header::closebox(); - &Header::closebigbox(); - &Header::closepage(); - exit(0); + &Header::closebox(); + &Header::closebigbox(); + &Header::closepage(); + exit(0); - ADVANCED_END: + ADVANCED_END: } ### ### Default status page ### - %cgiparams = (); - %cahash = (); - %confighash = (); - &General::readhash("${General::swroot}/vpn/settings", \%cgiparams); - &General::readhasharray("${General::swroot}/vpn/caconfig", \%cahash); - &General::readhasharray("${General::swroot}/vpn/config", \%confighash); - $cgiparams{'CA_NAME'} = ''; - - my @status = `/usr/local/bin/ipsecctrl I 2>/dev/null`; - - # suggest a default name for this side - if ($cgiparams{'VPN_IP'} eq '' && -e "${General::swroot}/red/active") { - if (open(IPADDR, "${General::swroot}/red/local-ipaddress")) { - my $ipaddr = <IPADDR>; - close IPADDR; - chomp ($ipaddr); - $cgiparams{'VPN_IP'} = (gethostbyaddr(pack("C4", split(/\./, $ipaddr)), 2))[0]; - if ($cgiparams{'VPN_IP'} eq '') { - $cgiparams{'VPN_IP'} = $ipaddr; - } - } - } - # no IP found, use %defaultroute - $cgiparams{'VPN_IP'} ='%defaultroute' if ($cgiparams{'VPN_IP'} eq ''); - - $cgiparams{'VPN_DELAYED_START'} = 0 if (! defined ($cgiparams{'VPN_DELAYED_START'})); - $checked{'ENABLED'} = $cgiparams{'ENABLED'} eq 'on' ? "checked='checked'" : ''; - - &Header::showhttpheaders(); - &Header::openpage($Lang::tr{'ipsec'}, 1, ''); - &Header::openbigbox('100%', 'left', '', $errormessage); - - if ($errormessage) { - &Header::openbox('100%', 'left', $Lang::tr{'error messages'}); - print "<class name='base'>$errormessage\n"; - print " </class>\n"; - &Header::closebox(); - } + %cgiparams = (); + %cahash = (); + %confighash = (); + &General::readhash("${General::swroot}/vpn/settings", \%cgiparams); + &General::readhasharray("${General::swroot}/vpn/caconfig", \%cahash); + &General::readhasharray("${General::swroot}/vpn/config", \%confighash); + $cgiparams{'CA_NAME'} = ''; + + my @status = `/usr/local/bin/ipsecctrl I 2>/dev/null`; + + # suggest a default name for this side + if ($cgiparams{'VPN_IP'} eq '' && -e "${General::swroot}/red/active") { + if (open(IPADDR, "${General::swroot}/red/local-ipaddress")) { + my $ipaddr = <IPADDR>; + close IPADDR; + chomp ($ipaddr); + $cgiparams{'VPN_IP'} = (gethostbyaddr(pack("C4", split(/\./, $ipaddr)), 2))[0]; + if ($cgiparams{'VPN_IP'} eq '') { + $cgiparams{'VPN_IP'} = $ipaddr; + } + } + } + # no IP found, use %defaultroute + $cgiparams{'VPN_IP'} ='%defaultroute' if ($cgiparams{'VPN_IP'} eq ''); + + $cgiparams{'VPN_DELAYED_START'} = 0 if (! defined ($cgiparams{'VPN_DELAYED_START'})); + $checked{'ENABLED'} = $cgiparams{'ENABLED'} eq 'on' ? "checked='checked'" : ''; + + &Header::showhttpheaders(); + &Header::openpage($Lang::tr{'ipsec'}, 1, ''); + &Header::openbigbox('100%', 'left', '', $errormessage); + + if ($errormessage) { + &Header::openbox('100%', 'left', $Lang::tr{'error messages'}); + print "<class name='base'>$errormessage\n"; + print " </class>\n"; + &Header::closebox(); + } if ($warnmessage) { &Header::openbox('100%', 'left', $Lang::tr{'warning messages'}); @@ -2686,61 +2681,61 @@ EOF exit 0; } - &Header::openbox('100%', 'left', $Lang::tr{'global settings'}); - print <<END - <form method='post' action='$ENV{'SCRIPT_NAME'}'> - <table width='100%'> - <tr> + &Header::openbox('100%', 'left', $Lang::tr{'global settings'}); + print <<END + <form method='post' action='$ENV{'SCRIPT_NAME'}'> + <table width='100%'> + <tr> <td width='20%' class='base' nowrap='nowrap'>$Lang::tr{'vpn red name'}: <img src='/blob.gif' alt='*' /></td> <td width='20%'><input type='text' name='VPN_IP' value='$cgiparams{'VPN_IP'}' /></td> <td width='20%' class='base'>$Lang::tr{'enabled'}<input type='checkbox' name='ENABLED' $checked{'ENABLED'} /></td> - </tr> + </tr> END - ; +; print <<END - <tr> - <td class='base' nowrap='nowrap'>$Lang::tr{'vpn delayed start'}: <img src='/blob.gif' alt='*' /><img src='/blob.gif' alt='*' /></td> + <tr> + <td class='base' nowrap='nowrap'>$Lang::tr{'vpn delayed start'}: <img src='/blob.gif' alt='*' /><img src='/blob.gif' alt='*' /></td> <td ><input type='text' name='VPN_DELAYED_START' value='$cgiparams{'VPN_DELAYED_START'}' /></td> - </tr> - <tr> - <td class='base' nowrap='nowrap'>$Lang::tr{'host to net vpn'}:</td> + </tr> + <tr> + <td class='base' nowrap='nowrap'>$Lang::tr{'host to net vpn'}:</td> <td ><input type='text' name='RW_NET' value='$cgiparams{'RW_NET'}' /></td> - </tr> + </tr> </table> <br> <hr /> <table width='100%'> <tr> - <td class='base' valign='top'><img src='/blob.gif' alt='*' /></td> - <td width='70%' class='base' valign='top'>$Lang::tr{'required field'}</td><td width='30%' align='right' class='base'><input type='submit' name='ACTION' value='$Lang::tr{'save'}' /></td> + <td class='base' valign='top'><img src='/blob.gif' alt='*' /></td> + <td width='70%' class='base' valign='top'>$Lang::tr{'required field'}</td><td width='30%' align='right' class='base'><input type='submit' name='ACTION' value='$Lang::tr{'save'}' /></td> </tr> <tr> - <td class='base' valign='top' nowrap='nowrap'><img src='/blob.gif' alt='*' /><img src='/blob.gif' alt='*' /> </td> - <td class='base'> <font class='base'>$Lang::tr{'vpn delayed start help'}</font></td> - <td></td> + <td class='base' valign='top' nowrap='nowrap'><img src='/blob.gif' alt='*' /><img src='/blob.gif' alt='*' /> </td> + <td class='base'> <font class='base'>$Lang::tr{'vpn delayed start help'}</font></td> + <td></td> </tr> </table> END -; - print "</form>"; - &Header::closebox(); - - &Header::openbox('100%', 'left', $Lang::tr{'connection status and controlc'}); - print <<END - <table width='100%' cellspacing='1' cellpadding='0' class='tbl'> - <tr> +; + print "</form>"; + &Header::closebox(); + + &Header::openbox('100%', 'left', $Lang::tr{'connection status and controlc'}); + print <<END + <table width='100%' cellspacing='1' cellpadding='0' class='tbl'> + <tr> <th width='10%' class='boldbase' align='center'><b>$Lang::tr{'name'}</b></th> <th width='22%' class='boldbase' align='center'><b>$Lang::tr{'type'}</b></th> <th width='23%' class='boldbase' align='center'><b>$Lang::tr{'common name'}</b></th> <th width='30%' class='boldbase' align='center'><b>$Lang::tr{'remark'}</b></th> <th width='10%' class='boldbase' align='center'><b>$Lang::tr{'status'}</b></th> <th class='boldbase' align='center' colspan='6'><b>$Lang::tr{'action'}</b></th> - </tr> + </tr> END - ; - my $id = 0; - my $gif; - foreach my $key (sort { ncmp ($confighash{$a}[1],$confighash{$b}[1]) } keys %confighash) { +; + my $id = 0; + my $gif; + foreach my $key (sort { ncmp ($confighash{$a}[1],$confighash{$b}[1]) } keys %confighash) { if ($confighash{$key}[0] eq 'on') { $gif = 'on.gif'; } else { $gif = 'off.gif'; } if ($id % 2) { @@ -2753,302 +2748,304 @@ END print "<td align='center' nowrap='nowrap' $col>$confighash{$key}[1]</td>"; print "<td align='center' nowrap='nowrap' $col>" . $Lang::tr{"$confighash{$key}[3]"} . " (" . $Lang::tr{"$confighash{$key}[4]"} . ") $confighash{$key}[29]</td>"; if ($confighash{$key}[2] eq '%auth-dn') { - print "<td align='left' nowrap='nowrap' $col>$confighash{$key}[9]</td>"; + print "<td align='left' nowrap='nowrap' $col>$confighash{$key}[9]</td>"; } elsif ($confighash{$key}[4] eq 'cert') { - print "<td align='left' nowrap='nowrap' $col>$confighash{$key}[2]</td>"; + print "<td align='left' nowrap='nowrap' $col>$confighash{$key}[2]</td>"; } else { - print "<td align='left' $col> </td>"; + print "<td align='left' $col> </td>"; } print "<td align='center' $col>$confighash{$key}[25]</td>"; my $col1="bgcolor='${Header::colourred}'"; # get real state my $active = "<b><font color='#FFFFFF'>$Lang::tr{'capsclosed'}</font></b>"; foreach my $line (@status) { - if (($line =~ /\"$confighash{$key}[1]\".*IPsec SA established/) || - ($line =~ /$confighash{$key}[1]\{.*INSTALLED/)) - { - $col1="bgcolor='${Header::colourgreen}'"; - $active = "<b><font color='#FFFFFF'>$Lang::tr{'capsopen'}</font></b>"; - } - } - # move to blueif really down + if (($line =~ /\"$confighash{$key}[1]\".*IPsec SA established/) || + ($line =~ /$confighash{$key}[1]\{.*INSTALLED/)) { + $col1="bgcolor='${Header::colourgreen}'"; + $active = "<b><font color='#FFFFFF'>$Lang::tr{'capsopen'}</font></b>"; + } + } + # move to blue if really down if ($confighash{$key}[0] eq 'off' && $col1 =~ /${Header::colourred}/ ) { $col1="bgcolor='${Header::colourblue}'"; - $active = "<b><font color='#FFFFFF'>$Lang::tr{'capsclosed'}</font></b>"; + $active = "<b><font color='#FFFFFF'>$Lang::tr{'capsclosed'}</font></b>"; } print <<END <td align='center' $col1>$active</td> <td align='center' $col> - <form method='post' action='$ENV{'SCRIPT_NAME'}'> - <input type='image' name='$Lang::tr{'restart'}' src='/images/reload.gif' alt='$Lang::tr{'restart'}' title='$Lang::tr{'restart'}' /> - <input type='hidden' name='ACTION' value='$Lang::tr{'restart'}' /> - <input type='hidden' name='KEY' value='$key' /> - </form> + <form method='post' action='$ENV{'SCRIPT_NAME'}'> + <input type='image' name='$Lang::tr{'restart'}' src='/images/reload.gif' alt='$Lang::tr{'restart'}' title='$Lang::tr{'restart'}' /> + <input type='hidden' name='ACTION' value='$Lang::tr{'restart'}' /> + <input type='hidden' name='KEY' value='$key' /> + </form> </td> END - ; +; if (($confighash{$key}[4] eq 'cert') && ($confighash{$key}[2] ne '%auth-dn')) { - print <<END - <td align='center' $col> - <form method='post' action='$ENV{'SCRIPT_NAME'}'> + print <<END + <td align='center' $col> + <form method='post' action='$ENV{'SCRIPT_NAME'}'> <input type='image' name='$Lang::tr{'show certificate'}' src='/images/info.gif' alt='$Lang::tr{'show certificate'}' title='$Lang::tr{'show certificate'}' /> <input type='hidden' name='ACTION' value='$Lang::tr{'show certificate'}' /> <input type='hidden' name='KEY' value='$key' /> - </form> - </td> + </form> + </td> END - ; } else { - print "<td width='2%' $col> </td>"; +; + } else { + print "<td width='2%' $col> </td>"; } - if ($confighash{$key}[4] eq 'cert' && -f "${General::swroot}/certs/$confighash{$key}[1].p12") { - print <<END - <td align='center' $col> - <form method='post' action='$ENV{'SCRIPT_NAME'}'> + if ($confighash{$key}[4] eq 'cert' && -f "${General::swroot}/certs/$confighash{$key}[1].p12") { + print <<END + <td align='center' $col> + <form method='post' action='$ENV{'SCRIPT_NAME'}'> <input type='image' name='$Lang::tr{'download pkcs12 file'}' src='/images/floppy.gif' alt='$Lang::tr{'download pkcs12 file'}' title='$Lang::tr{'download pkcs12 file'}' /> <input type='hidden' name='ACTION' value='$Lang::tr{'download pkcs12 file'}' /> <input type='hidden' name='KEY' value='$key' /> - </form> + </form> </td> END - ; } elsif (($confighash{$key}[4] eq 'cert') && ($confighash{$key}[2] ne '%auth-dn')) { - print <<END - <td align='center' $col> - <form method='post' action='$ENV{'SCRIPT_NAME'}'> +; + } elsif (($confighash{$key}[4] eq 'cert') && ($confighash{$key}[2] ne '%auth-dn')) { + print <<END + <td align='center' $col> + <form method='post' action='$ENV{'SCRIPT_NAME'}'> <input type='image' name='$Lang::tr{'download certificate'}' src='/images/floppy.gif' alt='$Lang::tr{'download certificate'}' title='$Lang::tr{'download certificate'}' /> <input type='hidden' name='ACTION' value='$Lang::tr{'download certificate'}' /> <input type='hidden' name='KEY' value='$key' /> - </form> + </form> </td> END - ; } else { - print "<td width='2%' $col> </td>"; +; + } else { + print "<td width='2%' $col> </td>"; } print <<END <td align='center' $col> - <form method='post' action='$ENV{'SCRIPT_NAME'}'> - <input type='image' name='$Lang::tr{'toggle enable disable'}' src='/images/$gif' alt='$Lang::tr{'toggle enable disable'}' title='$Lang::tr{'toggle enable disable'}' /> - <input type='hidden' name='ACTION' value='$Lang::tr{'toggle enable disable'}' /> - <input type='hidden' name='KEY' value='$key' /> - </form> + <form method='post' action='$ENV{'SCRIPT_NAME'}'> + <input type='image' name='$Lang::tr{'toggle enable disable'}' src='/images/$gif' alt='$Lang::tr{'toggle enable disable'}' title='$Lang::tr{'toggle enable disable'}' /> + <input type='hidden' name='ACTION' value='$Lang::tr{'toggle enable disable'}' /> + <input type='hidden' name='KEY' value='$key' /> + </form> </td> <td align='center' $col> - <form method='post' action='$ENV{'SCRIPT_NAME'}'> - <input type='hidden' name='ACTION' value='$Lang::tr{'edit'}' /> - <input type='image' name='$Lang::tr{'edit'}' src='/images/edit.gif' alt='$Lang::tr{'edit'}' title='$Lang::tr{'edit'}' /> - <input type='hidden' name='KEY' value='$key' /> - </form> + <form method='post' action='$ENV{'SCRIPT_NAME'}'> + <input type='hidden' name='ACTION' value='$Lang::tr{'edit'}' /> + <input type='image' name='$Lang::tr{'edit'}' src='/images/edit.gif' alt='$Lang::tr{'edit'}' title='$Lang::tr{'edit'}' /> + <input type='hidden' name='KEY' value='$key' /> + </form> </td> <td align='center' $col> - <form method='post' action='$ENV{'SCRIPT_NAME'}'> - <input type='hidden' name='ACTION' value='$Lang::tr{'remove'}' /> - <input type='image' name='$Lang::tr{'remove'}' src='/images/delete.gif' alt='$Lang::tr{'remove'}' title='$Lang::tr{'remove'}' /> - <input type='hidden' name='KEY' value='$key' /> - </form> + <form method='post' action='$ENV{'SCRIPT_NAME'}'> + <input type='hidden' name='ACTION' value='$Lang::tr{'remove'}' /> + <input type='image' name='$Lang::tr{'remove'}' src='/images/delete.gif' alt='$Lang::tr{'remove'}' title='$Lang::tr{'remove'}' /> + <input type='hidden' name='KEY' value='$key' /> + </form> </td> </tr> END - ; +; $id++; - } - print "</table>"; - - # If the config file contains entries, print Key to action icons - if ( $id ) { - print <<END - <table> - <tr> - <td class='boldbase'> <b>$Lang::tr{'legend'}:</b></td> - <td> <img src='/images/on.gif' alt='$Lang::tr{'click to disable'}' /></td> - <td class='base'>$Lang::tr{'click to disable'}</td> - <td> <img src='/images/info.gif' alt='$Lang::tr{'show certificate'}' /></td> - <td class='base'>$Lang::tr{'show certificate'}</td> - <td> <img src='/images/edit.gif' alt='$Lang::tr{'edit'}' /></td> - <td class='base'>$Lang::tr{'edit'}</td> - <td> <img src='/images/delete.gif' alt='$Lang::tr{'remove'}' /></td> - <td class='base'>$Lang::tr{'remove'}</td> - </tr> - <tr> - <td> </td> - <td> <img src='/images/off.gif' alt='?OFF' /></td> - <td class='base'>$Lang::tr{'click to enable'}</td> - <td> <img src='/images/floppy.gif' alt='?FLOPPY' /></td> - <td class='base'>$Lang::tr{'download certificate'}</td> - <td> <img src='/images/reload.gif' alt='?RELOAD'/></td> - <td class='base'>$Lang::tr{'restart'}</td> - </tr> - </table> + } + print "</table>"; + + # If the config file contains entries, print Key to action icons + if ( $id ) { + print <<END + <table> + <tr> + <td class='boldbase'> <b>$Lang::tr{'legend'}:</b></td> + <td> <img src='/images/on.gif' alt='$Lang::tr{'click to disable'}' /></td> + <td class='base'>$Lang::tr{'click to disable'}</td> + <td> <img src='/images/info.gif' alt='$Lang::tr{'show certificate'}' /></td> + <td class='base'>$Lang::tr{'show certificate'}</td> + <td> <img src='/images/edit.gif' alt='$Lang::tr{'edit'}' /></td> + <td class='base'>$Lang::tr{'edit'}</td> + <td> <img src='/images/delete.gif' alt='$Lang::tr{'remove'}' /></td> + <td class='base'>$Lang::tr{'remove'}</td> + </tr> + <tr> + <td> </td> + <td> <img src='/images/off.gif' alt='?OFF' /></td> + <td class='base'>$Lang::tr{'click to enable'}</td> + <td> <img src='/images/floppy.gif' alt='?FLOPPY' /></td> + <td class='base'>$Lang::tr{'download certificate'}</td> + <td> <img src='/images/reload.gif' alt='?RELOAD'/></td> + <td class='base'>$Lang::tr{'restart'}</td> + </tr> + </table> END - ; - } +; + } - print <<END - <table width='100%'> - <tr><td align='right' colspan='9'> + print <<END + <table width='100%'> + <tr><td align='right' colspan='9'> <form method='post' action='$ENV{'SCRIPT_NAME'}'> <input type='submit' name='ACTION' value='$Lang::tr{'add'}' /> </form> - </td></tr> - </table> + </td></tr> + </table> END - ; - &Header::closebox(); +; + &Header::closebox(); - &Header::openbox('100%', 'left', "$Lang::tr{'certificate authorities'}"); - print <<EOF - <table width='100%' cellspacing='1' cellpadding='0' class='tbl'> - <tr> + &Header::openbox('100%', 'left', "$Lang::tr{'certificate authorities'}"); + print <<EOF + <table width='100%' cellspacing='1' cellpadding='0' class='tbl'> + <tr> <th width='25%' class='boldbase' align='center'><b>$Lang::tr{'name'}</b></th> <th width='65%' class='boldbase' align='center'><b>$Lang::tr{'subject'}</b></th> <th width='10%' class='boldbase' colspan='3' align='center'><b>$Lang::tr{'action'}</b></th> - </tr> + </tr> EOF - ; - my $col1="bgcolor='$color{'color22'}'"; +; + my $col1="bgcolor='$color{'color22'}'"; my $col2="bgcolor='$color{'color20'}'"; - if (-f "${General::swroot}/ca/cacert.pem") { - my $casubject = &Header::cleanhtml(getsubjectfromcert ("${General::swroot}/ca/cacert.pem")); - print <<END - <tr> - <td class='base' $col1>$Lang::tr{'root certificate'}</td> - <td class='base' $col1>$casubject</td> - <td width='3%' align='center' $col1> - <form method='post' action='$ENV{'SCRIPT_NAME'}'> - <input type='hidden' name='ACTION' value='$Lang::tr{'show root certificate'}' /> - <input type='image' name='$Lang::tr{'edit'}' src='/images/info.gif' alt='$Lang::tr{'show root certificate'}' title='$Lang::tr{'show root certificate'}' /> - </form> - </td> - <td width='3%' align='center' $col1> - <form method='post' action='$ENV{'SCRIPT_NAME'}'> - <input type='image' name='$Lang::tr{'download root certificate'}' src='/images/floppy.gif' alt='$Lang::tr{'download root certificate'}' title='$Lang::tr{'download root certificate'}' /> - <input type='hidden' name='ACTION' value='$Lang::tr{'download root certificate'}' /> - </form> - </td> - <td width='4%' $col1> </td></tr> + if (-f "${General::swroot}/ca/cacert.pem") { + my $casubject = &Header::cleanhtml(getsubjectfromcert ("${General::swroot}/ca/cacert.pem")); + print <<END + <tr> + <td class='base' $col1>$Lang::tr{'root certificate'}</td> + <td class='base' $col1>$casubject</td> + <td width='3%' align='center' $col1> + <form method='post' action='$ENV{'SCRIPT_NAME'}'> + <input type='hidden' name='ACTION' value='$Lang::tr{'show root certificate'}' /> + <input type='image' name='$Lang::tr{'edit'}' src='/images/info.gif' alt='$Lang::tr{'show root certificate'}' title='$Lang::tr{'show root certificate'}' /> + </form> + </td> + <td width='3%' align='center' $col1> + <form method='post' action='$ENV{'SCRIPT_NAME'}'> + <input type='image' name='$Lang::tr{'download root certificate'}' src='/images/floppy.gif' alt='$Lang::tr{'download root certificate'}' title='$Lang::tr{'download root certificate'}' /> + <input type='hidden' name='ACTION' value='$Lang::tr{'download root certificate'}' /> + </form> + </td> + <td width='4%' $col1> </td></tr> END - ; - } else { - # display rootcert generation buttons - print <<END - <tr> - <td class='base' $col1>$Lang::tr{'root certificate'}:</td> - <td class='base' $col1>$Lang::tr{'not present'}</td> - <td colspan='3' $col1> </td></tr> +; + } else { + # display rootcert generation buttons + print <<END + <tr> + <td class='base' $col1>$Lang::tr{'root certificate'}:</td> + <td class='base' $col1>$Lang::tr{'not present'}</td> + <td colspan='3' $col1> </td></tr> END - ; - } +; + } - if (-f "${General::swroot}/certs/hostcert.pem") { - my $hostsubject = &Header::cleanhtml(getsubjectfromcert ("${General::swroot}/certs/hostcert.pem")); + if (-f "${General::swroot}/certs/hostcert.pem") { + my $hostsubject = &Header::cleanhtml(getsubjectfromcert ("${General::swroot}/certs/hostcert.pem")); - print <<END - <tr> - <td class='base' $col2>$Lang::tr{'host certificate'}</td> - <td class='base' $col2>$hostsubject</td> - <td width='3%' align='center' $col2> - <form method='post' action='$ENV{'SCRIPT_NAME'}'> - <input type='hidden' name='ACTION' value='$Lang::tr{'show host certificate'}' /> - <input type='image' name='$Lang::tr{'show host certificate'}' src='/images/info.gif' alt='$Lang::tr{'show host certificate'}' title='$Lang::tr{'show host certificate'}' /> - </form> - </td> - <td width='3%' align='center' $col2> - <form method='post' action='$ENV{'SCRIPT_NAME'}'> - <input type='image' name="$Lang::tr{'download host certificate'}" src='/images/floppy.gif' alt="$Lang::tr{'download host certificate'}" title="$Lang::tr{'download host certificate'}" /> - <input type='hidden' name='ACTION' value="$Lang::tr{'download host certificate'}" /> - </form> - </td> - <td width='4%' $col2> </td></tr> + print <<END + <tr> + <td class='base' $col2>$Lang::tr{'host certificate'}</td> + <td class='base' $col2>$hostsubject</td> + <td width='3%' align='center' $col2> + <form method='post' action='$ENV{'SCRIPT_NAME'}'> + <input type='hidden' name='ACTION' value='$Lang::tr{'show host certificate'}' /> + <input type='image' name='$Lang::tr{'show host certificate'}' src='/images/info.gif' alt='$Lang::tr{'show host certificate'}' title='$Lang::tr{'show host certificate'}' /> + </form> + </td> + <td width='3%' align='center' $col2> + <form method='post' action='$ENV{'SCRIPT_NAME'}'> + <input type='image' name="$Lang::tr{'download host certificate'}" src='/images/floppy.gif' alt="$Lang::tr{'download host certificate'}" title="$Lang::tr{'download host certificate'}" /> + <input type='hidden' name='ACTION' value="$Lang::tr{'download host certificate'}" /> + </form> + </td> + <td width='4%' $col2> </td></tr> END - ; - } else { - # Nothing - print <<END - <tr> - <td width='25%' class='base' $col2>$Lang::tr{'host certificate'}:</td> - <td class='base' $col2>$Lang::tr{'not present'}</td> - <td colspan='3' $col2> </td></tr> +; + } else { + # Nothing + print <<END + <tr> + <td width='25%' class='base' $col2>$Lang::tr{'host certificate'}:</td> + <td class='base' $col2>$Lang::tr{'not present'}</td> + <td colspan='3' $col2> </td></tr> END - ; - } - +; + } + my $rowcolor = 0; if (keys %cahash > 0) { foreach my $key (keys %cahash) { - if ($rowcolor++ % 2) { - print "<tr>"; - $col="bgcolor='$color{'color20'}'"; - } else { - print "<tr>"; - $col="bgcolor='$color{'color22'}'"; - } - print "<td class='base' $col>$cahash{$key}[0]</td>\n"; - print "<td class='base' $col>$cahash{$key}[1]</td>\n"; - print <<END - <td align='center' $col> - <form method='post' name='cafrm${key}a' action='$ENV{'SCRIPT_NAME'}'> - <input type='image' name='$Lang::tr{'show ca certificate'}' src='/images/info.gif' alt='$Lang::tr{'show ca certificate'}' title='$Lang::tr{'show ca certificate'}' /> - <input type='hidden' name='ACTION' value='$Lang::tr{'show ca certificate'}' /> - <input type='hidden' name='KEY' value='$key' /> - </form> - </td> - <td align='center' $col> - <form method='post' name='cafrm${key}b' action='$ENV{'SCRIPT_NAME'}'> - <input type='image' name='$Lang::tr{'download ca certificate'}' src='/images/floppy.gif' alt='$Lang::tr{'download ca certificate'}' title='$Lang::tr{'download ca certificate'}' /> - <input type='hidden' name='ACTION' value='$Lang::tr{'download ca certificate'}' /> - <input type='hidden' name='KEY' value='$key' /> - </form> - </td> - <td align='center' $col> - <form method='post' name='cafrm${key}c' action='$ENV{'SCRIPT_NAME'}'> - <input type='hidden' name='ACTION' value='$Lang::tr{'remove ca certificate'}' /> - <input type='image' name='$Lang::tr{'remove ca certificate'}' src='/images/delete.gif' alt='$Lang::tr{'remove ca certificate'}' title='$Lang::tr{'remove ca certificate'}' /> - <input type='hidden' name='KEY' value='$key' /> - </form> - </td> - </tr> + if ($rowcolor++ % 2) { + print "<tr>"; + $col="bgcolor='$color{'color20'}'"; + } else { + print "<tr>"; + $col="bgcolor='$color{'color22'}'"; + } + print "<td class='base' $col>$cahash{$key}[0]</td>\n"; + print "<td class='base' $col>$cahash{$key}[1]</td>\n"; + print <<END + <td align='center' $col> + <form method='post' name='cafrm${key}a' action='$ENV{'SCRIPT_NAME'}'> + <input type='image' name='$Lang::tr{'show ca certificate'}' src='/images/info.gif' alt='$Lang::tr{'show ca certificate'}' title='$Lang::tr{'show ca certificate'}' /> + <input type='hidden' name='ACTION' value='$Lang::tr{'show ca certificate'}' /> + <input type='hidden' name='KEY' value='$key' /> + </form> + </td> + <td align='center' $col> + <form method='post' name='cafrm${key}b' action='$ENV{'SCRIPT_NAME'}'> + <input type='image' name='$Lang::tr{'download ca certificate'}' src='/images/floppy.gif' alt='$Lang::tr{'download ca certificate'}' title='$Lang::tr{'download ca certificate'}' /> + <input type='hidden' name='ACTION' value='$Lang::tr{'download ca certificate'}' /> + <input type='hidden' name='KEY' value='$key' /> + </form> + </td> + <td align='center' $col> + <form method='post' name='cafrm${key}c' action='$ENV{'SCRIPT_NAME'}'> + <input type='hidden' name='ACTION' value='$Lang::tr{'remove ca certificate'}' /> + <input type='image' name='$Lang::tr{'remove ca certificate'}' src='/images/delete.gif' alt='$Lang::tr{'remove ca certificate'}' title='$Lang::tr{'remove ca certificate'}' /> + <input type='hidden' name='KEY' value='$key' /> + </form> + </td> + </tr> +END +; + } + } + print "</table>"; + + # If the file contains entries, print Key to action icons + if ( -f "${General::swroot}/ca/cacert.pem") { + print <<END + <table><tr> + <td class='boldbase'> <b>$Lang::tr{'legend'}:</b></td> + <td> <img src='/images/info.gif' alt='$Lang::tr{'show certificate'}' /></td> + <td class='base'>$Lang::tr{'show certificate'}</td> + <td> <img src='/images/floppy.gif' alt='$Lang::tr{'download certificate'}' /></td> + <td class='base'>$Lang::tr{'download certificate'}</td> + </tr></table> END - ; +; } - } - print "</table>"; - - # If the file contains entries, print Key to action icons - if ( -f "${General::swroot}/ca/cacert.pem") { + my $createCA = -f "${General::swroot}/ca/cacert.pem" ? '' : "<tr><td colspan='3'></td><td><input type='submit' name='ACTION' value='$Lang::tr{'generate root/host certificates'}' /></td></tr>"; print <<END - <table><tr> - <td class='boldbase'> <b>$Lang::tr{'legend'}:</b></td> - <td> <img src='/images/info.gif' alt='$Lang::tr{'show certificate'}' /></td> - <td class='base'>$Lang::tr{'show certificate'}</td> - <td> <img src='/images/floppy.gif' alt='$Lang::tr{'download certificate'}' /></td> - <td class='base'>$Lang::tr{'download certificate'}</td> - </tr></table> -END - ; - } - my $createCA = -f "${General::swroot}/ca/cacert.pem" ? '' : "<tr><td colspan='3'></td><td><input type='submit' name='ACTION' value='$Lang::tr{'generate root/host certificates'}' /></td></tr>"; - print <<END - <br> - <hr /> - <form method='post' enctype='multipart/form-data' action='$ENV{'SCRIPT_NAME'}'> - <table width='100%' border='0' cellspacing='1' cellpadding='0'> - $createCA - <tr> + <br> + <hr /> + <form method='post' enctype='multipart/form-data' action='$ENV{'SCRIPT_NAME'}'> + <table width='100%' border='0' cellspacing='1' cellpadding='0'> + $createCA + <tr> <td class='base' nowrap='nowrap'>$Lang::tr{'ca name'}: <img src='/blob.gif' alt='*' /></td> <td nowrap='nowrap'><input type='text' name='CA_NAME' value='$cgiparams{'CA_NAME'}' size='15' /> </td> <td nowrap='nowrap'><input type='file' name='FH' size='30' /></td> <td nowrap='nowrap'><input type='submit' name='ACTION' value='$Lang::tr{'upload ca certificate'}' /></td> - </tr> - <tr> + </tr> + <tr> <td colspan='3'>$Lang::tr{'resetting the vpn configuration will remove the root ca, the host certificate and all certificate based connections'}:</td> <td align='right'><input type='submit' name='ACTION' value='$Lang::tr{'remove x509'}' /></td> - </tr> - </table> - </form> + </tr> + </table> + </form> END - ; - &Header::closebox(); - &Header::closebigbox(); - &Header::closepage(); +; + &Header::closebox(); + &Header::closebigbox(); + &Header::closepage(); sub array_unique($) { my $array = shift; ^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [PATCH] vpnmain.cgi - Replace spaces with tab characters and fix indentation 2015-09-25 21:01 [PATCH] vpnmain.cgi - Replace spaces with tab characters and fix indentation Lars Schuhmacher @ 2015-09-25 22:11 ` Michael Tremer 2015-09-26 6:04 ` Larsen 0 siblings, 1 reply; 4+ messages in thread From: Michael Tremer @ 2015-09-25 22:11 UTC (permalink / raw) To: development [-- Attachment #1: Type: text/plain, Size: 208330 bytes --] Hi, I am not really sure if this is a patch that I want to merge. It certainly fixes the bad coding regarding the indentation, but it will also make it difficult to find out what changed in what commit since there will only be this massive patch in the history. If we want to know when a certain line in the code was added, we won't find this so easily any more. I will have to discuss this with Arne. Best, -Michael On Fri, 2015-09-25 at 23:01 +0200, Lars Schuhmacher wrote: > Replaced spaces with tab characters. Fixed indentation. > > This is based on http://patchwork.ipfire.org/patch/88/ so that patch > must be applied before. > > Signed-off-by: Lars Schuhmacher <larsen007(a)web.de> > --- > html/cgi-bin/vpnmain.cgi | 4313 +++++++++++++++++++++++------------- > ---------- > 1 file changed, 2155 insertions(+), 2158 deletions(-) > > diff --git a/html/cgi-bin/vpnmain.cgi b/html/cgi-bin/vpnmain.cgi > index 5658dac..e717862 100644 > --- a/html/cgi-bin/vpnmain.cgi > +++ b/html/cgi-bin/vpnmain.cgi > @@ -40,8 +40,7 @@ undef (@dummy); > ### > ### Initialize variables > ### > -my $sleepDelay = 4; # after a call to ipsecctrl S or R, wait > this delay (seconds) before reading status > - # (let the ipsec do its job) > +my $sleepDelay = 4; # after a call to ipsecctrl S or R, wait this > delay (seconds) before reading status (let the ipsec do its job) > my %netsettings=(); > our %cgiparams=(); > our %vpnsettings=(); > @@ -132,103 +131,101 @@ sub valid_dns_host { > ### Just return true is one interface is vpn enabled > ### > sub vpnenabled { > - return ($vpnsettings{'ENABLED'} eq 'on'); > + return ($vpnsettings{'ENABLED'} eq 'on'); > } > ### > -### old version: maintain serial number to one, without explication. > -### this : let the counter go, so that each cert is > numbered. > +### old version: maintain serial number to one, without explication. > +### this: let the counter go, so that each cert is numbered. > ### > -sub cleanssldatabase > -{ > - if (open(FILE, ">${General::swroot}/certs/serial")) { > - print FILE "01"; > - close FILE; > - } > - if (open(FILE, ">${General::swroot}/certs/index.txt")) { > - print FILE ""; > - close FILE; > - } > - unlink ("${General::swroot}/certs/index.txt.old"); > - unlink ("${General::swroot}/certs/serial.old"); > - unlink ("${General::swroot}/certs/01.pem"); > +sub cleanssldatabase { > + if (open(FILE, ">${General::swroot}/certs/serial")) { > + print FILE "01"; > + close FILE; > + } > + if (open(FILE, ">${General::swroot}/certs/index.txt")) { > + print FILE ""; > + close FILE; > + } > + unlink ("${General::swroot}/certs/index.txt.old"); > + unlink ("${General::swroot}/certs/serial.old"); > + unlink ("${General::swroot}/certs/01.pem"); > } > -sub newcleanssldatabase > -{ > - if (! -s "${General::swroot}/certs/serial" ) { > - open(FILE, ">${General::swroot}/certs/serial"); > - print FILE "01"; > - close FILE; > - } > - if (! -s ">${General::swroot}/certs/index.txt") { > - system ("touch ${General::swroot}/certs/index.txt"); > - } > - unlink ("${General::swroot}/certs/index.txt.old"); > - unlink ("${General::swroot}/certs/serial.old"); > -# unlink ("${General::swroot}/certs/01.pem"); numbe > ring evolves. Wrong place to delete > +sub newcleanssldatabase { > + if (! -s "${General::swroot}/certs/serial" ) { > + open(FILE, ">${General::swroot}/certs/serial"); > + print FILE "01"; > + close FILE; > + } > + if (! -s ">${General::swroot}/certs/index.txt") { > + system ("touch ${General::swroot}/certs/index.txt"); > + } > + unlink ("${General::swroot}/certs/index.txt.old"); > + unlink ("${General::swroot}/certs/serial.old"); > +# unlink ("${General::swroot}/certs/01.pem"); > numbering evolves. Wrong place to delete > } > > ### > ### Call openssl and return errormessage if any > ### > sub callssl ($) { > - my $opt = shift; > - my $retssl = `/usr/bin/openssl $opt 2>&1`; #redirect > stderr > - my $ret = ''; > - foreach my $line (split (/\n/, $retssl)) { > - &General::log("ipsec", "$line") if (0); # 1 > for verbose logging > - $ret .= '<br>'.$line if ( $line =~ /error|unknown/ ); > - } > - if ($ret) { > - $ret= &Header::cleanhtml($ret); > - } > - return $ret ? "$Lang::tr{'openssl produced an error'}: $ret" : > '' ; > + my $opt = shift; > + my $retssl = `/usr/bin/openssl $opt 2>&1`; #redirect stderr > + my $ret = ''; > + foreach my $line (split (/\n/, $retssl)) { > + &General::log("ipsec", "$line") if (0); # 1 for > verbose logging > + $ret .= '<br>'.$line if ( $line =~ /error|unknown/ > ); > + } > + if ($ret) { > + $ret= &Header::cleanhtml($ret); > + } > + return $ret ? "$Lang::tr{'openssl produced an error'}: $ret" > : '' ; > } > ### > ### Obtain a CN from given cert > ### > sub getCNfromcert ($) { > - #&General::log("ipsec", "Extracting name from $_[0]..."); > - my $temp = `/usr/bin/openssl x509 -text -in $_[0]`; > - $temp =~ /Subject:.*CN=(.*)[\n]/; > - $temp = $1; > - $temp =~ s+/Email+, E+; > - $temp =~ s/ ST=/ S=/; > - $temp =~ s/,//g; > - $temp =~ s/\'//g; > - return $temp; > + #&General::log("ipsec", "Extracting name from $_[0]..."); > + my $temp = `/usr/bin/openssl x509 -text -in $_[0]`; > + $temp =~ /Subject:.*CN=(.*)[\n]/; > + $temp = $1; > + $temp =~ s+/Email+, E+; > + $temp =~ s/ ST=/ S=/; > + $temp =~ s/,//g; > + $temp =~ s/\'//g; > + return $temp; > } > ### > ### Obtain Subject from given cert > ### > sub getsubjectfromcert ($) { > - #&General::log("ipsec", "Extracting subject from $_[0]..."); > - my $temp = `/usr/bin/openssl x509 -text -in $_[0]`; > - $temp =~ /Subject: (.*)[\n]/; > - $temp = $1; > - $temp =~ s+/Email+, E+; > - $temp =~ s/ ST=/ S=/; > - return $temp; > + #&General::log("ipsec", "Extracting subject from $_[0]..."); > + my $temp = `/usr/bin/openssl x509 -text -in $_[0]`; > + $temp =~ /Subject: (.*)[\n]/; > + $temp = $1; > + $temp =~ s+/Email+, E+; > + $temp =~ s/ ST=/ S=/; > + return $temp; > } > ### > -### Combine local subnet and connection name to make a unique name > for each connection section > +### Combine local subnet and connection name to make a unique name > for each connection section > ### (this sub is not used now) > ### > sub makeconnname ($) { > - my $conn = shift; > - my $subnet = shift; > - > - $subnet =~ /^(.*?)\/(.*?)$/; # $1=IP $2=mask > - my $ip = unpack('N', &Socket::inet_aton($1)); > - if (length ($2) > 2) { > - my $mm = unpack('N', &Socket::inet_aton($2)); > - while ( ($mm & 1)==0 ) { > - $ip >>= 1; > - $mm >>= 1; > - }; > - } else { > - $ip >>= (32 - $2); > - } > - return sprintf ("%s-%X", $conn, $ip); > + my $conn = shift; > + my $subnet = shift; > + > + $subnet =~ /^(.*?)\/(.*?)$/; # $1=IP $2=mask > + my $ip = unpack('N', &Socket::inet_aton($1)); > + if (length ($2) > 2) { > + my $mm = unpack('N', &Socket::inet_aton($2)); > + while ( ($mm & 1)==0 ) { > + $ip >>= 1; > + $mm >>= 1; > + }; > + } else { > + $ip >>= (32 - $2); > + } > + return sprintf ("%s-%X", $conn, $ip); > } > ### > ### Write a config file. > @@ -238,197 +235,198 @@ sub makeconnname ($) { > ### > > sub writeipsecfiles { > - my %lconfighash = (); > - my %lvpnsettings = (); > - &General::readhasharray("${General::swroot}/vpn/config", > \%lconfighash); > - &General::readhash("${General::swroot}/vpn/settings", > \%lvpnsettings); > - > - open(CONF, ">${General::swroot}/vpn/ipsec.conf") or die > "Unable to open ${General::swroot}/vpn/ipsec.conf: $!"; > - open(SECRETS, ">${General::swroot}/vpn/ipsec.secrets") or die > "Unable to open ${General::swroot}/vpn/ipsec.secrets: $!"; > - flock CONF, 2; > - flock SECRETS, 2; > - print CONF "version 2\n\n"; > - print CONF "conn %default\n"; > - print CONF "\tkeyingtries=%forever\n"; > - print CONF "\n"; > - > - # Add user includes to config file > - if (-e "/etc/ipsec.user.conf") { > - print CONF "include /etc/ipsec.user.conf\n"; > - print CONF "\n"; > - } > - > - print SECRETS "include /etc/ipsec.user.secrets\n"; > - > - if (-f "${General::swroot}/certs/hostkey.pem") { > - print SECRETS ": RSA ${General::swroot}/certs/hostkey.pem\n" > - } > - my $last_secrets = ''; # old the less specifics connections > - > - foreach my $key (keys %lconfighash) { > - next if ($lconfighash{$key}[0] ne 'on'); > - > - #remote peer is not set? => use '%any' > - $lconfighash{$key}[10] = '%any' if ($lconfighash{$key}[10] > eq ''); > - > - my $localside; > - if ($lconfighash{$key}[26] eq 'BLUE') { > - $localside = $netsettings{'BLUE_ADDRESS'}; > - } elsif ($lconfighash{$key}[26] eq 'GREEN') { > - $localside = $netsettings{'GREEN_ADDRESS'}; > - } elsif ($lconfighash{$key}[26] eq 'ORANGE') { > - $localside = $netsettings{'ORANGE_ADDRESS'}; > - } else { # it is RED > - $localside = $lvpnsettings{'VPN_IP'}; > - } > - > - print CONF "conn $lconfighash{$key}[1]\n"; > - print CONF "\tleft=$localside\n"; > - my $cidr_net=&General::ipcidr($lconfighash{$key}[8]); > - print CONF "\tleftsubnet=$cidr_net\n"; > - print CONF "\tleftfirewall=yes\n"; > - print CONF "\tlefthostaccess=yes\n"; > - > - print CONF "\tright=$lconfighash{$key}[10]\n"; > - if ($lconfighash{$key}[3] eq 'net') { > - my $cidr_net=&General::ipcidr($lconfighash{$key}[11]); > - print CONF "\trightsubnet=$cidr_net\n"; > - } > - > - # Local Cert and Remote Cert (unless auth is DN dn-auth) > - if ($lconfighash{$key}[4] eq 'cert') { > - print CONF > "\tleftcert=${General::swroot}/certs/hostcert.pem\n"; > - print CONF > "\trightcert=${General::swroot}/certs/$lconfighash{$key}[1]cert.pem\n > " if ($lconfighash{$key}[2] ne '%auth-dn'); > - } > - > - # Local and Remote IDs > - print CONF "\tleftid=\"$lconfighash{$key}[7]\"\n" if > ($lconfighash{$key}[7]); > - print CONF "\trightid=\"$lconfighash{$key}[9]\"\n" if > ($lconfighash{$key}[9]); > - > - # Is PFS enabled? > - my $pfs = $lconfighash{$key}[28] eq 'on' ? 'on' : 'off'; > - > - # Algorithms > - if ($lconfighash{$key}[18] && $lconfighash{$key}[19] && > $lconfighash{$key}[20]) { > - my @encs = split('\|', $lconfighash{$key}[18]); > - my @ints = split('\|', $lconfighash{$key}[19]); > - my @groups = split('\|', $lconfighash{$key}[20]); > - > - my @algos = &make_algos("ike", \@encs, \@ints, > \@groups, 1); > - print CONF "\tike=" . join(",", @algos); > - > - if ($lconfighash{$key}[24] eq 'on') { #only > proposed algorythms? > - print CONF "!\n"; > - } else { > - print CONF "\n"; > - } > + my %lconfighash = (); > + my %lvpnsettings = (); > + &General::readhasharray("${General::swroot}/vpn/config", > \%lconfighash); > + &General::readhash("${General::swroot}/vpn/settings", > \%lvpnsettings); > + > + open(CONF, ">${General::swroot}/vpn/ipsec.conf") or die > "Unable to open ${General::swroot}/vpn/ipsec.conf: $!"; > + open(SECRETS, ">${General::swroot}/vpn/ipsec.secrets") or > die "Unable to open ${General::swroot}/vpn/ipsec.secrets: $!"; > + flock CONF, 2; > + flock SECRETS, 2; > + print CONF "version 2\n\n"; > + print CONF "conn %default\n"; > + print CONF "\tkeyingtries=%forever\n"; > + print CONF "\n"; > + > + # Add user includes to config file > + if (-e "/etc/ipsec.user.conf") { > + print CONF "include /etc/ipsec.user.conf\n"; > + print CONF "\n"; > } > > - if ($lconfighash{$key}[21] && $lconfighash{$key}[22]) { > - my @encs = split('\|', $lconfighash{$key}[21]); > - my @ints = split('\|', $lconfighash{$key}[22]); > - my @groups = split('\|', $lconfighash{$key}[23]); > + print SECRETS "include /etc/ipsec.user.secrets\n"; > > - # Use IKE grouptype if no ESP group type has been > selected > - # (for backwards compatibility) > - if ($lconfighash{$key}[23] eq "") { > - @groups = split('\|', > $lconfighash{$key}[20]); > + if (-f "${General::swroot}/certs/hostkey.pem") { > + print SECRETS ": RSA > ${General::swroot}/certs/hostkey.pem\n" > + } > + my $last_secrets = ''; # old the less specifics connections > + > + foreach my $key (keys %lconfighash) { > + next if ($lconfighash{$key}[0] ne 'on'); > + > + #remote peer is not set? => use '%any' > + $lconfighash{$key}[10] = '%any' if > ($lconfighash{$key}[10] eq ''); > + > + my $localside; > + if ($lconfighash{$key}[26] eq 'BLUE') { > + $localside = $netsettings{'BLUE_ADDRESS'}; > + } elsif ($lconfighash{$key}[26] eq 'GREEN') { > + $localside = $netsettings{'GREEN_ADDRESS'}; > + } elsif ($lconfighash{$key}[26] eq 'ORANGE') { > + $localside = $netsettings{'ORANGE_ADDRESS'}; > + } else { # it is RED > + $localside = $lvpnsettings{'VPN_IP'}; > } > > - my @algos = &make_algos("esp", \@encs, \@ints, > \@groups, ($pfs eq "on")); > - print CONF "\tesp=" . join(",", @algos); > + print CONF "conn $lconfighash{$key}[1]\n"; > + print CONF "\tleft=$localside\n"; > + my > $cidr_net=&General::ipcidr($lconfighash{$key}[8]); > + print CONF "\tleftsubnet=$cidr_net\n"; > + print CONF "\tleftfirewall=yes\n"; > + print CONF "\tlefthostaccess=yes\n"; > + print CONF "\tright=$lconfighash{$key}[10]\n"; > + > + if ($lconfighash{$key}[3] eq 'net') { > + my > $cidr_net=&General::ipcidr($lconfighash{$key}[11]); > + print CONF "\trightsubnet=$cidr_net\n"; > + } > > - if ($lconfighash{$key}[24] eq 'on') { #only > proposed algorythms? > - print CONF "!\n"; > - } else { > - print CONF "\n"; > + # Local Cert and Remote Cert (unless auth is DN dn > -auth) > + if ($lconfighash{$key}[4] eq 'cert') { > + print CONF > "\tleftcert=${General::swroot}/certs/hostcert.pem\n"; > + print CONF > "\trightcert=${General::swroot}/certs/$lconfighash{$key}[1]cert.pem\n > " if ($lconfighash{$key}[2] ne '%auth-dn'); > } > - } > > - # IKE V1 or V2 > - if (! $lconfighash{$key}[29]) { > - $lconfighash{$key}[29] = "ikev1"; > - } > - print CONF "\tkeyexchange=$lconfighash{$key}[29]\n"; > + # Local and Remote IDs > + print CONF "\tleftid=\"$lconfighash{$key}[7]\"\n" if > ($lconfighash{$key}[7]); > + print CONF "\trightid=\"$lconfighash{$key}[9]\"\n" > if ($lconfighash{$key}[9]); > > - # Lifetimes > - print CONF "\tikelifetime=$lconfighash{$key}[16]h\n" if > ($lconfighash{$key}[16]); > - print CONF "\tkeylife=$lconfighash{$key}[17]h\n" if > ($lconfighash{$key}[17]); > + # Is PFS enabled? > + my $pfs = $lconfighash{$key}[28] eq 'on' ? 'on' : > 'off'; > > - # Compression > - print CONF "\tcompress=yes\n" if ($lconfighash{$key}[13] eq > 'on'); > + # Algorithms > + if ($lconfighash{$key}[18] && $lconfighash{$key}[19] > && $lconfighash{$key}[20]) { > + my @encs = split('\|', > $lconfighash{$key}[18]); > + my @ints = split('\|', > $lconfighash{$key}[19]); > + my @groups = split('\|', > $lconfighash{$key}[20]); > > - # Force MOBIKE? > - if (($lconfighash{$key}[29] eq "ikev2") && > ($lconfighash{$key}[32] eq 'on')) { > - print CONF "\tmobike=yes\n"; > - } > + my @algos = &make_algos("ike", \@encs, > \@ints, \@groups, 1); > + print CONF "\tike=" . join(",", @algos); > + > + if ($lconfighash{$key}[24] eq 'on') { #only > proposed algorythms? > + print CONF "!\n"; > + } else { > + print CONF "\n"; > + } > + } > + > + if ($lconfighash{$key}[21] && > $lconfighash{$key}[22]) { > + my @encs = split('\|', > $lconfighash{$key}[21]); > + my @ints = split('\|', > $lconfighash{$key}[22]); > + my @groups = split('\|', > $lconfighash{$key}[23]); > + > + # Use IKE grouptype if no ESP group type has > been selected > + # (for backwards compatibility) > + if ($lconfighash{$key}[23] eq "") { > + @groups = split('\|', > $lconfighash{$key}[20]); > + } > > - # Dead Peer Detection > - my $dpdaction = $lconfighash{$key}[27]; > - print CONF "\tdpdaction=$dpdaction\n"; > + my @algos = &make_algos("esp", \@encs, > \@ints, \@groups, ($pfs eq "on")); > + print CONF "\tesp=" . join(",", @algos); > > - # If the dead peer detection is disabled and IKEv2 is used, > - # dpddelay must be set to zero, too. > - if ($dpdaction eq "none") { > - if ($lconfighash{$key}[29] eq "ikev2") { > - print CONF "\tdpddelay=0\n"; > + if ($lconfighash{$key}[24] eq 'on') { #only > proposed algorythms? > + print CONF "!\n"; > + } else { > + print CONF "\n"; > + } > } > - } else { > - my $dpddelay = $lconfighash{$key}[31]; > - if (!$dpddelay) { > - $dpddelay = 30; > - } > - print CONF "\tdpddelay=$dpddelay\n"; > - my $dpdtimeout = $lconfighash{$key}[30]; > - if (!$dpdtimeout) { > - $dpdtimeout = 120; > - } > - print CONF "\tdpdtimeout=$dpdtimeout\n"; > - } > - > - # Build Authentication details: LEFTid RIGHTid : PSK psk > - my $psk_line; > - if ($lconfighash{$key}[4] eq 'psk') { > - $psk_line = ($lconfighash{$key}[7] ? > $lconfighash{$key}[7] : $localside) . " " ; > - $psk_line .= $lconfighash{$key}[9] ? > $lconfighash{$key}[9] : $lconfighash{$key}[10]; #remoteid or remote > address? > - $psk_line .= " : PSK '$lconfighash{$key}[5]'\n"; > - # if the line contains %any, it is less specific than > two IP or ID, so move it at end of file. > - if ($psk_line =~ /%any/) { > - $last_secrets .= $psk_line; > - } else { > - print SECRETS $psk_line; > - } > - print CONF "\tauthby=secret\n"; > - } else { > - print CONF "\tauthby=rsasig\n"; > - print CONF "\tleftrsasigkey=%cert\n"; > - print CONF "\trightrsasigkey=%cert\n"; > - } > > - # Automatically start only if a net-to-net connection > - if ($lconfighash{$key}[3] eq 'host') { > - print CONF "\tauto=add\n"; > - print CONF "\trightsourceip=$lvpnsettings{'RW_NET'}\n"; > - } else { > - print CONF "\tauto=start\n"; > - } > + # IKE V1 or V2 > + if (! $lconfighash{$key}[29]) { > + $lconfighash{$key}[29] = "ikev1"; > + } > > - # Fragmentation > - print CONF "\tfragmentation=yes\n"; > + print CONF "\tkeyexchange=$lconfighash{$key}[29]\n"; > > - print CONF "\n"; > - }#foreach key > - > - # Add post user includes to config file > - # After the GUI-connections allows to patch connections. > - if (-e "/etc/ipsec.user-post.conf") { > - print CONF "include /etc/ipsec.user-post.conf\n"; > - print CONF "\n"; > - } > - > - print SECRETS $last_secrets if ($last_secrets); > - close(CONF); > - close(SECRETS); > + # Lifetimes > + print CONF "\tikelifetime=$lconfighash{$key}[16]h\n" > if ($lconfighash{$key}[16]); > + print CONF "\tkeylife=$lconfighash{$key}[17]h\n" if > ($lconfighash{$key}[17]); > + > + # Compression > + print CONF "\tcompress=yes\n" if > ($lconfighash{$key}[13] eq 'on'); > + > + # Force MOBIKE? > + if (($lconfighash{$key}[29] eq "ikev2") && > ($lconfighash{$key}[32] eq 'on')) { > + print CONF "\tmobike=yes\n"; > + } > + > + # Dead Peer Detection > + my $dpdaction = $lconfighash{$key}[27]; > + print CONF "\tdpdaction=$dpdaction\n"; > + > + # If the dead peer detection is disabled and IKEv2 > is used, > + # dpddelay must be set to zero, too. > + if ($dpdaction eq "none") { > + if ($lconfighash{$key}[29] eq "ikev2") { > + print CONF "\tdpddelay=0\n"; > + } > + } else { > + my $dpddelay = $lconfighash{$key}[31]; > + if (!$dpddelay) { > + $dpddelay = 30; > + } > + print CONF "\tdpddelay=$dpddelay\n"; > + my $dpdtimeout = $lconfighash{$key}[30]; > + if (!$dpdtimeout) { > + $dpdtimeout = 120; > + } > + print CONF "\tdpdtimeout=$dpdtimeout\n"; > + } > + > + # Build Authentication details: LEFTid RIGHTid : PSK > psk > + my $psk_line; > + if ($lconfighash{$key}[4] eq 'psk') { > + $psk_line = ($lconfighash{$key}[7] ? > $lconfighash{$key}[7] : $localside) . " " ; > + $psk_line .= $lconfighash{$key}[9] ? > $lconfighash{$key}[9] : $lconfighash{$key}[10]; #remoteid or remote > address? > + $psk_line .= " : PSK > '$lconfighash{$key}[5]'\n"; > + # if the line contains %any, it is less > specific than two IP or ID, so move it at end of file. > + if ($psk_line =~ /%any/) { > + $last_secrets .= $psk_line; > + } else { > + print SECRETS $psk_line; > + } > + print CONF "\tauthby=secret\n"; > + } else { > + print CONF "\tauthby=rsasig\n"; > + print CONF "\tleftrsasigkey=%cert\n"; > + print CONF "\trightrsasigkey=%cert\n"; > + } > + > + # Automatically start only if a net-to-net > connection > + if ($lconfighash{$key}[3] eq 'host') { > + print CONF "\tauto=add\n"; > + print CONF > "\trightsourceip=$lvpnsettings{'RW_NET'}\n"; > + } else { > + print CONF "\tauto=start\n"; > + } > + > + # Fragmentation > + print CONF "\tfragmentation=yes\n"; > + > + print CONF "\n"; > + } #foreach key > + > + # Add post user includes to config file > + # After the GUI-connections allows to patch connections. > + if (-e "/etc/ipsec.user-post.conf") { > + print CONF "include /etc/ipsec.user-post.conf\n"; > + print CONF "\n"; > + } > + > + print SECRETS $last_secrets if ($last_secrets); > + close(CONF); > + close(SECRETS); > } > > # Hook to regenerate the configuration files. > @@ -441,779 +439,779 @@ if ($ENV{"REMOTE_ADDR"} eq "") { > ### Save main settings > ### > if ($cgiparams{'ACTION'} eq $Lang::tr{'save'} && $cgiparams{'TYPE'} > eq '' && $cgiparams{'KEY'} eq '') { > - &General::readhash("${General::swroot}/vpn/settings", > \%vpnsettings); > - unless (&General::validfqdn($cgiparams{'VPN_IP'}) || > &General::validip($cgiparams{'VPN_IP'}) > - || $cgiparams{'VPN_IP'} eq '%defaultroute' ) { > - $errormessage = $Lang::tr{'invalid input for hostname'}; > - goto SAVE_ERROR; > - } > - > - unless ($cgiparams{'VPN_DELAYED_START'} =~ /^[0-9]{1,3}$/ ) { > #allow 0-999 seconds ! > - $errormessage = $Lang::tr{'invalid time period'}; > - goto SAVE_ERROR; > - } > - > - if ( $cgiparams{'RW_NET'} ne '' and > !&General::validipandmask($cgiparams{'RW_NET'}) ) { > - $errormessage = $Lang::tr{'urlfilter invalid ip or mask > error'}; > - goto SAVE_ERROR; > - } > - > - $vpnsettings{'ENABLED'} = $cgiparams{'ENABLED'}; > - $vpnsettings{'VPN_IP'} = $cgiparams{'VPN_IP'}; > - $vpnsettings{'VPN_DELAYED_START'} = > $cgiparams{'VPN_DELAYED_START'}; > - $vpnsettings{'RW_NET'} = $cgiparams{'RW_NET'}; > - &General::writehash("${General::swroot}/vpn/settings", > \%vpnsettings); > - &writeipsecfiles(); > - if (&vpnenabled) { > - system('/usr/local/bin/ipsecctrl', 'S'); > - } else { > - system('/usr/local/bin/ipsecctrl', 'D'); > - } > - sleep $sleepDelay; > - SAVE_ERROR: > + &General::readhash("${General::swroot}/vpn/settings", > \%vpnsettings); > + > + unless (&General::validfqdn($cgiparams{'VPN_IP'}) || > &General::validip($cgiparams{'VPN_IP'}) > + || $cgiparams{'VPN_IP'} eq '%defaultroute' ) { > + $errormessage = $Lang::tr{'invalid input for > hostname'}; > + goto SAVE_ERROR; > + } > + > + unless ($cgiparams{'VPN_DELAYED_START'} =~ /^[0-9]{1,3}$/ ) > { #allow 0-999 seconds ! > + $errormessage = $Lang::tr{'invalid time period'}; > + goto SAVE_ERROR; > + } > + > + if ( $cgiparams{'RW_NET'} ne '' and > !&General::validipandmask($cgiparams{'RW_NET'}) ) { > + $errormessage = $Lang::tr{'urlfilter invalid ip or > mask error'}; > + goto SAVE_ERROR; > + } > + > + $vpnsettings{'ENABLED'} = $cgiparams{'ENABLED'}; > + $vpnsettings{'VPN_IP'} = $cgiparams{'VPN_IP'}; > + $vpnsettings{'VPN_DELAYED_START'} = > $cgiparams{'VPN_DELAYED_START'}; > + $vpnsettings{'RW_NET'} = $cgiparams{'RW_NET'}; > + &General::writehash("${General::swroot}/vpn/settings", > \%vpnsettings); > + &writeipsecfiles(); > + if (&vpnenabled) { > + system('/usr/local/bin/ipsecctrl', 'S'); > + } else { > + system('/usr/local/bin/ipsecctrl', 'D'); > + } > + sleep $sleepDelay; > + SAVE_ERROR: > ### > ### Reset all step 2 > ### > } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'remove x509'} && > $cgiparams{'AREUSURE'} eq 'yes') { > - &General::readhasharray("${General::swroot}/vpn/config", > \%confighash); > - > - foreach my $key (keys %confighash) { > - if ($confighash{$key}[4] eq 'cert') { > - delete $confighash{$key}; > - } > - } > - while (my $file = > glob("${General::swroot}/{ca,certs,crls,private}/*")) { > - unlink $file > - } > - &cleanssldatabase(); > - if (open(FILE, ">${General::swroot}/vpn/caconfig")) { > - print FILE ""; > - close FILE; > - } > - &General::writehasharray("${General::swroot}/vpn/config", > \%confighash); > - &writeipsecfiles(); > - system('/usr/local/bin/ipsecctrl', 'R'); > - sleep $sleepDelay; > + &General::readhasharray("${General::swroot}/vpn/config", > \%confighash); > + > + foreach my $key (keys %confighash) { > + if ($confighash{$key}[4] eq 'cert') { > + delete $confighash{$key}; > + } > + } > + while (my $file = > glob("${General::swroot}/{ca,certs,crls,private}/*")) { > + unlink $file > + } > + &cleanssldatabase(); > + if (open(FILE, ">${General::swroot}/vpn/caconfig")) { > + print FILE ""; > + close FILE; > + } > + &General::writehasharray("${General::swroot}/vpn/config", > \%confighash); > + &writeipsecfiles(); > + system('/usr/local/bin/ipsecctrl', 'R'); > + sleep $sleepDelay; > > ### > ### Reset all step 1 > ### > } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'remove x509'}) { > - &Header::showhttpheaders(); > - &Header::openpage($Lang::tr{'ipsec'}, 1, ''); > - &Header::openbigbox('100%', 'left', '', ''); > - &Header::openbox('100%', 'left', $Lang::tr{'are you sure'}); > - print <<END > + &Header::showhttpheaders(); > + &Header::openpage($Lang::tr{'ipsec'}, 1, ''); > + &Header::openbigbox('100%', 'left', '', ''); > + &Header::openbox('100%', 'left', $Lang::tr{'are you sure'}); > + print <<END > <form method='post' action='$ENV{'SCRIPT_NAME'}'> > - <table width='100%'> > - <tr> > - <td align='center'> > - <input type='hidden' name='AREUSURE' value='yes' /> > - <b><font > color='${Header::colourred}'>$Lang::tr{'capswarning'}</font></b>: > - $Lang::tr{'resetting the vpn configuration will > remove the root ca, the host certificate and all certificate based > connections'}</td> > - </tr><tr> > - <td align='center'> > - <input type='submit' name='ACTION' > value='$Lang::tr{'remove x509'}' /> > + <table width='100%'> > + <tr> > + <td align='center'> > + <input type='hidden' > name='AREUSURE' value='yes' /> > + <b><font > color='${Header::colourred}'>$Lang::tr{'capswarning'}</font></b>:&nbs > p;$Lang::tr{'resetting the vpn configuration will remove the root ca, > the host certificate and all certificate based connections'} > + </td> > + </tr><tr> > + <td align='center'> > + <input type='submit' > name='ACTION' value='$Lang::tr{'remove x509'}' /> > <input type='submit' name='ACTION' > value='$Lang::tr{'cancel'}' /></td> > - </tr> > - </table> > + </tr> > + </table> > </form> > END > - ; > - &Header::closebox(); > - &Header::closebigbox(); > - &Header::closepage(); > - exit (0); > +; > + &Header::closebox(); > + &Header::closebigbox(); > + &Header::closepage(); > + exit (0); > > ### > ### Upload CA Certificate > ### > } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'upload ca certificate'}) > { > - &General::readhasharray("${General::swroot}/vpn/caconfig", > \%cahash); > - > - if ($cgiparams{'CA_NAME'} !~ /^[a-zA-Z0-9]+$/) { > - $errormessage = $Lang::tr{'name must only contain > characters'}; > - goto UPLOADCA_ERROR; > - } > - > - if (length($cgiparams{'CA_NAME'}) >60) { > - $errormessage = $Lang::tr{'name too long'}; > - goto VPNCONF_ERROR; > - } > - > - if ($cgiparams{'CA_NAME'} eq 'ca') { > - $errormessage = $Lang::tr{'name is invalid'}; > - goto UPLOAD_CA_ERROR; > - } > - > - # Check if there is no other entry with this name > - foreach my $key (keys %cahash) { > - if ($cahash{$key}[0] eq $cgiparams{'CA_NAME'}) { > - $errormessage = $Lang::tr{'a ca certificate with this > name already exists'}; > - goto UPLOADCA_ERROR; > - } > - } > - > - if (ref ($cgiparams{'FH'}) ne 'Fh') { > - $errormessage = $Lang::tr{'there was no file upload'}; > - goto UPLOADCA_ERROR; > - } > - # Move uploaded ca to a temporary file > - (my $fh, my $filename) = tempfile( ); > - if (copy ($cgiparams{'FH'}, $fh) != 1) { > - $errormessage = $!; > - goto UPLOADCA_ERROR; > - } > - my $temp = `/usr/bin/openssl x509 -text -in $filename`; > - if ($temp !~ /CA:TRUE/i) { > - $errormessage = $Lang::tr{'not a valid ca certificate'}; > - unlink ($filename); > - goto UPLOADCA_ERROR; > - } else { > - move($filename, > "${General::swroot}/ca/$cgiparams{'CA_NAME'}cert.pem"); > - if ($? ne 0) { > - $errormessage = "$Lang::tr{'certificate file move > failed'}: $!"; > - unlink ($filename); > - goto UPLOADCA_ERROR; > - } > - } > - > - my $key = &General::findhasharraykey (\%cahash); > - $cahash{$key}[0] = $cgiparams{'CA_NAME'}; > - $cahash{$key}[1] = &Header::cleanhtml(getsubjectfromcert > ("${General::swroot}/ca/$cgiparams{'CA_NAME'}cert.pem")); > - &General::writehasharray("${General::swroot}/vpn/caconfig", > \%cahash); > - > - system('/usr/local/bin/ipsecctrl', 'R'); > - sleep $sleepDelay; > - > - UPLOADCA_ERROR: > + &General::readhasharray("${General::swroot}/vpn/caconfig", > \%cahash); > + > + if ($cgiparams{'CA_NAME'} !~ /^[a-zA-Z0-9]+$/) { > + $errormessage = $Lang::tr{'name must only contain > characters'}; > + goto UPLOADCA_ERROR; > + } > + > + if (length($cgiparams{'CA_NAME'}) >60) { > + $errormessage = $Lang::tr{'name too long'}; > + goto VPNCONF_ERROR; > + } > + > + if ($cgiparams{'CA_NAME'} eq 'ca') { > + $errormessage = $Lang::tr{'name is invalid'}; > + goto UPLOAD_CA_ERROR; > + } > + > + # Check if there is no other entry with this name > + foreach my $key (keys %cahash) { > + if ($cahash{$key}[0] eq $cgiparams{'CA_NAME'}) { > + $errormessage = $Lang::tr{'a ca certificate > with this name already exists'}; > + goto UPLOADCA_ERROR; > + } > + } > + > + if (ref ($cgiparams{'FH'}) ne 'Fh') { > + $errormessage = $Lang::tr{'there was no file > upload'}; > + goto UPLOADCA_ERROR; > + } > + # Move uploaded ca to a temporary file > + (my $fh, my $filename) = tempfile( ); > + if (copy ($cgiparams{'FH'}, $fh) != 1) { > + $errormessage = $!; > + goto UPLOADCA_ERROR; > + } > + my $temp = `/usr/bin/openssl x509 -text -in $filename`; > + if ($temp !~ /CA:TRUE/i) { > + $errormessage = $Lang::tr{'not a valid ca > certificate'}; > + unlink ($filename); > + goto UPLOADCA_ERROR; > + } else { > + move($filename, > "${General::swroot}/ca/$cgiparams{'CA_NAME'}cert.pem"); > + if ($? ne 0) { > + $errormessage = "$Lang::tr{'certificate file > move failed'}: $!"; > + unlink ($filename); > + goto UPLOADCA_ERROR; > + } > + } > + > + my $key = &General::findhasharraykey (\%cahash); > + $cahash{$key}[0] = $cgiparams{'CA_NAME'}; > + $cahash{$key}[1] = &Header::cleanhtml(getsubjectfromcert > ("${General::swroot}/ca/$cgiparams{'CA_NAME'}cert.pem")); > + &General::writehasharray("${General::swroot}/vpn/caconfig", > \%cahash); > + > + system('/usr/local/bin/ipsecctrl', 'R'); > + sleep $sleepDelay; > + > + UPLOADCA_ERROR: > > ### > ### Display ca certificate > ### > } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'show ca certificate'}) { > - &General::readhasharray("${General::swroot}/vpn/caconfig", > \%cahash); > - > - if ( -f > "${General::swroot}/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem") { > - &Header::showhttpheaders(); > - &Header::openpage($Lang::tr{'ipsec'}, 1, ''); > - &Header::openbigbox('100%', 'left', '', ''); > - &Header::openbox('100%', 'left', "$Lang::tr{'ca > certificate'}:"); > - my $output = `/usr/bin/openssl x509 -text -in > ${General::swroot}/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem`; > - $output = &Header::cleanhtml($output,"y"); > - print "<pre>$output</pre>\n"; > - &Header::closebox(); > - print "<div align='center'><a href='/cgi > -bin/vpnmain.cgi'>$Lang::tr{'back'}</a></div>"; > - &Header::closebigbox(); > - &Header::closepage(); > - exit(0); > - } else { > - $errormessage = $Lang::tr{'invalid key'}; > - } > + &General::readhasharray("${General::swroot}/vpn/caconfig", > \%cahash); > + > + if ( -f > "${General::swroot}/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem") { > + &Header::showhttpheaders(); > + &Header::openpage($Lang::tr{'ipsec'}, 1, ''); > + &Header::openbigbox('100%', 'left', '', ''); > + &Header::openbox('100%', 'left', "$Lang::tr{'ca > certificate'}:"); > + my $output = `/usr/bin/openssl x509 -text -in > ${General::swroot}/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem`; > + $output = &Header::cleanhtml($output,"y"); > + print "<pre>$output</pre>\n"; > + &Header::closebox(); > + print "<div align='center'><a href='/cgi > -bin/vpnmain.cgi'>$Lang::tr{'back'}</a></div>"; > + &Header::closebigbox(); > + &Header::closepage(); > + exit(0); > + } else { > + $errormessage = $Lang::tr{'invalid key'}; > + } > > ### > ### Export ca certificate to browser > ### > } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'download ca > certificate'}) { > - &General::readhasharray("${General::swroot}/vpn/caconfig", > \%cahash); > - > - if ( -f > "${General::swroot}/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem" ) { > - print "Content-Type: application/force-download\n"; > - print "Content-Type: application/octet-stream\r\n"; > - print "Content-Disposition: attachment; > filename=$cahash{$cgiparams{'KEY'}}[0]cert.pem\r\n\r\n"; > - print `/usr/bin/openssl x509 -in > ${General::swroot}/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem`; > - exit(0); > - } else { > - $errormessage = $Lang::tr{'invalid key'}; > - } > + &General::readhasharray("${General::swroot}/vpn/caconfig", > \%cahash); > + > + if ( -f > "${General::swroot}/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem" ) { > + print "Content-Type: application/force-download\n"; > + print "Content-Type: application/octet-stream\r\n"; > + print "Content-Disposition: attachment; > filename=$cahash{$cgiparams{'KEY'}}[0]cert.pem\r\n\r\n"; > + print `/usr/bin/openssl x509 -in > ${General::swroot}/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem`; > + exit(0); > + } else { > + $errormessage = $Lang::tr{'invalid key'}; > + } > > ### > ### Remove ca certificate (step 2) > ### > } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'remove ca certificate'} > && $cgiparams{'AREUSURE'} eq 'yes') { > - &General::readhasharray("${General::swroot}/vpn/config", > \%confighash); > - &General::readhasharray("${General::swroot}/vpn/caconfig", > \%cahash); > - > - if ( -f > "${General::swroot}/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem" ) { > - foreach my $key (keys %confighash) { > - my $test = `/usr/bin/openssl verify -CAfile > ${General::swroot}/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem > ${General::swroot}/certs/$confighash{$key}[1]cert.pem`; > - if ($test =~ /: OK/) { > - # Delete connection > - system('/usr/local/bin/ipsecctrl', 'D', $key) if > (&vpnenabled); > - unlink > ("${General::swroot}/certs/$confighash{$key}[1]cert.pem"); > - unlink > ("${General::swroot}/certs/$confighash{$key}[1].p12"); > - delete $confighash{$key}; > - &General::writehasharray("${General::swroot}/vpn/con > fig", \%confighash); > - &writeipsecfiles(); > - } > + &General::readhasharray("${General::swroot}/vpn/config", > \%confighash); > + &General::readhasharray("${General::swroot}/vpn/caconfig", > \%cahash); > + > + if ( -f > "${General::swroot}/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem" ) { > + foreach my $key (keys %confighash) { > + my $test = `/usr/bin/openssl verify -CAfile > ${General::swroot}/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem > ${General::swroot}/certs/$confighash{$key}[1]cert.pem`; > + if ($test =~ /: OK/) { > + # Delete connection > + system('/usr/local/bin/ipsecctrl', > 'D', $key) if (&vpnenabled); > + unlink > ("${General::swroot}/certs/$confighash{$key}[1]cert.pem"); > + unlink > ("${General::swroot}/certs/$confighash{$key}[1].p12"); > + delete $confighash{$key}; > + &General::writehasharray("${General: > :swroot}/vpn/config", \%confighash); > + &writeipsecfiles(); > + } > + } > + unlink > ("${General::swroot}/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem"); > + delete $cahash{$cgiparams{'KEY'}}; > + &General::writehasharray("${General::swroot}/vpn/cac > onfig", \%cahash); > + system('/usr/local/bin/ipsecctrl', 'R'); > + sleep $sleepDelay; > + } else { > + $errormessage = $Lang::tr{'invalid key'}; > } > - unlink > ("${General::swroot}/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem"); > - delete $cahash{$cgiparams{'KEY'}}; > - &General::writehasharray("${General::swroot}/vpn/caconfig", > \%cahash); > - system('/usr/local/bin/ipsecctrl', 'R'); > - sleep $sleepDelay; > - } else { > - $errormessage = $Lang::tr{'invalid key'}; > - } > ### > ### Remove ca certificate (step 1) > ### > } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'remove ca certificate'}) > { > - &General::readhasharray("${General::swroot}/vpn/config", > \%confighash); > - &General::readhasharray("${General::swroot}/vpn/caconfig", > \%cahash); > - > - my $assignedcerts = 0; > - if ( -f > "${General::swroot}/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem" ) { > - foreach my $key (keys %confighash) { > - my $test = `/usr/bin/openssl verify -CAfile > ${General::swroot}/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem > ${General::swroot}/certs/$confighash{$key}[1]cert.pem`; > - if ($test =~ /: OK/) { > - $assignedcerts++; > - } > - } > - if ($assignedcerts) { > - &Header::showhttpheaders(); > - &Header::openpage($Lang::tr{'ipsec'}, 1, ''); > - &Header::openbigbox('100%', 'left', '', ''); > - &Header::openbox('100%', 'left', $Lang::tr{'are you > sure'}); > - print <<END > - <form method='post' action='$ENV{'SCRIPT_NAME'}'> > - <table width='100%'> > - <tr> > - <td align='center'> > - <input type='hidden' name='KEY' > value='$cgiparams{'KEY'}' /> > - <input type='hidden' name='AREUSURE' value='yes' > /></td> > - </tr><tr> > - <td align='center'> > - <b><font > color='${Header::colourred}'>$Lang::tr{'capswarning'}</font></b> > - $Lang::tr{'connections are associated with this > ca. deleting the ca will delete these connections as well.'}</td> > - </tr><tr> > - <td align='center'> > - <input type='submit' name='ACTION' > value='$Lang::tr{'remove ca certificate'}' /> > - <input type='submit' name='ACTION' > value='$Lang::tr{'cancel'}' /></td> > - </tr> > - </table> > - </form> > + &General::readhasharray("${General::swroot}/vpn/config", > \%confighash); > + &General::readhasharray("${General::swroot}/vpn/caconfig", > \%cahash); > + > + my $assignedcerts = 0; > + if ( -f > "${General::swroot}/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem" ) { > + foreach my $key (keys %confighash) { > + my $test = `/usr/bin/openssl verify -CAfile > ${General::swroot}/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem > ${General::swroot}/certs/$confighash{$key}[1]cert.pem`; > + if ($test =~ /: OK/) { > + $assignedcerts++; > + } > + } > + if ($assignedcerts) { > + &Header::showhttpheaders(); > + &Header::openpage($Lang::tr{'ipsec'}, 1, > ''); > + &Header::openbigbox('100%', 'left', '', ''); > + &Header::openbox('100%', 'left', > $Lang::tr{'are you sure'}); > + print <<END > + <form method='post' > action='$ENV{'SCRIPT_NAME'}'> > + <table width='100%'> > + <tr> > + <td align='center'> > + <input > type='hidden' name='KEY' value='$cgiparams{'KEY'}' /> > + <input type='hidden' name='AREUSURE' > value='yes' /></td> > + </tr><tr> > + <td align='center'> > + <b><font > color='${Header::colourred}'>$Lang::tr{'capswarning'}</font></b>  > ;$Lang::tr{'connections are associated with this ca. deleting the ca > will delete these connections as well.'}</td> > + </tr><tr> > + <td align='center'> > + <input > type='submit' name='ACTION' value='$Lang::tr{'remove ca > certificate'}' /> > + <input type='submit' name='ACTION' > value='$Lang::tr{'cancel'}' /></td> > + </tr> > + </table> > + </form> > END > - ; > - &Header::closebox(); > - &Header::closebigbox(); > - &Header::closepage(); > - exit (0); > +; > + &Header::closebox(); > + &Header::closebigbox(); > + &Header::closepage(); > + exit (0); > + } else { > + unlink > ("${General::swroot}/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem"); > + delete $cahash{$cgiparams{'KEY'}}; > + &General::writehasharray("${General::swroot} > /vpn/caconfig", \%cahash); > + system('/usr/local/bin/ipsecctrl', 'R'); > + sleep $sleepDelay; > + } > } else { > - unlink > ("${General::swroot}/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem"); > - delete $cahash{$cgiparams{'KEY'}}; > - > &General::writehasharray("${General::swroot}/vpn/caconfig", > \%cahash); > - system('/usr/local/bin/ipsecctrl', 'R'); > - sleep $sleepDelay; > + $errormessage = $Lang::tr{'invalid key'}; > } > - } else { > - $errormessage = $Lang::tr{'invalid key'}; > - } > > ### > ### Display root certificate > ### > } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'show root certificate'} > || > $cgiparams{'ACTION'} eq $Lang::tr{'show host certificate'}) > { > - my $output; > - &Header::showhttpheaders(); > - &Header::openpage($Lang::tr{'ipsec'}, 1, ''); > - &Header::openbigbox('100%', 'left', '', ''); > - if ($cgiparams{'ACTION'} eq $Lang::tr{'show root certificate'}) > { > - &Header::openbox('100%', 'left', "$Lang::tr{'root > certificate'}:"); > - $output = `/usr/bin/openssl x509 -text -in > ${General::swroot}/ca/cacert.pem`; > - } else { > - &Header::openbox('100%', 'left', "$Lang::tr{'host > certificate'}:"); > - $output = `/usr/bin/openssl x509 -text -in > ${General::swroot}/certs/hostcert.pem`; > - } > - $output = &Header::cleanhtml($output,"y"); > - print "<pre>$output</pre>\n"; > - &Header::closebox(); > - print "<div align='center'><a href='/cgi > -bin/vpnmain.cgi'>$Lang::tr{'back'}</a></div>"; > - &Header::closebigbox(); > - &Header::closepage(); > - exit(0); > + my $output; > + &Header::showhttpheaders(); > + &Header::openpage($Lang::tr{'ipsec'}, 1, ''); > + &Header::openbigbox('100%', 'left', '', ''); > + if ($cgiparams{'ACTION'} eq $Lang::tr{'show root > certificate'}) { > + &Header::openbox('100%', 'left', "$Lang::tr{'root > certificate'}:"); > + $output = `/usr/bin/openssl x509 -text -in > ${General::swroot}/ca/cacert.pem`; > + } else { > + &Header::openbox('100%', 'left', "$Lang::tr{'host > certificate'}:"); > + $output = `/usr/bin/openssl x509 -text -in > ${General::swroot}/certs/hostcert.pem`; > + } > + $output = &Header::cleanhtml($output,"y"); > + print "<pre>$output</pre>\n"; > + &Header::closebox(); > + print "<div align='center'><a href='/cgi > -bin/vpnmain.cgi'>$Lang::tr{'back'}</a></div>"; > + &Header::closebigbox(); > + &Header::closepage(); > + exit(0); > > ### > ### Export root certificate to browser > ### > } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'download root > certificate'}) { > - if ( -f "${General::swroot}/ca/cacert.pem" ) { > - print "Content-Type: application/force-download\n"; > - print "Content-Disposition: attachment; > filename=cacert.pem\r\n\r\n"; > - print `/usr/bin/openssl x509 -in > ${General::swroot}/ca/cacert.pem`; > - exit(0); > - } > + if ( -f "${General::swroot}/ca/cacert.pem" ) { > + print "Content-Type: application/force-download\n"; > + print "Content-Disposition: attachment; > filename=cacert.pem\r\n\r\n"; > + print `/usr/bin/openssl x509 -in > ${General::swroot}/ca/cacert.pem`; > + exit(0); > + } > ### > ### Export host certificate to browser > ### > } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'download host > certificate'}) { > - if ( -f "${General::swroot}/certs/hostcert.pem" ) { > - print "Content-Type: application/force-download\n"; > - print "Content-Disposition: attachment; > filename=hostcert.pem\r\n\r\n"; > - print `/usr/bin/openssl x509 -in > ${General::swroot}/certs/hostcert.pem`; > - exit(0); > - } > + if ( -f "${General::swroot}/certs/hostcert.pem" ) { > + print "Content-Type: application/force-download\n"; > + print "Content-Disposition: attachment; > filename=hostcert.pem\r\n\r\n"; > + print `/usr/bin/openssl x509 -in > ${General::swroot}/certs/hostcert.pem`; > + exit(0); > + } > ### > ### Form for generating/importing the caroot+host certificate > ### > } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'generate root/host > certificates'} || > - $cgiparams{'ACTION'} eq $Lang::tr{'upload p12 file'}) { > - > - if (-f "${General::swroot}/ca/cacert.pem") { > - $errormessage = $Lang::tr{'valid root certificate already > exists'}; > - goto ROOTCERT_SKIP; > - } > - > - &General::readhash("${General::swroot}/vpn/settings", > \%vpnsettings); > - # fill in initial values > - if ($cgiparams{'ROOTCERT_HOSTNAME'} eq '') { > - if (-e "${General::swroot}/red/active" && open(IPADDR, > "${General::swroot}/red/local-ipaddress")) { > - my $ipaddr = <IPADDR>; > - close IPADDR; > - chomp ($ipaddr); > - $cgiparams{'ROOTCERT_HOSTNAME'} = > (gethostbyaddr(pack("C4", split(/\./, $ipaddr)), 2))[0]; > - if ($cgiparams{'ROOTCERT_HOSTNAME'} eq '') { > - $cgiparams{'ROOTCERT_HOSTNAME'} = $ipaddr; > - } > - } > - $cgiparams{'ROOTCERT_COUNTRY'} = > $vpnsettings{'ROOTCERT_COUNTRY'} if > (!$cgiparams{'ROOTCERT_COUNTRY'}); > - } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'upload p12 file'}) { > - &General::log("ipsec", "Importing from p12..."); > + $cgiparams{'ACTION'} eq $Lang::tr{'upload p12 file'}) { > + > + if (-f "${General::swroot}/ca/cacert.pem") { > + $errormessage = $Lang::tr{'valid root certificate > already exists'}; > + goto ROOTCERT_SKIP; > + } > + > + &General::readhash("${General::swroot}/vpn/settings", > \%vpnsettings); > + # fill in initial values > + if ($cgiparams{'ROOTCERT_HOSTNAME'} eq '') { > + if (-e "${General::swroot}/red/active" && > open(IPADDR, "${General::swroot}/red/local-ipaddress")) { > + my $ipaddr = <IPADDR>; > + close IPADDR; > + chomp ($ipaddr); > + $cgiparams{'ROOTCERT_HOSTNAME'} = > (gethostbyaddr(pack("C4", split(/\./, $ipaddr)), 2))[0]; > + if ($cgiparams{'ROOTCERT_HOSTNAME'} eq '') { > + $cgiparams{'ROOTCERT_HOSTNAME'} = > $ipaddr; > + } > + } > + $cgiparams{'ROOTCERT_COUNTRY'} = > $vpnsettings{'ROOTCERT_COUNTRY'} if > (!$cgiparams{'ROOTCERT_COUNTRY'}); > + } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'upload p12 > file'}) { > + &General::log("ipsec", "Importing from p12..."); > > - if (ref ($cgiparams{'FH'}) ne 'Fh') { > - $errormessage = $Lang::tr{'there was no file upload'}; > - goto ROOTCERT_ERROR; > - } > + if (ref ($cgiparams{'FH'}) ne 'Fh') { > + $errormessage = $Lang::tr{'there was no file > upload'}; > + goto ROOTCERT_ERROR; > + } > > - # Move uploaded certificate request to a temporary file > - (my $fh, my $filename) = tempfile( ); > - if (copy ($cgiparams{'FH'}, $fh) != 1) { > - $errormessage = $!; > - goto ROOTCERT_ERROR; > - } > + # Move uploaded certificate request to a temporary > file > + (my $fh, my $filename) = tempfile( ); > + if (copy ($cgiparams{'FH'}, $fh) != 1) { > + $errormessage = $!; > + goto ROOTCERT_ERROR; > + } > > - # Extract the CA certificate from the file > - &General::log("ipsec", "Extracting caroot from p12..."); > - if (open(STDIN, "-|")) { > - my $opt = " pkcs12 -cacerts -nokeys"; > - $opt .= " -in $filename"; > - $opt .= " -out /tmp/newcacert"; > - $errormessage = &callssl ($opt); > - } else { #child > - print "$cgiparams{'P12_PASS'}\n"; > - exit (0); > - } > - > - # Extract the Host certificate from the file > - if (!$errormessage) { > - &General::log("ipsec", "Extracting host cert from > p12..."); > - if (open(STDIN, "-|")) { > - my $opt = " pkcs12 -clcerts -nokeys"; > - $opt .= " -in $filename"; > - $opt .= " -out /tmp/newhostcert"; > - $errormessage = &callssl ($opt); > - } else { #child > - print "$cgiparams{'P12_PASS'}\n"; > - exit (0); > - } > - } > - > - # Extract the Host key from the file > - if (!$errormessage) { > - &General::log("ipsec", "Extracting private key from > p12..."); > - if (open(STDIN, "-|")) { > - my $opt = " pkcs12 -nocerts -nodes"; > - $opt .= " -in $filename"; > - $opt .= " -out /tmp/newhostkey"; > - $errormessage = &callssl ($opt); > - } else { #child > - print "$cgiparams{'P12_PASS'}\n"; > - exit (0); > - } > - } > - > - if (!$errormessage) { > - &General::log("ipsec", "Moving cacert..."); > - move("/tmp/newcacert", > "${General::swroot}/ca/cacert.pem"); > - $errormessage = "$Lang::tr{'certificate file move > failed'}: $!" if ($? ne 0); > - } > - > - if (!$errormessage) { > - &General::log("ipsec", "Moving host cert..."); > - move("/tmp/newhostcert", > "${General::swroot}/certs/hostcert.pem"); > - $errormessage = "$Lang::tr{'certificate file move > failed'}: $!" if ($? ne 0); > - } > - > - if (!$errormessage) { > - &General::log("ipsec", "Moving private key..."); > - move("/tmp/newhostkey", > "${General::swroot}/certs/hostkey.pem"); > - $errormessage = "$Lang::tr{'certificate file move > failed'}: $!" if ($? ne 0); > - } > - > - #cleanup temp files > - unlink ($filename); > - unlink ('/tmp/newcacert'); > - unlink ('/tmp/newhostcert'); > - unlink ('/tmp/newhostkey'); > - if ($errormessage) { > - unlink ("${General::swroot}/ca/cacert.pem"); > - unlink ("${General::swroot}/certs/hostcert.pem"); > - unlink ("${General::swroot}/certs/hostkey.pem"); > - goto ROOTCERT_ERROR; > - } > + # Extract the CA certificate from the file > + &General::log("ipsec", "Extracting caroot from > p12..."); > + if (open(STDIN, "-|")) { > + my $opt = " pkcs12 -cacerts -nokeys"; > + $opt .= " -in $filename"; > + $opt .= " -out /tmp/newcacert"; > + $errormessage = &callssl ($opt); > + } else { #child > + print "$cgiparams{'P12_PASS'}\n"; > + exit (0); > + } > > - # Create empty CRL cannot be done because we don't have > - # the private key for this CAROOT > - # IPFire can only import certificates > + # Extract the Host certificate from the file > + if (!$errormessage) { > + &General::log("ipsec", "Extracting host cert > from p12..."); > + if (open(STDIN, "-|")) { > + my $opt = " pkcs12 -clcerts > -nokeys"; > + $opt .= " -in $filename"; > + $opt .= " -out /tmp/newhostcert"; > + $errormessage = &callssl ($opt); > + } else { #child > + print "$cgiparams{'P12_PASS'}\n"; > + exit (0); > + } > + } > > - &General::log("ipsec", "p12 import completed!"); > - &cleanssldatabase(); > - goto ROOTCERT_SUCCESS; > - > - } elsif ($cgiparams{'ROOTCERT_COUNTRY'} ne '') { > - > - # Validate input since the form was submitted > - if ($cgiparams{'ROOTCERT_ORGANIZATION'} eq ''){ > - $errormessage = $Lang::tr{'organization cant be empty'}; > - goto ROOTCERT_ERROR; > - } > - if (length($cgiparams{'ROOTCERT_ORGANIZATION'}) >60) { > - $errormessage = $Lang::tr{'organization too long'}; > - goto ROOTCERT_ERROR; > - } > - if ($cgiparams{'ROOTCERT_ORGANIZATION'} !~ /^[a-zA-Z0-9 ,\.\ > -_]*$/) { > - $errormessage = $Lang::tr{'invalid input for > organization'}; > - goto ROOTCERT_ERROR; > - } > - if ($cgiparams{'ROOTCERT_HOSTNAME'} eq ''){ > - $errormessage = $Lang::tr{'hostname cant be empty'}; > - goto ROOTCERT_ERROR; > - } > - unless (&General::validfqdn($cgiparams{'ROOTCERT_HOSTNAME'}) > || &General::validip($cgiparams{'ROOTCERT_HOSTNAME'})) { > - $errormessage = $Lang::tr{'invalid input for hostname'}; > - goto ROOTCERT_ERROR; > - } > - if ($cgiparams{'ROOTCERT_EMAIL'} ne '' && (! > &General::validemail($cgiparams{'ROOTCERT_EMAIL'}))) { > - $errormessage = $Lang::tr{'invalid input for e-mail > address'}; > - goto ROOTCERT_ERROR; > - } > - if (length($cgiparams{'ROOTCERT_EMAIL'}) > 40) { > - $errormessage = $Lang::tr{'e-mail address too long'}; > - goto ROOTCERT_ERROR; > - } > - if ($cgiparams{'ROOTCERT_OU'} ne '' && > $cgiparams{'ROOTCERT_OU'} !~ /^[a-zA-Z0-9 ,\.\-_]*$/) { > - $errormessage = $Lang::tr{'invalid input for > department'}; > - goto ROOTCERT_ERROR; > - } > - if ($cgiparams{'ROOTCERT_CITY'} ne '' && > $cgiparams{'ROOTCERT_CITY'} !~ /^[a-zA-Z0-9 ,\.\-_]*$/) { > - $errormessage = $Lang::tr{'invalid input for city'}; > - goto ROOTCERT_ERROR; > - } > - if ($cgiparams{'ROOTCERT_STATE'} ne '' && > $cgiparams{'ROOTCERT_STATE'} !~ /^[a-zA-Z0-9 ,\.\-_]*$/) { > - $errormessage = $Lang::tr{'invalid input for state or > province'}; > - goto ROOTCERT_ERROR; > - } > - if ($cgiparams{'ROOTCERT_COUNTRY'} !~ /^[A-Z]*$/) { > - $errormessage = $Lang::tr{'invalid input for country'}; > - goto ROOTCERT_ERROR; > - } > - #the exact syntax is a list comma separated of > - # email:any-validemail > - # URI: a uniform resource indicator > - # DNS: a DNS domain name > - # RID: a registered OBJECT IDENTIFIER > - # IP: an IP address > - # example: email:franck(a)foo.com,IP:10.0.0.10,DNS:franck.foo. > com > - > - if ($cgiparams{'SUBJECTALTNAME'} ne '' && > $cgiparams{'SUBJECTALTNAME'} !~ /^(email|URI|DNS|RID|IP):[a-zA-Z0-9 > :\/,\.\-_@]*$/) { > - $errormessage = $Lang::tr{'vpn altname syntax'}; > - goto VPNCONF_ERROR; > - } > - > - # Copy the cgisettings to vpnsettings and save the > configfile > - $vpnsettings{'ROOTCERT_ORGANIZATION'} = > $cgiparams{'ROOTCERT_ORGANIZATION'}; > - $vpnsettings{'ROOTCERT_HOSTNAME'} = > $cgiparams{'ROOTCERT_HOSTNAME'}; > - $vpnsettings{'ROOTCERT_EMAIL'} = > $cgiparams{'ROOTCERT_EMAIL'}; > - $vpnsettings{'ROOTCERT_OU'} = > $cgiparams{'ROOTCERT_OU'}; > - $vpnsettings{'ROOTCERT_CITY'} = > $cgiparams{'ROOTCERT_CITY'}; > - $vpnsettings{'ROOTCERT_STATE'} = > $cgiparams{'ROOTCERT_STATE'}; > - $vpnsettings{'ROOTCERT_COUNTRY'} = > $cgiparams{'ROOTCERT_COUNTRY'}; > - &General::writehash("${General::swroot}/vpn/settings", > \%vpnsettings); > + # Extract the Host key from the file > + if (!$errormessage) { > + &General::log("ipsec", "Extracting private > key from p12..."); > + if (open(STDIN, "-|")) { > + my $opt = " pkcs12 -nocerts -nodes"; > + $opt .= " -in $filename"; > + $opt .= " -out /tmp/newhostkey"; > + $errormessage = &callssl ($opt); > + } else { #child > + print "$cgiparams{'P12_PASS'}\n"; > + exit (0); > + } > + } > > - # Replace empty strings with a . > - (my $ou = $cgiparams{'ROOTCERT_OU'}) =~ s/^\s*$/\./; > - (my $city = $cgiparams{'ROOTCERT_CITY'}) =~ s/^\s*$/\./; > - (my $state = $cgiparams{'ROOTCERT_STATE'}) =~ s/^\s*$/\./; > - > - # Create the CA certificate > - if (!$errormessage) { > - &General::log("ipsec", "Creating cacert..."); > - if (open(STDIN, "-|")) { > - my $opt = " req -x509 -sha256 -nodes"; > - $opt .= " -days 999999"; > - $opt .= " -newkey rsa:4096"; > - $opt .= " -keyout > ${General::swroot}/private/cakey.pem"; > - $opt .= " -out ${General::swroot}/ca/cacert.pem"; > - > - $errormessage = &callssl ($opt); > - } else { #child > - print "$cgiparams{'ROOTCERT_COUNTRY'}\n"; > - print "$state\n"; > - print "$city\n"; > - print "$cgiparams{'ROOTCERT_ORGANIZATION'}\n"; > - print "$ou\n"; > - print "$cgiparams{'ROOTCERT_ORGANIZATION'} CA\n"; > - print "$cgiparams{'ROOTCERT_EMAIL'}\n"; > - exit (0); > - } > - } > - > - # Create the Host certificate request > - if (!$errormessage) { > - &General::log("ipsec", "Creating host cert..."); > - if (open(STDIN, "-|")) { > - my $opt = " req -sha256 -nodes"; > - $opt .= " -newkey rsa:2048"; > - $opt .= " -keyout > ${General::swroot}/certs/hostkey.pem"; > - $opt .= " -out > ${General::swroot}/certs/hostreq.pem"; > - $errormessage = &callssl ($opt); > - } else { #child > - print "$cgiparams{'ROOTCERT_COUNTRY'}\n"; > - print "$state\n"; > - print "$city\n"; > - print "$cgiparams{'ROOTCERT_ORGANIZATION'}\n"; > - print "$ou\n"; > - print "$cgiparams{'ROOTCERT_HOSTNAME'}\n"; > - print "$cgiparams{'ROOTCERT_EMAIL'}\n"; > - print ".\n"; > - print ".\n"; > - exit (0); > - } > - } > + if (!$errormessage) { > + &General::log("ipsec", "Moving cacert..."); > + move("/tmp/newcacert", > "${General::swroot}/ca/cacert.pem"); > + $errormessage = "$Lang::tr{'certificate file > move failed'}: $!" if ($? ne 0); > + } > > - # Sign the host certificate request > - if (!$errormessage) { > - &General::log("ipsec", "Self signing host cert..."); > + if (!$errormessage) { > + &General::log("ipsec", "Moving host > cert..."); > + move("/tmp/newhostcert", > "${General::swroot}/certs/hostcert.pem"); > + $errormessage = "$Lang::tr{'certificate file > move failed'}: $!" if ($? ne 0); > + } > > - #No easy way for specifying the contain of > subjectAltName without writing a config file... > - my ($fh, $v3extname) = tempfile ('/tmp/XXXXXXXX'); > - print $fh <<END > - basicConstraints=CA:FALSE > - nsComment="OpenSSL Generated Certificate" > - subjectKeyIdentifier=hash > - authorityKeyIdentifier=keyid,issuer:always > - extendedKeyUsage = serverAuth > + if (!$errormessage) { > + &General::log("ipsec", "Moving private > key..."); > + move("/tmp/newhostkey", > "${General::swroot}/certs/hostkey.pem"); > + $errormessage = "$Lang::tr{'certificate file > move failed'}: $!" if ($? ne 0); > + } > + > + #cleanup temp files > + unlink ($filename); > + unlink ('/tmp/newcacert'); > + unlink ('/tmp/newhostcert'); > + unlink ('/tmp/newhostkey'); > + if ($errormessage) { > + unlink ("${General::swroot}/ca/cacert.pem"); > + unlink > ("${General::swroot}/certs/hostcert.pem"); > + unlink > ("${General::swroot}/certs/hostkey.pem"); > + goto ROOTCERT_ERROR; > + } > + > + # Create empty CRL cannot be done because we don't > have > + # the private key for this CAROOT > + # IPFire can only import certificates > + > + &General::log("ipsec", "p12 import completed!"); > + &cleanssldatabase(); > + goto ROOTCERT_SUCCESS; > + > + } elsif ($cgiparams{'ROOTCERT_COUNTRY'} ne '') { > + > + # Validate input since the form was submitted > + if ($cgiparams{'ROOTCERT_ORGANIZATION'} eq ''){ > + $errormessage = $Lang::tr{'organization cant > be empty'}; > + goto ROOTCERT_ERROR; > + } > + if (length($cgiparams{'ROOTCERT_ORGANIZATION'}) >60) > { > + $errormessage = $Lang::tr{'organization too > long'}; > + goto ROOTCERT_ERROR; > + } > + if ($cgiparams{'ROOTCERT_ORGANIZATION'} !~ /^[a-zA > -Z0-9 ,\.\-_]*$/) { > + $errormessage = $Lang::tr{'invalid input for > organization'}; > + goto ROOTCERT_ERROR; > + } > + if ($cgiparams{'ROOTCERT_HOSTNAME'} eq ''){ > + $errormessage = $Lang::tr{'hostname cant be > empty'}; > + goto ROOTCERT_ERROR; > + } > + unless > (&General::validfqdn($cgiparams{'ROOTCERT_HOSTNAME'}) || > &General::validip($cgiparams{'ROOTCERT_HOSTNAME'})) { > + $errormessage = $Lang::tr{'invalid input for > hostname'}; > + goto ROOTCERT_ERROR; > + } > + if ($cgiparams{'ROOTCERT_EMAIL'} ne '' && (! > &General::validemail($cgiparams{'ROOTCERT_EMAIL'}))) { > + $errormessage = $Lang::tr{'invalid input for > e-mail address'}; > + goto ROOTCERT_ERROR; > + } > + if (length($cgiparams{'ROOTCERT_EMAIL'}) > 40) { > + $errormessage = $Lang::tr{'e-mail address > too long'}; > + goto ROOTCERT_ERROR; > + } > + if ($cgiparams{'ROOTCERT_OU'} ne '' && > $cgiparams{'ROOTCERT_OU'} !~ /^[a-zA-Z0-9 ,\.\-_]*$/) { > + $errormessage = $Lang::tr{'invalid input for > department'}; > + goto ROOTCERT_ERROR; > + } > + if ($cgiparams{'ROOTCERT_CITY'} ne '' && > $cgiparams{'ROOTCERT_CITY'} !~ /^[a-zA-Z0-9 ,\.\-_]*$/) { > + $errormessage = $Lang::tr{'invalid input for > city'}; > + goto ROOTCERT_ERROR; > + } > + if ($cgiparams{'ROOTCERT_STATE'} ne '' && > $cgiparams{'ROOTCERT_STATE'} !~ /^[a-zA-Z0-9 ,\.\-_]*$/) { > + $errormessage = $Lang::tr{'invalid input for > state or province'}; > + goto ROOTCERT_ERROR; > + } > + if ($cgiparams{'ROOTCERT_COUNTRY'} !~ /^[A-Z]*$/) { > + $errormessage = $Lang::tr{'invalid input for > country'}; > + goto ROOTCERT_ERROR; > + } > + #the exact syntax is a list comma separated of > + # email:any-validemail > + # URI: a uniform resource indicator > + # DNS: a DNS domain name > + # RID: a registered OBJECT IDENTIFIER > + # IP: an IP address > + # example: email:franck(a)foo.com,IP:10.0.0.10,DNS:fra > nck.foo.com > + > + if ($cgiparams{'SUBJECTALTNAME'} ne '' && > $cgiparams{'SUBJECTALTNAME'} !~ /^(email|URI|DNS|RID|IP):[a-zA-Z0-9 > :\/,\.\-_@]*$/) { > + $errormessage = $Lang::tr{'vpn altname > syntax'}; > + goto VPNCONF_ERROR; > + } > + > + # Copy the cgisettings to vpnsettings and save the > configfile > + $vpnsettings{'ROOTCERT_ORGANIZATION'} = > $cgiparams{'ROOTCERT_ORGANIZATION'}; > + $vpnsettings{'ROOTCERT_HOSTNAME'} = > $cgiparams{'ROOTCERT_HOSTNAME'}; > + $vpnsettings{'ROOTCERT_EMAIL'} > = $cgiparams{'ROOTCERT_EMAIL'}; > + $vpnsettings{'ROOTCERT_OU'} > = $cgiparams{'ROOTCERT_OU'}; > + $vpnsettings{'ROOTCERT_CITY'} > = $cgiparams{'ROOTCERT_CITY'}; > + $vpnsettings{'ROOTCERT_STATE'} > = $cgiparams{'ROOTCERT_STATE'}; > + $vpnsettings{'ROOTCERT_COUNTRY'} = > $cgiparams{'ROOTCERT_COUNTRY'}; > + &General::writehash("${General::swroot}/vpn/settings > ", \%vpnsettings); > + > + # Replace empty strings with a . > + (my $ou = $cgiparams{'ROOTCERT_OU'}) =~ s/^\s*$/\./; > + (my $city = $cgiparams{'ROOTCERT_CITY'}) =~ > s/^\s*$/\./; > + (my $state = $cgiparams{'ROOTCERT_STATE'}) =~ > s/^\s*$/\./; > + > + # Create the CA certificate > + if (!$errormessage) { > + &General::log("ipsec", "Creating > cacert..."); > + if (open(STDIN, "-|")) { > + my $opt = " req -x509 -sha256 > -nodes"; > + $opt .= " -days 999999"; > + $opt .= " -newkey rsa:4096"; > + $opt .= " -keyout > ${General::swroot}/private/cakey.pem"; > + $opt .= " -out > ${General::swroot}/ca/cacert.pem"; > + > + $errormessage = &callssl ($opt); > + } else { #child > + print > "$cgiparams{'ROOTCERT_COUNTRY'}\n"; > + print "$state\n"; > + print "$city\n"; > + print > "$cgiparams{'ROOTCERT_ORGANIZATION'}\n"; > + print "$ou\n"; > + print > "$cgiparams{'ROOTCERT_ORGANIZATION'} CA\n"; > + print > "$cgiparams{'ROOTCERT_EMAIL'}\n"; > + exit (0); > + } > + } > + > + # Create the Host certificate request > + if (!$errormessage) { > + &General::log("ipsec", "Creating host > cert..."); > + if (open(STDIN, "-|")) { > + my $opt = " req -sha256 -nodes"; > + $opt .= " -newkey rsa:2048"; > + $opt .= " -keyout > ${General::swroot}/certs/hostkey.pem"; > + $opt .= " -out > ${General::swroot}/certs/hostreq.pem"; > + $errormessage = &callssl ($opt); > + } else { #child > + print > "$cgiparams{'ROOTCERT_COUNTRY'}\n"; > + print "$state\n"; > + print "$city\n"; > + print > "$cgiparams{'ROOTCERT_ORGANIZATION'}\n"; > + print "$ou\n"; > + print > "$cgiparams{'ROOTCERT_HOSTNAME'}\n"; > + print > "$cgiparams{'ROOTCERT_EMAIL'}\n"; > + print ".\n"; > + print ".\n"; > + exit (0); > + } > + } > + > + # Sign the host certificate request > + if (!$errormessage) { > + &General::log("ipsec", "Self signing host > cert..."); > + > + #No easy way for specifying the contain of > subjectAltName without writing a config file... > + my ($fh, $v3extname) = tempfile > ('/tmp/XXXXXXXX'); > + print $fh <<END > + basicConstraints=CA:FALSE > + nsComment="OpenSSL Generated Certificate" > + subjectKeyIdentifier=hash > + authorityKeyIdentifier=keyid,issuer:always > + extendedKeyUsage = serverAuth > END > ; > - print $fh "subjectAltName=$cgiparams{'SUBJECTALTNAME'}" > if ($cgiparams{'SUBJECTALTNAME'}); > - close ($fh); > - > - my $opt = " ca -md sha256 -days 999999"; > - $opt .= " -batch -notext"; > - $opt .= " -in ${General::swroot}/certs/hostreq.pem"; > - $opt .= " -out > ${General::swroot}/certs/hostcert.pem"; > - $opt .= " -extfile $v3extname"; > - $errormessage = &callssl ($opt); > - unlink ("${General::swroot}/certs/hostreq.pem"); #no > more needed > - unlink ($v3extname); > - } > - > - # Create an empty CRL > - if (!$errormessage) { > - &General::log("ipsec", "Creating emptycrl..."); > - my $opt = " ca -gencrl"; > - $opt .= " -out ${General::swroot}/crls/cacrl.pem"; > - $errormessage = &callssl ($opt); > - } > - > - # Successfully build CA / CERT! > - if (!$errormessage) { > - &cleanssldatabase(); > - goto ROOTCERT_SUCCESS; > - } > - > - #Cleanup > - unlink ("${General::swroot}/ca/cacert.pem"); > - unlink ("${General::swroot}/certs/hostkey.pem"); > - unlink ("${General::swroot}/certs/hostcert.pem"); > - unlink ("${General::swroot}/crls/cacrl.pem"); > - &cleanssldatabase(); > - } > - > - ROOTCERT_ERROR: > - &Header::showhttpheaders(); > - &Header::openpage($Lang::tr{'ipsec'}, 1, ''); > - &Header::openbigbox('100%', 'left', '', $errormessage); > - if ($errormessage) { > - &Header::openbox('100%', 'left', $Lang::tr{'error > messages'}); > - print "<class name='base'>$errormessage"; > - print " </class>"; > - &Header::closebox(); > - } > - &Header::openbox('100%', 'left', "$Lang::tr{'generate root/host > certificates'}:"); > - print <<END > - <form method='post' enctype='multipart/form-data' > action='$ENV{'SCRIPT_NAME'}'> > - <table width='100%' border='0' cellspacing='1' cellpadding='0'> > - <tr><td width='40%' class='base'>$Lang::tr{'organization > name'}: <img src='/blob.gif' alt='*' /></td> > - <td width='60%' class='base' nowrap='nowrap'><input > type='text' name='ROOTCERT_ORGANIZATION' > value='$cgiparams{'ROOTCERT_ORGANIZATION'}' size='32' /></td></tr> > - <tr><td class='base'>$Lang::tr{'ipfires hostname'}: <img > src='/blob.gif' alt='*' /></td> > - <td class='base' nowrap='nowrap'><input type='text' > name='ROOTCERT_HOSTNAME' value='$cgiparams{'ROOTCERT_HOSTNAME'}' > size='32' /></td></tr> > - <tr><td class='base'>$Lang::tr{'your e-mail'}:</td> > - <td class='base' nowrap='nowrap'><input type='text' > name='ROOTCERT_EMAIL' value='$cgiparams{'ROOTCERT_EMAIL'}' size='32' > /></td></tr> > - <tr><td class='base'>$Lang::tr{'your department'}:</td> > - <td class='base' nowrap='nowrap'><input type='text' > name='ROOTCERT_OU' value='$cgiparams{'ROOTCERT_OU'}' size='32' > /></td></tr> > - <tr><td class='base'>$Lang::tr{'city'}:</td> > - <td class='base' nowrap='nowrap'><input type='text' > name='ROOTCERT_CITY' value='$cgiparams{'ROOTCERT_CITY'}' size='32' > /></td></tr> > - <tr><td class='base'>$Lang::tr{'state or province'}:</td> > - <td class='base' nowrap='nowrap'><input type='text' > name='ROOTCERT_STATE' value='$cgiparams{'ROOTCERT_STATE'}' size='32' > /></td></tr> > - <tr><td class='base'>$Lang::tr{'country'}:</td> > - <td class='base'><select name='ROOTCERT_COUNTRY'> > + print $fh > "subjectAltName=$cgiparams{'SUBJECTALTNAME'}" if > ($cgiparams{'SUBJECTALTNAME'}); > + close ($fh); > + > + my $opt = " ca -md sha256 -days 999999"; > + $opt .= " -batch -notext"; > + $opt .= " -in > ${General::swroot}/certs/hostreq.pem"; > + $opt .= " -out > ${General::swroot}/certs/hostcert.pem"; > + $opt .= " -extfile $v3extname"; > + $errormessage = &callssl ($opt); > + unlink > ("${General::swroot}/certs/hostreq.pem"); #no more needed > + unlink ($v3extname); > + } > + > + # Create an empty CRL > + if (!$errormessage) { > + &General::log("ipsec", "Creating > emptycrl..."); > + my $opt = " ca -gencrl"; > + $opt .= " -out > ${General::swroot}/crls/cacrl.pem"; > + $errormessage = &callssl ($opt); > + } > + > + # Successfully build CA / CERT! > + if (!$errormessage) { > + &cleanssldatabase(); > + goto ROOTCERT_SUCCESS; > + } > + > + #Cleanup > + unlink ("${General::swroot}/ca/cacert.pem"); > + unlink ("${General::swroot}/certs/hostkey.pem"); > + unlink ("${General::swroot}/certs/hostcert.pem"); > + unlink ("${General::swroot}/crls/cacrl.pem"); > + &cleanssldatabase(); > + } > + > + ROOTCERT_ERROR: > + &Header::showhttpheaders(); > + &Header::openpage($Lang::tr{'ipsec'}, 1, ''); > + &Header::openbigbox('100%', 'left', '', $errormessage); > + if ($errormessage) { > + &Header::openbox('100%', 'left', $Lang::tr{'error > messages'}); > + print "<class name='base'>$errormessage"; > + print " </class>"; > + &Header::closebox(); > + } > + &Header::openbox('100%', 'left', "$Lang::tr{'generate > root/host certificates'}:"); > + print <<END > + <form method='post' enctype='multipart/form-data' > action='$ENV{'SCRIPT_NAME'}'> > + <table width='100%' border='0' cellspacing='1' > cellpadding='0'> > + <tr><td width='40%' class='base'>$Lang::tr{'organization > name'}: <img src='/blob.gif' alt='*' /></td> > + <td width='60%' class='base' nowrap='nowrap'><input > type='text' name='ROOTCERT_ORGANIZATION' > value='$cgiparams{'ROOTCERT_ORGANIZATION'}' size='32' /></td></tr> > + <tr><td class='base'>$Lang::tr{'ipfires > hostname'}: <img src='/blob.gif' alt='*' /></td> > + <td class='base' nowrap='nowrap'><input type='text' > name='ROOTCERT_HOSTNAME' value='$cgiparams{'ROOTCERT_HOSTNAME'}' > size='32' /></td></tr> > + <tr><td class='base'>$Lang::tr{'your e-mail'}:</td> > + <td class='base' nowrap='nowrap'><input type='text' > name='ROOTCERT_EMAIL' value='$cgiparams{'ROOTCERT_EMAIL'}' size='32' > /></td></tr> > + <tr><td class='base'>$Lang::tr{'your department'}:</td> > + <td class='base' nowrap='nowrap'><input type='text' > name='ROOTCERT_OU' value='$cgiparams{'ROOTCERT_OU'}' size='32' > /></td></tr> > + <tr><td class='base'>$Lang::tr{'city'}:</td> > + <td class='base' nowrap='nowrap'><input type='text' > name='ROOTCERT_CITY' value='$cgiparams{'ROOTCERT_CITY'}' size='32' > /></td></tr> > + <tr><td class='base'>$Lang::tr{'state or province'}:</td> > + <td class='base' nowrap='nowrap'><input type='text' > name='ROOTCERT_STATE' value='$cgiparams{'ROOTCERT_STATE'}' size='32' > /></td></tr> > + <tr><td class='base'>$Lang::tr{'country'}:</td> > + <td class='base'><select name='ROOTCERT_COUNTRY'> > END > - ; > - foreach my $country (sort keys %{Countries::countries}) { > - print "<option value='$Countries::countries{$country}'"; > - if ( $Countries::countries{$country} eq > $cgiparams{'ROOTCERT_COUNTRY'} ) { > - print " selected='selected'"; > - } > - print ">$country</option>"; > - } > - print <<END > - </select></td></tr> > - <tr><td class='base'>$Lang::tr{'vpn subjectaltname'} > (subjectAltName=email:*,URI:*,DNS:*,RID:*)</td> > +; > + foreach my $country (sort keys %{Countries::countries}) { > + print "<option > value='$Countries::countries{$country}'"; > + if ( $Countries::countries{$country} eq > $cgiparams{'ROOTCERT_COUNTRY'} ) { > + print " selected='selected'"; > + } > + print ">$country</option>"; > + } > + print <<END > + </select></td></tr> > + <tr><td class='base'>$Lang::tr{'vpn subjectaltname'} > (subjectAltName=email:*,URI:*,DNS:*,RID:*)</td> > <td class='base' nowrap='nowrap'><input type='text' > name='SUBJECTALTNAME' value='$cgiparams{'SUBJECTALTNAME'}' size='32' > /></td></tr> > - <tr><td> </td> > - <td><br /><input type='submit' name='ACTION' > value='$Lang::tr{'generate root/host certificates'}' /><br /><br > /></td></tr> > - <tr><td class='base' colspan='2' align='left'> > - <b><font > color='${Header::colourred}'>$Lang::tr{'capswarning'}</font></b>: > - $Lang::tr{'generating the root and host certificates may > take a long time. it can take up to several minutes on older > hardware. please be patient'} > - </td></tr> > - <tr><td colspan='2'><hr></td></tr> > - <tr><td class='base' nowrap='nowrap'>$Lang::tr{'upload p12 > file'}:</td> > - <td nowrap='nowrap'><input type='file' name='FH' size='32' > /></td></tr> > - <tr><td class='base'>$Lang::tr{'pkcs12 file password'}:</td> > - <td class='base' nowrap='nowrap'><input type='password' > name='P12_PASS' value='$cgiparams{'P12_PASS'}' size='32' /></td></tr> > - <tr><td> </td> > - <td><input type='submit' name='ACTION' > value='$Lang::tr{'upload p12 file'}' /></td></tr> > - <tr><td class='base' colspan='2' align='left'> > - <img src='/blob.gif' alt='*' /> $Lang::tr{'required > field'}</td></tr> > - </table></form> > + <tr><td> </td> > + <td><br /><input type='submit' name='ACTION' > value='$Lang::tr{'generate root/host certificates'}' /><br /><br > /></td></tr> > + <tr><td class='base' colspan='2' align='left'> > + <b><font > color='${Header::colourred}'>$Lang::tr{'capswarning'}</font></b>: > + $Lang::tr{'generating the root and host certificates > may take a long time. it can take up to several minutes on older > hardware. please be patient'} > + </td></tr> > + <tr><td colspan='2'><hr></td></tr> > + <tr><td class='base' nowrap='nowrap'>$Lang::tr{'upload p12 > file'}:</td> > + <td nowrap='nowrap'><input type='file' name='FH' > size='32' /></td></tr> > + <tr><td class='base'>$Lang::tr{'pkcs12 file password'}:</td> > + <td class='base' nowrap='nowrap'><input > type='password' name='P12_PASS' value='$cgiparams{'P12_PASS'}' > size='32' /></td></tr> > + <tr><td> </td> > + <td><input type='submit' name='ACTION' > value='$Lang::tr{'upload p12 file'}' /></td></tr> > + <tr><td class='base' colspan='2' align='left'> > + <img src='/blob.gif' alt='*' > /> $Lang::tr{'required field'}</td></tr> > + </table></form> > END > - ; > - &Header::closebox(); > - &Header::closebigbox(); > - &Header::closepage(); > - exit(0); > - > - ROOTCERT_SUCCESS: > - if (&vpnenabled) { > - system('/usr/local/bin/ipsecctrl', 'S'); > - sleep $sleepDelay; > - } > - ROOTCERT_SKIP: > +; > + &Header::closebox(); > + &Header::closebigbox(); > + &Header::closepage(); > + exit(0); > + > + ROOTCERT_SUCCESS: > + if (&vpnenabled) { > + system('/usr/local/bin/ipsecctrl', 'S'); > + sleep $sleepDelay; > + } > + ROOTCERT_SKIP: > ### > ### Export PKCS12 file to browser > ### > } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'download pkcs12 file'}) > { > - &General::readhasharray("${General::swroot}/vpn/config", > \%confighash); > - print "Content-Type: application/force-download\n"; > - print "Content-Disposition: attachment; filename=" . > $confighash{$cgiparams{'KEY'}}[1] . ".p12\r\n"; > - print "Content-Type: application/octet-stream\r\n\r\n"; > - print `/bin/cat > ${General::swroot}/certs/$confighash{$cgiparams{'KEY'}}[1].p12`; > - exit (0); > + &General::readhasharray("${General::swroot}/vpn/config", > \%confighash); > + print "Content-Type: application/force-download\n"; > + print "Content-Disposition: attachment; filename=" . > $confighash{$cgiparams{'KEY'}}[1] . ".p12\r\n"; > + print "Content-Type: application/octet-stream\r\n\r\n"; > + print `/bin/cat > ${General::swroot}/certs/$confighash{$cgiparams{'KEY'}}[1].p12`; > + exit (0); > > ### > ### Display certificate > ### > } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'show certificate'}) { > - &General::readhasharray("${General::swroot}/vpn/config", > \%confighash); > - > - if ( -f > "${General::swroot}/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem") > { > - &Header::showhttpheaders(); > - &Header::openpage($Lang::tr{'ipsec'}, 1, ''); > - &Header::openbigbox('100%', 'left', '', ''); > - &Header::openbox('100%', 'left', "$Lang::tr{'cert'}:"); > - my $output = `/usr/bin/openssl x509 -text -in > ${General::swroot}/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem`; > - $output = &Header::cleanhtml($output,"y"); > - print "<pre>$output</pre>\n"; > - &Header::closebox(); > - print "<div align='center'><a href='/cgi > -bin/vpnmain.cgi'>$Lang::tr{'back'}</a></div>"; > - &Header::closebigbox(); > - &Header::closepage(); > - exit(0); > - } > + &General::readhasharray("${General::swroot}/vpn/config", > \%confighash); > + > + if ( -f > "${General::swroot}/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem") > { > + &Header::showhttpheaders(); > + &Header::openpage($Lang::tr{'ipsec'}, 1, ''); > + &Header::openbigbox('100%', 'left', '', ''); > + &Header::openbox('100%', 'left', > "$Lang::tr{'cert'}:"); > + my $output = `/usr/bin/openssl x509 -text -in > ${General::swroot}/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem`; > + $output = &Header::cleanhtml($output,"y"); > + print "<pre>$output</pre>\n"; > + &Header::closebox(); > + print "<div align='center'><a href='/cgi > -bin/vpnmain.cgi'>$Lang::tr{'back'}</a></div>"; > + &Header::closebigbox(); > + &Header::closepage(); > + exit(0); > + } > > ### > ### Export Certificate to browser > ### > } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'download certificate'}) > { > - &General::readhasharray("${General::swroot}/vpn/config", > \%confighash); > + &General::readhasharray("${General::swroot}/vpn/config", > \%confighash); > > - if ( -f > "${General::swroot}/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem") > { > - print "Content-Type: application/force-download\n"; > - print "Content-Disposition: attachment; filename=" . > $confighash{$cgiparams{'KEY'}}[1] . "cert.pem\n\n"; > - print `/bin/cat > ${General::swroot}/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem`; > - exit (0); > - } > + if ( -f > "${General::swroot}/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem") > { > + print "Content-Type: application/force-download\n"; > + print "Content-Disposition: attachment; filename=" . > $confighash{$cgiparams{'KEY'}}[1] . "cert.pem\n\n"; > + print `/bin/cat > ${General::swroot}/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem`; > + exit (0); > + } > > ### > ### Enable/Disable connection > ### > } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'toggle enable disable'}) > { > - > - &General::readhash("${General::swroot}/vpn/settings", > \%vpnsettings); > - &General::readhasharray("${General::swroot}/vpn/config", > \%confighash); > - > - if ($confighash{$cgiparams{'KEY'}}) { > - if ($confighash{$cgiparams{'KEY'}}[0] eq 'off') { > - $confighash{$cgiparams{'KEY'}}[0] = 'on'; > - > &General::writehasharray("${General::swroot}/vpn/config", > \%confighash); > - &writeipsecfiles(); > - system('/usr/local/bin/ipsecctrl', 'S', > $cgiparams{'KEY'}) if (&vpnenabled); > + > + &General::readhash("${General::swroot}/vpn/settings", > \%vpnsettings); > + &General::readhasharray("${General::swroot}/vpn/config", > \%confighash); > + > + if ($confighash{$cgiparams{'KEY'}}) { > + if ($confighash{$cgiparams{'KEY'}}[0] eq 'off') { > + $confighash{$cgiparams{'KEY'}}[0] = 'on'; > + &General::writehasharray("${General::swroot} > /vpn/config", \%confighash); > + &writeipsecfiles(); > + system('/usr/local/bin/ipsecctrl', 'S', > $cgiparams{'KEY'}) if (&vpnenabled); > + } else { > + system('/usr/local/bin/ipsecctrl', 'D', > $cgiparams{'KEY'}) if (&vpnenabled); > + $confighash{$cgiparams{'KEY'}}[0] = 'off'; > + &General::writehasharray("${General::swroot} > /vpn/config", \%confighash); > + &writeipsecfiles(); > + } > + sleep $sleepDelay; > } else { > - system('/usr/local/bin/ipsecctrl', 'D', > $cgiparams{'KEY'}) if (&vpnenabled); > - $confighash{$cgiparams{'KEY'}}[0] = 'off'; > - > &General::writehasharray("${General::swroot}/vpn/config", > \%confighash); > - &writeipsecfiles(); > + $errormessage = $Lang::tr{'invalid key'}; > } > - sleep $sleepDelay; > - } else { > - $errormessage = $Lang::tr{'invalid key'}; > - } > > ### > ### Restart connection > ### > } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'restart'}) { > - &General::readhash("${General::swroot}/vpn/settings", > \%vpnsettings); > - &General::readhasharray("${General::swroot}/vpn/config", > \%confighash); > + &General::readhash("${General::swroot}/vpn/settings", > \%vpnsettings); > + &General::readhasharray("${General::swroot}/vpn/config", > \%confighash); > > - if ($confighash{$cgiparams{'KEY'}}) { > - if (&vpnenabled) { > - system('/usr/local/bin/ipsecctrl', 'S', > $cgiparams{'KEY'}); > - sleep $sleepDelay; > + if ($confighash{$cgiparams{'KEY'}}) { > + if (&vpnenabled) { > + system('/usr/local/bin/ipsecctrl', 'S', > $cgiparams{'KEY'}); > + sleep $sleepDelay; > + } > + } else { > + $errormessage = $Lang::tr{'invalid key'}; > } > - } else { > - $errormessage = $Lang::tr{'invalid key'}; > - } > > ### > ### Remove connection > ### > } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'remove'}) { > - &General::readhash("${General::swroot}/vpn/settings", > \%vpnsettings); > - &General::readhasharray("${General::swroot}/vpn/config", > \%confighash); > - > - if ($confighash{$cgiparams{'KEY'}}) { > - system('/usr/local/bin/ipsecctrl', 'D', $cgiparams{'KEY'}) > if (&vpnenabled); > - unlink > ("${General::swroot}/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem" > ); > - unlink > ("${General::swroot}/certs/$confighash{$cgiparams{'KEY'}}[1].p12"); > - delete $confighash{$cgiparams{'KEY'}}; > - &General::writehasharray("${General::swroot}/vpn/config", > \%confighash); > - &writeipsecfiles(); > - } else { > - $errormessage = $Lang::tr{'invalid key'}; > - } > + &General::readhash("${General::swroot}/vpn/settings", > \%vpnsettings); > + &General::readhasharray("${General::swroot}/vpn/config", > \%confighash); > + > + if ($confighash{$cgiparams{'KEY'}}) { > + system('/usr/local/bin/ipsecctrl', 'D', > $cgiparams{'KEY'}) if (&vpnenabled); > + unlink > ("${General::swroot}/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem" > ); > + unlink > ("${General::swroot}/certs/$confighash{$cgiparams{'KEY'}}[1].p12"); > + delete $confighash{$cgiparams{'KEY'}}; > + &General::writehasharray("${General::swroot}/vpn/con > fig", \%confighash); > + &writeipsecfiles(); > + } else { > + $errormessage = $Lang::tr{'invalid key'}; > + } > &General::firewall_reload(); > ### > ### Choose between adding a host-net or net-net connection > @@ -1224,20 +1222,20 @@ END > &Header::openbigbox('100%', 'left', '', ''); > &Header::openbox('100%', 'left', $Lang::tr{'connection > type'}); > print <<END > - <form method='post' action='$ENV{'SCRIPT_NAME'}'> > - <b>$Lang::tr{'connection type'}:</b><br /> > - <table> > - <tr><td><input type='radio' name='TYPE' value='host' > checked='checked' /></td> > + <form method='post' action='$ENV{'SCRIPT_NAME'}'> > + <b>$Lang::tr{'connection type'}:</b><br /> > + <table> > + <tr><td><input type='radio' name='TYPE' value='host' > checked='checked' /></td> > <td class='base'>$Lang::tr{'host to net vpn'}</td> > - </tr><tr> > + </tr><tr> > <td><input type='radio' name='TYPE' value='net' > /></td> > <td class='base'>$Lang::tr{'net to net vpn'}</td> > - </tr><tr> > + </tr><tr> > <td align='center' colspan='2'><input type='submit' > name='ACTION' value='$Lang::tr{'add'}' /></td> > - </tr> > - </table></form> > + </tr> > + </table></form> > END > - ; > +; > &Header::closebox(); > &Header::closebigbox(); > &Header::closepage(); > @@ -1246,512 +1244,512 @@ END > ### Adding/Editing/Saving a connection > ### > } elsif (($cgiparams{'ACTION'} eq $Lang::tr{'add'}) || > - ($cgiparams{'ACTION'} eq $Lang::tr{'edit'}) || > - ($cgiparams{'ACTION'} eq $Lang::tr{'save'} && > $cgiparams{'ADVANCED'} eq '')) { > - > - &General::readhash("${General::swroot}/vpn/settings", > \%vpnsettings); > - &General::readhasharray("${General::swroot}/vpn/caconfig", > \%cahash); > - &General::readhasharray("${General::swroot}/vpn/config", > \%confighash); > - > - if ($cgiparams{'ACTION'} eq $Lang::tr{'edit'}) { > - if (! $confighash{$cgiparams{'KEY'}}[0]) { > - $errormessage = $Lang::tr{'invalid key'}; > - goto VPNCONF_END; > - } > - $cgiparams{'ENABLED'} = > $confighash{$cgiparams{'KEY'}}[0]; > - $cgiparams{'NAME'} = > $confighash{$cgiparams{'KEY'}}[1]; > - $cgiparams{'TYPE'} = > $confighash{$cgiparams{'KEY'}}[3]; > - $cgiparams{'AUTH'} = > $confighash{$cgiparams{'KEY'}}[4]; > - $cgiparams{'PSK'} = > $confighash{$cgiparams{'KEY'}}[5]; > - #$cgiparams{'free'} = > $confighash{$cgiparams{'KEY'}}[6]; > - $cgiparams{'LOCAL_ID'} = > $confighash{$cgiparams{'KEY'}}[7]; > - $cgiparams{'LOCAL_SUBNET'} = > $confighash{$cgiparams{'KEY'}}[8]; > - $cgiparams{'REMOTE_ID'} = > $confighash{$cgiparams{'KEY'}}[9]; > - $cgiparams{'REMOTE'} = > $confighash{$cgiparams{'KEY'}}[10]; > - $cgiparams{'REMOTE_SUBNET'} = > $confighash{$cgiparams{'KEY'}}[11]; > - $cgiparams{'REMARK'} = > $confighash{$cgiparams{'KEY'}}[25]; > - $cgiparams{'DPD_ACTION'} = > $confighash{$cgiparams{'KEY'}}[27]; > - $cgiparams{'IKE_VERSION'} = > $confighash{$cgiparams{'KEY'}}[29]; > - $cgiparams{'IKE_ENCRYPTION'} = > $confighash{$cgiparams{'KEY'}}[18]; > - $cgiparams{'IKE_INTEGRITY'} = > $confighash{$cgiparams{'KEY'}}[19]; > - $cgiparams{'IKE_GROUPTYPE'} = > $confighash{$cgiparams{'KEY'}}[20]; > - $cgiparams{'IKE_LIFETIME'} = > $confighash{$cgiparams{'KEY'}}[16]; > - $cgiparams{'ESP_ENCRYPTION'} = > $confighash{$cgiparams{'KEY'}}[21]; > - $cgiparams{'ESP_INTEGRITY'} = > $confighash{$cgiparams{'KEY'}}[22]; > - $cgiparams{'ESP_GROUPTYPE'} = > $confighash{$cgiparams{'KEY'}}[23]; > - if ($cgiparams{'ESP_GROUPTYPE'} eq "") { > - $cgiparams{'ESP_GROUPTYPE'} = > $cgiparams{'IKE_GROUPTYPE'}; > - } > - $cgiparams{'ESP_KEYLIFE'} = > $confighash{$cgiparams{'KEY'}}[17]; > - $cgiparams{'COMPRESSION'} = > $confighash{$cgiparams{'KEY'}}[13]; > - $cgiparams{'ONLY_PROPOSED'} = > $confighash{$cgiparams{'KEY'}}[24]; > - $cgiparams{'PFS'} = > $confighash{$cgiparams{'KEY'}}[28]; > - $cgiparams{'DPD_TIMEOUT'} = > $confighash{$cgiparams{'KEY'}}[30]; > - $cgiparams{'DPD_DELAY'} = > $confighash{$cgiparams{'KEY'}}[31]; > - $cgiparams{'FORCE_MOBIKE'} = > $confighash{$cgiparams{'KEY'}}[32]; > + ($cgiparams{'ACTION'} eq $Lang::tr{'edit'}) || > + ($cgiparams{'ACTION'} eq $Lang::tr{'save'} && > $cgiparams{'ADVANCED'} eq '')) { > > - if (!$cgiparams{'DPD_DELAY'}) { > - $cgiparams{'DPD_DELAY'} = 30; > - } > + &General::readhash("${General::swroot}/vpn/settings", > \%vpnsettings); > + &General::readhasharray("${General::swroot}/vpn/caconfig", > \%cahash); > + &General::readhasharray("${General::swroot}/vpn/config", > \%confighash); > > - if (!$cgiparams{'DPD_TIMEOUT'}) { > - $cgiparams{'DPD_TIMEOUT'} = 120; > - } > + if ($cgiparams{'ACTION'} eq $Lang::tr{'edit'}) { > + if (! $confighash{$cgiparams{'KEY'}}[0]) { > + $errormessage = $Lang::tr{'invalid key'}; > + goto VPNCONF_END; > + } > + $cgiparams{'ENABLED'} = > $confighash{$cgiparams{'KEY'}}[0]; > + $cgiparams{'NAME'} = > $confighash{$cgiparams{'KEY'}}[1]; > + $cgiparams{'TYPE'} = > $confighash{$cgiparams{'KEY'}}[3]; > + $cgiparams{'AUTH'} = > $confighash{$cgiparams{'KEY'}}[4]; > + $cgiparams{'PSK'} = > $confighash{$cgiparams{'KEY'}}[5]; > + #$cgiparams{'free'} = > $confighash{$cgiparams{'KEY'}}[6]; > + $cgiparams{'LOCAL_ID'} = > $confighash{$cgiparams{'KEY'}}[7]; > + $cgiparams{'LOCAL_SUBNET'} = > $confighash{$cgiparams{'KEY'}}[8]; > + $cgiparams{'REMOTE_ID'} = > $confighash{$cgiparams{'KEY'}}[9]; > + $cgiparams{'REMOTE'} = > $confighash{$cgiparams{'KEY'}}[10]; > + $cgiparams{'REMOTE_SUBNET'} = > $confighash{$cgiparams{'KEY'}}[11]; > + $cgiparams{'REMARK'} = > $confighash{$cgiparams{'KEY'}}[25]; > + $cgiparams{'DPD_ACTION'} = > $confighash{$cgiparams{'KEY'}}[27]; > + $cgiparams{'IKE_VERSION'} = > $confighash{$cgiparams{'KEY'}}[29]; > + $cgiparams{'IKE_ENCRYPTION'} = > $confighash{$cgiparams{'KEY'}}[18]; > + $cgiparams{'IKE_INTEGRITY'} = > $confighash{$cgiparams{'KEY'}}[19]; > + $cgiparams{'IKE_GROUPTYPE'} = > $confighash{$cgiparams{'KEY'}}[20]; > + $cgiparams{'IKE_LIFETIME'} = > $confighash{$cgiparams{'KEY'}}[16]; > + $cgiparams{'ESP_ENCRYPTION'} = > $confighash{$cgiparams{'KEY'}}[21]; > + $cgiparams{'ESP_INTEGRITY'} = > $confighash{$cgiparams{'KEY'}}[22]; > + $cgiparams{'ESP_GROUPTYPE'} = > $confighash{$cgiparams{'KEY'}}[23]; > + if ($cgiparams{'ESP_GROUPTYPE'} eq "") { > + $cgiparams{'ESP_GROUPTYPE'} = > $cgiparams{'IKE_GROUPTYPE'}; > + } > + $cgiparams{'ESP_KEYLIFE'} = > $confighash{$cgiparams{'KEY'}}[17]; > + $cgiparams{'COMPRESSION'} = > $confighash{$cgiparams{'KEY'}}[13]; > + $cgiparams{'ONLY_PROPOSED'} = > $confighash{$cgiparams{'KEY'}}[24]; > + $cgiparams{'PFS'} = > $confighash{$cgiparams{'KEY'}}[28]; > + $cgiparams{'DPD_TIMEOUT'} = > $confighash{$cgiparams{'KEY'}}[30]; > + $cgiparams{'DPD_DELAY'} = > $confighash{$cgiparams{'KEY'}}[31]; > + $cgiparams{'FORCE_MOBIKE'} = > $confighash{$cgiparams{'KEY'}}[32]; > + > + if (!$cgiparams{'DPD_DELAY'}) { > + $cgiparams{'DPD_DELAY'} = 30; > + } > > - } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'save'}) { > - $cgiparams{'REMARK'} = > &Header::cleanhtml($cgiparams{'REMARK'}); > - if ($cgiparams{'TYPE'} !~ /^(host|net)$/) { > - $errormessage = $Lang::tr{'connection type is invalid'}; > - goto VPNCONF_ERROR; > - } > + if (!$cgiparams{'DPD_TIMEOUT'}) { > + $cgiparams{'DPD_TIMEOUT'} = 120; > + } > > - if ($cgiparams{'NAME'} !~ /^[a-zA-Z0-9]+$/) { > - $errormessage = $Lang::tr{'name must only contain > characters'}; > - goto VPNCONF_ERROR; > - } > + } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'save'}) { > + $cgiparams{'REMARK'} = > &Header::cleanhtml($cgiparams{'REMARK'}); > + if ($cgiparams{'TYPE'} !~ /^(host|net)$/) { > + $errormessage = $Lang::tr{'connection type > is invalid'}; > + goto VPNCONF_ERROR; > + } > > - if ($cgiparams{'NAME'} =~ > /^(host|01|block|private|clear|packetdefault)$/) { > - $errormessage = $Lang::tr{'name is invalid'}; > - goto VPNCONF_ERROR; > - } > + if ($cgiparams{'NAME'} !~ /^[a-zA-Z0-9]+$/) { > + $errormessage = $Lang::tr{'name must only > contain characters'}; > + goto VPNCONF_ERROR; > + } > > - if (length($cgiparams{'NAME'}) >60) { > - $errormessage = $Lang::tr{'name too long'}; > - goto VPNCONF_ERROR; > - } > + if ($cgiparams{'NAME'} =~ > /^(host|01|block|private|clear|packetdefault)$/) { > + $errormessage = $Lang::tr{'name is > invalid'}; > + goto VPNCONF_ERROR; > + } > > - # Check if there is no other entry with this name > - if (! $cgiparams{'KEY'}) { #only for add > - foreach my $key (keys %confighash) { > - if ($confighash{$key}[1] eq $cgiparams{'NAME'}) { > - $errormessage = $Lang::tr{'a connection with > this name already exists'}; > - goto VPNCONF_ERROR; > + if (length($cgiparams{'NAME'}) >60) { > + $errormessage = $Lang::tr{'name too long'}; > + goto VPNCONF_ERROR; > } > - } > - } > > - if (($cgiparams{'TYPE'} eq 'net') && (! > $cgiparams{'REMOTE'})) { > - $errormessage = $Lang::tr{'invalid input for remote > host/ip'}; > - goto VPNCONF_ERROR; > - } > + # Check if there is no other entry with this name > + if (! $cgiparams{'KEY'}) { #only for add > + foreach my $key (keys %confighash) { > + if ($confighash{$key}[1] eq > $cgiparams{'NAME'}) { > + $errormessage = $Lang::tr{'a > connection with this name already exists'}; > + goto VPNCONF_ERROR; > + } > + } > + } > > - if ($cgiparams{'REMOTE'}) { > - if (($cgiparams{'REMOTE'} ne '%any') && (! > &General::validip($cgiparams{'REMOTE'}))) { > - if (! &General::validfqdn ($cgiparams{'REMOTE'})) { > - $errormessage = $Lang::tr{'invalid input for > remote host/ip'}; > - goto VPNCONF_ERROR; > - } else { > - if (&valid_dns_host($cgiparams{'REMOTE'})) { > - $warnmessage = "$Lang::tr{'check vpn lr'} > $cgiparams{'REMOTE'}. $Lang::tr{'dns check failed'}"; > - } > + if (($cgiparams{'TYPE'} eq 'net') && (! > $cgiparams{'REMOTE'})) { > + $errormessage = $Lang::tr{'invalid input for > remote host/ip'}; > + goto VPNCONF_ERROR; > } > - } > - } > > - unless > (&General::validipandmask($cgiparams{'LOCAL_SUBNET'})) { > - $errormessage = $Lang::tr{'local subnet is invalid'}; > - goto VPNCONF_ERROR; > - } > + if ($cgiparams{'REMOTE'}) { > + if (($cgiparams{'REMOTE'} ne '%any') && (! > &General::validip($cgiparams{'REMOTE'}))) { > + if (! &General::validfqdn > ($cgiparams{'REMOTE'})) { > + $errormessage = > $Lang::tr{'invalid input for remote host/ip'}; > + goto VPNCONF_ERROR; > + } else { > + if > (&valid_dns_host($cgiparams{'REMOTE'})) { > + $warnmessage = > "$Lang::tr{'check vpn lr'} $cgiparams{'REMOTE'}. $Lang::tr{'dns check > failed'}"; > + } > + } > + } > + } > > - # Allow only one roadwarrior/psk without remote IP-address > - if ($cgiparams{'REMOTE'} eq '' && $cgiparams{'AUTH'} eq > 'psk') { > - foreach my $key (keys %confighash) { > - if ( ($cgiparams{'KEY'} ne $key) && > - ($confighash{$key}[4] eq 'psk') && > - ($confighash{$key}[10] eq '') ) { > - $errormessage = $Lang::tr{'you can only > define one roadwarrior connection when using pre-shared key > authentication'}; > + unless > (&General::validipandmask($cgiparams{'LOCAL_SUBNET'})) { > + $errormessage = $Lang::tr{'local subnet is > invalid'}; > goto VPNCONF_ERROR; > } > - } > - } > - if (($cgiparams{'TYPE'} eq 'net') && (! > &General::validipandmask($cgiparams{'REMOTE_SUBNET'}))) { > - $errormessage = $Lang::tr{'remote subnet is invalid'}; > - goto VPNCONF_ERROR; > - } > > - if ($cgiparams{'ENABLED'} !~ /^(on|off)$/) { > - $errormessage = $Lang::tr{'invalid input'}; > - goto VPNCONF_ERROR; > - } > - if ($cgiparams{'EDIT_ADVANCED'} !~ /^(on|off)$/) { > - $errormessage = $Lang::tr{'invalid input'}; > - goto VPNCONF_ERROR; > - } > + # Allow only one roadwarrior/psk without remote IP > -address > + if ($cgiparams{'REMOTE'} eq '' && $cgiparams{'AUTH'} > eq 'psk') { > + foreach my $key (keys %confighash) { > + if ( ($cgiparams{'KEY'} ne $key) && > + ($confighash{$key}[4] eq > 'psk') && > + ($confighash{$key}[10] eq > '') ) { > + $errormessage = > $Lang::tr{'you can only define one roadwarrior connection when using > pre-shared key authentication'}; > + goto VPNCONF_ERROR; > + } > + } > + } > + if (($cgiparams{'TYPE'} eq 'net') && (! > &General::validipandmask($cgiparams{'REMOTE_SUBNET'}))) { > + $errormessage = $Lang::tr{'remote subnet is > invalid'}; > + goto VPNCONF_ERROR; > + } > > - # Allow nothing or a string (DN,FDQN,) beginning with @ > - # with no comma but slashes between RID eg > @O=FR/C=Paris/OU=myhome/CN=franck > - if ( ($cgiparams{'LOCAL_ID'} !~ /^(|[\w.-]*@[\w. =*\/ > -]+|\d+\.\d+\.\d+\.\d+)$/) || > - ($cgiparams{'REMOTE_ID'} !~ /^(|[\w.-]*@[\w. =*\/ > -]+|\d+\.\d+\.\d+\.\d+)$/) || > - (($cgiparams{'REMOTE_ID'} eq $cgiparams{'LOCAL_ID'}) && > ($cgiparams{'LOCAL_ID'} ne '')) > - ) { > - $errormessage = $Lang::tr{'invalid local-remote id'} . > '<br />' . > - 'DER_ASN1_DN: @c=FR/ou=Paris/ou=Home/cn=*<br />' . > - 'FQDN: @ipfire.org<br />' . > - 'USER_FQDN: info(a)ipfire.org<br />' . > - 'IPV4_ADDR: 123.123.123.123'; > - goto VPNCONF_ERROR; > - } > - # If Auth is DN, verify existance of Remote ID. > - if ( $cgiparams{'REMOTE_ID'} eq '' && ( > - $cgiparams{'AUTH'} eq 'auth-dn'|| > # while creation > - $confighash{$cgiparams{'KEY'}}[2] eq '%auth-dn')){ # > while editing > - $errormessage = $Lang::tr{'vpn missing remote id'}; > - goto VPNCONF_ERROR; > - } > + if ($cgiparams{'ENABLED'} !~ /^(on|off)$/) { > + $errormessage = $Lang::tr{'invalid input'}; > + goto VPNCONF_ERROR; > + } > + if ($cgiparams{'EDIT_ADVANCED'} !~ /^(on|off)$/) { > + $errormessage = $Lang::tr{'invalid input'}; > + goto VPNCONF_ERROR; > + } > > - if ($cgiparams{'TYPE'} eq 'net'){ > - $warnmessage=&General::checksubnets('',$cgiparams{'R > EMOTE_SUBNET'},'ipsec'); > - if ($warnmessage ne ''){ > - $warnmessage=$Lang::tr{'remote subnet'}." > ($cgiparams{'REMOTE_SUBNET'}) <br>".$warnmessage; > + # Allow nothing or a string (DN,FDQN,) beginning > with @ > + # with no comma but slashes between RID eg > @O=FR/C=Paris/OU=myhome/CN=franck > + if ( ($cgiparams{'LOCAL_ID'} !~ /^(|[\w.-]*@[\w. > =*\/-]+|\d+\.\d+\.\d+\.\d+)$/) || > + ($cgiparams{'REMOTE_ID'} !~ /^(|[\w.-]*@[\w. > =*\/-]+|\d+\.\d+\.\d+\.\d+)$/) || > + (($cgiparams{'REMOTE_ID'} eq > $cgiparams{'LOCAL_ID'}) && ($cgiparams{'LOCAL_ID'} ne '')) > + ) { > + $errormessage = $Lang::tr{'invalid local > -remote id'} . '<br />' . > + 'DER_ASN1_DN: @c=FR/ou=Paris/ou=Home/cn=*<br > />' . > + 'FQDN: @ipfire.org<br />' . > + 'USER_FQDN: info(a)ipfire.org<br />' . > + 'IPV4_ADDR: 123.123.123.123'; > + goto VPNCONF_ERROR; > + } > + # If Auth is DN, verify existance of Remote ID. > + if ( $cgiparams{'REMOTE_ID'} eq '' && ( > + $cgiparams{'AUTH'} eq 'auth-dn'|| # while > creation > + $confighash{$cgiparams{'KEY'}}[2] eq '%auth > -dn')){ # while editing > + $errormessage = $Lang::tr{'vpn > missing remote id'}; > + goto VPNCONF_ERROR; > } > - } > > - if ($cgiparams{'AUTH'} eq 'psk') { > - if (! length($cgiparams{'PSK'}) ) { > - $errormessage = $Lang::tr{'pre-shared key is too > short'}; > - goto VPNCONF_ERROR; > - } > - if ($cgiparams{'PSK'} =~ /'/) { > - $cgiparams{'PSK'} =~ tr/'/ /; > - $errormessage = $Lang::tr{'invalid characters found > in pre-shared key'}; > - goto VPNCONF_ERROR; > - } > + if ($cgiparams{'TYPE'} eq 'net'){ > + $warnmessage=&General::checksubnets('',$cgip > arams{'REMOTE_SUBNET'},'ipsec'); > + if ($warnmessage ne ''){ > + $warnmessage=$Lang::tr{'remote > subnet'}." ($cgiparams{'REMOTE_SUBNET'}) <br>".$warnmessage; > + } > + } > + > + if ($cgiparams{'AUTH'} eq 'psk') { > + if (! length($cgiparams{'PSK'}) ) { > + $errormessage = $Lang::tr{'pre > -shared key is too short'}; > + goto VPNCONF_ERROR; > + } > + if ($cgiparams{'PSK'} =~ /'/) { > + $cgiparams{'PSK'} =~ tr/'/ /; > + $errormessage = $Lang::tr{'invalid > characters found in pre-shared key'}; > + goto VPNCONF_ERROR; > + } > } elsif ($cgiparams{'AUTH'} eq 'certreq') { > - if ($cgiparams{'KEY'}) { > - $errormessage = $Lang::tr{'cant change > certificates'}; > - goto VPNCONF_ERROR; > - } > - if (ref ($cgiparams{'FH'}) ne 'Fh') { > - $errormessage = $Lang::tr{'there was no file > upload'}; > - goto VPNCONF_ERROR; > - } > + if ($cgiparams{'KEY'}) { > + $errormessage = $Lang::tr{'cant change > certificates'}; > + goto VPNCONF_ERROR; > + } > + if (ref ($cgiparams{'FH'}) ne 'Fh') { > + $errormessage = $Lang::tr{'there was no file > upload'}; > + goto VPNCONF_ERROR; > + } > > - # Move uploaded certificate request to a temporary file > - (my $fh, my $filename) = tempfile( ); > - if (copy ($cgiparams{'FH'}, $fh) != 1) { > - $errormessage = $!; > - goto VPNCONF_ERROR; > - } > + # Move uploaded certificate request to a temporary > file > + (my $fh, my $filename) = tempfile( ); > + if (copy ($cgiparams{'FH'}, $fh) != 1) { > + $errormessage = $!; > + goto VPNCONF_ERROR; > + } > > - # Sign the certificate request > - &General::log("ipsec", "Signing your cert > $cgiparams{'NAME'}..."); > - my $opt = " ca -md sha256 -days 999999"; > + # Sign the certificate request > + &General::log("ipsec", "Signing your cert > $cgiparams{'NAME'}..."); > + my $opt = " ca -md sha256 -days 999999"; > $opt .= " -batch -notext"; > $opt .= " -in $filename"; > $opt .= " -out > ${General::swroot}/certs/$cgiparams{'NAME'}cert.pem"; > > - if ( $errormessage = &callssl ($opt) ) { > - unlink ($filename); > - unlink > ("${General::swroot}/certs/$cgiparams{'NAME'}cert.pem"); > - &cleanssldatabase(); > - goto VPNCONF_ERROR; > - } else { > - unlink ($filename); > - &cleanssldatabase(); > - } > - > - $cgiparams{'CERT_NAME'} = getCNfromcert > ("${General::swroot}/certs/$cgiparams{'NAME'}cert.pem"); > - if ($cgiparams{'CERT_NAME'} eq '') { > - $errormessage = $Lang::tr{'could not retrieve common > name from certificate'}; > - goto VPNCONF_ERROR; > - } > + if ( $errormessage = &callssl ($opt) ) { > + unlink ($filename); > + unlink > ("${General::swroot}/certs/$cgiparams{'NAME'}cert.pem"); > + &cleanssldatabase(); > + goto VPNCONF_ERROR; > + } else { > + unlink ($filename); > + &cleanssldatabase(); > + } > + > + $cgiparams{'CERT_NAME'} = getCNfromcert > ("${General::swroot}/certs/$cgiparams{'NAME'}cert.pem"); > + if ($cgiparams{'CERT_NAME'} eq '') { > + $errormessage = $Lang::tr{'could not > retrieve common name from certificate'}; > + goto VPNCONF_ERROR; > + } > } elsif ($cgiparams{'AUTH'} eq 'pkcs12') { > &General::log("ipsec", "Importing from p12..."); > > if (ref ($cgiparams{'FH'}) ne 'Fh') { > - $errormessage = $Lang::tr{'there was no file > upload'}; > - goto ROOTCERT_ERROR; > + $errormessage = $Lang::tr{'there was no file > upload'}; > + goto ROOTCERT_ERROR; > } > > # Move uploaded certificate request to a temporary > file > (my $fh, my $filename) = tempfile( ); > if (copy ($cgiparams{'FH'}, $fh) != 1) { > - $errormessage = $!; > - goto ROOTCERT_ERROR; > + $errormessage = $!; > + goto ROOTCERT_ERROR; > } > > # Extract the CA certificate from the file > &General::log("ipsec", "Extracting caroot from > p12..."); > if (open(STDIN, "-|")) { > - my $opt = " pkcs12 -cacerts > -nokeys"; > + my $opt = " pkcs12 -cacerts -nokeys"; > $opt .= " -in $filename"; > $opt .= " -out /tmp/newcacert"; > - $errormessage = &callssl ($opt); > - } else { #child > - print "$cgiparams{'P12_PASS'}\n"; > - exit (0); > - } > - > - # Extract the Host certificate from the file > - if (!$errormessage) { > - &General::log("ipsec", "Extracting host cert > from p12..."); > - if (open(STDIN, "-|")) { > - my $opt = " pkcs12 -clcerts -nokeys"; > - $opt .= " -in $filename"; > - $opt .= " -out /tmp/newhostcert"; > $errormessage = &callssl ($opt); > - } else { #child > + } else { #child > print "$cgiparams{'P12_PASS'}\n"; > exit (0); > - } > - } > - > - if (!$errormessage) { > - &General::log("ipsec", "Moving cacert..."); > - #If CA have new subject, add it to our list of > CA > - my $casubject = > &Header::cleanhtml(getsubjectfromcert ('/tmp/newcacert')); > - my @names; > - foreach my $x (keys %cahash) { > - $casubject='' if ($cahash{$x}[1] eq > $casubject); > - unshift (@names,$cahash{$x}[0]); > - } > - if ($casubject) { # a new one! > - my $temp = `/usr/bin/openssl x509 -text -in > /tmp/newcacert`; > - if ($temp !~ /CA:TRUE/i) { > - $errormessage = $Lang::tr{'not a valid > ca certificate'}; > - } else { > - #compute a name for it > - my $idx=0; > - while (grep(/Imported-$idx/, @names) ) > {$idx++}; > - $cgiparams{'CA_NAME'}="Imported-$idx"; > - > $cgiparams{'CERT_NAME'}=&Header::cleanhtml(getCNfromcert > ('/tmp/newhostcert')); > - move("/tmp/newcacert", > "${General::swroot}/ca/$cgiparams{'CA_NAME'}cert.pem"); > - $errormessage = "$Lang::tr{'certificate > file move failed'}: $!" if ($? ne 0); > - if (!$errormessage) { > - my $key = &General::findhasharraykey > (\%cahash); > - $cahash{$key}[0] = > $cgiparams{'CA_NAME'}; > - $cahash{$key}[1] = $casubject; > - &General::writehasharray("${General: > :swroot}/vpn/caconfig", \%cahash); > - system('/usr/local/bin/ipsecctrl', > 'R'); > - } > - } > - } > + } > + > + # Extract the Host certificate from the file > + if (!$errormessage) { > + &General::log("ipsec", "Extracting host cert > from p12..."); > + if (open(STDIN, "-|")) { > + my $opt = " pkcs12 -clcerts > -nokeys"; > + $opt .= " -in $filename"; > + $opt .= " -out /tmp/newhostcert"; > + $errormessage = &callssl ($opt); > + } else { #child > + print "$cgiparams{'P12_PASS'}\n"; > + exit (0); > + } > + } > + > + if (!$errormessage) { > + &General::log("ipsec", "Moving cacert..."); > + #If CA have new subject, add it to our list > of CA > + my $casubject = > &Header::cleanhtml(getsubjectfromcert ('/tmp/newcacert')); > + my @names; > + foreach my $x (keys %cahash) { > + $casubject='' if ($cahash{$x}[1] eq > $casubject); > + unshift (@names,$cahash{$x}[0]); > + } > + if ($casubject) { # a new one! > + my $temp = `/usr/bin/openssl x509 > -text -in /tmp/newcacert`; > + if ($temp !~ /CA:TRUE/i) { > + $errormessage = > $Lang::tr{'not a valid ca certificate'}; > + } else { > + #compute a name for it > + my $idx=0; > + while (grep(/Imported-$idx/, > @names) ) {$idx++}; > + $cgiparams{'CA_NAME'}="Impor > ted-$idx"; > + $cgiparams{'CERT_NAME'}=&Hea > der::cleanhtml(getCNfromcert ('/tmp/newhostcert')); > + move("/tmp/newcacert", > "${General::swroot}/ca/$cgiparams{'CA_NAME'}cert.pem"); > + $errormessage = > "$Lang::tr{'certificate file move failed'}: $!" if ($? ne 0); > + if (!$errormessage) { > + my $key = > &General::findhasharraykey (\%cahash); > + $cahash{$key}[0] = > $cgiparams{'CA_NAME'}; > + $cahash{$key}[1] = > $casubject; > + &General::writehasha > rray("${General::swroot}/vpn/caconfig", \%cahash); > + system('/usr/local/b > in/ipsecctrl', 'R'); > + } > + } > + } > } > if (!$errormessage) { > - &General::log("ipsec", "Moving host cert..."); > - move("/tmp/newhostcert", > "${General::swroot}/certs/$cgiparams{'NAME'}cert.pem"); > - $errormessage = "$Lang::tr{'certificate file > move failed'}: $!" if ($? ne 0); > - } > + &General::log("ipsec", "Moving host > cert..."); > + move("/tmp/newhostcert", > "${General::swroot}/certs/$cgiparams{'NAME'}cert.pem"); > + $errormessage = "$Lang::tr{'certificate file > move failed'}: $!" if ($? ne 0); > + } > > #cleanup temp files > unlink ($filename); > unlink ('/tmp/newcacert'); > unlink ('/tmp/newhostcert'); > if ($errormessage) { > - unlink > ("${General::swroot}/ca/$cgiparams{'CA_NAME'}cert.pem"); > - unlink > ("${General::swroot}/certs/$cgiparams{'NAME'}cert.pem"); > - goto VPNCONF_ERROR; > + unlink > ("${General::swroot}/ca/$cgiparams{'CA_NAME'}cert.pem"); > + unlink > ("${General::swroot}/certs/$cgiparams{'NAME'}cert.pem"); > + goto VPNCONF_ERROR; > } > &General::log("ipsec", "p12 import completed!"); > } elsif ($cgiparams{'AUTH'} eq 'certfile') { > - if ($cgiparams{'KEY'}) { > - $errormessage = $Lang::tr{'cant change > certificates'}; > - goto VPNCONF_ERROR; > - } > - if (ref ($cgiparams{'FH'}) ne 'Fh') { > - $errormessage = $Lang::tr{'there was no file > upload'}; > - goto VPNCONF_ERROR; > - } > - # Move uploaded certificate to a temporary file > - (my $fh, my $filename) = tempfile( ); > - if (copy ($cgiparams{'FH'}, $fh) != 1) { > - $errormessage = $!; > - goto VPNCONF_ERROR; > - } > - > - # Verify the certificate has a valid CA and move it > - &General::log("ipsec", "Validating imported cert against > our known CA..."); > - my $validca = 1; #assume ok > - my $test = `/usr/bin/openssl verify -CAfile > ${General::swroot}/ca/cacert.pem $filename`; > - if ($test !~ /: OK/) { > - my $validca = 0; > - foreach my $key (keys %cahash) { > - $test = `/usr/bin/openssl verify -CAfile > ${General::swroot}/ca/$cahash{$key}[0]cert.pem $filename`; > - if ($test =~ /: OK/) { > - $validca = 1; > - last; > - } > - } > - } > - if (! $validca) { > - $errormessage = $Lang::tr{'certificate does not have > a valid ca associated with it'}; > - unlink ($filename); > - goto VPNCONF_ERROR; > - } else { > - move($filename, > "${General::swroot}/certs/$cgiparams{'NAME'}cert.pem"); > - if ($? ne 0) { > - $errormessage = "$Lang::tr{'certificate file > move failed'}: $!"; > - unlink ($filename); > - goto VPNCONF_ERROR; > + if ($cgiparams{'KEY'}) { > + $errormessage = $Lang::tr{'cant change > certificates'}; > + goto VPNCONF_ERROR; > + } > + if (ref ($cgiparams{'FH'}) ne 'Fh') { > + $errormessage = $Lang::tr{'there was no file > upload'}; > + goto VPNCONF_ERROR; > + } > + # Move uploaded certificate to a temporary file > + (my $fh, my $filename) = tempfile( ); > + if (copy ($cgiparams{'FH'}, $fh) != 1) { > + $errormessage = $!; > + goto VPNCONF_ERROR; > } > - } > > - $cgiparams{'CERT_NAME'} = getCNfromcert > ("${General::swroot}/certs/$cgiparams{'NAME'}cert.pem"); > - if ($cgiparams{'CERT_NAME'} eq '') { > - unlink > ("${General::swroot}/certs/$cgiparams{'NAME'}cert.pem"); > - $errormessage = $Lang::tr{'could not retrieve common > name from certificate'}; > - goto VPNCONF_ERROR; > - } > + # Verify the certificate has a valid CA and move it > + &General::log("ipsec", "Validating imported cert > against our known CA..."); > + my $validca = 1; #assume ok > + my $test = `/usr/bin/openssl verify -CAfile > ${General::swroot}/ca/cacert.pem $filename`; > + if ($test !~ /: OK/) { > + my $validca = 0; > + foreach my $key (keys %cahash) { > + $test = `/usr/bin/openssl verify > -CAfile ${General::swroot}/ca/$cahash{$key}[0]cert.pem $filename`; > + if ($test =~ /: OK/) { > + $validca = 1; > + last; > + } > + } > + } > + if (! $validca) { > + $errormessage = $Lang::tr{'certificate does > not have a valid ca associated with it'}; > + unlink ($filename); > + goto VPNCONF_ERROR; > + } else { > + move($filename, > "${General::swroot}/certs/$cgiparams{'NAME'}cert.pem"); > + if ($? ne 0) { > + $errormessage = > "$Lang::tr{'certificate file move failed'}: $!"; > + unlink ($filename); > + goto VPNCONF_ERROR; > + } > + } > + > + $cgiparams{'CERT_NAME'} = getCNfromcert > ("${General::swroot}/certs/$cgiparams{'NAME'}cert.pem"); > + if ($cgiparams{'CERT_NAME'} eq '') { > + unlink > ("${General::swroot}/certs/$cgiparams{'NAME'}cert.pem"); > + $errormessage = $Lang::tr{'could not > retrieve common name from certificate'}; > + goto VPNCONF_ERROR; > + } > } elsif ($cgiparams{'AUTH'} eq 'certgen') { > - if ($cgiparams{'KEY'}) { > - $errormessage = $Lang::tr{'cant change > certificates'}; > - goto VPNCONF_ERROR; > - } > - # Validate input since the form was submitted > - if (length($cgiparams{'CERT_NAME'}) >60) { > - $errormessage = $Lang::tr{'name too long'}; > - goto VPNCONF_ERROR; > - } > - if ($cgiparams{'CERT_NAME'} !~ /^[a-zA-Z0-9 ,\.\-_]+$/) > { > - $errormessage = $Lang::tr{'invalid input for name'}; > - goto VPNCONF_ERROR; > - } > - if ($cgiparams{'CERT_EMAIL'} ne '' && (! > &General::validemail($cgiparams{'CERT_EMAIL'}))) { > - $errormessage = $Lang::tr{'invalid input for e-mail > address'}; > - goto VPNCONF_ERROR; > - } > - if (length($cgiparams{'CERT_EMAIL'}) > 40) { > - $errormessage = $Lang::tr{'e-mail address too > long'}; > - goto VPNCONF_ERROR; > - } > - if ($cgiparams{'CERT_OU'} ne '' && $cgiparams{'CERT_OU'} > !~ /^[a-zA-Z0-9 ,\.\-_]*$/) { > - $errormessage = $Lang::tr{'invalid input for > department'}; > - goto VPNCONF_ERROR; > - } > - if (length($cgiparams{'CERT_ORGANIZATION'}) >60) { > - $errormessage = $Lang::tr{'organization too long'}; > - goto VPNCONF_ERROR; > - } > - if ($cgiparams{'CERT_ORGANIZATION'} !~ /^[a-zA-Z0-9 ,\.\ > -_]+$/) { > - $errormessage = $Lang::tr{'invalid input for > organization'}; > - goto VPNCONF_ERROR; > - } > - if ($cgiparams{'CERT_CITY'} ne '' && > $cgiparams{'CERT_CITY'} !~ /^[a-zA-Z0-9 ,\.\-_]*$/) { > - $errormessage = $Lang::tr{'invalid input for city'}; > - goto VPNCONF_ERROR; > - } > - if ($cgiparams{'CERT_STATE'} ne '' && > $cgiparams{'CERT_STATE'} !~ /^[a-zA-Z0-9 ,\.\-_]*$/) { > - $errormessage = $Lang::tr{'invalid input for state > or province'}; > - goto VPNCONF_ERROR; > - } > - if ($cgiparams{'CERT_COUNTRY'} !~ /^[A-Z]*$/) { > - $errormessage = $Lang::tr{'invalid input for > country'}; > - goto VPNCONF_ERROR; > - } > - #the exact syntax is a list comma separated of > - # email:any-validemail > - # URI: a uniform resource indicator > - # DNS: a DNS domain name > - # RID: a registered OBJECT IDENTIFIER > - # IP: an IP address > - # example: email:franck(a)foo.com,IP:10.0.0.10,DNS:franck. > foo.com > - > - if ($cgiparams{'SUBJECTALTNAME'} ne '' && > $cgiparams{'SUBJECTALTNAME'} !~ /^(email|URI|DNS|RID|IP):[a-zA-Z0-9 > :\/,\.\-_@]*$/) { > - $errormessage = $Lang::tr{'vpn altname syntax'}; > - goto VPNCONF_ERROR; > - } > + if ($cgiparams{'KEY'}) { > + $errormessage = $Lang::tr{'cant change > certificates'}; > + goto VPNCONF_ERROR; > + } > + # Validate input since the form was submitted > + if (length($cgiparams{'CERT_NAME'}) >60) { > + $errormessage = $Lang::tr{'name too long'}; > + goto VPNCONF_ERROR; > + } > + if ($cgiparams{'CERT_NAME'} !~ /^[a-zA-Z0-9 ,\.\ > -_]+$/) { > + $errormessage = $Lang::tr{'invalid input for > name'}; > + goto VPNCONF_ERROR; > + } > + if ($cgiparams{'CERT_EMAIL'} ne '' && (! > &General::validemail($cgiparams{'CERT_EMAIL'}))) { > + $errormessage = $Lang::tr{'invalid input for > e-mail address'}; > + goto VPNCONF_ERROR; > + } > + if (length($cgiparams{'CERT_EMAIL'}) > 40) { > + $errormessage = $Lang::tr{'e-mail address > too long'}; > + goto VPNCONF_ERROR; > + } > + if ($cgiparams{'CERT_OU'} ne '' && > $cgiparams{'CERT_OU'} !~ /^[a-zA-Z0-9 ,\.\-_]*$/) { > + $errormessage = $Lang::tr{'invalid input for > department'}; > + goto VPNCONF_ERROR; > + } > + if (length($cgiparams{'CERT_ORGANIZATION'}) >60) { > + $errormessage = $Lang::tr{'organization too > long'}; > + goto VPNCONF_ERROR; > + } > + if ($cgiparams{'CERT_ORGANIZATION'} !~ /^[a-zA-Z0-9 > ,\.\-_]+$/) { > + $errormessage = $Lang::tr{'invalid input for > organization'}; > + goto VPNCONF_ERROR; > + } > + if ($cgiparams{'CERT_CITY'} ne '' && > $cgiparams{'CERT_CITY'} !~ /^[a-zA-Z0-9 ,\.\-_]*$/) { > + $errormessage = $Lang::tr{'invalid input for > city'}; > + goto VPNCONF_ERROR; > + } > + if ($cgiparams{'CERT_STATE'} ne '' && > $cgiparams{'CERT_STATE'} !~ /^[a-zA-Z0-9 ,\.\-_]*$/) { > + $errormessage = $Lang::tr{'invalid input for > state or province'}; > + goto VPNCONF_ERROR; > + } > + if ($cgiparams{'CERT_COUNTRY'} !~ /^[A-Z]*$/) { > + $errormessage = $Lang::tr{'invalid input for > country'}; > + goto VPNCONF_ERROR; > + } > + #the exact syntax is a list comma separated of > + # email:any-validemail > + # URI: a uniform resource indicator > + # DNS: a DNS domain name > + # RID: a registered OBJECT IDENTIFIER > + # IP: an IP address > + # example: email:franck(a)foo.com,IP:10.0.0.10,DNS:fra > nck.foo.com > + > + if ($cgiparams{'SUBJECTALTNAME'} ne '' && > $cgiparams{'SUBJECTALTNAME'} !~ /^(email|URI|DNS|RID|IP):[a-zA-Z0-9 > :\/,\.\-_@]*$/) { > + $errormessage = $Lang::tr{'vpn altname > syntax'}; > + goto VPNCONF_ERROR; > + } > > - if (length($cgiparams{'CERT_PASS1'}) < 5) { > - $errormessage = $Lang::tr{'password too short'}; > - goto VPNCONF_ERROR; > - } > - if ($cgiparams{'CERT_PASS1'} ne > $cgiparams{'CERT_PASS2'}) { > - $errormessage = $Lang::tr{'passwords do not match'}; > - goto VPNCONF_ERROR; > - } > + if (length($cgiparams{'CERT_PASS1'}) < 5) { > + $errormessage = $Lang::tr{'password too > short'}; > + goto VPNCONF_ERROR; > + } > + if ($cgiparams{'CERT_PASS1'} ne > $cgiparams{'CERT_PASS2'}) { > + $errormessage = $Lang::tr{'passwords do not > match'}; > + goto VPNCONF_ERROR; > + } > > - # Replace empty strings with a . > - (my $ou = $cgiparams{'CERT_OU'}) =~ s/^\s*$/\./; > - (my $city = $cgiparams{'CERT_CITY'}) =~ s/^\s*$/\./; > - (my $state = $cgiparams{'CERT_STATE'}) =~ s/^\s*$/\./; > + # Replace empty strings with a . > + (my $ou = $cgiparams{'CERT_OU'}) =~ s/^\s*$/\./; > + (my $city = $cgiparams{'CERT_CITY'}) =~ s/^\s*$/\./; > + (my $state = $cgiparams{'CERT_STATE'}) =~ > s/^\s*$/\./; > > - # Create the Client certificate request > - &General::log("ipsec", "Creating a cert..."); > + # Create the Client certificate request > + &General::log("ipsec", "Creating a cert..."); > > - if (open(STDIN, "-|")) { > - my $opt = " req -nodes -rand > /proc/interrupts:/proc/net/rt_cache"; > - $opt .= " -newkey rsa:2048"; > - $opt .= " -keyout > ${General::swroot}/certs/$cgiparams{'NAME'}key.pem"; > - $opt .= " -out > ${General::swroot}/certs/$cgiparams{'NAME'}req.pem"; > + if (open(STDIN, "-|")) { > + my $opt = " req -nodes -rand > /proc/interrupts:/proc/net/rt_cache"; > + $opt .= " -newkey rsa:2048"; > + $opt .= " -keyout > ${General::swroot}/certs/$cgiparams{'NAME'}key.pem"; > + $opt .= " -out > ${General::swroot}/certs/$cgiparams{'NAME'}req.pem"; > + > + if ( $errormessage = &callssl ($opt) ) { > + unlink > ("${General::swroot}/certs/$cgiparams{'NAME'}key.pem"); > + unlink > ("${General::swroot}/certs/$cgiparams{'NAME'}req.pem"); > + goto VPNCONF_ERROR; > + } > + } else { #child > + print "$cgiparams{'CERT_COUNTRY'}\n"; > + print "$state\n"; > + print "$city\n"; > + print "$cgiparams{'CERT_ORGANIZATION'}\n"; > + print "$ou\n"; > + print "$cgiparams{'CERT_NAME'}\n"; > + print "$cgiparams{'CERT_EMAIL'}\n"; > + print ".\n"; > + print ".\n"; > + exit (0); > + } > > - if ( $errormessage = &callssl ($opt) ) { > - unlink > ("${General::swroot}/certs/$cgiparams{'NAME'}key.pem"); > - unlink > ("${General::swroot}/certs/$cgiparams{'NAME'}req.pem"); > - goto VPNCONF_ERROR; > - } > - } else { #child > - print "$cgiparams{'CERT_COUNTRY'}\n"; > - print "$state\n"; > - print "$city\n"; > - print "$cgiparams{'CERT_ORGANIZATION'}\n"; > - print "$ou\n"; > - print "$cgiparams{'CERT_NAME'}\n"; > - print "$cgiparams{'CERT_EMAIL'}\n"; > - print ".\n"; > - print ".\n"; > - exit (0); > - } > - > - # Sign the client certificate request > - &General::log("ipsec", "Signing the cert > $cgiparams{'NAME'}..."); > - > - #No easy way for specifying the contain of > subjectAltName without writing a config file... > - my ($fh, $v3extname) = tempfile ('/tmp/XXXXXXXX'); > - print $fh <<END > - basicConstraints=CA:FALSE > - nsComment="OpenSSL Generated Certificate" > - subjectKeyIdentifier=hash > - extendedKeyUsage=clientAuth > - authorityKeyIdentifier=keyid,issuer:always > + # Sign the client certificate request > + &General::log("ipsec", "Signing the cert > $cgiparams{'NAME'}..."); > + > + #No easy way for specifying the contain of > subjectAltName without writing a config file... > + my ($fh, $v3extname) = tempfile ('/tmp/XXXXXXXX'); > + print $fh <<END > + basicConstraints=CA:FALSE > + nsComment="OpenSSL Generated Certificate" > + subjectKeyIdentifier=hash > + extendedKeyUsage=clientAuth > + authorityKeyIdentifier=keyid,issuer:always > END > ; > - print $fh "subjectAltName=$cgiparams{'SUBJECTALTNAME'}" > if ($cgiparams{'SUBJECTALTNAME'}); > - close ($fh); > - > - my $opt = " ca -md sha256 -days 999999 -batch -notext"; > - $opt .= " -in > ${General::swroot}/certs/$cgiparams{'NAME'}req.pem"; > - $opt .= " -out > ${General::swroot}/certs/$cgiparams{'NAME'}cert.pem"; > - $opt .= " -extfile $v3extname"; > - > - if ( $errormessage = &callssl ($opt) ) { > - unlink ($v3extname); > - unlink > ("${General::swroot}/certs/$cgiparams{'NAME'}key.pem"); > - unlink > ("${General::swroot}/certs/$cgiparams{'NAME'}req.pem"); > - unlink > ("${General::swroot}/certs/$cgiparams{'NAME'}cert.pem"); > - &cleanssldatabase(); > - goto VPNCONF_ERROR; > - } else { > - unlink ($v3extname); > - unlink > ("${General::swroot}/certs/$cgiparams{'NAME'}req.pem"); > - &cleanssldatabase(); > - } > - > - # Create the pkcs12 file > - &General::log("ipsec", "Packing a pkcs12 file..."); > - $opt = " pkcs12 -export"; > - $opt .= " -inkey > ${General::swroot}/certs/$cgiparams{'NAME'}key.pem"; > - $opt .= " -in > ${General::swroot}/certs/$cgiparams{'NAME'}cert.pem"; > - $opt .= " -name \"$cgiparams{'NAME'}\""; > - $opt .= " -passout pass:$cgiparams{'CERT_PASS1'}"; > - $opt .= " -certfile > ${General::swroot}/ca/cacert.pem"; > - $opt .= " -caname > \"$vpnsettings{'ROOTCERT_ORGANIZATION'} CA\""; > - $opt .= " -out > ${General::swroot}/certs/$cgiparams{'NAME'}.p12"; > - > - if ( $errormessage = &callssl ($opt) ) { > - unlink > ("${General::swroot}/certs/$cgiparams{'NAME'}key.pem"); > - unlink > ("${General::swroot}/certs/$cgiparams{'NAME'}cert.pem"); > - unlink > ("${General::swroot}/certs/$cgiparams{'NAME'}.p12"); > - goto VPNCONF_ERROR; > - } else { > - unlink > ("${General::swroot}/certs/$cgiparams{'NAME'}key.pem"); > - } > + print $fh > "subjectAltName=$cgiparams{'SUBJECTALTNAME'}" if > ($cgiparams{'SUBJECTALTNAME'}); > + close ($fh); > + > + my $opt = " ca -md sha256 -days 999999 -batch > -notext"; > + $opt .= " -in > ${General::swroot}/certs/$cgiparams{'NAME'}req.pem"; > + $opt .= " -out > ${General::swroot}/certs/$cgiparams{'NAME'}cert.pem"; > + $opt .= " -extfile $v3extname"; > + > + if ( $errormessage = &callssl ($opt) ) { > + unlink ($v3extname); > + unlink > ("${General::swroot}/certs/$cgiparams{'NAME'}key.pem"); > + unlink > ("${General::swroot}/certs/$cgiparams{'NAME'}req.pem"); > + unlink > ("${General::swroot}/certs/$cgiparams{'NAME'}cert.pem"); > + &cleanssldatabase(); > + goto VPNCONF_ERROR; > + } else { > + unlink ($v3extname); > + unlink > ("${General::swroot}/certs/$cgiparams{'NAME'}req.pem"); > + &cleanssldatabase(); > + } > + > + # Create the pkcs12 file > + &General::log("ipsec", "Packing a pkcs12 file..."); > + $opt = " pkcs12 -export"; > + $opt .= " -inkey > ${General::swroot}/certs/$cgiparams{'NAME'}key.pem"; > + $opt .= " -in > ${General::swroot}/certs/$cgiparams{'NAME'}cert.pem"; > + $opt .= " -name \"$cgiparams{'NAME'}\""; > + $opt .= " -passout pass:$cgiparams{'CERT_PASS1'}"; > + $opt .= " -certfile > ${General::swroot}/ca/cacert.pem"; > + $opt .= " -caname > \"$vpnsettings{'ROOTCERT_ORGANIZATION'} CA\""; > + $opt .= " -out > ${General::swroot}/certs/$cgiparams{'NAME'}.p12"; > + > + if ( $errormessage = &callssl ($opt) ) { > + unlink > ("${General::swroot}/certs/$cgiparams{'NAME'}key.pem"); > + unlink > ("${General::swroot}/certs/$cgiparams{'NAME'}cert.pem"); > + unlink > ("${General::swroot}/certs/$cgiparams{'NAME'}.p12"); > + goto VPNCONF_ERROR; > + } else { > + unlink > ("${General::swroot}/certs/$cgiparams{'NAME'}key.pem"); > + } > } elsif ($cgiparams{'AUTH'} eq 'cert') { > - ;# Nothing, just editing > + ;# Nothing, just editing > } elsif ($cgiparams{'AUTH'} eq 'auth-dn') { > - $cgiparams{'CERT_NAME'} = '%auth-dn'; # a special > value saying 'no cert file' > + $cgiparams{'CERT_NAME'} = '%auth-dn'; # a special > value saying 'no cert file' > } else { > - $errormessage = $Lang::tr{'invalid input for > authentication method'}; > - goto VPNCONF_ERROR; > + $errormessage = $Lang::tr{'invalid input for > authentication method'}; > + goto VPNCONF_ERROR; > } > > # 1)Error message here is not accurate. > @@ -1759,34 +1757,34 @@ END > # 3)Present since initial version (1.3.2.11), it isn't a bug > correction > # Check if there is no other entry with this certificate > name > #if ((! $cgiparams{'KEY'}) && ($cgiparams{'AUTH'} ne 'psk') > && ($cgiparams{'AUTH'} ne 'auth-dn')) { > - # foreach my $key (keys %confighash) { > + # foreach my $key (keys %confighash) { > # if ($confighash{$key}[2] eq > $cgiparams{'CERT_NAME'}) { > - # $errormessage = $Lang::tr{'a connection with > this common name already exists'}; > - # goto VPNCONF_ERROR; > + # $errormessage = $Lang::tr{'a connection > with this common name already exists'}; > + # goto VPNCONF_ERROR; > + # } > # } > - # } > #} > - # Save the config > + # Save the config > > my $key = $cgiparams{'KEY'}; > if (! $key) { > - $key = &General::findhasharraykey (\%confighash); > - foreach my $i (0 .. 32) { $confighash{$key}[$i] = "";} > + $key = &General::findhasharraykey (\%confighash); > + foreach my $i (0 .. 32) { $confighash{$key}[$i] = > "";} > } > $confighash{$key}[0] = $cgiparams{'ENABLED'}; > $confighash{$key}[1] = $cgiparams{'NAME'}; > if ((! $cgiparams{'KEY'}) && $cgiparams{'AUTH'} ne 'psk') { > - $confighash{$key}[2] = $cgiparams{'CERT_NAME'}; > + $confighash{$key}[2] = $cgiparams{'CERT_NAME'}; > } > $confighash{$key}[3] = $cgiparams{'TYPE'}; > if ($cgiparams{'AUTH'} eq 'psk') { > - $confighash{$key}[4] = 'psk'; > - $confighash{$key}[5] = $cgiparams{'PSK'}; > + $confighash{$key}[4] = 'psk'; > + $confighash{$key}[5] = $cgiparams{'PSK'}; > } else { > - $confighash{$key}[4] = 'cert'; > + $confighash{$key}[4] = 'cert'; > } > if ($cgiparams{'TYPE'} eq 'net') { > - $confighash{$key}[11] = $cgiparams{'REMOTE_SUBNET'}; > + $confighash{$key}[11] = $cgiparams{'REMOTE_SUBNET'}; > } > $confighash{$key}[7] = $cgiparams{'LOCAL_ID'}; > $confighash{$key}[8] = $cgiparams{'LOCAL_SUBNET'}; > @@ -1797,7 +1795,7 @@ END > $confighash{$key}[27] = $cgiparams{'DPD_ACTION'}; > $confighash{$key}[29] = $cgiparams{'IKE_VERSION'}; > > - #dont forget advanced value > + # don't forget advanced value > $confighash{$key}[18] = $cgiparams{'IKE_ENCRYPTION'}; > $confighash{$key}[19] = $cgiparams{'IKE_INTEGRITY'}; > $confighash{$key}[20] = $cgiparams{'IKE_GROUPTYPE'}; > @@ -1814,39 +1812,39 @@ END > $confighash{$key}[31] = $cgiparams{'DPD_DELAY'}; > $confighash{$key}[32] = $cgiparams{'FORCE_MOBIKE'}; > > - #free unused fields! > + # free unused fields! > $confighash{$key}[6] = 'off'; > $confighash{$key}[15] = 'off'; > > &General::writehasharray("${General::swroot}/vpn/config", > \%confighash); > &writeipsecfiles(); > if (&vpnenabled) { > - system('/usr/local/bin/ipsecctrl', 'S', $key); > - sleep $sleepDelay; > + system('/usr/local/bin/ipsecctrl', 'S', $key); > + sleep $sleepDelay; > } > if ($cgiparams{'EDIT_ADVANCED'} eq 'on') { > - $cgiparams{'KEY'} = $key; > - $cgiparams{'ACTION'} = $Lang::tr{'advanced'}; > + $cgiparams{'KEY'} = $key; > + $cgiparams{'ACTION'} = $Lang::tr{'advanced'}; > } > goto VPNCONF_END; > - } else { # add new connection > - $cgiparams{'ENABLED'} = 'on'; > +} else { # add new connection > + $cgiparams{'ENABLED'} = 'on'; > if ( ! -f "${General::swroot}/private/cakey.pem" ) { > - $cgiparams{'AUTH'} = 'psk'; > + $cgiparams{'AUTH'} = 'psk'; > } elsif ( ! -f "${General::swroot}/ca/cacert.pem") { > - $cgiparams{'AUTH'} = 'certfile'; > + $cgiparams{'AUTH'} = 'certfile'; > } else { > - $cgiparams{'AUTH'} = 'certgen'; > + $cgiparams{'AUTH'} = 'certgen'; > } > - $cgiparams{'LOCAL_SUBNET'} > ="$netsettings{'GREEN_NETADDRESS'}/$netsettings{'GREEN_NETMASK'}"; > - $cgiparams{'CERT_EMAIL'} = > $vpnsettings{'ROOTCERT_EMAIL'}; > - $cgiparams{'CERT_OU'} = > $vpnsettings{'ROOTCERT_OU'}; > - $cgiparams{'CERT_ORGANIZATION'} = > $vpnsettings{'ROOTCERT_ORGANIZATION'}; > - $cgiparams{'CERT_CITY'} = > $vpnsettings{'ROOTCERT_CITY'}; > - $cgiparams{'CERT_STATE'} = > $vpnsettings{'ROOTCERT_STATE'}; > - $cgiparams{'CERT_COUNTRY'} = > $vpnsettings{'ROOTCERT_COUNTRY'}; > + $cgiparams{'LOCAL_SUBNET'} = > "$netsettings{'GREEN_NETADDRESS'}/$netsettings{'GREEN_NETMASK'}"; > + $cgiparams{'CERT_EMAIL'} = > $vpnsettings{'ROOTCERT_EMAIL'}; > + $cgiparams{'CERT_OU'} = > $vpnsettings{'ROOTCERT_OU'}; > + $cgiparams{'CERT_ORGANIZATION'} = > $vpnsettings{'ROOTCERT_ORGANIZATION'}; > + $cgiparams{'CERT_CITY'} = > $vpnsettings{'ROOTCERT_CITY'}; > + $cgiparams{'CERT_STATE'} = > $vpnsettings{'ROOTCERT_STATE'}; > + $cgiparams{'CERT_COUNTRY'} = > $vpnsettings{'ROOTCERT_COUNTRY'}; > > - # choose appropriate dpd action > + # choose appropriate dpd action > if ($cgiparams{'TYPE'} eq 'host') { > $cgiparams{'DPD_ACTION'} = 'clear'; > } else { > @@ -1867,63 +1865,63 @@ END > > # Default IKE Version to v2 > if (!$cgiparams{'IKE_VERSION'}) { > - $cgiparams{'IKE_VERSION'} = 'ikev2'; > + $cgiparams{'IKE_VERSION'} = 'ikev2'; > } > > # ID are empty > - $cgiparams{'LOCAL_ID'} = ''; > + $cgiparams{'LOCAL_ID'} = ''; > $cgiparams{'REMOTE_ID'} = ''; > > #use default advanced value > - $cgiparams{'IKE_ENCRYPTION'} = > 'aes256gcm128|aes256gcm96|aes256gcm64|aes256|aes192gcm128|aes192gcm96 > |aes192gcm64|aes192|aes128gcm128|aes128gcm96|aes128gcm64|aes128'; > #[18]; > - $cgiparams{'IKE_INTEGRITY'} = 'sha2_512|sha2_256|sha'; > #[19]; > - $cgiparams{'IKE_GROUPTYPE'} = '4096|3072|2048|1536|1024'; > #[20]; > - $cgiparams{'IKE_LIFETIME'} = '3'; #[16]; > - $cgiparams{'ESP_ENCRYPTION'} = > 'aes256gcm128|aes256gcm96|aes256gcm64|aes256|aes192gcm128|aes192gcm96 > |aes192gcm64|aes192|aes128gcm128|aes128gcm96|aes128gcm64|aes128'; > #[21]; > - $cgiparams{'ESP_INTEGRITY'} = 'sha2_512|sha2_256|sha1'; > #[22]; > - $cgiparams{'ESP_GROUPTYPE'} = '4096|3072|2048|1536|1024'; > #[23]; > - $cgiparams{'ESP_KEYLIFE'} = '1'; #[17]; > - $cgiparams{'COMPRESSION'} = 'on'; #[13]; > - $cgiparams{'ONLY_PROPOSED'} = 'off'; #[24]; > - $cgiparams{'PFS'} = 'on'; #[28]; > - } > - > - VPNCONF_ERROR: > - $checked{'ENABLED'}{'off'} = ''; > - $checked{'ENABLED'}{'on'} = ''; > - $checked{'ENABLED'}{$cgiparams{'ENABLED'}} = > "checked='checked'"; > - > - $checked{'EDIT_ADVANCED'}{'off'} = ''; > - $checked{'EDIT_ADVANCED'}{'on'} = ''; > - $checked{'EDIT_ADVANCED'}{$cgiparams{'EDIT_ADVANCED'}} = > "checked='checked'"; > - > - $checked{'AUTH'}{'psk'} = ''; > - $checked{'AUTH'}{'certreq'} = ''; > - $checked{'AUTH'}{'certgen'} = ''; > - $checked{'AUTH'}{'certfile'} = ''; > - $checked{'AUTH'}{'pkcs12'} = ''; > - $checked{'AUTH'}{'auth-dn'} = ''; > - $checked{'AUTH'}{$cgiparams{'AUTH'}} = "checked='checked'"; > - > - &Header::showhttpheaders(); > - &Header::openpage($Lang::tr{'ipsec'}, 1, ''); > - &Header::openbigbox('100%', 'left', '', $errormessage); > - if ($errormessage) { > - &Header::openbox('100%', 'left', $Lang::tr{'error > messages'}); > - print "<class name='base'>$errormessage"; > - print " </class>"; > - &Header::closebox(); > - } > + $cgiparams{'IKE_ENCRYPTION'} = > 'aes256gcm128|aes256gcm96|aes256gcm64|aes256|aes192gcm128|aes192gcm96 > |aes192gcm64|aes192|aes128gcm128|aes128gcm96|aes128gcm64|aes128'; > #[18]; > + $cgiparams{'IKE_INTEGRITY'} = > 'sha2_512|sha2_256|sha'; #[19]; > + $cgiparams{'IKE_GROUPTYPE'} = > '4096|3072|2048|1536|1024'; #[20]; > + $cgiparams{'IKE_LIFETIME'} = '3'; #[16]; > + $cgiparams{'ESP_ENCRYPTION'} = > 'aes256gcm128|aes256gcm96|aes256gcm64|aes256|aes192gcm128|aes192gcm96 > |aes192gcm64|aes192|aes128gcm128|aes128gcm96|aes128gcm64|aes128'; > #[21]; > + $cgiparams{'ESP_INTEGRITY'} = > 'sha2_512|sha2_256|sha1'; #[22]; > + $cgiparams{'ESP_GROUPTYPE'} = > '4096|3072|2048|1536|1024'; #[23]; > + $cgiparams{'ESP_KEYLIFE'} = '1'; #[17]; > + $cgiparams{'COMPRESSION'} = 'on'; #[13]; > + $cgiparams{'ONLY_PROPOSED'} = 'off'; #[24]; > + $cgiparams{'PFS'} = 'on'; > #[28]; > +} > > - if ($warnmessage) { > - &Header::openbox('100%', 'left', "$Lang::tr{'warning > messages'}:"); > - print "<class name='base'>$warnmessage"; > - print " </class>"; > - &Header::closebox(); > - } > +VPNCONF_ERROR: > + $checked{'ENABLED'}{'off'} = ''; > + $checked{'ENABLED'}{'on'} = ''; > + $checked{'ENABLED'}{$cgiparams{'ENABLED'}} = > "checked='checked'"; > + > + $checked{'EDIT_ADVANCED'}{'off'} = ''; > + $checked{'EDIT_ADVANCED'}{'on'} = ''; > + $checked{'EDIT_ADVANCED'}{$cgiparams{'EDIT_ADVANCED'}} = > "checked='checked'"; > + > + $checked{'AUTH'}{'psk'} = ''; > + $checked{'AUTH'}{'certreq'} = ''; > + $checked{'AUTH'}{'certgen'} = ''; > + $checked{'AUTH'}{'certfile'} = ''; > + $checked{'AUTH'}{'pkcs12'} = ''; > + $checked{'AUTH'}{'auth-dn'} = ''; > + $checked{'AUTH'}{$cgiparams{'AUTH'}} = "checked='checked'"; > + > + &Header::showhttpheaders(); > + &Header::openpage($Lang::tr{'ipsec'}, 1, ''); > + &Header::openbigbox('100%', 'left', '', $errormessage); > + if ($errormessage) { > + &Header::openbox('100%', 'left', $Lang::tr{'error > messages'}); > + print "<class name='base'>$errormessage"; > + print " </class>"; > + &Header::closebox(); > + } > + > + if ($warnmessage) { > + &Header::openbox('100%', 'left', "$Lang::tr{'warning > messages'}:"); > + print "<class name='base'>$warnmessage"; > + print " </class>"; > + &Header::closebox(); > + } > > - print "<form method='post' enctype='multipart/form-data' > action='$ENV{'SCRIPT_NAME'}'>"; > - print<<END > + print "<form method='post' enctype='multipart/form-data' > action='$ENV{'SCRIPT_NAME'}'>"; > + print<<END > <input type='hidden' name='TYPE' value='$cgiparams{'TYPE'}' > /> > <input type='hidden' name='IKE_VERSION' > value='$cgiparams{'IKE_VERSION'}' /> > <input type='hidden' name='IKE_ENCRYPTION' > value='$cgiparams{'IKE_ENCRYPTION'}' /> > @@ -1942,172 +1940,172 @@ END > <input type='hidden' name='DPD_TIMEOUT' > value='$cgiparams{'DPD_TIMEOUT'}' /> > <input type='hidden' name='FORCE_MOBIKE' > value='$cgiparams{'FORCE_MOBIKE'}' /> > END > - ; > - if ($cgiparams{'KEY'}) { > - print "<input type='hidden' name='KEY' > value='$cgiparams{'KEY'}' />"; > - print "<input type='hidden' name='NAME' > value='$cgiparams{'NAME'}' />"; > - print "<input type='hidden' name='AUTH' > value='$cgiparams{'AUTH'}' />"; > - } > - > - &Header::openbox('100%', 'left', "$Lang::tr{'connection'}: > $cgiparams{'NAME'}"); > - print "<table width='100%'>"; > - if (!$cgiparams{'KEY'}) { > - print <<EOF; > - <tr> > - <td > width='20%'>$Lang::tr{'name'}: <img src='/blob.gif' alt='*' > /></td> > - <td width='30%'> > - <input type='text' name='NAME' > value='$cgiparams{'NAME'}' size='25' /> > - </td> > - <td colspan="2"></td> > - </tr> > +; > + if ($cgiparams{'KEY'}) { > + print "<input type='hidden' name='KEY' > value='$cgiparams{'KEY'}' />"; > + print "<input type='hidden' name='NAME' > value='$cgiparams{'NAME'}' />"; > + print "<input type='hidden' name='AUTH' > value='$cgiparams{'AUTH'}' />"; > + } > + > + &Header::openbox('100%', 'left', "$Lang::tr{'connection'}: > $cgiparams{'NAME'}"); > + print "<table width='100%'>"; > + if (!$cgiparams{'KEY'}) { > + print <<EOF; > + <tr> > + <td > width='20%'>$Lang::tr{'name'}: <img src='/blob.gif' alt='*' > /></td> > + <td width='30%'> > + <input type='text' > name='NAME' value='$cgiparams{'NAME'}' size='25' /> > + </td> > + <td colspan="2"></td> > + </tr> > EOF > - } > + } > > - my $disabled; > - my $blob; > - if ($cgiparams{'TYPE'} eq 'host') { > + my $disabled; > + my $blob; > + if ($cgiparams{'TYPE'} eq 'host') { > $disabled = "disabled='disabled'"; > - } elsif ($cgiparams{'TYPE'} eq 'net') { > + } elsif ($cgiparams{'TYPE'} eq 'net') { > $blob = "<img src='/blob.gif' alt='*' />"; > - }; > + }; > > - print <<END > + print <<END > <tr> > <td width='20%'>$Lang::tr{'enabled'}</td> > <td width='30%'> > <input type='checkbox' name='ENABLED' > $checked{'ENABLED'}{'on'} /> > </td> > - <td class='boldbase' nowrap='nowrap' > width='20%'>$Lang::tr{'local subnet'} <img src='/blob.gif' > alt='*' /></td> > - <td width='30%'> > - <input type='text' name='LOCAL_SUBNET' > value='$cgiparams{'LOCAL_SUBNET'}' size="25" /> > - </td> > + <td class='boldbase' nowrap='nowrap' > width='20%'>$Lang::tr{'local subnet'} <img src='/blob.gif' > alt='*' /></td> > + <td width='30%'> > + <input type='text' name='LOCAL_SUBNET' > value='$cgiparams{'LOCAL_SUBNET'}' size="25" /> > + </td> > </tr> > <tr> > - <td class='boldbase' width='20%'>$Lang::tr{'remote > host/ip'}: $blob</td> > - <td width='30%'> > - <input type='text' name='REMOTE' > value='$cgiparams{'REMOTE'}' size="25" /> > - </td> > - <td class='boldbase' nowrap='nowrap' > width='20%'>$Lang::tr{'remote subnet'} $blob</td> > - <td width='30%'> > - <input $disabled type='text' name='REMOTE_SUBNET' > value='$cgiparams{'REMOTE_SUBNET'}' size="25" /> > - </td> > + <td class='boldbase' width='20%'>$Lang::tr{'remote > host/ip'}: $blob</td> > + <td width='30%'> > + <input type='text' name='REMOTE' > value='$cgiparams{'REMOTE'}' size="25" /> > + </td> > + <td class='boldbase' nowrap='nowrap' > width='20%'>$Lang::tr{'remote subnet'} $blob</td> > + <td width='30%'> > + <input $disabled type='text' > name='REMOTE_SUBNET' value='$cgiparams{'REMOTE_SUBNET'}' size="25" /> > + </td> > </tr> > <tr> > - <td class='boldbase' width='20%'>$Lang::tr{'vpn local > id'}:</td> > - <td width='30%'> > - <input type='text' name='LOCAL_ID' > value='$cgiparams{'LOCAL_ID'}' size="25" /> > - </td> > - <td class='boldbase' width='20%'>$Lang::tr{'vpn remote > id'}:</td> > - <td width='30%'> > - <input type='text' name='REMOTE_ID' > value='$cgiparams{'REMOTE_ID'}' size="25" /> > - </td> > + <td class='boldbase' width='20%'>$Lang::tr{'vpn > local id'}:</td> > + <td width='30%'> > + <input type='text' name='LOCAL_ID' > value='$cgiparams{'LOCAL_ID'}' size="25" /> > + </td> > + <td class='boldbase' width='20%'>$Lang::tr{'vpn > remote id'}:</td> > + <td width='30%'> > + <input type='text' name='REMOTE_ID' > value='$cgiparams{'REMOTE_ID'}' size="25" /> > + </td> > </tr> > <tr><td colspan="4"><br /></td></tr> > <tr> > - <td class='boldbase' width='20%'>$Lang::tr{'remark > title'}</td> > - <td colspan='3'> > - <input type='text' name='REMARK' > value='$cgiparams{'REMARK'}' maxlength='50' size="73" /> > - </td> > - </tr> > -END > - ; > - if (!$cgiparams{'KEY'}) { > - print "<tr><td colspan='3'><input type='checkbox' > name='EDIT_ADVANCED' $checked{'EDIT_ADVANCED'}{'on'} /> > $Lang::tr{'edit advanced settings when done'}</td></tr>"; > - } > - print "</table>"; > - &Header::closebox(); > - > - if ($cgiparams{'KEY'} && $cgiparams{'AUTH'} eq 'psk') { > - &Header::openbox('100%', 'left', > $Lang::tr{'authentication'}); > - print <<END > - <table width='100%' cellpadding='0' cellspacing='5' > border='0'> > - <tr><td class='base' width='50%'>$Lang::tr{'use a pre-shared > key'}</td> > - <td class='base' width='50%'><input type='password' > name='PSK' size='30' value='$cgiparams{'PSK'}' /></td> > + <td class='boldbase' width='20%'>$Lang::tr{'remark > title'}</td> > + <td colspan='3'> > + <input type='text' name='REMARK' > value='$cgiparams{'REMARK'}' maxlength='50' size="73" /> > + </td> > </tr> > - </table> > END > - ; > +; > + if (!$cgiparams{'KEY'}) { > + print "<tr><td colspan='3'><input type='checkbox' > name='EDIT_ADVANCED' $checked{'EDIT_ADVANCED'}{'on'} /> > $Lang::tr{'edit advanced settings when done'}</td></tr>"; > + } > + print "</table>"; > &Header::closebox(); > - } elsif (! $cgiparams{'KEY'}) { > - my $cakeydisabled = ( ! -f > "${General::swroot}/private/cakey.pem" ) ? "disabled='disabled'" : > ''; > - $cgiparams{'CERT_NAME'} = $Lang::tr{'vpn no full pki'} if > ($cakeydisabled); > - my $cacrtdisabled = ( ! -f > "${General::swroot}/ca/cacert.pem" ) ? "disabled='disabled'" : ''; > > - &Header::openbox('100%', 'left', > $Lang::tr{'authentication'}); > - print <<END > - <table width='100%' cellpadding='0' cellspacing='5' > border='0'> > - <tr><td width='5%'><input type='radio' name='AUTH' > value='psk' $checked{'AUTH'}{'psk'} /></td> > - <td class='base' width='55%'>$Lang::tr{'use a pre-shared > key'}</td> > - <td class='base' width='40%'><input type='password' > name='PSK' size='30' value='$cgiparams{'PSK'}' /></td></tr> > - <tr><td colspan='3' bgcolor='#000000'></td></tr> > - <tr><td><input type='radio' name='AUTH' value='certreq' > $checked{'AUTH'}{'certreq'} $cakeydisabled /></td> > - <td class='base'><hr />$Lang::tr{'upload a certificate > request'}</td> > - <td class='base' rowspan='3' valign='middle'><input > type='file' name='FH' size='30' $cacrtdisabled /></td></tr> > - <tr><td><input type='radio' name='AUTH' value='certfile' > $checked{'AUTH'}{'certfile'} $cacrtdisabled /></td> > - <td class='base'>$Lang::tr{'upload a > certificate'}</td></tr> > - <tr><td><input type='radio' name='AUTH' value='pkcs12' > $cacrtdisabled /></td> > - <td class='base'>$Lang::tr{'upload p12 file'} > $Lang::tr{'pkcs12 file password'}:<input type='password' > name='P12_PASS'/></td></tr> > - <tr><td><input type='radio' name='AUTH' value='auth-dn' > $checked{'AUTH'}{'auth-dn'} $cacrtdisabled /></td> > - <td class='base'><hr />$Lang::tr{'vpn auth > -dn'}</td></tr> > - <tr><td colspan='3' bgcolor='#000000'></td></tr> > - <tr><td><input type='radio' name='AUTH' value='certgen' > $checked{'AUTH'}{'certgen'} $cakeydisabled /></td> > - <td class='base'><hr />$Lang::tr{'generate a > certificate'}</td><td> </td></tr> > - <tr><td> </td> > - <td class='base'>$Lang::tr{'users fullname or system > hostname'}: <img src='/blob.gif' alt='*' /></td> > - <td class='base' nowrap='nowrap'><input type='text' > name='CERT_NAME' value='$cgiparams{'CERT_NAME'}' size='32' > $cakeydisabled /></td></tr> > - <tr><td> </td> > - <td class='base'>$Lang::tr{'users email'}:</td> > - <td class='base' nowrap='nowrap'><input type='text' > name='CERT_EMAIL' value='$cgiparams{'CERT_EMAIL'}' size='32' > $cakeydisabled /></td></tr> > - <tr><td> </td> > - <td class='base'>$Lang::tr{'users department'}:</td> > - <td class='base' nowrap='nowrap'><input type='text' > name='CERT_OU' value='$cgiparams{'CERT_OU'}' size='32' $cakeydisabled > /></td></tr> > - <tr><td> </td> > - <td class='base'>$Lang::tr{'organization name'}:</td> > - <td class='base' nowrap='nowrap'><input type='text' > name='CERT_ORGANIZATION' value='$cgiparams{'CERT_ORGANIZATION'}' > size='32' $cakeydisabled /></td></tr> > - <tr><td> </td> > - <td class='base'>$Lang::tr{'city'}:</td> > - <td class='base' nowrap='nowrap'><input type='text' > name='CERT_CITY' value='$cgiparams{'CERT_CITY'}' size='32' > $cakeydisabled /></td></tr> > - <tr><td> </td> > - <td class='base'>$Lang::tr{'state or province'}:</td> > - <td class='base' nowrap='nowrap'><input type='text' > name='CERT_STATE' value='$cgiparams{'CERT_STATE'}' size='32' > $cakeydisabled /></td></tr> > - <tr><td> </td> > - <td class='base'>$Lang::tr{'country'}:</td> > - <td class='base'><select name='CERT_COUNTRY' > $cakeydisabled> > + if ($cgiparams{'KEY'} && $cgiparams{'AUTH'} eq 'psk') { > + &Header::openbox('100%', 'left', > $Lang::tr{'authentication'}); > + print <<END > + <table width='100%' cellpadding='0' cellspacing='5' > border='0'> > + <tr><td class='base' width='50%'>$Lang::tr{'use a > pre-shared key'}</td> > + <td class='base' width='50%'><input > type='password' name='PSK' size='30' value='$cgiparams{'PSK'}' > /></td> > + </tr> > + </table> > END > - ; > - foreach my $country (sort keys %{Countries::countries}) { > - print "\t\t\t<option > value='$Countries::countries{$country}'"; > - if ( $Countries::countries{$country} eq > $cgiparams{'CERT_COUNTRY'} ) { > - print " selected='selected'"; > - } > - print ">$country</option>\n"; > +; > + &Header::closebox(); > + } elsif (! $cgiparams{'KEY'}) { > + my $cakeydisabled = ( ! -f > "${General::swroot}/private/cakey.pem" ) ? "disabled='disabled'" : > ''; > + $cgiparams{'CERT_NAME'} = $Lang::tr{'vpn no full > pki'} if ($cakeydisabled); > + my $cacrtdisabled = ( ! -f > "${General::swroot}/ca/cacert.pem" ) ? "disabled='disabled'" : ''; > + > + &Header::openbox('100%', 'left', > $Lang::tr{'authentication'}); > + print <<END > + <table width='100%' cellpadding='0' cellspacing='5' > border='0'> > + <tr><td width='5%'><input type='radio' name='AUTH' > value='psk' $checked{'AUTH'}{'psk'} /></td> > + <td class='base' width='55%'>$Lang::tr{'use > a pre-shared key'}</td> > + <td class='base' width='40%'><input > type='password' name='PSK' size='30' value='$cgiparams{'PSK'}' > /></td></tr> > + <tr><td colspan='3' bgcolor='#000000'></td></tr> > + <tr><td><input type='radio' name='AUTH' > value='certreq' $checked{'AUTH'}{'certreq'} $cakeydisabled /></td> > + <td class='base'><hr />$Lang::tr{'upload a > certificate request'}</td> > + <td class='base' rowspan='3' > valign='middle'><input type='file' name='FH' size='30' $cacrtdisabled > /></td></tr> > + <tr><td><input type='radio' name='AUTH' > value='certfile' $checked{'AUTH'}{'certfile'} $cacrtdisabled /></td> > + <td class='base'>$Lang::tr{'upload a > certificate'}</td></tr> > + <tr><td><input type='radio' name='AUTH' > value='pkcs12' $cacrtdisabled /></td> > + <td class='base'>$Lang::tr{'upload p12 > file'} $Lang::tr{'pkcs12 file password'}:<input type='password' > name='P12_PASS'/></td></tr> > + <tr><td><input type='radio' name='AUTH' value='auth > -dn' $checked{'AUTH'}{'auth-dn'} $cacrtdisabled /></td> > + <td class='base'><hr />$Lang::tr{'vpn auth > -dn'}</td></tr> > + <tr><td colspan='3' bgcolor='#000000'></td></tr> > + <tr><td><input type='radio' name='AUTH' > value='certgen' $checked{'AUTH'}{'certgen'} $cakeydisabled /></td> > + <td class='base'><hr />$Lang::tr{'generate a > certificate'}</td><td> </td></tr> > + <tr><td> </td> > + <td class='base'>$Lang::tr{'users fullname > or system hostname'}: <img src='/blob.gif' alt='*' /></td> > + <td class='base' nowrap='nowrap'><input > type='text' name='CERT_NAME' value='$cgiparams{'CERT_NAME'}' > size='32' $cakeydisabled /></td></tr> > + <tr><td> </td> > + <td class='base'>$Lang::tr{'users > email'}:</td> > + <td class='base' nowrap='nowrap'><input > type='text' name='CERT_EMAIL' value='$cgiparams{'CERT_EMAIL'}' > size='32' $cakeydisabled /></td></tr> > + <tr><td> </td> > + <td class='base'>$Lang::tr{'users > department'}:</td> > + <td class='base' nowrap='nowrap'><input > type='text' name='CERT_OU' value='$cgiparams{'CERT_OU'}' size='32' > $cakeydisabled /></td></tr> > + <tr><td> </td> > + <td class='base'>$Lang::tr{'organization > name'}:</td> > + <td class='base' nowrap='nowrap'><input > type='text' name='CERT_ORGANIZATION' > value='$cgiparams{'CERT_ORGANIZATION'}' size='32' $cakeydisabled > /></td></tr> > + <tr><td> </td> > + <td class='base'>$Lang::tr{'city'}:</td> > + <td class='base' nowrap='nowrap'><input > type='text' name='CERT_CITY' value='$cgiparams{'CERT_CITY'}' > size='32' $cakeydisabled /></td></tr> > + <tr><td> </td> > + <td class='base'>$Lang::tr{'state or > province'}:</td> > + <td class='base' nowrap='nowrap'><input > type='text' name='CERT_STATE' value='$cgiparams{'CERT_STATE'}' > size='32' $cakeydisabled /></td></tr> > + <tr><td> </td> > + <td class='base'>$Lang::tr{'country'}:</td> > + <td class='base'><select name='CERT_COUNTRY' > $cakeydisabled> > +END > +; > + foreach my $country (sort keys > %{Countries::countries}) { > + print "\t\t\t<option > value='$Countries::countries{$country}'"; > + if ( $Countries::countries{$country} eq > $cgiparams{'CERT_COUNTRY'} ) { > + print " selected='selected'"; > + } > + print ">$country</option>\n"; > + } > + print <<END > + </select></td></tr> > + > + <tr><td> </td><td class='base'>$Lang::tr{'vpn > subjectaltname'} (subjectAltName=email:*,URI:*,DNS:*,RID:*)</td> > + <td class='base' nowrap='nowrap'><input > type='text' name='SUBJECTALTNAME' > value='$cgiparams{'SUBJECTALTNAME'}' size='32' $cakeydisabled > /></td></tr> > + <tr><td> </td> > + <td class='base'>$Lang::tr{'pkcs12 file > password'}: <img src='/blob.gif' alt='*' /></td> > + <td class='base' nowrap='nowrap'><input > type='password' name='CERT_PASS1' value='$cgiparams{'CERT_PASS1'}' > size='32' $cakeydisabled /></td></tr> > + <tr><td> </td><td > class='base'>$Lang::tr{'pkcs12 file > password'} ($Lang::tr{'confirmation'}): <img > src='/blob.gif' alt='*' /></td> > + <td class='base' nowrap='nowrap'><input > type='password' name='CERT_PASS2' value='$cgiparams{'CERT_PASS2'}' > size='32' $cakeydisabled /></td></tr> > + </table> > +END > +; > + &Header::closebox(); > } > - print <<END > - </select></td></tr> > > - <tr><td> </td><td class='base'>$Lang::tr{'vpn > subjectaltname'} (subjectAltName=email:*,URI:*,DNS:*,RID:*)</td> > - <td class='base' nowrap='nowrap'><input type='text' > name='SUBJECTALTNAME' value='$cgiparams{'SUBJECTALTNAME'}' size='32' > $cakeydisabled /></td></tr> > - <tr><td> </td> > - <td class='base'>$Lang::tr{'pkcs12 file > password'}: <img src='/blob.gif' alt='*' /></td> > - <td class='base' nowrap='nowrap'><input type='password' > name='CERT_PASS1' value='$cgiparams{'CERT_PASS1'}' size='32' > $cakeydisabled /></td></tr> > - <tr><td> </td><td class='base'>$Lang::tr{'pkcs12 file > password'} ($Lang::tr{'confirmation'}): <img > src='/blob.gif' alt='*' /></td> > - <td class='base' nowrap='nowrap'><input type='password' > name='CERT_PASS2' value='$cgiparams{'CERT_PASS2'}' size='32' > $cakeydisabled /></td></tr> > - </table> > -END > - ; > - &Header::closebox(); > - } > - > - print "<div align='center'><input type='submit' name='ACTION' > value='$Lang::tr{'save'}' />"; > - if ($cgiparams{'KEY'}) { > - print "<input type='submit' name='ACTION' > value='$Lang::tr{'advanced'}' />"; > - } > - print "<input type='submit' name='ACTION' > value='$Lang::tr{'cancel'}' /></div></form>"; > - &Header::closebigbox(); > - &Header::closepage(); > - exit (0); > - > - VPNCONF_END: > + print "<div align='center'><input type='submit' > name='ACTION' value='$Lang::tr{'save'}' />"; > + if ($cgiparams{'KEY'}) { > + print "<input type='submit' name='ACTION' > value='$Lang::tr{'advanced'}' />"; > + } > + print "<input type='submit' name='ACTION' > value='$Lang::tr{'cancel'}' /></div></form>"; > + &Header::closebigbox(); > + &Header::closepage(); > + exit (0); > + > + VPNCONF_END: > } > > ### > @@ -2115,291 +2113,288 @@ END > ### > if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) || > ($cgiparams{'ACTION'} eq $Lang::tr{'save'} && > $cgiparams{'ADVANCED'} eq 'yes')) { > - &General::readhash("${General::swroot}/vpn/settings", > \%vpnsettings); > - &General::readhasharray("${General::swroot}/vpn/config", > \%confighash); > - if (! $confighash{$cgiparams{'KEY'}}) { > - $errormessage = $Lang::tr{'invalid key'}; > - goto ADVANCED_END; > - } > - > - if ($cgiparams{'ACTION'} eq $Lang::tr{'save'}) { > - my @temp = split('\|', $cgiparams{'IKE_ENCRYPTION'}); > - if ($#temp < 0) { > - $errormessage = $Lang::tr{'invalid input'}; > - goto ADVANCED_ERROR; > - } > - foreach my $val (@temp) { > - if ($val !~ > /^(aes(256|192|128)(gcm(128|96|64))?|3des|camellia(256|192|128))$/) { > - $errormessage = $Lang::tr{'invalid input'}; > - goto ADVANCED_ERROR; > - } > + &General::readhash("${General::swroot}/vpn/settings", > \%vpnsettings); > + &General::readhasharray("${General::swroot}/vpn/config", > \%confighash); > + if (! $confighash{$cgiparams{'KEY'}}) { > + $errormessage = $Lang::tr{'invalid key'}; > + goto ADVANCED_END; > + } > + > + if ($cgiparams{'ACTION'} eq $Lang::tr{'save'}) { > + my @temp = split('\|', > $cgiparams{'IKE_ENCRYPTION'}); > + if ($#temp < 0) { > + $errormessage = $Lang::tr{'invalid input'}; > + goto ADVANCED_ERROR; > + } > + foreach my $val (@temp) { > + if ($val !~ > /^(aes(256|192|128)(gcm(128|96|64))?|3des|camellia(256|192|128))$/) { > + $errormessage = $Lang::tr{'invalid > input'}; > + goto ADVANCED_ERROR; > + } > + } > + @temp = split('\|', $cgiparams{'IKE_INTEGRITY'}); > + if ($#temp < 0) { > + $errormessage = $Lang::tr{'invalid input'}; > + goto ADVANCED_ERROR; > + } > + foreach my $val (@temp) { > + if ($val !~ > /^(sha2_(512|384|256)|sha|md5|aesxcbc)$/) { > + $errormessage = $Lang::tr{'invalid > input'}; > + goto ADVANCED_ERROR; > + } > + } > + @temp = split('\|', $cgiparams{'IKE_GROUPTYPE'}); > + if ($#temp < 0) { > + $errormessage = $Lang::tr{'invalid input'}; > + goto ADVANCED_ERROR; > + } > + foreach my $val (@temp) { > + if ($val !~ > /^(e521|e384|e256|e224|e192|e512bp|e384bp|e256bp|e224bp|1024|1536|204 > 8|2048s256|2048s224|2048s160|3072|4096|6144|8192)$/) { > + $errormessage = $Lang::tr{'invalid > input'}; > + goto ADVANCED_ERROR; > + } > + } > + if ($cgiparams{'IKE_LIFETIME'} !~ /^\d+$/) { > + $errormessage = $Lang::tr{'invalid input for > ike lifetime'}; > + goto ADVANCED_ERROR; > + } > + if ($cgiparams{'IKE_LIFETIME'} < 1 || > $cgiparams{'IKE_LIFETIME'} > 8) { > + $errormessage = $Lang::tr{'ike lifetime > should be between 1 and 8 hours'}; > + goto ADVANCED_ERROR; > + } > + @temp = split('\|', $cgiparams{'ESP_ENCRYPTION'}); > + if ($#temp < 0) { > + $errormessage = $Lang::tr{'invalid input'}; > + goto ADVANCED_ERROR; > + } > + foreach my $val (@temp) { > + if ($val !~ > /^(aes(256|192|128)(gcm(128|96|64))?|3des|camellia(256|192|128))$/) { > + $errormessage = $Lang::tr{'invalid > input'}; > + goto ADVANCED_ERROR; > + } > + } > + @temp = split('\|', $cgiparams{'ESP_INTEGRITY'}); > + if ($#temp < 0) { > + $errormessage = $Lang::tr{'invalid input'}; > + goto ADVANCED_ERROR; > + } > + foreach my $val (@temp) { > + if ($val !~ > /^(sha2_(512|384|256)|sha1|md5|aesxcbc)$/) { > + $errormessage = $Lang::tr{'invalid > input'}; > + goto ADVANCED_ERROR; > + } > + } > + @temp = split('\|', $cgiparams{'ESP_GROUPTYPE'}); > + if ($#temp < 0) { > + $errormessage = $Lang::tr{'invalid input'}; > + goto ADVANCED_ERROR; > + } > + foreach my $val (@temp) { > + if ($val !~ > /^(e521|e384|e256|e224|e192|e512bp|e384bp|e256bp|e224bp|1024|1536|204 > 8|2048s256|2048s224|2048s160|3072|4096|6144|8192|none)$/) { > + $errormessage = $Lang::tr{'invalid > input'}; > + goto ADVANCED_ERROR; > + } > + } > + if ($cgiparams{'ESP_KEYLIFE'} !~ /^\d+$/) { > + $errormessage = $Lang::tr{'invalid input for > esp keylife'}; > + goto ADVANCED_ERROR; > + } > + if ($cgiparams{'ESP_KEYLIFE'} < 1 || > $cgiparams{'ESP_KEYLIFE'} > 24) { > + $errormessage = $Lang::tr{'esp keylife > should be between 1 and 24 hours'}; > + goto ADVANCED_ERROR; > + } > + > + if (($cgiparams{'COMPRESSION'} !~ /^(|on|off)$/) || > + ($cgiparams{'FORCE_MOBIKE'} !~ > /^(|on|off)$/) || > + ($cgiparams{'ONLY_PROPOSED'} !~ > /^(|on|off)$/) || > + ($cgiparams{'PFS'} !~ /^(|on|off)$/)) { > + $errormessage = $Lang::tr{'invalid input'}; > + goto ADVANCED_ERROR; > + } > + > + if ($cgiparams{'DPD_DELAY'} !~ /^\d+$/) { > + $errormessage = $Lang::tr{'invalid input for > dpd delay'}; > + goto ADVANCED_ERROR; > + } > + > + if ($cgiparams{'DPD_TIMEOUT'} !~ /^\d+$/) { > + $errormessage = $Lang::tr{'invalid input for > dpd timeout'}; > + goto ADVANCED_ERROR; > + } > + > + $confighash{$cgiparams{'KEY'}}[29] = > $cgiparams{'IKE_VERSION'}; > + $confighash{$cgiparams{'KEY'}}[18] = > $cgiparams{'IKE_ENCRYPTION'}; > + $confighash{$cgiparams{'KEY'}}[19] = > $cgiparams{'IKE_INTEGRITY'}; > + $confighash{$cgiparams{'KEY'}}[20] = > $cgiparams{'IKE_GROUPTYPE'}; > + $confighash{$cgiparams{'KEY'}}[16] = > $cgiparams{'IKE_LIFETIME'}; > + $confighash{$cgiparams{'KEY'}}[21] = > $cgiparams{'ESP_ENCRYPTION'}; > + $confighash{$cgiparams{'KEY'}}[22] = > $cgiparams{'ESP_INTEGRITY'}; > + $confighash{$cgiparams{'KEY'}}[23] = > $cgiparams{'ESP_GROUPTYPE'}; > + $confighash{$cgiparams{'KEY'}}[17] = > $cgiparams{'ESP_KEYLIFE'}; > + $confighash{$cgiparams{'KEY'}}[12] = 'off'; > #$cgiparams{'AGGRMODE'}; > + $confighash{$cgiparams{'KEY'}}[13] = > $cgiparams{'COMPRESSION'}; > + $confighash{$cgiparams{'KEY'}}[24] = > $cgiparams{'ONLY_PROPOSED'}; > + $confighash{$cgiparams{'KEY'}}[28] = > $cgiparams{'PFS'}; > + $confighash{$cgiparams{'KEY'}}[27] = > $cgiparams{'DPD_ACTION'}; > + $confighash{$cgiparams{'KEY'}}[30] = > $cgiparams{'DPD_TIMEOUT'}; > + $confighash{$cgiparams{'KEY'}}[31] = > $cgiparams{'DPD_DELAY'}; > + $confighash{$cgiparams{'KEY'}}[32] = > $cgiparams{'FORCE_MOBIKE'}; > + &General::writehasharray("${General::swroot}/vpn/con > fig", \%confighash); > + &writeipsecfiles(); > + if (&vpnenabled) { > + system('/usr/local/bin/ipsecctrl', 'S', > $cgiparams{'KEY'}); > + sleep $sleepDelay; > + } > + goto ADVANCED_END; > + } else { > + $cgiparams{'IKE_VERSION'} = > $confighash{$cgiparams{'KEY'}}[29]; > + $cgiparams{'IKE_ENCRYPTION'} = > $confighash{$cgiparams{'KEY'}}[18]; > + $cgiparams{'IKE_INTEGRITY'} = > $confighash{$cgiparams{'KEY'}}[19]; > + $cgiparams{'IKE_GROUPTYPE'} = > $confighash{$cgiparams{'KEY'}}[20]; > + $cgiparams{'IKE_LIFETIME'} = > $confighash{$cgiparams{'KEY'}}[16]; > + $cgiparams{'ESP_ENCRYPTION'} = > $confighash{$cgiparams{'KEY'}}[21]; > + $cgiparams{'ESP_INTEGRITY'} = > $confighash{$cgiparams{'KEY'}}[22]; > + $cgiparams{'ESP_GROUPTYPE'} = > $confighash{$cgiparams{'KEY'}}[23]; > + if ($cgiparams{'ESP_GROUPTYPE'} eq "") { > + $cgiparams{'ESP_GROUPTYPE'} = > $cgiparams{'IKE_GROUPTYPE'}; > + } > + $cgiparams{'ESP_KEYLIFE'} = > $confighash{$cgiparams{'KEY'}}[17]; > + $cgiparams{'COMPRESSION'} = > $confighash{$cgiparams{'KEY'}}[13]; > + $cgiparams{'ONLY_PROPOSED'} = > $confighash{$cgiparams{'KEY'}}[24]; > + $cgiparams{'PFS'} = > $confighash{$cgiparams{'KEY'}}[28]; > + $cgiparams{'DPD_ACTION'} = > $confighash{$cgiparams{'KEY'}}[27]; > + $cgiparams{'DPD_TIMEOUT'} = > $confighash{$cgiparams{'KEY'}}[30]; > + $cgiparams{'DPD_DELAY'} = > $confighash{$cgiparams{'KEY'}}[31]; > + $cgiparams{'FORCE_MOBIKE'} = > $confighash{$cgiparams{'KEY'}}[32]; > + > + if (!$cgiparams{'DPD_DELAY'}) { > + $cgiparams{'DPD_DELAY'} = 30; > + } > + > + if (!$cgiparams{'DPD_TIMEOUT'}) { > + $cgiparams{'DPD_TIMEOUT'} = 120; > + } > } > + > + ADVANCED_ERROR: > + $checked{'IKE_ENCRYPTION'}{'aes256'} = ''; > + $checked{'IKE_ENCRYPTION'}{'aes192'} = ''; > + $checked{'IKE_ENCRYPTION'}{'aes128'} = ''; > + $checked{'IKE_ENCRYPTION'}{'aes256gcm128'} = ''; > + $checked{'IKE_ENCRYPTION'}{'aes192gcm128'} = ''; > + $checked{'IKE_ENCRYPTION'}{'aes128gcm128'} = ''; > + $checked{'IKE_ENCRYPTION'}{'aes256gcm96'} = ''; > + $checked{'IKE_ENCRYPTION'}{'aes192gcm96'} = ''; > + $checked{'IKE_ENCRYPTION'}{'aes128gcm96'} = ''; > + $checked{'IKE_ENCRYPTION'}{'aes256gcm64'} = ''; > + $checked{'IKE_ENCRYPTION'}{'aes192gcm64'} = ''; > + $checked{'IKE_ENCRYPTION'}{'aes128gcm64'} = ''; > + $checked{'IKE_ENCRYPTION'}{'3des'} = ''; > + $checked{'IKE_ENCRYPTION'}{'camellia256'} = ''; > + $checked{'IKE_ENCRYPTION'}{'camellia192'} = ''; > + $checked{'IKE_ENCRYPTION'}{'camellia128'} = ''; > + my @temp = split('\|', $cgiparams{'IKE_ENCRYPTION'}); > + foreach my $key (@temp) {$checked{'IKE_ENCRYPTION'}{$key} = > "selected='selected'"; } > + $checked{'IKE_INTEGRITY'}{'sha2_512'} = ''; > + $checked{'IKE_INTEGRITY'}{'sha2_384'} = ''; > + $checked{'IKE_INTEGRITY'}{'sha2_256'} = ''; > + $checked{'IKE_INTEGRITY'}{'sha'} = ''; > + $checked{'IKE_INTEGRITY'}{'md5'} = ''; > + $checked{'IKE_INTEGRITY'}{'aesxcbc'} = ''; > @temp = split('\|', $cgiparams{'IKE_INTEGRITY'}); > - if ($#temp < 0) { > - $errormessage = $Lang::tr{'invalid input'}; > - goto ADVANCED_ERROR; > - } > - foreach my $val (@temp) { > - if ($val !~ /^(sha2_(512|384|256)|sha|md5|aesxcbc)$/) { > - $errormessage = $Lang::tr{'invalid input'}; > - goto ADVANCED_ERROR; > - } > - } > + foreach my $key (@temp) {$checked{'IKE_INTEGRITY'}{$key} = > "selected='selected'"; } > + $checked{'IKE_GROUPTYPE'}{'768'} = ''; > + $checked{'IKE_GROUPTYPE'}{'1024'} = ''; > + $checked{'IKE_GROUPTYPE'}{'1536'} = ''; > + $checked{'IKE_GROUPTYPE'}{'2048'} = ''; > + $checked{'IKE_GROUPTYPE'}{'3072'} = ''; > + $checked{'IKE_GROUPTYPE'}{'4096'} = ''; > + $checked{'IKE_GROUPTYPE'}{'6144'} = ''; > + $checked{'IKE_GROUPTYPE'}{'8192'} = ''; > @temp = split('\|', $cgiparams{'IKE_GROUPTYPE'}); > - if ($#temp < 0) { > - $errormessage = $Lang::tr{'invalid input'}; > - goto ADVANCED_ERROR; > - } > - foreach my $val (@temp) { > - if ($val !~ > /^(e521|e384|e256|e224|e192|e512bp|e384bp|e256bp|e224bp|1024|1536|204 > 8|2048s256|2048s224|2048s160|3072|4096|6144|8192)$/) { > - $errormessage = $Lang::tr{'invalid input'}; > - goto ADVANCED_ERROR; > - } > - } > - if ($cgiparams{'IKE_LIFETIME'} !~ /^\d+$/) { > - $errormessage = $Lang::tr{'invalid input for ike > lifetime'}; > - goto ADVANCED_ERROR; > - } > - if ($cgiparams{'IKE_LIFETIME'} < 1 || > $cgiparams{'IKE_LIFETIME'} > 8) { > - $errormessage = $Lang::tr{'ike lifetime should be > between 1 and 8 hours'}; > - goto ADVANCED_ERROR; > - } > + foreach my $key (@temp) {$checked{'IKE_GROUPTYPE'}{$key} = > "selected='selected'"; } > + > + # 768 is not supported by strongswan > + $checked{'IKE_GROUPTYPE'}{'768'} = ''; > + > + $checked{'ESP_ENCRYPTION'}{'aes256'} = ''; > + $checked{'ESP_ENCRYPTION'}{'aes192'} = ''; > + $checked{'ESP_ENCRYPTION'}{'aes128'} = ''; > + $checked{'ESP_ENCRYPTION'}{'aes256gcm128'} = ''; > + $checked{'ESP_ENCRYPTION'}{'aes192gcm128'} = ''; > + $checked{'ESP_ENCRYPTION'}{'aes128gcm128'} = ''; > + $checked{'ESP_ENCRYPTION'}{'aes256gcm96'} = ''; > + $checked{'ESP_ENCRYPTION'}{'aes192gcm96'} = ''; > + $checked{'ESP_ENCRYPTION'}{'aes128gcm96'} = ''; > + $checked{'ESP_ENCRYPTION'}{'aes256gcm64'} = ''; > + $checked{'ESP_ENCRYPTION'}{'aes192gcm64'} = ''; > + $checked{'ESP_ENCRYPTION'}{'aes128gcm64'} = ''; > + $checked{'ESP_ENCRYPTION'}{'3des'} = ''; > + $checked{'ESP_ENCRYPTION'}{'camellia256'} = ''; > + $checked{'ESP_ENCRYPTION'}{'camellia192'} = ''; > + $checked{'ESP_ENCRYPTION'}{'camellia128'} = ''; > @temp = split('\|', $cgiparams{'ESP_ENCRYPTION'}); > - if ($#temp < 0) { > - $errormessage = $Lang::tr{'invalid input'}; > - goto ADVANCED_ERROR; > - } > - foreach my $val (@temp) { > - if ($val !~ > /^(aes(256|192|128)(gcm(128|96|64))?|3des|camellia(256|192|128))$/) { > - $errormessage = $Lang::tr{'invalid input'}; > - goto ADVANCED_ERROR; > - } > - } > + foreach my $key (@temp) {$checked{'ESP_ENCRYPTION'}{$key} = > "selected='selected'"; } > + $checked{'ESP_INTEGRITY'}{'sha2_512'} = ''; > + $checked{'ESP_INTEGRITY'}{'sha2_384'} = ''; > + $checked{'ESP_INTEGRITY'}{'sha2_256'} = ''; > + $checked{'ESP_INTEGRITY'}{'sha1'} = ''; > + $checked{'ESP_INTEGRITY'}{'md5'} = ''; > + $checked{'ESP_INTEGRITY'}{'aesxcbc'} = ''; > @temp = split('\|', $cgiparams{'ESP_INTEGRITY'}); > - if ($#temp < 0) { > - $errormessage = $Lang::tr{'invalid input'}; > - goto ADVANCED_ERROR; > - } > - foreach my $val (@temp) { > - if ($val !~ /^(sha2_(512|384|256)|sha1|md5|aesxcbc)$/) { > - $errormessage = $Lang::tr{'invalid input'}; > - goto ADVANCED_ERROR; > - } > - } > + foreach my $key (@temp) {$checked{'ESP_INTEGRITY'}{$key} = > "selected='selected'"; } > + $checked{'ESP_GROUPTYPE'}{'768'} = ''; > + $checked{'ESP_GROUPTYPE'}{'1024'} = ''; > + $checked{'ESP_GROUPTYPE'}{'1536'} = ''; > + $checked{'ESP_GROUPTYPE'}{'2048'} = ''; > + $checked{'ESP_GROUPTYPE'}{'3072'} = ''; > + $checked{'ESP_GROUPTYPE'}{'4096'} = ''; > + $checked{'ESP_GROUPTYPE'}{'6144'} = ''; > + $checked{'ESP_GROUPTYPE'}{'8192'} = ''; > + $checked{'ESP_GROUPTYPE'}{'none'} = ''; > @temp = split('\|', $cgiparams{'ESP_GROUPTYPE'}); > - if ($#temp < 0) { > - $errormessage = $Lang::tr{'invalid input'}; > - goto ADVANCED_ERROR; > - } > - foreach my $val (@temp) { > - if ($val !~ > /^(e521|e384|e256|e224|e192|e512bp|e384bp|e256bp|e224bp|1024|1536|204 > 8|2048s256|2048s224|2048s160|3072|4096|6144|8192|none)$/) { > - $errormessage = $Lang::tr{'invalid input'}; > - goto ADVANCED_ERROR; > - } > - } > - if ($cgiparams{'ESP_KEYLIFE'} !~ /^\d+$/) { > - $errormessage = $Lang::tr{'invalid input for esp > keylife'}; > - goto ADVANCED_ERROR; > - } > - if ($cgiparams{'ESP_KEYLIFE'} < 1 || > $cgiparams{'ESP_KEYLIFE'} > 24) { > - $errormessage = $Lang::tr{'esp keylife should be between > 1 and 24 hours'}; > - goto ADVANCED_ERROR; > - } > - > - if ( > - ($cgiparams{'COMPRESSION'} !~ /^(|on|off)$/) || > - ($cgiparams{'FORCE_MOBIKE'} !~ /^(|on|off)$/) || > - ($cgiparams{'ONLY_PROPOSED'} !~ /^(|on|off)$/) || > - ($cgiparams{'PFS'} !~ /^(|on|off)$/) > - ){ > - $errormessage = $Lang::tr{'invalid input'}; > - goto ADVANCED_ERROR; > - } > - > - if ($cgiparams{'DPD_DELAY'} !~ /^\d+$/) { > - $errormessage = $Lang::tr{'invalid input for dpd > delay'}; > - goto ADVANCED_ERROR; > - } > - > - if ($cgiparams{'DPD_TIMEOUT'} !~ /^\d+$/) { > - $errormessage = $Lang::tr{'invalid input for dpd > timeout'}; > - goto ADVANCED_ERROR; > - } > - > - $confighash{$cgiparams{'KEY'}}[29] = > $cgiparams{'IKE_VERSION'}; > - $confighash{$cgiparams{'KEY'}}[18] = > $cgiparams{'IKE_ENCRYPTION'}; > - $confighash{$cgiparams{'KEY'}}[19] = > $cgiparams{'IKE_INTEGRITY'}; > - $confighash{$cgiparams{'KEY'}}[20] = > $cgiparams{'IKE_GROUPTYPE'}; > - $confighash{$cgiparams{'KEY'}}[16] = > $cgiparams{'IKE_LIFETIME'}; > - $confighash{$cgiparams{'KEY'}}[21] = > $cgiparams{'ESP_ENCRYPTION'}; > - $confighash{$cgiparams{'KEY'}}[22] = > $cgiparams{'ESP_INTEGRITY'}; > - $confighash{$cgiparams{'KEY'}}[23] = > $cgiparams{'ESP_GROUPTYPE'}; > - $confighash{$cgiparams{'KEY'}}[17] = > $cgiparams{'ESP_KEYLIFE'}; > - $confighash{$cgiparams{'KEY'}}[12] = 'off'; > #$cgiparams{'AGGRMODE'}; > - $confighash{$cgiparams{'KEY'}}[13] = > $cgiparams{'COMPRESSION'}; > - $confighash{$cgiparams{'KEY'}}[24] = > $cgiparams{'ONLY_PROPOSED'}; > - $confighash{$cgiparams{'KEY'}}[28] = $cgiparams{'PFS'}; > - $confighash{$cgiparams{'KEY'}}[27] = > $cgiparams{'DPD_ACTION'}; > - $confighash{$cgiparams{'KEY'}}[30] = > $cgiparams{'DPD_TIMEOUT'}; > - $confighash{$cgiparams{'KEY'}}[31] = > $cgiparams{'DPD_DELAY'}; > - $confighash{$cgiparams{'KEY'}}[32] = > $cgiparams{'FORCE_MOBIKE'}; > - &General::writehasharray("${General::swroot}/vpn/config", > \%confighash); > - &writeipsecfiles(); > - if (&vpnenabled) { > - system('/usr/local/bin/ipsecctrl', 'S', > $cgiparams{'KEY'}); > - sleep $sleepDelay; > - } > - goto ADVANCED_END; > - } else { > - $cgiparams{'IKE_VERSION'} = > $confighash{$cgiparams{'KEY'}}[29]; > - $cgiparams{'IKE_ENCRYPTION'} = > $confighash{$cgiparams{'KEY'}}[18]; > - $cgiparams{'IKE_INTEGRITY'} = > $confighash{$cgiparams{'KEY'}}[19]; > - $cgiparams{'IKE_GROUPTYPE'} = > $confighash{$cgiparams{'KEY'}}[20]; > - $cgiparams{'IKE_LIFETIME'} = > $confighash{$cgiparams{'KEY'}}[16]; > - $cgiparams{'ESP_ENCRYPTION'} = > $confighash{$cgiparams{'KEY'}}[21]; > - $cgiparams{'ESP_INTEGRITY'} = > $confighash{$cgiparams{'KEY'}}[22]; > - $cgiparams{'ESP_GROUPTYPE'} = > $confighash{$cgiparams{'KEY'}}[23]; > - if ($cgiparams{'ESP_GROUPTYPE'} eq "") { > - $cgiparams{'ESP_GROUPTYPE'} = > $cgiparams{'IKE_GROUPTYPE'}; > - } > - $cgiparams{'ESP_KEYLIFE'} = > $confighash{$cgiparams{'KEY'}}[17]; > - $cgiparams{'COMPRESSION'} = > $confighash{$cgiparams{'KEY'}}[13]; > - $cgiparams{'ONLY_PROPOSED'} = > $confighash{$cgiparams{'KEY'}}[24]; > - $cgiparams{'PFS'} = > $confighash{$cgiparams{'KEY'}}[28]; > - $cgiparams{'DPD_ACTION'} = > $confighash{$cgiparams{'KEY'}}[27]; > - $cgiparams{'DPD_TIMEOUT'} = > $confighash{$cgiparams{'KEY'}}[30]; > - $cgiparams{'DPD_DELAY'} = > $confighash{$cgiparams{'KEY'}}[31]; > - $cgiparams{'FORCE_MOBIKE'} = > $confighash{$cgiparams{'KEY'}}[32]; > + foreach my $key (@temp) {$checked{'ESP_GROUPTYPE'}{$key} = > "selected='selected'"; } > > - if (!$cgiparams{'DPD_DELAY'}) { > - $cgiparams{'DPD_DELAY'} = 30; > - } > + $checked{'COMPRESSION'} = $cgiparams{'COMPRESSION'} eq 'on' > ? "checked='checked'" : '' ; > + $checked{'FORCE_MOBIKE'} = $cgiparams{'FORCE_MOBIKE'} eq > 'on' ? "checked='checked'" : '' ; > + $checked{'ONLY_PROPOSED'} = $cgiparams{'ONLY_PROPOSED'} eq > 'on' ? "checked='checked'" : '' ; > + $checked{'PFS'} = $cgiparams{'PFS'} eq 'on' ? > "checked='checked'" : '' ; > > - if (!$cgiparams{'DPD_TIMEOUT'}) { > - $cgiparams{'DPD_TIMEOUT'} = 120; > - } > + $selected{'IKE_VERSION'}{'ikev1'} = ''; > + $selected{'IKE_VERSION'}{'ikev2'} = ''; > + $selected{'IKE_VERSION'}{$cgiparams{'IKE_VERSION'}} = > "selected='selected'"; > > - } > - > - ADVANCED_ERROR: > - $checked{'IKE_ENCRYPTION'}{'aes256'} = ''; > - $checked{'IKE_ENCRYPTION'}{'aes192'} = ''; > - $checked{'IKE_ENCRYPTION'}{'aes128'} = ''; > - $checked{'IKE_ENCRYPTION'}{'aes256gcm128'} = ''; > - $checked{'IKE_ENCRYPTION'}{'aes192gcm128'} = ''; > - $checked{'IKE_ENCRYPTION'}{'aes128gcm128'} = ''; > - $checked{'IKE_ENCRYPTION'}{'aes256gcm96'} = ''; > - $checked{'IKE_ENCRYPTION'}{'aes192gcm96'} = ''; > - $checked{'IKE_ENCRYPTION'}{'aes128gcm96'} = ''; > - $checked{'IKE_ENCRYPTION'}{'aes256gcm64'} = ''; > - $checked{'IKE_ENCRYPTION'}{'aes192gcm64'} = ''; > - $checked{'IKE_ENCRYPTION'}{'aes128gcm64'} = ''; > - $checked{'IKE_ENCRYPTION'}{'3des'} = ''; > - $checked{'IKE_ENCRYPTION'}{'camellia256'} = ''; > - $checked{'IKE_ENCRYPTION'}{'camellia192'} = ''; > - $checked{'IKE_ENCRYPTION'}{'camellia128'} = ''; > - my @temp = split('\|', $cgiparams{'IKE_ENCRYPTION'}); > - foreach my $key (@temp) {$checked{'IKE_ENCRYPTION'}{$key} = > "selected='selected'"; } > - $checked{'IKE_INTEGRITY'}{'sha2_512'} = ''; > - $checked{'IKE_INTEGRITY'}{'sha2_384'} = ''; > - $checked{'IKE_INTEGRITY'}{'sha2_256'} = ''; > - $checked{'IKE_INTEGRITY'}{'sha'} = ''; > - $checked{'IKE_INTEGRITY'}{'md5'} = ''; > - $checked{'IKE_INTEGRITY'}{'aesxcbc'} = ''; > - @temp = split('\|', $cgiparams{'IKE_INTEGRITY'}); > - foreach my $key (@temp) {$checked{'IKE_INTEGRITY'}{$key} = > "selected='selected'"; } > - $checked{'IKE_GROUPTYPE'}{'768'} = ''; > - $checked{'IKE_GROUPTYPE'}{'1024'} = ''; > - $checked{'IKE_GROUPTYPE'}{'1536'} = ''; > - $checked{'IKE_GROUPTYPE'}{'2048'} = ''; > - $checked{'IKE_GROUPTYPE'}{'3072'} = ''; > - $checked{'IKE_GROUPTYPE'}{'4096'} = ''; > - $checked{'IKE_GROUPTYPE'}{'6144'} = ''; > - $checked{'IKE_GROUPTYPE'}{'8192'} = ''; > - @temp = split('\|', $cgiparams{'IKE_GROUPTYPE'}); > - foreach my $key (@temp) {$checked{'IKE_GROUPTYPE'}{$key} = > "selected='selected'"; } > - > - # 768 is not supported by strongswan > - $checked{'IKE_GROUPTYPE'}{'768'} = ''; > - > - $checked{'ESP_ENCRYPTION'}{'aes256'} = ''; > - $checked{'ESP_ENCRYPTION'}{'aes192'} = ''; > - $checked{'ESP_ENCRYPTION'}{'aes128'} = ''; > - $checked{'ESP_ENCRYPTION'}{'aes256gcm128'} = ''; > - $checked{'ESP_ENCRYPTION'}{'aes192gcm128'} = ''; > - $checked{'ESP_ENCRYPTION'}{'aes128gcm128'} = ''; > - $checked{'ESP_ENCRYPTION'}{'aes256gcm96'} = ''; > - $checked{'ESP_ENCRYPTION'}{'aes192gcm96'} = ''; > - $checked{'ESP_ENCRYPTION'}{'aes128gcm96'} = ''; > - $checked{'ESP_ENCRYPTION'}{'aes256gcm64'} = ''; > - $checked{'ESP_ENCRYPTION'}{'aes192gcm64'} = ''; > - $checked{'ESP_ENCRYPTION'}{'aes128gcm64'} = ''; > - $checked{'ESP_ENCRYPTION'}{'3des'} = ''; > - $checked{'ESP_ENCRYPTION'}{'camellia256'} = ''; > - $checked{'ESP_ENCRYPTION'}{'camellia192'} = ''; > - $checked{'ESP_ENCRYPTION'}{'camellia128'} = ''; > - @temp = split('\|', $cgiparams{'ESP_ENCRYPTION'}); > - foreach my $key (@temp) {$checked{'ESP_ENCRYPTION'}{$key} = > "selected='selected'"; } > - $checked{'ESP_INTEGRITY'}{'sha2_512'} = ''; > - $checked{'ESP_INTEGRITY'}{'sha2_384'} = ''; > - $checked{'ESP_INTEGRITY'}{'sha2_256'} = ''; > - $checked{'ESP_INTEGRITY'}{'sha1'} = ''; > - $checked{'ESP_INTEGRITY'}{'md5'} = ''; > - $checked{'ESP_INTEGRITY'}{'aesxcbc'} = ''; > - @temp = split('\|', $cgiparams{'ESP_INTEGRITY'}); > - foreach my $key (@temp) {$checked{'ESP_INTEGRITY'}{$key} = > "selected='selected'"; } > - $checked{'ESP_GROUPTYPE'}{'768'} = ''; > - $checked{'ESP_GROUPTYPE'}{'1024'} = ''; > - $checked{'ESP_GROUPTYPE'}{'1536'} = ''; > - $checked{'ESP_GROUPTYPE'}{'2048'} = ''; > - $checked{'ESP_GROUPTYPE'}{'3072'} = ''; > - $checked{'ESP_GROUPTYPE'}{'4096'} = ''; > - $checked{'ESP_GROUPTYPE'}{'6144'} = ''; > - $checked{'ESP_GROUPTYPE'}{'8192'} = ''; > - $checked{'ESP_GROUPTYPE'}{'none'} = ''; > - @temp = split('\|', $cgiparams{'ESP_GROUPTYPE'}); > - foreach my $key (@temp) {$checked{'ESP_GROUPTYPE'}{$key} = > "selected='selected'"; } > - > - $checked{'COMPRESSION'} = $cgiparams{'COMPRESSION'} eq 'on' ? > "checked='checked'" : '' ; > - $checked{'FORCE_MOBIKE'} = $cgiparams{'FORCE_MOBIKE'} eq 'on' ? > "checked='checked'" : '' ; > - $checked{'ONLY_PROPOSED'} = $cgiparams{'ONLY_PROPOSED'} eq 'on' > ? "checked='checked'" : '' ; > - $checked{'PFS'} = $cgiparams{'PFS'} eq 'on' ? > "checked='checked'" : '' ; > - > - $selected{'IKE_VERSION'}{'ikev1'} = ''; > - $selected{'IKE_VERSION'}{'ikev2'} = ''; > - $selected{'IKE_VERSION'}{$cgiparams{'IKE_VERSION'}} = > "selected='selected'"; > - > - $selected{'DPD_ACTION'}{'clear'} = ''; > - $selected{'DPD_ACTION'}{'hold'} = ''; > - $selected{'DPD_ACTION'}{'restart'} = ''; > - $selected{'DPD_ACTION'}{'none'} = ''; > - $selected{'DPD_ACTION'}{$cgiparams{'DPD_ACTION'}} = > "selected='selected'"; > - > - &Header::showhttpheaders(); > - &Header::openpage($Lang::tr{'ipsec'}, 1, ''); > - &Header::openbigbox('100%', 'left', '', $errormessage); > - > - if ($errormessage) { > - &Header::openbox('100%', 'left', $Lang::tr{'error > messages'}); > - print "<class name='base'>$errormessage"; > - print " </class>"; > - &Header::closebox(); > - } > + $selected{'DPD_ACTION'}{'clear'} = ''; > + $selected{'DPD_ACTION'}{'hold'} = ''; > + $selected{'DPD_ACTION'}{'restart'} = ''; > + $selected{'DPD_ACTION'}{'none'} = ''; > + $selected{'DPD_ACTION'}{$cgiparams{'DPD_ACTION'}} = > "selected='selected'"; > > - if ($warnmessage) { > - &Header::openbox('100%', 'left', $Lang::tr{'warning > messages'}); > - print "<class name='base'>$warnmessage"; > - print " </class>"; > - &Header::closebox(); > - } > + &Header::showhttpheaders(); > + &Header::openpage($Lang::tr{'ipsec'}, 1, ''); > + &Header::openbigbox('100%', 'left', '', $errormessage); > + > + if ($errormessage) { > + &Header::openbox('100%', 'left', $Lang::tr{'error > messages'}); > + print "<class name='base'>$errormessage"; > + print " </class>"; > + &Header::closebox(); > + } > + > + if ($warnmessage) { > + &Header::openbox('100%', 'left', $Lang::tr{'warning > messages'}); > + print "<class name='base'>$warnmessage"; > + print " </class>"; > + &Header::closebox(); > + } > > - &Header::openbox('100%', 'left', "$Lang::tr{'advanced'}:"); > - print <<EOF > - <form method='post' enctype='multipart/form-data' > action='$ENV{'SCRIPT_NAME'}'> > - <input type='hidden' name='ADVANCED' value='yes' /> > - <input type='hidden' name='KEY' value='$cgiparams{'KEY'}' /> > + &Header::openbox('100%', 'left', "$Lang::tr{'advanced'}:"); > + print <<EOF > + <form method='post' enctype='multipart/form-data' > action='$ENV{'SCRIPT_NAME'}'> > + <input type='hidden' name='ADVANCED' value='yes' /> > + <input type='hidden' name='KEY' value='$cgiparams{'KEY'}' /> > > - <table width='100%'> > + <table width='100%'> > <thead> > <tr> > <th width="15%"></th> > @@ -2545,14 +2540,14 @@ if(($cgiparams{'ACTION'} eq > $Lang::tr{'advanced'}) || > </td> > </tr> > </tbody> > - </table> > + </table> > > <br><br> > > <h2>$Lang::tr{'dead peer detection'}</h2> > > - <table width="100%"> > - <tr> > + <table width="100%"> > + <tr> > <td width="15%">$Lang::tr{'dpd action'}:</td> > <td> > <select name='DPD_ACTION'> > @@ -2575,11 +2570,11 @@ if(($cgiparams{'ACTION'} eq > $Lang::tr{'advanced'}) || > <input type='text' name='DPD_DELAY' size='5' > value='$cgiparams{'DPD_DELAY'}' /> > </td> > </tr> > - </table> > + </table> > > - <hr> > + <hr> > > - <table width="100%"> > + <table width="100%"> > <tr> > <td> > <label> > @@ -2613,9 +2608,9 @@ if(($cgiparams{'ACTION'} eq > $Lang::tr{'advanced'}) || > </td> > </tr> > EOF > - ; > +; > > - print <<EOF; > + print <<EOF; > <tr> > <td align='left' colspan='1'><img src='/blob.gif' > align='top' alt='*' /> $Lang::tr{'required field'}</td> > <td align='right' colspan='2'> > @@ -2623,58 +2618,58 @@ EOF > <input type='submit' name='ACTION' > value='$Lang::tr{'cancel'}' /> > </td> > </tr> > - </table></form> > + </table></form> > EOF > > - &Header::closebox(); > - &Header::closebigbox(); > - &Header::closepage(); > - exit(0); > + &Header::closebox(); > + &Header::closebigbox(); > + &Header::closepage(); > + exit(0); > > - ADVANCED_END: > + ADVANCED_END: > } > > ### > ### Default status page > ### > - %cgiparams = (); > - %cahash = (); > - %confighash = (); > - &General::readhash("${General::swroot}/vpn/settings", > \%cgiparams); > - &General::readhasharray("${General::swroot}/vpn/caconfig", > \%cahash); > - &General::readhasharray("${General::swroot}/vpn/config", > \%confighash); > - $cgiparams{'CA_NAME'} = ''; > - > - my @status = `/usr/local/bin/ipsecctrl I 2>/dev/null`; > - > - # suggest a default name for this side > - if ($cgiparams{'VPN_IP'} eq '' && -e > "${General::swroot}/red/active") { > - if (open(IPADDR, "${General::swroot}/red/local-ipaddress")) > { > - my $ipaddr = <IPADDR>; > - close IPADDR; > - chomp ($ipaddr); > - $cgiparams{'VPN_IP'} = (gethostbyaddr(pack("C4", > split(/\./, $ipaddr)), 2))[0]; > - if ($cgiparams{'VPN_IP'} eq '') { > - $cgiparams{'VPN_IP'} = $ipaddr; > - } > - } > - } > - # no IP found, use %defaultroute > - $cgiparams{'VPN_IP'} ='%defaultroute' if ($cgiparams{'VPN_IP'} > eq ''); > - > - $cgiparams{'VPN_DELAYED_START'} = 0 if (! defined > ($cgiparams{'VPN_DELAYED_START'})); > - $checked{'ENABLED'} = $cgiparams{'ENABLED'} eq 'on' ? > "checked='checked'" : ''; > - > - &Header::showhttpheaders(); > - &Header::openpage($Lang::tr{'ipsec'}, 1, ''); > - &Header::openbigbox('100%', 'left', '', $errormessage); > - > - if ($errormessage) { > - &Header::openbox('100%', 'left', $Lang::tr{'error > messages'}); > - print "<class name='base'>$errormessage\n"; > - print " </class>\n"; > - &Header::closebox(); > - } > + %cgiparams = (); > + %cahash = (); > + %confighash = (); > + &General::readhash("${General::swroot}/vpn/settings", > \%cgiparams); > + &General::readhasharray("${General::swroot}/vpn/caconfig", > \%cahash); > + &General::readhasharray("${General::swroot}/vpn/config", > \%confighash); > + $cgiparams{'CA_NAME'} = ''; > + > + my @status = `/usr/local/bin/ipsecctrl I 2>/dev/null`; > + > + # suggest a default name for this side > + if ($cgiparams{'VPN_IP'} eq '' && -e > "${General::swroot}/red/active") { > + if (open(IPADDR, "${General::swroot}/red/local > -ipaddress")) { > + my $ipaddr = <IPADDR>; > + close IPADDR; > + chomp ($ipaddr); > + $cgiparams{'VPN_IP'} = > (gethostbyaddr(pack("C4", split(/\./, $ipaddr)), 2))[0]; > + if ($cgiparams{'VPN_IP'} eq '') { > + $cgiparams{'VPN_IP'} = $ipaddr; > + } > + } > + } > + # no IP found, use %defaultroute > + $cgiparams{'VPN_IP'} ='%defaultroute' if > ($cgiparams{'VPN_IP'} eq ''); > + > + $cgiparams{'VPN_DELAYED_START'} = 0 if (! defined > ($cgiparams{'VPN_DELAYED_START'})); > + $checked{'ENABLED'} = $cgiparams{'ENABLED'} eq 'on' ? > "checked='checked'" : ''; > + > + &Header::showhttpheaders(); > + &Header::openpage($Lang::tr{'ipsec'}, 1, ''); > + &Header::openbigbox('100%', 'left', '', $errormessage); > + > + if ($errormessage) { > + &Header::openbox('100%', 'left', $Lang::tr{'error > messages'}); > + print "<class name='base'>$errormessage\n"; > + print " </class>\n"; > + &Header::closebox(); > + } > > if ($warnmessage) { > &Header::openbox('100%', 'left', $Lang::tr{'warning > messages'}); > @@ -2686,61 +2681,61 @@ EOF > exit 0; > } > > - &Header::openbox('100%', 'left', $Lang::tr{'global settings'}); > - print <<END > - <form method='post' action='$ENV{'SCRIPT_NAME'}'> > - <table width='100%'> > - <tr> > + &Header::openbox('100%', 'left', $Lang::tr{'global > settings'}); > + print <<END > + <form method='post' action='$ENV{'SCRIPT_NAME'}'> > + <table width='100%'> > + <tr> > <td width='20%' class='base' nowrap='nowrap'>$Lang::tr{'vpn > red name'}: <img src='/blob.gif' alt='*' /></td> > <td width='20%'><input type='text' name='VPN_IP' > value='$cgiparams{'VPN_IP'}' /></td> > <td width='20%' class='base'>$Lang::tr{'enabled'}<input > type='checkbox' name='ENABLED' $checked{'ENABLED'} /></td> > - </tr> > + </tr> > END > - ; > +; > print <<END > - <tr> > - <td class='base' nowrap='nowrap'>$Lang::tr{'vpn delayed > start'}: <img src='/blob.gif' alt='*' /><img src='/blob.gif' > alt='*' /></td> > + <tr> > + <td class='base' nowrap='nowrap'>$Lang::tr{'vpn delayed > start'}: <img src='/blob.gif' alt='*' /><img src='/blob.gif' > alt='*' /></td> > <td ><input type='text' name='VPN_DELAYED_START' > value='$cgiparams{'VPN_DELAYED_START'}' /></td> > - </tr> > - <tr> > - <td class='base' nowrap='nowrap'>$Lang::tr{'host to net > vpn'}:</td> > + </tr> > + <tr> > + <td class='base' nowrap='nowrap'>$Lang::tr{'host to net > vpn'}:</td> > <td ><input type='text' name='RW_NET' > value='$cgiparams{'RW_NET'}' /></td> > - </tr> > + </tr> > </table> > <br> > <hr /> > <table width='100%'> > <tr> > - <td class='base' valign='top'><img src='/blob.gif' alt='*' > /></td> > - <td width='70%' class='base' valign='top'>$Lang::tr{'required > field'}</td><td width='30%' align='right' class='base'><input > type='submit' name='ACTION' value='$Lang::tr{'save'}' /></td> > + <td class='base' valign='top'><img src='/blob.gif' alt='*' > /></td> > + <td width='70%' class='base' > valign='top'>$Lang::tr{'required field'}</td><td width='30%' > align='right' class='base'><input type='submit' name='ACTION' > value='$Lang::tr{'save'}' /></td> > </tr> > <tr> > - <td class='base' valign='top' nowrap='nowrap'><img > src='/blob.gif' alt='*' /><img src='/blob.gif' alt='*' /> </td> > - <td class='base'> <font class='base'>$Lang::tr{'vpn > delayed start help'}</font></td> > - <td></td> > + <td class='base' valign='top' nowrap='nowrap'><img > src='/blob.gif' alt='*' /><img src='/blob.gif' alt='*' /> </td> > + <td class='base'> <font class='base'>$Lang::tr{'vpn > delayed start help'}</font></td> > + <td></td> > </tr> > </table> > END > -; > - print "</form>"; > - &Header::closebox(); > - > - &Header::openbox('100%', 'left', $Lang::tr{'connection status > and controlc'}); > - print <<END > - <table width='100%' cellspacing='1' cellpadding='0' class='tbl'> > - <tr> > +; > + print "</form>"; > + &Header::closebox(); > + > + &Header::openbox('100%', 'left', $Lang::tr{'connection > status and controlc'}); > + print <<END > + <table width='100%' cellspacing='1' cellpadding='0' > class='tbl'> > + <tr> > <th width='10%' class='boldbase' > align='center'><b>$Lang::tr{'name'}</b></th> > <th width='22%' class='boldbase' > align='center'><b>$Lang::tr{'type'}</b></th> > <th width='23%' class='boldbase' > align='center'><b>$Lang::tr{'common name'}</b></th> > <th width='30%' class='boldbase' > align='center'><b>$Lang::tr{'remark'}</b></th> > <th width='10%' class='boldbase' > align='center'><b>$Lang::tr{'status'}</b></th> > <th class='boldbase' align='center' > colspan='6'><b>$Lang::tr{'action'}</b></th> > - </tr> > + </tr> > END > - ; > - my $id = 0; > - my $gif; > - foreach my $key (sort { ncmp > ($confighash{$a}[1],$confighash{$b}[1]) } keys %confighash) { > +; > + my $id = 0; > + my $gif; > + foreach my $key (sort { ncmp > ($confighash{$a}[1],$confighash{$b}[1]) } keys %confighash) { > if ($confighash{$key}[0] eq 'on') { $gif = 'on.gif'; } else > { $gif = 'off.gif'; } > > if ($id % 2) { > @@ -2753,302 +2748,304 @@ END > print "<td align='center' nowrap='nowrap' > $col>$confighash{$key}[1]</td>"; > print "<td align='center' nowrap='nowrap' $col>" . > $Lang::tr{"$confighash{$key}[3]"} . " (" . > $Lang::tr{"$confighash{$key}[4]"} . ") $confighash{$key}[29]</td>"; > if ($confighash{$key}[2] eq '%auth-dn') { > - print "<td align='left' nowrap='nowrap' > $col>$confighash{$key}[9]</td>"; > + print "<td align='left' nowrap='nowrap' > $col>$confighash{$key}[9]</td>"; > } elsif ($confighash{$key}[4] eq 'cert') { > - print "<td align='left' nowrap='nowrap' > $col>$confighash{$key}[2]</td>"; > + print "<td align='left' nowrap='nowrap' > $col>$confighash{$key}[2]</td>"; > } else { > - print "<td align='left' $col> </td>"; > + print "<td align='left' $col> </td>"; > } > print "<td align='center' $col>$confighash{$key}[25]</td>"; > my $col1="bgcolor='${Header::colourred}'"; > # get real state > my $active = "<b><font > color='#FFFFFF'>$Lang::tr{'capsclosed'}</font></b>"; > foreach my $line (@status) { > - if (($line =~ /\"$confighash{$key}[1]\".*IPsec SA > established/) || > - ($line =~ /$confighash{$key}[1]\{.*INSTALLED/)) > - { > - $col1="bgcolor='${Header::colourgreen}'"; > - $active = "<b><font > color='#FFFFFF'>$Lang::tr{'capsopen'}</font></b>"; > - } > - } > - # move to blueif really down > + if (($line =~ /\"$confighash{$key}[1]\".*IPsec SA > established/) || > + ($line =~ /$confighash{$key}[1]\{.*INSTALLED/)) { > + $col1="bgcolor='${Header::colourgreen}'"; > + $active = "<b><font > color='#FFFFFF'>$Lang::tr{'capsopen'}</font></b>"; > + } > + } > + # move to blue if really down > if ($confighash{$key}[0] eq 'off' && $col1 =~ > /${Header::colourred}/ ) { > $col1="bgcolor='${Header::colourblue}'"; > - $active = "<b><font > color='#FFFFFF'>$Lang::tr{'capsclosed'}</font></b>"; > + $active = "<b><font > color='#FFFFFF'>$Lang::tr{'capsclosed'}</font></b>"; > } > print <<END > <td align='center' $col1>$active</td> > <td align='center' $col> > - <form method='post' action='$ENV{'SCRIPT_NAME'}'> > - <input type='image' name='$Lang::tr{'restart'}' > src='/images/reload.gif' alt='$Lang::tr{'restart'}' > title='$Lang::tr{'restart'}' /> > - <input type='hidden' name='ACTION' > value='$Lang::tr{'restart'}' /> > - <input type='hidden' name='KEY' value='$key' /> > - </form> > + <form method='post' action='$ENV{'SCRIPT_NAME'}'> > + <input type='image' name='$Lang::tr{'restart'}' > src='/images/reload.gif' alt='$Lang::tr{'restart'}' > title='$Lang::tr{'restart'}' /> > + <input type='hidden' name='ACTION' > value='$Lang::tr{'restart'}' /> > + <input type='hidden' name='KEY' value='$key' /> > + </form> > </td> > END > - ; > +; > if (($confighash{$key}[4] eq 'cert') && > ($confighash{$key}[2] ne '%auth-dn')) { > - print <<END > - <td align='center' $col> > - <form method='post' action='$ENV{'SCRIPT_NAME'}'> > + print <<END > + <td align='center' $col> > + <form method='post' action='$ENV{'SCRIPT_NAME'}'> > <input type='image' name='$Lang::tr{'show > certificate'}' src='/images/info.gif' alt='$Lang::tr{'show > certificate'}' title='$Lang::tr{'show certificate'}' /> > <input type='hidden' name='ACTION' > value='$Lang::tr{'show certificate'}' /> > <input type='hidden' name='KEY' value='$key' /> > - </form> > - </td> > + </form> > + </td> > END > - ; } else { > - print "<td width='2%' $col> </td>"; > +; > + } else { > + print "<td width='2%' $col> </td>"; > } > - if ($confighash{$key}[4] eq 'cert' && -f > "${General::swroot}/certs/$confighash{$key}[1].p12") { > - print <<END > - <td align='center' $col> > - <form method='post' action='$ENV{'SCRIPT_NAME'}'> > + if ($confighash{$key}[4] eq 'cert' && -f > "${General::swroot}/certs/$confighash{$key}[1].p12") { > + print <<END > + <td align='center' $col> > + <form method='post' action='$ENV{'SCRIPT_NAME'}'> > <input type='image' name='$Lang::tr{'download pkcs12 > file'}' src='/images/floppy.gif' alt='$Lang::tr{'download pkcs12 > file'}' title='$Lang::tr{'download pkcs12 file'}' /> > <input type='hidden' name='ACTION' > value='$Lang::tr{'download pkcs12 file'}' /> > <input type='hidden' name='KEY' value='$key' /> > - </form> > + </form> > </td> > END > - ; } elsif (($confighash{$key}[4] eq 'cert') && > ($confighash{$key}[2] ne '%auth-dn')) { > - print <<END > - <td align='center' $col> > - <form method='post' action='$ENV{'SCRIPT_NAME'}'> > +; > + } elsif (($confighash{$key}[4] eq 'cert') && > ($confighash{$key}[2] ne '%auth-dn')) { > + print <<END > + <td align='center' $col> > + <form method='post' action='$ENV{'SCRIPT_NAME'}'> > <input type='image' name='$Lang::tr{'download > certificate'}' src='/images/floppy.gif' alt='$Lang::tr{'download > certificate'}' title='$Lang::tr{'download certificate'}' /> > <input type='hidden' name='ACTION' > value='$Lang::tr{'download certificate'}' /> > <input type='hidden' name='KEY' value='$key' /> > - </form> > + </form> > </td> > END > - ; } else { > - print "<td width='2%' $col> </td>"; > +; > + } else { > + print "<td width='2%' $col> </td>"; > } > print <<END > <td align='center' $col> > - <form method='post' action='$ENV{'SCRIPT_NAME'}'> > - <input type='image' name='$Lang::tr{'toggle enable > disable'}' src='/images/$gif' alt='$Lang::tr{'toggle enable > disable'}' title='$Lang::tr{'toggle enable disable'}' /> > - <input type='hidden' name='ACTION' > value='$Lang::tr{'toggle enable disable'}' /> > - <input type='hidden' name='KEY' value='$key' /> > - </form> > + <form method='post' action='$ENV{'SCRIPT_NAME'}'> > + <input type='image' name='$Lang::tr{'toggle enable > disable'}' src='/images/$gif' alt='$Lang::tr{'toggle enable > disable'}' title='$Lang::tr{'toggle enable disable'}' /> > + <input type='hidden' name='ACTION' > value='$Lang::tr{'toggle enable disable'}' /> > + <input type='hidden' name='KEY' value='$key' /> > + </form> > </td> > > <td align='center' $col> > - <form method='post' action='$ENV{'SCRIPT_NAME'}'> > - <input type='hidden' name='ACTION' > value='$Lang::tr{'edit'}' /> > - <input type='image' name='$Lang::tr{'edit'}' > src='/images/edit.gif' alt='$Lang::tr{'edit'}' > title='$Lang::tr{'edit'}' /> > - <input type='hidden' name='KEY' value='$key' /> > - </form> > + <form method='post' action='$ENV{'SCRIPT_NAME'}'> > + <input type='hidden' name='ACTION' > value='$Lang::tr{'edit'}' /> > + <input type='image' name='$Lang::tr{'edit'}' > src='/images/edit.gif' alt='$Lang::tr{'edit'}' > title='$Lang::tr{'edit'}' /> > + <input type='hidden' name='KEY' value='$key' /> > + </form> > </td> > <td align='center' $col> > - <form method='post' action='$ENV{'SCRIPT_NAME'}'> > - <input type='hidden' name='ACTION' > value='$Lang::tr{'remove'}' /> > - <input type='image' name='$Lang::tr{'remove'}' > src='/images/delete.gif' alt='$Lang::tr{'remove'}' > title='$Lang::tr{'remove'}' /> > - <input type='hidden' name='KEY' value='$key' /> > - </form> > + <form method='post' action='$ENV{'SCRIPT_NAME'}'> > + <input type='hidden' name='ACTION' > value='$Lang::tr{'remove'}' /> > + <input type='image' name='$Lang::tr{'remove'}' > src='/images/delete.gif' alt='$Lang::tr{'remove'}' > title='$Lang::tr{'remove'}' /> > + <input type='hidden' name='KEY' value='$key' /> > + </form> > </td> > </tr> > END > - ; > +; > $id++; > - } > - print "</table>"; > - > - # If the config file contains entries, print Key to action icons > - if ( $id ) { > - print <<END > - <table> > - <tr> > - <td class='boldbase'> <b>$Lang::tr{'legend'}:</b></td> > - <td> <img src='/images/on.gif' alt='$Lang::tr{'click > to disable'}' /></td> > - <td class='base'>$Lang::tr{'click to disable'}</td> > - <td> <img src='/images/info.gif' > alt='$Lang::tr{'show certificate'}' /></td> > - <td class='base'>$Lang::tr{'show certificate'}</td> > - <td> <img src='/images/edit.gif' > alt='$Lang::tr{'edit'}' /></td> > - <td class='base'>$Lang::tr{'edit'}</td> > - <td> <img src='/images/delete.gif' > alt='$Lang::tr{'remove'}' /></td> > - <td class='base'>$Lang::tr{'remove'}</td> > - </tr> > - <tr> > - <td> </td> > - <td> <img src='/images/off.gif' alt='?OFF' /></td> > - <td class='base'>$Lang::tr{'click to enable'}</td> > - <td> <img src='/images/floppy.gif' > alt='?FLOPPY' /></td> > - <td class='base'>$Lang::tr{'download certificate'}</td> > - <td> <img src='/images/reload.gif' > alt='?RELOAD'/></td> > - <td class='base'>$Lang::tr{'restart'}</td> > - </tr> > - </table> > + } > + print "</table>"; > + > + # If the config file contains entries, print Key to action > icons > + if ( $id ) { > + print <<END > + <table> > + <tr> > + <td class='boldbase'> > <b>$Lang::tr{'legend'}:</b></td> > + <td> <img src='/images/on.gif' > alt='$Lang::tr{'click to disable'}' /></td> > + <td class='base'>$Lang::tr{'click to disable'}</td> > + <td> <img src='/images/info.gif' > alt='$Lang::tr{'show certificate'}' /></td> > + <td class='base'>$Lang::tr{'show certificate'}</td> > + <td> <img src='/images/edit.gif' > alt='$Lang::tr{'edit'}' /></td> > + <td class='base'>$Lang::tr{'edit'}</td> > + <td> <img src='/images/delete.gif' > alt='$Lang::tr{'remove'}' /></td> > + <td class='base'>$Lang::tr{'remove'}</td> > + </tr> > + <tr> > + <td> </td> > + <td> <img src='/images/off.gif' alt='?OFF' > /></td> > + <td class='base'>$Lang::tr{'click to enable'}</td> > + <td> <img src='/images/floppy.gif' > alt='?FLOPPY' /></td> > + <td class='base'>$Lang::tr{'download > certificate'}</td> > + <td> <img src='/images/reload.gif' > alt='?RELOAD'/></td> > + <td class='base'>$Lang::tr{'restart'}</td> > + </tr> > + </table> > END > - ; > - } > +; > + } > > - print <<END > - <table width='100%'> > - <tr><td align='right' colspan='9'> > + print <<END > + <table width='100%'> > + <tr><td align='right' colspan='9'> > <form method='post' action='$ENV{'SCRIPT_NAME'}'> > <input type='submit' name='ACTION' value='$Lang::tr{'add'}' > /> > </form> > - </td></tr> > - </table> > + </td></tr> > + </table> > END > - ; > - &Header::closebox(); > +; > + &Header::closebox(); > > - &Header::openbox('100%', 'left', "$Lang::tr{'certificate > authorities'}"); > - print <<EOF > - <table width='100%' cellspacing='1' cellpadding='0' class='tbl'> > - <tr> > + &Header::openbox('100%', 'left', "$Lang::tr{'certificate > authorities'}"); > + print <<EOF > + <table width='100%' cellspacing='1' cellpadding='0' > class='tbl'> > + <tr> > <th width='25%' class='boldbase' > align='center'><b>$Lang::tr{'name'}</b></th> > <th width='65%' class='boldbase' > align='center'><b>$Lang::tr{'subject'}</b></th> > <th width='10%' class='boldbase' colspan='3' > align='center'><b>$Lang::tr{'action'}</b></th> > - </tr> > + </tr> > EOF > - ; > - my $col1="bgcolor='$color{'color22'}'"; > +; > + my $col1="bgcolor='$color{'color22'}'"; > my $col2="bgcolor='$color{'color20'}'"; > - if (-f "${General::swroot}/ca/cacert.pem") { > - my $casubject = &Header::cleanhtml(getsubjectfromcert > ("${General::swroot}/ca/cacert.pem")); > - print <<END > - <tr> > - <td class='base' $col1>$Lang::tr{'root certificate'}</td> > - <td class='base' $col1>$casubject</td> > - <td width='3%' align='center' $col1> > - <form method='post' action='$ENV{'SCRIPT_NAME'}'> > - <input type='hidden' name='ACTION' > value='$Lang::tr{'show root certificate'}' /> > - <input type='image' name='$Lang::tr{'edit'}' > src='/images/info.gif' alt='$Lang::tr{'show root certificate'}' > title='$Lang::tr{'show root certificate'}' /> > - </form> > - </td> > - <td width='3%' align='center' $col1> > - <form method='post' action='$ENV{'SCRIPT_NAME'}'> > - <input type='image' name='$Lang::tr{'download root > certificate'}' src='/images/floppy.gif' alt='$Lang::tr{'download root > certificate'}' title='$Lang::tr{'download root certificate'}' /> > - <input type='hidden' name='ACTION' > value='$Lang::tr{'download root certificate'}' /> > - </form> > - </td> > - <td width='4%' $col1> </td></tr> > + if (-f "${General::swroot}/ca/cacert.pem") { > + my $casubject = > &Header::cleanhtml(getsubjectfromcert > ("${General::swroot}/ca/cacert.pem")); > + print <<END > + <tr> > + <td class='base' $col1>$Lang::tr{'root > certificate'}</td> > + <td class='base' $col1>$casubject</td> > + <td width='3%' align='center' $col1> > + <form method='post' > action='$ENV{'SCRIPT_NAME'}'> > + <input type='hidden' name='ACTION' > value='$Lang::tr{'show root certificate'}' /> > + <input type='image' name='$Lang::tr{'edit'}' > src='/images/info.gif' alt='$Lang::tr{'show root certificate'}' > title='$Lang::tr{'show root certificate'}' /> > + </form> > + </td> > + <td width='3%' align='center' $col1> > + <form method='post' > action='$ENV{'SCRIPT_NAME'}'> > + <input type='image' > name='$Lang::tr{'download root certificate'}' > src='/images/floppy.gif' alt='$Lang::tr{'download root certificate'}' > title='$Lang::tr{'download root certificate'}' /> > + <input type='hidden' name='ACTION' > value='$Lang::tr{'download root certificate'}' /> > + </form> > + </td> > + <td width='4%' $col1> </td></tr> > END > - ; > - } else { > - # display rootcert generation buttons > - print <<END > - <tr> > - <td class='base' $col1>$Lang::tr{'root certificate'}:</td> > - <td class='base' $col1>$Lang::tr{'not present'}</td> > - <td colspan='3' $col1> </td></tr> > +; > + } else { > + # display rootcert generation buttons > + print <<END > + <tr> > + <td class='base' $col1>$Lang::tr{'root > certificate'}:</td> > + <td class='base' $col1>$Lang::tr{'not present'}</td> > + <td colspan='3' $col1> </td></tr> > END > - ; > - } > +; > + } > > - if (-f "${General::swroot}/certs/hostcert.pem") { > - my $hostsubject = &Header::cleanhtml(getsubjectfromcert > ("${General::swroot}/certs/hostcert.pem")); > + if (-f "${General::swroot}/certs/hostcert.pem") { > + my $hostsubject = > &Header::cleanhtml(getsubjectfromcert > ("${General::swroot}/certs/hostcert.pem")); > > - print <<END > - <tr> > - <td class='base' $col2>$Lang::tr{'host certificate'}</td> > - <td class='base' $col2>$hostsubject</td> > - <td width='3%' align='center' $col2> > - <form method='post' action='$ENV{'SCRIPT_NAME'}'> > - <input type='hidden' name='ACTION' > value='$Lang::tr{'show host certificate'}' /> > - <input type='image' name='$Lang::tr{'show host > certificate'}' src='/images/info.gif' alt='$Lang::tr{'show host > certificate'}' title='$Lang::tr{'show host certificate'}' /> > - </form> > - </td> > - <td width='3%' align='center' $col2> > - <form method='post' action='$ENV{'SCRIPT_NAME'}'> > - <input type='image' name="$Lang::tr{'download host > certificate'}" src='/images/floppy.gif' alt="$Lang::tr{'download host > certificate'}" title="$Lang::tr{'download host certificate'}" /> > - <input type='hidden' name='ACTION' > value="$Lang::tr{'download host certificate'}" /> > - </form> > - </td> > - <td width='4%' $col2> </td></tr> > + print <<END > + <tr> > + <td class='base' $col2>$Lang::tr{'host > certificate'}</td> > + <td class='base' $col2>$hostsubject</td> > + <td width='3%' align='center' $col2> > + <form method='post' > action='$ENV{'SCRIPT_NAME'}'> > + <input type='hidden' name='ACTION' > value='$Lang::tr{'show host certificate'}' /> > + <input type='image' name='$Lang::tr{'show > host certificate'}' src='/images/info.gif' alt='$Lang::tr{'show host > certificate'}' title='$Lang::tr{'show host certificate'}' /> > + </form> > + </td> > + <td width='3%' align='center' $col2> > + <form method='post' > action='$ENV{'SCRIPT_NAME'}'> > + <input type='image' > name="$Lang::tr{'download host certificate'}" > src='/images/floppy.gif' alt="$Lang::tr{'download host certificate'}" > title="$Lang::tr{'download host certificate'}" /> > + <input type='hidden' name='ACTION' > value="$Lang::tr{'download host certificate'}" /> > + </form> > + </td> > + <td width='4%' $col2> </td></tr> > END > - ; > - } else { > - # Nothing > - print <<END > - <tr> > - <td width='25%' class='base' $col2>$Lang::tr{'host > certificate'}:</td> > - <td class='base' $col2>$Lang::tr{'not present'}</td> > - <td colspan='3' $col2> </td></tr> > +; > + } else { > + # Nothing > + print <<END > + <tr> > + <td width='25%' class='base' $col2>$Lang::tr{'host > certificate'}:</td> > + <td class='base' $col2>$Lang::tr{'not present'}</td> > + <td colspan='3' $col2> </td></tr> > END > - ; > - } > - > +; > + } > + > my $rowcolor = 0; > if (keys %cahash > 0) { > foreach my $key (keys %cahash) { > - if ($rowcolor++ % 2) { > - print "<tr>"; > - $col="bgcolor='$color{'color20'}'"; > - } else { > - print "<tr>"; > - $col="bgcolor='$color{'color22'}'"; > - } > - print "<td class='base' $col>$cahash{$key}[0]</td>\n"; > - print "<td class='base' $col>$cahash{$key}[1]</td>\n"; > - print <<END > - <td align='center' $col> > - <form method='post' name='cafrm${key}a' > action='$ENV{'SCRIPT_NAME'}'> > - <input type='image' name='$Lang::tr{'show ca > certificate'}' src='/images/info.gif' alt='$Lang::tr{'show ca > certificate'}' title='$Lang::tr{'show ca certificate'}' /> > - <input type='hidden' name='ACTION' > value='$Lang::tr{'show ca certificate'}' /> > - <input type='hidden' name='KEY' value='$key' /> > - </form> > - </td> > - <td align='center' $col> > - <form method='post' name='cafrm${key}b' > action='$ENV{'SCRIPT_NAME'}'> > - <input type='image' name='$Lang::tr{'download ca > certificate'}' src='/images/floppy.gif' alt='$Lang::tr{'download ca > certificate'}' title='$Lang::tr{'download ca certificate'}' /> > - <input type='hidden' name='ACTION' > value='$Lang::tr{'download ca certificate'}' /> > - <input type='hidden' name='KEY' value='$key' /> > - </form> > - </td> > - <td align='center' $col> > - <form method='post' name='cafrm${key}c' > action='$ENV{'SCRIPT_NAME'}'> > - <input type='hidden' name='ACTION' > value='$Lang::tr{'remove ca certificate'}' /> > - <input type='image' name='$Lang::tr{'remove ca > certificate'}' src='/images/delete.gif' alt='$Lang::tr{'remove ca > certificate'}' title='$Lang::tr{'remove ca certificate'}' /> > - <input type='hidden' name='KEY' value='$key' /> > - </form> > - </td> > - </tr> > + if ($rowcolor++ % 2) { > + print "<tr>"; > + $col="bgcolor='$color{'color > 20'}'"; > + } else { > + print "<tr>"; > + $col="bgcolor='$color{'color > 22'}'"; > + } > + print "<td class='base' > $col>$cahash{$key}[0]</td>\n"; > + print "<td class='base' > $col>$cahash{$key}[1]</td>\n"; > + print <<END > + <td align='center' $col> > + <form method='post' name='cafrm${key}a' > action='$ENV{'SCRIPT_NAME'}'> > + <input type='image' name='$Lang::tr{'show ca > certificate'}' src='/images/info.gif' alt='$Lang::tr{'show ca > certificate'}' title='$Lang::tr{'show ca certificate'}' /> > + <input type='hidden' name='ACTION' > value='$Lang::tr{'show ca certificate'}' /> > + <input type='hidden' name='KEY' value='$key' > /> > + </form> > + </td> > + <td align='center' $col> > + <form method='post' name='cafrm${key}b' > action='$ENV{'SCRIPT_NAME'}'> > + <input type='image' > name='$Lang::tr{'download ca certificate'}' src='/images/floppy.gif' > alt='$Lang::tr{'download ca certificate'}' title='$Lang::tr{'download > ca certificate'}' /> > + <input type='hidden' name='ACTION' > value='$Lang::tr{'download ca certificate'}' /> > + <input type='hidden' name='KEY' value='$key' > /> > + </form> > + </td> > + <td align='center' $col> > + <form method='post' name='cafrm${key}c' > action='$ENV{'SCRIPT_NAME'}'> > + <input type='hidden' name='ACTION' > value='$Lang::tr{'remove ca certificate'}' /> > + <input type='image' name='$Lang::tr{'remove > ca certificate'}' src='/images/delete.gif' alt='$Lang::tr{'remove ca > certificate'}' title='$Lang::tr{'remove ca certificate'}' /> > + <input type='hidden' name='KEY' value='$key' > /> > + </form> > + </td> > + </tr> > +END > +; > + } > + } > + print "</table>"; > + > + # If the file contains entries, print Key to action icons > + if ( -f "${General::swroot}/ca/cacert.pem") { > + print <<END > + <table><tr> > + <td class='boldbase'> > <b>$Lang::tr{'legend'}:</b></td> > + <td> <img src='/images/info.gif' > alt='$Lang::tr{'show certificate'}' /></td> > + <td class='base'>$Lang::tr{'show certificate'}</td> > + <td> <img src='/images/floppy.gif' > alt='$Lang::tr{'download certificate'}' /></td> > + <td class='base'>$Lang::tr{'download > certificate'}</td> > + </tr></table> > END > - ; > +; > } > - } > - print "</table>"; > - > - # If the file contains entries, print Key to action icons > - if ( -f "${General::swroot}/ca/cacert.pem") { > + my $createCA = -f "${General::swroot}/ca/cacert.pem" ? '' : > "<tr><td colspan='3'></td><td><input type='submit' name='ACTION' > value='$Lang::tr{'generate root/host certificates'}' /></td></tr>"; > print <<END > - <table><tr> > - <td class='boldbase'> <b>$Lang::tr{'legend'}:</b></td> > - <td> <img src='/images/info.gif' > alt='$Lang::tr{'show certificate'}' /></td> > - <td class='base'>$Lang::tr{'show certificate'}</td> > - <td> <img src='/images/floppy.gif' > alt='$Lang::tr{'download certificate'}' /></td> > - <td class='base'>$Lang::tr{'download certificate'}</td> > - </tr></table> > -END > - ; > - } > - my $createCA = -f "${General::swroot}/ca/cacert.pem" ? '' : > "<tr><td colspan='3'></td><td><input type='submit' name='ACTION' > value='$Lang::tr{'generate root/host certificates'}' /></td></tr>"; > - print <<END > - <br> > - <hr /> > - <form method='post' enctype='multipart/form-data' > action='$ENV{'SCRIPT_NAME'}'> > - <table width='100%' border='0' cellspacing='1' cellpadding='0'> > - $createCA > - <tr> > + <br> > + <hr /> > + <form method='post' enctype='multipart/form-data' > action='$ENV{'SCRIPT_NAME'}'> > + <table width='100%' border='0' cellspacing='1' > cellpadding='0'> > + $createCA > + <tr> > <td class='base' nowrap='nowrap'>$Lang::tr{'ca > name'}: <img src='/blob.gif' alt='*' /></td> > <td nowrap='nowrap'><input type='text' name='CA_NAME' > value='$cgiparams{'CA_NAME'}' size='15' /> </td> > <td nowrap='nowrap'><input type='file' name='FH' size='30' > /></td> > <td nowrap='nowrap'><input type='submit' name='ACTION' > value='$Lang::tr{'upload ca certificate'}' /></td> > - </tr> > - <tr> > + </tr> > + <tr> > <td colspan='3'>$Lang::tr{'resetting the vpn configuration > will remove the root ca, the host certificate and all certificate > based connections'}:</td> > <td align='right'><input type='submit' name='ACTION' > value='$Lang::tr{'remove x509'}' /></td> > - </tr> > - </table> > - </form> > + </tr> > + </table> > + </form> > END > - ; > - &Header::closebox(); > - &Header::closebigbox(); > - &Header::closepage(); > +; > + &Header::closebox(); > + &Header::closebigbox(); > + &Header::closepage(); > > sub array_unique($) { > my $array = shift; [-- Attachment #2: signature.asc --] [-- Type: application/pgp-signature, Size: 819 bytes --] ^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [PATCH] vpnmain.cgi - Replace spaces with tab characters and fix indentation 2015-09-25 22:11 ` Michael Tremer @ 2015-09-26 6:04 ` Larsen 2015-09-28 14:33 ` Michael Tremer 0 siblings, 1 reply; 4+ messages in thread From: Larsen @ 2015-09-26 6:04 UTC (permalink / raw) To: development [-- Attachment #1: Type: text/plain, Size: 214832 bytes --] There is something like "git blame", isn't it? If you want to know when a line was last changed before that indentation patch, you checkout the version before, use blame, and so are able to see which commit last affected the line. Also, in general, when a line was changed after it has been added, you would have the same problem as with this patch, so I don't see what difference this makes. Lars On Sat, 26 Sep 2015 00:11:26 +0200, Michael Tremer <michael.tremer(a)ipfire.org> wrote: > Hi, > > I am not really sure if this is a patch that I want to merge. It > certainly fixes the bad coding regarding the indentation, but it will > also make it difficult to find out what changed in what commit since > there will only be this massive patch in the history. If we want to > know when a certain line in the code was added, we won't find this so > easily any more. > > I will have to discuss this with Arne. > > Best, > -Michael > > On Fri, 2015-09-25 at 23:01 +0200, Lars Schuhmacher wrote: >> Replaced spaces with tab characters. Fixed indentation. >> >> This is based on http://patchwork.ipfire.org/patch/88/ so that patch >> must be applied before. >> >> Signed-off-by: Lars Schuhmacher <larsen007(a)web.de> >> --- >> html/cgi-bin/vpnmain.cgi | 4313 +++++++++++++++++++++++------------- >> ---------- >> 1 file changed, 2155 insertions(+), 2158 deletions(-) >> >> diff --git a/html/cgi-bin/vpnmain.cgi b/html/cgi-bin/vpnmain.cgi >> index 5658dac..e717862 100644 >> --- a/html/cgi-bin/vpnmain.cgi >> +++ b/html/cgi-bin/vpnmain.cgi >> @@ -40,8 +40,7 @@ undef (@dummy); >> ### >> ### Initialize variables >> ### >> -my $sleepDelay = 4; # after a call to ipsecctrl S or R, wait >> this delay (seconds) before reading status >> - # (let the ipsec do its job) >> +my $sleepDelay = 4; # after a call to ipsecctrl S or R, wait this >> delay (seconds) before reading status (let the ipsec do its job) >> my %netsettings=(); >> our %cgiparams=(); >> our %vpnsettings=(); >> @@ -132,103 +131,101 @@ sub valid_dns_host { >> ### Just return true is one interface is vpn enabled >> ### >> sub vpnenabled { >> - return ($vpnsettings{'ENABLED'} eq 'on'); >> + return ($vpnsettings{'ENABLED'} eq 'on'); >> } >> ### >> -### old version: maintain serial number to one, without explication. >> -### this : let the counter go, so that each cert is >> numbered. >> +### old version: maintain serial number to one, without explication. >> +### this: let the counter go, so that each cert is numbered. >> ### >> -sub cleanssldatabase >> -{ >> - if (open(FILE, ">${General::swroot}/certs/serial")) { >> - print FILE "01"; >> - close FILE; >> - } >> - if (open(FILE, ">${General::swroot}/certs/index.txt")) { >> - print FILE ""; >> - close FILE; >> - } >> - unlink ("${General::swroot}/certs/index.txt.old"); >> - unlink ("${General::swroot}/certs/serial.old"); >> - unlink ("${General::swroot}/certs/01.pem"); >> +sub cleanssldatabase { >> + if (open(FILE, ">${General::swroot}/certs/serial")) { >> + print FILE "01"; >> + close FILE; >> + } >> + if (open(FILE, ">${General::swroot}/certs/index.txt")) { >> + print FILE ""; >> + close FILE; >> + } >> + unlink ("${General::swroot}/certs/index.txt.old"); >> + unlink ("${General::swroot}/certs/serial.old"); >> + unlink ("${General::swroot}/certs/01.pem"); >> } >> -sub newcleanssldatabase >> -{ >> - if (! -s "${General::swroot}/certs/serial" ) { >> - open(FILE, ">${General::swroot}/certs/serial"); >> - print FILE "01"; >> - close FILE; >> - } >> - if (! -s ">${General::swroot}/certs/index.txt") { >> - system ("touch ${General::swroot}/certs/index.txt"); >> - } >> - unlink ("${General::swroot}/certs/index.txt.old"); >> - unlink ("${General::swroot}/certs/serial.old"); >> -# unlink ("${General::swroot}/certs/01.pem"); numbe >> ring evolves. Wrong place to delete >> +sub newcleanssldatabase { >> + if (! -s "${General::swroot}/certs/serial" ) { >> + open(FILE, ">${General::swroot}/certs/serial"); >> + print FILE "01"; >> + close FILE; >> + } >> + if (! -s ">${General::swroot}/certs/index.txt") { >> + system ("touch ${General::swroot}/certs/index.txt"); >> + } >> + unlink ("${General::swroot}/certs/index.txt.old"); >> + unlink ("${General::swroot}/certs/serial.old"); >> +# unlink ("${General::swroot}/certs/01.pem"); >> numbering evolves. Wrong place to delete >> } >> >> ### >> ### Call openssl and return errormessage if any >> ### >> sub callssl ($) { >> - my $opt = shift; >> - my $retssl = `/usr/bin/openssl $opt 2>&1`; #redirect >> stderr >> - my $ret = ''; >> - foreach my $line (split (/\n/, $retssl)) { >> - &General::log("ipsec", "$line") if (0); # 1 >> for verbose logging >> - $ret .= '<br>'.$line if ( $line =~ /error|unknown/ ); >> - } >> - if ($ret) { >> - $ret= &Header::cleanhtml($ret); >> - } >> - return $ret ? "$Lang::tr{'openssl produced an error'}: $ret" : >> '' ; >> + my $opt = shift; >> + my $retssl = `/usr/bin/openssl $opt 2>&1`; #redirect stderr >> + my $ret = ''; >> + foreach my $line (split (/\n/, $retssl)) { >> + &General::log("ipsec", "$line") if (0); # 1 for >> verbose logging >> + $ret .= '<br>'.$line if ( $line =~ /error|unknown/ >> ); >> + } >> + if ($ret) { >> + $ret= &Header::cleanhtml($ret); >> + } >> + return $ret ? "$Lang::tr{'openssl produced an error'}: $ret" >> : '' ; >> } >> ### >> ### Obtain a CN from given cert >> ### >> sub getCNfromcert ($) { >> - #&General::log("ipsec", "Extracting name from $_[0]..."); >> - my $temp = `/usr/bin/openssl x509 -text -in $_[0]`; >> - $temp =~ /Subject:.*CN=(.*)[\n]/; >> - $temp = $1; >> - $temp =~ s+/Email+, E+; >> - $temp =~ s/ ST=/ S=/; >> - $temp =~ s/,//g; >> - $temp =~ s/\'//g; >> - return $temp; >> + #&General::log("ipsec", "Extracting name from $_[0]..."); >> + my $temp = `/usr/bin/openssl x509 -text -in $_[0]`; >> + $temp =~ /Subject:.*CN=(.*)[\n]/; >> + $temp = $1; >> + $temp =~ s+/Email+, E+; >> + $temp =~ s/ ST=/ S=/; >> + $temp =~ s/,//g; >> + $temp =~ s/\'//g; >> + return $temp; >> } >> ### >> ### Obtain Subject from given cert >> ### >> sub getsubjectfromcert ($) { >> - #&General::log("ipsec", "Extracting subject from $_[0]..."); >> - my $temp = `/usr/bin/openssl x509 -text -in $_[0]`; >> - $temp =~ /Subject: (.*)[\n]/; >> - $temp = $1; >> - $temp =~ s+/Email+, E+; >> - $temp =~ s/ ST=/ S=/; >> - return $temp; >> + #&General::log("ipsec", "Extracting subject from $_[0]..."); >> + my $temp = `/usr/bin/openssl x509 -text -in $_[0]`; >> + $temp =~ /Subject: (.*)[\n]/; >> + $temp = $1; >> + $temp =~ s+/Email+, E+; >> + $temp =~ s/ ST=/ S=/; >> + return $temp; >> } >> ### >> -### Combine local subnet and connection name to make a unique name >> for each connection section >> +### Combine local subnet and connection name to make a unique name >> for each connection section >> ### (this sub is not used now) >> ### >> sub makeconnname ($) { >> - my $conn = shift; >> - my $subnet = shift; >> - >> - $subnet =~ /^(.*?)\/(.*?)$/; # $1=IP $2=mask >> - my $ip = unpack('N', &Socket::inet_aton($1)); >> - if (length ($2) > 2) { >> - my $mm = unpack('N', &Socket::inet_aton($2)); >> - while ( ($mm & 1)==0 ) { >> - $ip >>= 1; >> - $mm >>= 1; >> - }; >> - } else { >> - $ip >>= (32 - $2); >> - } >> - return sprintf ("%s-%X", $conn, $ip); >> + my $conn = shift; >> + my $subnet = shift; >> + >> + $subnet =~ /^(.*?)\/(.*?)$/; # $1=IP $2=mask >> + my $ip = unpack('N', &Socket::inet_aton($1)); >> + if (length ($2) > 2) { >> + my $mm = unpack('N', &Socket::inet_aton($2)); >> + while ( ($mm & 1)==0 ) { >> + $ip >>= 1; >> + $mm >>= 1; >> + }; >> + } else { >> + $ip >>= (32 - $2); >> + } >> + return sprintf ("%s-%X", $conn, $ip); >> } >> ### >> ### Write a config file. >> @@ -238,197 +235,198 @@ sub makeconnname ($) { >> ### >> >> sub writeipsecfiles { >> - my %lconfighash = (); >> - my %lvpnsettings = (); >> - &General::readhasharray("${General::swroot}/vpn/config", >> \%lconfighash); >> - &General::readhash("${General::swroot}/vpn/settings", >> \%lvpnsettings); >> - >> - open(CONF, ">${General::swroot}/vpn/ipsec.conf") or die >> "Unable to open ${General::swroot}/vpn/ipsec.conf: $!"; >> - open(SECRETS, ">${General::swroot}/vpn/ipsec.secrets") or die >> "Unable to open ${General::swroot}/vpn/ipsec.secrets: $!"; >> - flock CONF, 2; >> - flock SECRETS, 2; >> - print CONF "version 2\n\n"; >> - print CONF "conn %default\n"; >> - print CONF "\tkeyingtries=%forever\n"; >> - print CONF "\n"; >> - >> - # Add user includes to config file >> - if (-e "/etc/ipsec.user.conf") { >> - print CONF "include /etc/ipsec.user.conf\n"; >> - print CONF "\n"; >> - } >> - >> - print SECRETS "include /etc/ipsec.user.secrets\n"; >> - >> - if (-f "${General::swroot}/certs/hostkey.pem") { >> - print SECRETS ": RSA ${General::swroot}/certs/hostkey.pem\n" >> - } >> - my $last_secrets = ''; # old the less specifics connections >> - >> - foreach my $key (keys %lconfighash) { >> - next if ($lconfighash{$key}[0] ne 'on'); >> - >> - #remote peer is not set? => use '%any' >> - $lconfighash{$key}[10] = '%any' if ($lconfighash{$key}[10] >> eq ''); >> - >> - my $localside; >> - if ($lconfighash{$key}[26] eq 'BLUE') { >> - $localside = $netsettings{'BLUE_ADDRESS'}; >> - } elsif ($lconfighash{$key}[26] eq 'GREEN') { >> - $localside = $netsettings{'GREEN_ADDRESS'}; >> - } elsif ($lconfighash{$key}[26] eq 'ORANGE') { >> - $localside = $netsettings{'ORANGE_ADDRESS'}; >> - } else { # it is RED >> - $localside = $lvpnsettings{'VPN_IP'}; >> - } >> - >> - print CONF "conn $lconfighash{$key}[1]\n"; >> - print CONF "\tleft=$localside\n"; >> - my $cidr_net=&General::ipcidr($lconfighash{$key}[8]); >> - print CONF "\tleftsubnet=$cidr_net\n"; >> - print CONF "\tleftfirewall=yes\n"; >> - print CONF "\tlefthostaccess=yes\n"; >> - >> - print CONF "\tright=$lconfighash{$key}[10]\n"; >> - if ($lconfighash{$key}[3] eq 'net') { >> - my $cidr_net=&General::ipcidr($lconfighash{$key}[11]); >> - print CONF "\trightsubnet=$cidr_net\n"; >> - } >> - >> - # Local Cert and Remote Cert (unless auth is DN dn-auth) >> - if ($lconfighash{$key}[4] eq 'cert') { >> - print CONF >> "\tleftcert=${General::swroot}/certs/hostcert.pem\n"; >> - print CONF >> "\trightcert=${General::swroot}/certs/$lconfighash{$key}[1]cert.pem\n >> " if ($lconfighash{$key}[2] ne '%auth-dn'); >> - } >> - >> - # Local and Remote IDs >> - print CONF "\tleftid=\"$lconfighash{$key}[7]\"\n" if >> ($lconfighash{$key}[7]); >> - print CONF "\trightid=\"$lconfighash{$key}[9]\"\n" if >> ($lconfighash{$key}[9]); >> - >> - # Is PFS enabled? >> - my $pfs = $lconfighash{$key}[28] eq 'on' ? 'on' : 'off'; >> - >> - # Algorithms >> - if ($lconfighash{$key}[18] && $lconfighash{$key}[19] && >> $lconfighash{$key}[20]) { >> - my @encs = split('\|', $lconfighash{$key}[18]); >> - my @ints = split('\|', $lconfighash{$key}[19]); >> - my @groups = split('\|', $lconfighash{$key}[20]); >> - >> - my @algos = &make_algos("ike", \@encs, \@ints, >> \@groups, 1); >> - print CONF "\tike=" . join(",", @algos); >> - >> - if ($lconfighash{$key}[24] eq 'on') { #only >> proposed algorythms? >> - print CONF "!\n"; >> - } else { >> - print CONF "\n"; >> - } >> + my %lconfighash = (); >> + my %lvpnsettings = (); >> + &General::readhasharray("${General::swroot}/vpn/config", >> \%lconfighash); >> + &General::readhash("${General::swroot}/vpn/settings", >> \%lvpnsettings); >> + >> + open(CONF, ">${General::swroot}/vpn/ipsec.conf") or die >> "Unable to open ${General::swroot}/vpn/ipsec.conf: $!"; >> + open(SECRETS, ">${General::swroot}/vpn/ipsec.secrets") or >> die "Unable to open ${General::swroot}/vpn/ipsec.secrets: $!"; >> + flock CONF, 2; >> + flock SECRETS, 2; >> + print CONF "version 2\n\n"; >> + print CONF "conn %default\n"; >> + print CONF "\tkeyingtries=%forever\n"; >> + print CONF "\n"; >> + >> + # Add user includes to config file >> + if (-e "/etc/ipsec.user.conf") { >> + print CONF "include /etc/ipsec.user.conf\n"; >> + print CONF "\n"; >> } >> >> - if ($lconfighash{$key}[21] && $lconfighash{$key}[22]) { >> - my @encs = split('\|', $lconfighash{$key}[21]); >> - my @ints = split('\|', $lconfighash{$key}[22]); >> - my @groups = split('\|', $lconfighash{$key}[23]); >> + print SECRETS "include /etc/ipsec.user.secrets\n"; >> >> - # Use IKE grouptype if no ESP group type has been >> selected >> - # (for backwards compatibility) >> - if ($lconfighash{$key}[23] eq "") { >> - @groups = split('\|', >> $lconfighash{$key}[20]); >> + if (-f "${General::swroot}/certs/hostkey.pem") { >> + print SECRETS ": RSA >> ${General::swroot}/certs/hostkey.pem\n" >> + } >> + my $last_secrets = ''; # old the less specifics connections >> + >> + foreach my $key (keys %lconfighash) { >> + next if ($lconfighash{$key}[0] ne 'on'); >> + >> + #remote peer is not set? => use '%any' >> + $lconfighash{$key}[10] = '%any' if >> ($lconfighash{$key}[10] eq ''); >> + >> + my $localside; >> + if ($lconfighash{$key}[26] eq 'BLUE') { >> + $localside = $netsettings{'BLUE_ADDRESS'}; >> + } elsif ($lconfighash{$key}[26] eq 'GREEN') { >> + $localside = $netsettings{'GREEN_ADDRESS'}; >> + } elsif ($lconfighash{$key}[26] eq 'ORANGE') { >> + $localside = $netsettings{'ORANGE_ADDRESS'}; >> + } else { # it is RED >> + $localside = $lvpnsettings{'VPN_IP'}; >> } >> >> - my @algos = &make_algos("esp", \@encs, \@ints, >> \@groups, ($pfs eq "on")); >> - print CONF "\tesp=" . join(",", @algos); >> + print CONF "conn $lconfighash{$key}[1]\n"; >> + print CONF "\tleft=$localside\n"; >> + my >> $cidr_net=&General::ipcidr($lconfighash{$key}[8]); >> + print CONF "\tleftsubnet=$cidr_net\n"; >> + print CONF "\tleftfirewall=yes\n"; >> + print CONF "\tlefthostaccess=yes\n"; >> + print CONF "\tright=$lconfighash{$key}[10]\n"; >> + >> + if ($lconfighash{$key}[3] eq 'net') { >> + my >> $cidr_net=&General::ipcidr($lconfighash{$key}[11]); >> + print CONF "\trightsubnet=$cidr_net\n"; >> + } >> >> - if ($lconfighash{$key}[24] eq 'on') { #only >> proposed algorythms? >> - print CONF "!\n"; >> - } else { >> - print CONF "\n"; >> + # Local Cert and Remote Cert (unless auth is DN dn >> -auth) >> + if ($lconfighash{$key}[4] eq 'cert') { >> + print CONF >> "\tleftcert=${General::swroot}/certs/hostcert.pem\n"; >> + print CONF >> "\trightcert=${General::swroot}/certs/$lconfighash{$key}[1]cert.pem\n >> " if ($lconfighash{$key}[2] ne '%auth-dn'); >> } >> - } >> >> - # IKE V1 or V2 >> - if (! $lconfighash{$key}[29]) { >> - $lconfighash{$key}[29] = "ikev1"; >> - } >> - print CONF "\tkeyexchange=$lconfighash{$key}[29]\n"; >> + # Local and Remote IDs >> + print CONF "\tleftid=\"$lconfighash{$key}[7]\"\n" if >> ($lconfighash{$key}[7]); >> + print CONF "\trightid=\"$lconfighash{$key}[9]\"\n" >> if ($lconfighash{$key}[9]); >> >> - # Lifetimes >> - print CONF "\tikelifetime=$lconfighash{$key}[16]h\n" if >> ($lconfighash{$key}[16]); >> - print CONF "\tkeylife=$lconfighash{$key}[17]h\n" if >> ($lconfighash{$key}[17]); >> + # Is PFS enabled? >> + my $pfs = $lconfighash{$key}[28] eq 'on' ? 'on' : >> 'off'; >> >> - # Compression >> - print CONF "\tcompress=yes\n" if ($lconfighash{$key}[13] eq >> 'on'); >> + # Algorithms >> + if ($lconfighash{$key}[18] && $lconfighash{$key}[19] >> && $lconfighash{$key}[20]) { >> + my @encs = split('\|', >> $lconfighash{$key}[18]); >> + my @ints = split('\|', >> $lconfighash{$key}[19]); >> + my @groups = split('\|', >> $lconfighash{$key}[20]); >> >> - # Force MOBIKE? >> - if (($lconfighash{$key}[29] eq "ikev2") && >> ($lconfighash{$key}[32] eq 'on')) { >> - print CONF "\tmobike=yes\n"; >> - } >> + my @algos = &make_algos("ike", \@encs, >> \@ints, \@groups, 1); >> + print CONF "\tike=" . join(",", @algos); >> + >> + if ($lconfighash{$key}[24] eq 'on') { #only >> proposed algorythms? >> + print CONF "!\n"; >> + } else { >> + print CONF "\n"; >> + } >> + } >> + >> + if ($lconfighash{$key}[21] && >> $lconfighash{$key}[22]) { >> + my @encs = split('\|', >> $lconfighash{$key}[21]); >> + my @ints = split('\|', >> $lconfighash{$key}[22]); >> + my @groups = split('\|', >> $lconfighash{$key}[23]); >> + >> + # Use IKE grouptype if no ESP group type has >> been selected >> + # (for backwards compatibility) >> + if ($lconfighash{$key}[23] eq "") { >> + @groups = split('\|', >> $lconfighash{$key}[20]); >> + } >> >> - # Dead Peer Detection >> - my $dpdaction = $lconfighash{$key}[27]; >> - print CONF "\tdpdaction=$dpdaction\n"; >> + my @algos = &make_algos("esp", \@encs, >> \@ints, \@groups, ($pfs eq "on")); >> + print CONF "\tesp=" . join(",", @algos); >> >> - # If the dead peer detection is disabled and IKEv2 is used, >> - # dpddelay must be set to zero, too. >> - if ($dpdaction eq "none") { >> - if ($lconfighash{$key}[29] eq "ikev2") { >> - print CONF "\tdpddelay=0\n"; >> + if ($lconfighash{$key}[24] eq 'on') { #only >> proposed algorythms? >> + print CONF "!\n"; >> + } else { >> + print CONF "\n"; >> + } >> } >> - } else { >> - my $dpddelay = $lconfighash{$key}[31]; >> - if (!$dpddelay) { >> - $dpddelay = 30; >> - } >> - print CONF "\tdpddelay=$dpddelay\n"; >> - my $dpdtimeout = $lconfighash{$key}[30]; >> - if (!$dpdtimeout) { >> - $dpdtimeout = 120; >> - } >> - print CONF "\tdpdtimeout=$dpdtimeout\n"; >> - } >> - >> - # Build Authentication details: LEFTid RIGHTid : PSK psk >> - my $psk_line; >> - if ($lconfighash{$key}[4] eq 'psk') { >> - $psk_line = ($lconfighash{$key}[7] ? >> $lconfighash{$key}[7] : $localside) . " " ; >> - $psk_line .= $lconfighash{$key}[9] ? >> $lconfighash{$key}[9] : $lconfighash{$key}[10]; #remoteid or remote >> address? >> - $psk_line .= " : PSK '$lconfighash{$key}[5]'\n"; >> - # if the line contains %any, it is less specific than >> two IP or ID, so move it at end of file. >> - if ($psk_line =~ /%any/) { >> - $last_secrets .= $psk_line; >> - } else { >> - print SECRETS $psk_line; >> - } >> - print CONF "\tauthby=secret\n"; >> - } else { >> - print CONF "\tauthby=rsasig\n"; >> - print CONF "\tleftrsasigkey=%cert\n"; >> - print CONF "\trightrsasigkey=%cert\n"; >> - } >> >> - # Automatically start only if a net-to-net connection >> - if ($lconfighash{$key}[3] eq 'host') { >> - print CONF "\tauto=add\n"; >> - print CONF "\trightsourceip=$lvpnsettings{'RW_NET'}\n"; >> - } else { >> - print CONF "\tauto=start\n"; >> - } >> + # IKE V1 or V2 >> + if (! $lconfighash{$key}[29]) { >> + $lconfighash{$key}[29] = "ikev1"; >> + } >> >> - # Fragmentation >> - print CONF "\tfragmentation=yes\n"; >> + print CONF "\tkeyexchange=$lconfighash{$key}[29]\n"; >> >> - print CONF "\n"; >> - }#foreach key >> - >> - # Add post user includes to config file >> - # After the GUI-connections allows to patch connections. >> - if (-e "/etc/ipsec.user-post.conf") { >> - print CONF "include /etc/ipsec.user-post.conf\n"; >> - print CONF "\n"; >> - } >> - >> - print SECRETS $last_secrets if ($last_secrets); >> - close(CONF); >> - close(SECRETS); >> + # Lifetimes >> + print CONF "\tikelifetime=$lconfighash{$key}[16]h\n" >> if ($lconfighash{$key}[16]); >> + print CONF "\tkeylife=$lconfighash{$key}[17]h\n" if >> ($lconfighash{$key}[17]); >> + >> + # Compression >> + print CONF "\tcompress=yes\n" if >> ($lconfighash{$key}[13] eq 'on'); >> + >> + # Force MOBIKE? >> + if (($lconfighash{$key}[29] eq "ikev2") && >> ($lconfighash{$key}[32] eq 'on')) { >> + print CONF "\tmobike=yes\n"; >> + } >> + >> + # Dead Peer Detection >> + my $dpdaction = $lconfighash{$key}[27]; >> + print CONF "\tdpdaction=$dpdaction\n"; >> + >> + # If the dead peer detection is disabled and IKEv2 >> is used, >> + # dpddelay must be set to zero, too. >> + if ($dpdaction eq "none") { >> + if ($lconfighash{$key}[29] eq "ikev2") { >> + print CONF "\tdpddelay=0\n"; >> + } >> + } else { >> + my $dpddelay = $lconfighash{$key}[31]; >> + if (!$dpddelay) { >> + $dpddelay = 30; >> + } >> + print CONF "\tdpddelay=$dpddelay\n"; >> + my $dpdtimeout = $lconfighash{$key}[30]; >> + if (!$dpdtimeout) { >> + $dpdtimeout = 120; >> + } >> + print CONF "\tdpdtimeout=$dpdtimeout\n"; >> + } >> + >> + # Build Authentication details: LEFTid RIGHTid : PSK >> psk >> + my $psk_line; >> + if ($lconfighash{$key}[4] eq 'psk') { >> + $psk_line = ($lconfighash{$key}[7] ? >> $lconfighash{$key}[7] : $localside) . " " ; >> + $psk_line .= $lconfighash{$key}[9] ? >> $lconfighash{$key}[9] : $lconfighash{$key}[10]; #remoteid or remote >> address? >> + $psk_line .= " : PSK >> '$lconfighash{$key}[5]'\n"; >> + # if the line contains %any, it is less >> specific than two IP or ID, so move it at end of file. >> + if ($psk_line =~ /%any/) { >> + $last_secrets .= $psk_line; >> + } else { >> + print SECRETS $psk_line; >> + } >> + print CONF "\tauthby=secret\n"; >> + } else { >> + print CONF "\tauthby=rsasig\n"; >> + print CONF "\tleftrsasigkey=%cert\n"; >> + print CONF "\trightrsasigkey=%cert\n"; >> + } >> + >> + # Automatically start only if a net-to-net >> connection >> + if ($lconfighash{$key}[3] eq 'host') { >> + print CONF "\tauto=add\n"; >> + print CONF >> "\trightsourceip=$lvpnsettings{'RW_NET'}\n"; >> + } else { >> + print CONF "\tauto=start\n"; >> + } >> + >> + # Fragmentation >> + print CONF "\tfragmentation=yes\n"; >> + >> + print CONF "\n"; >> + } #foreach key >> + >> + # Add post user includes to config file >> + # After the GUI-connections allows to patch connections. >> + if (-e "/etc/ipsec.user-post.conf") { >> + print CONF "include /etc/ipsec.user-post.conf\n"; >> + print CONF "\n"; >> + } >> + >> + print SECRETS $last_secrets if ($last_secrets); >> + close(CONF); >> + close(SECRETS); >> } >> >> # Hook to regenerate the configuration files. >> @@ -441,779 +439,779 @@ if ($ENV{"REMOTE_ADDR"} eq "") { >> ### Save main settings >> ### >> if ($cgiparams{'ACTION'} eq $Lang::tr{'save'} && $cgiparams{'TYPE'} >> eq '' && $cgiparams{'KEY'} eq '') { >> - &General::readhash("${General::swroot}/vpn/settings", >> \%vpnsettings); >> - unless (&General::validfqdn($cgiparams{'VPN_IP'}) || >> &General::validip($cgiparams{'VPN_IP'}) >> - || $cgiparams{'VPN_IP'} eq '%defaultroute' ) { >> - $errormessage = $Lang::tr{'invalid input for hostname'}; >> - goto SAVE_ERROR; >> - } >> - >> - unless ($cgiparams{'VPN_DELAYED_START'} =~ /^[0-9]{1,3}$/ ) { >> #allow 0-999 seconds ! >> - $errormessage = $Lang::tr{'invalid time period'}; >> - goto SAVE_ERROR; >> - } >> - >> - if ( $cgiparams{'RW_NET'} ne '' and >> !&General::validipandmask($cgiparams{'RW_NET'}) ) { >> - $errormessage = $Lang::tr{'urlfilter invalid ip or mask >> error'}; >> - goto SAVE_ERROR; >> - } >> - >> - $vpnsettings{'ENABLED'} = $cgiparams{'ENABLED'}; >> - $vpnsettings{'VPN_IP'} = $cgiparams{'VPN_IP'}; >> - $vpnsettings{'VPN_DELAYED_START'} = >> $cgiparams{'VPN_DELAYED_START'}; >> - $vpnsettings{'RW_NET'} = $cgiparams{'RW_NET'}; >> - &General::writehash("${General::swroot}/vpn/settings", >> \%vpnsettings); >> - &writeipsecfiles(); >> - if (&vpnenabled) { >> - system('/usr/local/bin/ipsecctrl', 'S'); >> - } else { >> - system('/usr/local/bin/ipsecctrl', 'D'); >> - } >> - sleep $sleepDelay; >> - SAVE_ERROR: >> + &General::readhash("${General::swroot}/vpn/settings", >> \%vpnsettings); >> + >> + unless (&General::validfqdn($cgiparams{'VPN_IP'}) || >> &General::validip($cgiparams{'VPN_IP'}) >> + || $cgiparams{'VPN_IP'} eq '%defaultroute' ) { >> + $errormessage = $Lang::tr{'invalid input for >> hostname'}; >> + goto SAVE_ERROR; >> + } >> + >> + unless ($cgiparams{'VPN_DELAYED_START'} =~ /^[0-9]{1,3}$/ ) >> { #allow 0-999 seconds ! >> + $errormessage = $Lang::tr{'invalid time period'}; >> + goto SAVE_ERROR; >> + } >> + >> + if ( $cgiparams{'RW_NET'} ne '' and >> !&General::validipandmask($cgiparams{'RW_NET'}) ) { >> + $errormessage = $Lang::tr{'urlfilter invalid ip or >> mask error'}; >> + goto SAVE_ERROR; >> + } >> + >> + $vpnsettings{'ENABLED'} = $cgiparams{'ENABLED'}; >> + $vpnsettings{'VPN_IP'} = $cgiparams{'VPN_IP'}; >> + $vpnsettings{'VPN_DELAYED_START'} = >> $cgiparams{'VPN_DELAYED_START'}; >> + $vpnsettings{'RW_NET'} = $cgiparams{'RW_NET'}; >> + &General::writehash("${General::swroot}/vpn/settings", >> \%vpnsettings); >> + &writeipsecfiles(); >> + if (&vpnenabled) { >> + system('/usr/local/bin/ipsecctrl', 'S'); >> + } else { >> + system('/usr/local/bin/ipsecctrl', 'D'); >> + } >> + sleep $sleepDelay; >> + SAVE_ERROR: >> ### >> ### Reset all step 2 >> ### >> } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'remove x509'} && >> $cgiparams{'AREUSURE'} eq 'yes') { >> - &General::readhasharray("${General::swroot}/vpn/config", >> \%confighash); >> - >> - foreach my $key (keys %confighash) { >> - if ($confighash{$key}[4] eq 'cert') { >> - delete $confighash{$key}; >> - } >> - } >> - while (my $file = >> glob("${General::swroot}/{ca,certs,crls,private}/*")) { >> - unlink $file >> - } >> - &cleanssldatabase(); >> - if (open(FILE, ">${General::swroot}/vpn/caconfig")) { >> - print FILE ""; >> - close FILE; >> - } >> - &General::writehasharray("${General::swroot}/vpn/config", >> \%confighash); >> - &writeipsecfiles(); >> - system('/usr/local/bin/ipsecctrl', 'R'); >> - sleep $sleepDelay; >> + &General::readhasharray("${General::swroot}/vpn/config", >> \%confighash); >> + >> + foreach my $key (keys %confighash) { >> + if ($confighash{$key}[4] eq 'cert') { >> + delete $confighash{$key}; >> + } >> + } >> + while (my $file = >> glob("${General::swroot}/{ca,certs,crls,private}/*")) { >> + unlink $file >> + } >> + &cleanssldatabase(); >> + if (open(FILE, ">${General::swroot}/vpn/caconfig")) { >> + print FILE ""; >> + close FILE; >> + } >> + &General::writehasharray("${General::swroot}/vpn/config", >> \%confighash); >> + &writeipsecfiles(); >> + system('/usr/local/bin/ipsecctrl', 'R'); >> + sleep $sleepDelay; >> >> ### >> ### Reset all step 1 >> ### >> } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'remove x509'}) { >> - &Header::showhttpheaders(); >> - &Header::openpage($Lang::tr{'ipsec'}, 1, ''); >> - &Header::openbigbox('100%', 'left', '', ''); >> - &Header::openbox('100%', 'left', $Lang::tr{'are you sure'}); >> - print <<END >> + &Header::showhttpheaders(); >> + &Header::openpage($Lang::tr{'ipsec'}, 1, ''); >> + &Header::openbigbox('100%', 'left', '', ''); >> + &Header::openbox('100%', 'left', $Lang::tr{'are you sure'}); >> + print <<END >> <form method='post' action='$ENV{'SCRIPT_NAME'}'> >> - <table width='100%'> >> - <tr> >> - <td align='center'> >> - <input type='hidden' name='AREUSURE' value='yes' /> >> - <b><font >> color='${Header::colourred}'>$Lang::tr{'capswarning'}</font></b>: >> - $Lang::tr{'resetting the vpn configuration will >> remove the root ca, the host certificate and all certificate based >> connections'}</td> >> - </tr><tr> >> - <td align='center'> >> - <input type='submit' name='ACTION' >> value='$Lang::tr{'remove x509'}' /> >> + <table width='100%'> >> + <tr> >> + <td align='center'> >> + <input type='hidden' >> name='AREUSURE' value='yes' /> >> + <b><font >> color='${Header::colourred}'>$Lang::tr{'capswarning'}</font></b>:&nbs >> p;$Lang::tr{'resetting the vpn configuration will remove the root ca, >> the host certificate and all certificate based connections'} >> + </td> >> + </tr><tr> >> + <td align='center'> >> + <input type='submit' >> name='ACTION' value='$Lang::tr{'remove x509'}' /> >> <input type='submit' name='ACTION' >> value='$Lang::tr{'cancel'}' /></td> >> - </tr> >> - </table> >> + </tr> >> + </table> >> </form> >> END >> - ; >> - &Header::closebox(); >> - &Header::closebigbox(); >> - &Header::closepage(); >> - exit (0); >> +; >> + &Header::closebox(); >> + &Header::closebigbox(); >> + &Header::closepage(); >> + exit (0); >> >> ### >> ### Upload CA Certificate >> ### >> } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'upload ca certificate'}) >> { >> - &General::readhasharray("${General::swroot}/vpn/caconfig", >> \%cahash); >> - >> - if ($cgiparams{'CA_NAME'} !~ /^[a-zA-Z0-9]+$/) { >> - $errormessage = $Lang::tr{'name must only contain >> characters'}; >> - goto UPLOADCA_ERROR; >> - } >> - >> - if (length($cgiparams{'CA_NAME'}) >60) { >> - $errormessage = $Lang::tr{'name too long'}; >> - goto VPNCONF_ERROR; >> - } >> - >> - if ($cgiparams{'CA_NAME'} eq 'ca') { >> - $errormessage = $Lang::tr{'name is invalid'}; >> - goto UPLOAD_CA_ERROR; >> - } >> - >> - # Check if there is no other entry with this name >> - foreach my $key (keys %cahash) { >> - if ($cahash{$key}[0] eq $cgiparams{'CA_NAME'}) { >> - $errormessage = $Lang::tr{'a ca certificate with this >> name already exists'}; >> - goto UPLOADCA_ERROR; >> - } >> - } >> - >> - if (ref ($cgiparams{'FH'}) ne 'Fh') { >> - $errormessage = $Lang::tr{'there was no file upload'}; >> - goto UPLOADCA_ERROR; >> - } >> - # Move uploaded ca to a temporary file >> - (my $fh, my $filename) = tempfile( ); >> - if (copy ($cgiparams{'FH'}, $fh) != 1) { >> - $errormessage = $!; >> - goto UPLOADCA_ERROR; >> - } >> - my $temp = `/usr/bin/openssl x509 -text -in $filename`; >> - if ($temp !~ /CA:TRUE/i) { >> - $errormessage = $Lang::tr{'not a valid ca certificate'}; >> - unlink ($filename); >> - goto UPLOADCA_ERROR; >> - } else { >> - move($filename, >> "${General::swroot}/ca/$cgiparams{'CA_NAME'}cert.pem"); >> - if ($? ne 0) { >> - $errormessage = "$Lang::tr{'certificate file move >> failed'}: $!"; >> - unlink ($filename); >> - goto UPLOADCA_ERROR; >> - } >> - } >> - >> - my $key = &General::findhasharraykey (\%cahash); >> - $cahash{$key}[0] = $cgiparams{'CA_NAME'}; >> - $cahash{$key}[1] = &Header::cleanhtml(getsubjectfromcert >> ("${General::swroot}/ca/$cgiparams{'CA_NAME'}cert.pem")); >> - &General::writehasharray("${General::swroot}/vpn/caconfig", >> \%cahash); >> - >> - system('/usr/local/bin/ipsecctrl', 'R'); >> - sleep $sleepDelay; >> - >> - UPLOADCA_ERROR: >> + &General::readhasharray("${General::swroot}/vpn/caconfig", >> \%cahash); >> + >> + if ($cgiparams{'CA_NAME'} !~ /^[a-zA-Z0-9]+$/) { >> + $errormessage = $Lang::tr{'name must only contain >> characters'}; >> + goto UPLOADCA_ERROR; >> + } >> + >> + if (length($cgiparams{'CA_NAME'}) >60) { >> + $errormessage = $Lang::tr{'name too long'}; >> + goto VPNCONF_ERROR; >> + } >> + >> + if ($cgiparams{'CA_NAME'} eq 'ca') { >> + $errormessage = $Lang::tr{'name is invalid'}; >> + goto UPLOAD_CA_ERROR; >> + } >> + >> + # Check if there is no other entry with this name >> + foreach my $key (keys %cahash) { >> + if ($cahash{$key}[0] eq $cgiparams{'CA_NAME'}) { >> + $errormessage = $Lang::tr{'a ca certificate >> with this name already exists'}; >> + goto UPLOADCA_ERROR; >> + } >> + } >> + >> + if (ref ($cgiparams{'FH'}) ne 'Fh') { >> + $errormessage = $Lang::tr{'there was no file >> upload'}; >> + goto UPLOADCA_ERROR; >> + } >> + # Move uploaded ca to a temporary file >> + (my $fh, my $filename) = tempfile( ); >> + if (copy ($cgiparams{'FH'}, $fh) != 1) { >> + $errormessage = $!; >> + goto UPLOADCA_ERROR; >> + } >> + my $temp = `/usr/bin/openssl x509 -text -in $filename`; >> + if ($temp !~ /CA:TRUE/i) { >> + $errormessage = $Lang::tr{'not a valid ca >> certificate'}; >> + unlink ($filename); >> + goto UPLOADCA_ERROR; >> + } else { >> + move($filename, >> "${General::swroot}/ca/$cgiparams{'CA_NAME'}cert.pem"); >> + if ($? ne 0) { >> + $errormessage = "$Lang::tr{'certificate file >> move failed'}: $!"; >> + unlink ($filename); >> + goto UPLOADCA_ERROR; >> + } >> + } >> + >> + my $key = &General::findhasharraykey (\%cahash); >> + $cahash{$key}[0] = $cgiparams{'CA_NAME'}; >> + $cahash{$key}[1] = &Header::cleanhtml(getsubjectfromcert >> ("${General::swroot}/ca/$cgiparams{'CA_NAME'}cert.pem")); >> + &General::writehasharray("${General::swroot}/vpn/caconfig", >> \%cahash); >> + >> + system('/usr/local/bin/ipsecctrl', 'R'); >> + sleep $sleepDelay; >> + >> + UPLOADCA_ERROR: >> >> ### >> ### Display ca certificate >> ### >> } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'show ca certificate'}) { >> - &General::readhasharray("${General::swroot}/vpn/caconfig", >> \%cahash); >> - >> - if ( -f >> "${General::swroot}/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem") { >> - &Header::showhttpheaders(); >> - &Header::openpage($Lang::tr{'ipsec'}, 1, ''); >> - &Header::openbigbox('100%', 'left', '', ''); >> - &Header::openbox('100%', 'left', "$Lang::tr{'ca >> certificate'}:"); >> - my $output = `/usr/bin/openssl x509 -text -in >> ${General::swroot}/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem`; >> - $output = &Header::cleanhtml($output,"y"); >> - print "<pre>$output</pre>\n"; >> - &Header::closebox(); >> - print "<div align='center'><a href='/cgi >> -bin/vpnmain.cgi'>$Lang::tr{'back'}</a></div>"; >> - &Header::closebigbox(); >> - &Header::closepage(); >> - exit(0); >> - } else { >> - $errormessage = $Lang::tr{'invalid key'}; >> - } >> + &General::readhasharray("${General::swroot}/vpn/caconfig", >> \%cahash); >> + >> + if ( -f >> "${General::swroot}/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem") { >> + &Header::showhttpheaders(); >> + &Header::openpage($Lang::tr{'ipsec'}, 1, ''); >> + &Header::openbigbox('100%', 'left', '', ''); >> + &Header::openbox('100%', 'left', "$Lang::tr{'ca >> certificate'}:"); >> + my $output = `/usr/bin/openssl x509 -text -in >> ${General::swroot}/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem`; >> + $output = &Header::cleanhtml($output,"y"); >> + print "<pre>$output</pre>\n"; >> + &Header::closebox(); >> + print "<div align='center'><a href='/cgi >> -bin/vpnmain.cgi'>$Lang::tr{'back'}</a></div>"; >> + &Header::closebigbox(); >> + &Header::closepage(); >> + exit(0); >> + } else { >> + $errormessage = $Lang::tr{'invalid key'}; >> + } >> >> ### >> ### Export ca certificate to browser >> ### >> } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'download ca >> certificate'}) { >> - &General::readhasharray("${General::swroot}/vpn/caconfig", >> \%cahash); >> - >> - if ( -f >> "${General::swroot}/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem" ) { >> - print "Content-Type: application/force-download\n"; >> - print "Content-Type: application/octet-stream\r\n"; >> - print "Content-Disposition: attachment; >> filename=$cahash{$cgiparams{'KEY'}}[0]cert.pem\r\n\r\n"; >> - print `/usr/bin/openssl x509 -in >> ${General::swroot}/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem`; >> - exit(0); >> - } else { >> - $errormessage = $Lang::tr{'invalid key'}; >> - } >> + &General::readhasharray("${General::swroot}/vpn/caconfig", >> \%cahash); >> + >> + if ( -f >> "${General::swroot}/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem" ) { >> + print "Content-Type: application/force-download\n"; >> + print "Content-Type: application/octet-stream\r\n"; >> + print "Content-Disposition: attachment; >> filename=$cahash{$cgiparams{'KEY'}}[0]cert.pem\r\n\r\n"; >> + print `/usr/bin/openssl x509 -in >> ${General::swroot}/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem`; >> + exit(0); >> + } else { >> + $errormessage = $Lang::tr{'invalid key'}; >> + } >> >> ### >> ### Remove ca certificate (step 2) >> ### >> } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'remove ca certificate'} >> && $cgiparams{'AREUSURE'} eq 'yes') { >> - &General::readhasharray("${General::swroot}/vpn/config", >> \%confighash); >> - &General::readhasharray("${General::swroot}/vpn/caconfig", >> \%cahash); >> - >> - if ( -f >> "${General::swroot}/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem" ) { >> - foreach my $key (keys %confighash) { >> - my $test = `/usr/bin/openssl verify -CAfile >> ${General::swroot}/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem >> ${General::swroot}/certs/$confighash{$key}[1]cert.pem`; >> - if ($test =~ /: OK/) { >> - # Delete connection >> - system('/usr/local/bin/ipsecctrl', 'D', $key) if >> (&vpnenabled); >> - unlink >> ("${General::swroot}/certs/$confighash{$key}[1]cert.pem"); >> - unlink >> ("${General::swroot}/certs/$confighash{$key}[1].p12"); >> - delete $confighash{$key}; >> - &General::writehasharray("${General::swroot}/vpn/con >> fig", \%confighash); >> - &writeipsecfiles(); >> - } >> + &General::readhasharray("${General::swroot}/vpn/config", >> \%confighash); >> + &General::readhasharray("${General::swroot}/vpn/caconfig", >> \%cahash); >> + >> + if ( -f >> "${General::swroot}/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem" ) { >> + foreach my $key (keys %confighash) { >> + my $test = `/usr/bin/openssl verify -CAfile >> ${General::swroot}/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem >> ${General::swroot}/certs/$confighash{$key}[1]cert.pem`; >> + if ($test =~ /: OK/) { >> + # Delete connection >> + system('/usr/local/bin/ipsecctrl', >> 'D', $key) if (&vpnenabled); >> + unlink >> ("${General::swroot}/certs/$confighash{$key}[1]cert.pem"); >> + unlink >> ("${General::swroot}/certs/$confighash{$key}[1].p12"); >> + delete $confighash{$key}; >> + &General::writehasharray("${General: >> :swroot}/vpn/config", \%confighash); >> + &writeipsecfiles(); >> + } >> + } >> + unlink >> ("${General::swroot}/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem"); >> + delete $cahash{$cgiparams{'KEY'}}; >> + &General::writehasharray("${General::swroot}/vpn/cac >> onfig", \%cahash); >> + system('/usr/local/bin/ipsecctrl', 'R'); >> + sleep $sleepDelay; >> + } else { >> + $errormessage = $Lang::tr{'invalid key'}; >> } >> - unlink >> ("${General::swroot}/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem"); >> - delete $cahash{$cgiparams{'KEY'}}; >> - &General::writehasharray("${General::swroot}/vpn/caconfig", >> \%cahash); >> - system('/usr/local/bin/ipsecctrl', 'R'); >> - sleep $sleepDelay; >> - } else { >> - $errormessage = $Lang::tr{'invalid key'}; >> - } >> ### >> ### Remove ca certificate (step 1) >> ### >> } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'remove ca certificate'}) >> { >> - &General::readhasharray("${General::swroot}/vpn/config", >> \%confighash); >> - &General::readhasharray("${General::swroot}/vpn/caconfig", >> \%cahash); >> - >> - my $assignedcerts = 0; >> - if ( -f >> "${General::swroot}/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem" ) { >> - foreach my $key (keys %confighash) { >> - my $test = `/usr/bin/openssl verify -CAfile >> ${General::swroot}/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem >> ${General::swroot}/certs/$confighash{$key}[1]cert.pem`; >> - if ($test =~ /: OK/) { >> - $assignedcerts++; >> - } >> - } >> - if ($assignedcerts) { >> - &Header::showhttpheaders(); >> - &Header::openpage($Lang::tr{'ipsec'}, 1, ''); >> - &Header::openbigbox('100%', 'left', '', ''); >> - &Header::openbox('100%', 'left', $Lang::tr{'are you >> sure'}); >> - print <<END >> - <form method='post' action='$ENV{'SCRIPT_NAME'}'> >> - <table width='100%'> >> - <tr> >> - <td align='center'> >> - <input type='hidden' name='KEY' >> value='$cgiparams{'KEY'}' /> >> - <input type='hidden' name='AREUSURE' value='yes' >> /></td> >> - </tr><tr> >> - <td align='center'> >> - <b><font >> color='${Header::colourred}'>$Lang::tr{'capswarning'}</font></b> >> - $Lang::tr{'connections are associated with this >> ca. deleting the ca will delete these connections as well.'}</td> >> - </tr><tr> >> - <td align='center'> >> - <input type='submit' name='ACTION' >> value='$Lang::tr{'remove ca certificate'}' /> >> - <input type='submit' name='ACTION' >> value='$Lang::tr{'cancel'}' /></td> >> - </tr> >> - </table> >> - </form> >> + &General::readhasharray("${General::swroot}/vpn/config", >> \%confighash); >> + &General::readhasharray("${General::swroot}/vpn/caconfig", >> \%cahash); >> + >> + my $assignedcerts = 0; >> + if ( -f >> "${General::swroot}/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem" ) { >> + foreach my $key (keys %confighash) { >> + my $test = `/usr/bin/openssl verify -CAfile >> ${General::swroot}/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem >> ${General::swroot}/certs/$confighash{$key}[1]cert.pem`; >> + if ($test =~ /: OK/) { >> + $assignedcerts++; >> + } >> + } >> + if ($assignedcerts) { >> + &Header::showhttpheaders(); >> + &Header::openpage($Lang::tr{'ipsec'}, 1, >> ''); >> + &Header::openbigbox('100%', 'left', '', ''); >> + &Header::openbox('100%', 'left', >> $Lang::tr{'are you sure'}); >> + print <<END >> + <form method='post' >> action='$ENV{'SCRIPT_NAME'}'> >> + <table width='100%'> >> + <tr> >> + <td align='center'> >> + <input >> type='hidden' name='KEY' value='$cgiparams{'KEY'}' /> >> + <input type='hidden' name='AREUSURE' >> value='yes' /></td> >> + </tr><tr> >> + <td align='center'> >> + <b><font >> color='${Header::colourred}'>$Lang::tr{'capswarning'}</font></b>  >> ;$Lang::tr{'connections are associated with this ca. deleting the ca >> will delete these connections as well.'}</td> >> + </tr><tr> >> + <td align='center'> >> + <input >> type='submit' name='ACTION' value='$Lang::tr{'remove ca >> certificate'}' /> >> + <input type='submit' name='ACTION' >> value='$Lang::tr{'cancel'}' /></td> >> + </tr> >> + </table> >> + </form> >> END >> - ; >> - &Header::closebox(); >> - &Header::closebigbox(); >> - &Header::closepage(); >> - exit (0); >> +; >> + &Header::closebox(); >> + &Header::closebigbox(); >> + &Header::closepage(); >> + exit (0); >> + } else { >> + unlink >> ("${General::swroot}/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem"); >> + delete $cahash{$cgiparams{'KEY'}}; >> + &General::writehasharray("${General::swroot} >> /vpn/caconfig", \%cahash); >> + system('/usr/local/bin/ipsecctrl', 'R'); >> + sleep $sleepDelay; >> + } >> } else { >> - unlink >> ("${General::swroot}/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem"); >> - delete $cahash{$cgiparams{'KEY'}}; >> - >> &General::writehasharray("${General::swroot}/vpn/caconfig", >> \%cahash); >> - system('/usr/local/bin/ipsecctrl', 'R'); >> - sleep $sleepDelay; >> + $errormessage = $Lang::tr{'invalid key'}; >> } >> - } else { >> - $errormessage = $Lang::tr{'invalid key'}; >> - } >> >> ### >> ### Display root certificate >> ### >> } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'show root certificate'} >> || >> $cgiparams{'ACTION'} eq $Lang::tr{'show host certificate'}) >> { >> - my $output; >> - &Header::showhttpheaders(); >> - &Header::openpage($Lang::tr{'ipsec'}, 1, ''); >> - &Header::openbigbox('100%', 'left', '', ''); >> - if ($cgiparams{'ACTION'} eq $Lang::tr{'show root certificate'}) >> { >> - &Header::openbox('100%', 'left', "$Lang::tr{'root >> certificate'}:"); >> - $output = `/usr/bin/openssl x509 -text -in >> ${General::swroot}/ca/cacert.pem`; >> - } else { >> - &Header::openbox('100%', 'left', "$Lang::tr{'host >> certificate'}:"); >> - $output = `/usr/bin/openssl x509 -text -in >> ${General::swroot}/certs/hostcert.pem`; >> - } >> - $output = &Header::cleanhtml($output,"y"); >> - print "<pre>$output</pre>\n"; >> - &Header::closebox(); >> - print "<div align='center'><a href='/cgi >> -bin/vpnmain.cgi'>$Lang::tr{'back'}</a></div>"; >> - &Header::closebigbox(); >> - &Header::closepage(); >> - exit(0); >> + my $output; >> + &Header::showhttpheaders(); >> + &Header::openpage($Lang::tr{'ipsec'}, 1, ''); >> + &Header::openbigbox('100%', 'left', '', ''); >> + if ($cgiparams{'ACTION'} eq $Lang::tr{'show root >> certificate'}) { >> + &Header::openbox('100%', 'left', "$Lang::tr{'root >> certificate'}:"); >> + $output = `/usr/bin/openssl x509 -text -in >> ${General::swroot}/ca/cacert.pem`; >> + } else { >> + &Header::openbox('100%', 'left', "$Lang::tr{'host >> certificate'}:"); >> + $output = `/usr/bin/openssl x509 -text -in >> ${General::swroot}/certs/hostcert.pem`; >> + } >> + $output = &Header::cleanhtml($output,"y"); >> + print "<pre>$output</pre>\n"; >> + &Header::closebox(); >> + print "<div align='center'><a href='/cgi >> -bin/vpnmain.cgi'>$Lang::tr{'back'}</a></div>"; >> + &Header::closebigbox(); >> + &Header::closepage(); >> + exit(0); >> >> ### >> ### Export root certificate to browser >> ### >> } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'download root >> certificate'}) { >> - if ( -f "${General::swroot}/ca/cacert.pem" ) { >> - print "Content-Type: application/force-download\n"; >> - print "Content-Disposition: attachment; >> filename=cacert.pem\r\n\r\n"; >> - print `/usr/bin/openssl x509 -in >> ${General::swroot}/ca/cacert.pem`; >> - exit(0); >> - } >> + if ( -f "${General::swroot}/ca/cacert.pem" ) { >> + print "Content-Type: application/force-download\n"; >> + print "Content-Disposition: attachment; >> filename=cacert.pem\r\n\r\n"; >> + print `/usr/bin/openssl x509 -in >> ${General::swroot}/ca/cacert.pem`; >> + exit(0); >> + } >> ### >> ### Export host certificate to browser >> ### >> } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'download host >> certificate'}) { >> - if ( -f "${General::swroot}/certs/hostcert.pem" ) { >> - print "Content-Type: application/force-download\n"; >> - print "Content-Disposition: attachment; >> filename=hostcert.pem\r\n\r\n"; >> - print `/usr/bin/openssl x509 -in >> ${General::swroot}/certs/hostcert.pem`; >> - exit(0); >> - } >> + if ( -f "${General::swroot}/certs/hostcert.pem" ) { >> + print "Content-Type: application/force-download\n"; >> + print "Content-Disposition: attachment; >> filename=hostcert.pem\r\n\r\n"; >> + print `/usr/bin/openssl x509 -in >> ${General::swroot}/certs/hostcert.pem`; >> + exit(0); >> + } >> ### >> ### Form for generating/importing the caroot+host certificate >> ### >> } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'generate root/host >> certificates'} || >> - $cgiparams{'ACTION'} eq $Lang::tr{'upload p12 file'}) { >> - >> - if (-f "${General::swroot}/ca/cacert.pem") { >> - $errormessage = $Lang::tr{'valid root certificate already >> exists'}; >> - goto ROOTCERT_SKIP; >> - } >> - >> - &General::readhash("${General::swroot}/vpn/settings", >> \%vpnsettings); >> - # fill in initial values >> - if ($cgiparams{'ROOTCERT_HOSTNAME'} eq '') { >> - if (-e "${General::swroot}/red/active" && open(IPADDR, >> "${General::swroot}/red/local-ipaddress")) { >> - my $ipaddr = <IPADDR>; >> - close IPADDR; >> - chomp ($ipaddr); >> - $cgiparams{'ROOTCERT_HOSTNAME'} = >> (gethostbyaddr(pack("C4", split(/\./, $ipaddr)), 2))[0]; >> - if ($cgiparams{'ROOTCERT_HOSTNAME'} eq '') { >> - $cgiparams{'ROOTCERT_HOSTNAME'} = $ipaddr; >> - } >> - } >> - $cgiparams{'ROOTCERT_COUNTRY'} = >> $vpnsettings{'ROOTCERT_COUNTRY'} if >> (!$cgiparams{'ROOTCERT_COUNTRY'}); >> - } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'upload p12 file'}) { >> - &General::log("ipsec", "Importing from p12..."); >> + $cgiparams{'ACTION'} eq $Lang::tr{'upload p12 file'}) { >> + >> + if (-f "${General::swroot}/ca/cacert.pem") { >> + $errormessage = $Lang::tr{'valid root certificate >> already exists'}; >> + goto ROOTCERT_SKIP; >> + } >> + >> + &General::readhash("${General::swroot}/vpn/settings", >> \%vpnsettings); >> + # fill in initial values >> + if ($cgiparams{'ROOTCERT_HOSTNAME'} eq '') { >> + if (-e "${General::swroot}/red/active" && >> open(IPADDR, "${General::swroot}/red/local-ipaddress")) { >> + my $ipaddr = <IPADDR>; >> + close IPADDR; >> + chomp ($ipaddr); >> + $cgiparams{'ROOTCERT_HOSTNAME'} = >> (gethostbyaddr(pack("C4", split(/\./, $ipaddr)), 2))[0]; >> + if ($cgiparams{'ROOTCERT_HOSTNAME'} eq '') { >> + $cgiparams{'ROOTCERT_HOSTNAME'} = >> $ipaddr; >> + } >> + } >> + $cgiparams{'ROOTCERT_COUNTRY'} = >> $vpnsettings{'ROOTCERT_COUNTRY'} if >> (!$cgiparams{'ROOTCERT_COUNTRY'}); >> + } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'upload p12 >> file'}) { >> + &General::log("ipsec", "Importing from p12..."); >> >> - if (ref ($cgiparams{'FH'}) ne 'Fh') { >> - $errormessage = $Lang::tr{'there was no file upload'}; >> - goto ROOTCERT_ERROR; >> - } >> + if (ref ($cgiparams{'FH'}) ne 'Fh') { >> + $errormessage = $Lang::tr{'there was no file >> upload'}; >> + goto ROOTCERT_ERROR; >> + } >> >> - # Move uploaded certificate request to a temporary file >> - (my $fh, my $filename) = tempfile( ); >> - if (copy ($cgiparams{'FH'}, $fh) != 1) { >> - $errormessage = $!; >> - goto ROOTCERT_ERROR; >> - } >> + # Move uploaded certificate request to a temporary >> file >> + (my $fh, my $filename) = tempfile( ); >> + if (copy ($cgiparams{'FH'}, $fh) != 1) { >> + $errormessage = $!; >> + goto ROOTCERT_ERROR; >> + } >> >> - # Extract the CA certificate from the file >> - &General::log("ipsec", "Extracting caroot from p12..."); >> - if (open(STDIN, "-|")) { >> - my $opt = " pkcs12 -cacerts -nokeys"; >> - $opt .= " -in $filename"; >> - $opt .= " -out /tmp/newcacert"; >> - $errormessage = &callssl ($opt); >> - } else { #child >> - print "$cgiparams{'P12_PASS'}\n"; >> - exit (0); >> - } >> - >> - # Extract the Host certificate from the file >> - if (!$errormessage) { >> - &General::log("ipsec", "Extracting host cert from >> p12..."); >> - if (open(STDIN, "-|")) { >> - my $opt = " pkcs12 -clcerts -nokeys"; >> - $opt .= " -in $filename"; >> - $opt .= " -out /tmp/newhostcert"; >> - $errormessage = &callssl ($opt); >> - } else { #child >> - print "$cgiparams{'P12_PASS'}\n"; >> - exit (0); >> - } >> - } >> - >> - # Extract the Host key from the file >> - if (!$errormessage) { >> - &General::log("ipsec", "Extracting private key from >> p12..."); >> - if (open(STDIN, "-|")) { >> - my $opt = " pkcs12 -nocerts -nodes"; >> - $opt .= " -in $filename"; >> - $opt .= " -out /tmp/newhostkey"; >> - $errormessage = &callssl ($opt); >> - } else { #child >> - print "$cgiparams{'P12_PASS'}\n"; >> - exit (0); >> - } >> - } >> - >> - if (!$errormessage) { >> - &General::log("ipsec", "Moving cacert..."); >> - move("/tmp/newcacert", >> "${General::swroot}/ca/cacert.pem"); >> - $errormessage = "$Lang::tr{'certificate file move >> failed'}: $!" if ($? ne 0); >> - } >> - >> - if (!$errormessage) { >> - &General::log("ipsec", "Moving host cert..."); >> - move("/tmp/newhostcert", >> "${General::swroot}/certs/hostcert.pem"); >> - $errormessage = "$Lang::tr{'certificate file move >> failed'}: $!" if ($? ne 0); >> - } >> - >> - if (!$errormessage) { >> - &General::log("ipsec", "Moving private key..."); >> - move("/tmp/newhostkey", >> "${General::swroot}/certs/hostkey.pem"); >> - $errormessage = "$Lang::tr{'certificate file move >> failed'}: $!" if ($? ne 0); >> - } >> - >> - #cleanup temp files >> - unlink ($filename); >> - unlink ('/tmp/newcacert'); >> - unlink ('/tmp/newhostcert'); >> - unlink ('/tmp/newhostkey'); >> - if ($errormessage) { >> - unlink ("${General::swroot}/ca/cacert.pem"); >> - unlink ("${General::swroot}/certs/hostcert.pem"); >> - unlink ("${General::swroot}/certs/hostkey.pem"); >> - goto ROOTCERT_ERROR; >> - } >> + # Extract the CA certificate from the file >> + &General::log("ipsec", "Extracting caroot from >> p12..."); >> + if (open(STDIN, "-|")) { >> + my $opt = " pkcs12 -cacerts -nokeys"; >> + $opt .= " -in $filename"; >> + $opt .= " -out /tmp/newcacert"; >> + $errormessage = &callssl ($opt); >> + } else { #child >> + print "$cgiparams{'P12_PASS'}\n"; >> + exit (0); >> + } >> >> - # Create empty CRL cannot be done because we don't have >> - # the private key for this CAROOT >> - # IPFire can only import certificates >> + # Extract the Host certificate from the file >> + if (!$errormessage) { >> + &General::log("ipsec", "Extracting host cert >> from p12..."); >> + if (open(STDIN, "-|")) { >> + my $opt = " pkcs12 -clcerts >> -nokeys"; >> + $opt .= " -in $filename"; >> + $opt .= " -out /tmp/newhostcert"; >> + $errormessage = &callssl ($opt); >> + } else { #child >> + print "$cgiparams{'P12_PASS'}\n"; >> + exit (0); >> + } >> + } >> >> - &General::log("ipsec", "p12 import completed!"); >> - &cleanssldatabase(); >> - goto ROOTCERT_SUCCESS; >> - >> - } elsif ($cgiparams{'ROOTCERT_COUNTRY'} ne '') { >> - >> - # Validate input since the form was submitted >> - if ($cgiparams{'ROOTCERT_ORGANIZATION'} eq ''){ >> - $errormessage = $Lang::tr{'organization cant be empty'}; >> - goto ROOTCERT_ERROR; >> - } >> - if (length($cgiparams{'ROOTCERT_ORGANIZATION'}) >60) { >> - $errormessage = $Lang::tr{'organization too long'}; >> - goto ROOTCERT_ERROR; >> - } >> - if ($cgiparams{'ROOTCERT_ORGANIZATION'} !~ /^[a-zA-Z0-9 ,\.\ >> -_]*$/) { >> - $errormessage = $Lang::tr{'invalid input for >> organization'}; >> - goto ROOTCERT_ERROR; >> - } >> - if ($cgiparams{'ROOTCERT_HOSTNAME'} eq ''){ >> - $errormessage = $Lang::tr{'hostname cant be empty'}; >> - goto ROOTCERT_ERROR; >> - } >> - unless (&General::validfqdn($cgiparams{'ROOTCERT_HOSTNAME'}) >> || &General::validip($cgiparams{'ROOTCERT_HOSTNAME'})) { >> - $errormessage = $Lang::tr{'invalid input for hostname'}; >> - goto ROOTCERT_ERROR; >> - } >> - if ($cgiparams{'ROOTCERT_EMAIL'} ne '' && (! >> &General::validemail($cgiparams{'ROOTCERT_EMAIL'}))) { >> - $errormessage = $Lang::tr{'invalid input for e-mail >> address'}; >> - goto ROOTCERT_ERROR; >> - } >> - if (length($cgiparams{'ROOTCERT_EMAIL'}) > 40) { >> - $errormessage = $Lang::tr{'e-mail address too long'}; >> - goto ROOTCERT_ERROR; >> - } >> - if ($cgiparams{'ROOTCERT_OU'} ne '' && >> $cgiparams{'ROOTCERT_OU'} !~ /^[a-zA-Z0-9 ,\.\-_]*$/) { >> - $errormessage = $Lang::tr{'invalid input for >> department'}; >> - goto ROOTCERT_ERROR; >> - } >> - if ($cgiparams{'ROOTCERT_CITY'} ne '' && >> $cgiparams{'ROOTCERT_CITY'} !~ /^[a-zA-Z0-9 ,\.\-_]*$/) { >> - $errormessage = $Lang::tr{'invalid input for city'}; >> - goto ROOTCERT_ERROR; >> - } >> - if ($cgiparams{'ROOTCERT_STATE'} ne '' && >> $cgiparams{'ROOTCERT_STATE'} !~ /^[a-zA-Z0-9 ,\.\-_]*$/) { >> - $errormessage = $Lang::tr{'invalid input for state or >> province'}; >> - goto ROOTCERT_ERROR; >> - } >> - if ($cgiparams{'ROOTCERT_COUNTRY'} !~ /^[A-Z]*$/) { >> - $errormessage = $Lang::tr{'invalid input for country'}; >> - goto ROOTCERT_ERROR; >> - } >> - #the exact syntax is a list comma separated of >> - # email:any-validemail >> - # URI: a uniform resource indicator >> - # DNS: a DNS domain name >> - # RID: a registered OBJECT IDENTIFIER >> - # IP: an IP address >> - # example: email:franck(a)foo.com,IP:10.0.0.10,DNS:franck.foo. >> com >> - >> - if ($cgiparams{'SUBJECTALTNAME'} ne '' && >> $cgiparams{'SUBJECTALTNAME'} !~ /^(email|URI|DNS|RID|IP):[a-zA-Z0-9 >> :\/,\.\-_@]*$/) { >> - $errormessage = $Lang::tr{'vpn altname syntax'}; >> - goto VPNCONF_ERROR; >> - } >> - >> - # Copy the cgisettings to vpnsettings and save the >> configfile >> - $vpnsettings{'ROOTCERT_ORGANIZATION'} = >> $cgiparams{'ROOTCERT_ORGANIZATION'}; >> - $vpnsettings{'ROOTCERT_HOSTNAME'} = >> $cgiparams{'ROOTCERT_HOSTNAME'}; >> - $vpnsettings{'ROOTCERT_EMAIL'} = >> $cgiparams{'ROOTCERT_EMAIL'}; >> - $vpnsettings{'ROOTCERT_OU'} = >> $cgiparams{'ROOTCERT_OU'}; >> - $vpnsettings{'ROOTCERT_CITY'} = >> $cgiparams{'ROOTCERT_CITY'}; >> - $vpnsettings{'ROOTCERT_STATE'} = >> $cgiparams{'ROOTCERT_STATE'}; >> - $vpnsettings{'ROOTCERT_COUNTRY'} = >> $cgiparams{'ROOTCERT_COUNTRY'}; >> - &General::writehash("${General::swroot}/vpn/settings", >> \%vpnsettings); >> + # Extract the Host key from the file >> + if (!$errormessage) { >> + &General::log("ipsec", "Extracting private >> key from p12..."); >> + if (open(STDIN, "-|")) { >> + my $opt = " pkcs12 -nocerts -nodes"; >> + $opt .= " -in $filename"; >> + $opt .= " -out /tmp/newhostkey"; >> + $errormessage = &callssl ($opt); >> + } else { #child >> + print "$cgiparams{'P12_PASS'}\n"; >> + exit (0); >> + } >> + } >> >> - # Replace empty strings with a . >> - (my $ou = $cgiparams{'ROOTCERT_OU'}) =~ s/^\s*$/\./; >> - (my $city = $cgiparams{'ROOTCERT_CITY'}) =~ s/^\s*$/\./; >> - (my $state = $cgiparams{'ROOTCERT_STATE'}) =~ s/^\s*$/\./; >> - >> - # Create the CA certificate >> - if (!$errormessage) { >> - &General::log("ipsec", "Creating cacert..."); >> - if (open(STDIN, "-|")) { >> - my $opt = " req -x509 -sha256 -nodes"; >> - $opt .= " -days 999999"; >> - $opt .= " -newkey rsa:4096"; >> - $opt .= " -keyout >> ${General::swroot}/private/cakey.pem"; >> - $opt .= " -out ${General::swroot}/ca/cacert.pem"; >> - >> - $errormessage = &callssl ($opt); >> - } else { #child >> - print "$cgiparams{'ROOTCERT_COUNTRY'}\n"; >> - print "$state\n"; >> - print "$city\n"; >> - print "$cgiparams{'ROOTCERT_ORGANIZATION'}\n"; >> - print "$ou\n"; >> - print "$cgiparams{'ROOTCERT_ORGANIZATION'} CA\n"; >> - print "$cgiparams{'ROOTCERT_EMAIL'}\n"; >> - exit (0); >> - } >> - } >> - >> - # Create the Host certificate request >> - if (!$errormessage) { >> - &General::log("ipsec", "Creating host cert..."); >> - if (open(STDIN, "-|")) { >> - my $opt = " req -sha256 -nodes"; >> - $opt .= " -newkey rsa:2048"; >> - $opt .= " -keyout >> ${General::swroot}/certs/hostkey.pem"; >> - $opt .= " -out >> ${General::swroot}/certs/hostreq.pem"; >> - $errormessage = &callssl ($opt); >> - } else { #child >> - print "$cgiparams{'ROOTCERT_COUNTRY'}\n"; >> - print "$state\n"; >> - print "$city\n"; >> - print "$cgiparams{'ROOTCERT_ORGANIZATION'}\n"; >> - print "$ou\n"; >> - print "$cgiparams{'ROOTCERT_HOSTNAME'}\n"; >> - print "$cgiparams{'ROOTCERT_EMAIL'}\n"; >> - print ".\n"; >> - print ".\n"; >> - exit (0); >> - } >> - } >> + if (!$errormessage) { >> + &General::log("ipsec", "Moving cacert..."); >> + move("/tmp/newcacert", >> "${General::swroot}/ca/cacert.pem"); >> + $errormessage = "$Lang::tr{'certificate file >> move failed'}: $!" if ($? ne 0); >> + } >> >> - # Sign the host certificate request >> - if (!$errormessage) { >> - &General::log("ipsec", "Self signing host cert..."); >> + if (!$errormessage) { >> + &General::log("ipsec", "Moving host >> cert..."); >> + move("/tmp/newhostcert", >> "${General::swroot}/certs/hostcert.pem"); >> + $errormessage = "$Lang::tr{'certificate file >> move failed'}: $!" if ($? ne 0); >> + } >> >> - #No easy way for specifying the contain of >> subjectAltName without writing a config file... >> - my ($fh, $v3extname) = tempfile ('/tmp/XXXXXXXX'); >> - print $fh <<END >> - basicConstraints=CA:FALSE >> - nsComment="OpenSSL Generated Certificate" >> - subjectKeyIdentifier=hash >> - authorityKeyIdentifier=keyid,issuer:always >> - extendedKeyUsage = serverAuth >> + if (!$errormessage) { >> + &General::log("ipsec", "Moving private >> key..."); >> + move("/tmp/newhostkey", >> "${General::swroot}/certs/hostkey.pem"); >> + $errormessage = "$Lang::tr{'certificate file >> move failed'}: $!" if ($? ne 0); >> + } >> + >> + #cleanup temp files >> + unlink ($filename); >> + unlink ('/tmp/newcacert'); >> + unlink ('/tmp/newhostcert'); >> + unlink ('/tmp/newhostkey'); >> + if ($errormessage) { >> + unlink ("${General::swroot}/ca/cacert.pem"); >> + unlink >> ("${General::swroot}/certs/hostcert.pem"); >> + unlink >> ("${General::swroot}/certs/hostkey.pem"); >> + goto ROOTCERT_ERROR; >> + } >> + >> + # Create empty CRL cannot be done because we don't >> have >> + # the private key for this CAROOT >> + # IPFire can only import certificates >> + >> + &General::log("ipsec", "p12 import completed!"); >> + &cleanssldatabase(); >> + goto ROOTCERT_SUCCESS; >> + >> + } elsif ($cgiparams{'ROOTCERT_COUNTRY'} ne '') { >> + >> + # Validate input since the form was submitted >> + if ($cgiparams{'ROOTCERT_ORGANIZATION'} eq ''){ >> + $errormessage = $Lang::tr{'organization cant >> be empty'}; >> + goto ROOTCERT_ERROR; >> + } >> + if (length($cgiparams{'ROOTCERT_ORGANIZATION'}) >60) >> { >> + $errormessage = $Lang::tr{'organization too >> long'}; >> + goto ROOTCERT_ERROR; >> + } >> + if ($cgiparams{'ROOTCERT_ORGANIZATION'} !~ /^[a-zA >> -Z0-9 ,\.\-_]*$/) { >> + $errormessage = $Lang::tr{'invalid input for >> organization'}; >> + goto ROOTCERT_ERROR; >> + } >> + if ($cgiparams{'ROOTCERT_HOSTNAME'} eq ''){ >> + $errormessage = $Lang::tr{'hostname cant be >> empty'}; >> + goto ROOTCERT_ERROR; >> + } >> + unless >> (&General::validfqdn($cgiparams{'ROOTCERT_HOSTNAME'}) || >> &General::validip($cgiparams{'ROOTCERT_HOSTNAME'})) { >> + $errormessage = $Lang::tr{'invalid input for >> hostname'}; >> + goto ROOTCERT_ERROR; >> + } >> + if ($cgiparams{'ROOTCERT_EMAIL'} ne '' && (! >> &General::validemail($cgiparams{'ROOTCERT_EMAIL'}))) { >> + $errormessage = $Lang::tr{'invalid input for >> e-mail address'}; >> + goto ROOTCERT_ERROR; >> + } >> + if (length($cgiparams{'ROOTCERT_EMAIL'}) > 40) { >> + $errormessage = $Lang::tr{'e-mail address >> too long'}; >> + goto ROOTCERT_ERROR; >> + } >> + if ($cgiparams{'ROOTCERT_OU'} ne '' && >> $cgiparams{'ROOTCERT_OU'} !~ /^[a-zA-Z0-9 ,\.\-_]*$/) { >> + $errormessage = $Lang::tr{'invalid input for >> department'}; >> + goto ROOTCERT_ERROR; >> + } >> + if ($cgiparams{'ROOTCERT_CITY'} ne '' && >> $cgiparams{'ROOTCERT_CITY'} !~ /^[a-zA-Z0-9 ,\.\-_]*$/) { >> + $errormessage = $Lang::tr{'invalid input for >> city'}; >> + goto ROOTCERT_ERROR; >> + } >> + if ($cgiparams{'ROOTCERT_STATE'} ne '' && >> $cgiparams{'ROOTCERT_STATE'} !~ /^[a-zA-Z0-9 ,\.\-_]*$/) { >> + $errormessage = $Lang::tr{'invalid input for >> state or province'}; >> + goto ROOTCERT_ERROR; >> + } >> + if ($cgiparams{'ROOTCERT_COUNTRY'} !~ /^[A-Z]*$/) { >> + $errormessage = $Lang::tr{'invalid input for >> country'}; >> + goto ROOTCERT_ERROR; >> + } >> + #the exact syntax is a list comma separated of >> + # email:any-validemail >> + # URI: a uniform resource indicator >> + # DNS: a DNS domain name >> + # RID: a registered OBJECT IDENTIFIER >> + # IP: an IP address >> + # example: email:franck(a)foo.com,IP:10.0.0.10,DNS:fra >> nck.foo.com >> + >> + if ($cgiparams{'SUBJECTALTNAME'} ne '' && >> $cgiparams{'SUBJECTALTNAME'} !~ /^(email|URI|DNS|RID|IP):[a-zA-Z0-9 >> :\/,\.\-_@]*$/) { >> + $errormessage = $Lang::tr{'vpn altname >> syntax'}; >> + goto VPNCONF_ERROR; >> + } >> + >> + # Copy the cgisettings to vpnsettings and save the >> configfile >> + $vpnsettings{'ROOTCERT_ORGANIZATION'} = >> $cgiparams{'ROOTCERT_ORGANIZATION'}; >> + $vpnsettings{'ROOTCERT_HOSTNAME'} = >> $cgiparams{'ROOTCERT_HOSTNAME'}; >> + $vpnsettings{'ROOTCERT_EMAIL'} >> = $cgiparams{'ROOTCERT_EMAIL'}; >> + $vpnsettings{'ROOTCERT_OU'} >> = $cgiparams{'ROOTCERT_OU'}; >> + $vpnsettings{'ROOTCERT_CITY'} >> = $cgiparams{'ROOTCERT_CITY'}; >> + $vpnsettings{'ROOTCERT_STATE'} >> = $cgiparams{'ROOTCERT_STATE'}; >> + $vpnsettings{'ROOTCERT_COUNTRY'} = >> $cgiparams{'ROOTCERT_COUNTRY'}; >> + &General::writehash("${General::swroot}/vpn/settings >> ", \%vpnsettings); >> + >> + # Replace empty strings with a . >> + (my $ou = $cgiparams{'ROOTCERT_OU'}) =~ s/^\s*$/\./; >> + (my $city = $cgiparams{'ROOTCERT_CITY'}) =~ >> s/^\s*$/\./; >> + (my $state = $cgiparams{'ROOTCERT_STATE'}) =~ >> s/^\s*$/\./; >> + >> + # Create the CA certificate >> + if (!$errormessage) { >> + &General::log("ipsec", "Creating >> cacert..."); >> + if (open(STDIN, "-|")) { >> + my $opt = " req -x509 -sha256 >> -nodes"; >> + $opt .= " -days 999999"; >> + $opt .= " -newkey rsa:4096"; >> + $opt .= " -keyout >> ${General::swroot}/private/cakey.pem"; >> + $opt .= " -out >> ${General::swroot}/ca/cacert.pem"; >> + >> + $errormessage = &callssl ($opt); >> + } else { #child >> + print >> "$cgiparams{'ROOTCERT_COUNTRY'}\n"; >> + print "$state\n"; >> + print "$city\n"; >> + print >> "$cgiparams{'ROOTCERT_ORGANIZATION'}\n"; >> + print "$ou\n"; >> + print >> "$cgiparams{'ROOTCERT_ORGANIZATION'} CA\n"; >> + print >> "$cgiparams{'ROOTCERT_EMAIL'}\n"; >> + exit (0); >> + } >> + } >> + >> + # Create the Host certificate request >> + if (!$errormessage) { >> + &General::log("ipsec", "Creating host >> cert..."); >> + if (open(STDIN, "-|")) { >> + my $opt = " req -sha256 -nodes"; >> + $opt .= " -newkey rsa:2048"; >> + $opt .= " -keyout >> ${General::swroot}/certs/hostkey.pem"; >> + $opt .= " -out >> ${General::swroot}/certs/hostreq.pem"; >> + $errormessage = &callssl ($opt); >> + } else { #child >> + print >> "$cgiparams{'ROOTCERT_COUNTRY'}\n"; >> + print "$state\n"; >> + print "$city\n"; >> + print >> "$cgiparams{'ROOTCERT_ORGANIZATION'}\n"; >> + print "$ou\n"; >> + print >> "$cgiparams{'ROOTCERT_HOSTNAME'}\n"; >> + print >> "$cgiparams{'ROOTCERT_EMAIL'}\n"; >> + print ".\n"; >> + print ".\n"; >> + exit (0); >> + } >> + } >> + >> + # Sign the host certificate request >> + if (!$errormessage) { >> + &General::log("ipsec", "Self signing host >> cert..."); >> + >> + #No easy way for specifying the contain of >> subjectAltName without writing a config file... >> + my ($fh, $v3extname) = tempfile >> ('/tmp/XXXXXXXX'); >> + print $fh <<END >> + basicConstraints=CA:FALSE >> + nsComment="OpenSSL Generated Certificate" >> + subjectKeyIdentifier=hash >> + authorityKeyIdentifier=keyid,issuer:always >> + extendedKeyUsage = serverAuth >> END >> ; >> - print $fh "subjectAltName=$cgiparams{'SUBJECTALTNAME'}" >> if ($cgiparams{'SUBJECTALTNAME'}); >> - close ($fh); >> - >> - my $opt = " ca -md sha256 -days 999999"; >> - $opt .= " -batch -notext"; >> - $opt .= " -in ${General::swroot}/certs/hostreq.pem"; >> - $opt .= " -out >> ${General::swroot}/certs/hostcert.pem"; >> - $opt .= " -extfile $v3extname"; >> - $errormessage = &callssl ($opt); >> - unlink ("${General::swroot}/certs/hostreq.pem"); #no >> more needed >> - unlink ($v3extname); >> - } >> - >> - # Create an empty CRL >> - if (!$errormessage) { >> - &General::log("ipsec", "Creating emptycrl..."); >> - my $opt = " ca -gencrl"; >> - $opt .= " -out ${General::swroot}/crls/cacrl.pem"; >> - $errormessage = &callssl ($opt); >> - } >> - >> - # Successfully build CA / CERT! >> - if (!$errormessage) { >> - &cleanssldatabase(); >> - goto ROOTCERT_SUCCESS; >> - } >> - >> - #Cleanup >> - unlink ("${General::swroot}/ca/cacert.pem"); >> - unlink ("${General::swroot}/certs/hostkey.pem"); >> - unlink ("${General::swroot}/certs/hostcert.pem"); >> - unlink ("${General::swroot}/crls/cacrl.pem"); >> - &cleanssldatabase(); >> - } >> - >> - ROOTCERT_ERROR: >> - &Header::showhttpheaders(); >> - &Header::openpage($Lang::tr{'ipsec'}, 1, ''); >> - &Header::openbigbox('100%', 'left', '', $errormessage); >> - if ($errormessage) { >> - &Header::openbox('100%', 'left', $Lang::tr{'error >> messages'}); >> - print "<class name='base'>$errormessage"; >> - print " </class>"; >> - &Header::closebox(); >> - } >> - &Header::openbox('100%', 'left', "$Lang::tr{'generate root/host >> certificates'}:"); >> - print <<END >> - <form method='post' enctype='multipart/form-data' >> action='$ENV{'SCRIPT_NAME'}'> >> - <table width='100%' border='0' cellspacing='1' cellpadding='0'> >> - <tr><td width='40%' class='base'>$Lang::tr{'organization >> name'}: <img src='/blob.gif' alt='*' /></td> >> - <td width='60%' class='base' nowrap='nowrap'><input >> type='text' name='ROOTCERT_ORGANIZATION' >> value='$cgiparams{'ROOTCERT_ORGANIZATION'}' size='32' /></td></tr> >> - <tr><td class='base'>$Lang::tr{'ipfires hostname'}: <img >> src='/blob.gif' alt='*' /></td> >> - <td class='base' nowrap='nowrap'><input type='text' >> name='ROOTCERT_HOSTNAME' value='$cgiparams{'ROOTCERT_HOSTNAME'}' >> size='32' /></td></tr> >> - <tr><td class='base'>$Lang::tr{'your e-mail'}:</td> >> - <td class='base' nowrap='nowrap'><input type='text' >> name='ROOTCERT_EMAIL' value='$cgiparams{'ROOTCERT_EMAIL'}' size='32' >> /></td></tr> >> - <tr><td class='base'>$Lang::tr{'your department'}:</td> >> - <td class='base' nowrap='nowrap'><input type='text' >> name='ROOTCERT_OU' value='$cgiparams{'ROOTCERT_OU'}' size='32' >> /></td></tr> >> - <tr><td class='base'>$Lang::tr{'city'}:</td> >> - <td class='base' nowrap='nowrap'><input type='text' >> name='ROOTCERT_CITY' value='$cgiparams{'ROOTCERT_CITY'}' size='32' >> /></td></tr> >> - <tr><td class='base'>$Lang::tr{'state or province'}:</td> >> - <td class='base' nowrap='nowrap'><input type='text' >> name='ROOTCERT_STATE' value='$cgiparams{'ROOTCERT_STATE'}' size='32' >> /></td></tr> >> - <tr><td class='base'>$Lang::tr{'country'}:</td> >> - <td class='base'><select name='ROOTCERT_COUNTRY'> >> + print $fh >> "subjectAltName=$cgiparams{'SUBJECTALTNAME'}" if >> ($cgiparams{'SUBJECTALTNAME'}); >> + close ($fh); >> + >> + my $opt = " ca -md sha256 -days 999999"; >> + $opt .= " -batch -notext"; >> + $opt .= " -in >> ${General::swroot}/certs/hostreq.pem"; >> + $opt .= " -out >> ${General::swroot}/certs/hostcert.pem"; >> + $opt .= " -extfile $v3extname"; >> + $errormessage = &callssl ($opt); >> + unlink >> ("${General::swroot}/certs/hostreq.pem"); #no more needed >> + unlink ($v3extname); >> + } >> + >> + # Create an empty CRL >> + if (!$errormessage) { >> + &General::log("ipsec", "Creating >> emptycrl..."); >> + my $opt = " ca -gencrl"; >> + $opt .= " -out >> ${General::swroot}/crls/cacrl.pem"; >> + $errormessage = &callssl ($opt); >> + } >> + >> + # Successfully build CA / CERT! >> + if (!$errormessage) { >> + &cleanssldatabase(); >> + goto ROOTCERT_SUCCESS; >> + } >> + >> + #Cleanup >> + unlink ("${General::swroot}/ca/cacert.pem"); >> + unlink ("${General::swroot}/certs/hostkey.pem"); >> + unlink ("${General::swroot}/certs/hostcert.pem"); >> + unlink ("${General::swroot}/crls/cacrl.pem"); >> + &cleanssldatabase(); >> + } >> + >> + ROOTCERT_ERROR: >> + &Header::showhttpheaders(); >> + &Header::openpage($Lang::tr{'ipsec'}, 1, ''); >> + &Header::openbigbox('100%', 'left', '', $errormessage); >> + if ($errormessage) { >> + &Header::openbox('100%', 'left', $Lang::tr{'error >> messages'}); >> + print "<class name='base'>$errormessage"; >> + print " </class>"; >> + &Header::closebox(); >> + } >> + &Header::openbox('100%', 'left', "$Lang::tr{'generate >> root/host certificates'}:"); >> + print <<END >> + <form method='post' enctype='multipart/form-data' >> action='$ENV{'SCRIPT_NAME'}'> >> + <table width='100%' border='0' cellspacing='1' >> cellpadding='0'> >> + <tr><td width='40%' class='base'>$Lang::tr{'organization >> name'}: <img src='/blob.gif' alt='*' /></td> >> + <td width='60%' class='base' nowrap='nowrap'><input >> type='text' name='ROOTCERT_ORGANIZATION' >> value='$cgiparams{'ROOTCERT_ORGANIZATION'}' size='32' /></td></tr> >> + <tr><td class='base'>$Lang::tr{'ipfires >> hostname'}: <img src='/blob.gif' alt='*' /></td> >> + <td class='base' nowrap='nowrap'><input type='text' >> name='ROOTCERT_HOSTNAME' value='$cgiparams{'ROOTCERT_HOSTNAME'}' >> size='32' /></td></tr> >> + <tr><td class='base'>$Lang::tr{'your e-mail'}:</td> >> + <td class='base' nowrap='nowrap'><input type='text' >> name='ROOTCERT_EMAIL' value='$cgiparams{'ROOTCERT_EMAIL'}' size='32' >> /></td></tr> >> + <tr><td class='base'>$Lang::tr{'your department'}:</td> >> + <td class='base' nowrap='nowrap'><input type='text' >> name='ROOTCERT_OU' value='$cgiparams{'ROOTCERT_OU'}' size='32' >> /></td></tr> >> + <tr><td class='base'>$Lang::tr{'city'}:</td> >> + <td class='base' nowrap='nowrap'><input type='text' >> name='ROOTCERT_CITY' value='$cgiparams{'ROOTCERT_CITY'}' size='32' >> /></td></tr> >> + <tr><td class='base'>$Lang::tr{'state or province'}:</td> >> + <td class='base' nowrap='nowrap'><input type='text' >> name='ROOTCERT_STATE' value='$cgiparams{'ROOTCERT_STATE'}' size='32' >> /></td></tr> >> + <tr><td class='base'>$Lang::tr{'country'}:</td> >> + <td class='base'><select name='ROOTCERT_COUNTRY'> >> END >> - ; >> - foreach my $country (sort keys %{Countries::countries}) { >> - print "<option value='$Countries::countries{$country}'"; >> - if ( $Countries::countries{$country} eq >> $cgiparams{'ROOTCERT_COUNTRY'} ) { >> - print " selected='selected'"; >> - } >> - print ">$country</option>"; >> - } >> - print <<END >> - </select></td></tr> >> - <tr><td class='base'>$Lang::tr{'vpn subjectaltname'} >> (subjectAltName=email:*,URI:*,DNS:*,RID:*)</td> >> +; >> + foreach my $country (sort keys %{Countries::countries}) { >> + print "<option >> value='$Countries::countries{$country}'"; >> + if ( $Countries::countries{$country} eq >> $cgiparams{'ROOTCERT_COUNTRY'} ) { >> + print " selected='selected'"; >> + } >> + print ">$country</option>"; >> + } >> + print <<END >> + </select></td></tr> >> + <tr><td class='base'>$Lang::tr{'vpn subjectaltname'} >> (subjectAltName=email:*,URI:*,DNS:*,RID:*)</td> >> <td class='base' nowrap='nowrap'><input type='text' >> name='SUBJECTALTNAME' value='$cgiparams{'SUBJECTALTNAME'}' size='32' >> /></td></tr> >> - <tr><td> </td> >> - <td><br /><input type='submit' name='ACTION' >> value='$Lang::tr{'generate root/host certificates'}' /><br /><br >> /></td></tr> >> - <tr><td class='base' colspan='2' align='left'> >> - <b><font >> color='${Header::colourred}'>$Lang::tr{'capswarning'}</font></b>: >> - $Lang::tr{'generating the root and host certificates may >> take a long time. it can take up to several minutes on older >> hardware. please be patient'} >> - </td></tr> >> - <tr><td colspan='2'><hr></td></tr> >> - <tr><td class='base' nowrap='nowrap'>$Lang::tr{'upload p12 >> file'}:</td> >> - <td nowrap='nowrap'><input type='file' name='FH' size='32' >> /></td></tr> >> - <tr><td class='base'>$Lang::tr{'pkcs12 file password'}:</td> >> - <td class='base' nowrap='nowrap'><input type='password' >> name='P12_PASS' value='$cgiparams{'P12_PASS'}' size='32' /></td></tr> >> - <tr><td> </td> >> - <td><input type='submit' name='ACTION' >> value='$Lang::tr{'upload p12 file'}' /></td></tr> >> - <tr><td class='base' colspan='2' align='left'> >> - <img src='/blob.gif' alt='*' /> $Lang::tr{'required >> field'}</td></tr> >> - </table></form> >> + <tr><td> </td> >> + <td><br /><input type='submit' name='ACTION' >> value='$Lang::tr{'generate root/host certificates'}' /><br /><br >> /></td></tr> >> + <tr><td class='base' colspan='2' align='left'> >> + <b><font >> color='${Header::colourred}'>$Lang::tr{'capswarning'}</font></b>: >> + $Lang::tr{'generating the root and host certificates >> may take a long time. it can take up to several minutes on older >> hardware. please be patient'} >> + </td></tr> >> + <tr><td colspan='2'><hr></td></tr> >> + <tr><td class='base' nowrap='nowrap'>$Lang::tr{'upload p12 >> file'}:</td> >> + <td nowrap='nowrap'><input type='file' name='FH' >> size='32' /></td></tr> >> + <tr><td class='base'>$Lang::tr{'pkcs12 file password'}:</td> >> + <td class='base' nowrap='nowrap'><input >> type='password' name='P12_PASS' value='$cgiparams{'P12_PASS'}' >> size='32' /></td></tr> >> + <tr><td> </td> >> + <td><input type='submit' name='ACTION' >> value='$Lang::tr{'upload p12 file'}' /></td></tr> >> + <tr><td class='base' colspan='2' align='left'> >> + <img src='/blob.gif' alt='*' >> /> $Lang::tr{'required field'}</td></tr> >> + </table></form> >> END >> - ; >> - &Header::closebox(); >> - &Header::closebigbox(); >> - &Header::closepage(); >> - exit(0); >> - >> - ROOTCERT_SUCCESS: >> - if (&vpnenabled) { >> - system('/usr/local/bin/ipsecctrl', 'S'); >> - sleep $sleepDelay; >> - } >> - ROOTCERT_SKIP: >> +; >> + &Header::closebox(); >> + &Header::closebigbox(); >> + &Header::closepage(); >> + exit(0); >> + >> + ROOTCERT_SUCCESS: >> + if (&vpnenabled) { >> + system('/usr/local/bin/ipsecctrl', 'S'); >> + sleep $sleepDelay; >> + } >> + ROOTCERT_SKIP: >> ### >> ### Export PKCS12 file to browser >> ### >> } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'download pkcs12 file'}) >> { >> - &General::readhasharray("${General::swroot}/vpn/config", >> \%confighash); >> - print "Content-Type: application/force-download\n"; >> - print "Content-Disposition: attachment; filename=" . >> $confighash{$cgiparams{'KEY'}}[1] . ".p12\r\n"; >> - print "Content-Type: application/octet-stream\r\n\r\n"; >> - print `/bin/cat >> ${General::swroot}/certs/$confighash{$cgiparams{'KEY'}}[1].p12`; >> - exit (0); >> + &General::readhasharray("${General::swroot}/vpn/config", >> \%confighash); >> + print "Content-Type: application/force-download\n"; >> + print "Content-Disposition: attachment; filename=" . >> $confighash{$cgiparams{'KEY'}}[1] . ".p12\r\n"; >> + print "Content-Type: application/octet-stream\r\n\r\n"; >> + print `/bin/cat >> ${General::swroot}/certs/$confighash{$cgiparams{'KEY'}}[1].p12`; >> + exit (0); >> >> ### >> ### Display certificate >> ### >> } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'show certificate'}) { >> - &General::readhasharray("${General::swroot}/vpn/config", >> \%confighash); >> - >> - if ( -f >> "${General::swroot}/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem") >> { >> - &Header::showhttpheaders(); >> - &Header::openpage($Lang::tr{'ipsec'}, 1, ''); >> - &Header::openbigbox('100%', 'left', '', ''); >> - &Header::openbox('100%', 'left', "$Lang::tr{'cert'}:"); >> - my $output = `/usr/bin/openssl x509 -text -in >> ${General::swroot}/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem`; >> - $output = &Header::cleanhtml($output,"y"); >> - print "<pre>$output</pre>\n"; >> - &Header::closebox(); >> - print "<div align='center'><a href='/cgi >> -bin/vpnmain.cgi'>$Lang::tr{'back'}</a></div>"; >> - &Header::closebigbox(); >> - &Header::closepage(); >> - exit(0); >> - } >> + &General::readhasharray("${General::swroot}/vpn/config", >> \%confighash); >> + >> + if ( -f >> "${General::swroot}/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem") >> { >> + &Header::showhttpheaders(); >> + &Header::openpage($Lang::tr{'ipsec'}, 1, ''); >> + &Header::openbigbox('100%', 'left', '', ''); >> + &Header::openbox('100%', 'left', >> "$Lang::tr{'cert'}:"); >> + my $output = `/usr/bin/openssl x509 -text -in >> ${General::swroot}/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem`; >> + $output = &Header::cleanhtml($output,"y"); >> + print "<pre>$output</pre>\n"; >> + &Header::closebox(); >> + print "<div align='center'><a href='/cgi >> -bin/vpnmain.cgi'>$Lang::tr{'back'}</a></div>"; >> + &Header::closebigbox(); >> + &Header::closepage(); >> + exit(0); >> + } >> >> ### >> ### Export Certificate to browser >> ### >> } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'download certificate'}) >> { >> - &General::readhasharray("${General::swroot}/vpn/config", >> \%confighash); >> + &General::readhasharray("${General::swroot}/vpn/config", >> \%confighash); >> >> - if ( -f >> "${General::swroot}/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem") >> { >> - print "Content-Type: application/force-download\n"; >> - print "Content-Disposition: attachment; filename=" . >> $confighash{$cgiparams{'KEY'}}[1] . "cert.pem\n\n"; >> - print `/bin/cat >> ${General::swroot}/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem`; >> - exit (0); >> - } >> + if ( -f >> "${General::swroot}/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem") >> { >> + print "Content-Type: application/force-download\n"; >> + print "Content-Disposition: attachment; filename=" . >> $confighash{$cgiparams{'KEY'}}[1] . "cert.pem\n\n"; >> + print `/bin/cat >> ${General::swroot}/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem`; >> + exit (0); >> + } >> >> ### >> ### Enable/Disable connection >> ### >> } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'toggle enable disable'}) >> { >> - >> - &General::readhash("${General::swroot}/vpn/settings", >> \%vpnsettings); >> - &General::readhasharray("${General::swroot}/vpn/config", >> \%confighash); >> - >> - if ($confighash{$cgiparams{'KEY'}}) { >> - if ($confighash{$cgiparams{'KEY'}}[0] eq 'off') { >> - $confighash{$cgiparams{'KEY'}}[0] = 'on'; >> - >> &General::writehasharray("${General::swroot}/vpn/config", >> \%confighash); >> - &writeipsecfiles(); >> - system('/usr/local/bin/ipsecctrl', 'S', >> $cgiparams{'KEY'}) if (&vpnenabled); >> + >> + &General::readhash("${General::swroot}/vpn/settings", >> \%vpnsettings); >> + &General::readhasharray("${General::swroot}/vpn/config", >> \%confighash); >> + >> + if ($confighash{$cgiparams{'KEY'}}) { >> + if ($confighash{$cgiparams{'KEY'}}[0] eq 'off') { >> + $confighash{$cgiparams{'KEY'}}[0] = 'on'; >> + &General::writehasharray("${General::swroot} >> /vpn/config", \%confighash); >> + &writeipsecfiles(); >> + system('/usr/local/bin/ipsecctrl', 'S', >> $cgiparams{'KEY'}) if (&vpnenabled); >> + } else { >> + system('/usr/local/bin/ipsecctrl', 'D', >> $cgiparams{'KEY'}) if (&vpnenabled); >> + $confighash{$cgiparams{'KEY'}}[0] = 'off'; >> + &General::writehasharray("${General::swroot} >> /vpn/config", \%confighash); >> + &writeipsecfiles(); >> + } >> + sleep $sleepDelay; >> } else { >> - system('/usr/local/bin/ipsecctrl', 'D', >> $cgiparams{'KEY'}) if (&vpnenabled); >> - $confighash{$cgiparams{'KEY'}}[0] = 'off'; >> - >> &General::writehasharray("${General::swroot}/vpn/config", >> \%confighash); >> - &writeipsecfiles(); >> + $errormessage = $Lang::tr{'invalid key'}; >> } >> - sleep $sleepDelay; >> - } else { >> - $errormessage = $Lang::tr{'invalid key'}; >> - } >> >> ### >> ### Restart connection >> ### >> } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'restart'}) { >> - &General::readhash("${General::swroot}/vpn/settings", >> \%vpnsettings); >> - &General::readhasharray("${General::swroot}/vpn/config", >> \%confighash); >> + &General::readhash("${General::swroot}/vpn/settings", >> \%vpnsettings); >> + &General::readhasharray("${General::swroot}/vpn/config", >> \%confighash); >> >> - if ($confighash{$cgiparams{'KEY'}}) { >> - if (&vpnenabled) { >> - system('/usr/local/bin/ipsecctrl', 'S', >> $cgiparams{'KEY'}); >> - sleep $sleepDelay; >> + if ($confighash{$cgiparams{'KEY'}}) { >> + if (&vpnenabled) { >> + system('/usr/local/bin/ipsecctrl', 'S', >> $cgiparams{'KEY'}); >> + sleep $sleepDelay; >> + } >> + } else { >> + $errormessage = $Lang::tr{'invalid key'}; >> } >> - } else { >> - $errormessage = $Lang::tr{'invalid key'}; >> - } >> >> ### >> ### Remove connection >> ### >> } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'remove'}) { >> - &General::readhash("${General::swroot}/vpn/settings", >> \%vpnsettings); >> - &General::readhasharray("${General::swroot}/vpn/config", >> \%confighash); >> - >> - if ($confighash{$cgiparams{'KEY'}}) { >> - system('/usr/local/bin/ipsecctrl', 'D', $cgiparams{'KEY'}) >> if (&vpnenabled); >> - unlink >> ("${General::swroot}/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem" >> ); >> - unlink >> ("${General::swroot}/certs/$confighash{$cgiparams{'KEY'}}[1].p12"); >> - delete $confighash{$cgiparams{'KEY'}}; >> - &General::writehasharray("${General::swroot}/vpn/config", >> \%confighash); >> - &writeipsecfiles(); >> - } else { >> - $errormessage = $Lang::tr{'invalid key'}; >> - } >> + &General::readhash("${General::swroot}/vpn/settings", >> \%vpnsettings); >> + &General::readhasharray("${General::swroot}/vpn/config", >> \%confighash); >> + >> + if ($confighash{$cgiparams{'KEY'}}) { >> + system('/usr/local/bin/ipsecctrl', 'D', >> $cgiparams{'KEY'}) if (&vpnenabled); >> + unlink >> ("${General::swroot}/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem" >> ); >> + unlink >> ("${General::swroot}/certs/$confighash{$cgiparams{'KEY'}}[1].p12"); >> + delete $confighash{$cgiparams{'KEY'}}; >> + &General::writehasharray("${General::swroot}/vpn/con >> fig", \%confighash); >> + &writeipsecfiles(); >> + } else { >> + $errormessage = $Lang::tr{'invalid key'}; >> + } >> &General::firewall_reload(); >> ### >> ### Choose between adding a host-net or net-net connection >> @@ -1224,20 +1222,20 @@ END >> &Header::openbigbox('100%', 'left', '', ''); >> &Header::openbox('100%', 'left', $Lang::tr{'connection >> type'}); >> print <<END >> - <form method='post' action='$ENV{'SCRIPT_NAME'}'> >> - <b>$Lang::tr{'connection type'}:</b><br /> >> - <table> >> - <tr><td><input type='radio' name='TYPE' value='host' >> checked='checked' /></td> >> + <form method='post' action='$ENV{'SCRIPT_NAME'}'> >> + <b>$Lang::tr{'connection type'}:</b><br /> >> + <table> >> + <tr><td><input type='radio' name='TYPE' value='host' >> checked='checked' /></td> >> <td class='base'>$Lang::tr{'host to net vpn'}</td> >> - </tr><tr> >> + </tr><tr> >> <td><input type='radio' name='TYPE' value='net' >> /></td> >> <td class='base'>$Lang::tr{'net to net vpn'}</td> >> - </tr><tr> >> + </tr><tr> >> <td align='center' colspan='2'><input type='submit' >> name='ACTION' value='$Lang::tr{'add'}' /></td> >> - </tr> >> - </table></form> >> + </tr> >> + </table></form> >> END >> - ; >> +; >> &Header::closebox(); >> &Header::closebigbox(); >> &Header::closepage(); >> @@ -1246,512 +1244,512 @@ END >> ### Adding/Editing/Saving a connection >> ### >> } elsif (($cgiparams{'ACTION'} eq $Lang::tr{'add'}) || >> - ($cgiparams{'ACTION'} eq $Lang::tr{'edit'}) || >> - ($cgiparams{'ACTION'} eq $Lang::tr{'save'} && >> $cgiparams{'ADVANCED'} eq '')) { >> - >> - &General::readhash("${General::swroot}/vpn/settings", >> \%vpnsettings); >> - &General::readhasharray("${General::swroot}/vpn/caconfig", >> \%cahash); >> - &General::readhasharray("${General::swroot}/vpn/config", >> \%confighash); >> - >> - if ($cgiparams{'ACTION'} eq $Lang::tr{'edit'}) { >> - if (! $confighash{$cgiparams{'KEY'}}[0]) { >> - $errormessage = $Lang::tr{'invalid key'}; >> - goto VPNCONF_END; >> - } >> - $cgiparams{'ENABLED'} = >> $confighash{$cgiparams{'KEY'}}[0]; >> - $cgiparams{'NAME'} = >> $confighash{$cgiparams{'KEY'}}[1]; >> - $cgiparams{'TYPE'} = >> $confighash{$cgiparams{'KEY'}}[3]; >> - $cgiparams{'AUTH'} = >> $confighash{$cgiparams{'KEY'}}[4]; >> - $cgiparams{'PSK'} = >> $confighash{$cgiparams{'KEY'}}[5]; >> - #$cgiparams{'free'} = >> $confighash{$cgiparams{'KEY'}}[6]; >> - $cgiparams{'LOCAL_ID'} = >> $confighash{$cgiparams{'KEY'}}[7]; >> - $cgiparams{'LOCAL_SUBNET'} = >> $confighash{$cgiparams{'KEY'}}[8]; >> - $cgiparams{'REMOTE_ID'} = >> $confighash{$cgiparams{'KEY'}}[9]; >> - $cgiparams{'REMOTE'} = >> $confighash{$cgiparams{'KEY'}}[10]; >> - $cgiparams{'REMOTE_SUBNET'} = >> $confighash{$cgiparams{'KEY'}}[11]; >> - $cgiparams{'REMARK'} = >> $confighash{$cgiparams{'KEY'}}[25]; >> - $cgiparams{'DPD_ACTION'} = >> $confighash{$cgiparams{'KEY'}}[27]; >> - $cgiparams{'IKE_VERSION'} = >> $confighash{$cgiparams{'KEY'}}[29]; >> - $cgiparams{'IKE_ENCRYPTION'} = >> $confighash{$cgiparams{'KEY'}}[18]; >> - $cgiparams{'IKE_INTEGRITY'} = >> $confighash{$cgiparams{'KEY'}}[19]; >> - $cgiparams{'IKE_GROUPTYPE'} = >> $confighash{$cgiparams{'KEY'}}[20]; >> - $cgiparams{'IKE_LIFETIME'} = >> $confighash{$cgiparams{'KEY'}}[16]; >> - $cgiparams{'ESP_ENCRYPTION'} = >> $confighash{$cgiparams{'KEY'}}[21]; >> - $cgiparams{'ESP_INTEGRITY'} = >> $confighash{$cgiparams{'KEY'}}[22]; >> - $cgiparams{'ESP_GROUPTYPE'} = >> $confighash{$cgiparams{'KEY'}}[23]; >> - if ($cgiparams{'ESP_GROUPTYPE'} eq "") { >> - $cgiparams{'ESP_GROUPTYPE'} = >> $cgiparams{'IKE_GROUPTYPE'}; >> - } >> - $cgiparams{'ESP_KEYLIFE'} = >> $confighash{$cgiparams{'KEY'}}[17]; >> - $cgiparams{'COMPRESSION'} = >> $confighash{$cgiparams{'KEY'}}[13]; >> - $cgiparams{'ONLY_PROPOSED'} = >> $confighash{$cgiparams{'KEY'}}[24]; >> - $cgiparams{'PFS'} = >> $confighash{$cgiparams{'KEY'}}[28]; >> - $cgiparams{'DPD_TIMEOUT'} = >> $confighash{$cgiparams{'KEY'}}[30]; >> - $cgiparams{'DPD_DELAY'} = >> $confighash{$cgiparams{'KEY'}}[31]; >> - $cgiparams{'FORCE_MOBIKE'} = >> $confighash{$cgiparams{'KEY'}}[32]; >> + ($cgiparams{'ACTION'} eq $Lang::tr{'edit'}) || >> + ($cgiparams{'ACTION'} eq $Lang::tr{'save'} && >> $cgiparams{'ADVANCED'} eq '')) { >> >> - if (!$cgiparams{'DPD_DELAY'}) { >> - $cgiparams{'DPD_DELAY'} = 30; >> - } >> + &General::readhash("${General::swroot}/vpn/settings", >> \%vpnsettings); >> + &General::readhasharray("${General::swroot}/vpn/caconfig", >> \%cahash); >> + &General::readhasharray("${General::swroot}/vpn/config", >> \%confighash); >> >> - if (!$cgiparams{'DPD_TIMEOUT'}) { >> - $cgiparams{'DPD_TIMEOUT'} = 120; >> - } >> + if ($cgiparams{'ACTION'} eq $Lang::tr{'edit'}) { >> + if (! $confighash{$cgiparams{'KEY'}}[0]) { >> + $errormessage = $Lang::tr{'invalid key'}; >> + goto VPNCONF_END; >> + } >> + $cgiparams{'ENABLED'} = >> $confighash{$cgiparams{'KEY'}}[0]; >> + $cgiparams{'NAME'} = >> $confighash{$cgiparams{'KEY'}}[1]; >> + $cgiparams{'TYPE'} = >> $confighash{$cgiparams{'KEY'}}[3]; >> + $cgiparams{'AUTH'} = >> $confighash{$cgiparams{'KEY'}}[4]; >> + $cgiparams{'PSK'} = >> $confighash{$cgiparams{'KEY'}}[5]; >> + #$cgiparams{'free'} = >> $confighash{$cgiparams{'KEY'}}[6]; >> + $cgiparams{'LOCAL_ID'} = >> $confighash{$cgiparams{'KEY'}}[7]; >> + $cgiparams{'LOCAL_SUBNET'} = >> $confighash{$cgiparams{'KEY'}}[8]; >> + $cgiparams{'REMOTE_ID'} = >> $confighash{$cgiparams{'KEY'}}[9]; >> + $cgiparams{'REMOTE'} = >> $confighash{$cgiparams{'KEY'}}[10]; >> + $cgiparams{'REMOTE_SUBNET'} = >> $confighash{$cgiparams{'KEY'}}[11]; >> + $cgiparams{'REMARK'} = >> $confighash{$cgiparams{'KEY'}}[25]; >> + $cgiparams{'DPD_ACTION'} = >> $confighash{$cgiparams{'KEY'}}[27]; >> + $cgiparams{'IKE_VERSION'} = >> $confighash{$cgiparams{'KEY'}}[29]; >> + $cgiparams{'IKE_ENCRYPTION'} = >> $confighash{$cgiparams{'KEY'}}[18]; >> + $cgiparams{'IKE_INTEGRITY'} = >> $confighash{$cgiparams{'KEY'}}[19]; >> + $cgiparams{'IKE_GROUPTYPE'} = >> $confighash{$cgiparams{'KEY'}}[20]; >> + $cgiparams{'IKE_LIFETIME'} = >> $confighash{$cgiparams{'KEY'}}[16]; >> + $cgiparams{'ESP_ENCRYPTION'} = >> $confighash{$cgiparams{'KEY'}}[21]; >> + $cgiparams{'ESP_INTEGRITY'} = >> $confighash{$cgiparams{'KEY'}}[22]; >> + $cgiparams{'ESP_GROUPTYPE'} = >> $confighash{$cgiparams{'KEY'}}[23]; >> + if ($cgiparams{'ESP_GROUPTYPE'} eq "") { >> + $cgiparams{'ESP_GROUPTYPE'} = >> $cgiparams{'IKE_GROUPTYPE'}; >> + } >> + $cgiparams{'ESP_KEYLIFE'} = >> $confighash{$cgiparams{'KEY'}}[17]; >> + $cgiparams{'COMPRESSION'} = >> $confighash{$cgiparams{'KEY'}}[13]; >> + $cgiparams{'ONLY_PROPOSED'} = >> $confighash{$cgiparams{'KEY'}}[24]; >> + $cgiparams{'PFS'} = >> $confighash{$cgiparams{'KEY'}}[28]; >> + $cgiparams{'DPD_TIMEOUT'} = >> $confighash{$cgiparams{'KEY'}}[30]; >> + $cgiparams{'DPD_DELAY'} = >> $confighash{$cgiparams{'KEY'}}[31]; >> + $cgiparams{'FORCE_MOBIKE'} = >> $confighash{$cgiparams{'KEY'}}[32]; >> + >> + if (!$cgiparams{'DPD_DELAY'}) { >> + $cgiparams{'DPD_DELAY'} = 30; >> + } >> >> - } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'save'}) { >> - $cgiparams{'REMARK'} = >> &Header::cleanhtml($cgiparams{'REMARK'}); >> - if ($cgiparams{'TYPE'} !~ /^(host|net)$/) { >> - $errormessage = $Lang::tr{'connection type is invalid'}; >> - goto VPNCONF_ERROR; >> - } >> + if (!$cgiparams{'DPD_TIMEOUT'}) { >> + $cgiparams{'DPD_TIMEOUT'} = 120; >> + } >> >> - if ($cgiparams{'NAME'} !~ /^[a-zA-Z0-9]+$/) { >> - $errormessage = $Lang::tr{'name must only contain >> characters'}; >> - goto VPNCONF_ERROR; >> - } >> + } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'save'}) { >> + $cgiparams{'REMARK'} = >> &Header::cleanhtml($cgiparams{'REMARK'}); >> + if ($cgiparams{'TYPE'} !~ /^(host|net)$/) { >> + $errormessage = $Lang::tr{'connection type >> is invalid'}; >> + goto VPNCONF_ERROR; >> + } >> >> - if ($cgiparams{'NAME'} =~ >> /^(host|01|block|private|clear|packetdefault)$/) { >> - $errormessage = $Lang::tr{'name is invalid'}; >> - goto VPNCONF_ERROR; >> - } >> + if ($cgiparams{'NAME'} !~ /^[a-zA-Z0-9]+$/) { >> + $errormessage = $Lang::tr{'name must only >> contain characters'}; >> + goto VPNCONF_ERROR; >> + } >> >> - if (length($cgiparams{'NAME'}) >60) { >> - $errormessage = $Lang::tr{'name too long'}; >> - goto VPNCONF_ERROR; >> - } >> + if ($cgiparams{'NAME'} =~ >> /^(host|01|block|private|clear|packetdefault)$/) { >> + $errormessage = $Lang::tr{'name is >> invalid'}; >> + goto VPNCONF_ERROR; >> + } >> >> - # Check if there is no other entry with this name >> - if (! $cgiparams{'KEY'}) { #only for add >> - foreach my $key (keys %confighash) { >> - if ($confighash{$key}[1] eq $cgiparams{'NAME'}) { >> - $errormessage = $Lang::tr{'a connection with >> this name already exists'}; >> - goto VPNCONF_ERROR; >> + if (length($cgiparams{'NAME'}) >60) { >> + $errormessage = $Lang::tr{'name too long'}; >> + goto VPNCONF_ERROR; >> } >> - } >> - } >> >> - if (($cgiparams{'TYPE'} eq 'net') && (! >> $cgiparams{'REMOTE'})) { >> - $errormessage = $Lang::tr{'invalid input for remote >> host/ip'}; >> - goto VPNCONF_ERROR; >> - } >> + # Check if there is no other entry with this name >> + if (! $cgiparams{'KEY'}) { #only for add >> + foreach my $key (keys %confighash) { >> + if ($confighash{$key}[1] eq >> $cgiparams{'NAME'}) { >> + $errormessage = $Lang::tr{'a >> connection with this name already exists'}; >> + goto VPNCONF_ERROR; >> + } >> + } >> + } >> >> - if ($cgiparams{'REMOTE'}) { >> - if (($cgiparams{'REMOTE'} ne '%any') && (! >> &General::validip($cgiparams{'REMOTE'}))) { >> - if (! &General::validfqdn ($cgiparams{'REMOTE'})) { >> - $errormessage = $Lang::tr{'invalid input for >> remote host/ip'}; >> - goto VPNCONF_ERROR; >> - } else { >> - if (&valid_dns_host($cgiparams{'REMOTE'})) { >> - $warnmessage = "$Lang::tr{'check vpn lr'} >> $cgiparams{'REMOTE'}. $Lang::tr{'dns check failed'}"; >> - } >> + if (($cgiparams{'TYPE'} eq 'net') && (! >> $cgiparams{'REMOTE'})) { >> + $errormessage = $Lang::tr{'invalid input for >> remote host/ip'}; >> + goto VPNCONF_ERROR; >> } >> - } >> - } >> >> - unless >> (&General::validipandmask($cgiparams{'LOCAL_SUBNET'})) { >> - $errormessage = $Lang::tr{'local subnet is invalid'}; >> - goto VPNCONF_ERROR; >> - } >> + if ($cgiparams{'REMOTE'}) { >> + if (($cgiparams{'REMOTE'} ne '%any') && (! >> &General::validip($cgiparams{'REMOTE'}))) { >> + if (! &General::validfqdn >> ($cgiparams{'REMOTE'})) { >> + $errormessage = >> $Lang::tr{'invalid input for remote host/ip'}; >> + goto VPNCONF_ERROR; >> + } else { >> + if >> (&valid_dns_host($cgiparams{'REMOTE'})) { >> + $warnmessage = >> "$Lang::tr{'check vpn lr'} $cgiparams{'REMOTE'}. $Lang::tr{'dns check >> failed'}"; >> + } >> + } >> + } >> + } >> >> - # Allow only one roadwarrior/psk without remote IP-address >> - if ($cgiparams{'REMOTE'} eq '' && $cgiparams{'AUTH'} eq >> 'psk') { >> - foreach my $key (keys %confighash) { >> - if ( ($cgiparams{'KEY'} ne $key) && >> - ($confighash{$key}[4] eq 'psk') && >> - ($confighash{$key}[10] eq '') ) { >> - $errormessage = $Lang::tr{'you can only >> define one roadwarrior connection when using pre-shared key >> authentication'}; >> + unless >> (&General::validipandmask($cgiparams{'LOCAL_SUBNET'})) { >> + $errormessage = $Lang::tr{'local subnet is >> invalid'}; >> goto VPNCONF_ERROR; >> } >> - } >> - } >> - if (($cgiparams{'TYPE'} eq 'net') && (! >> &General::validipandmask($cgiparams{'REMOTE_SUBNET'}))) { >> - $errormessage = $Lang::tr{'remote subnet is invalid'}; >> - goto VPNCONF_ERROR; >> - } >> >> - if ($cgiparams{'ENABLED'} !~ /^(on|off)$/) { >> - $errormessage = $Lang::tr{'invalid input'}; >> - goto VPNCONF_ERROR; >> - } >> - if ($cgiparams{'EDIT_ADVANCED'} !~ /^(on|off)$/) { >> - $errormessage = $Lang::tr{'invalid input'}; >> - goto VPNCONF_ERROR; >> - } >> + # Allow only one roadwarrior/psk without remote IP >> -address >> + if ($cgiparams{'REMOTE'} eq '' && $cgiparams{'AUTH'} >> eq 'psk') { >> + foreach my $key (keys %confighash) { >> + if ( ($cgiparams{'KEY'} ne $key) && >> + ($confighash{$key}[4] eq >> 'psk') && >> + ($confighash{$key}[10] eq >> '') ) { >> + $errormessage = >> $Lang::tr{'you can only define one roadwarrior connection when using >> pre-shared key authentication'}; >> + goto VPNCONF_ERROR; >> + } >> + } >> + } >> + if (($cgiparams{'TYPE'} eq 'net') && (! >> &General::validipandmask($cgiparams{'REMOTE_SUBNET'}))) { >> + $errormessage = $Lang::tr{'remote subnet is >> invalid'}; >> + goto VPNCONF_ERROR; >> + } >> >> - # Allow nothing or a string (DN,FDQN,) beginning with @ >> - # with no comma but slashes between RID eg >> @O=FR/C=Paris/OU=myhome/CN=franck >> - if ( ($cgiparams{'LOCAL_ID'} !~ /^(|[\w.-]*@[\w. =*\/ >> -]+|\d+\.\d+\.\d+\.\d+)$/) || >> - ($cgiparams{'REMOTE_ID'} !~ /^(|[\w.-]*@[\w. =*\/ >> -]+|\d+\.\d+\.\d+\.\d+)$/) || >> - (($cgiparams{'REMOTE_ID'} eq $cgiparams{'LOCAL_ID'}) && >> ($cgiparams{'LOCAL_ID'} ne '')) >> - ) { >> - $errormessage = $Lang::tr{'invalid local-remote id'} . >> '<br />' . >> - 'DER_ASN1_DN: @c=FR/ou=Paris/ou=Home/cn=*<br />' . >> - 'FQDN: @ipfire.org<br />' . >> - 'USER_FQDN: info(a)ipfire.org<br />' . >> - 'IPV4_ADDR: 123.123.123.123'; >> - goto VPNCONF_ERROR; >> - } >> - # If Auth is DN, verify existance of Remote ID. >> - if ( $cgiparams{'REMOTE_ID'} eq '' && ( >> - $cgiparams{'AUTH'} eq 'auth-dn'|| >> # while creation >> - $confighash{$cgiparams{'KEY'}}[2] eq '%auth-dn')){ # >> while editing >> - $errormessage = $Lang::tr{'vpn missing remote id'}; >> - goto VPNCONF_ERROR; >> - } >> + if ($cgiparams{'ENABLED'} !~ /^(on|off)$/) { >> + $errormessage = $Lang::tr{'invalid input'}; >> + goto VPNCONF_ERROR; >> + } >> + if ($cgiparams{'EDIT_ADVANCED'} !~ /^(on|off)$/) { >> + $errormessage = $Lang::tr{'invalid input'}; >> + goto VPNCONF_ERROR; >> + } >> >> - if ($cgiparams{'TYPE'} eq 'net'){ >> - $warnmessage=&General::checksubnets('',$cgiparams{'R >> EMOTE_SUBNET'},'ipsec'); >> - if ($warnmessage ne ''){ >> - $warnmessage=$Lang::tr{'remote subnet'}." >> ($cgiparams{'REMOTE_SUBNET'}) <br>".$warnmessage; >> + # Allow nothing or a string (DN,FDQN,) beginning >> with @ >> + # with no comma but slashes between RID eg >> @O=FR/C=Paris/OU=myhome/CN=franck >> + if ( ($cgiparams{'LOCAL_ID'} !~ /^(|[\w.-]*@[\w. >> =*\/-]+|\d+\.\d+\.\d+\.\d+)$/) || >> + ($cgiparams{'REMOTE_ID'} !~ /^(|[\w.-]*@[\w. >> =*\/-]+|\d+\.\d+\.\d+\.\d+)$/) || >> + (($cgiparams{'REMOTE_ID'} eq >> $cgiparams{'LOCAL_ID'}) && ($cgiparams{'LOCAL_ID'} ne '')) >> + ) { >> + $errormessage = $Lang::tr{'invalid local >> -remote id'} . '<br />' . >> + 'DER_ASN1_DN: @c=FR/ou=Paris/ou=Home/cn=*<br >> />' . >> + 'FQDN: @ipfire.org<br />' . >> + 'USER_FQDN: info(a)ipfire.org<br />' . >> + 'IPV4_ADDR: 123.123.123.123'; >> + goto VPNCONF_ERROR; >> + } >> + # If Auth is DN, verify existance of Remote ID. >> + if ( $cgiparams{'REMOTE_ID'} eq '' && ( >> + $cgiparams{'AUTH'} eq 'auth-dn'|| # while >> creation >> + $confighash{$cgiparams{'KEY'}}[2] eq '%auth >> -dn')){ # while editing >> + $errormessage = $Lang::tr{'vpn >> missing remote id'}; >> + goto VPNCONF_ERROR; >> } >> - } >> >> - if ($cgiparams{'AUTH'} eq 'psk') { >> - if (! length($cgiparams{'PSK'}) ) { >> - $errormessage = $Lang::tr{'pre-shared key is too >> short'}; >> - goto VPNCONF_ERROR; >> - } >> - if ($cgiparams{'PSK'} =~ /'/) { >> - $cgiparams{'PSK'} =~ tr/'/ /; >> - $errormessage = $Lang::tr{'invalid characters found >> in pre-shared key'}; >> - goto VPNCONF_ERROR; >> - } >> + if ($cgiparams{'TYPE'} eq 'net'){ >> + $warnmessage=&General::checksubnets('',$cgip >> arams{'REMOTE_SUBNET'},'ipsec'); >> + if ($warnmessage ne ''){ >> + $warnmessage=$Lang::tr{'remote >> subnet'}." ($cgiparams{'REMOTE_SUBNET'}) <br>".$warnmessage; >> + } >> + } >> + >> + if ($cgiparams{'AUTH'} eq 'psk') { >> + if (! length($cgiparams{'PSK'}) ) { >> + $errormessage = $Lang::tr{'pre >> -shared key is too short'}; >> + goto VPNCONF_ERROR; >> + } >> + if ($cgiparams{'PSK'} =~ /'/) { >> + $cgiparams{'PSK'} =~ tr/'/ /; >> + $errormessage = $Lang::tr{'invalid >> characters found in pre-shared key'}; >> + goto VPNCONF_ERROR; >> + } >> } elsif ($cgiparams{'AUTH'} eq 'certreq') { >> - if ($cgiparams{'KEY'}) { >> - $errormessage = $Lang::tr{'cant change >> certificates'}; >> - goto VPNCONF_ERROR; >> - } >> - if (ref ($cgiparams{'FH'}) ne 'Fh') { >> - $errormessage = $Lang::tr{'there was no file >> upload'}; >> - goto VPNCONF_ERROR; >> - } >> + if ($cgiparams{'KEY'}) { >> + $errormessage = $Lang::tr{'cant change >> certificates'}; >> + goto VPNCONF_ERROR; >> + } >> + if (ref ($cgiparams{'FH'}) ne 'Fh') { >> + $errormessage = $Lang::tr{'there was no file >> upload'}; >> + goto VPNCONF_ERROR; >> + } >> >> - # Move uploaded certificate request to a temporary file >> - (my $fh, my $filename) = tempfile( ); >> - if (copy ($cgiparams{'FH'}, $fh) != 1) { >> - $errormessage = $!; >> - goto VPNCONF_ERROR; >> - } >> + # Move uploaded certificate request to a temporary >> file >> + (my $fh, my $filename) = tempfile( ); >> + if (copy ($cgiparams{'FH'}, $fh) != 1) { >> + $errormessage = $!; >> + goto VPNCONF_ERROR; >> + } >> >> - # Sign the certificate request >> - &General::log("ipsec", "Signing your cert >> $cgiparams{'NAME'}..."); >> - my $opt = " ca -md sha256 -days 999999"; >> + # Sign the certificate request >> + &General::log("ipsec", "Signing your cert >> $cgiparams{'NAME'}..."); >> + my $opt = " ca -md sha256 -days 999999"; >> $opt .= " -batch -notext"; >> $opt .= " -in $filename"; >> $opt .= " -out >> ${General::swroot}/certs/$cgiparams{'NAME'}cert.pem"; >> >> - if ( $errormessage = &callssl ($opt) ) { >> - unlink ($filename); >> - unlink >> ("${General::swroot}/certs/$cgiparams{'NAME'}cert.pem"); >> - &cleanssldatabase(); >> - goto VPNCONF_ERROR; >> - } else { >> - unlink ($filename); >> - &cleanssldatabase(); >> - } >> - >> - $cgiparams{'CERT_NAME'} = getCNfromcert >> ("${General::swroot}/certs/$cgiparams{'NAME'}cert.pem"); >> - if ($cgiparams{'CERT_NAME'} eq '') { >> - $errormessage = $Lang::tr{'could not retrieve common >> name from certificate'}; >> - goto VPNCONF_ERROR; >> - } >> + if ( $errormessage = &callssl ($opt) ) { >> + unlink ($filename); >> + unlink >> ("${General::swroot}/certs/$cgiparams{'NAME'}cert.pem"); >> + &cleanssldatabase(); >> + goto VPNCONF_ERROR; >> + } else { >> + unlink ($filename); >> + &cleanssldatabase(); >> + } >> + >> + $cgiparams{'CERT_NAME'} = getCNfromcert >> ("${General::swroot}/certs/$cgiparams{'NAME'}cert.pem"); >> + if ($cgiparams{'CERT_NAME'} eq '') { >> + $errormessage = $Lang::tr{'could not >> retrieve common name from certificate'}; >> + goto VPNCONF_ERROR; >> + } >> } elsif ($cgiparams{'AUTH'} eq 'pkcs12') { >> &General::log("ipsec", "Importing from p12..."); >> >> if (ref ($cgiparams{'FH'}) ne 'Fh') { >> - $errormessage = $Lang::tr{'there was no file >> upload'}; >> - goto ROOTCERT_ERROR; >> + $errormessage = $Lang::tr{'there was no file >> upload'}; >> + goto ROOTCERT_ERROR; >> } >> >> # Move uploaded certificate request to a temporary >> file >> (my $fh, my $filename) = tempfile( ); >> if (copy ($cgiparams{'FH'}, $fh) != 1) { >> - $errormessage = $!; >> - goto ROOTCERT_ERROR; >> + $errormessage = $!; >> + goto ROOTCERT_ERROR; >> } >> >> # Extract the CA certificate from the file >> &General::log("ipsec", "Extracting caroot from >> p12..."); >> if (open(STDIN, "-|")) { >> - my $opt = " pkcs12 -cacerts >> -nokeys"; >> + my $opt = " pkcs12 -cacerts -nokeys"; >> $opt .= " -in $filename"; >> $opt .= " -out /tmp/newcacert"; >> - $errormessage = &callssl ($opt); >> - } else { #child >> - print "$cgiparams{'P12_PASS'}\n"; >> - exit (0); >> - } >> - >> - # Extract the Host certificate from the file >> - if (!$errormessage) { >> - &General::log("ipsec", "Extracting host cert >> from p12..."); >> - if (open(STDIN, "-|")) { >> - my $opt = " pkcs12 -clcerts -nokeys"; >> - $opt .= " -in $filename"; >> - $opt .= " -out /tmp/newhostcert"; >> $errormessage = &callssl ($opt); >> - } else { #child >> + } else { #child >> print "$cgiparams{'P12_PASS'}\n"; >> exit (0); >> - } >> - } >> - >> - if (!$errormessage) { >> - &General::log("ipsec", "Moving cacert..."); >> - #If CA have new subject, add it to our list of >> CA >> - my $casubject = >> &Header::cleanhtml(getsubjectfromcert ('/tmp/newcacert')); >> - my @names; >> - foreach my $x (keys %cahash) { >> - $casubject='' if ($cahash{$x}[1] eq >> $casubject); >> - unshift (@names,$cahash{$x}[0]); >> - } >> - if ($casubject) { # a new one! >> - my $temp = `/usr/bin/openssl x509 -text -in >> /tmp/newcacert`; >> - if ($temp !~ /CA:TRUE/i) { >> - $errormessage = $Lang::tr{'not a valid >> ca certificate'}; >> - } else { >> - #compute a name for it >> - my $idx=0; >> - while (grep(/Imported-$idx/, @names) ) >> {$idx++}; >> - $cgiparams{'CA_NAME'}="Imported-$idx"; >> - >> $cgiparams{'CERT_NAME'}=&Header::cleanhtml(getCNfromcert >> ('/tmp/newhostcert')); >> - move("/tmp/newcacert", >> "${General::swroot}/ca/$cgiparams{'CA_NAME'}cert.pem"); >> - $errormessage = "$Lang::tr{'certificate >> file move failed'}: $!" if ($? ne 0); >> - if (!$errormessage) { >> - my $key = &General::findhasharraykey >> (\%cahash); >> - $cahash{$key}[0] = >> $cgiparams{'CA_NAME'}; >> - $cahash{$key}[1] = $casubject; >> - &General::writehasharray("${General: >> :swroot}/vpn/caconfig", \%cahash); >> - system('/usr/local/bin/ipsecctrl', >> 'R'); >> - } >> - } >> - } >> + } >> + >> + # Extract the Host certificate from the file >> + if (!$errormessage) { >> + &General::log("ipsec", "Extracting host cert >> from p12..."); >> + if (open(STDIN, "-|")) { >> + my $opt = " pkcs12 -clcerts >> -nokeys"; >> + $opt .= " -in $filename"; >> + $opt .= " -out /tmp/newhostcert"; >> + $errormessage = &callssl ($opt); >> + } else { #child >> + print "$cgiparams{'P12_PASS'}\n"; >> + exit (0); >> + } >> + } >> + >> + if (!$errormessage) { >> + &General::log("ipsec", "Moving cacert..."); >> + #If CA have new subject, add it to our list >> of CA >> + my $casubject = >> &Header::cleanhtml(getsubjectfromcert ('/tmp/newcacert')); >> + my @names; >> + foreach my $x (keys %cahash) { >> + $casubject='' if ($cahash{$x}[1] eq >> $casubject); >> + unshift (@names,$cahash{$x}[0]); >> + } >> + if ($casubject) { # a new one! >> + my $temp = `/usr/bin/openssl x509 >> -text -in /tmp/newcacert`; >> + if ($temp !~ /CA:TRUE/i) { >> + $errormessage = >> $Lang::tr{'not a valid ca certificate'}; >> + } else { >> + #compute a name for it >> + my $idx=0; >> + while (grep(/Imported-$idx/, >> @names) ) {$idx++}; >> + $cgiparams{'CA_NAME'}="Impor >> ted-$idx"; >> + $cgiparams{'CERT_NAME'}=&Hea >> der::cleanhtml(getCNfromcert ('/tmp/newhostcert')); >> + move("/tmp/newcacert", >> "${General::swroot}/ca/$cgiparams{'CA_NAME'}cert.pem"); >> + $errormessage = >> "$Lang::tr{'certificate file move failed'}: $!" if ($? ne 0); >> + if (!$errormessage) { >> + my $key = >> &General::findhasharraykey (\%cahash); >> + $cahash{$key}[0] = >> $cgiparams{'CA_NAME'}; >> + $cahash{$key}[1] = >> $casubject; >> + &General::writehasha >> rray("${General::swroot}/vpn/caconfig", \%cahash); >> + system('/usr/local/b >> in/ipsecctrl', 'R'); >> + } >> + } >> + } >> } >> if (!$errormessage) { >> - &General::log("ipsec", "Moving host cert..."); >> - move("/tmp/newhostcert", >> "${General::swroot}/certs/$cgiparams{'NAME'}cert.pem"); >> - $errormessage = "$Lang::tr{'certificate file >> move failed'}: $!" if ($? ne 0); >> - } >> + &General::log("ipsec", "Moving host >> cert..."); >> + move("/tmp/newhostcert", >> "${General::swroot}/certs/$cgiparams{'NAME'}cert.pem"); >> + $errormessage = "$Lang::tr{'certificate file >> move failed'}: $!" if ($? ne 0); >> + } >> >> #cleanup temp files >> unlink ($filename); >> unlink ('/tmp/newcacert'); >> unlink ('/tmp/newhostcert'); >> if ($errormessage) { >> - unlink >> ("${General::swroot}/ca/$cgiparams{'CA_NAME'}cert.pem"); >> - unlink >> ("${General::swroot}/certs/$cgiparams{'NAME'}cert.pem"); >> - goto VPNCONF_ERROR; >> + unlink >> ("${General::swroot}/ca/$cgiparams{'CA_NAME'}cert.pem"); >> + unlink >> ("${General::swroot}/certs/$cgiparams{'NAME'}cert.pem"); >> + goto VPNCONF_ERROR; >> } >> &General::log("ipsec", "p12 import completed!"); >> } elsif ($cgiparams{'AUTH'} eq 'certfile') { >> - if ($cgiparams{'KEY'}) { >> - $errormessage = $Lang::tr{'cant change >> certificates'}; >> - goto VPNCONF_ERROR; >> - } >> - if (ref ($cgiparams{'FH'}) ne 'Fh') { >> - $errormessage = $Lang::tr{'there was no file >> upload'}; >> - goto VPNCONF_ERROR; >> - } >> - # Move uploaded certificate to a temporary file >> - (my $fh, my $filename) = tempfile( ); >> - if (copy ($cgiparams{'FH'}, $fh) != 1) { >> - $errormessage = $!; >> - goto VPNCONF_ERROR; >> - } >> - >> - # Verify the certificate has a valid CA and move it >> - &General::log("ipsec", "Validating imported cert against >> our known CA..."); >> - my $validca = 1; #assume ok >> - my $test = `/usr/bin/openssl verify -CAfile >> ${General::swroot}/ca/cacert.pem $filename`; >> - if ($test !~ /: OK/) { >> - my $validca = 0; >> - foreach my $key (keys %cahash) { >> - $test = `/usr/bin/openssl verify -CAfile >> ${General::swroot}/ca/$cahash{$key}[0]cert.pem $filename`; >> - if ($test =~ /: OK/) { >> - $validca = 1; >> - last; >> - } >> - } >> - } >> - if (! $validca) { >> - $errormessage = $Lang::tr{'certificate does not have >> a valid ca associated with it'}; >> - unlink ($filename); >> - goto VPNCONF_ERROR; >> - } else { >> - move($filename, >> "${General::swroot}/certs/$cgiparams{'NAME'}cert.pem"); >> - if ($? ne 0) { >> - $errormessage = "$Lang::tr{'certificate file >> move failed'}: $!"; >> - unlink ($filename); >> - goto VPNCONF_ERROR; >> + if ($cgiparams{'KEY'}) { >> + $errormessage = $Lang::tr{'cant change >> certificates'}; >> + goto VPNCONF_ERROR; >> + } >> + if (ref ($cgiparams{'FH'}) ne 'Fh') { >> + $errormessage = $Lang::tr{'there was no file >> upload'}; >> + goto VPNCONF_ERROR; >> + } >> + # Move uploaded certificate to a temporary file >> + (my $fh, my $filename) = tempfile( ); >> + if (copy ($cgiparams{'FH'}, $fh) != 1) { >> + $errormessage = $!; >> + goto VPNCONF_ERROR; >> } >> - } >> >> - $cgiparams{'CERT_NAME'} = getCNfromcert >> ("${General::swroot}/certs/$cgiparams{'NAME'}cert.pem"); >> - if ($cgiparams{'CERT_NAME'} eq '') { >> - unlink >> ("${General::swroot}/certs/$cgiparams{'NAME'}cert.pem"); >> - $errormessage = $Lang::tr{'could not retrieve common >> name from certificate'}; >> - goto VPNCONF_ERROR; >> - } >> + # Verify the certificate has a valid CA and move it >> + &General::log("ipsec", "Validating imported cert >> against our known CA..."); >> + my $validca = 1; #assume ok >> + my $test = `/usr/bin/openssl verify -CAfile >> ${General::swroot}/ca/cacert.pem $filename`; >> + if ($test !~ /: OK/) { >> + my $validca = 0; >> + foreach my $key (keys %cahash) { >> + $test = `/usr/bin/openssl verify >> -CAfile ${General::swroot}/ca/$cahash{$key}[0]cert.pem $filename`; >> + if ($test =~ /: OK/) { >> + $validca = 1; >> + last; >> + } >> + } >> + } >> + if (! $validca) { >> + $errormessage = $Lang::tr{'certificate does >> not have a valid ca associated with it'}; >> + unlink ($filename); >> + goto VPNCONF_ERROR; >> + } else { >> + move($filename, >> "${General::swroot}/certs/$cgiparams{'NAME'}cert.pem"); >> + if ($? ne 0) { >> + $errormessage = >> "$Lang::tr{'certificate file move failed'}: $!"; >> + unlink ($filename); >> + goto VPNCONF_ERROR; >> + } >> + } >> + >> + $cgiparams{'CERT_NAME'} = getCNfromcert >> ("${General::swroot}/certs/$cgiparams{'NAME'}cert.pem"); >> + if ($cgiparams{'CERT_NAME'} eq '') { >> + unlink >> ("${General::swroot}/certs/$cgiparams{'NAME'}cert.pem"); >> + $errormessage = $Lang::tr{'could not >> retrieve common name from certificate'}; >> + goto VPNCONF_ERROR; >> + } >> } elsif ($cgiparams{'AUTH'} eq 'certgen') { >> - if ($cgiparams{'KEY'}) { >> - $errormessage = $Lang::tr{'cant change >> certificates'}; >> - goto VPNCONF_ERROR; >> - } >> - # Validate input since the form was submitted >> - if (length($cgiparams{'CERT_NAME'}) >60) { >> - $errormessage = $Lang::tr{'name too long'}; >> - goto VPNCONF_ERROR; >> - } >> - if ($cgiparams{'CERT_NAME'} !~ /^[a-zA-Z0-9 ,\.\-_]+$/) >> { >> - $errormessage = $Lang::tr{'invalid input for name'}; >> - goto VPNCONF_ERROR; >> - } >> - if ($cgiparams{'CERT_EMAIL'} ne '' && (! >> &General::validemail($cgiparams{'CERT_EMAIL'}))) { >> - $errormessage = $Lang::tr{'invalid input for e-mail >> address'}; >> - goto VPNCONF_ERROR; >> - } >> - if (length($cgiparams{'CERT_EMAIL'}) > 40) { >> - $errormessage = $Lang::tr{'e-mail address too >> long'}; >> - goto VPNCONF_ERROR; >> - } >> - if ($cgiparams{'CERT_OU'} ne '' && $cgiparams{'CERT_OU'} >> !~ /^[a-zA-Z0-9 ,\.\-_]*$/) { >> - $errormessage = $Lang::tr{'invalid input for >> department'}; >> - goto VPNCONF_ERROR; >> - } >> - if (length($cgiparams{'CERT_ORGANIZATION'}) >60) { >> - $errormessage = $Lang::tr{'organization too long'}; >> - goto VPNCONF_ERROR; >> - } >> - if ($cgiparams{'CERT_ORGANIZATION'} !~ /^[a-zA-Z0-9 ,\.\ >> -_]+$/) { >> - $errormessage = $Lang::tr{'invalid input for >> organization'}; >> - goto VPNCONF_ERROR; >> - } >> - if ($cgiparams{'CERT_CITY'} ne '' && >> $cgiparams{'CERT_CITY'} !~ /^[a-zA-Z0-9 ,\.\-_]*$/) { >> - $errormessage = $Lang::tr{'invalid input for city'}; >> - goto VPNCONF_ERROR; >> - } >> - if ($cgiparams{'CERT_STATE'} ne '' && >> $cgiparams{'CERT_STATE'} !~ /^[a-zA-Z0-9 ,\.\-_]*$/) { >> - $errormessage = $Lang::tr{'invalid input for state >> or province'}; >> - goto VPNCONF_ERROR; >> - } >> - if ($cgiparams{'CERT_COUNTRY'} !~ /^[A-Z]*$/) { >> - $errormessage = $Lang::tr{'invalid input for >> country'}; >> - goto VPNCONF_ERROR; >> - } >> - #the exact syntax is a list comma separated of >> - # email:any-validemail >> - # URI: a uniform resource indicator >> - # DNS: a DNS domain name >> - # RID: a registered OBJECT IDENTIFIER >> - # IP: an IP address >> - # example: email:franck(a)foo.com,IP:10.0.0.10,DNS:franck. >> foo.com >> - >> - if ($cgiparams{'SUBJECTALTNAME'} ne '' && >> $cgiparams{'SUBJECTALTNAME'} !~ /^(email|URI|DNS|RID|IP):[a-zA-Z0-9 >> :\/,\.\-_@]*$/) { >> - $errormessage = $Lang::tr{'vpn altname syntax'}; >> - goto VPNCONF_ERROR; >> - } >> + if ($cgiparams{'KEY'}) { >> + $errormessage = $Lang::tr{'cant change >> certificates'}; >> + goto VPNCONF_ERROR; >> + } >> + # Validate input since the form was submitted >> + if (length($cgiparams{'CERT_NAME'}) >60) { >> + $errormessage = $Lang::tr{'name too long'}; >> + goto VPNCONF_ERROR; >> + } >> + if ($cgiparams{'CERT_NAME'} !~ /^[a-zA-Z0-9 ,\.\ >> -_]+$/) { >> + $errormessage = $Lang::tr{'invalid input for >> name'}; >> + goto VPNCONF_ERROR; >> + } >> + if ($cgiparams{'CERT_EMAIL'} ne '' && (! >> &General::validemail($cgiparams{'CERT_EMAIL'}))) { >> + $errormessage = $Lang::tr{'invalid input for >> e-mail address'}; >> + goto VPNCONF_ERROR; >> + } >> + if (length($cgiparams{'CERT_EMAIL'}) > 40) { >> + $errormessage = $Lang::tr{'e-mail address >> too long'}; >> + goto VPNCONF_ERROR; >> + } >> + if ($cgiparams{'CERT_OU'} ne '' && >> $cgiparams{'CERT_OU'} !~ /^[a-zA-Z0-9 ,\.\-_]*$/) { >> + $errormessage = $Lang::tr{'invalid input for >> department'}; >> + goto VPNCONF_ERROR; >> + } >> + if (length($cgiparams{'CERT_ORGANIZATION'}) >60) { >> + $errormessage = $Lang::tr{'organization too >> long'}; >> + goto VPNCONF_ERROR; >> + } >> + if ($cgiparams{'CERT_ORGANIZATION'} !~ /^[a-zA-Z0-9 >> ,\.\-_]+$/) { >> + $errormessage = $Lang::tr{'invalid input for >> organization'}; >> + goto VPNCONF_ERROR; >> + } >> + if ($cgiparams{'CERT_CITY'} ne '' && >> $cgiparams{'CERT_CITY'} !~ /^[a-zA-Z0-9 ,\.\-_]*$/) { >> + $errormessage = $Lang::tr{'invalid input for >> city'}; >> + goto VPNCONF_ERROR; >> + } >> + if ($cgiparams{'CERT_STATE'} ne '' && >> $cgiparams{'CERT_STATE'} !~ /^[a-zA-Z0-9 ,\.\-_]*$/) { >> + $errormessage = $Lang::tr{'invalid input for >> state or province'}; >> + goto VPNCONF_ERROR; >> + } >> + if ($cgiparams{'CERT_COUNTRY'} !~ /^[A-Z]*$/) { >> + $errormessage = $Lang::tr{'invalid input for >> country'}; >> + goto VPNCONF_ERROR; >> + } >> + #the exact syntax is a list comma separated of >> + # email:any-validemail >> + # URI: a uniform resource indicator >> + # DNS: a DNS domain name >> + # RID: a registered OBJECT IDENTIFIER >> + # IP: an IP address >> + # example: email:franck(a)foo.com,IP:10.0.0.10,DNS:fra >> nck.foo.com >> + >> + if ($cgiparams{'SUBJECTALTNAME'} ne '' && >> $cgiparams{'SUBJECTALTNAME'} !~ /^(email|URI|DNS|RID|IP):[a-zA-Z0-9 >> :\/,\.\-_@]*$/) { >> + $errormessage = $Lang::tr{'vpn altname >> syntax'}; >> + goto VPNCONF_ERROR; >> + } >> >> - if (length($cgiparams{'CERT_PASS1'}) < 5) { >> - $errormessage = $Lang::tr{'password too short'}; >> - goto VPNCONF_ERROR; >> - } >> - if ($cgiparams{'CERT_PASS1'} ne >> $cgiparams{'CERT_PASS2'}) { >> - $errormessage = $Lang::tr{'passwords do not match'}; >> - goto VPNCONF_ERROR; >> - } >> + if (length($cgiparams{'CERT_PASS1'}) < 5) { >> + $errormessage = $Lang::tr{'password too >> short'}; >> + goto VPNCONF_ERROR; >> + } >> + if ($cgiparams{'CERT_PASS1'} ne >> $cgiparams{'CERT_PASS2'}) { >> + $errormessage = $Lang::tr{'passwords do not >> match'}; >> + goto VPNCONF_ERROR; >> + } >> >> - # Replace empty strings with a . >> - (my $ou = $cgiparams{'CERT_OU'}) =~ s/^\s*$/\./; >> - (my $city = $cgiparams{'CERT_CITY'}) =~ s/^\s*$/\./; >> - (my $state = $cgiparams{'CERT_STATE'}) =~ s/^\s*$/\./; >> + # Replace empty strings with a . >> + (my $ou = $cgiparams{'CERT_OU'}) =~ s/^\s*$/\./; >> + (my $city = $cgiparams{'CERT_CITY'}) =~ s/^\s*$/\./; >> + (my $state = $cgiparams{'CERT_STATE'}) =~ >> s/^\s*$/\./; >> >> - # Create the Client certificate request >> - &General::log("ipsec", "Creating a cert..."); >> + # Create the Client certificate request >> + &General::log("ipsec", "Creating a cert..."); >> >> - if (open(STDIN, "-|")) { >> - my $opt = " req -nodes -rand >> /proc/interrupts:/proc/net/rt_cache"; >> - $opt .= " -newkey rsa:2048"; >> - $opt .= " -keyout >> ${General::swroot}/certs/$cgiparams{'NAME'}key.pem"; >> - $opt .= " -out >> ${General::swroot}/certs/$cgiparams{'NAME'}req.pem"; >> + if (open(STDIN, "-|")) { >> + my $opt = " req -nodes -rand >> /proc/interrupts:/proc/net/rt_cache"; >> + $opt .= " -newkey rsa:2048"; >> + $opt .= " -keyout >> ${General::swroot}/certs/$cgiparams{'NAME'}key.pem"; >> + $opt .= " -out >> ${General::swroot}/certs/$cgiparams{'NAME'}req.pem"; >> + >> + if ( $errormessage = &callssl ($opt) ) { >> + unlink >> ("${General::swroot}/certs/$cgiparams{'NAME'}key.pem"); >> + unlink >> ("${General::swroot}/certs/$cgiparams{'NAME'}req.pem"); >> + goto VPNCONF_ERROR; >> + } >> + } else { #child >> + print "$cgiparams{'CERT_COUNTRY'}\n"; >> + print "$state\n"; >> + print "$city\n"; >> + print "$cgiparams{'CERT_ORGANIZATION'}\n"; >> + print "$ou\n"; >> + print "$cgiparams{'CERT_NAME'}\n"; >> + print "$cgiparams{'CERT_EMAIL'}\n"; >> + print ".\n"; >> + print ".\n"; >> + exit (0); >> + } >> >> - if ( $errormessage = &callssl ($opt) ) { >> - unlink >> ("${General::swroot}/certs/$cgiparams{'NAME'}key.pem"); >> - unlink >> ("${General::swroot}/certs/$cgiparams{'NAME'}req.pem"); >> - goto VPNCONF_ERROR; >> - } >> - } else { #child >> - print "$cgiparams{'CERT_COUNTRY'}\n"; >> - print "$state\n"; >> - print "$city\n"; >> - print "$cgiparams{'CERT_ORGANIZATION'}\n"; >> - print "$ou\n"; >> - print "$cgiparams{'CERT_NAME'}\n"; >> - print "$cgiparams{'CERT_EMAIL'}\n"; >> - print ".\n"; >> - print ".\n"; >> - exit (0); >> - } >> - >> - # Sign the client certificate request >> - &General::log("ipsec", "Signing the cert >> $cgiparams{'NAME'}..."); >> - >> - #No easy way for specifying the contain of >> subjectAltName without writing a config file... >> - my ($fh, $v3extname) = tempfile ('/tmp/XXXXXXXX'); >> - print $fh <<END >> - basicConstraints=CA:FALSE >> - nsComment="OpenSSL Generated Certificate" >> - subjectKeyIdentifier=hash >> - extendedKeyUsage=clientAuth >> - authorityKeyIdentifier=keyid,issuer:always >> + # Sign the client certificate request >> + &General::log("ipsec", "Signing the cert >> $cgiparams{'NAME'}..."); >> + >> + #No easy way for specifying the contain of >> subjectAltName without writing a config file... >> + my ($fh, $v3extname) = tempfile ('/tmp/XXXXXXXX'); >> + print $fh <<END >> + basicConstraints=CA:FALSE >> + nsComment="OpenSSL Generated Certificate" >> + subjectKeyIdentifier=hash >> + extendedKeyUsage=clientAuth >> + authorityKeyIdentifier=keyid,issuer:always >> END >> ; >> - print $fh "subjectAltName=$cgiparams{'SUBJECTALTNAME'}" >> if ($cgiparams{'SUBJECTALTNAME'}); >> - close ($fh); >> - >> - my $opt = " ca -md sha256 -days 999999 -batch -notext"; >> - $opt .= " -in >> ${General::swroot}/certs/$cgiparams{'NAME'}req.pem"; >> - $opt .= " -out >> ${General::swroot}/certs/$cgiparams{'NAME'}cert.pem"; >> - $opt .= " -extfile $v3extname"; >> - >> - if ( $errormessage = &callssl ($opt) ) { >> - unlink ($v3extname); >> - unlink >> ("${General::swroot}/certs/$cgiparams{'NAME'}key.pem"); >> - unlink >> ("${General::swroot}/certs/$cgiparams{'NAME'}req.pem"); >> - unlink >> ("${General::swroot}/certs/$cgiparams{'NAME'}cert.pem"); >> - &cleanssldatabase(); >> - goto VPNCONF_ERROR; >> - } else { >> - unlink ($v3extname); >> - unlink >> ("${General::swroot}/certs/$cgiparams{'NAME'}req.pem"); >> - &cleanssldatabase(); >> - } >> - >> - # Create the pkcs12 file >> - &General::log("ipsec", "Packing a pkcs12 file..."); >> - $opt = " pkcs12 -export"; >> - $opt .= " -inkey >> ${General::swroot}/certs/$cgiparams{'NAME'}key.pem"; >> - $opt .= " -in >> ${General::swroot}/certs/$cgiparams{'NAME'}cert.pem"; >> - $opt .= " -name \"$cgiparams{'NAME'}\""; >> - $opt .= " -passout pass:$cgiparams{'CERT_PASS1'}"; >> - $opt .= " -certfile >> ${General::swroot}/ca/cacert.pem"; >> - $opt .= " -caname >> \"$vpnsettings{'ROOTCERT_ORGANIZATION'} CA\""; >> - $opt .= " -out >> ${General::swroot}/certs/$cgiparams{'NAME'}.p12"; >> - >> - if ( $errormessage = &callssl ($opt) ) { >> - unlink >> ("${General::swroot}/certs/$cgiparams{'NAME'}key.pem"); >> - unlink >> ("${General::swroot}/certs/$cgiparams{'NAME'}cert.pem"); >> - unlink >> ("${General::swroot}/certs/$cgiparams{'NAME'}.p12"); >> - goto VPNCONF_ERROR; >> - } else { >> - unlink >> ("${General::swroot}/certs/$cgiparams{'NAME'}key.pem"); >> - } >> + print $fh >> "subjectAltName=$cgiparams{'SUBJECTALTNAME'}" if >> ($cgiparams{'SUBJECTALTNAME'}); >> + close ($fh); >> + >> + my $opt = " ca -md sha256 -days 999999 -batch >> -notext"; >> + $opt .= " -in >> ${General::swroot}/certs/$cgiparams{'NAME'}req.pem"; >> + $opt .= " -out >> ${General::swroot}/certs/$cgiparams{'NAME'}cert.pem"; >> + $opt .= " -extfile $v3extname"; >> + >> + if ( $errormessage = &callssl ($opt) ) { >> + unlink ($v3extname); >> + unlink >> ("${General::swroot}/certs/$cgiparams{'NAME'}key.pem"); >> + unlink >> ("${General::swroot}/certs/$cgiparams{'NAME'}req.pem"); >> + unlink >> ("${General::swroot}/certs/$cgiparams{'NAME'}cert.pem"); >> + &cleanssldatabase(); >> + goto VPNCONF_ERROR; >> + } else { >> + unlink ($v3extname); >> + unlink >> ("${General::swroot}/certs/$cgiparams{'NAME'}req.pem"); >> + &cleanssldatabase(); >> + } >> + >> + # Create the pkcs12 file >> + &General::log("ipsec", "Packing a pkcs12 file..."); >> + $opt = " pkcs12 -export"; >> + $opt .= " -inkey >> ${General::swroot}/certs/$cgiparams{'NAME'}key.pem"; >> + $opt .= " -in >> ${General::swroot}/certs/$cgiparams{'NAME'}cert.pem"; >> + $opt .= " -name \"$cgiparams{'NAME'}\""; >> + $opt .= " -passout pass:$cgiparams{'CERT_PASS1'}"; >> + $opt .= " -certfile >> ${General::swroot}/ca/cacert.pem"; >> + $opt .= " -caname >> \"$vpnsettings{'ROOTCERT_ORGANIZATION'} CA\""; >> + $opt .= " -out >> ${General::swroot}/certs/$cgiparams{'NAME'}.p12"; >> + >> + if ( $errormessage = &callssl ($opt) ) { >> + unlink >> ("${General::swroot}/certs/$cgiparams{'NAME'}key.pem"); >> + unlink >> ("${General::swroot}/certs/$cgiparams{'NAME'}cert.pem"); >> + unlink >> ("${General::swroot}/certs/$cgiparams{'NAME'}.p12"); >> + goto VPNCONF_ERROR; >> + } else { >> + unlink >> ("${General::swroot}/certs/$cgiparams{'NAME'}key.pem"); >> + } >> } elsif ($cgiparams{'AUTH'} eq 'cert') { >> - ;# Nothing, just editing >> + ;# Nothing, just editing >> } elsif ($cgiparams{'AUTH'} eq 'auth-dn') { >> - $cgiparams{'CERT_NAME'} = '%auth-dn'; # a special >> value saying 'no cert file' >> + $cgiparams{'CERT_NAME'} = '%auth-dn'; # a special >> value saying 'no cert file' >> } else { >> - $errormessage = $Lang::tr{'invalid input for >> authentication method'}; >> - goto VPNCONF_ERROR; >> + $errormessage = $Lang::tr{'invalid input for >> authentication method'}; >> + goto VPNCONF_ERROR; >> } >> >> # 1)Error message here is not accurate. >> @@ -1759,34 +1757,34 @@ END >> # 3)Present since initial version (1.3.2.11), it isn't a bug >> correction >> # Check if there is no other entry with this certificate >> name >> #if ((! $cgiparams{'KEY'}) && ($cgiparams{'AUTH'} ne 'psk') >> && ($cgiparams{'AUTH'} ne 'auth-dn')) { >> - # foreach my $key (keys %confighash) { >> + # foreach my $key (keys %confighash) { >> # if ($confighash{$key}[2] eq >> $cgiparams{'CERT_NAME'}) { >> - # $errormessage = $Lang::tr{'a connection with >> this common name already exists'}; >> - # goto VPNCONF_ERROR; >> + # $errormessage = $Lang::tr{'a connection >> with this common name already exists'}; >> + # goto VPNCONF_ERROR; >> + # } >> # } >> - # } >> #} >> - # Save the config >> + # Save the config >> >> my $key = $cgiparams{'KEY'}; >> if (! $key) { >> - $key = &General::findhasharraykey (\%confighash); >> - foreach my $i (0 .. 32) { $confighash{$key}[$i] = "";} >> + $key = &General::findhasharraykey (\%confighash); >> + foreach my $i (0 .. 32) { $confighash{$key}[$i] = >> "";} >> } >> $confighash{$key}[0] = $cgiparams{'ENABLED'}; >> $confighash{$key}[1] = $cgiparams{'NAME'}; >> if ((! $cgiparams{'KEY'}) && $cgiparams{'AUTH'} ne 'psk') { >> - $confighash{$key}[2] = $cgiparams{'CERT_NAME'}; >> + $confighash{$key}[2] = $cgiparams{'CERT_NAME'}; >> } >> $confighash{$key}[3] = $cgiparams{'TYPE'}; >> if ($cgiparams{'AUTH'} eq 'psk') { >> - $confighash{$key}[4] = 'psk'; >> - $confighash{$key}[5] = $cgiparams{'PSK'}; >> + $confighash{$key}[4] = 'psk'; >> + $confighash{$key}[5] = $cgiparams{'PSK'}; >> } else { >> - $confighash{$key}[4] = 'cert'; >> + $confighash{$key}[4] = 'cert'; >> } >> if ($cgiparams{'TYPE'} eq 'net') { >> - $confighash{$key}[11] = $cgiparams{'REMOTE_SUBNET'}; >> + $confighash{$key}[11] = $cgiparams{'REMOTE_SUBNET'}; >> } >> $confighash{$key}[7] = $cgiparams{'LOCAL_ID'}; >> $confighash{$key}[8] = $cgiparams{'LOCAL_SUBNET'}; >> @@ -1797,7 +1795,7 @@ END >> $confighash{$key}[27] = $cgiparams{'DPD_ACTION'}; >> $confighash{$key}[29] = $cgiparams{'IKE_VERSION'}; >> >> - #dont forget advanced value >> + # don't forget advanced value >> $confighash{$key}[18] = $cgiparams{'IKE_ENCRYPTION'}; >> $confighash{$key}[19] = $cgiparams{'IKE_INTEGRITY'}; >> $confighash{$key}[20] = $cgiparams{'IKE_GROUPTYPE'}; >> @@ -1814,39 +1812,39 @@ END >> $confighash{$key}[31] = $cgiparams{'DPD_DELAY'}; >> $confighash{$key}[32] = $cgiparams{'FORCE_MOBIKE'}; >> >> - #free unused fields! >> + # free unused fields! >> $confighash{$key}[6] = 'off'; >> $confighash{$key}[15] = 'off'; >> >> &General::writehasharray("${General::swroot}/vpn/config", >> \%confighash); >> &writeipsecfiles(); >> if (&vpnenabled) { >> - system('/usr/local/bin/ipsecctrl', 'S', $key); >> - sleep $sleepDelay; >> + system('/usr/local/bin/ipsecctrl', 'S', $key); >> + sleep $sleepDelay; >> } >> if ($cgiparams{'EDIT_ADVANCED'} eq 'on') { >> - $cgiparams{'KEY'} = $key; >> - $cgiparams{'ACTION'} = $Lang::tr{'advanced'}; >> + $cgiparams{'KEY'} = $key; >> + $cgiparams{'ACTION'} = $Lang::tr{'advanced'}; >> } >> goto VPNCONF_END; >> - } else { # add new connection >> - $cgiparams{'ENABLED'} = 'on'; >> +} else { # add new connection >> + $cgiparams{'ENABLED'} = 'on'; >> if ( ! -f "${General::swroot}/private/cakey.pem" ) { >> - $cgiparams{'AUTH'} = 'psk'; >> + $cgiparams{'AUTH'} = 'psk'; >> } elsif ( ! -f "${General::swroot}/ca/cacert.pem") { >> - $cgiparams{'AUTH'} = 'certfile'; >> + $cgiparams{'AUTH'} = 'certfile'; >> } else { >> - $cgiparams{'AUTH'} = 'certgen'; >> + $cgiparams{'AUTH'} = 'certgen'; >> } >> - $cgiparams{'LOCAL_SUBNET'} >> ="$netsettings{'GREEN_NETADDRESS'}/$netsettings{'GREEN_NETMASK'}"; >> - $cgiparams{'CERT_EMAIL'} = >> $vpnsettings{'ROOTCERT_EMAIL'}; >> - $cgiparams{'CERT_OU'} = >> $vpnsettings{'ROOTCERT_OU'}; >> - $cgiparams{'CERT_ORGANIZATION'} = >> $vpnsettings{'ROOTCERT_ORGANIZATION'}; >> - $cgiparams{'CERT_CITY'} = >> $vpnsettings{'ROOTCERT_CITY'}; >> - $cgiparams{'CERT_STATE'} = >> $vpnsettings{'ROOTCERT_STATE'}; >> - $cgiparams{'CERT_COUNTRY'} = >> $vpnsettings{'ROOTCERT_COUNTRY'}; >> + $cgiparams{'LOCAL_SUBNET'} = >> "$netsettings{'GREEN_NETADDRESS'}/$netsettings{'GREEN_NETMASK'}"; >> + $cgiparams{'CERT_EMAIL'} = >> $vpnsettings{'ROOTCERT_EMAIL'}; >> + $cgiparams{'CERT_OU'} = >> $vpnsettings{'ROOTCERT_OU'}; >> + $cgiparams{'CERT_ORGANIZATION'} = >> $vpnsettings{'ROOTCERT_ORGANIZATION'}; >> + $cgiparams{'CERT_CITY'} = >> $vpnsettings{'ROOTCERT_CITY'}; >> + $cgiparams{'CERT_STATE'} = >> $vpnsettings{'ROOTCERT_STATE'}; >> + $cgiparams{'CERT_COUNTRY'} = >> $vpnsettings{'ROOTCERT_COUNTRY'}; >> >> - # choose appropriate dpd action >> + # choose appropriate dpd action >> if ($cgiparams{'TYPE'} eq 'host') { >> $cgiparams{'DPD_ACTION'} = 'clear'; >> } else { >> @@ -1867,63 +1865,63 @@ END >> >> # Default IKE Version to v2 >> if (!$cgiparams{'IKE_VERSION'}) { >> - $cgiparams{'IKE_VERSION'} = 'ikev2'; >> + $cgiparams{'IKE_VERSION'} = 'ikev2'; >> } >> >> # ID are empty >> - $cgiparams{'LOCAL_ID'} = ''; >> + $cgiparams{'LOCAL_ID'} = ''; >> $cgiparams{'REMOTE_ID'} = ''; >> >> #use default advanced value >> - $cgiparams{'IKE_ENCRYPTION'} = >> 'aes256gcm128|aes256gcm96|aes256gcm64|aes256|aes192gcm128|aes192gcm96 >> |aes192gcm64|aes192|aes128gcm128|aes128gcm96|aes128gcm64|aes128'; >> #[18]; >> - $cgiparams{'IKE_INTEGRITY'} = 'sha2_512|sha2_256|sha'; >> #[19]; >> - $cgiparams{'IKE_GROUPTYPE'} = '4096|3072|2048|1536|1024'; >> #[20]; >> - $cgiparams{'IKE_LIFETIME'} = '3'; #[16]; >> - $cgiparams{'ESP_ENCRYPTION'} = >> 'aes256gcm128|aes256gcm96|aes256gcm64|aes256|aes192gcm128|aes192gcm96 >> |aes192gcm64|aes192|aes128gcm128|aes128gcm96|aes128gcm64|aes128'; >> #[21]; >> - $cgiparams{'ESP_INTEGRITY'} = 'sha2_512|sha2_256|sha1'; >> #[22]; >> - $cgiparams{'ESP_GROUPTYPE'} = '4096|3072|2048|1536|1024'; >> #[23]; >> - $cgiparams{'ESP_KEYLIFE'} = '1'; #[17]; >> - $cgiparams{'COMPRESSION'} = 'on'; #[13]; >> - $cgiparams{'ONLY_PROPOSED'} = 'off'; #[24]; >> - $cgiparams{'PFS'} = 'on'; #[28]; >> - } >> - >> - VPNCONF_ERROR: >> - $checked{'ENABLED'}{'off'} = ''; >> - $checked{'ENABLED'}{'on'} = ''; >> - $checked{'ENABLED'}{$cgiparams{'ENABLED'}} = >> "checked='checked'"; >> - >> - $checked{'EDIT_ADVANCED'}{'off'} = ''; >> - $checked{'EDIT_ADVANCED'}{'on'} = ''; >> - $checked{'EDIT_ADVANCED'}{$cgiparams{'EDIT_ADVANCED'}} = >> "checked='checked'"; >> - >> - $checked{'AUTH'}{'psk'} = ''; >> - $checked{'AUTH'}{'certreq'} = ''; >> - $checked{'AUTH'}{'certgen'} = ''; >> - $checked{'AUTH'}{'certfile'} = ''; >> - $checked{'AUTH'}{'pkcs12'} = ''; >> - $checked{'AUTH'}{'auth-dn'} = ''; >> - $checked{'AUTH'}{$cgiparams{'AUTH'}} = "checked='checked'"; >> - >> - &Header::showhttpheaders(); >> - &Header::openpage($Lang::tr{'ipsec'}, 1, ''); >> - &Header::openbigbox('100%', 'left', '', $errormessage); >> - if ($errormessage) { >> - &Header::openbox('100%', 'left', $Lang::tr{'error >> messages'}); >> - print "<class name='base'>$errormessage"; >> - print " </class>"; >> - &Header::closebox(); >> - } >> + $cgiparams{'IKE_ENCRYPTION'} = >> 'aes256gcm128|aes256gcm96|aes256gcm64|aes256|aes192gcm128|aes192gcm96 >> |aes192gcm64|aes192|aes128gcm128|aes128gcm96|aes128gcm64|aes128'; >> #[18]; >> + $cgiparams{'IKE_INTEGRITY'} = >> 'sha2_512|sha2_256|sha'; #[19]; >> + $cgiparams{'IKE_GROUPTYPE'} = >> '4096|3072|2048|1536|1024'; #[20]; >> + $cgiparams{'IKE_LIFETIME'} = '3'; #[16]; >> + $cgiparams{'ESP_ENCRYPTION'} = >> 'aes256gcm128|aes256gcm96|aes256gcm64|aes256|aes192gcm128|aes192gcm96 >> |aes192gcm64|aes192|aes128gcm128|aes128gcm96|aes128gcm64|aes128'; >> #[21]; >> + $cgiparams{'ESP_INTEGRITY'} = >> 'sha2_512|sha2_256|sha1'; #[22]; >> + $cgiparams{'ESP_GROUPTYPE'} = >> '4096|3072|2048|1536|1024'; #[23]; >> + $cgiparams{'ESP_KEYLIFE'} = '1'; #[17]; >> + $cgiparams{'COMPRESSION'} = 'on'; #[13]; >> + $cgiparams{'ONLY_PROPOSED'} = 'off'; #[24]; >> + $cgiparams{'PFS'} = 'on'; >> #[28]; >> +} >> >> - if ($warnmessage) { >> - &Header::openbox('100%', 'left', "$Lang::tr{'warning >> messages'}:"); >> - print "<class name='base'>$warnmessage"; >> - print " </class>"; >> - &Header::closebox(); >> - } >> +VPNCONF_ERROR: >> + $checked{'ENABLED'}{'off'} = ''; >> + $checked{'ENABLED'}{'on'} = ''; >> + $checked{'ENABLED'}{$cgiparams{'ENABLED'}} = >> "checked='checked'"; >> + >> + $checked{'EDIT_ADVANCED'}{'off'} = ''; >> + $checked{'EDIT_ADVANCED'}{'on'} = ''; >> + $checked{'EDIT_ADVANCED'}{$cgiparams{'EDIT_ADVANCED'}} = >> "checked='checked'"; >> + >> + $checked{'AUTH'}{'psk'} = ''; >> + $checked{'AUTH'}{'certreq'} = ''; >> + $checked{'AUTH'}{'certgen'} = ''; >> + $checked{'AUTH'}{'certfile'} = ''; >> + $checked{'AUTH'}{'pkcs12'} = ''; >> + $checked{'AUTH'}{'auth-dn'} = ''; >> + $checked{'AUTH'}{$cgiparams{'AUTH'}} = "checked='checked'"; >> + >> + &Header::showhttpheaders(); >> + &Header::openpage($Lang::tr{'ipsec'}, 1, ''); >> + &Header::openbigbox('100%', 'left', '', $errormessage); >> + if ($errormessage) { >> + &Header::openbox('100%', 'left', $Lang::tr{'error >> messages'}); >> + print "<class name='base'>$errormessage"; >> + print " </class>"; >> + &Header::closebox(); >> + } >> + >> + if ($warnmessage) { >> + &Header::openbox('100%', 'left', "$Lang::tr{'warning >> messages'}:"); >> + print "<class name='base'>$warnmessage"; >> + print " </class>"; >> + &Header::closebox(); >> + } >> >> - print "<form method='post' enctype='multipart/form-data' >> action='$ENV{'SCRIPT_NAME'}'>"; >> - print<<END >> + print "<form method='post' enctype='multipart/form-data' >> action='$ENV{'SCRIPT_NAME'}'>"; >> + print<<END >> <input type='hidden' name='TYPE' value='$cgiparams{'TYPE'}' >> /> >> <input type='hidden' name='IKE_VERSION' >> value='$cgiparams{'IKE_VERSION'}' /> >> <input type='hidden' name='IKE_ENCRYPTION' >> value='$cgiparams{'IKE_ENCRYPTION'}' /> >> @@ -1942,172 +1940,172 @@ END >> <input type='hidden' name='DPD_TIMEOUT' >> value='$cgiparams{'DPD_TIMEOUT'}' /> >> <input type='hidden' name='FORCE_MOBIKE' >> value='$cgiparams{'FORCE_MOBIKE'}' /> >> END >> - ; >> - if ($cgiparams{'KEY'}) { >> - print "<input type='hidden' name='KEY' >> value='$cgiparams{'KEY'}' />"; >> - print "<input type='hidden' name='NAME' >> value='$cgiparams{'NAME'}' />"; >> - print "<input type='hidden' name='AUTH' >> value='$cgiparams{'AUTH'}' />"; >> - } >> - >> - &Header::openbox('100%', 'left', "$Lang::tr{'connection'}: >> $cgiparams{'NAME'}"); >> - print "<table width='100%'>"; >> - if (!$cgiparams{'KEY'}) { >> - print <<EOF; >> - <tr> >> - <td >> width='20%'>$Lang::tr{'name'}: <img src='/blob.gif' alt='*' >> /></td> >> - <td width='30%'> >> - <input type='text' name='NAME' >> value='$cgiparams{'NAME'}' size='25' /> >> - </td> >> - <td colspan="2"></td> >> - </tr> >> +; >> + if ($cgiparams{'KEY'}) { >> + print "<input type='hidden' name='KEY' >> value='$cgiparams{'KEY'}' />"; >> + print "<input type='hidden' name='NAME' >> value='$cgiparams{'NAME'}' />"; >> + print "<input type='hidden' name='AUTH' >> value='$cgiparams{'AUTH'}' />"; >> + } >> + >> + &Header::openbox('100%', 'left', "$Lang::tr{'connection'}: >> $cgiparams{'NAME'}"); >> + print "<table width='100%'>"; >> + if (!$cgiparams{'KEY'}) { >> + print <<EOF; >> + <tr> >> + <td >> width='20%'>$Lang::tr{'name'}: <img src='/blob.gif' alt='*' >> /></td> >> + <td width='30%'> >> + <input type='text' >> name='NAME' value='$cgiparams{'NAME'}' size='25' /> >> + </td> >> + <td colspan="2"></td> >> + </tr> >> EOF >> - } >> + } >> >> - my $disabled; >> - my $blob; >> - if ($cgiparams{'TYPE'} eq 'host') { >> + my $disabled; >> + my $blob; >> + if ($cgiparams{'TYPE'} eq 'host') { >> $disabled = "disabled='disabled'"; >> - } elsif ($cgiparams{'TYPE'} eq 'net') { >> + } elsif ($cgiparams{'TYPE'} eq 'net') { >> $blob = "<img src='/blob.gif' alt='*' />"; >> - }; >> + }; >> >> - print <<END >> + print <<END >> <tr> >> <td width='20%'>$Lang::tr{'enabled'}</td> >> <td width='30%'> >> <input type='checkbox' name='ENABLED' >> $checked{'ENABLED'}{'on'} /> >> </td> >> - <td class='boldbase' nowrap='nowrap' >> width='20%'>$Lang::tr{'local subnet'} <img src='/blob.gif' >> alt='*' /></td> >> - <td width='30%'> >> - <input type='text' name='LOCAL_SUBNET' >> value='$cgiparams{'LOCAL_SUBNET'}' size="25" /> >> - </td> >> + <td class='boldbase' nowrap='nowrap' >> width='20%'>$Lang::tr{'local subnet'} <img src='/blob.gif' >> alt='*' /></td> >> + <td width='30%'> >> + <input type='text' name='LOCAL_SUBNET' >> value='$cgiparams{'LOCAL_SUBNET'}' size="25" /> >> + </td> >> </tr> >> <tr> >> - <td class='boldbase' width='20%'>$Lang::tr{'remote >> host/ip'}: $blob</td> >> - <td width='30%'> >> - <input type='text' name='REMOTE' >> value='$cgiparams{'REMOTE'}' size="25" /> >> - </td> >> - <td class='boldbase' nowrap='nowrap' >> width='20%'>$Lang::tr{'remote subnet'} $blob</td> >> - <td width='30%'> >> - <input $disabled type='text' name='REMOTE_SUBNET' >> value='$cgiparams{'REMOTE_SUBNET'}' size="25" /> >> - </td> >> + <td class='boldbase' width='20%'>$Lang::tr{'remote >> host/ip'}: $blob</td> >> + <td width='30%'> >> + <input type='text' name='REMOTE' >> value='$cgiparams{'REMOTE'}' size="25" /> >> + </td> >> + <td class='boldbase' nowrap='nowrap' >> width='20%'>$Lang::tr{'remote subnet'} $blob</td> >> + <td width='30%'> >> + <input $disabled type='text' >> name='REMOTE_SUBNET' value='$cgiparams{'REMOTE_SUBNET'}' size="25" /> >> + </td> >> </tr> >> <tr> >> - <td class='boldbase' width='20%'>$Lang::tr{'vpn local >> id'}:</td> >> - <td width='30%'> >> - <input type='text' name='LOCAL_ID' >> value='$cgiparams{'LOCAL_ID'}' size="25" /> >> - </td> >> - <td class='boldbase' width='20%'>$Lang::tr{'vpn remote >> id'}:</td> >> - <td width='30%'> >> - <input type='text' name='REMOTE_ID' >> value='$cgiparams{'REMOTE_ID'}' size="25" /> >> - </td> >> + <td class='boldbase' width='20%'>$Lang::tr{'vpn >> local id'}:</td> >> + <td width='30%'> >> + <input type='text' name='LOCAL_ID' >> value='$cgiparams{'LOCAL_ID'}' size="25" /> >> + </td> >> + <td class='boldbase' width='20%'>$Lang::tr{'vpn >> remote id'}:</td> >> + <td width='30%'> >> + <input type='text' name='REMOTE_ID' >> value='$cgiparams{'REMOTE_ID'}' size="25" /> >> + </td> >> </tr> >> <tr><td colspan="4"><br /></td></tr> >> <tr> >> - <td class='boldbase' width='20%'>$Lang::tr{'remark >> title'}</td> >> - <td colspan='3'> >> - <input type='text' name='REMARK' >> value='$cgiparams{'REMARK'}' maxlength='50' size="73" /> >> - </td> >> - </tr> >> -END >> - ; >> - if (!$cgiparams{'KEY'}) { >> - print "<tr><td colspan='3'><input type='checkbox' >> name='EDIT_ADVANCED' $checked{'EDIT_ADVANCED'}{'on'} /> >> $Lang::tr{'edit advanced settings when done'}</td></tr>"; >> - } >> - print "</table>"; >> - &Header::closebox(); >> - >> - if ($cgiparams{'KEY'} && $cgiparams{'AUTH'} eq 'psk') { >> - &Header::openbox('100%', 'left', >> $Lang::tr{'authentication'}); >> - print <<END >> - <table width='100%' cellpadding='0' cellspacing='5' >> border='0'> >> - <tr><td class='base' width='50%'>$Lang::tr{'use a pre-shared >> key'}</td> >> - <td class='base' width='50%'><input type='password' >> name='PSK' size='30' value='$cgiparams{'PSK'}' /></td> >> + <td class='boldbase' width='20%'>$Lang::tr{'remark >> title'}</td> >> + <td colspan='3'> >> + <input type='text' name='REMARK' >> value='$cgiparams{'REMARK'}' maxlength='50' size="73" /> >> + </td> >> </tr> >> - </table> >> END >> - ; >> +; >> + if (!$cgiparams{'KEY'}) { >> + print "<tr><td colspan='3'><input type='checkbox' >> name='EDIT_ADVANCED' $checked{'EDIT_ADVANCED'}{'on'} /> >> $Lang::tr{'edit advanced settings when done'}</td></tr>"; >> + } >> + print "</table>"; >> &Header::closebox(); >> - } elsif (! $cgiparams{'KEY'}) { >> - my $cakeydisabled = ( ! -f >> "${General::swroot}/private/cakey.pem" ) ? "disabled='disabled'" : >> ''; >> - $cgiparams{'CERT_NAME'} = $Lang::tr{'vpn no full pki'} if >> ($cakeydisabled); >> - my $cacrtdisabled = ( ! -f >> "${General::swroot}/ca/cacert.pem" ) ? "disabled='disabled'" : ''; >> >> - &Header::openbox('100%', 'left', >> $Lang::tr{'authentication'}); >> - print <<END >> - <table width='100%' cellpadding='0' cellspacing='5' >> border='0'> >> - <tr><td width='5%'><input type='radio' name='AUTH' >> value='psk' $checked{'AUTH'}{'psk'} /></td> >> - <td class='base' width='55%'>$Lang::tr{'use a pre-shared >> key'}</td> >> - <td class='base' width='40%'><input type='password' >> name='PSK' size='30' value='$cgiparams{'PSK'}' /></td></tr> >> - <tr><td colspan='3' bgcolor='#000000'></td></tr> >> - <tr><td><input type='radio' name='AUTH' value='certreq' >> $checked{'AUTH'}{'certreq'} $cakeydisabled /></td> >> - <td class='base'><hr />$Lang::tr{'upload a certificate >> request'}</td> >> - <td class='base' rowspan='3' valign='middle'><input >> type='file' name='FH' size='30' $cacrtdisabled /></td></tr> >> - <tr><td><input type='radio' name='AUTH' value='certfile' >> $checked{'AUTH'}{'certfile'} $cacrtdisabled /></td> >> - <td class='base'>$Lang::tr{'upload a >> certificate'}</td></tr> >> - <tr><td><input type='radio' name='AUTH' value='pkcs12' >> $cacrtdisabled /></td> >> - <td class='base'>$Lang::tr{'upload p12 file'} >> $Lang::tr{'pkcs12 file password'}:<input type='password' >> name='P12_PASS'/></td></tr> >> - <tr><td><input type='radio' name='AUTH' value='auth-dn' >> $checked{'AUTH'}{'auth-dn'} $cacrtdisabled /></td> >> - <td class='base'><hr />$Lang::tr{'vpn auth >> -dn'}</td></tr> >> - <tr><td colspan='3' bgcolor='#000000'></td></tr> >> - <tr><td><input type='radio' name='AUTH' value='certgen' >> $checked{'AUTH'}{'certgen'} $cakeydisabled /></td> >> - <td class='base'><hr />$Lang::tr{'generate a >> certificate'}</td><td> </td></tr> >> - <tr><td> </td> >> - <td class='base'>$Lang::tr{'users fullname or system >> hostname'}: <img src='/blob.gif' alt='*' /></td> >> - <td class='base' nowrap='nowrap'><input type='text' >> name='CERT_NAME' value='$cgiparams{'CERT_NAME'}' size='32' >> $cakeydisabled /></td></tr> >> - <tr><td> </td> >> - <td class='base'>$Lang::tr{'users email'}:</td> >> - <td class='base' nowrap='nowrap'><input type='text' >> name='CERT_EMAIL' value='$cgiparams{'CERT_EMAIL'}' size='32' >> $cakeydisabled /></td></tr> >> - <tr><td> </td> >> - <td class='base'>$Lang::tr{'users department'}:</td> >> - <td class='base' nowrap='nowrap'><input type='text' >> name='CERT_OU' value='$cgiparams{'CERT_OU'}' size='32' $cakeydisabled >> /></td></tr> >> - <tr><td> </td> >> - <td class='base'>$Lang::tr{'organization name'}:</td> >> - <td class='base' nowrap='nowrap'><input type='text' >> name='CERT_ORGANIZATION' value='$cgiparams{'CERT_ORGANIZATION'}' >> size='32' $cakeydisabled /></td></tr> >> - <tr><td> </td> >> - <td class='base'>$Lang::tr{'city'}:</td> >> - <td class='base' nowrap='nowrap'><input type='text' >> name='CERT_CITY' value='$cgiparams{'CERT_CITY'}' size='32' >> $cakeydisabled /></td></tr> >> - <tr><td> </td> >> - <td class='base'>$Lang::tr{'state or province'}:</td> >> - <td class='base' nowrap='nowrap'><input type='text' >> name='CERT_STATE' value='$cgiparams{'CERT_STATE'}' size='32' >> $cakeydisabled /></td></tr> >> - <tr><td> </td> >> - <td class='base'>$Lang::tr{'country'}:</td> >> - <td class='base'><select name='CERT_COUNTRY' >> $cakeydisabled> >> + if ($cgiparams{'KEY'} && $cgiparams{'AUTH'} eq 'psk') { >> + &Header::openbox('100%', 'left', >> $Lang::tr{'authentication'}); >> + print <<END >> + <table width='100%' cellpadding='0' cellspacing='5' >> border='0'> >> + <tr><td class='base' width='50%'>$Lang::tr{'use a >> pre-shared key'}</td> >> + <td class='base' width='50%'><input >> type='password' name='PSK' size='30' value='$cgiparams{'PSK'}' >> /></td> >> + </tr> >> + </table> >> END >> - ; >> - foreach my $country (sort keys %{Countries::countries}) { >> - print "\t\t\t<option >> value='$Countries::countries{$country}'"; >> - if ( $Countries::countries{$country} eq >> $cgiparams{'CERT_COUNTRY'} ) { >> - print " selected='selected'"; >> - } >> - print ">$country</option>\n"; >> +; >> + &Header::closebox(); >> + } elsif (! $cgiparams{'KEY'}) { >> + my $cakeydisabled = ( ! -f >> "${General::swroot}/private/cakey.pem" ) ? "disabled='disabled'" : >> ''; >> + $cgiparams{'CERT_NAME'} = $Lang::tr{'vpn no full >> pki'} if ($cakeydisabled); >> + my $cacrtdisabled = ( ! -f >> "${General::swroot}/ca/cacert.pem" ) ? "disabled='disabled'" : ''; >> + >> + &Header::openbox('100%', 'left', >> $Lang::tr{'authentication'}); >> + print <<END >> + <table width='100%' cellpadding='0' cellspacing='5' >> border='0'> >> + <tr><td width='5%'><input type='radio' name='AUTH' >> value='psk' $checked{'AUTH'}{'psk'} /></td> >> + <td class='base' width='55%'>$Lang::tr{'use >> a pre-shared key'}</td> >> + <td class='base' width='40%'><input >> type='password' name='PSK' size='30' value='$cgiparams{'PSK'}' >> /></td></tr> >> + <tr><td colspan='3' bgcolor='#000000'></td></tr> >> + <tr><td><input type='radio' name='AUTH' >> value='certreq' $checked{'AUTH'}{'certreq'} $cakeydisabled /></td> >> + <td class='base'><hr />$Lang::tr{'upload a >> certificate request'}</td> >> + <td class='base' rowspan='3' >> valign='middle'><input type='file' name='FH' size='30' $cacrtdisabled >> /></td></tr> >> + <tr><td><input type='radio' name='AUTH' >> value='certfile' $checked{'AUTH'}{'certfile'} $cacrtdisabled /></td> >> + <td class='base'>$Lang::tr{'upload a >> certificate'}</td></tr> >> + <tr><td><input type='radio' name='AUTH' >> value='pkcs12' $cacrtdisabled /></td> >> + <td class='base'>$Lang::tr{'upload p12 >> file'} $Lang::tr{'pkcs12 file password'}:<input type='password' >> name='P12_PASS'/></td></tr> >> + <tr><td><input type='radio' name='AUTH' value='auth >> -dn' $checked{'AUTH'}{'auth-dn'} $cacrtdisabled /></td> >> + <td class='base'><hr />$Lang::tr{'vpn auth >> -dn'}</td></tr> >> + <tr><td colspan='3' bgcolor='#000000'></td></tr> >> + <tr><td><input type='radio' name='AUTH' >> value='certgen' $checked{'AUTH'}{'certgen'} $cakeydisabled /></td> >> + <td class='base'><hr />$Lang::tr{'generate a >> certificate'}</td><td> </td></tr> >> + <tr><td> </td> >> + <td class='base'>$Lang::tr{'users fullname >> or system hostname'}: <img src='/blob.gif' alt='*' /></td> >> + <td class='base' nowrap='nowrap'><input >> type='text' name='CERT_NAME' value='$cgiparams{'CERT_NAME'}' >> size='32' $cakeydisabled /></td></tr> >> + <tr><td> </td> >> + <td class='base'>$Lang::tr{'users >> email'}:</td> >> + <td class='base' nowrap='nowrap'><input >> type='text' name='CERT_EMAIL' value='$cgiparams{'CERT_EMAIL'}' >> size='32' $cakeydisabled /></td></tr> >> + <tr><td> </td> >> + <td class='base'>$Lang::tr{'users >> department'}:</td> >> + <td class='base' nowrap='nowrap'><input >> type='text' name='CERT_OU' value='$cgiparams{'CERT_OU'}' size='32' >> $cakeydisabled /></td></tr> >> + <tr><td> </td> >> + <td class='base'>$Lang::tr{'organization >> name'}:</td> >> + <td class='base' nowrap='nowrap'><input >> type='text' name='CERT_ORGANIZATION' >> value='$cgiparams{'CERT_ORGANIZATION'}' size='32' $cakeydisabled >> /></td></tr> >> + <tr><td> </td> >> + <td class='base'>$Lang::tr{'city'}:</td> >> + <td class='base' nowrap='nowrap'><input >> type='text' name='CERT_CITY' value='$cgiparams{'CERT_CITY'}' >> size='32' $cakeydisabled /></td></tr> >> + <tr><td> </td> >> + <td class='base'>$Lang::tr{'state or >> province'}:</td> >> + <td class='base' nowrap='nowrap'><input >> type='text' name='CERT_STATE' value='$cgiparams{'CERT_STATE'}' >> size='32' $cakeydisabled /></td></tr> >> + <tr><td> </td> >> + <td class='base'>$Lang::tr{'country'}:</td> >> + <td class='base'><select name='CERT_COUNTRY' >> $cakeydisabled> >> +END >> +; >> + foreach my $country (sort keys >> %{Countries::countries}) { >> + print "\t\t\t<option >> value='$Countries::countries{$country}'"; >> + if ( $Countries::countries{$country} eq >> $cgiparams{'CERT_COUNTRY'} ) { >> + print " selected='selected'"; >> + } >> + print ">$country</option>\n"; >> + } >> + print <<END >> + </select></td></tr> >> + >> + <tr><td> </td><td class='base'>$Lang::tr{'vpn >> subjectaltname'} (subjectAltName=email:*,URI:*,DNS:*,RID:*)</td> >> + <td class='base' nowrap='nowrap'><input >> type='text' name='SUBJECTALTNAME' >> value='$cgiparams{'SUBJECTALTNAME'}' size='32' $cakeydisabled >> /></td></tr> >> + <tr><td> </td> >> + <td class='base'>$Lang::tr{'pkcs12 file >> password'}: <img src='/blob.gif' alt='*' /></td> >> + <td class='base' nowrap='nowrap'><input >> type='password' name='CERT_PASS1' value='$cgiparams{'CERT_PASS1'}' >> size='32' $cakeydisabled /></td></tr> >> + <tr><td> </td><td >> class='base'>$Lang::tr{'pkcs12 file >> password'} ($Lang::tr{'confirmation'}): <img >> src='/blob.gif' alt='*' /></td> >> + <td class='base' nowrap='nowrap'><input >> type='password' name='CERT_PASS2' value='$cgiparams{'CERT_PASS2'}' >> size='32' $cakeydisabled /></td></tr> >> + </table> >> +END >> +; >> + &Header::closebox(); >> } >> - print <<END >> - </select></td></tr> >> >> - <tr><td> </td><td class='base'>$Lang::tr{'vpn >> subjectaltname'} (subjectAltName=email:*,URI:*,DNS:*,RID:*)</td> >> - <td class='base' nowrap='nowrap'><input type='text' >> name='SUBJECTALTNAME' value='$cgiparams{'SUBJECTALTNAME'}' size='32' >> $cakeydisabled /></td></tr> >> - <tr><td> </td> >> - <td class='base'>$Lang::tr{'pkcs12 file >> password'}: <img src='/blob.gif' alt='*' /></td> >> - <td class='base' nowrap='nowrap'><input type='password' >> name='CERT_PASS1' value='$cgiparams{'CERT_PASS1'}' size='32' >> $cakeydisabled /></td></tr> >> - <tr><td> </td><td class='base'>$Lang::tr{'pkcs12 file >> password'} ($Lang::tr{'confirmation'}): <img >> src='/blob.gif' alt='*' /></td> >> - <td class='base' nowrap='nowrap'><input type='password' >> name='CERT_PASS2' value='$cgiparams{'CERT_PASS2'}' size='32' >> $cakeydisabled /></td></tr> >> - </table> >> -END >> - ; >> - &Header::closebox(); >> - } >> - >> - print "<div align='center'><input type='submit' name='ACTION' >> value='$Lang::tr{'save'}' />"; >> - if ($cgiparams{'KEY'}) { >> - print "<input type='submit' name='ACTION' >> value='$Lang::tr{'advanced'}' />"; >> - } >> - print "<input type='submit' name='ACTION' >> value='$Lang::tr{'cancel'}' /></div></form>"; >> - &Header::closebigbox(); >> - &Header::closepage(); >> - exit (0); >> - >> - VPNCONF_END: >> + print "<div align='center'><input type='submit' >> name='ACTION' value='$Lang::tr{'save'}' />"; >> + if ($cgiparams{'KEY'}) { >> + print "<input type='submit' name='ACTION' >> value='$Lang::tr{'advanced'}' />"; >> + } >> + print "<input type='submit' name='ACTION' >> value='$Lang::tr{'cancel'}' /></div></form>"; >> + &Header::closebigbox(); >> + &Header::closepage(); >> + exit (0); >> + >> + VPNCONF_END: >> } >> >> ### >> @@ -2115,291 +2113,288 @@ END >> ### >> if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) || >> ($cgiparams{'ACTION'} eq $Lang::tr{'save'} && >> $cgiparams{'ADVANCED'} eq 'yes')) { >> - &General::readhash("${General::swroot}/vpn/settings", >> \%vpnsettings); >> - &General::readhasharray("${General::swroot}/vpn/config", >> \%confighash); >> - if (! $confighash{$cgiparams{'KEY'}}) { >> - $errormessage = $Lang::tr{'invalid key'}; >> - goto ADVANCED_END; >> - } >> - >> - if ($cgiparams{'ACTION'} eq $Lang::tr{'save'}) { >> - my @temp = split('\|', $cgiparams{'IKE_ENCRYPTION'}); >> - if ($#temp < 0) { >> - $errormessage = $Lang::tr{'invalid input'}; >> - goto ADVANCED_ERROR; >> - } >> - foreach my $val (@temp) { >> - if ($val !~ >> /^(aes(256|192|128)(gcm(128|96|64))?|3des|camellia(256|192|128))$/) { >> - $errormessage = $Lang::tr{'invalid input'}; >> - goto ADVANCED_ERROR; >> - } >> + &General::readhash("${General::swroot}/vpn/settings", >> \%vpnsettings); >> + &General::readhasharray("${General::swroot}/vpn/config", >> \%confighash); >> + if (! $confighash{$cgiparams{'KEY'}}) { >> + $errormessage = $Lang::tr{'invalid key'}; >> + goto ADVANCED_END; >> + } >> + >> + if ($cgiparams{'ACTION'} eq $Lang::tr{'save'}) { >> + my @temp = split('\|', >> $cgiparams{'IKE_ENCRYPTION'}); >> + if ($#temp < 0) { >> + $errormessage = $Lang::tr{'invalid input'}; >> + goto ADVANCED_ERROR; >> + } >> + foreach my $val (@temp) { >> + if ($val !~ >> /^(aes(256|192|128)(gcm(128|96|64))?|3des|camellia(256|192|128))$/) { >> + $errormessage = $Lang::tr{'invalid >> input'}; >> + goto ADVANCED_ERROR; >> + } >> + } >> + @temp = split('\|', $cgiparams{'IKE_INTEGRITY'}); >> + if ($#temp < 0) { >> + $errormessage = $Lang::tr{'invalid input'}; >> + goto ADVANCED_ERROR; >> + } >> + foreach my $val (@temp) { >> + if ($val !~ >> /^(sha2_(512|384|256)|sha|md5|aesxcbc)$/) { >> + $errormessage = $Lang::tr{'invalid >> input'}; >> + goto ADVANCED_ERROR; >> + } >> + } >> + @temp = split('\|', $cgiparams{'IKE_GROUPTYPE'}); >> + if ($#temp < 0) { >> + $errormessage = $Lang::tr{'invalid input'}; >> + goto ADVANCED_ERROR; >> + } >> + foreach my $val (@temp) { >> + if ($val !~ >> /^(e521|e384|e256|e224|e192|e512bp|e384bp|e256bp|e224bp|1024|1536|204 >> 8|2048s256|2048s224|2048s160|3072|4096|6144|8192)$/) { >> + $errormessage = $Lang::tr{'invalid >> input'}; >> + goto ADVANCED_ERROR; >> + } >> + } >> + if ($cgiparams{'IKE_LIFETIME'} !~ /^\d+$/) { >> + $errormessage = $Lang::tr{'invalid input for >> ike lifetime'}; >> + goto ADVANCED_ERROR; >> + } >> + if ($cgiparams{'IKE_LIFETIME'} < 1 || >> $cgiparams{'IKE_LIFETIME'} > 8) { >> + $errormessage = $Lang::tr{'ike lifetime >> should be between 1 and 8 hours'}; >> + goto ADVANCED_ERROR; >> + } >> + @temp = split('\|', $cgiparams{'ESP_ENCRYPTION'}); >> + if ($#temp < 0) { >> + $errormessage = $Lang::tr{'invalid input'}; >> + goto ADVANCED_ERROR; >> + } >> + foreach my $val (@temp) { >> + if ($val !~ >> /^(aes(256|192|128)(gcm(128|96|64))?|3des|camellia(256|192|128))$/) { >> + $errormessage = $Lang::tr{'invalid >> input'}; >> + goto ADVANCED_ERROR; >> + } >> + } >> + @temp = split('\|', $cgiparams{'ESP_INTEGRITY'}); >> + if ($#temp < 0) { >> + $errormessage = $Lang::tr{'invalid input'}; >> + goto ADVANCED_ERROR; >> + } >> + foreach my $val (@temp) { >> + if ($val !~ >> /^(sha2_(512|384|256)|sha1|md5|aesxcbc)$/) { >> + $errormessage = $Lang::tr{'invalid >> input'}; >> + goto ADVANCED_ERROR; >> + } >> + } >> + @temp = split('\|', $cgiparams{'ESP_GROUPTYPE'}); >> + if ($#temp < 0) { >> + $errormessage = $Lang::tr{'invalid input'}; >> + goto ADVANCED_ERROR; >> + } >> + foreach my $val (@temp) { >> + if ($val !~ >> /^(e521|e384|e256|e224|e192|e512bp|e384bp|e256bp|e224bp|1024|1536|204 >> 8|2048s256|2048s224|2048s160|3072|4096|6144|8192|none)$/) { >> + $errormessage = $Lang::tr{'invalid >> input'}; >> + goto ADVANCED_ERROR; >> + } >> + } >> + if ($cgiparams{'ESP_KEYLIFE'} !~ /^\d+$/) { >> + $errormessage = $Lang::tr{'invalid input for >> esp keylife'}; >> + goto ADVANCED_ERROR; >> + } >> + if ($cgiparams{'ESP_KEYLIFE'} < 1 || >> $cgiparams{'ESP_KEYLIFE'} > 24) { >> + $errormessage = $Lang::tr{'esp keylife >> should be between 1 and 24 hours'}; >> + goto ADVANCED_ERROR; >> + } >> + >> + if (($cgiparams{'COMPRESSION'} !~ /^(|on|off)$/) || >> + ($cgiparams{'FORCE_MOBIKE'} !~ >> /^(|on|off)$/) || >> + ($cgiparams{'ONLY_PROPOSED'} !~ >> /^(|on|off)$/) || >> + ($cgiparams{'PFS'} !~ /^(|on|off)$/)) { >> + $errormessage = $Lang::tr{'invalid input'}; >> + goto ADVANCED_ERROR; >> + } >> + >> + if ($cgiparams{'DPD_DELAY'} !~ /^\d+$/) { >> + $errormessage = $Lang::tr{'invalid input for >> dpd delay'}; >> + goto ADVANCED_ERROR; >> + } >> + >> + if ($cgiparams{'DPD_TIMEOUT'} !~ /^\d+$/) { >> + $errormessage = $Lang::tr{'invalid input for >> dpd timeout'}; >> + goto ADVANCED_ERROR; >> + } >> + >> + $confighash{$cgiparams{'KEY'}}[29] = >> $cgiparams{'IKE_VERSION'}; >> + $confighash{$cgiparams{'KEY'}}[18] = >> $cgiparams{'IKE_ENCRYPTION'}; >> + $confighash{$cgiparams{'KEY'}}[19] = >> $cgiparams{'IKE_INTEGRITY'}; >> + $confighash{$cgiparams{'KEY'}}[20] = >> $cgiparams{'IKE_GROUPTYPE'}; >> + $confighash{$cgiparams{'KEY'}}[16] = >> $cgiparams{'IKE_LIFETIME'}; >> + $confighash{$cgiparams{'KEY'}}[21] = >> $cgiparams{'ESP_ENCRYPTION'}; >> + $confighash{$cgiparams{'KEY'}}[22] = >> $cgiparams{'ESP_INTEGRITY'}; >> + $confighash{$cgiparams{'KEY'}}[23] = >> $cgiparams{'ESP_GROUPTYPE'}; >> + $confighash{$cgiparams{'KEY'}}[17] = >> $cgiparams{'ESP_KEYLIFE'}; >> + $confighash{$cgiparams{'KEY'}}[12] = 'off'; >> #$cgiparams{'AGGRMODE'}; >> + $confighash{$cgiparams{'KEY'}}[13] = >> $cgiparams{'COMPRESSION'}; >> + $confighash{$cgiparams{'KEY'}}[24] = >> $cgiparams{'ONLY_PROPOSED'}; >> + $confighash{$cgiparams{'KEY'}}[28] = >> $cgiparams{'PFS'}; >> + $confighash{$cgiparams{'KEY'}}[27] = >> $cgiparams{'DPD_ACTION'}; >> + $confighash{$cgiparams{'KEY'}}[30] = >> $cgiparams{'DPD_TIMEOUT'}; >> + $confighash{$cgiparams{'KEY'}}[31] = >> $cgiparams{'DPD_DELAY'}; >> + $confighash{$cgiparams{'KEY'}}[32] = >> $cgiparams{'FORCE_MOBIKE'}; >> + &General::writehasharray("${General::swroot}/vpn/con >> fig", \%confighash); >> + &writeipsecfiles(); >> + if (&vpnenabled) { >> + system('/usr/local/bin/ipsecctrl', 'S', >> $cgiparams{'KEY'}); >> + sleep $sleepDelay; >> + } >> + goto ADVANCED_END; >> + } else { >> + $cgiparams{'IKE_VERSION'} = >> $confighash{$cgiparams{'KEY'}}[29]; >> + $cgiparams{'IKE_ENCRYPTION'} = >> $confighash{$cgiparams{'KEY'}}[18]; >> + $cgiparams{'IKE_INTEGRITY'} = >> $confighash{$cgiparams{'KEY'}}[19]; >> + $cgiparams{'IKE_GROUPTYPE'} = >> $confighash{$cgiparams{'KEY'}}[20]; >> + $cgiparams{'IKE_LIFETIME'} = >> $confighash{$cgiparams{'KEY'}}[16]; >> + $cgiparams{'ESP_ENCRYPTION'} = >> $confighash{$cgiparams{'KEY'}}[21]; >> + $cgiparams{'ESP_INTEGRITY'} = >> $confighash{$cgiparams{'KEY'}}[22]; >> + $cgiparams{'ESP_GROUPTYPE'} = >> $confighash{$cgiparams{'KEY'}}[23]; >> + if ($cgiparams{'ESP_GROUPTYPE'} eq "") { >> + $cgiparams{'ESP_GROUPTYPE'} = >> $cgiparams{'IKE_GROUPTYPE'}; >> + } >> + $cgiparams{'ESP_KEYLIFE'} = >> $confighash{$cgiparams{'KEY'}}[17]; >> + $cgiparams{'COMPRESSION'} = >> $confighash{$cgiparams{'KEY'}}[13]; >> + $cgiparams{'ONLY_PROPOSED'} = >> $confighash{$cgiparams{'KEY'}}[24]; >> + $cgiparams{'PFS'} = >> $confighash{$cgiparams{'KEY'}}[28]; >> + $cgiparams{'DPD_ACTION'} = >> $confighash{$cgiparams{'KEY'}}[27]; >> + $cgiparams{'DPD_TIMEOUT'} = >> $confighash{$cgiparams{'KEY'}}[30]; >> + $cgiparams{'DPD_DELAY'} = >> $confighash{$cgiparams{'KEY'}}[31]; >> + $cgiparams{'FORCE_MOBIKE'} = >> $confighash{$cgiparams{'KEY'}}[32]; >> + >> + if (!$cgiparams{'DPD_DELAY'}) { >> + $cgiparams{'DPD_DELAY'} = 30; >> + } >> + >> + if (!$cgiparams{'DPD_TIMEOUT'}) { >> + $cgiparams{'DPD_TIMEOUT'} = 120; >> + } >> } >> + >> + ADVANCED_ERROR: >> + $checked{'IKE_ENCRYPTION'}{'aes256'} = ''; >> + $checked{'IKE_ENCRYPTION'}{'aes192'} = ''; >> + $checked{'IKE_ENCRYPTION'}{'aes128'} = ''; >> + $checked{'IKE_ENCRYPTION'}{'aes256gcm128'} = ''; >> + $checked{'IKE_ENCRYPTION'}{'aes192gcm128'} = ''; >> + $checked{'IKE_ENCRYPTION'}{'aes128gcm128'} = ''; >> + $checked{'IKE_ENCRYPTION'}{'aes256gcm96'} = ''; >> + $checked{'IKE_ENCRYPTION'}{'aes192gcm96'} = ''; >> + $checked{'IKE_ENCRYPTION'}{'aes128gcm96'} = ''; >> + $checked{'IKE_ENCRYPTION'}{'aes256gcm64'} = ''; >> + $checked{'IKE_ENCRYPTION'}{'aes192gcm64'} = ''; >> + $checked{'IKE_ENCRYPTION'}{'aes128gcm64'} = ''; >> + $checked{'IKE_ENCRYPTION'}{'3des'} = ''; >> + $checked{'IKE_ENCRYPTION'}{'camellia256'} = ''; >> + $checked{'IKE_ENCRYPTION'}{'camellia192'} = ''; >> + $checked{'IKE_ENCRYPTION'}{'camellia128'} = ''; >> + my @temp = split('\|', $cgiparams{'IKE_ENCRYPTION'}); >> + foreach my $key (@temp) {$checked{'IKE_ENCRYPTION'}{$key} = >> "selected='selected'"; } >> + $checked{'IKE_INTEGRITY'}{'sha2_512'} = ''; >> + $checked{'IKE_INTEGRITY'}{'sha2_384'} = ''; >> + $checked{'IKE_INTEGRITY'}{'sha2_256'} = ''; >> + $checked{'IKE_INTEGRITY'}{'sha'} = ''; >> + $checked{'IKE_INTEGRITY'}{'md5'} = ''; >> + $checked{'IKE_INTEGRITY'}{'aesxcbc'} = ''; >> @temp = split('\|', $cgiparams{'IKE_INTEGRITY'}); >> - if ($#temp < 0) { >> - $errormessage = $Lang::tr{'invalid input'}; >> - goto ADVANCED_ERROR; >> - } >> - foreach my $val (@temp) { >> - if ($val !~ /^(sha2_(512|384|256)|sha|md5|aesxcbc)$/) { >> - $errormessage = $Lang::tr{'invalid input'}; >> - goto ADVANCED_ERROR; >> - } >> - } >> + foreach my $key (@temp) {$checked{'IKE_INTEGRITY'}{$key} = >> "selected='selected'"; } >> + $checked{'IKE_GROUPTYPE'}{'768'} = ''; >> + $checked{'IKE_GROUPTYPE'}{'1024'} = ''; >> + $checked{'IKE_GROUPTYPE'}{'1536'} = ''; >> + $checked{'IKE_GROUPTYPE'}{'2048'} = ''; >> + $checked{'IKE_GROUPTYPE'}{'3072'} = ''; >> + $checked{'IKE_GROUPTYPE'}{'4096'} = ''; >> + $checked{'IKE_GROUPTYPE'}{'6144'} = ''; >> + $checked{'IKE_GROUPTYPE'}{'8192'} = ''; >> @temp = split('\|', $cgiparams{'IKE_GROUPTYPE'}); >> - if ($#temp < 0) { >> - $errormessage = $Lang::tr{'invalid input'}; >> - goto ADVANCED_ERROR; >> - } >> - foreach my $val (@temp) { >> - if ($val !~ >> /^(e521|e384|e256|e224|e192|e512bp|e384bp|e256bp|e224bp|1024|1536|204 >> 8|2048s256|2048s224|2048s160|3072|4096|6144|8192)$/) { >> - $errormessage = $Lang::tr{'invalid input'}; >> - goto ADVANCED_ERROR; >> - } >> - } >> - if ($cgiparams{'IKE_LIFETIME'} !~ /^\d+$/) { >> - $errormessage = $Lang::tr{'invalid input for ike >> lifetime'}; >> - goto ADVANCED_ERROR; >> - } >> - if ($cgiparams{'IKE_LIFETIME'} < 1 || >> $cgiparams{'IKE_LIFETIME'} > 8) { >> - $errormessage = $Lang::tr{'ike lifetime should be >> between 1 and 8 hours'}; >> - goto ADVANCED_ERROR; >> - } >> + foreach my $key (@temp) {$checked{'IKE_GROUPTYPE'}{$key} = >> "selected='selected'"; } >> + >> + # 768 is not supported by strongswan >> + $checked{'IKE_GROUPTYPE'}{'768'} = ''; >> + >> + $checked{'ESP_ENCRYPTION'}{'aes256'} = ''; >> + $checked{'ESP_ENCRYPTION'}{'aes192'} = ''; >> + $checked{'ESP_ENCRYPTION'}{'aes128'} = ''; >> + $checked{'ESP_ENCRYPTION'}{'aes256gcm128'} = ''; >> + $checked{'ESP_ENCRYPTION'}{'aes192gcm128'} = ''; >> + $checked{'ESP_ENCRYPTION'}{'aes128gcm128'} = ''; >> + $checked{'ESP_ENCRYPTION'}{'aes256gcm96'} = ''; >> + $checked{'ESP_ENCRYPTION'}{'aes192gcm96'} = ''; >> + $checked{'ESP_ENCRYPTION'}{'aes128gcm96'} = ''; >> + $checked{'ESP_ENCRYPTION'}{'aes256gcm64'} = ''; >> + $checked{'ESP_ENCRYPTION'}{'aes192gcm64'} = ''; >> + $checked{'ESP_ENCRYPTION'}{'aes128gcm64'} = ''; >> + $checked{'ESP_ENCRYPTION'}{'3des'} = ''; >> + $checked{'ESP_ENCRYPTION'}{'camellia256'} = ''; >> + $checked{'ESP_ENCRYPTION'}{'camellia192'} = ''; >> + $checked{'ESP_ENCRYPTION'}{'camellia128'} = ''; >> @temp = split('\|', $cgiparams{'ESP_ENCRYPTION'}); >> - if ($#temp < 0) { >> - $errormessage = $Lang::tr{'invalid input'}; >> - goto ADVANCED_ERROR; >> - } >> - foreach my $val (@temp) { >> - if ($val !~ >> /^(aes(256|192|128)(gcm(128|96|64))?|3des|camellia(256|192|128))$/) { >> - $errormessage = $Lang::tr{'invalid input'}; >> - goto ADVANCED_ERROR; >> - } >> - } >> + foreach my $key (@temp) {$checked{'ESP_ENCRYPTION'}{$key} = >> "selected='selected'"; } >> + $checked{'ESP_INTEGRITY'}{'sha2_512'} = ''; >> + $checked{'ESP_INTEGRITY'}{'sha2_384'} = ''; >> + $checked{'ESP_INTEGRITY'}{'sha2_256'} = ''; >> + $checked{'ESP_INTEGRITY'}{'sha1'} = ''; >> + $checked{'ESP_INTEGRITY'}{'md5'} = ''; >> + $checked{'ESP_INTEGRITY'}{'aesxcbc'} = ''; >> @temp = split('\|', $cgiparams{'ESP_INTEGRITY'}); >> - if ($#temp < 0) { >> - $errormessage = $Lang::tr{'invalid input'}; >> - goto ADVANCED_ERROR; >> - } >> - foreach my $val (@temp) { >> - if ($val !~ /^(sha2_(512|384|256)|sha1|md5|aesxcbc)$/) { >> - $errormessage = $Lang::tr{'invalid input'}; >> - goto ADVANCED_ERROR; >> - } >> - } >> + foreach my $key (@temp) {$checked{'ESP_INTEGRITY'}{$key} = >> "selected='selected'"; } >> + $checked{'ESP_GROUPTYPE'}{'768'} = ''; >> + $checked{'ESP_GROUPTYPE'}{'1024'} = ''; >> + $checked{'ESP_GROUPTYPE'}{'1536'} = ''; >> + $checked{'ESP_GROUPTYPE'}{'2048'} = ''; >> + $checked{'ESP_GROUPTYPE'}{'3072'} = ''; >> + $checked{'ESP_GROUPTYPE'}{'4096'} = ''; >> + $checked{'ESP_GROUPTYPE'}{'6144'} = ''; >> + $checked{'ESP_GROUPTYPE'}{'8192'} = ''; >> + $checked{'ESP_GROUPTYPE'}{'none'} = ''; >> @temp = split('\|', $cgiparams{'ESP_GROUPTYPE'}); >> - if ($#temp < 0) { >> - $errormessage = $Lang::tr{'invalid input'}; >> - goto ADVANCED_ERROR; >> - } >> - foreach my $val (@temp) { >> - if ($val !~ >> /^(e521|e384|e256|e224|e192|e512bp|e384bp|e256bp|e224bp|1024|1536|204 >> 8|2048s256|2048s224|2048s160|3072|4096|6144|8192|none)$/) { >> - $errormessage = $Lang::tr{'invalid input'}; >> - goto ADVANCED_ERROR; >> - } >> - } >> - if ($cgiparams{'ESP_KEYLIFE'} !~ /^\d+$/) { >> - $errormessage = $Lang::tr{'invalid input for esp >> keylife'}; >> - goto ADVANCED_ERROR; >> - } >> - if ($cgiparams{'ESP_KEYLIFE'} < 1 || >> $cgiparams{'ESP_KEYLIFE'} > 24) { >> - $errormessage = $Lang::tr{'esp keylife should be between >> 1 and 24 hours'}; >> - goto ADVANCED_ERROR; >> - } >> - >> - if ( >> - ($cgiparams{'COMPRESSION'} !~ /^(|on|off)$/) || >> - ($cgiparams{'FORCE_MOBIKE'} !~ /^(|on|off)$/) || >> - ($cgiparams{'ONLY_PROPOSED'} !~ /^(|on|off)$/) || >> - ($cgiparams{'PFS'} !~ /^(|on|off)$/) >> - ){ >> - $errormessage = $Lang::tr{'invalid input'}; >> - goto ADVANCED_ERROR; >> - } >> - >> - if ($cgiparams{'DPD_DELAY'} !~ /^\d+$/) { >> - $errormessage = $Lang::tr{'invalid input for dpd >> delay'}; >> - goto ADVANCED_ERROR; >> - } >> - >> - if ($cgiparams{'DPD_TIMEOUT'} !~ /^\d+$/) { >> - $errormessage = $Lang::tr{'invalid input for dpd >> timeout'}; >> - goto ADVANCED_ERROR; >> - } >> - >> - $confighash{$cgiparams{'KEY'}}[29] = >> $cgiparams{'IKE_VERSION'}; >> - $confighash{$cgiparams{'KEY'}}[18] = >> $cgiparams{'IKE_ENCRYPTION'}; >> - $confighash{$cgiparams{'KEY'}}[19] = >> $cgiparams{'IKE_INTEGRITY'}; >> - $confighash{$cgiparams{'KEY'}}[20] = >> $cgiparams{'IKE_GROUPTYPE'}; >> - $confighash{$cgiparams{'KEY'}}[16] = >> $cgiparams{'IKE_LIFETIME'}; >> - $confighash{$cgiparams{'KEY'}}[21] = >> $cgiparams{'ESP_ENCRYPTION'}; >> - $confighash{$cgiparams{'KEY'}}[22] = >> $cgiparams{'ESP_INTEGRITY'}; >> - $confighash{$cgiparams{'KEY'}}[23] = >> $cgiparams{'ESP_GROUPTYPE'}; >> - $confighash{$cgiparams{'KEY'}}[17] = >> $cgiparams{'ESP_KEYLIFE'}; >> - $confighash{$cgiparams{'KEY'}}[12] = 'off'; >> #$cgiparams{'AGGRMODE'}; >> - $confighash{$cgiparams{'KEY'}}[13] = >> $cgiparams{'COMPRESSION'}; >> - $confighash{$cgiparams{'KEY'}}[24] = >> $cgiparams{'ONLY_PROPOSED'}; >> - $confighash{$cgiparams{'KEY'}}[28] = $cgiparams{'PFS'}; >> - $confighash{$cgiparams{'KEY'}}[27] = >> $cgiparams{'DPD_ACTION'}; >> - $confighash{$cgiparams{'KEY'}}[30] = >> $cgiparams{'DPD_TIMEOUT'}; >> - $confighash{$cgiparams{'KEY'}}[31] = >> $cgiparams{'DPD_DELAY'}; >> - $confighash{$cgiparams{'KEY'}}[32] = >> $cgiparams{'FORCE_MOBIKE'}; >> - &General::writehasharray("${General::swroot}/vpn/config", >> \%confighash); >> - &writeipsecfiles(); >> - if (&vpnenabled) { >> - system('/usr/local/bin/ipsecctrl', 'S', >> $cgiparams{'KEY'}); >> - sleep $sleepDelay; >> - } >> - goto ADVANCED_END; >> - } else { >> - $cgiparams{'IKE_VERSION'} = >> $confighash{$cgiparams{'KEY'}}[29]; >> - $cgiparams{'IKE_ENCRYPTION'} = >> $confighash{$cgiparams{'KEY'}}[18]; >> - $cgiparams{'IKE_INTEGRITY'} = >> $confighash{$cgiparams{'KEY'}}[19]; >> - $cgiparams{'IKE_GROUPTYPE'} = >> $confighash{$cgiparams{'KEY'}}[20]; >> - $cgiparams{'IKE_LIFETIME'} = >> $confighash{$cgiparams{'KEY'}}[16]; >> - $cgiparams{'ESP_ENCRYPTION'} = >> $confighash{$cgiparams{'KEY'}}[21]; >> - $cgiparams{'ESP_INTEGRITY'} = >> $confighash{$cgiparams{'KEY'}}[22]; >> - $cgiparams{'ESP_GROUPTYPE'} = >> $confighash{$cgiparams{'KEY'}}[23]; >> - if ($cgiparams{'ESP_GROUPTYPE'} eq "") { >> - $cgiparams{'ESP_GROUPTYPE'} = >> $cgiparams{'IKE_GROUPTYPE'}; >> - } >> - $cgiparams{'ESP_KEYLIFE'} = >> $confighash{$cgiparams{'KEY'}}[17]; >> - $cgiparams{'COMPRESSION'} = >> $confighash{$cgiparams{'KEY'}}[13]; >> - $cgiparams{'ONLY_PROPOSED'} = >> $confighash{$cgiparams{'KEY'}}[24]; >> - $cgiparams{'PFS'} = >> $confighash{$cgiparams{'KEY'}}[28]; >> - $cgiparams{'DPD_ACTION'} = >> $confighash{$cgiparams{'KEY'}}[27]; >> - $cgiparams{'DPD_TIMEOUT'} = >> $confighash{$cgiparams{'KEY'}}[30]; >> - $cgiparams{'DPD_DELAY'} = >> $confighash{$cgiparams{'KEY'}}[31]; >> - $cgiparams{'FORCE_MOBIKE'} = >> $confighash{$cgiparams{'KEY'}}[32]; >> + foreach my $key (@temp) {$checked{'ESP_GROUPTYPE'}{$key} = >> "selected='selected'"; } >> >> - if (!$cgiparams{'DPD_DELAY'}) { >> - $cgiparams{'DPD_DELAY'} = 30; >> - } >> + $checked{'COMPRESSION'} = $cgiparams{'COMPRESSION'} eq 'on' >> ? "checked='checked'" : '' ; >> + $checked{'FORCE_MOBIKE'} = $cgiparams{'FORCE_MOBIKE'} eq >> 'on' ? "checked='checked'" : '' ; >> + $checked{'ONLY_PROPOSED'} = $cgiparams{'ONLY_PROPOSED'} eq >> 'on' ? "checked='checked'" : '' ; >> + $checked{'PFS'} = $cgiparams{'PFS'} eq 'on' ? >> "checked='checked'" : '' ; >> >> - if (!$cgiparams{'DPD_TIMEOUT'}) { >> - $cgiparams{'DPD_TIMEOUT'} = 120; >> - } >> + $selected{'IKE_VERSION'}{'ikev1'} = ''; >> + $selected{'IKE_VERSION'}{'ikev2'} = ''; >> + $selected{'IKE_VERSION'}{$cgiparams{'IKE_VERSION'}} = >> "selected='selected'"; >> >> - } >> - >> - ADVANCED_ERROR: >> - $checked{'IKE_ENCRYPTION'}{'aes256'} = ''; >> - $checked{'IKE_ENCRYPTION'}{'aes192'} = ''; >> - $checked{'IKE_ENCRYPTION'}{'aes128'} = ''; >> - $checked{'IKE_ENCRYPTION'}{'aes256gcm128'} = ''; >> - $checked{'IKE_ENCRYPTION'}{'aes192gcm128'} = ''; >> - $checked{'IKE_ENCRYPTION'}{'aes128gcm128'} = ''; >> - $checked{'IKE_ENCRYPTION'}{'aes256gcm96'} = ''; >> - $checked{'IKE_ENCRYPTION'}{'aes192gcm96'} = ''; >> - $checked{'IKE_ENCRYPTION'}{'aes128gcm96'} = ''; >> - $checked{'IKE_ENCRYPTION'}{'aes256gcm64'} = ''; >> - $checked{'IKE_ENCRYPTION'}{'aes192gcm64'} = ''; >> - $checked{'IKE_ENCRYPTION'}{'aes128gcm64'} = ''; >> - $checked{'IKE_ENCRYPTION'}{'3des'} = ''; >> - $checked{'IKE_ENCRYPTION'}{'camellia256'} = ''; >> - $checked{'IKE_ENCRYPTION'}{'camellia192'} = ''; >> - $checked{'IKE_ENCRYPTION'}{'camellia128'} = ''; >> - my @temp = split('\|', $cgiparams{'IKE_ENCRYPTION'}); >> - foreach my $key (@temp) {$checked{'IKE_ENCRYPTION'}{$key} = >> "selected='selected'"; } >> - $checked{'IKE_INTEGRITY'}{'sha2_512'} = ''; >> - $checked{'IKE_INTEGRITY'}{'sha2_384'} = ''; >> - $checked{'IKE_INTEGRITY'}{'sha2_256'} = ''; >> - $checked{'IKE_INTEGRITY'}{'sha'} = ''; >> - $checked{'IKE_INTEGRITY'}{'md5'} = ''; >> - $checked{'IKE_INTEGRITY'}{'aesxcbc'} = ''; >> - @temp = split('\|', $cgiparams{'IKE_INTEGRITY'}); >> - foreach my $key (@temp) {$checked{'IKE_INTEGRITY'}{$key} = >> "selected='selected'"; } >> - $checked{'IKE_GROUPTYPE'}{'768'} = ''; >> - $checked{'IKE_GROUPTYPE'}{'1024'} = ''; >> - $checked{'IKE_GROUPTYPE'}{'1536'} = ''; >> - $checked{'IKE_GROUPTYPE'}{'2048'} = ''; >> - $checked{'IKE_GROUPTYPE'}{'3072'} = ''; >> - $checked{'IKE_GROUPTYPE'}{'4096'} = ''; >> - $checked{'IKE_GROUPTYPE'}{'6144'} = ''; >> - $checked{'IKE_GROUPTYPE'}{'8192'} = ''; >> - @temp = split('\|', $cgiparams{'IKE_GROUPTYPE'}); >> - foreach my $key (@temp) {$checked{'IKE_GROUPTYPE'}{$key} = >> "selected='selected'"; } >> - >> - # 768 is not supported by strongswan >> - $checked{'IKE_GROUPTYPE'}{'768'} = ''; >> - >> - $checked{'ESP_ENCRYPTION'}{'aes256'} = ''; >> - $checked{'ESP_ENCRYPTION'}{'aes192'} = ''; >> - $checked{'ESP_ENCRYPTION'}{'aes128'} = ''; >> - $checked{'ESP_ENCRYPTION'}{'aes256gcm128'} = ''; >> - $checked{'ESP_ENCRYPTION'}{'aes192gcm128'} = ''; >> - $checked{'ESP_ENCRYPTION'}{'aes128gcm128'} = ''; >> - $checked{'ESP_ENCRYPTION'}{'aes256gcm96'} = ''; >> - $checked{'ESP_ENCRYPTION'}{'aes192gcm96'} = ''; >> - $checked{'ESP_ENCRYPTION'}{'aes128gcm96'} = ''; >> - $checked{'ESP_ENCRYPTION'}{'aes256gcm64'} = ''; >> - $checked{'ESP_ENCRYPTION'}{'aes192gcm64'} = ''; >> - $checked{'ESP_ENCRYPTION'}{'aes128gcm64'} = ''; >> - $checked{'ESP_ENCRYPTION'}{'3des'} = ''; >> - $checked{'ESP_ENCRYPTION'}{'camellia256'} = ''; >> - $checked{'ESP_ENCRYPTION'}{'camellia192'} = ''; >> - $checked{'ESP_ENCRYPTION'}{'camellia128'} = ''; >> - @temp = split('\|', $cgiparams{'ESP_ENCRYPTION'}); >> - foreach my $key (@temp) {$checked{'ESP_ENCRYPTION'}{$key} = >> "selected='selected'"; } >> - $checked{'ESP_INTEGRITY'}{'sha2_512'} = ''; >> - $checked{'ESP_INTEGRITY'}{'sha2_384'} = ''; >> - $checked{'ESP_INTEGRITY'}{'sha2_256'} = ''; >> - $checked{'ESP_INTEGRITY'}{'sha1'} = ''; >> - $checked{'ESP_INTEGRITY'}{'md5'} = ''; >> - $checked{'ESP_INTEGRITY'}{'aesxcbc'} = ''; >> - @temp = split('\|', $cgiparams{'ESP_INTEGRITY'}); >> - foreach my $key (@temp) {$checked{'ESP_INTEGRITY'}{$key} = >> "selected='selected'"; } >> - $checked{'ESP_GROUPTYPE'}{'768'} = ''; >> - $checked{'ESP_GROUPTYPE'}{'1024'} = ''; >> - $checked{'ESP_GROUPTYPE'}{'1536'} = ''; >> - $checked{'ESP_GROUPTYPE'}{'2048'} = ''; >> - $checked{'ESP_GROUPTYPE'}{'3072'} = ''; >> - $checked{'ESP_GROUPTYPE'}{'4096'} = ''; >> - $checked{'ESP_GROUPTYPE'}{'6144'} = ''; >> - $checked{'ESP_GROUPTYPE'}{'8192'} = ''; >> - $checked{'ESP_GROUPTYPE'}{'none'} = ''; >> - @temp = split('\|', $cgiparams{'ESP_GROUPTYPE'}); >> - foreach my $key (@temp) {$checked{'ESP_GROUPTYPE'}{$key} = >> "selected='selected'"; } >> - >> - $checked{'COMPRESSION'} = $cgiparams{'COMPRESSION'} eq 'on' ? >> "checked='checked'" : '' ; >> - $checked{'FORCE_MOBIKE'} = $cgiparams{'FORCE_MOBIKE'} eq 'on' ? >> "checked='checked'" : '' ; >> - $checked{'ONLY_PROPOSED'} = $cgiparams{'ONLY_PROPOSED'} eq 'on' >> ? "checked='checked'" : '' ; >> - $checked{'PFS'} = $cgiparams{'PFS'} eq 'on' ? >> "checked='checked'" : '' ; >> - >> - $selected{'IKE_VERSION'}{'ikev1'} = ''; >> - $selected{'IKE_VERSION'}{'ikev2'} = ''; >> - $selected{'IKE_VERSION'}{$cgiparams{'IKE_VERSION'}} = >> "selected='selected'"; >> - >> - $selected{'DPD_ACTION'}{'clear'} = ''; >> - $selected{'DPD_ACTION'}{'hold'} = ''; >> - $selected{'DPD_ACTION'}{'restart'} = ''; >> - $selected{'DPD_ACTION'}{'none'} = ''; >> - $selected{'DPD_ACTION'}{$cgiparams{'DPD_ACTION'}} = >> "selected='selected'"; >> - >> - &Header::showhttpheaders(); >> - &Header::openpage($Lang::tr{'ipsec'}, 1, ''); >> - &Header::openbigbox('100%', 'left', '', $errormessage); >> - >> - if ($errormessage) { >> - &Header::openbox('100%', 'left', $Lang::tr{'error >> messages'}); >> - print "<class name='base'>$errormessage"; >> - print " </class>"; >> - &Header::closebox(); >> - } >> + $selected{'DPD_ACTION'}{'clear'} = ''; >> + $selected{'DPD_ACTION'}{'hold'} = ''; >> + $selected{'DPD_ACTION'}{'restart'} = ''; >> + $selected{'DPD_ACTION'}{'none'} = ''; >> + $selected{'DPD_ACTION'}{$cgiparams{'DPD_ACTION'}} = >> "selected='selected'"; >> >> - if ($warnmessage) { >> - &Header::openbox('100%', 'left', $Lang::tr{'warning >> messages'}); >> - print "<class name='base'>$warnmessage"; >> - print " </class>"; >> - &Header::closebox(); >> - } >> + &Header::showhttpheaders(); >> + &Header::openpage($Lang::tr{'ipsec'}, 1, ''); >> + &Header::openbigbox('100%', 'left', '', $errormessage); >> + >> + if ($errormessage) { >> + &Header::openbox('100%', 'left', $Lang::tr{'error >> messages'}); >> + print "<class name='base'>$errormessage"; >> + print " </class>"; >> + &Header::closebox(); >> + } >> + >> + if ($warnmessage) { >> + &Header::openbox('100%', 'left', $Lang::tr{'warning >> messages'}); >> + print "<class name='base'>$warnmessage"; >> + print " </class>"; >> + &Header::closebox(); >> + } >> >> - &Header::openbox('100%', 'left', "$Lang::tr{'advanced'}:"); >> - print <<EOF >> - <form method='post' enctype='multipart/form-data' >> action='$ENV{'SCRIPT_NAME'}'> >> - <input type='hidden' name='ADVANCED' value='yes' /> >> - <input type='hidden' name='KEY' value='$cgiparams{'KEY'}' /> >> + &Header::openbox('100%', 'left', "$Lang::tr{'advanced'}:"); >> + print <<EOF >> + <form method='post' enctype='multipart/form-data' >> action='$ENV{'SCRIPT_NAME'}'> >> + <input type='hidden' name='ADVANCED' value='yes' /> >> + <input type='hidden' name='KEY' value='$cgiparams{'KEY'}' /> >> >> - <table width='100%'> >> + <table width='100%'> >> <thead> >> <tr> >> <th width="15%"></th> >> @@ -2545,14 +2540,14 @@ if(($cgiparams{'ACTION'} eq >> $Lang::tr{'advanced'}) || >> </td> >> </tr> >> </tbody> >> - </table> >> + </table> >> >> <br><br> >> >> <h2>$Lang::tr{'dead peer detection'}</h2> >> >> - <table width="100%"> >> - <tr> >> + <table width="100%"> >> + <tr> >> <td width="15%">$Lang::tr{'dpd action'}:</td> >> <td> >> <select name='DPD_ACTION'> >> @@ -2575,11 +2570,11 @@ if(($cgiparams{'ACTION'} eq >> $Lang::tr{'advanced'}) || >> <input type='text' name='DPD_DELAY' size='5' >> value='$cgiparams{'DPD_DELAY'}' /> >> </td> >> </tr> >> - </table> >> + </table> >> >> - <hr> >> + <hr> >> >> - <table width="100%"> >> + <table width="100%"> >> <tr> >> <td> >> <label> >> @@ -2613,9 +2608,9 @@ if(($cgiparams{'ACTION'} eq >> $Lang::tr{'advanced'}) || >> </td> >> </tr> >> EOF >> - ; >> +; >> >> - print <<EOF; >> + print <<EOF; >> <tr> >> <td align='left' colspan='1'><img src='/blob.gif' >> align='top' alt='*' /> $Lang::tr{'required field'}</td> >> <td align='right' colspan='2'> >> @@ -2623,58 +2618,58 @@ EOF >> <input type='submit' name='ACTION' >> value='$Lang::tr{'cancel'}' /> >> </td> >> </tr> >> - </table></form> >> + </table></form> >> EOF >> >> - &Header::closebox(); >> - &Header::closebigbox(); >> - &Header::closepage(); >> - exit(0); >> + &Header::closebox(); >> + &Header::closebigbox(); >> + &Header::closepage(); >> + exit(0); >> >> - ADVANCED_END: >> + ADVANCED_END: >> } >> >> ### >> ### Default status page >> ### >> - %cgiparams = (); >> - %cahash = (); >> - %confighash = (); >> - &General::readhash("${General::swroot}/vpn/settings", >> \%cgiparams); >> - &General::readhasharray("${General::swroot}/vpn/caconfig", >> \%cahash); >> - &General::readhasharray("${General::swroot}/vpn/config", >> \%confighash); >> - $cgiparams{'CA_NAME'} = ''; >> - >> - my @status = `/usr/local/bin/ipsecctrl I 2>/dev/null`; >> - >> - # suggest a default name for this side >> - if ($cgiparams{'VPN_IP'} eq '' && -e >> "${General::swroot}/red/active") { >> - if (open(IPADDR, "${General::swroot}/red/local-ipaddress")) >> { >> - my $ipaddr = <IPADDR>; >> - close IPADDR; >> - chomp ($ipaddr); >> - $cgiparams{'VPN_IP'} = (gethostbyaddr(pack("C4", >> split(/\./, $ipaddr)), 2))[0]; >> - if ($cgiparams{'VPN_IP'} eq '') { >> - $cgiparams{'VPN_IP'} = $ipaddr; >> - } >> - } >> - } >> - # no IP found, use %defaultroute >> - $cgiparams{'VPN_IP'} ='%defaultroute' if ($cgiparams{'VPN_IP'} >> eq ''); >> - >> - $cgiparams{'VPN_DELAYED_START'} = 0 if (! defined >> ($cgiparams{'VPN_DELAYED_START'})); >> - $checked{'ENABLED'} = $cgiparams{'ENABLED'} eq 'on' ? >> "checked='checked'" : ''; >> - >> - &Header::showhttpheaders(); >> - &Header::openpage($Lang::tr{'ipsec'}, 1, ''); >> - &Header::openbigbox('100%', 'left', '', $errormessage); >> - >> - if ($errormessage) { >> - &Header::openbox('100%', 'left', $Lang::tr{'error >> messages'}); >> - print "<class name='base'>$errormessage\n"; >> - print " </class>\n"; >> - &Header::closebox(); >> - } >> + %cgiparams = (); >> + %cahash = (); >> + %confighash = (); >> + &General::readhash("${General::swroot}/vpn/settings", >> \%cgiparams); >> + &General::readhasharray("${General::swroot}/vpn/caconfig", >> \%cahash); >> + &General::readhasharray("${General::swroot}/vpn/config", >> \%confighash); >> + $cgiparams{'CA_NAME'} = ''; >> + >> + my @status = `/usr/local/bin/ipsecctrl I 2>/dev/null`; >> + >> + # suggest a default name for this side >> + if ($cgiparams{'VPN_IP'} eq '' && -e >> "${General::swroot}/red/active") { >> + if (open(IPADDR, "${General::swroot}/red/local >> -ipaddress")) { >> + my $ipaddr = <IPADDR>; >> + close IPADDR; >> + chomp ($ipaddr); >> + $cgiparams{'VPN_IP'} = >> (gethostbyaddr(pack("C4", split(/\./, $ipaddr)), 2))[0]; >> + if ($cgiparams{'VPN_IP'} eq '') { >> + $cgiparams{'VPN_IP'} = $ipaddr; >> + } >> + } >> + } >> + # no IP found, use %defaultroute >> + $cgiparams{'VPN_IP'} ='%defaultroute' if >> ($cgiparams{'VPN_IP'} eq ''); >> + >> + $cgiparams{'VPN_DELAYED_START'} = 0 if (! defined >> ($cgiparams{'VPN_DELAYED_START'})); >> + $checked{'ENABLED'} = $cgiparams{'ENABLED'} eq 'on' ? >> "checked='checked'" : ''; >> + >> + &Header::showhttpheaders(); >> + &Header::openpage($Lang::tr{'ipsec'}, 1, ''); >> + &Header::openbigbox('100%', 'left', '', $errormessage); >> + >> + if ($errormessage) { >> + &Header::openbox('100%', 'left', $Lang::tr{'error >> messages'}); >> + print "<class name='base'>$errormessage\n"; >> + print " </class>\n"; >> + &Header::closebox(); >> + } >> >> if ($warnmessage) { >> &Header::openbox('100%', 'left', $Lang::tr{'warning >> messages'}); >> @@ -2686,61 +2681,61 @@ EOF >> exit 0; >> } >> >> - &Header::openbox('100%', 'left', $Lang::tr{'global settings'}); >> - print <<END >> - <form method='post' action='$ENV{'SCRIPT_NAME'}'> >> - <table width='100%'> >> - <tr> >> + &Header::openbox('100%', 'left', $Lang::tr{'global >> settings'}); >> + print <<END >> + <form method='post' action='$ENV{'SCRIPT_NAME'}'> >> + <table width='100%'> >> + <tr> >> <td width='20%' class='base' nowrap='nowrap'>$Lang::tr{'vpn >> red name'}: <img src='/blob.gif' alt='*' /></td> >> <td width='20%'><input type='text' name='VPN_IP' >> value='$cgiparams{'VPN_IP'}' /></td> >> <td width='20%' class='base'>$Lang::tr{'enabled'}<input >> type='checkbox' name='ENABLED' $checked{'ENABLED'} /></td> >> - </tr> >> + </tr> >> END >> - ; >> +; >> print <<END >> - <tr> >> - <td class='base' nowrap='nowrap'>$Lang::tr{'vpn delayed >> start'}: <img src='/blob.gif' alt='*' /><img src='/blob.gif' >> alt='*' /></td> >> + <tr> >> + <td class='base' nowrap='nowrap'>$Lang::tr{'vpn delayed >> start'}: <img src='/blob.gif' alt='*' /><img src='/blob.gif' >> alt='*' /></td> >> <td ><input type='text' name='VPN_DELAYED_START' >> value='$cgiparams{'VPN_DELAYED_START'}' /></td> >> - </tr> >> - <tr> >> - <td class='base' nowrap='nowrap'>$Lang::tr{'host to net >> vpn'}:</td> >> + </tr> >> + <tr> >> + <td class='base' nowrap='nowrap'>$Lang::tr{'host to net >> vpn'}:</td> >> <td ><input type='text' name='RW_NET' >> value='$cgiparams{'RW_NET'}' /></td> >> - </tr> >> + </tr> >> </table> >> <br> >> <hr /> >> <table width='100%'> >> <tr> >> - <td class='base' valign='top'><img src='/blob.gif' alt='*' >> /></td> >> - <td width='70%' class='base' valign='top'>$Lang::tr{'required >> field'}</td><td width='30%' align='right' class='base'><input >> type='submit' name='ACTION' value='$Lang::tr{'save'}' /></td> >> + <td class='base' valign='top'><img src='/blob.gif' alt='*' >> /></td> >> + <td width='70%' class='base' >> valign='top'>$Lang::tr{'required field'}</td><td width='30%' >> align='right' class='base'><input type='submit' name='ACTION' >> value='$Lang::tr{'save'}' /></td> >> </tr> >> <tr> >> - <td class='base' valign='top' nowrap='nowrap'><img >> src='/blob.gif' alt='*' /><img src='/blob.gif' alt='*' /> </td> >> - <td class='base'> <font class='base'>$Lang::tr{'vpn >> delayed start help'}</font></td> >> - <td></td> >> + <td class='base' valign='top' nowrap='nowrap'><img >> src='/blob.gif' alt='*' /><img src='/blob.gif' alt='*' /> </td> >> + <td class='base'> <font class='base'>$Lang::tr{'vpn >> delayed start help'}</font></td> >> + <td></td> >> </tr> >> </table> >> END >> -; >> - print "</form>"; >> - &Header::closebox(); >> - >> - &Header::openbox('100%', 'left', $Lang::tr{'connection status >> and controlc'}); >> - print <<END >> - <table width='100%' cellspacing='1' cellpadding='0' class='tbl'> >> - <tr> >> +; >> + print "</form>"; >> + &Header::closebox(); >> + >> + &Header::openbox('100%', 'left', $Lang::tr{'connection >> status and controlc'}); >> + print <<END >> + <table width='100%' cellspacing='1' cellpadding='0' >> class='tbl'> >> + <tr> >> <th width='10%' class='boldbase' >> align='center'><b>$Lang::tr{'name'}</b></th> >> <th width='22%' class='boldbase' >> align='center'><b>$Lang::tr{'type'}</b></th> >> <th width='23%' class='boldbase' >> align='center'><b>$Lang::tr{'common name'}</b></th> >> <th width='30%' class='boldbase' >> align='center'><b>$Lang::tr{'remark'}</b></th> >> <th width='10%' class='boldbase' >> align='center'><b>$Lang::tr{'status'}</b></th> >> <th class='boldbase' align='center' >> colspan='6'><b>$Lang::tr{'action'}</b></th> >> - </tr> >> + </tr> >> END >> - ; >> - my $id = 0; >> - my $gif; >> - foreach my $key (sort { ncmp >> ($confighash{$a}[1],$confighash{$b}[1]) } keys %confighash) { >> +; >> + my $id = 0; >> + my $gif; >> + foreach my $key (sort { ncmp >> ($confighash{$a}[1],$confighash{$b}[1]) } keys %confighash) { >> if ($confighash{$key}[0] eq 'on') { $gif = 'on.gif'; } else >> { $gif = 'off.gif'; } >> >> if ($id % 2) { >> @@ -2753,302 +2748,304 @@ END >> print "<td align='center' nowrap='nowrap' >> $col>$confighash{$key}[1]</td>"; >> print "<td align='center' nowrap='nowrap' $col>" . >> $Lang::tr{"$confighash{$key}[3]"} . " (" . >> $Lang::tr{"$confighash{$key}[4]"} . ") $confighash{$key}[29]</td>"; >> if ($confighash{$key}[2] eq '%auth-dn') { >> - print "<td align='left' nowrap='nowrap' >> $col>$confighash{$key}[9]</td>"; >> + print "<td align='left' nowrap='nowrap' >> $col>$confighash{$key}[9]</td>"; >> } elsif ($confighash{$key}[4] eq 'cert') { >> - print "<td align='left' nowrap='nowrap' >> $col>$confighash{$key}[2]</td>"; >> + print "<td align='left' nowrap='nowrap' >> $col>$confighash{$key}[2]</td>"; >> } else { >> - print "<td align='left' $col> </td>"; >> + print "<td align='left' $col> </td>"; >> } >> print "<td align='center' $col>$confighash{$key}[25]</td>"; >> my $col1="bgcolor='${Header::colourred}'"; >> # get real state >> my $active = "<b><font >> color='#FFFFFF'>$Lang::tr{'capsclosed'}</font></b>"; >> foreach my $line (@status) { >> - if (($line =~ /\"$confighash{$key}[1]\".*IPsec SA >> established/) || >> - ($line =~ /$confighash{$key}[1]\{.*INSTALLED/)) >> - { >> - $col1="bgcolor='${Header::colourgreen}'"; >> - $active = "<b><font >> color='#FFFFFF'>$Lang::tr{'capsopen'}</font></b>"; >> - } >> - } >> - # move to blueif really down >> + if (($line =~ /\"$confighash{$key}[1]\".*IPsec SA >> established/) || >> + ($line =~ /$confighash{$key}[1]\{.*INSTALLED/)) { >> + $col1="bgcolor='${Header::colourgreen}'"; >> + $active = "<b><font >> color='#FFFFFF'>$Lang::tr{'capsopen'}</font></b>"; >> + } >> + } >> + # move to blue if really down >> if ($confighash{$key}[0] eq 'off' && $col1 =~ >> /${Header::colourred}/ ) { >> $col1="bgcolor='${Header::colourblue}'"; >> - $active = "<b><font >> color='#FFFFFF'>$Lang::tr{'capsclosed'}</font></b>"; >> + $active = "<b><font >> color='#FFFFFF'>$Lang::tr{'capsclosed'}</font></b>"; >> } >> print <<END >> <td align='center' $col1>$active</td> >> <td align='center' $col> >> - <form method='post' action='$ENV{'SCRIPT_NAME'}'> >> - <input type='image' name='$Lang::tr{'restart'}' >> src='/images/reload.gif' alt='$Lang::tr{'restart'}' >> title='$Lang::tr{'restart'}' /> >> - <input type='hidden' name='ACTION' >> value='$Lang::tr{'restart'}' /> >> - <input type='hidden' name='KEY' value='$key' /> >> - </form> >> + <form method='post' action='$ENV{'SCRIPT_NAME'}'> >> + <input type='image' name='$Lang::tr{'restart'}' >> src='/images/reload.gif' alt='$Lang::tr{'restart'}' >> title='$Lang::tr{'restart'}' /> >> + <input type='hidden' name='ACTION' >> value='$Lang::tr{'restart'}' /> >> + <input type='hidden' name='KEY' value='$key' /> >> + </form> >> </td> >> END >> - ; >> +; >> if (($confighash{$key}[4] eq 'cert') && >> ($confighash{$key}[2] ne '%auth-dn')) { >> - print <<END >> - <td align='center' $col> >> - <form method='post' action='$ENV{'SCRIPT_NAME'}'> >> + print <<END >> + <td align='center' $col> >> + <form method='post' action='$ENV{'SCRIPT_NAME'}'> >> <input type='image' name='$Lang::tr{'show >> certificate'}' src='/images/info.gif' alt='$Lang::tr{'show >> certificate'}' title='$Lang::tr{'show certificate'}' /> >> <input type='hidden' name='ACTION' >> value='$Lang::tr{'show certificate'}' /> >> <input type='hidden' name='KEY' value='$key' /> >> - </form> >> - </td> >> + </form> >> + </td> >> END >> - ; } else { >> - print "<td width='2%' $col> </td>"; >> +; >> + } else { >> + print "<td width='2%' $col> </td>"; >> } >> - if ($confighash{$key}[4] eq 'cert' && -f >> "${General::swroot}/certs/$confighash{$key}[1].p12") { >> - print <<END >> - <td align='center' $col> >> - <form method='post' action='$ENV{'SCRIPT_NAME'}'> >> + if ($confighash{$key}[4] eq 'cert' && -f >> "${General::swroot}/certs/$confighash{$key}[1].p12") { >> + print <<END >> + <td align='center' $col> >> + <form method='post' action='$ENV{'SCRIPT_NAME'}'> >> <input type='image' name='$Lang::tr{'download pkcs12 >> file'}' src='/images/floppy.gif' alt='$Lang::tr{'download pkcs12 >> file'}' title='$Lang::tr{'download pkcs12 file'}' /> >> <input type='hidden' name='ACTION' >> value='$Lang::tr{'download pkcs12 file'}' /> >> <input type='hidden' name='KEY' value='$key' /> >> - </form> >> + </form> >> </td> >> END >> - ; } elsif (($confighash{$key}[4] eq 'cert') && >> ($confighash{$key}[2] ne '%auth-dn')) { >> - print <<END >> - <td align='center' $col> >> - <form method='post' action='$ENV{'SCRIPT_NAME'}'> >> +; >> + } elsif (($confighash{$key}[4] eq 'cert') && >> ($confighash{$key}[2] ne '%auth-dn')) { >> + print <<END >> + <td align='center' $col> >> + <form method='post' action='$ENV{'SCRIPT_NAME'}'> >> <input type='image' name='$Lang::tr{'download >> certificate'}' src='/images/floppy.gif' alt='$Lang::tr{'download >> certificate'}' title='$Lang::tr{'download certificate'}' /> >> <input type='hidden' name='ACTION' >> value='$Lang::tr{'download certificate'}' /> >> <input type='hidden' name='KEY' value='$key' /> >> - </form> >> + </form> >> </td> >> END >> - ; } else { >> - print "<td width='2%' $col> </td>"; >> +; >> + } else { >> + print "<td width='2%' $col> </td>"; >> } >> print <<END >> <td align='center' $col> >> - <form method='post' action='$ENV{'SCRIPT_NAME'}'> >> - <input type='image' name='$Lang::tr{'toggle enable >> disable'}' src='/images/$gif' alt='$Lang::tr{'toggle enable >> disable'}' title='$Lang::tr{'toggle enable disable'}' /> >> - <input type='hidden' name='ACTION' >> value='$Lang::tr{'toggle enable disable'}' /> >> - <input type='hidden' name='KEY' value='$key' /> >> - </form> >> + <form method='post' action='$ENV{'SCRIPT_NAME'}'> >> + <input type='image' name='$Lang::tr{'toggle enable >> disable'}' src='/images/$gif' alt='$Lang::tr{'toggle enable >> disable'}' title='$Lang::tr{'toggle enable disable'}' /> >> + <input type='hidden' name='ACTION' >> value='$Lang::tr{'toggle enable disable'}' /> >> + <input type='hidden' name='KEY' value='$key' /> >> + </form> >> </td> >> >> <td align='center' $col> >> - <form method='post' action='$ENV{'SCRIPT_NAME'}'> >> - <input type='hidden' name='ACTION' >> value='$Lang::tr{'edit'}' /> >> - <input type='image' name='$Lang::tr{'edit'}' >> src='/images/edit.gif' alt='$Lang::tr{'edit'}' >> title='$Lang::tr{'edit'}' /> >> - <input type='hidden' name='KEY' value='$key' /> >> - </form> >> + <form method='post' action='$ENV{'SCRIPT_NAME'}'> >> + <input type='hidden' name='ACTION' >> value='$Lang::tr{'edit'}' /> >> + <input type='image' name='$Lang::tr{'edit'}' >> src='/images/edit.gif' alt='$Lang::tr{'edit'}' >> title='$Lang::tr{'edit'}' /> >> + <input type='hidden' name='KEY' value='$key' /> >> + </form> >> </td> >> <td align='center' $col> >> - <form method='post' action='$ENV{'SCRIPT_NAME'}'> >> - <input type='hidden' name='ACTION' >> value='$Lang::tr{'remove'}' /> >> - <input type='image' name='$Lang::tr{'remove'}' >> src='/images/delete.gif' alt='$Lang::tr{'remove'}' >> title='$Lang::tr{'remove'}' /> >> - <input type='hidden' name='KEY' value='$key' /> >> - </form> >> + <form method='post' action='$ENV{'SCRIPT_NAME'}'> >> + <input type='hidden' name='ACTION' >> value='$Lang::tr{'remove'}' /> >> + <input type='image' name='$Lang::tr{'remove'}' >> src='/images/delete.gif' alt='$Lang::tr{'remove'}' >> title='$Lang::tr{'remove'}' /> >> + <input type='hidden' name='KEY' value='$key' /> >> + </form> >> </td> >> </tr> >> END >> - ; >> +; >> $id++; >> - } >> - print "</table>"; >> - >> - # If the config file contains entries, print Key to action icons >> - if ( $id ) { >> - print <<END >> - <table> >> - <tr> >> - <td class='boldbase'> <b>$Lang::tr{'legend'}:</b></td> >> - <td> <img src='/images/on.gif' alt='$Lang::tr{'click >> to disable'}' /></td> >> - <td class='base'>$Lang::tr{'click to disable'}</td> >> - <td> <img src='/images/info.gif' >> alt='$Lang::tr{'show certificate'}' /></td> >> - <td class='base'>$Lang::tr{'show certificate'}</td> >> - <td> <img src='/images/edit.gif' >> alt='$Lang::tr{'edit'}' /></td> >> - <td class='base'>$Lang::tr{'edit'}</td> >> - <td> <img src='/images/delete.gif' >> alt='$Lang::tr{'remove'}' /></td> >> - <td class='base'>$Lang::tr{'remove'}</td> >> - </tr> >> - <tr> >> - <td> </td> >> - <td> <img src='/images/off.gif' alt='?OFF' /></td> >> - <td class='base'>$Lang::tr{'click to enable'}</td> >> - <td> <img src='/images/floppy.gif' >> alt='?FLOPPY' /></td> >> - <td class='base'>$Lang::tr{'download certificate'}</td> >> - <td> <img src='/images/reload.gif' >> alt='?RELOAD'/></td> >> - <td class='base'>$Lang::tr{'restart'}</td> >> - </tr> >> - </table> >> + } >> + print "</table>"; >> + >> + # If the config file contains entries, print Key to action >> icons >> + if ( $id ) { >> + print <<END >> + <table> >> + <tr> >> + <td class='boldbase'> >> <b>$Lang::tr{'legend'}:</b></td> >> + <td> <img src='/images/on.gif' >> alt='$Lang::tr{'click to disable'}' /></td> >> + <td class='base'>$Lang::tr{'click to disable'}</td> >> + <td> <img src='/images/info.gif' >> alt='$Lang::tr{'show certificate'}' /></td> >> + <td class='base'>$Lang::tr{'show certificate'}</td> >> + <td> <img src='/images/edit.gif' >> alt='$Lang::tr{'edit'}' /></td> >> + <td class='base'>$Lang::tr{'edit'}</td> >> + <td> <img src='/images/delete.gif' >> alt='$Lang::tr{'remove'}' /></td> >> + <td class='base'>$Lang::tr{'remove'}</td> >> + </tr> >> + <tr> >> + <td> </td> >> + <td> <img src='/images/off.gif' alt='?OFF' >> /></td> >> + <td class='base'>$Lang::tr{'click to enable'}</td> >> + <td> <img src='/images/floppy.gif' >> alt='?FLOPPY' /></td> >> + <td class='base'>$Lang::tr{'download >> certificate'}</td> >> + <td> <img src='/images/reload.gif' >> alt='?RELOAD'/></td> >> + <td class='base'>$Lang::tr{'restart'}</td> >> + </tr> >> + </table> >> END >> - ; >> - } >> +; >> + } >> >> - print <<END >> - <table width='100%'> >> - <tr><td align='right' colspan='9'> >> + print <<END >> + <table width='100%'> >> + <tr><td align='right' colspan='9'> >> <form method='post' action='$ENV{'SCRIPT_NAME'}'> >> <input type='submit' name='ACTION' value='$Lang::tr{'add'}' >> /> >> </form> >> - </td></tr> >> - </table> >> + </td></tr> >> + </table> >> END >> - ; >> - &Header::closebox(); >> +; >> + &Header::closebox(); >> >> - &Header::openbox('100%', 'left', "$Lang::tr{'certificate >> authorities'}"); >> - print <<EOF >> - <table width='100%' cellspacing='1' cellpadding='0' class='tbl'> >> - <tr> >> + &Header::openbox('100%', 'left', "$Lang::tr{'certificate >> authorities'}"); >> + print <<EOF >> + <table width='100%' cellspacing='1' cellpadding='0' >> class='tbl'> >> + <tr> >> <th width='25%' class='boldbase' >> align='center'><b>$Lang::tr{'name'}</b></th> >> <th width='65%' class='boldbase' >> align='center'><b>$Lang::tr{'subject'}</b></th> >> <th width='10%' class='boldbase' colspan='3' >> align='center'><b>$Lang::tr{'action'}</b></th> >> - </tr> >> + </tr> >> EOF >> - ; >> - my $col1="bgcolor='$color{'color22'}'"; >> +; >> + my $col1="bgcolor='$color{'color22'}'"; >> my $col2="bgcolor='$color{'color20'}'"; >> - if (-f "${General::swroot}/ca/cacert.pem") { >> - my $casubject = &Header::cleanhtml(getsubjectfromcert >> ("${General::swroot}/ca/cacert.pem")); >> - print <<END >> - <tr> >> - <td class='base' $col1>$Lang::tr{'root certificate'}</td> >> - <td class='base' $col1>$casubject</td> >> - <td width='3%' align='center' $col1> >> - <form method='post' action='$ENV{'SCRIPT_NAME'}'> >> - <input type='hidden' name='ACTION' >> value='$Lang::tr{'show root certificate'}' /> >> - <input type='image' name='$Lang::tr{'edit'}' >> src='/images/info.gif' alt='$Lang::tr{'show root certificate'}' >> title='$Lang::tr{'show root certificate'}' /> >> - </form> >> - </td> >> - <td width='3%' align='center' $col1> >> - <form method='post' action='$ENV{'SCRIPT_NAME'}'> >> - <input type='image' name='$Lang::tr{'download root >> certificate'}' src='/images/floppy.gif' alt='$Lang::tr{'download root >> certificate'}' title='$Lang::tr{'download root certificate'}' /> >> - <input type='hidden' name='ACTION' >> value='$Lang::tr{'download root certificate'}' /> >> - </form> >> - </td> >> - <td width='4%' $col1> </td></tr> >> + if (-f "${General::swroot}/ca/cacert.pem") { >> + my $casubject = >> &Header::cleanhtml(getsubjectfromcert >> ("${General::swroot}/ca/cacert.pem")); >> + print <<END >> + <tr> >> + <td class='base' $col1>$Lang::tr{'root >> certificate'}</td> >> + <td class='base' $col1>$casubject</td> >> + <td width='3%' align='center' $col1> >> + <form method='post' >> action='$ENV{'SCRIPT_NAME'}'> >> + <input type='hidden' name='ACTION' >> value='$Lang::tr{'show root certificate'}' /> >> + <input type='image' name='$Lang::tr{'edit'}' >> src='/images/info.gif' alt='$Lang::tr{'show root certificate'}' >> title='$Lang::tr{'show root certificate'}' /> >> + </form> >> + </td> >> + <td width='3%' align='center' $col1> >> + <form method='post' >> action='$ENV{'SCRIPT_NAME'}'> >> + <input type='image' >> name='$Lang::tr{'download root certificate'}' >> src='/images/floppy.gif' alt='$Lang::tr{'download root certificate'}' >> title='$Lang::tr{'download root certificate'}' /> >> + <input type='hidden' name='ACTION' >> value='$Lang::tr{'download root certificate'}' /> >> + </form> >> + </td> >> + <td width='4%' $col1> </td></tr> >> END >> - ; >> - } else { >> - # display rootcert generation buttons >> - print <<END >> - <tr> >> - <td class='base' $col1>$Lang::tr{'root certificate'}:</td> >> - <td class='base' $col1>$Lang::tr{'not present'}</td> >> - <td colspan='3' $col1> </td></tr> >> +; >> + } else { >> + # display rootcert generation buttons >> + print <<END >> + <tr> >> + <td class='base' $col1>$Lang::tr{'root >> certificate'}:</td> >> + <td class='base' $col1>$Lang::tr{'not present'}</td> >> + <td colspan='3' $col1> </td></tr> >> END >> - ; >> - } >> +; >> + } >> >> - if (-f "${General::swroot}/certs/hostcert.pem") { >> - my $hostsubject = &Header::cleanhtml(getsubjectfromcert >> ("${General::swroot}/certs/hostcert.pem")); >> + if (-f "${General::swroot}/certs/hostcert.pem") { >> + my $hostsubject = >> &Header::cleanhtml(getsubjectfromcert >> ("${General::swroot}/certs/hostcert.pem")); >> >> - print <<END >> - <tr> >> - <td class='base' $col2>$Lang::tr{'host certificate'}</td> >> - <td class='base' $col2>$hostsubject</td> >> - <td width='3%' align='center' $col2> >> - <form method='post' action='$ENV{'SCRIPT_NAME'}'> >> - <input type='hidden' name='ACTION' >> value='$Lang::tr{'show host certificate'}' /> >> - <input type='image' name='$Lang::tr{'show host >> certificate'}' src='/images/info.gif' alt='$Lang::tr{'show host >> certificate'}' title='$Lang::tr{'show host certificate'}' /> >> - </form> >> - </td> >> - <td width='3%' align='center' $col2> >> - <form method='post' action='$ENV{'SCRIPT_NAME'}'> >> - <input type='image' name="$Lang::tr{'download host >> certificate'}" src='/images/floppy.gif' alt="$Lang::tr{'download host >> certificate'}" title="$Lang::tr{'download host certificate'}" /> >> - <input type='hidden' name='ACTION' >> value="$Lang::tr{'download host certificate'}" /> >> - </form> >> - </td> >> - <td width='4%' $col2> </td></tr> >> + print <<END >> + <tr> >> + <td class='base' $col2>$Lang::tr{'host >> certificate'}</td> >> + <td class='base' $col2>$hostsubject</td> >> + <td width='3%' align='center' $col2> >> + <form method='post' >> action='$ENV{'SCRIPT_NAME'}'> >> + <input type='hidden' name='ACTION' >> value='$Lang::tr{'show host certificate'}' /> >> + <input type='image' name='$Lang::tr{'show >> host certificate'}' src='/images/info.gif' alt='$Lang::tr{'show host >> certificate'}' title='$Lang::tr{'show host certificate'}' /> >> + </form> >> + </td> >> + <td width='3%' align='center' $col2> >> + <form method='post' >> action='$ENV{'SCRIPT_NAME'}'> >> + <input type='image' >> name="$Lang::tr{'download host certificate'}" >> src='/images/floppy.gif' alt="$Lang::tr{'download host certificate'}" >> title="$Lang::tr{'download host certificate'}" /> >> + <input type='hidden' name='ACTION' >> value="$Lang::tr{'download host certificate'}" /> >> + </form> >> + </td> >> + <td width='4%' $col2> </td></tr> >> END >> - ; >> - } else { >> - # Nothing >> - print <<END >> - <tr> >> - <td width='25%' class='base' $col2>$Lang::tr{'host >> certificate'}:</td> >> - <td class='base' $col2>$Lang::tr{'not present'}</td> >> - <td colspan='3' $col2> </td></tr> >> +; >> + } else { >> + # Nothing >> + print <<END >> + <tr> >> + <td width='25%' class='base' $col2>$Lang::tr{'host >> certificate'}:</td> >> + <td class='base' $col2>$Lang::tr{'not present'}</td> >> + <td colspan='3' $col2> </td></tr> >> END >> - ; >> - } >> - >> +; >> + } >> + >> my $rowcolor = 0; >> if (keys %cahash > 0) { >> foreach my $key (keys %cahash) { >> - if ($rowcolor++ % 2) { >> - print "<tr>"; >> - $col="bgcolor='$color{'color20'}'"; >> - } else { >> - print "<tr>"; >> - $col="bgcolor='$color{'color22'}'"; >> - } >> - print "<td class='base' $col>$cahash{$key}[0]</td>\n"; >> - print "<td class='base' $col>$cahash{$key}[1]</td>\n"; >> - print <<END >> - <td align='center' $col> >> - <form method='post' name='cafrm${key}a' >> action='$ENV{'SCRIPT_NAME'}'> >> - <input type='image' name='$Lang::tr{'show ca >> certificate'}' src='/images/info.gif' alt='$Lang::tr{'show ca >> certificate'}' title='$Lang::tr{'show ca certificate'}' /> >> - <input type='hidden' name='ACTION' >> value='$Lang::tr{'show ca certificate'}' /> >> - <input type='hidden' name='KEY' value='$key' /> >> - </form> >> - </td> >> - <td align='center' $col> >> - <form method='post' name='cafrm${key}b' >> action='$ENV{'SCRIPT_NAME'}'> >> - <input type='image' name='$Lang::tr{'download ca >> certificate'}' src='/images/floppy.gif' alt='$Lang::tr{'download ca >> certificate'}' title='$Lang::tr{'download ca certificate'}' /> >> - <input type='hidden' name='ACTION' >> value='$Lang::tr{'download ca certificate'}' /> >> - <input type='hidden' name='KEY' value='$key' /> >> - </form> >> - </td> >> - <td align='center' $col> >> - <form method='post' name='cafrm${key}c' >> action='$ENV{'SCRIPT_NAME'}'> >> - <input type='hidden' name='ACTION' >> value='$Lang::tr{'remove ca certificate'}' /> >> - <input type='image' name='$Lang::tr{'remove ca >> certificate'}' src='/images/delete.gif' alt='$Lang::tr{'remove ca >> certificate'}' title='$Lang::tr{'remove ca certificate'}' /> >> - <input type='hidden' name='KEY' value='$key' /> >> - </form> >> - </td> >> - </tr> >> + if ($rowcolor++ % 2) { >> + print "<tr>"; >> + $col="bgcolor='$color{'color >> 20'}'"; >> + } else { >> + print "<tr>"; >> + $col="bgcolor='$color{'color >> 22'}'"; >> + } >> + print "<td class='base' >> $col>$cahash{$key}[0]</td>\n"; >> + print "<td class='base' >> $col>$cahash{$key}[1]</td>\n"; >> + print <<END >> + <td align='center' $col> >> + <form method='post' name='cafrm${key}a' >> action='$ENV{'SCRIPT_NAME'}'> >> + <input type='image' name='$Lang::tr{'show ca >> certificate'}' src='/images/info.gif' alt='$Lang::tr{'show ca >> certificate'}' title='$Lang::tr{'show ca certificate'}' /> >> + <input type='hidden' name='ACTION' >> value='$Lang::tr{'show ca certificate'}' /> >> + <input type='hidden' name='KEY' value='$key' >> /> >> + </form> >> + </td> >> + <td align='center' $col> >> + <form method='post' name='cafrm${key}b' >> action='$ENV{'SCRIPT_NAME'}'> >> + <input type='image' >> name='$Lang::tr{'download ca certificate'}' src='/images/floppy.gif' >> alt='$Lang::tr{'download ca certificate'}' title='$Lang::tr{'download >> ca certificate'}' /> >> + <input type='hidden' name='ACTION' >> value='$Lang::tr{'download ca certificate'}' /> >> + <input type='hidden' name='KEY' value='$key' >> /> >> + </form> >> + </td> >> + <td align='center' $col> >> + <form method='post' name='cafrm${key}c' >> action='$ENV{'SCRIPT_NAME'}'> >> + <input type='hidden' name='ACTION' >> value='$Lang::tr{'remove ca certificate'}' /> >> + <input type='image' name='$Lang::tr{'remove >> ca certificate'}' src='/images/delete.gif' alt='$Lang::tr{'remove ca >> certificate'}' title='$Lang::tr{'remove ca certificate'}' /> >> + <input type='hidden' name='KEY' value='$key' >> /> >> + </form> >> + </td> >> + </tr> >> +END >> +; >> + } >> + } >> + print "</table>"; >> + >> + # If the file contains entries, print Key to action icons >> + if ( -f "${General::swroot}/ca/cacert.pem") { >> + print <<END >> + <table><tr> >> + <td class='boldbase'> >> <b>$Lang::tr{'legend'}:</b></td> >> + <td> <img src='/images/info.gif' >> alt='$Lang::tr{'show certificate'}' /></td> >> + <td class='base'>$Lang::tr{'show certificate'}</td> >> + <td> <img src='/images/floppy.gif' >> alt='$Lang::tr{'download certificate'}' /></td> >> + <td class='base'>$Lang::tr{'download >> certificate'}</td> >> + </tr></table> >> END >> - ; >> +; >> } >> - } >> - print "</table>"; >> - >> - # If the file contains entries, print Key to action icons >> - if ( -f "${General::swroot}/ca/cacert.pem") { >> + my $createCA = -f "${General::swroot}/ca/cacert.pem" ? '' : >> "<tr><td colspan='3'></td><td><input type='submit' name='ACTION' >> value='$Lang::tr{'generate root/host certificates'}' /></td></tr>"; >> print <<END >> - <table><tr> >> - <td class='boldbase'> <b>$Lang::tr{'legend'}:</b></td> >> - <td> <img src='/images/info.gif' >> alt='$Lang::tr{'show certificate'}' /></td> >> - <td class='base'>$Lang::tr{'show certificate'}</td> >> - <td> <img src='/images/floppy.gif' >> alt='$Lang::tr{'download certificate'}' /></td> >> - <td class='base'>$Lang::tr{'download certificate'}</td> >> - </tr></table> >> -END >> - ; >> - } >> - my $createCA = -f "${General::swroot}/ca/cacert.pem" ? '' : >> "<tr><td colspan='3'></td><td><input type='submit' name='ACTION' >> value='$Lang::tr{'generate root/host certificates'}' /></td></tr>"; >> - print <<END >> - <br> >> - <hr /> >> - <form method='post' enctype='multipart/form-data' >> action='$ENV{'SCRIPT_NAME'}'> >> - <table width='100%' border='0' cellspacing='1' cellpadding='0'> >> - $createCA >> - <tr> >> + <br> >> + <hr /> >> + <form method='post' enctype='multipart/form-data' >> action='$ENV{'SCRIPT_NAME'}'> >> + <table width='100%' border='0' cellspacing='1' >> cellpadding='0'> >> + $createCA >> + <tr> >> <td class='base' nowrap='nowrap'>$Lang::tr{'ca >> name'}: <img src='/blob.gif' alt='*' /></td> >> <td nowrap='nowrap'><input type='text' name='CA_NAME' >> value='$cgiparams{'CA_NAME'}' size='15' /> </td> >> <td nowrap='nowrap'><input type='file' name='FH' size='30' >> /></td> >> <td nowrap='nowrap'><input type='submit' name='ACTION' >> value='$Lang::tr{'upload ca certificate'}' /></td> >> - </tr> >> - <tr> >> + </tr> >> + <tr> >> <td colspan='3'>$Lang::tr{'resetting the vpn configuration >> will remove the root ca, the host certificate and all certificate >> based connections'}:</td> >> <td align='right'><input type='submit' name='ACTION' >> value='$Lang::tr{'remove x509'}' /></td> >> - </tr> >> - </table> >> - </form> >> + </tr> >> + </table> >> + </form> >> END >> - ; >> - &Header::closebox(); >> - &Header::closebigbox(); >> - &Header::closepage(); >> +; >> + &Header::closebox(); >> + &Header::closebigbox(); >> + &Header::closepage(); >> >> sub array_unique($) { >> my $array = shift; ^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [PATCH] vpnmain.cgi - Replace spaces with tab characters and fix indentation 2015-09-26 6:04 ` Larsen @ 2015-09-28 14:33 ` Michael Tremer 0 siblings, 0 replies; 4+ messages in thread From: Michael Tremer @ 2015-09-28 14:33 UTC (permalink / raw) To: development [-- Attachment #1: Type: text/plain, Size: 237758 bytes --] On Sat, 2015-09-26 at 08:04 +0200, Larsen wrote: > There is something like "git blame", isn't it? There is. That is what won't work that easily any more. > If you want to know when a line was last changed before that > indentation > patch, you checkout the version before, use blame, and so are able to > see > which commit last affected the line. Yes, that just makes things more complicated. > Also, in general, when a line was changed after it has been added, > you > would have the same problem as with this patch, so I don't see what > difference this makes. I decided to merge the patch. Afterwards I went on to merge some other branches that also touch vpnmain.cgi. Of course I had to reapply all the changed in that second branch manually. Hopefully that does not crash anything. So in general I think this is not a very good thing to do with code that is still developed though. Best, -Michael > On Sat, 26 Sep 2015 00:11:26 +0200, Michael Tremer > <michael.tremer(a)ipfire.org> wrote: > > > Hi, > > > > I am not really sure if this is a patch that I want to merge. It > > certainly fixes the bad coding regarding the indentation, but it > > will > > also make it difficult to find out what changed in what commit > > since > > there will only be this massive patch in the history. If we want to > > know when a certain line in the code was added, we won't find this > > so > > easily any more. > > > > I will have to discuss this with Arne. > > > > Best, > > -Michael > > > > On Fri, 2015-09-25 at 23:01 +0200, Lars Schuhmacher wrote: > > > Replaced spaces with tab characters. Fixed indentation. > > > > > > This is based on http://patchwork.ipfire.org/patch/88/ so that > > > patch > > > must be applied before. > > > > > > Signed-off-by: Lars Schuhmacher <larsen007(a)web.de> > > > --- > > > html/cgi-bin/vpnmain.cgi | 4313 +++++++++++++++++++++++--------- > > > ---- > > > ---------- > > > 1 file changed, 2155 insertions(+), 2158 deletions(-) > > > > > > diff --git a/html/cgi-bin/vpnmain.cgi b/html/cgi-bin/vpnmain.cgi > > > index 5658dac..e717862 100644 > > > --- a/html/cgi-bin/vpnmain.cgi > > > +++ b/html/cgi-bin/vpnmain.cgi > > > @@ -40,8 +40,7 @@ undef (@dummy); > > > ### > > > ### Initialize variables > > > ### > > > -my $sleepDelay = 4; # after a call to ipsecctrl S or R, > > > wait > > > this delay (seconds) before reading status > > > - # (let the ipsec do its job) > > > +my $sleepDelay = 4; # after a call to ipsecctrl S or R, wait > > > this > > > delay (seconds) before reading status (let the ipsec do its job) > > > my %netsettings=(); > > > our %cgiparams=(); > > > our %vpnsettings=(); > > > @@ -132,103 +131,101 @@ sub valid_dns_host { > > > ### Just return true is one interface is vpn enabled > > > ### > > > sub vpnenabled { > > > - return ($vpnsettings{'ENABLED'} eq 'on'); > > > + return ($vpnsettings{'ENABLED'} eq 'on'); > > > } > > > ### > > > -### old version: maintain serial number to one, without > > > explication. > > > -### this : let the counter go, so that each cert is > > > numbered. > > > +### old version: maintain serial number to one, without > > > explication. > > > +### this: let the counter go, so that each cert is numbered. > > > ### > > > -sub cleanssldatabase > > > -{ > > > - if (open(FILE, ">${General::swroot}/certs/serial")) { > > > - print FILE "01"; > > > - close FILE; > > > - } > > > - if (open(FILE, ">${General::swroot}/certs/index.txt")) { > > > - print FILE ""; > > > - close FILE; > > > - } > > > - unlink ("${General::swroot}/certs/index.txt.old"); > > > - unlink ("${General::swroot}/certs/serial.old"); > > > - unlink ("${General::swroot}/certs/01.pem"); > > > +sub cleanssldatabase { > > > + if (open(FILE, ">${General::swroot}/certs/serial")) { > > > + print FILE "01"; > > > + close FILE; > > > + } > > > + if (open(FILE, ">${General::swroot}/certs/index.txt")) { > > > + print FILE ""; > > > + close FILE; > > > + } > > > + unlink ("${General::swroot}/certs/index.txt.old"); > > > + unlink ("${General::swroot}/certs/serial.old"); > > > + unlink ("${General::swroot}/certs/01.pem"); > > > } > > > -sub newcleanssldatabase > > > -{ > > > - if (! -s "${General::swroot}/certs/serial" ) { > > > - open(FILE, ">${General::swroot}/certs/serial"); > > > - print FILE "01"; > > > - close FILE; > > > - } > > > - if (! -s ">${General::swroot}/certs/index.txt") { > > > - system ("touch ${General::swroot}/certs/index.txt"); > > > - } > > > - unlink ("${General::swroot}/certs/index.txt.old"); > > > - unlink ("${General::swroot}/certs/serial.old"); > > > -# unlink ("${General::swroot}/certs/01.pem"); n > > > umbe > > > ring evolves. Wrong place to delete > > > +sub newcleanssldatabase { > > > + if (! -s "${General::swroot}/certs/serial" ) { > > > + open(FILE, ">${General::swroot}/certs/serial"); > > > + print FILE "01"; > > > + close FILE; > > > + } > > > + if (! -s ">${General::swroot}/certs/index.txt") { > > > + system ("touch > > > ${General::swroot}/certs/index.txt"); > > > + } > > > + unlink ("${General::swroot}/certs/index.txt.old"); > > > + unlink ("${General::swroot}/certs/serial.old"); > > > +# unlink ("${General::swroot}/certs/01.pem"); > > > numbering evolves. Wrong place to delete > > > } > > > > > > ### > > > ### Call openssl and return errormessage if any > > > ### > > > sub callssl ($) { > > > - my $opt = shift; > > > - my $retssl = `/usr/bin/openssl $opt 2>&1`; #redirect > > > stderr > > > - my $ret = ''; > > > - foreach my $line (split (/\n/, $retssl)) { > > > - &General::log("ipsec", "$line") if (0); # > > > 1 > > > for verbose logging > > > - $ret .= '<br>'.$line if ( $line =~ /error|unknown/ ); > > > - } > > > - if ($ret) { > > > - $ret= &Header::cleanhtml($ret); > > > - } > > > - return $ret ? "$Lang::tr{'openssl produced an error'}: $ret" > > > : > > > '' ; > > > + my $opt = shift; > > > + my $retssl = `/usr/bin/openssl $opt 2>&1`; #redirect > > > stderr > > > + my $ret = ''; > > > + foreach my $line (split (/\n/, $retssl)) { > > > + &General::log("ipsec", "$line") if (0); # 1 for > > > verbose logging > > > + $ret .= '<br>'.$line if ( $line =~ > > > /error|unknown/ > > > ); > > > + } > > > + if ($ret) { > > > + $ret= &Header::cleanhtml($ret); > > > + } > > > + return $ret ? "$Lang::tr{'openssl produced an error'}: > > > $ret" > > > : '' ; > > > } > > > ### > > > ### Obtain a CN from given cert > > > ### > > > sub getCNfromcert ($) { > > > - #&General::log("ipsec", "Extracting name from $_[0]..."); > > > - my $temp = `/usr/bin/openssl x509 -text -in $_[0]`; > > > - $temp =~ /Subject:.*CN=(.*)[\n]/; > > > - $temp = $1; > > > - $temp =~ s+/Email+, E+; > > > - $temp =~ s/ ST=/ S=/; > > > - $temp =~ s/,//g; > > > - $temp =~ s/\'//g; > > > - return $temp; > > > + #&General::log("ipsec", "Extracting name from > > > $_[0]..."); > > > + my $temp = `/usr/bin/openssl x509 -text -in $_[0]`; > > > + $temp =~ /Subject:.*CN=(.*)[\n]/; > > > + $temp = $1; > > > + $temp =~ s+/Email+, E+; > > > + $temp =~ s/ ST=/ S=/; > > > + $temp =~ s/,//g; > > > + $temp =~ s/\'//g; > > > + return $temp; > > > } > > > ### > > > ### Obtain Subject from given cert > > > ### > > > sub getsubjectfromcert ($) { > > > - #&General::log("ipsec", "Extracting subject from $_[0]..."); > > > - my $temp = `/usr/bin/openssl x509 -text -in $_[0]`; > > > - $temp =~ /Subject: (.*)[\n]/; > > > - $temp = $1; > > > - $temp =~ s+/Email+, E+; > > > - $temp =~ s/ ST=/ S=/; > > > - return $temp; > > > + #&General::log("ipsec", "Extracting subject from > > > $_[0]..."); > > > + my $temp = `/usr/bin/openssl x509 -text -in $_[0]`; > > > + $temp =~ /Subject: (.*)[\n]/; > > > + $temp = $1; > > > + $temp =~ s+/Email+, E+; > > > + $temp =~ s/ ST=/ S=/; > > > + return $temp; > > > } > > > ### > > > -### Combine local subnet and connection name to make a unique > > > name > > > for each connection section > > > +### Combine local subnet and connection name to make a unique > > > name > > > for each connection section > > > ### (this sub is not used now) > > > ### > > > sub makeconnname ($) { > > > - my $conn = shift; > > > - my $subnet = shift; > > > - > > > - $subnet =~ /^(.*?)\/(.*?)$/; # $1=IP $2=mask > > > - my $ip = unpack('N', &Socket::inet_aton($1)); > > > - if (length ($2) > 2) { > > > - my $mm = unpack('N', &Socket::inet_aton($2)); > > > - while ( ($mm & 1)==0 ) { > > > - $ip >>= 1; > > > - $mm >>= 1; > > > - }; > > > - } else { > > > - $ip >>= (32 - $2); > > > - } > > > - return sprintf ("%s-%X", $conn, $ip); > > > + my $conn = shift; > > > + my $subnet = shift; > > > + > > > + $subnet =~ /^(.*?)\/(.*?)$/; # $1=IP $2=mask > > > + my $ip = unpack('N', &Socket::inet_aton($1)); > > > + if (length ($2) > 2) { > > > + my $mm = unpack('N', &Socket::inet_aton($2)); > > > + while ( ($mm & 1)==0 ) { > > > + $ip >>= 1; > > > + $mm >>= 1; > > > + }; > > > + } else { > > > + $ip >>= (32 - $2); > > > + } > > > + return sprintf ("%s-%X", $conn, $ip); > > > } > > > ### > > > ### Write a config file. > > > @@ -238,197 +235,198 @@ sub makeconnname ($) { > > > ### > > > > > > sub writeipsecfiles { > > > - my %lconfighash = (); > > > - my %lvpnsettings = (); > > > - &General::readhasharray("${General::swroot}/vpn/config", > > > \%lconfighash); > > > - &General::readhash("${General::swroot}/vpn/settings", > > > \%lvpnsettings); > > > - > > > - open(CONF, ">${General::swroot}/vpn/ipsec.conf") or die > > > "Unable to open ${General::swroot}/vpn/ipsec.conf: $!"; > > > - open(SECRETS, ">${General::swroot}/vpn/ipsec.secrets") or > > > die > > > "Unable to open ${General::swroot}/vpn/ipsec.secrets: $!"; > > > - flock CONF, 2; > > > - flock SECRETS, 2; > > > - print CONF "version 2\n\n"; > > > - print CONF "conn %default\n"; > > > - print CONF "\tkeyingtries=%forever\n"; > > > - print CONF "\n"; > > > - > > > - # Add user includes to config file > > > - if (-e "/etc/ipsec.user.conf") { > > > - print CONF "include /etc/ipsec.user.conf\n"; > > > - print CONF "\n"; > > > - } > > > - > > > - print SECRETS "include /etc/ipsec.user.secrets\n"; > > > - > > > - if (-f "${General::swroot}/certs/hostkey.pem") { > > > - print SECRETS ": RSA > > > ${General::swroot}/certs/hostkey.pem\n" > > > - } > > > - my $last_secrets = ''; # old the less specifics connections > > > - > > > - foreach my $key (keys %lconfighash) { > > > - next if ($lconfighash{$key}[0] ne 'on'); > > > - > > > - #remote peer is not set? => use '%any' > > > - $lconfighash{$key}[10] = '%any' if > > > ($lconfighash{$key}[10] > > > eq ''); > > > - > > > - my $localside; > > > - if ($lconfighash{$key}[26] eq 'BLUE') { > > > - $localside = $netsettings{'BLUE_ADDRESS'}; > > > - } elsif ($lconfighash{$key}[26] eq 'GREEN') { > > > - $localside = $netsettings{'GREEN_ADDRESS'}; > > > - } elsif ($lconfighash{$key}[26] eq 'ORANGE') { > > > - $localside = $netsettings{'ORANGE_ADDRESS'}; > > > - } else { # it is RED > > > - $localside = $lvpnsettings{'VPN_IP'}; > > > - } > > > - > > > - print CONF "conn $lconfighash{$key}[1]\n"; > > > - print CONF "\tleft=$localside\n"; > > > - my $cidr_net=&General::ipcidr($lconfighash{$key}[8]); > > > - print CONF "\tleftsubnet=$cidr_net\n"; > > > - print CONF "\tleftfirewall=yes\n"; > > > - print CONF "\tlefthostaccess=yes\n"; > > > - > > > - print CONF "\tright=$lconfighash{$key}[10]\n"; > > > - if ($lconfighash{$key}[3] eq 'net') { > > > - my > > > $cidr_net=&General::ipcidr($lconfighash{$key}[11]); > > > - print CONF "\trightsubnet=$cidr_net\n"; > > > - } > > > - > > > - # Local Cert and Remote Cert (unless auth is DN dn-auth) > > > - if ($lconfighash{$key}[4] eq 'cert') { > > > - print CONF > > > "\tleftcert=${General::swroot}/certs/hostcert.pem\n"; > > > - print CONF > > > "\trightcert=${General::swroot}/certs/$lconfighash{$key}[1]cert.p > > > em\n > > > " if ($lconfighash{$key}[2] ne '%auth-dn'); > > > - } > > > - > > > - # Local and Remote IDs > > > - print CONF "\tleftid=\"$lconfighash{$key}[7]\"\n" if > > > ($lconfighash{$key}[7]); > > > - print CONF "\trightid=\"$lconfighash{$key}[9]\"\n" if > > > ($lconfighash{$key}[9]); > > > - > > > - # Is PFS enabled? > > > - my $pfs = $lconfighash{$key}[28] eq 'on' ? 'on' : 'off'; > > > - > > > - # Algorithms > > > - if ($lconfighash{$key}[18] && $lconfighash{$key}[19] && > > > $lconfighash{$key}[20]) { > > > - my @encs = split('\|', > > > $lconfighash{$key}[18]); > > > - my @ints = split('\|', > > > $lconfighash{$key}[19]); > > > - my @groups = split('\|', > > > $lconfighash{$key}[20]); > > > - > > > - my @algos = &make_algos("ike", \@encs, \@ints, > > > \@groups, 1); > > > - print CONF "\tike=" . join(",", @algos); > > > - > > > - if ($lconfighash{$key}[24] eq 'on') { #on > > > ly > > > proposed algorythms? > > > - print CONF "!\n"; > > > - } else { > > > - print CONF "\n"; > > > - } > > > + my %lconfighash = (); > > > + my %lvpnsettings = (); > > > + &General::readhasharray("${General::swroot}/vpn/config", > > > \%lconfighash); > > > + &General::readhash("${General::swroot}/vpn/settings", > > > \%lvpnsettings); > > > + > > > + open(CONF, ">${General::swroot}/vpn/ipsec.conf") or die > > > "Unable to open ${General::swroot}/vpn/ipsec.conf: $!"; > > > + open(SECRETS, ">${General::swroot}/vpn/ipsec.secrets") > > > or > > > die "Unable to open ${General::swroot}/vpn/ipsec.secrets: $!"; > > > + flock CONF, 2; > > > + flock SECRETS, 2; > > > + print CONF "version 2\n\n"; > > > + print CONF "conn %default\n"; > > > + print CONF "\tkeyingtries=%forever\n"; > > > + print CONF "\n"; > > > + > > > + # Add user includes to config file > > > + if (-e "/etc/ipsec.user.conf") { > > > + print CONF "include /etc/ipsec.user.conf\n"; > > > + print CONF "\n"; > > > } > > > > > > - if ($lconfighash{$key}[21] && $lconfighash{$key}[22]) { > > > - my @encs = split('\|', > > > $lconfighash{$key}[21]); > > > - my @ints = split('\|', > > > $lconfighash{$key}[22]); > > > - my @groups = split('\|', > > > $lconfighash{$key}[23]); > > > + print SECRETS "include /etc/ipsec.user.secrets\n"; > > > > > > - # Use IKE grouptype if no ESP group type has > > > been > > > selected > > > - # (for backwards compatibility) > > > - if ($lconfighash{$key}[23] eq "") { > > > - @groups = split('\|', > > > $lconfighash{$key}[20]); > > > + if (-f "${General::swroot}/certs/hostkey.pem") { > > > + print SECRETS ": RSA > > > ${General::swroot}/certs/hostkey.pem\n" > > > + } > > > + my $last_secrets = ''; # old the less specifics > > > connections > > > + > > > + foreach my $key (keys %lconfighash) { > > > + next if ($lconfighash{$key}[0] ne 'on'); > > > + > > > + #remote peer is not set? => use '%any' > > > + $lconfighash{$key}[10] = '%any' if > > > ($lconfighash{$key}[10] eq ''); > > > + > > > + my $localside; > > > + if ($lconfighash{$key}[26] eq 'BLUE') { > > > + $localside = > > > $netsettings{'BLUE_ADDRESS'}; > > > + } elsif ($lconfighash{$key}[26] eq 'GREEN') { > > > + $localside = > > > $netsettings{'GREEN_ADDRESS'}; > > > + } elsif ($lconfighash{$key}[26] eq 'ORANGE') { > > > + $localside = > > > $netsettings{'ORANGE_ADDRESS'}; > > > + } else { # it is RED > > > + $localside = $lvpnsettings{'VPN_IP'}; > > > } > > > > > > - my @algos = &make_algos("esp", \@encs, \@ints, > > > \@groups, ($pfs eq "on")); > > > - print CONF "\tesp=" . join(",", @algos); > > > + print CONF "conn $lconfighash{$key}[1]\n"; > > > + print CONF "\tleft=$localside\n"; > > > + my > > > $cidr_net=&General::ipcidr($lconfighash{$key}[8]); > > > + print CONF "\tleftsubnet=$cidr_net\n"; > > > + print CONF "\tleftfirewall=yes\n"; > > > + print CONF "\tlefthostaccess=yes\n"; > > > + print CONF "\tright=$lconfighash{$key}[10]\n"; > > > + > > > + if ($lconfighash{$key}[3] eq 'net') { > > > + my > > > $cidr_net=&General::ipcidr($lconfighash{$key}[11]); > > > + print CONF "\trightsubnet=$cidr_net\n"; > > > + } > > > > > > - if ($lconfighash{$key}[24] eq 'on') { #on > > > ly > > > proposed algorythms? > > > - print CONF "!\n"; > > > - } else { > > > - print CONF "\n"; > > > + # Local Cert and Remote Cert (unless auth is DN > > > dn > > > -auth) > > > + if ($lconfighash{$key}[4] eq 'cert') { > > > + print CONF > > > "\tleftcert=${General::swroot}/certs/hostcert.pem\n"; > > > + print CONF > > > "\trightcert=${General::swroot}/certs/$lconfighash{$key}[1]cert.p > > > em\n > > > " if ($lconfighash{$key}[2] ne '%auth-dn'); > > > } > > > - } > > > > > > - # IKE V1 or V2 > > > - if (! $lconfighash{$key}[29]) { > > > - $lconfighash{$key}[29] = "ikev1"; > > > - } > > > - print CONF "\tkeyexchange=$lconfighash{$key}[29]\n"; > > > + # Local and Remote IDs > > > + print CONF > > > "\tleftid=\"$lconfighash{$key}[7]\"\n" if > > > ($lconfighash{$key}[7]); > > > + print CONF > > > "\trightid=\"$lconfighash{$key}[9]\"\n" > > > if ($lconfighash{$key}[9]); > > > > > > - # Lifetimes > > > - print CONF "\tikelifetime=$lconfighash{$key}[16]h\n" if > > > ($lconfighash{$key}[16]); > > > - print CONF "\tkeylife=$lconfighash{$key}[17]h\n" if > > > ($lconfighash{$key}[17]); > > > + # Is PFS enabled? > > > + my $pfs = $lconfighash{$key}[28] eq 'on' ? 'on' > > > : > > > 'off'; > > > > > > - # Compression > > > - print CONF "\tcompress=yes\n" if ($lconfighash{$key}[13] > > > eq > > > 'on'); > > > + # Algorithms > > > + if ($lconfighash{$key}[18] && > > > $lconfighash{$key}[19] > > > && $lconfighash{$key}[20]) { > > > + my @encs = split('\|', > > > $lconfighash{$key}[18]); > > > + my @ints = split('\|', > > > $lconfighash{$key}[19]); > > > + my @groups = split('\|', > > > $lconfighash{$key}[20]); > > > > > > - # Force MOBIKE? > > > - if (($lconfighash{$key}[29] eq "ikev2") && > > > ($lconfighash{$key}[32] eq 'on')) { > > > - print CONF "\tmobike=yes\n"; > > > - } > > > + my @algos = &make_algos("ike", \@encs, > > > \@ints, \@groups, 1); > > > + print CONF "\tike=" . join(",", @algos); > > > + > > > + if ($lconfighash{$key}[24] eq 'on') { > > > #only > > > proposed algorythms? > > > + print CONF "!\n"; > > > + } else { > > > + print CONF "\n"; > > > + } > > > + } > > > + > > > + if ($lconfighash{$key}[21] && > > > $lconfighash{$key}[22]) { > > > + my @encs = split('\|', > > > $lconfighash{$key}[21]); > > > + my @ints = split('\|', > > > $lconfighash{$key}[22]); > > > + my @groups = split('\|', > > > $lconfighash{$key}[23]); > > > + > > > + # Use IKE grouptype if no ESP group type > > > has > > > been selected > > > + # (for backwards compatibility) > > > + if ($lconfighash{$key}[23] eq "") { > > > + @groups = split('\|', > > > $lconfighash{$key}[20]); > > > + } > > > > > > - # Dead Peer Detection > > > - my $dpdaction = $lconfighash{$key}[27]; > > > - print CONF "\tdpdaction=$dpdaction\n"; > > > + my @algos = &make_algos("esp", \@encs, > > > \@ints, \@groups, ($pfs eq "on")); > > > + print CONF "\tesp=" . join(",", @algos); > > > > > > - # If the dead peer detection is disabled and IKEv2 is > > > used, > > > - # dpddelay must be set to zero, too. > > > - if ($dpdaction eq "none") { > > > - if ($lconfighash{$key}[29] eq "ikev2") { > > > - print CONF "\tdpddelay=0\n"; > > > + if ($lconfighash{$key}[24] eq 'on') { > > > #only > > > proposed algorythms? > > > + print CONF "!\n"; > > > + } else { > > > + print CONF "\n"; > > > + } > > > } > > > - } else { > > > - my $dpddelay = $lconfighash{$key}[31]; > > > - if (!$dpddelay) { > > > - $dpddelay = 30; > > > - } > > > - print CONF "\tdpddelay=$dpddelay\n"; > > > - my $dpdtimeout = $lconfighash{$key}[30]; > > > - if (!$dpdtimeout) { > > > - $dpdtimeout = 120; > > > - } > > > - print CONF "\tdpdtimeout=$dpdtimeout\n"; > > > - } > > > - > > > - # Build Authentication details: LEFTid RIGHTid : PSK > > > psk > > > - my $psk_line; > > > - if ($lconfighash{$key}[4] eq 'psk') { > > > - $psk_line = ($lconfighash{$key}[7] ? > > > $lconfighash{$key}[7] : $localside) . " " ; > > > - $psk_line .= $lconfighash{$key}[9] ? > > > $lconfighash{$key}[9] : $lconfighash{$key}[10]; #remoteid or > > > remote > > > address? > > > - $psk_line .= " : PSK '$lconfighash{$key}[5]'\n"; > > > - # if the line contains %any, it is less specific > > > than > > > two IP or ID, so move it at end of file. > > > - if ($psk_line =~ /%any/) { > > > - $last_secrets .= $psk_line; > > > - } else { > > > - print SECRETS $psk_line; > > > - } > > > - print CONF "\tauthby=secret\n"; > > > - } else { > > > - print CONF "\tauthby=rsasig\n"; > > > - print CONF "\tleftrsasigkey=%cert\n"; > > > - print CONF "\trightrsasigkey=%cert\n"; > > > - } > > > > > > - # Automatically start only if a net-to-net connection > > > - if ($lconfighash{$key}[3] eq 'host') { > > > - print CONF "\tauto=add\n"; > > > - print CONF > > > "\trightsourceip=$lvpnsettings{'RW_NET'}\n"; > > > - } else { > > > - print CONF "\tauto=start\n"; > > > - } > > > + # IKE V1 or V2 > > > + if (! $lconfighash{$key}[29]) { > > > + $lconfighash{$key}[29] = "ikev1"; > > > + } > > > > > > - # Fragmentation > > > - print CONF "\tfragmentation=yes\n"; > > > + print CONF > > > "\tkeyexchange=$lconfighash{$key}[29]\n"; > > > > > > - print CONF "\n"; > > > - }#foreach key > > > - > > > - # Add post user includes to config file > > > - # After the GUI-connections allows to patch connections. > > > - if (-e "/etc/ipsec.user-post.conf") { > > > - print CONF "include /etc/ipsec.user-post.conf\n"; > > > - print CONF "\n"; > > > - } > > > - > > > - print SECRETS $last_secrets if ($last_secrets); > > > - close(CONF); > > > - close(SECRETS); > > > + # Lifetimes > > > + print CONF > > > "\tikelifetime=$lconfighash{$key}[16]h\n" > > > if ($lconfighash{$key}[16]); > > > + print CONF "\tkeylife=$lconfighash{$key}[17]h\n" > > > if > > > ($lconfighash{$key}[17]); > > > + > > > + # Compression > > > + print CONF "\tcompress=yes\n" if > > > ($lconfighash{$key}[13] eq 'on'); > > > + > > > + # Force MOBIKE? > > > + if (($lconfighash{$key}[29] eq "ikev2") && > > > ($lconfighash{$key}[32] eq 'on')) { > > > + print CONF "\tmobike=yes\n"; > > > + } > > > + > > > + # Dead Peer Detection > > > + my $dpdaction = $lconfighash{$key}[27]; > > > + print CONF "\tdpdaction=$dpdaction\n"; > > > + > > > + # If the dead peer detection is disabled and > > > IKEv2 > > > is used, > > > + # dpddelay must be set to zero, too. > > > + if ($dpdaction eq "none") { > > > + if ($lconfighash{$key}[29] eq "ikev2") { > > > + print CONF "\tdpddelay=0\n"; > > > + } > > > + } else { > > > + my $dpddelay = $lconfighash{$key}[31]; > > > + if (!$dpddelay) { > > > + $dpddelay = 30; > > > + } > > > + print CONF "\tdpddelay=$dpddelay\n"; > > > + my $dpdtimeout = $lconfighash{$key}[30]; > > > + if (!$dpdtimeout) { > > > + $dpdtimeout = 120; > > > + } > > > + print CONF "\tdpdtimeout=$dpdtimeout\n"; > > > + } > > > + > > > + # Build Authentication details: LEFTid RIGHTid : > > > PSK > > > psk > > > + my $psk_line; > > > + if ($lconfighash{$key}[4] eq 'psk') { > > > + $psk_line = ($lconfighash{$key}[7] ? > > > $lconfighash{$key}[7] : $localside) . " " ; > > > + $psk_line .= $lconfighash{$key}[9] ? > > > $lconfighash{$key}[9] : $lconfighash{$key}[10]; #remoteid or > > > remote > > > address? > > > + $psk_line .= " : PSK > > > '$lconfighash{$key}[5]'\n"; > > > + # if the line contains %any, it is less > > > specific than two IP or ID, so move it at end of file. > > > + if ($psk_line =~ /%any/) { > > > + $last_secrets .= $psk_line; > > > + } else { > > > + print SECRETS $psk_line; > > > + } > > > + print CONF "\tauthby=secret\n"; > > > + } else { > > > + print CONF "\tauthby=rsasig\n"; > > > + print CONF "\tleftrsasigkey=%cert\n"; > > > + print CONF "\trightrsasigkey=%cert\n"; > > > + } > > > + > > > + # Automatically start only if a net-to-net > > > connection > > > + if ($lconfighash{$key}[3] eq 'host') { > > > + print CONF "\tauto=add\n"; > > > + print CONF > > > "\trightsourceip=$lvpnsettings{'RW_NET'}\n"; > > > + } else { > > > + print CONF "\tauto=start\n"; > > > + } > > > + > > > + # Fragmentation > > > + print CONF "\tfragmentation=yes\n"; > > > + > > > + print CONF "\n"; > > > + } #foreach key > > > + > > > + # Add post user includes to config file > > > + # After the GUI-connections allows to patch connections. > > > + if (-e "/etc/ipsec.user-post.conf") { > > > + print CONF "include /etc/ipsec.user > > > -post.conf\n"; > > > + print CONF "\n"; > > > + } > > > + > > > + print SECRETS $last_secrets if ($last_secrets); > > > + close(CONF); > > > + close(SECRETS); > > > } > > > > > > # Hook to regenerate the configuration files. > > > @@ -441,779 +439,779 @@ if ($ENV{"REMOTE_ADDR"} eq "") { > > > ### Save main settings > > > ### > > > if ($cgiparams{'ACTION'} eq $Lang::tr{'save'} && > > > $cgiparams{'TYPE'} > > > eq '' && $cgiparams{'KEY'} eq '') { > > > - &General::readhash("${General::swroot}/vpn/settings", > > > \%vpnsettings); > > > - unless (&General::validfqdn($cgiparams{'VPN_IP'}) || > > > &General::validip($cgiparams{'VPN_IP'}) > > > - || $cgiparams{'VPN_IP'} eq '%defaultroute' ) { > > > - $errormessage = $Lang::tr{'invalid input for hostname'}; > > > - goto SAVE_ERROR; > > > - } > > > - > > > - unless ($cgiparams{'VPN_DELAYED_START'} =~ /^[0-9]{1,3}$/ ) > > > { > > > #allow 0-999 seconds ! > > > - $errormessage = $Lang::tr{'invalid time period'}; > > > - goto SAVE_ERROR; > > > - } > > > - > > > - if ( $cgiparams{'RW_NET'} ne '' and > > > !&General::validipandmask($cgiparams{'RW_NET'}) ) { > > > - $errormessage = $Lang::tr{'urlfilter invalid ip or mask > > > error'}; > > > - goto SAVE_ERROR; > > > - } > > > - > > > - $vpnsettings{'ENABLED'} = $cgiparams{'ENABLED'}; > > > - $vpnsettings{'VPN_IP'} = $cgiparams{'VPN_IP'}; > > > - $vpnsettings{'VPN_DELAYED_START'} = > > > $cgiparams{'VPN_DELAYED_START'}; > > > - $vpnsettings{'RW_NET'} = $cgiparams{'RW_NET'}; > > > - &General::writehash("${General::swroot}/vpn/settings", > > > \%vpnsettings); > > > - &writeipsecfiles(); > > > - if (&vpnenabled) { > > > - system('/usr/local/bin/ipsecctrl', 'S'); > > > - } else { > > > - system('/usr/local/bin/ipsecctrl', 'D'); > > > - } > > > - sleep $sleepDelay; > > > - SAVE_ERROR: > > > + &General::readhash("${General::swroot}/vpn/settings", > > > \%vpnsettings); > > > + > > > + unless (&General::validfqdn($cgiparams{'VPN_IP'}) || > > > &General::validip($cgiparams{'VPN_IP'}) > > > + || $cgiparams{'VPN_IP'} eq '%defaultroute' ) { > > > + $errormessage = $Lang::tr{'invalid input for > > > hostname'}; > > > + goto SAVE_ERROR; > > > + } > > > + > > > + unless ($cgiparams{'VPN_DELAYED_START'} =~ /^[0 > > > -9]{1,3}$/ ) > > > { #allow 0-999 seconds ! > > > + $errormessage = $Lang::tr{'invalid time > > > period'}; > > > + goto SAVE_ERROR; > > > + } > > > + > > > + if ( $cgiparams{'RW_NET'} ne '' and > > > !&General::validipandmask($cgiparams{'RW_NET'}) ) { > > > + $errormessage = $Lang::tr{'urlfilter invalid ip > > > or > > > mask error'}; > > > + goto SAVE_ERROR; > > > + } > > > + > > > + $vpnsettings{'ENABLED'} = $cgiparams{'ENABLED'}; > > > + $vpnsettings{'VPN_IP'} = $cgiparams{'VPN_IP'}; > > > + $vpnsettings{'VPN_DELAYED_START'} = > > > $cgiparams{'VPN_DELAYED_START'}; > > > + $vpnsettings{'RW_NET'} = $cgiparams{'RW_NET'}; > > > + &General::writehash("${General::swroot}/vpn/settings", > > > \%vpnsettings); > > > + &writeipsecfiles(); > > > + if (&vpnenabled) { > > > + system('/usr/local/bin/ipsecctrl', 'S'); > > > + } else { > > > + system('/usr/local/bin/ipsecctrl', 'D'); > > > + } > > > + sleep $sleepDelay; > > > + SAVE_ERROR: > > > ### > > > ### Reset all step 2 > > > ### > > > } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'remove x509'} && > > > $cgiparams{'AREUSURE'} eq 'yes') { > > > - &General::readhasharray("${General::swroot}/vpn/config", > > > \%confighash); > > > - > > > - foreach my $key (keys %confighash) { > > > - if ($confighash{$key}[4] eq 'cert') { > > > - delete $confighash{$key}; > > > - } > > > - } > > > - while (my $file = > > > glob("${General::swroot}/{ca,certs,crls,private}/*")) { > > > - unlink $file > > > - } > > > - &cleanssldatabase(); > > > - if (open(FILE, ">${General::swroot}/vpn/caconfig")) { > > > - print FILE ""; > > > - close FILE; > > > - } > > > - &General::writehasharray("${General::swroot}/vpn/config", > > > \%confighash); > > > - &writeipsecfiles(); > > > - system('/usr/local/bin/ipsecctrl', 'R'); > > > - sleep $sleepDelay; > > > + &General::readhasharray("${General::swroot}/vpn/config", > > > \%confighash); > > > + > > > + foreach my $key (keys %confighash) { > > > + if ($confighash{$key}[4] eq 'cert') { > > > + delete $confighash{$key}; > > > + } > > > + } > > > + while (my $file = > > > glob("${General::swroot}/{ca,certs,crls,private}/*")) { > > > + unlink $file > > > + } > > > + &cleanssldatabase(); > > > + if (open(FILE, ">${General::swroot}/vpn/caconfig")) { > > > + print FILE ""; > > > + close FILE; > > > + } > > > + &General::writehasharray("${General::swroot}/vpn/config" > > > , > > > \%confighash); > > > + &writeipsecfiles(); > > > + system('/usr/local/bin/ipsecctrl', 'R'); > > > + sleep $sleepDelay; > > > > > > ### > > > ### Reset all step 1 > > > ### > > > } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'remove x509'}) { > > > - &Header::showhttpheaders(); > > > - &Header::openpage($Lang::tr{'ipsec'}, 1, ''); > > > - &Header::openbigbox('100%', 'left', '', ''); > > > - &Header::openbox('100%', 'left', $Lang::tr{'are you sure'}); > > > - print <<END > > > + &Header::showhttpheaders(); > > > + &Header::openpage($Lang::tr{'ipsec'}, 1, ''); > > > + &Header::openbigbox('100%', 'left', '', ''); > > > + &Header::openbox('100%', 'left', $Lang::tr{'are you > > > sure'}); > > > + print <<END > > > <form method='post' action='$ENV{'SCRIPT_NAME'}'> > > > - <table width='100%'> > > > - <tr> > > > - <td align='center'> > > > - <input type='hidden' name='AREUSURE' value='yes' > > > /> > > > - <b><font > > > color='${Header::colourred}'>$Lang::tr{'capswarning'}</font></b>: > > > - $Lang::tr{'resetting the vpn configuration will > > > remove the root ca, the host certificate and all certificate > > > based > > > connections'}</td> > > > - </tr><tr> > > > - <td align='center'> > > > - <input type='submit' name='ACTION' > > > value='$Lang::tr{'remove x509'}' /> > > > + <table width='100%'> > > > + <tr> > > > + <td align='center'> > > > + <input type='hidden' > > > name='AREUSURE' value='yes' /> > > > + <b><font > > > color='${Header::colourred}'>$Lang::tr{'capswarning'}</font></b>: > > > &nbs > > > p;$Lang::tr{'resetting the vpn configuration will remove the root > > > ca, > > > the host certificate and all certificate based connections'} > > > + </td> > > > + </tr><tr> > > > + <td align='center'> > > > + <input type='submit' > > > name='ACTION' value='$Lang::tr{'remove x509'}' /> > > > <input type='submit' name='ACTION' > > > value='$Lang::tr{'cancel'}' /></td> > > > - </tr> > > > - </table> > > > + </tr> > > > + </table> > > > </form> > > > END > > > - ; > > > - &Header::closebox(); > > > - &Header::closebigbox(); > > > - &Header::closepage(); > > > - exit (0); > > > +; > > > + &Header::closebox(); > > > + &Header::closebigbox(); > > > + &Header::closepage(); > > > + exit (0); > > > > > > ### > > > ### Upload CA Certificate > > > ### > > > } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'upload ca > > > certificate'}) > > > { > > > - &General::readhasharray("${General::swroot}/vpn/caconfig", > > > \%cahash); > > > - > > > - if ($cgiparams{'CA_NAME'} !~ /^[a-zA-Z0-9]+$/) { > > > - $errormessage = $Lang::tr{'name must only contain > > > characters'}; > > > - goto UPLOADCA_ERROR; > > > - } > > > - > > > - if (length($cgiparams{'CA_NAME'}) >60) { > > > - $errormessage = $Lang::tr{'name too long'}; > > > - goto VPNCONF_ERROR; > > > - } > > > - > > > - if ($cgiparams{'CA_NAME'} eq 'ca') { > > > - $errormessage = $Lang::tr{'name is invalid'}; > > > - goto UPLOAD_CA_ERROR; > > > - } > > > - > > > - # Check if there is no other entry with this name > > > - foreach my $key (keys %cahash) { > > > - if ($cahash{$key}[0] eq $cgiparams{'CA_NAME'}) { > > > - $errormessage = $Lang::tr{'a ca certificate with > > > this > > > name already exists'}; > > > - goto UPLOADCA_ERROR; > > > - } > > > - } > > > - > > > - if (ref ($cgiparams{'FH'}) ne 'Fh') { > > > - $errormessage = $Lang::tr{'there was no file upload'}; > > > - goto UPLOADCA_ERROR; > > > - } > > > - # Move uploaded ca to a temporary file > > > - (my $fh, my $filename) = tempfile( ); > > > - if (copy ($cgiparams{'FH'}, $fh) != 1) { > > > - $errormessage = $!; > > > - goto UPLOADCA_ERROR; > > > - } > > > - my $temp = `/usr/bin/openssl x509 -text -in $filename`; > > > - if ($temp !~ /CA:TRUE/i) { > > > - $errormessage = $Lang::tr{'not a valid ca certificate'}; > > > - unlink ($filename); > > > - goto UPLOADCA_ERROR; > > > - } else { > > > - move($filename, > > > "${General::swroot}/ca/$cgiparams{'CA_NAME'}cert.pem"); > > > - if ($? ne 0) { > > > - $errormessage = "$Lang::tr{'certificate file move > > > failed'}: $!"; > > > - unlink ($filename); > > > - goto UPLOADCA_ERROR; > > > - } > > > - } > > > - > > > - my $key = &General::findhasharraykey (\%cahash); > > > - $cahash{$key}[0] = $cgiparams{'CA_NAME'}; > > > - $cahash{$key}[1] = &Header::cleanhtml(getsubjectfromcert > > > ("${General::swroot}/ca/$cgiparams{'CA_NAME'}cert.pem")); > > > - &General::writehasharray("${General::swroot}/vpn/caconfig", > > > \%cahash); > > > - > > > - system('/usr/local/bin/ipsecctrl', 'R'); > > > - sleep $sleepDelay; > > > - > > > - UPLOADCA_ERROR: > > > + &General::readhasharray("${General::swroot}/vpn/caconfig > > > ", > > > \%cahash); > > > + > > > + if ($cgiparams{'CA_NAME'} !~ /^[a-zA-Z0-9]+$/) { > > > + $errormessage = $Lang::tr{'name must only > > > contain > > > characters'}; > > > + goto UPLOADCA_ERROR; > > > + } > > > + > > > + if (length($cgiparams{'CA_NAME'}) >60) { > > > + $errormessage = $Lang::tr{'name too long'}; > > > + goto VPNCONF_ERROR; > > > + } > > > + > > > + if ($cgiparams{'CA_NAME'} eq 'ca') { > > > + $errormessage = $Lang::tr{'name is invalid'}; > > > + goto UPLOAD_CA_ERROR; > > > + } > > > + > > > + # Check if there is no other entry with this name > > > + foreach my $key (keys %cahash) { > > > + if ($cahash{$key}[0] eq $cgiparams{'CA_NAME'}) { > > > + $errormessage = $Lang::tr{'a ca > > > certificate > > > with this name already exists'}; > > > + goto UPLOADCA_ERROR; > > > + } > > > + } > > > + > > > + if (ref ($cgiparams{'FH'}) ne 'Fh') { > > > + $errormessage = $Lang::tr{'there was no file > > > upload'}; > > > + goto UPLOADCA_ERROR; > > > + } > > > + # Move uploaded ca to a temporary file > > > + (my $fh, my $filename) = tempfile( ); > > > + if (copy ($cgiparams{'FH'}, $fh) != 1) { > > > + $errormessage = $!; > > > + goto UPLOADCA_ERROR; > > > + } > > > + my $temp = `/usr/bin/openssl x509 -text -in $filename`; > > > + if ($temp !~ /CA:TRUE/i) { > > > + $errormessage = $Lang::tr{'not a valid ca > > > certificate'}; > > > + unlink ($filename); > > > + goto UPLOADCA_ERROR; > > > + } else { > > > + move($filename, > > > "${General::swroot}/ca/$cgiparams{'CA_NAME'}cert.pem"); > > > + if ($? ne 0) { > > > + $errormessage = "$Lang::tr{'certificate > > > file > > > move failed'}: $!"; > > > + unlink ($filename); > > > + goto UPLOADCA_ERROR; > > > + } > > > + } > > > + > > > + my $key = &General::findhasharraykey (\%cahash); > > > + $cahash{$key}[0] = $cgiparams{'CA_NAME'}; > > > + $cahash{$key}[1] = &Header::cleanhtml(getsubjectfromcert > > > ("${General::swroot}/ca/$cgiparams{'CA_NAME'}cert.pem")); > > > + &General::writehasharray("${General::swroot}/vpn/caconfi > > > g", > > > \%cahash); > > > + > > > + system('/usr/local/bin/ipsecctrl', 'R'); > > > + sleep $sleepDelay; > > > + > > > + UPLOADCA_ERROR: > > > > > > ### > > > ### Display ca certificate > > > ### > > > } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'show ca > > > certificate'}) { > > > - &General::readhasharray("${General::swroot}/vpn/caconfig", > > > \%cahash); > > > - > > > - if ( -f > > > "${General::swroot}/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem") { > > > - &Header::showhttpheaders(); > > > - &Header::openpage($Lang::tr{'ipsec'}, 1, ''); > > > - &Header::openbigbox('100%', 'left', '', ''); > > > - &Header::openbox('100%', 'left', "$Lang::tr{'ca > > > certificate'}:"); > > > - my $output = `/usr/bin/openssl x509 -text -in > > > ${General::swroot}/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem`; > > > - $output = &Header::cleanhtml($output,"y"); > > > - print "<pre>$output</pre>\n"; > > > - &Header::closebox(); > > > - print "<div align='center'><a href='/cgi > > > -bin/vpnmain.cgi'>$Lang::tr{'back'}</a></div>"; > > > - &Header::closebigbox(); > > > - &Header::closepage(); > > > - exit(0); > > > - } else { > > > - $errormessage = $Lang::tr{'invalid key'}; > > > - } > > > + &General::readhasharray("${General::swroot}/vpn/caconfig > > > ", > > > \%cahash); > > > + > > > + if ( -f > > > "${General::swroot}/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem") { > > > + &Header::showhttpheaders(); > > > + &Header::openpage($Lang::tr{'ipsec'}, 1, ''); > > > + &Header::openbigbox('100%', 'left', '', ''); > > > + &Header::openbox('100%', 'left', "$Lang::tr{'ca > > > certificate'}:"); > > > + my $output = `/usr/bin/openssl x509 -text -in > > > ${General::swroot}/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem`; > > > + $output = &Header::cleanhtml($output,"y"); > > > + print "<pre>$output</pre>\n"; > > > + &Header::closebox(); > > > + print "<div align='center'><a href='/cgi > > > -bin/vpnmain.cgi'>$Lang::tr{'back'}</a></div>"; > > > + &Header::closebigbox(); > > > + &Header::closepage(); > > > + exit(0); > > > + } else { > > > + $errormessage = $Lang::tr{'invalid key'}; > > > + } > > > > > > ### > > > ### Export ca certificate to browser > > > ### > > > } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'download ca > > > certificate'}) { > > > - &General::readhasharray("${General::swroot}/vpn/caconfig", > > > \%cahash); > > > - > > > - if ( -f > > > "${General::swroot}/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem" ) { > > > - print "Content-Type: application/force-download\n"; > > > - print "Content-Type: application/octet-stream\r\n"; > > > - print "Content-Disposition: attachment; > > > filename=$cahash{$cgiparams{'KEY'}}[0]cert.pem\r\n\r\n"; > > > - print `/usr/bin/openssl x509 -in > > > ${General::swroot}/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem`; > > > - exit(0); > > > - } else { > > > - $errormessage = $Lang::tr{'invalid key'}; > > > - } > > > + &General::readhasharray("${General::swroot}/vpn/caconfig > > > ", > > > \%cahash); > > > + > > > + if ( -f > > > "${General::swroot}/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem" ) { > > > + print "Content-Type: application/force > > > -download\n"; > > > + print "Content-Type: application/octet > > > -stream\r\n"; > > > + print "Content-Disposition: attachment; > > > filename=$cahash{$cgiparams{'KEY'}}[0]cert.pem\r\n\r\n"; > > > + print `/usr/bin/openssl x509 -in > > > ${General::swroot}/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem`; > > > + exit(0); > > > + } else { > > > + $errormessage = $Lang::tr{'invalid key'}; > > > + } > > > > > > ### > > > ### Remove ca certificate (step 2) > > > ### > > > } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'remove ca > > > certificate'} > > > && $cgiparams{'AREUSURE'} eq 'yes') { > > > - &General::readhasharray("${General::swroot}/vpn/config", > > > \%confighash); > > > - &General::readhasharray("${General::swroot}/vpn/caconfig", > > > \%cahash); > > > - > > > - if ( -f > > > "${General::swroot}/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem" ) { > > > - foreach my $key (keys %confighash) { > > > - my $test = `/usr/bin/openssl verify -CAfile > > > ${General::swroot}/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem > > > ${General::swroot}/certs/$confighash{$key}[1]cert.pem`; > > > - if ($test =~ /: OK/) { > > > - # Delete connection > > > - system('/usr/local/bin/ipsecctrl', 'D', $key) if > > > (&vpnenabled); > > > - unlink > > > ("${General::swroot}/certs/$confighash{$key}[1]cert.pem"); > > > - unlink > > > ("${General::swroot}/certs/$confighash{$key}[1].p12"); > > > - delete $confighash{$key}; > > > - &General::writehasharray("${General::swroot}/vpn > > > /con > > > fig", \%confighash); > > > - &writeipsecfiles(); > > > - } > > > + &General::readhasharray("${General::swroot}/vpn/config", > > > \%confighash); > > > + &General::readhasharray("${General::swroot}/vpn/caconfig > > > ", > > > \%cahash); > > > + > > > + if ( -f > > > "${General::swroot}/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem" ) { > > > + foreach my $key (keys %confighash) { > > > + my $test = `/usr/bin/openssl verify > > > -CAfile > > > ${General::swroot}/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem > > > ${General::swroot}/certs/$confighash{$key}[1]cert.pem`; > > > + if ($test =~ /: OK/) { > > > + # Delete connection > > > + system('/usr/local/bin/ipsecctrl > > > ', > > > 'D', $key) if (&vpnenabled); > > > + unlink > > > ("${General::swroot}/certs/$confighash{$key}[1]cert.pem"); > > > + unlink > > > ("${General::swroot}/certs/$confighash{$key}[1].p12"); > > > + delete $confighash{$key}; > > > + &General::writehasharray("${Gene > > > ral: > > > :swroot}/vpn/config", \%confighash); > > > + &writeipsecfiles(); > > > + } > > > + } > > > + unlink > > > ("${General::swroot}/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem"); > > > + delete $cahash{$cgiparams{'KEY'}}; > > > + &General::writehasharray("${General::swroot}/vpn > > > /cac > > > onfig", \%cahash); > > > + system('/usr/local/bin/ipsecctrl', 'R'); > > > + sleep $sleepDelay; > > > + } else { > > > + $errormessage = $Lang::tr{'invalid key'}; > > > } > > > - unlink > > > ("${General::swroot}/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem"); > > > - delete $cahash{$cgiparams{'KEY'}}; > > > - &General::writehasharray("${General::swroot}/vpn/caconfi > > > g", > > > \%cahash); > > > - system('/usr/local/bin/ipsecctrl', 'R'); > > > - sleep $sleepDelay; > > > - } else { > > > - $errormessage = $Lang::tr{'invalid key'}; > > > - } > > > ### > > > ### Remove ca certificate (step 1) > > > ### > > > } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'remove ca > > > certificate'}) > > > { > > > - &General::readhasharray("${General::swroot}/vpn/config", > > > \%confighash); > > > - &General::readhasharray("${General::swroot}/vpn/caconfig", > > > \%cahash); > > > - > > > - my $assignedcerts = 0; > > > - if ( -f > > > "${General::swroot}/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem" ) { > > > - foreach my $key (keys %confighash) { > > > - my $test = `/usr/bin/openssl verify -CAfile > > > ${General::swroot}/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem > > > ${General::swroot}/certs/$confighash{$key}[1]cert.pem`; > > > - if ($test =~ /: OK/) { > > > - $assignedcerts++; > > > - } > > > - } > > > - if ($assignedcerts) { > > > - &Header::showhttpheaders(); > > > - &Header::openpage($Lang::tr{'ipsec'}, 1, ''); > > > - &Header::openbigbox('100%', 'left', '', ''); > > > - &Header::openbox('100%', 'left', $Lang::tr{'are you > > > sure'}); > > > - print <<END > > > - <form method='post' action='$ENV{'SCRIPT_NAME'}'> > > > - <table width='100%'> > > > - <tr> > > > - <td align='center'> > > > - <input type='hidden' name='KEY' > > > value='$cgiparams{'KEY'}' /> > > > - <input type='hidden' name='AREUSURE' > > > value='yes' > > > /></td> > > > - </tr><tr> > > > - <td align='center'> > > > - <b><font > > > color='${Header::colourred}'>$Lang::tr{'capswarning'}</font></b> > > > - $Lang::tr{'connections are associated with > > > this > > > ca. deleting the ca will delete these connections as > > > well.'}</td> > > > - </tr><tr> > > > - <td align='center'> > > > - <input type='submit' name='ACTION' > > > value='$Lang::tr{'remove ca certificate'}' /> > > > - <input type='submit' name='ACTION' > > > value='$Lang::tr{'cancel'}' /></td> > > > - </tr> > > > - </table> > > > - </form> > > > + &General::readhasharray("${General::swroot}/vpn/config", > > > \%confighash); > > > + &General::readhasharray("${General::swroot}/vpn/caconfig > > > ", > > > \%cahash); > > > + > > > + my $assignedcerts = 0; > > > + if ( -f > > > "${General::swroot}/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem" ) { > > > + foreach my $key (keys %confighash) { > > > + my $test = `/usr/bin/openssl verify > > > -CAfile > > > ${General::swroot}/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem > > > ${General::swroot}/certs/$confighash{$key}[1]cert.pem`; > > > + if ($test =~ /: OK/) { > > > + $assignedcerts++; > > > + } > > > + } > > > + if ($assignedcerts) { > > > + &Header::showhttpheaders(); > > > + &Header::openpage($Lang::tr{'ipsec'}, 1, > > > ''); > > > + &Header::openbigbox('100%', 'left', '', > > > ''); > > > + &Header::openbox('100%', 'left', > > > $Lang::tr{'are you sure'}); > > > + print <<END > > > + <form method='post' > > > action='$ENV{'SCRIPT_NAME'}'> > > > + <table width='100%'> > > > + <tr> > > > + <td > > > align='center'> > > > + <input > > > type='hidden' name='KEY' value='$cgiparams{'KEY'}' /> > > > + <input type='hidden' name='AREUSURE' > > > value='yes' /></td> > > > + </tr><tr> > > > + <td > > > align='center'> > > > + <b><font > > > color='${Header::colourred}'>$Lang::tr{'capswarning'}</font></b>& > > > nbsp > > > ;$Lang::tr{'connections are associated with this ca. deleting > > > the ca > > > will delete these connections as well.'}</td> > > > + </tr><tr> > > > + <td > > > align='center'> > > > + <input > > > type='submit' name='ACTION' value='$Lang::tr{'remove ca > > > certificate'}' /> > > > + <input type='submit' name='ACTION' > > > value='$Lang::tr{'cancel'}' /></td> > > > + </tr> > > > + </table> > > > + </form> > > > END > > > - ; > > > - &Header::closebox(); > > > - &Header::closebigbox(); > > > - &Header::closepage(); > > > - exit (0); > > > +; > > > + &Header::closebox(); > > > + &Header::closebigbox(); > > > + &Header::closepage(); > > > + exit (0); > > > + } else { > > > + unlink > > > ("${General::swroot}/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem"); > > > + delete $cahash{$cgiparams{'KEY'}}; > > > + &General::writehasharray("${General::swr > > > oot} > > > /vpn/caconfig", \%cahash); > > > + system('/usr/local/bin/ipsecctrl', 'R'); > > > + sleep $sleepDelay; > > > + } > > > } else { > > > - unlink > > > ("${General::swroot}/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem"); > > > - delete $cahash{$cgiparams{'KEY'}}; > > > - > > > &General::writehasharray("${General::swroot}/vpn/caconfig", > > > \%cahash); > > > - system('/usr/local/bin/ipsecctrl', 'R'); > > > - sleep $sleepDelay; > > > + $errormessage = $Lang::tr{'invalid key'}; > > > } > > > - } else { > > > - $errormessage = $Lang::tr{'invalid key'}; > > > - } > > > > > > ### > > > ### Display root certificate > > > ### > > > } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'show root > > > certificate'} > > > > > > > > $cgiparams{'ACTION'} eq $Lang::tr{'show host > > > certificate'}) > > > { > > > - my $output; > > > - &Header::showhttpheaders(); > > > - &Header::openpage($Lang::tr{'ipsec'}, 1, ''); > > > - &Header::openbigbox('100%', 'left', '', ''); > > > - if ($cgiparams{'ACTION'} eq $Lang::tr{'show root > > > certificate'}) > > > { > > > - &Header::openbox('100%', 'left', "$Lang::tr{'root > > > certificate'}:"); > > > - $output = `/usr/bin/openssl x509 -text -in > > > ${General::swroot}/ca/cacert.pem`; > > > - } else { > > > - &Header::openbox('100%', 'left', "$Lang::tr{'host > > > certificate'}:"); > > > - $output = `/usr/bin/openssl x509 -text -in > > > ${General::swroot}/certs/hostcert.pem`; > > > - } > > > - $output = &Header::cleanhtml($output,"y"); > > > - print "<pre>$output</pre>\n"; > > > - &Header::closebox(); > > > - print "<div align='center'><a href='/cgi > > > -bin/vpnmain.cgi'>$Lang::tr{'back'}</a></div>"; > > > - &Header::closebigbox(); > > > - &Header::closepage(); > > > - exit(0); > > > + my $output; > > > + &Header::showhttpheaders(); > > > + &Header::openpage($Lang::tr{'ipsec'}, 1, ''); > > > + &Header::openbigbox('100%', 'left', '', ''); > > > + if ($cgiparams{'ACTION'} eq $Lang::tr{'show root > > > certificate'}) { > > > + &Header::openbox('100%', 'left', > > > "$Lang::tr{'root > > > certificate'}:"); > > > + $output = `/usr/bin/openssl x509 -text -in > > > ${General::swroot}/ca/cacert.pem`; > > > + } else { > > > + &Header::openbox('100%', 'left', > > > "$Lang::tr{'host > > > certificate'}:"); > > > + $output = `/usr/bin/openssl x509 -text -in > > > ${General::swroot}/certs/hostcert.pem`; > > > + } > > > + $output = &Header::cleanhtml($output,"y"); > > > + print "<pre>$output</pre>\n"; > > > + &Header::closebox(); > > > + print "<div align='center'><a href='/cgi > > > -bin/vpnmain.cgi'>$Lang::tr{'back'}</a></div>"; > > > + &Header::closebigbox(); > > > + &Header::closepage(); > > > + exit(0); > > > > > > ### > > > ### Export root certificate to browser > > > ### > > > } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'download root > > > certificate'}) { > > > - if ( -f "${General::swroot}/ca/cacert.pem" ) { > > > - print "Content-Type: application/force-download\n"; > > > - print "Content-Disposition: attachment; > > > filename=cacert.pem\r\n\r\n"; > > > - print `/usr/bin/openssl x509 -in > > > ${General::swroot}/ca/cacert.pem`; > > > - exit(0); > > > - } > > > + if ( -f "${General::swroot}/ca/cacert.pem" ) { > > > + print "Content-Type: application/force > > > -download\n"; > > > + print "Content-Disposition: attachment; > > > filename=cacert.pem\r\n\r\n"; > > > + print `/usr/bin/openssl x509 -in > > > ${General::swroot}/ca/cacert.pem`; > > > + exit(0); > > > + } > > > ### > > > ### Export host certificate to browser > > > ### > > > } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'download host > > > certificate'}) { > > > - if ( -f "${General::swroot}/certs/hostcert.pem" ) { > > > - print "Content-Type: application/force-download\n"; > > > - print "Content-Disposition: attachment; > > > filename=hostcert.pem\r\n\r\n"; > > > - print `/usr/bin/openssl x509 -in > > > ${General::swroot}/certs/hostcert.pem`; > > > - exit(0); > > > - } > > > + if ( -f "${General::swroot}/certs/hostcert.pem" ) { > > > + print "Content-Type: application/force > > > -download\n"; > > > + print "Content-Disposition: attachment; > > > filename=hostcert.pem\r\n\r\n"; > > > + print `/usr/bin/openssl x509 -in > > > ${General::swroot}/certs/hostcert.pem`; > > > + exit(0); > > > + } > > > ### > > > ### Form for generating/importing the caroot+host certificate > > > ### > > > } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'generate root/host > > > certificates'} || > > > - $cgiparams{'ACTION'} eq $Lang::tr{'upload p12 file'}) { > > > - > > > - if (-f "${General::swroot}/ca/cacert.pem") { > > > - $errormessage = $Lang::tr{'valid root certificate > > > already > > > exists'}; > > > - goto ROOTCERT_SKIP; > > > - } > > > - > > > - &General::readhash("${General::swroot}/vpn/settings", > > > \%vpnsettings); > > > - # fill in initial values > > > - if ($cgiparams{'ROOTCERT_HOSTNAME'} eq '') { > > > - if (-e "${General::swroot}/red/active" && open(IPADDR, > > > "${General::swroot}/red/local-ipaddress")) { > > > - my $ipaddr = <IPADDR>; > > > - close IPADDR; > > > - chomp ($ipaddr); > > > - $cgiparams{'ROOTCERT_HOSTNAME'} = > > > (gethostbyaddr(pack("C4", split(/\./, $ipaddr)), 2))[0]; > > > - if ($cgiparams{'ROOTCERT_HOSTNAME'} eq '') { > > > - $cgiparams{'ROOTCERT_HOSTNAME'} = $ipaddr; > > > - } > > > - } > > > - $cgiparams{'ROOTCERT_COUNTRY'} = > > > $vpnsettings{'ROOTCERT_COUNTRY'} if > > > (!$cgiparams{'ROOTCERT_COUNTRY'}); > > > - } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'upload p12 > > > file'}) { > > > - &General::log("ipsec", "Importing from p12..."); > > > + $cgiparams{'ACTION'} eq $Lang::tr{'upload p12 file'}) { > > > + > > > + if (-f "${General::swroot}/ca/cacert.pem") { > > > + $errormessage = $Lang::tr{'valid root > > > certificate > > > already exists'}; > > > + goto ROOTCERT_SKIP; > > > + } > > > + > > > + &General::readhash("${General::swroot}/vpn/settings", > > > \%vpnsettings); > > > + # fill in initial values > > > + if ($cgiparams{'ROOTCERT_HOSTNAME'} eq '') { > > > + if (-e "${General::swroot}/red/active" && > > > open(IPADDR, "${General::swroot}/red/local-ipaddress")) { > > > + my $ipaddr = <IPADDR>; > > > + close IPADDR; > > > + chomp ($ipaddr); > > > + $cgiparams{'ROOTCERT_HOSTNAME'} = > > > (gethostbyaddr(pack("C4", split(/\./, $ipaddr)), 2))[0]; > > > + if ($cgiparams{'ROOTCERT_HOSTNAME'} eq > > > '') { > > > + $cgiparams{'ROOTCERT_HOSTNAME'} > > > = > > > $ipaddr; > > > + } > > > + } > > > + $cgiparams{'ROOTCERT_COUNTRY'} = > > > $vpnsettings{'ROOTCERT_COUNTRY'} if > > > (!$cgiparams{'ROOTCERT_COUNTRY'}); > > > + } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'upload p12 > > > file'}) { > > > + &General::log("ipsec", "Importing from p12..."); > > > > > > - if (ref ($cgiparams{'FH'}) ne 'Fh') { > > > - $errormessage = $Lang::tr{'there was no file > > > upload'}; > > > - goto ROOTCERT_ERROR; > > > - } > > > + if (ref ($cgiparams{'FH'}) ne 'Fh') { > > > + $errormessage = $Lang::tr{'there was no > > > file > > > upload'}; > > > + goto ROOTCERT_ERROR; > > > + } > > > > > > - # Move uploaded certificate request to a temporary file > > > - (my $fh, my $filename) = tempfile( ); > > > - if (copy ($cgiparams{'FH'}, $fh) != 1) { > > > - $errormessage = $!; > > > - goto ROOTCERT_ERROR; > > > - } > > > + # Move uploaded certificate request to a > > > temporary > > > file > > > + (my $fh, my $filename) = tempfile( ); > > > + if (copy ($cgiparams{'FH'}, $fh) != 1) { > > > + $errormessage = $!; > > > + goto ROOTCERT_ERROR; > > > + } > > > > > > - # Extract the CA certificate from the file > > > - &General::log("ipsec", "Extracting caroot from p12..."); > > > - if (open(STDIN, "-|")) { > > > - my $opt = " pkcs12 -cacerts -nokeys"; > > > - $opt .= " -in $filename"; > > > - $opt .= " -out /tmp/newcacert"; > > > - $errormessage = &callssl ($opt); > > > - } else { #child > > > - print "$cgiparams{'P12_PASS'}\n"; > > > - exit (0); > > > - } > > > - > > > - # Extract the Host certificate from the file > > > - if (!$errormessage) { > > > - &General::log("ipsec", "Extracting host cert from > > > p12..."); > > > - if (open(STDIN, "-|")) { > > > - my $opt = " pkcs12 -clcerts -nokeys"; > > > - $opt .= " -in $filename"; > > > - $opt .= " -out /tmp/newhostcert"; > > > - $errormessage = &callssl ($opt); > > > - } else { #child > > > - print "$cgiparams{'P12_PASS'}\n"; > > > - exit (0); > > > - } > > > - } > > > - > > > - # Extract the Host key from the file > > > - if (!$errormessage) { > > > - &General::log("ipsec", "Extracting private key from > > > p12..."); > > > - if (open(STDIN, "-|")) { > > > - my $opt = " pkcs12 -nocerts -nodes"; > > > - $opt .= " -in $filename"; > > > - $opt .= " -out /tmp/newhostkey"; > > > - $errormessage = &callssl ($opt); > > > - } else { #child > > > - print "$cgiparams{'P12_PASS'}\n"; > > > - exit (0); > > > - } > > > - } > > > - > > > - if (!$errormessage) { > > > - &General::log("ipsec", "Moving cacert..."); > > > - move("/tmp/newcacert", > > > "${General::swroot}/ca/cacert.pem"); > > > - $errormessage = "$Lang::tr{'certificate file move > > > failed'}: $!" if ($? ne 0); > > > - } > > > - > > > - if (!$errormessage) { > > > - &General::log("ipsec", "Moving host cert..."); > > > - move("/tmp/newhostcert", > > > "${General::swroot}/certs/hostcert.pem"); > > > - $errormessage = "$Lang::tr{'certificate file move > > > failed'}: $!" if ($? ne 0); > > > - } > > > - > > > - if (!$errormessage) { > > > - &General::log("ipsec", "Moving private key..."); > > > - move("/tmp/newhostkey", > > > "${General::swroot}/certs/hostkey.pem"); > > > - $errormessage = "$Lang::tr{'certificate file move > > > failed'}: $!" if ($? ne 0); > > > - } > > > - > > > - #cleanup temp files > > > - unlink ($filename); > > > - unlink ('/tmp/newcacert'); > > > - unlink ('/tmp/newhostcert'); > > > - unlink ('/tmp/newhostkey'); > > > - if ($errormessage) { > > > - unlink ("${General::swroot}/ca/cacert.pem"); > > > - unlink ("${General::swroot}/certs/hostcert.pem"); > > > - unlink ("${General::swroot}/certs/hostkey.pem"); > > > - goto ROOTCERT_ERROR; > > > - } > > > + # Extract the CA certificate from the file > > > + &General::log("ipsec", "Extracting caroot from > > > p12..."); > > > + if (open(STDIN, "-|")) { > > > + my $opt = " pkcs12 -cacerts -nokeys"; > > > + $opt .= " -in $filename"; > > > + $opt .= " -out /tmp/newcacert"; > > > + $errormessage = &callssl ($opt); > > > + } else { #child > > > + print "$cgiparams{'P12_PASS'}\n"; > > > + exit (0); > > > + } > > > > > > - # Create empty CRL cannot be done because we don't have > > > - # the private key for this CAROOT > > > - # IPFire can only import certificates > > > + # Extract the Host certificate from the file > > > + if (!$errormessage) { > > > + &General::log("ipsec", "Extracting host > > > cert > > > from p12..."); > > > + if (open(STDIN, "-|")) { > > > + my $opt = " pkcs12 -clcerts > > > -nokeys"; > > > + $opt .= " -in $filename"; > > > + $opt .= " -out > > > /tmp/newhostcert"; > > > + $errormessage = &callssl ($opt); > > > + } else { #child > > > + print > > > "$cgiparams{'P12_PASS'}\n"; > > > + exit (0); > > > + } > > > + } > > > > > > - &General::log("ipsec", "p12 import completed!"); > > > - &cleanssldatabase(); > > > - goto ROOTCERT_SUCCESS; > > > - > > > - } elsif ($cgiparams{'ROOTCERT_COUNTRY'} ne '') { > > > - > > > - # Validate input since the form was submitted > > > - if ($cgiparams{'ROOTCERT_ORGANIZATION'} eq ''){ > > > - $errormessage = $Lang::tr{'organization cant be > > > empty'}; > > > - goto ROOTCERT_ERROR; > > > - } > > > - if (length($cgiparams{'ROOTCERT_ORGANIZATION'}) >60) { > > > - $errormessage = $Lang::tr{'organization too long'}; > > > - goto ROOTCERT_ERROR; > > > - } > > > - if ($cgiparams{'ROOTCERT_ORGANIZATION'} !~ /^[a-zA-Z0-9 > > > ,\.\ > > > -_]*$/) { > > > - $errormessage = $Lang::tr{'invalid input for > > > organization'}; > > > - goto ROOTCERT_ERROR; > > > - } > > > - if ($cgiparams{'ROOTCERT_HOSTNAME'} eq ''){ > > > - $errormessage = $Lang::tr{'hostname cant be empty'}; > > > - goto ROOTCERT_ERROR; > > > - } > > > - unless > > > (&General::validfqdn($cgiparams{'ROOTCERT_HOSTNAME'}) > > > > > &General::validip($cgiparams{'ROOTCERT_HOSTNAME'})) { > > > - $errormessage = $Lang::tr{'invalid input for > > > hostname'}; > > > - goto ROOTCERT_ERROR; > > > - } > > > - if ($cgiparams{'ROOTCERT_EMAIL'} ne '' && (! > > > &General::validemail($cgiparams{'ROOTCERT_EMAIL'}))) { > > > - $errormessage = $Lang::tr{'invalid input for e-mail > > > address'}; > > > - goto ROOTCERT_ERROR; > > > - } > > > - if (length($cgiparams{'ROOTCERT_EMAIL'}) > 40) { > > > - $errormessage = $Lang::tr{'e-mail address too > > > long'}; > > > - goto ROOTCERT_ERROR; > > > - } > > > - if ($cgiparams{'ROOTCERT_OU'} ne '' && > > > $cgiparams{'ROOTCERT_OU'} !~ /^[a-zA-Z0-9 ,\.\-_]*$/) { > > > - $errormessage = $Lang::tr{'invalid input for > > > department'}; > > > - goto ROOTCERT_ERROR; > > > - } > > > - if ($cgiparams{'ROOTCERT_CITY'} ne '' && > > > $cgiparams{'ROOTCERT_CITY'} !~ /^[a-zA-Z0-9 ,\.\-_]*$/) { > > > - $errormessage = $Lang::tr{'invalid input for city'}; > > > - goto ROOTCERT_ERROR; > > > - } > > > - if ($cgiparams{'ROOTCERT_STATE'} ne '' && > > > $cgiparams{'ROOTCERT_STATE'} !~ /^[a-zA-Z0-9 ,\.\-_]*$/) { > > > - $errormessage = $Lang::tr{'invalid input for state > > > or > > > province'}; > > > - goto ROOTCERT_ERROR; > > > - } > > > - if ($cgiparams{'ROOTCERT_COUNTRY'} !~ /^[A-Z]*$/) { > > > - $errormessage = $Lang::tr{'invalid input for > > > country'}; > > > - goto ROOTCERT_ERROR; > > > - } > > > - #the exact syntax is a list comma separated of > > > - # email:any-validemail > > > - # URI: a uniform resource indicator > > > - # DNS: a DNS domain name > > > - # RID: a registered OBJECT IDENTIFIER > > > - # IP: an IP address > > > - # example: email:franck(a)foo.com,IP:10.0.0.10,DNS:franck. > > > foo. > > > com > > > - > > > - if ($cgiparams{'SUBJECTALTNAME'} ne '' && > > > $cgiparams{'SUBJECTALTNAME'} !~ /^(email|URI|DNS|RID|IP):[a-zA-Z0 > > > -9 > > > :\/,\.\-_@]*$/) { > > > - $errormessage = $Lang::tr{'vpn altname syntax'}; > > > - goto VPNCONF_ERROR; > > > - } > > > - > > > - # Copy the cgisettings to vpnsettings and save the > > > configfile > > > - $vpnsettings{'ROOTCERT_ORGANIZATION'} = > > > $cgiparams{'ROOTCERT_ORGANIZATION'}; > > > - $vpnsettings{'ROOTCERT_HOSTNAME'} = > > > $cgiparams{'ROOTCERT_HOSTNAME'}; > > > - $vpnsettings{'ROOTCERT_EMAIL'} = > > > $cgiparams{'ROOTCERT_EMAIL'}; > > > - $vpnsettings{'ROOTCERT_OU'} = > > > $cgiparams{'ROOTCERT_OU'}; > > > - $vpnsettings{'ROOTCERT_CITY'} = > > > $cgiparams{'ROOTCERT_CITY'}; > > > - $vpnsettings{'ROOTCERT_STATE'} = > > > $cgiparams{'ROOTCERT_STATE'}; > > > - $vpnsettings{'ROOTCERT_COUNTRY'} = > > > $cgiparams{'ROOTCERT_COUNTRY'}; > > > - &General::writehash("${General::swroot}/vpn/settings", > > > \%vpnsettings); > > > + # Extract the Host key from the file > > > + if (!$errormessage) { > > > + &General::log("ipsec", "Extracting > > > private > > > key from p12..."); > > > + if (open(STDIN, "-|")) { > > > + my $opt = " pkcs12 -nocerts > > > -nodes"; > > > + $opt .= " -in $filename"; > > > + $opt .= " -out /tmp/newhostkey"; > > > + $errormessage = &callssl ($opt); > > > + } else { #child > > > + print > > > "$cgiparams{'P12_PASS'}\n"; > > > + exit (0); > > > + } > > > + } > > > > > > - # Replace empty strings with a . > > > - (my $ou = $cgiparams{'ROOTCERT_OU'}) =~ s/^\s*$/\./; > > > - (my $city = $cgiparams{'ROOTCERT_CITY'}) =~ s/^\s*$/\./; > > > - (my $state = $cgiparams{'ROOTCERT_STATE'}) =~ > > > s/^\s*$/\./; > > > - > > > - # Create the CA certificate > > > - if (!$errormessage) { > > > - &General::log("ipsec", "Creating cacert..."); > > > - if (open(STDIN, "-|")) { > > > - my $opt = " req -x509 -sha256 -nodes"; > > > - $opt .= " -days 999999"; > > > - $opt .= " -newkey rsa:4096"; > > > - $opt .= " -keyout > > > ${General::swroot}/private/cakey.pem"; > > > - $opt .= " -out > > > ${General::swroot}/ca/cacert.pem"; > > > - > > > - $errormessage = &callssl ($opt); > > > - } else { #child > > > - print "$cgiparams{'ROOTCERT_COUNTRY'}\n"; > > > - print "$state\n"; > > > - print "$city\n"; > > > - print "$cgiparams{'ROOTCERT_ORGANIZATION'}\n"; > > > - print "$ou\n"; > > > - print "$cgiparams{'ROOTCERT_ORGANIZATION'} > > > CA\n"; > > > - print "$cgiparams{'ROOTCERT_EMAIL'}\n"; > > > - exit (0); > > > - } > > > - } > > > - > > > - # Create the Host certificate request > > > - if (!$errormessage) { > > > - &General::log("ipsec", "Creating host cert..."); > > > - if (open(STDIN, "-|")) { > > > - my $opt = " req -sha256 -nodes"; > > > - $opt .= " -newkey rsa:2048"; > > > - $opt .= " -keyout > > > ${General::swroot}/certs/hostkey.pem"; > > > - $opt .= " -out > > > ${General::swroot}/certs/hostreq.pem"; > > > - $errormessage = &callssl ($opt); > > > - } else { #child > > > - print "$cgiparams{'ROOTCERT_COUNTRY'}\n"; > > > - print "$state\n"; > > > - print "$city\n"; > > > - print "$cgiparams{'ROOTCERT_ORGANIZATION'}\n"; > > > - print "$ou\n"; > > > - print "$cgiparams{'ROOTCERT_HOSTNAME'}\n"; > > > - print "$cgiparams{'ROOTCERT_EMAIL'}\n"; > > > - print ".\n"; > > > - print ".\n"; > > > - exit (0); > > > - } > > > - } > > > + if (!$errormessage) { > > > + &General::log("ipsec", "Moving > > > cacert..."); > > > + move("/tmp/newcacert", > > > "${General::swroot}/ca/cacert.pem"); > > > + $errormessage = "$Lang::tr{'certificate > > > file > > > move failed'}: $!" if ($? ne 0); > > > + } > > > > > > - # Sign the host certificate request > > > - if (!$errormessage) { > > > - &General::log("ipsec", "Self signing host cert..."); > > > + if (!$errormessage) { > > > + &General::log("ipsec", "Moving host > > > cert..."); > > > + move("/tmp/newhostcert", > > > "${General::swroot}/certs/hostcert.pem"); > > > + $errormessage = "$Lang::tr{'certificate > > > file > > > move failed'}: $!" if ($? ne 0); > > > + } > > > > > > - #No easy way for specifying the contain of > > > subjectAltName without writing a config file... > > > - my ($fh, $v3extname) = tempfile ('/tmp/XXXXXXXX'); > > > - print $fh <<END > > > - basicConstraints=CA:FALSE > > > - nsComment="OpenSSL Generated Certificate" > > > - subjectKeyIdentifier=hash > > > - authorityKeyIdentifier=keyid,issuer:always > > > - extendedKeyUsage = serverAuth > > > + if (!$errormessage) { > > > + &General::log("ipsec", "Moving private > > > key..."); > > > + move("/tmp/newhostkey", > > > "${General::swroot}/certs/hostkey.pem"); > > > + $errormessage = "$Lang::tr{'certificate > > > file > > > move failed'}: $!" if ($? ne 0); > > > + } > > > + > > > + #cleanup temp files > > > + unlink ($filename); > > > + unlink ('/tmp/newcacert'); > > > + unlink ('/tmp/newhostcert'); > > > + unlink ('/tmp/newhostkey'); > > > + if ($errormessage) { > > > + unlink > > > ("${General::swroot}/ca/cacert.pem"); > > > + unlink > > > ("${General::swroot}/certs/hostcert.pem"); > > > + unlink > > > ("${General::swroot}/certs/hostkey.pem"); > > > + goto ROOTCERT_ERROR; > > > + } > > > + > > > + # Create empty CRL cannot be done because we > > > don't > > > have > > > + # the private key for this CAROOT > > > + # IPFire can only import certificates > > > + > > > + &General::log("ipsec", "p12 import completed!"); > > > + &cleanssldatabase(); > > > + goto ROOTCERT_SUCCESS; > > > + > > > + } elsif ($cgiparams{'ROOTCERT_COUNTRY'} ne '') { > > > + > > > + # Validate input since the form was submitted > > > + if ($cgiparams{'ROOTCERT_ORGANIZATION'} eq ''){ > > > + $errormessage = $Lang::tr{'organization > > > cant > > > be empty'}; > > > + goto ROOTCERT_ERROR; > > > + } > > > + if (length($cgiparams{'ROOTCERT_ORGANIZATION'}) > > > >60) > > > { > > > + $errormessage = $Lang::tr{'organization > > > too > > > long'}; > > > + goto ROOTCERT_ERROR; > > > + } > > > + if ($cgiparams{'ROOTCERT_ORGANIZATION'} !~ /^[a > > > -zA > > > -Z0-9 ,\.\-_]*$/) { > > > + $errormessage = $Lang::tr{'invalid input > > > for > > > organization'}; > > > + goto ROOTCERT_ERROR; > > > + } > > > + if ($cgiparams{'ROOTCERT_HOSTNAME'} eq ''){ > > > + $errormessage = $Lang::tr{'hostname cant > > > be > > > empty'}; > > > + goto ROOTCERT_ERROR; > > > + } > > > + unless > > > (&General::validfqdn($cgiparams{'ROOTCERT_HOSTNAME'}) || > > > &General::validip($cgiparams{'ROOTCERT_HOSTNAME'})) { > > > + $errormessage = $Lang::tr{'invalid input > > > for > > > hostname'}; > > > + goto ROOTCERT_ERROR; > > > + } > > > + if ($cgiparams{'ROOTCERT_EMAIL'} ne '' && (! > > > &General::validemail($cgiparams{'ROOTCERT_EMAIL'}))) { > > > + $errormessage = $Lang::tr{'invalid input > > > for > > > e-mail address'}; > > > + goto ROOTCERT_ERROR; > > > + } > > > + if (length($cgiparams{'ROOTCERT_EMAIL'}) > 40) { > > > + $errormessage = $Lang::tr{'e-mail > > > address > > > too long'}; > > > + goto ROOTCERT_ERROR; > > > + } > > > + if ($cgiparams{'ROOTCERT_OU'} ne '' && > > > $cgiparams{'ROOTCERT_OU'} !~ /^[a-zA-Z0-9 ,\.\-_]*$/) { > > > + $errormessage = $Lang::tr{'invalid input > > > for > > > department'}; > > > + goto ROOTCERT_ERROR; > > > + } > > > + if ($cgiparams{'ROOTCERT_CITY'} ne '' && > > > $cgiparams{'ROOTCERT_CITY'} !~ /^[a-zA-Z0-9 ,\.\-_]*$/) { > > > + $errormessage = $Lang::tr{'invalid input > > > for > > > city'}; > > > + goto ROOTCERT_ERROR; > > > + } > > > + if ($cgiparams{'ROOTCERT_STATE'} ne '' && > > > $cgiparams{'ROOTCERT_STATE'} !~ /^[a-zA-Z0-9 ,\.\-_]*$/) { > > > + $errormessage = $Lang::tr{'invalid input > > > for > > > state or province'}; > > > + goto ROOTCERT_ERROR; > > > + } > > > + if ($cgiparams{'ROOTCERT_COUNTRY'} !~ /^[A > > > -Z]*$/) { > > > + $errormessage = $Lang::tr{'invalid input > > > for > > > country'}; > > > + goto ROOTCERT_ERROR; > > > + } > > > + #the exact syntax is a list comma separated of > > > + # email:any-validemail > > > + # URI: a uniform resource indicator > > > + # DNS: a DNS domain name > > > + # RID: a registered OBJECT IDENTIFIER > > > + # IP: an IP address > > > + # example: email:franck(a)foo.com,IP:10.0.0.10,DNS > > > :fra > > > nck.foo.com > > > + > > > + if ($cgiparams{'SUBJECTALTNAME'} ne '' && > > > $cgiparams{'SUBJECTALTNAME'} !~ /^(email|URI|DNS|RID|IP):[a-zA-Z0 > > > -9 > > > :\/,\.\-_@]*$/) { > > > + $errormessage = $Lang::tr{'vpn altname > > > syntax'}; > > > + goto VPNCONF_ERROR; > > > + } > > > + > > > + # Copy the cgisettings to vpnsettings and save > > > the > > > configfile > > > + $vpnsettings{'ROOTCERT_ORGANIZATION'} = > > > $cgiparams{'ROOTCERT_ORGANIZATION'}; > > > + $vpnsettings{'ROOTCERT_HOSTNAME'} > > > = > > > $cgiparams{'ROOTCERT_HOSTNAME'}; > > > + $vpnsettings{'ROOTCERT_EMAIL'} > > > = $cgiparams{'ROOTCERT_EMAIL'}; > > > + $vpnsettings{'ROOTCERT_OU'} > > > > > > = $cgiparams{'ROOTCERT_OU'}; > > > + $vpnsettings{'ROOTCERT_CITY'} > > > = $cgiparams{'ROOTCERT_CITY'}; > > > + $vpnsettings{'ROOTCERT_STATE'} > > > = $cgiparams{'ROOTCERT_STATE'}; > > > + $vpnsettings{'ROOTCERT_COUNTRY'} > > > = > > > $cgiparams{'ROOTCERT_COUNTRY'}; > > > + &General::writehash("${General::swroot}/vpn/sett > > > ings > > > ", \%vpnsettings); > > > + > > > + # Replace empty strings with a . > > > + (my $ou = $cgiparams{'ROOTCERT_OU'}) =~ > > > s/^\s*$/\./; > > > + (my $city = $cgiparams{'ROOTCERT_CITY'}) =~ > > > s/^\s*$/\./; > > > + (my $state = $cgiparams{'ROOTCERT_STATE'}) =~ > > > s/^\s*$/\./; > > > + > > > + # Create the CA certificate > > > + if (!$errormessage) { > > > + &General::log("ipsec", "Creating > > > cacert..."); > > > + if (open(STDIN, "-|")) { > > > + my $opt = " req -x509 -sha256 > > > -nodes"; > > > + $opt .= " -days 999999"; > > > + $opt .= " -newkey rsa:4096"; > > > + $opt .= " -keyout > > > ${General::swroot}/private/cakey.pem"; > > > + $opt .= " -out > > > ${General::swroot}/ca/cacert.pem"; > > > + > > > + $errormessage = &callssl ($opt); > > > + } else { #child > > > + print > > > "$cgiparams{'ROOTCERT_COUNTRY'}\n"; > > > + print "$state\n"; > > > + print "$city\n"; > > > + print > > > "$cgiparams{'ROOTCERT_ORGANIZATION'}\n"; > > > + print "$ou\n"; > > > + print > > > "$cgiparams{'ROOTCERT_ORGANIZATION'} CA\n"; > > > + print > > > "$cgiparams{'ROOTCERT_EMAIL'}\n"; > > > + exit (0); > > > + } > > > + } > > > + > > > + # Create the Host certificate request > > > + if (!$errormessage) { > > > + &General::log("ipsec", "Creating host > > > cert..."); > > > + if (open(STDIN, "-|")) { > > > + my $opt = " req -sha256 -nodes"; > > > + $opt .= " -newkey rsa:2048"; > > > + $opt .= " -keyout > > > ${General::swroot}/certs/hostkey.pem"; > > > + $opt .= " -out > > > ${General::swroot}/certs/hostreq.pem"; > > > + $errormessage = &callssl ($opt); > > > + } else { #child > > > + print > > > "$cgiparams{'ROOTCERT_COUNTRY'}\n"; > > > + print "$state\n"; > > > + print "$city\n"; > > > + print > > > "$cgiparams{'ROOTCERT_ORGANIZATION'}\n"; > > > + print "$ou\n"; > > > + print > > > "$cgiparams{'ROOTCERT_HOSTNAME'}\n"; > > > + print > > > "$cgiparams{'ROOTCERT_EMAIL'}\n"; > > > + print ".\n"; > > > + print ".\n"; > > > + exit (0); > > > + } > > > + } > > > + > > > + # Sign the host certificate request > > > + if (!$errormessage) { > > > + &General::log("ipsec", "Self signing > > > host > > > cert..."); > > > + > > > + #No easy way for specifying the contain > > > of > > > subjectAltName without writing a config file... > > > + my ($fh, $v3extname) = tempfile > > > ('/tmp/XXXXXXXX'); > > > + print $fh <<END > > > + basicConstraints=CA:FALSE > > > + nsComment="OpenSSL Generated > > > Certificate" > > > + subjectKeyIdentifier=hash > > > + authorityKeyIdentifier=keyid,issuer:alwa > > > ys > > > + extendedKeyUsage = serverAuth > > > END > > > ; > > > - print $fh > > > "subjectAltName=$cgiparams{'SUBJECTALTNAME'}" > > > if ($cgiparams{'SUBJECTALTNAME'}); > > > - close ($fh); > > > - > > > - my $opt = " ca -md sha256 -days 999999"; > > > - $opt .= " -batch -notext"; > > > - $opt .= " -in > > > ${General::swroot}/certs/hostreq.pem"; > > > - $opt .= " -out > > > ${General::swroot}/certs/hostcert.pem"; > > > - $opt .= " -extfile $v3extname"; > > > - $errormessage = &callssl ($opt); > > > - unlink ("${General::swroot}/certs/hostreq.pem"); #no > > > more needed > > > - unlink ($v3extname); > > > - } > > > - > > > - # Create an empty CRL > > > - if (!$errormessage) { > > > - &General::log("ipsec", "Creating emptycrl..."); > > > - my $opt = " ca -gencrl"; > > > - $opt .= " -out > > > ${General::swroot}/crls/cacrl.pem"; > > > - $errormessage = &callssl ($opt); > > > - } > > > - > > > - # Successfully build CA / CERT! > > > - if (!$errormessage) { > > > - &cleanssldatabase(); > > > - goto ROOTCERT_SUCCESS; > > > - } > > > - > > > - #Cleanup > > > - unlink ("${General::swroot}/ca/cacert.pem"); > > > - unlink ("${General::swroot}/certs/hostkey.pem"); > > > - unlink ("${General::swroot}/certs/hostcert.pem"); > > > - unlink ("${General::swroot}/crls/cacrl.pem"); > > > - &cleanssldatabase(); > > > - } > > > - > > > - ROOTCERT_ERROR: > > > - &Header::showhttpheaders(); > > > - &Header::openpage($Lang::tr{'ipsec'}, 1, ''); > > > - &Header::openbigbox('100%', 'left', '', $errormessage); > > > - if ($errormessage) { > > > - &Header::openbox('100%', 'left', $Lang::tr{'error > > > messages'}); > > > - print "<class name='base'>$errormessage"; > > > - print " </class>"; > > > - &Header::closebox(); > > > - } > > > - &Header::openbox('100%', 'left', "$Lang::tr{'generate > > > root/host > > > certificates'}:"); > > > - print <<END > > > - <form method='post' enctype='multipart/form-data' > > > action='$ENV{'SCRIPT_NAME'}'> > > > - <table width='100%' border='0' cellspacing='1' > > > cellpadding='0'> > > > - <tr><td width='40%' class='base'>$Lang::tr{'organization > > > name'}: <img src='/blob.gif' alt='*' /></td> > > > - <td width='60%' class='base' nowrap='nowrap'><input > > > type='text' name='ROOTCERT_ORGANIZATION' > > > value='$cgiparams{'ROOTCERT_ORGANIZATION'}' size='32' > > > /></td></tr> > > > - <tr><td class='base'>$Lang::tr{'ipfires > > > hostname'}: <img > > > src='/blob.gif' alt='*' /></td> > > > - <td class='base' nowrap='nowrap'><input type='text' > > > name='ROOTCERT_HOSTNAME' value='$cgiparams{'ROOTCERT_HOSTNAME'}' > > > size='32' /></td></tr> > > > - <tr><td class='base'>$Lang::tr{'your e-mail'}:</td> > > > - <td class='base' nowrap='nowrap'><input type='text' > > > name='ROOTCERT_EMAIL' value='$cgiparams{'ROOTCERT_EMAIL'}' > > > size='32' > > > /></td></tr> > > > - <tr><td class='base'>$Lang::tr{'your department'}:</td> > > > - <td class='base' nowrap='nowrap'><input type='text' > > > name='ROOTCERT_OU' value='$cgiparams{'ROOTCERT_OU'}' size='32' > > > /></td></tr> > > > - <tr><td class='base'>$Lang::tr{'city'}:</td> > > > - <td class='base' nowrap='nowrap'><input type='text' > > > name='ROOTCERT_CITY' value='$cgiparams{'ROOTCERT_CITY'}' > > > size='32' > > > /></td></tr> > > > - <tr><td class='base'>$Lang::tr{'state or province'}:</td> > > > - <td class='base' nowrap='nowrap'><input type='text' > > > name='ROOTCERT_STATE' value='$cgiparams{'ROOTCERT_STATE'}' > > > size='32' > > > /></td></tr> > > > - <tr><td class='base'>$Lang::tr{'country'}:</td> > > > - <td class='base'><select name='ROOTCERT_COUNTRY'> > > > + print $fh > > > "subjectAltName=$cgiparams{'SUBJECTALTNAME'}" if > > > ($cgiparams{'SUBJECTALTNAME'}); > > > + close ($fh); > > > + > > > + my $opt = " ca -md sha256 -days 999999"; > > > + $opt .= " -batch -notext"; > > > + $opt .= " -in > > > ${General::swroot}/certs/hostreq.pem"; > > > + $opt .= " -out > > > ${General::swroot}/certs/hostcert.pem"; > > > + $opt .= " -extfile $v3extname"; > > > + $errormessage = &callssl ($opt); > > > + unlink > > > ("${General::swroot}/certs/hostreq.pem"); #no more needed > > > + unlink ($v3extname); > > > + } > > > + > > > + # Create an empty CRL > > > + if (!$errormessage) { > > > + &General::log("ipsec", "Creating > > > emptycrl..."); > > > + my $opt = " ca -gencrl"; > > > + $opt .= " -out > > > ${General::swroot}/crls/cacrl.pem"; > > > + $errormessage = &callssl ($opt); > > > + } > > > + > > > + # Successfully build CA / CERT! > > > + if (!$errormessage) { > > > + &cleanssldatabase(); > > > + goto ROOTCERT_SUCCESS; > > > + } > > > + > > > + #Cleanup > > > + unlink ("${General::swroot}/ca/cacert.pem"); > > > + unlink ("${General::swroot}/certs/hostkey.pem"); > > > + unlink > > > ("${General::swroot}/certs/hostcert.pem"); > > > + unlink ("${General::swroot}/crls/cacrl.pem"); > > > + &cleanssldatabase(); > > > + } > > > + > > > + ROOTCERT_ERROR: > > > + &Header::showhttpheaders(); > > > + &Header::openpage($Lang::tr{'ipsec'}, 1, ''); > > > + &Header::openbigbox('100%', 'left', '', $errormessage); > > > + if ($errormessage) { > > > + &Header::openbox('100%', 'left', > > > $Lang::tr{'error > > > messages'}); > > > + print "<class name='base'>$errormessage"; > > > + print " </class>"; > > > + &Header::closebox(); > > > + } > > > + &Header::openbox('100%', 'left', "$Lang::tr{'generate > > > root/host certificates'}:"); > > > + print <<END > > > + <form method='post' enctype='multipart/form-data' > > > action='$ENV{'SCRIPT_NAME'}'> > > > + <table width='100%' border='0' cellspacing='1' > > > cellpadding='0'> > > > + <tr><td width='40%' class='base'>$Lang::tr{'organization > > > name'}: <img src='/blob.gif' alt='*' /></td> > > > + <td width='60%' class='base' > > > nowrap='nowrap'><input > > > type='text' name='ROOTCERT_ORGANIZATION' > > > value='$cgiparams{'ROOTCERT_ORGANIZATION'}' size='32' > > > /></td></tr> > > > + <tr><td class='base'>$Lang::tr{'ipfires > > > hostname'}: <img src='/blob.gif' alt='*' /></td> > > > + <td class='base' nowrap='nowrap'><input > > > type='text' > > > name='ROOTCERT_HOSTNAME' value='$cgiparams{'ROOTCERT_HOSTNAME'}' > > > size='32' /></td></tr> > > > + <tr><td class='base'>$Lang::tr{'your e-mail'}:</td> > > > + <td class='base' nowrap='nowrap'><input > > > type='text' > > > name='ROOTCERT_EMAIL' value='$cgiparams{'ROOTCERT_EMAIL'}' > > > size='32' > > > /></td></tr> > > > + <tr><td class='base'>$Lang::tr{'your department'}:</td> > > > + <td class='base' nowrap='nowrap'><input > > > type='text' > > > name='ROOTCERT_OU' value='$cgiparams{'ROOTCERT_OU'}' size='32' > > > /></td></tr> > > > + <tr><td class='base'>$Lang::tr{'city'}:</td> > > > + <td class='base' nowrap='nowrap'><input > > > type='text' > > > name='ROOTCERT_CITY' value='$cgiparams{'ROOTCERT_CITY'}' > > > size='32' > > > /></td></tr> > > > + <tr><td class='base'>$Lang::tr{'state or > > > province'}:</td> > > > + <td class='base' nowrap='nowrap'><input > > > type='text' > > > name='ROOTCERT_STATE' value='$cgiparams{'ROOTCERT_STATE'}' > > > size='32' > > > /></td></tr> > > > + <tr><td class='base'>$Lang::tr{'country'}:</td> > > > + <td class='base'><select > > > name='ROOTCERT_COUNTRY'> > > > END > > > - ; > > > - foreach my $country (sort keys %{Countries::countries}) { > > > - print "<option value='$Countries::countries{$country}'"; > > > - if ( $Countries::countries{$country} eq > > > $cgiparams{'ROOTCERT_COUNTRY'} ) { > > > - print " selected='selected'"; > > > - } > > > - print ">$country</option>"; > > > - } > > > - print <<END > > > - </select></td></tr> > > > - <tr><td class='base'>$Lang::tr{'vpn subjectaltname'} > > > (subjectAltName=email:*,URI:*,DNS:*,RID:*)</td> > > > +; > > > + foreach my $country (sort keys %{Countries::countries}) > > > { > > > + print "<option > > > value='$Countries::countries{$country}'"; > > > + if ( $Countries::countries{$country} eq > > > $cgiparams{'ROOTCERT_COUNTRY'} ) { > > > + print " selected='selected'"; > > > + } > > > + print ">$country</option>"; > > > + } > > > + print <<END > > > + </select></td></tr> > > > + <tr><td class='base'>$Lang::tr{'vpn subjectaltname'} > > > (subjectAltName=email:*,URI:*,DNS:*,RID:*)</td> > > > <td class='base' nowrap='nowrap'><input type='text' > > > name='SUBJECTALTNAME' value='$cgiparams{'SUBJECTALTNAME'}' > > > size='32' > > > /></td></tr> > > > - <tr><td> </td> > > > - <td><br /><input type='submit' name='ACTION' > > > value='$Lang::tr{'generate root/host certificates'}' /><br /><br > > > /></td></tr> > > > - <tr><td class='base' colspan='2' align='left'> > > > - <b><font > > > color='${Header::colourred}'>$Lang::tr{'capswarning'}</font></b>: > > > - $Lang::tr{'generating the root and host certificates may > > > take a long time. it can take up to several minutes on older > > > hardware. please be patient'} > > > - </td></tr> > > > - <tr><td colspan='2'><hr></td></tr> > > > - <tr><td class='base' nowrap='nowrap'>$Lang::tr{'upload p12 > > > file'}:</td> > > > - <td nowrap='nowrap'><input type='file' name='FH' > > > size='32' > > > /></td></tr> > > > - <tr><td class='base'>$Lang::tr{'pkcs12 file password'}:</td> > > > - <td class='base' nowrap='nowrap'><input type='password' > > > name='P12_PASS' value='$cgiparams{'P12_PASS'}' size='32' > > > /></td></tr> > > > - <tr><td> </td> > > > - <td><input type='submit' name='ACTION' > > > value='$Lang::tr{'upload p12 file'}' /></td></tr> > > > - <tr><td class='base' colspan='2' align='left'> > > > - <img src='/blob.gif' alt='*' /> $Lang::tr{'required > > > field'}</td></tr> > > > - </table></form> > > > + <tr><td> </td> > > > + <td><br /><input type='submit' name='ACTION' > > > value='$Lang::tr{'generate root/host certificates'}' /><br /><br > > > /></td></tr> > > > + <tr><td class='base' colspan='2' align='left'> > > > + <b><font > > > color='${Header::colourred}'>$Lang::tr{'capswarning'}</font></b>: > > > + $Lang::tr{'generating the root and host > > > certificates > > > may take a long time. it can take up to several minutes on older > > > hardware. please be patient'} > > > + </td></tr> > > > + <tr><td colspan='2'><hr></td></tr> > > > + <tr><td class='base' nowrap='nowrap'>$Lang::tr{'upload > > > p12 > > > file'}:</td> > > > + <td nowrap='nowrap'><input type='file' name='FH' > > > size='32' /></td></tr> > > > + <tr><td class='base'>$Lang::tr{'pkcs12 file > > > password'}:</td> > > > + <td class='base' nowrap='nowrap'><input > > > type='password' name='P12_PASS' value='$cgiparams{'P12_PASS'}' > > > size='32' /></td></tr> > > > + <tr><td> </td> > > > + <td><input type='submit' name='ACTION' > > > value='$Lang::tr{'upload p12 file'}' /></td></tr> > > > + <tr><td class='base' colspan='2' align='left'> > > > + <img src='/blob.gif' alt='*' > > > /> $Lang::tr{'required field'}</td></tr> > > > + </table></form> > > > END > > > - ; > > > - &Header::closebox(); > > > - &Header::closebigbox(); > > > - &Header::closepage(); > > > - exit(0); > > > - > > > - ROOTCERT_SUCCESS: > > > - if (&vpnenabled) { > > > - system('/usr/local/bin/ipsecctrl', 'S'); > > > - sleep $sleepDelay; > > > - } > > > - ROOTCERT_SKIP: > > > +; > > > + &Header::closebox(); > > > + &Header::closebigbox(); > > > + &Header::closepage(); > > > + exit(0); > > > + > > > + ROOTCERT_SUCCESS: > > > + if (&vpnenabled) { > > > + system('/usr/local/bin/ipsecctrl', 'S'); > > > + sleep $sleepDelay; > > > + } > > > + ROOTCERT_SKIP: > > > ### > > > ### Export PKCS12 file to browser > > > ### > > > } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'download pkcs12 > > > file'}) > > > { > > > - &General::readhasharray("${General::swroot}/vpn/config", > > > \%confighash); > > > - print "Content-Type: application/force-download\n"; > > > - print "Content-Disposition: attachment; filename=" . > > > $confighash{$cgiparams{'KEY'}}[1] . ".p12\r\n"; > > > - print "Content-Type: application/octet-stream\r\n\r\n"; > > > - print `/bin/cat > > > ${General::swroot}/certs/$confighash{$cgiparams{'KEY'}}[1].p12`; > > > - exit (0); > > > + &General::readhasharray("${General::swroot}/vpn/config", > > > \%confighash); > > > + print "Content-Type: application/force-download\n"; > > > + print "Content-Disposition: attachment; filename=" . > > > $confighash{$cgiparams{'KEY'}}[1] . ".p12\r\n"; > > > + print "Content-Type: application/octet-stream\r\n\r\n"; > > > + print `/bin/cat > > > ${General::swroot}/certs/$confighash{$cgiparams{'KEY'}}[1].p12`; > > > + exit (0); > > > > > > ### > > > ### Display certificate > > > ### > > > } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'show certificate'}) > > > { > > > - &General::readhasharray("${General::swroot}/vpn/config", > > > \%confighash); > > > - > > > - if ( -f > > > "${General::swroot}/certs/$confighash{$cgiparams{'KEY'}}[1]cert.p > > > em") > > > { > > > - &Header::showhttpheaders(); > > > - &Header::openpage($Lang::tr{'ipsec'}, 1, ''); > > > - &Header::openbigbox('100%', 'left', '', ''); > > > - &Header::openbox('100%', 'left', "$Lang::tr{'cert'}:"); > > > - my $output = `/usr/bin/openssl x509 -text -in > > > ${General::swroot}/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pe > > > m`; > > > - $output = &Header::cleanhtml($output,"y"); > > > - print "<pre>$output</pre>\n"; > > > - &Header::closebox(); > > > - print "<div align='center'><a href='/cgi > > > -bin/vpnmain.cgi'>$Lang::tr{'back'}</a></div>"; > > > - &Header::closebigbox(); > > > - &Header::closepage(); > > > - exit(0); > > > - } > > > + &General::readhasharray("${General::swroot}/vpn/config", > > > \%confighash); > > > + > > > + if ( -f > > > "${General::swroot}/certs/$confighash{$cgiparams{'KEY'}}[1]cert.p > > > em") > > > { > > > + &Header::showhttpheaders(); > > > + &Header::openpage($Lang::tr{'ipsec'}, 1, ''); > > > + &Header::openbigbox('100%', 'left', '', ''); > > > + &Header::openbox('100%', 'left', > > > "$Lang::tr{'cert'}:"); > > > + my $output = `/usr/bin/openssl x509 -text -in > > > ${General::swroot}/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pe > > > m`; > > > + $output = &Header::cleanhtml($output,"y"); > > > + print "<pre>$output</pre>\n"; > > > + &Header::closebox(); > > > + print "<div align='center'><a href='/cgi > > > -bin/vpnmain.cgi'>$Lang::tr{'back'}</a></div>"; > > > + &Header::closebigbox(); > > > + &Header::closepage(); > > > + exit(0); > > > + } > > > > > > ### > > > ### Export Certificate to browser > > > ### > > > } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'download > > > certificate'}) > > > { > > > - &General::readhasharray("${General::swroot}/vpn/config", > > > \%confighash); > > > + &General::readhasharray("${General::swroot}/vpn/config", > > > \%confighash); > > > > > > - if ( -f > > > "${General::swroot}/certs/$confighash{$cgiparams{'KEY'}}[1]cert.p > > > em") > > > { > > > - print "Content-Type: application/force-download\n"; > > > - print "Content-Disposition: attachment; filename=" . > > > $confighash{$cgiparams{'KEY'}}[1] . "cert.pem\n\n"; > > > - print `/bin/cat > > > ${General::swroot}/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pe > > > m`; > > > - exit (0); > > > - } > > > + if ( -f > > > "${General::swroot}/certs/$confighash{$cgiparams{'KEY'}}[1]cert.p > > > em") > > > { > > > + print "Content-Type: application/force > > > -download\n"; > > > + print "Content-Disposition: attachment; > > > filename=" . > > > $confighash{$cgiparams{'KEY'}}[1] . "cert.pem\n\n"; > > > + print `/bin/cat > > > ${General::swroot}/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pe > > > m`; > > > + exit (0); > > > + } > > > > > > ### > > > ### Enable/Disable connection > > > ### > > > } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'toggle enable > > > disable'}) > > > { > > > - > > > - &General::readhash("${General::swroot}/vpn/settings", > > > \%vpnsettings); > > > - &General::readhasharray("${General::swroot}/vpn/config", > > > \%confighash); > > > - > > > - if ($confighash{$cgiparams{'KEY'}}) { > > > - if ($confighash{$cgiparams{'KEY'}}[0] eq 'off') { > > > - $confighash{$cgiparams{'KEY'}}[0] = 'on'; > > > - > > > &General::writehasharray("${General::swroot}/vpn/config", > > > \%confighash); > > > - &writeipsecfiles(); > > > - system('/usr/local/bin/ipsecctrl', 'S', > > > $cgiparams{'KEY'}) if (&vpnenabled); > > > + > > > + &General::readhash("${General::swroot}/vpn/settings", > > > \%vpnsettings); > > > + &General::readhasharray("${General::swroot}/vpn/config", > > > \%confighash); > > > + > > > + if ($confighash{$cgiparams{'KEY'}}) { > > > + if ($confighash{$cgiparams{'KEY'}}[0] eq 'off') > > > { > > > + $confighash{$cgiparams{'KEY'}}[0] = > > > 'on'; > > > + &General::writehasharray("${General::swr > > > oot} > > > /vpn/config", \%confighash); > > > + &writeipsecfiles(); > > > + system('/usr/local/bin/ipsecctrl', 'S', > > > $cgiparams{'KEY'}) if (&vpnenabled); > > > + } else { > > > + system('/usr/local/bin/ipsecctrl', 'D', > > > $cgiparams{'KEY'}) if (&vpnenabled); > > > + $confighash{$cgiparams{'KEY'}}[0] = > > > 'off'; > > > + &General::writehasharray("${General::swr > > > oot} > > > /vpn/config", \%confighash); > > > + &writeipsecfiles(); > > > + } > > > + sleep $sleepDelay; > > > } else { > > > - system('/usr/local/bin/ipsecctrl', 'D', > > > $cgiparams{'KEY'}) if (&vpnenabled); > > > - $confighash{$cgiparams{'KEY'}}[0] = 'off'; > > > - > > > &General::writehasharray("${General::swroot}/vpn/config", > > > \%confighash); > > > - &writeipsecfiles(); > > > + $errormessage = $Lang::tr{'invalid key'}; > > > } > > > - sleep $sleepDelay; > > > - } else { > > > - $errormessage = $Lang::tr{'invalid key'}; > > > - } > > > > > > ### > > > ### Restart connection > > > ### > > > } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'restart'}) { > > > - &General::readhash("${General::swroot}/vpn/settings", > > > \%vpnsettings); > > > - &General::readhasharray("${General::swroot}/vpn/config", > > > \%confighash); > > > + &General::readhash("${General::swroot}/vpn/settings", > > > \%vpnsettings); > > > + &General::readhasharray("${General::swroot}/vpn/config", > > > \%confighash); > > > > > > - if ($confighash{$cgiparams{'KEY'}}) { > > > - if (&vpnenabled) { > > > - system('/usr/local/bin/ipsecctrl', 'S', > > > $cgiparams{'KEY'}); > > > - sleep $sleepDelay; > > > + if ($confighash{$cgiparams{'KEY'}}) { > > > + if (&vpnenabled) { > > > + system('/usr/local/bin/ipsecctrl', 'S', > > > $cgiparams{'KEY'}); > > > + sleep $sleepDelay; > > > + } > > > + } else { > > > + $errormessage = $Lang::tr{'invalid key'}; > > > } > > > - } else { > > > - $errormessage = $Lang::tr{'invalid key'}; > > > - } > > > > > > ### > > > ### Remove connection > > > ### > > > } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'remove'}) { > > > - &General::readhash("${General::swroot}/vpn/settings", > > > \%vpnsettings); > > > - &General::readhasharray("${General::swroot}/vpn/config", > > > \%confighash); > > > - > > > - if ($confighash{$cgiparams{'KEY'}}) { > > > - system('/usr/local/bin/ipsecctrl', 'D', > > > $cgiparams{'KEY'}) > > > if (&vpnenabled); > > > - unlink > > > ("${General::swroot}/certs/$confighash{$cgiparams{'KEY'}}[1]cert. > > > pem" > > > ); > > > - unlink > > > ("${General::swroot}/certs/$confighash{$cgiparams{'KEY'}}[1].p12" > > > ); > > > - delete $confighash{$cgiparams{'KEY'}}; > > > - &General::writehasharray("${General::swroot}/vpn/config" > > > , > > > \%confighash); > > > - &writeipsecfiles(); > > > - } else { > > > - $errormessage = $Lang::tr{'invalid key'}; > > > - } > > > + &General::readhash("${General::swroot}/vpn/settings", > > > \%vpnsettings); > > > + &General::readhasharray("${General::swroot}/vpn/config", > > > \%confighash); > > > + > > > + if ($confighash{$cgiparams{'KEY'}}) { > > > + system('/usr/local/bin/ipsecctrl', 'D', > > > $cgiparams{'KEY'}) if (&vpnenabled); > > > + unlink > > > ("${General::swroot}/certs/$confighash{$cgiparams{'KEY'}}[1]cert. > > > pem" > > > ); > > > + unlink > > > ("${General::swroot}/certs/$confighash{$cgiparams{'KEY'}}[1].p12" > > > ); > > > + delete $confighash{$cgiparams{'KEY'}}; > > > + &General::writehasharray("${General::swroot}/vpn > > > /con > > > fig", \%confighash); > > > + &writeipsecfiles(); > > > + } else { > > > + $errormessage = $Lang::tr{'invalid key'}; > > > + } > > > &General::firewall_reload(); > > > ### > > > ### Choose between adding a host-net or net-net connection > > > @@ -1224,20 +1222,20 @@ END > > > &Header::openbigbox('100%', 'left', '', ''); > > > &Header::openbox('100%', 'left', $Lang::tr{'connection > > > type'}); > > > print <<END > > > - <form method='post' action='$ENV{'SCRIPT_NAME'}'> > > > - <b>$Lang::tr{'connection type'}:</b><br /> > > > - <table> > > > - <tr><td><input type='radio' name='TYPE' value='host' > > > checked='checked' /></td> > > > + <form method='post' > > > action='$ENV{'SCRIPT_NAME'}'> > > > + <b>$Lang::tr{'connection type'}:</b><br /> > > > + <table> > > > + <tr><td><input type='radio' name='TYPE' > > > value='host' > > > checked='checked' /></td> > > > <td class='base'>$Lang::tr{'host to net > > > vpn'}</td> > > > - </tr><tr> > > > + </tr><tr> > > > <td><input type='radio' name='TYPE' value='net' > > > /></td> > > > <td class='base'>$Lang::tr{'net to net > > > vpn'}</td> > > > - </tr><tr> > > > + </tr><tr> > > > <td align='center' colspan='2'><input > > > type='submit' > > > name='ACTION' value='$Lang::tr{'add'}' /></td> > > > - </tr> > > > - </table></form> > > > + </tr> > > > + </table></form> > > > END > > > - ; > > > +; > > > &Header::closebox(); > > > &Header::closebigbox(); > > > &Header::closepage(); > > > @@ -1246,512 +1244,512 @@ END > > > ### Adding/Editing/Saving a connection > > > ### > > > } elsif (($cgiparams{'ACTION'} eq $Lang::tr{'add'}) || > > > - ($cgiparams{'ACTION'} eq $Lang::tr{'edit'}) || > > > - ($cgiparams{'ACTION'} eq $Lang::tr{'save'} && > > > $cgiparams{'ADVANCED'} eq '')) { > > > - > > > - &General::readhash("${General::swroot}/vpn/settings", > > > \%vpnsettings); > > > - &General::readhasharray("${General::swroot}/vpn/caconfig", > > > \%cahash); > > > - &General::readhasharray("${General::swroot}/vpn/config", > > > \%confighash); > > > - > > > - if ($cgiparams{'ACTION'} eq $Lang::tr{'edit'}) { > > > - if (! $confighash{$cgiparams{'KEY'}}[0]) { > > > - $errormessage = $Lang::tr{'invalid key'}; > > > - goto VPNCONF_END; > > > - } > > > - $cgiparams{'ENABLED'} = > > > $confighash{$cgiparams{'KEY'}}[0]; > > > - $cgiparams{'NAME'} = > > > $confighash{$cgiparams{'KEY'}}[1]; > > > - $cgiparams{'TYPE'} = > > > $confighash{$cgiparams{'KEY'}}[3]; > > > - $cgiparams{'AUTH'} = > > > $confighash{$cgiparams{'KEY'}}[4]; > > > - $cgiparams{'PSK'} = > > > $confighash{$cgiparams{'KEY'}}[5]; > > > - #$cgiparams{'free'} = > > > $confighash{$cgiparams{'KEY'}}[6]; > > > - $cgiparams{'LOCAL_ID'} = > > > $confighash{$cgiparams{'KEY'}}[7]; > > > - $cgiparams{'LOCAL_SUBNET'} = > > > $confighash{$cgiparams{'KEY'}}[8]; > > > - $cgiparams{'REMOTE_ID'} = > > > $confighash{$cgiparams{'KEY'}}[9]; > > > - $cgiparams{'REMOTE'} = > > > $confighash{$cgiparams{'KEY'}}[10]; > > > - $cgiparams{'REMOTE_SUBNET'} = > > > $confighash{$cgiparams{'KEY'}}[11]; > > > - $cgiparams{'REMARK'} = > > > $confighash{$cgiparams{'KEY'}}[25]; > > > - $cgiparams{'DPD_ACTION'} = > > > $confighash{$cgiparams{'KEY'}}[27]; > > > - $cgiparams{'IKE_VERSION'} = > > > $confighash{$cgiparams{'KEY'}}[29]; > > > - $cgiparams{'IKE_ENCRYPTION'} = > > > $confighash{$cgiparams{'KEY'}}[18]; > > > - $cgiparams{'IKE_INTEGRITY'} = > > > $confighash{$cgiparams{'KEY'}}[19]; > > > - $cgiparams{'IKE_GROUPTYPE'} = > > > $confighash{$cgiparams{'KEY'}}[20]; > > > - $cgiparams{'IKE_LIFETIME'} = > > > $confighash{$cgiparams{'KEY'}}[16]; > > > - $cgiparams{'ESP_ENCRYPTION'} = > > > $confighash{$cgiparams{'KEY'}}[21]; > > > - $cgiparams{'ESP_INTEGRITY'} = > > > $confighash{$cgiparams{'KEY'}}[22]; > > > - $cgiparams{'ESP_GROUPTYPE'} = > > > $confighash{$cgiparams{'KEY'}}[23]; > > > - if ($cgiparams{'ESP_GROUPTYPE'} eq "") { > > > - $cgiparams{'ESP_GROUPTYPE'} = > > > $cgiparams{'IKE_GROUPTYPE'}; > > > - } > > > - $cgiparams{'ESP_KEYLIFE'} = > > > $confighash{$cgiparams{'KEY'}}[17]; > > > - $cgiparams{'COMPRESSION'} = > > > $confighash{$cgiparams{'KEY'}}[13]; > > > - $cgiparams{'ONLY_PROPOSED'} = > > > $confighash{$cgiparams{'KEY'}}[24]; > > > - $cgiparams{'PFS'} = > > > $confighash{$cgiparams{'KEY'}}[28]; > > > - $cgiparams{'DPD_TIMEOUT'} = > > > $confighash{$cgiparams{'KEY'}}[30]; > > > - $cgiparams{'DPD_DELAY'} = > > > $confighash{$cgiparams{'KEY'}}[31]; > > > - $cgiparams{'FORCE_MOBIKE'} = > > > $confighash{$cgiparams{'KEY'}}[32]; > > > + ($cgiparams{'ACTION'} eq $Lang::tr{'edit'}) || > > > + ($cgiparams{'ACTION'} eq $Lang::tr{'save'} && > > > $cgiparams{'ADVANCED'} eq '')) { > > > > > > - if (!$cgiparams{'DPD_DELAY'}) { > > > - $cgiparams{'DPD_DELAY'} = 30; > > > - } > > > + &General::readhash("${General::swroot}/vpn/settings", > > > \%vpnsettings); > > > + &General::readhasharray("${General::swroot}/vpn/caconfig > > > ", > > > \%cahash); > > > + &General::readhasharray("${General::swroot}/vpn/config", > > > \%confighash); > > > > > > - if (!$cgiparams{'DPD_TIMEOUT'}) { > > > - $cgiparams{'DPD_TIMEOUT'} = 120; > > > - } > > > + if ($cgiparams{'ACTION'} eq $Lang::tr{'edit'}) { > > > + if (! $confighash{$cgiparams{'KEY'}}[0]) { > > > + $errormessage = $Lang::tr{'invalid > > > key'}; > > > + goto VPNCONF_END; > > > + } > > > + $cgiparams{'ENABLED'} = > > > $confighash{$cgiparams{'KEY'}}[0]; > > > + $cgiparams{'NAME'} > > > = > > > $confighash{$cgiparams{'KEY'}}[1]; > > > + $cgiparams{'TYPE'} > > > = > > > $confighash{$cgiparams{'KEY'}}[3]; > > > + $cgiparams{'AUTH'} > > > = > > > $confighash{$cgiparams{'KEY'}}[4]; > > > + $cgiparams{'PSK'} > > > = > > > $confighash{$cgiparams{'KEY'}}[5]; > > > + #$cgiparams{'free'} > > > = > > > $confighash{$cgiparams{'KEY'}}[6]; > > > + $cgiparams{'LOCAL_ID'} = > > > $confighash{$cgiparams{'KEY'}}[7]; > > > + $cgiparams{'LOCAL_SUBNET'} = > > > $confighash{$cgiparams{'KEY'}}[8]; > > > + $cgiparams{'REMOTE_ID'} = > > > $confighash{$cgiparams{'KEY'}}[9]; > > > + $cgiparams{'REMOTE'} = > > > $confighash{$cgiparams{'KEY'}}[10]; > > > + $cgiparams{'REMOTE_SUBNET'} = > > > $confighash{$cgiparams{'KEY'}}[11]; > > > + $cgiparams{'REMARK'} = > > > $confighash{$cgiparams{'KEY'}}[25]; > > > + $cgiparams{'DPD_ACTION'} = > > > $confighash{$cgiparams{'KEY'}}[27]; > > > + $cgiparams{'IKE_VERSION'} = > > > $confighash{$cgiparams{'KEY'}}[29]; > > > + $cgiparams{'IKE_ENCRYPTION'} = > > > $confighash{$cgiparams{'KEY'}}[18]; > > > + $cgiparams{'IKE_INTEGRITY'} = > > > $confighash{$cgiparams{'KEY'}}[19]; > > > + $cgiparams{'IKE_GROUPTYPE'} = > > > $confighash{$cgiparams{'KEY'}}[20]; > > > + $cgiparams{'IKE_LIFETIME'} = > > > $confighash{$cgiparams{'KEY'}}[16]; > > > + $cgiparams{'ESP_ENCRYPTION'} = > > > $confighash{$cgiparams{'KEY'}}[21]; > > > + $cgiparams{'ESP_INTEGRITY'} = > > > $confighash{$cgiparams{'KEY'}}[22]; > > > + $cgiparams{'ESP_GROUPTYPE'} = > > > $confighash{$cgiparams{'KEY'}}[23]; > > > + if ($cgiparams{'ESP_GROUPTYPE'} eq "") { > > > + $cgiparams{'ESP_GROUPTYPE'} = > > > $cgiparams{'IKE_GROUPTYPE'}; > > > + } > > > + $cgiparams{'ESP_KEYLIFE'} = > > > $confighash{$cgiparams{'KEY'}}[17]; > > > + $cgiparams{'COMPRESSION'} = > > > $confighash{$cgiparams{'KEY'}}[13]; > > > + $cgiparams{'ONLY_PROPOSED'} = > > > $confighash{$cgiparams{'KEY'}}[24]; > > > + $cgiparams{'PFS'} > > > = > > > $confighash{$cgiparams{'KEY'}}[28]; > > > + $cgiparams{'DPD_TIMEOUT'} = > > > $confighash{$cgiparams{'KEY'}}[30]; > > > + $cgiparams{'DPD_DELAY'} = > > > $confighash{$cgiparams{'KEY'}}[31]; > > > + $cgiparams{'FORCE_MOBIKE'} = > > > $confighash{$cgiparams{'KEY'}}[32]; > > > + > > > + if (!$cgiparams{'DPD_DELAY'}) { > > > + $cgiparams{'DPD_DELAY'} = 30; > > > + } > > > > > > - } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'save'}) { > > > - $cgiparams{'REMARK'} = > > > &Header::cleanhtml($cgiparams{'REMARK'}); > > > - if ($cgiparams{'TYPE'} !~ /^(host|net)$/) { > > > - $errormessage = $Lang::tr{'connection type is > > > invalid'}; > > > - goto VPNCONF_ERROR; > > > - } > > > + if (!$cgiparams{'DPD_TIMEOUT'}) { > > > + $cgiparams{'DPD_TIMEOUT'} = 120; > > > + } > > > > > > - if ($cgiparams{'NAME'} !~ /^[a-zA-Z0-9]+$/) { > > > - $errormessage = $Lang::tr{'name must only contain > > > characters'}; > > > - goto VPNCONF_ERROR; > > > - } > > > + } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'save'}) { > > > + $cgiparams{'REMARK'} = > > > &Header::cleanhtml($cgiparams{'REMARK'}); > > > + if ($cgiparams{'TYPE'} !~ /^(host|net)$/) { > > > + $errormessage = $Lang::tr{'connection > > > type > > > is invalid'}; > > > + goto VPNCONF_ERROR; > > > + } > > > > > > - if ($cgiparams{'NAME'} =~ > > > /^(host|01|block|private|clear|packetdefault)$/) { > > > - $errormessage = $Lang::tr{'name is invalid'}; > > > - goto VPNCONF_ERROR; > > > - } > > > + if ($cgiparams{'NAME'} !~ /^[a-zA-Z0-9]+$/) { > > > + $errormessage = $Lang::tr{'name must > > > only > > > contain characters'}; > > > + goto VPNCONF_ERROR; > > > + } > > > > > > - if (length($cgiparams{'NAME'}) >60) { > > > - $errormessage = $Lang::tr{'name too long'}; > > > - goto VPNCONF_ERROR; > > > - } > > > + if ($cgiparams{'NAME'} =~ > > > /^(host|01|block|private|clear|packetdefault)$/) { > > > + $errormessage = $Lang::tr{'name is > > > invalid'}; > > > + goto VPNCONF_ERROR; > > > + } > > > > > > - # Check if there is no other entry with this name > > > - if (! $cgiparams{'KEY'}) { #only for add > > > - foreach my $key (keys %confighash) { > > > - if ($confighash{$key}[1] eq $cgiparams{'NAME'}) > > > { > > > - $errormessage = $Lang::tr{'a connection with > > > this name already exists'}; > > > - goto VPNCONF_ERROR; > > > + if (length($cgiparams{'NAME'}) >60) { > > > + $errormessage = $Lang::tr{'name too > > > long'}; > > > + goto VPNCONF_ERROR; > > > } > > > - } > > > - } > > > > > > - if (($cgiparams{'TYPE'} eq 'net') && (! > > > $cgiparams{'REMOTE'})) { > > > - $errormessage = $Lang::tr{'invalid input for remote > > > host/ip'}; > > > - goto VPNCONF_ERROR; > > > - } > > > + # Check if there is no other entry with this > > > name > > > + if (! $cgiparams{'KEY'}) { #only for add > > > + foreach my $key (keys %confighash) { > > > + if ($confighash{$key}[1] eq > > > $cgiparams{'NAME'}) { > > > + $errormessage = > > > $Lang::tr{'a > > > connection with this name already exists'}; > > > + goto VPNCONF_ERROR; > > > + } > > > + } > > > + } > > > > > > - if ($cgiparams{'REMOTE'}) { > > > - if (($cgiparams{'REMOTE'} ne '%any') && (! > > > &General::validip($cgiparams{'REMOTE'}))) { > > > - if (! &General::validfqdn > > > ($cgiparams{'REMOTE'})) { > > > - $errormessage = $Lang::tr{'invalid input for > > > remote host/ip'}; > > > - goto VPNCONF_ERROR; > > > - } else { > > > - if (&valid_dns_host($cgiparams{'REMOTE'})) { > > > - $warnmessage = "$Lang::tr{'check vpn > > > lr'} > > > $cgiparams{'REMOTE'}. $Lang::tr{'dns check failed'}"; > > > - } > > > + if (($cgiparams{'TYPE'} eq 'net') && (! > > > $cgiparams{'REMOTE'})) { > > > + $errormessage = $Lang::tr{'invalid input > > > for > > > remote host/ip'}; > > > + goto VPNCONF_ERROR; > > > } > > > - } > > > - } > > > > > > - unless > > > (&General::validipandmask($cgiparams{'LOCAL_SUBNET'})) { > > > - $errormessage = $Lang::tr{'local subnet is > > > invalid'}; > > > - goto VPNCONF_ERROR; > > > - } > > > + if ($cgiparams{'REMOTE'}) { > > > + if (($cgiparams{'REMOTE'} ne '%any') && > > > (! > > > &General::validip($cgiparams{'REMOTE'}))) { > > > + if (! &General::validfqdn > > > ($cgiparams{'REMOTE'})) { > > > + $errormessage = > > > $Lang::tr{'invalid input for remote host/ip'}; > > > + goto VPNCONF_ERROR; > > > + } else { > > > + if > > > (&valid_dns_host($cgiparams{'REMOTE'})) { > > > + $warnmessage = > > > "$Lang::tr{'check vpn lr'} $cgiparams{'REMOTE'}. $Lang::tr{'dns > > > check > > > failed'}"; > > > + } > > > + } > > > + } > > > + } > > > > > > - # Allow only one roadwarrior/psk without remote IP > > > -address > > > - if ($cgiparams{'REMOTE'} eq '' && $cgiparams{'AUTH'} eq > > > 'psk') { > > > - foreach my $key (keys %confighash) { > > > - if ( ($cgiparams{'KEY'} ne $key) && > > > - ($confighash{$key}[4] eq 'psk') && > > > - ($confighash{$key}[10] eq '') ) { > > > - $errormessage = $Lang::tr{'you can only > > > define one roadwarrior connection when using pre-shared key > > > authentication'}; > > > + unless > > > (&General::validipandmask($cgiparams{'LOCAL_SUBNET'})) { > > > + $errormessage = $Lang::tr{'local subnet > > > is > > > invalid'}; > > > goto VPNCONF_ERROR; > > > } > > > - } > > > - } > > > - if (($cgiparams{'TYPE'} eq 'net') && (! > > > &General::validipandmask($cgiparams{'REMOTE_SUBNET'}))) { > > > - $errormessage = $Lang::tr{'remote subnet is > > > invalid'}; > > > - goto VPNCONF_ERROR; > > > - } > > > > > > - if ($cgiparams{'ENABLED'} !~ /^(on|off)$/) { > > > - $errormessage = $Lang::tr{'invalid input'}; > > > - goto VPNCONF_ERROR; > > > - } > > > - if ($cgiparams{'EDIT_ADVANCED'} !~ /^(on|off)$/) { > > > - $errormessage = $Lang::tr{'invalid input'}; > > > - goto VPNCONF_ERROR; > > > - } > > > + # Allow only one roadwarrior/psk without remote > > > IP > > > -address > > > + if ($cgiparams{'REMOTE'} eq '' && > > > $cgiparams{'AUTH'} > > > eq 'psk') { > > > + foreach my $key (keys %confighash) { > > > + if ( ($cgiparams{'KEY'} ne $key) > > > && > > > + ($confighash{$key}[4] eq > > > 'psk') && > > > + ($confighash{$key}[10] > > > eq > > > '') ) { > > > + $errormessage = > > > $Lang::tr{'you can only define one roadwarrior connection when > > > using > > > pre-shared key authentication'}; > > > + goto VPNCONF_ERROR; > > > + } > > > + } > > > + } > > > + if (($cgiparams{'TYPE'} eq 'net') && (! > > > &General::validipandmask($cgiparams{'REMOTE_SUBNET'}))) { > > > + $errormessage = $Lang::tr{'remote subnet > > > is > > > invalid'}; > > > + goto VPNCONF_ERROR; > > > + } > > > > > > - # Allow nothing or a string (DN,FDQN,) beginning with @ > > > - # with no comma but slashes between RID eg > > > @O=FR/C=Paris/OU=myhome/CN=franck > > > - if ( ($cgiparams{'LOCAL_ID'} !~ /^(|[\w.-]*@[\w. =*\/ > > > -]+|\d+\.\d+\.\d+\.\d+)$/) || > > > - ($cgiparams{'REMOTE_ID'} !~ /^(|[\w.-]*@[\w. =*\/ > > > -]+|\d+\.\d+\.\d+\.\d+)$/) || > > > - (($cgiparams{'REMOTE_ID'} eq $cgiparams{'LOCAL_ID'}) > > > && > > > ($cgiparams{'LOCAL_ID'} ne '')) > > > - ) { > > > - $errormessage = $Lang::tr{'invalid local-remote id'} > > > . > > > '<br />' . > > > - 'DER_ASN1_DN: @c=FR/ou=Paris/ou=Home/cn=*<br />' . > > > - 'FQDN: @ipfire.org<br />' . > > > - 'USER_FQDN: info(a)ipfire.org<br />' . > > > - 'IPV4_ADDR: 123.123.123.123'; > > > - goto VPNCONF_ERROR; > > > - } > > > - # If Auth is DN, verify existance of Remote ID. > > > - if ( $cgiparams{'REMOTE_ID'} eq '' && ( > > > - $cgiparams{'AUTH'} eq 'auth-dn'|| > > > # while creation > > > - $confighash{$cgiparams{'KEY'}}[2] eq '%auth > > > -dn')){ # > > > while editing > > > - $errormessage = $Lang::tr{'vpn missing remote id'}; > > > - goto VPNCONF_ERROR; > > > - } > > > + if ($cgiparams{'ENABLED'} !~ /^(on|off)$/) { > > > + $errormessage = $Lang::tr{'invalid > > > input'}; > > > + goto VPNCONF_ERROR; > > > + } > > > + if ($cgiparams{'EDIT_ADVANCED'} !~ /^(on|off)$/) > > > { > > > + $errormessage = $Lang::tr{'invalid > > > input'}; > > > + goto VPNCONF_ERROR; > > > + } > > > > > > - if ($cgiparams{'TYPE'} eq 'net'){ > > > - $warnmessage=&General::checksubnets('',$cgiparam > > > s{'R > > > EMOTE_SUBNET'},'ipsec'); > > > - if ($warnmessage ne ''){ > > > - $warnmessage=$Lang::tr{'remote > > > subnet'}." > > > ($cgiparams{'REMOTE_SUBNET'}) <br>".$warnmessage; > > > + # Allow nothing or a string (DN,FDQN,) beginning > > > with @ > > > + # with no comma but slashes between RID eg > > > @O=FR/C=Paris/OU=myhome/CN=franck > > > + if ( ($cgiparams{'LOCAL_ID'} !~ /^(|[\w.-]*@[\w. > > > =*\/-]+|\d+\.\d+\.\d+\.\d+)$/) || > > > + ($cgiparams{'REMOTE_ID'} !~ /^(|[\w. > > > -]*@[\w. > > > =*\/-]+|\d+\.\d+\.\d+\.\d+)$/) || > > > + (($cgiparams{'REMOTE_ID'} eq > > > $cgiparams{'LOCAL_ID'}) && ($cgiparams{'LOCAL_ID'} ne '')) > > > + ) { > > > + $errormessage = $Lang::tr{'invalid local > > > -remote id'} . '<br />' . > > > + 'DER_ASN1_DN: > > > @c=FR/ou=Paris/ou=Home/cn=*<br > > > />' . > > > + 'FQDN: @ipfire.org<br />' . > > > + 'USER_FQDN: info(a)ipfire.org<br />' . > > > + 'IPV4_ADDR: 123.123.123.123'; > > > + goto VPNCONF_ERROR; > > > + } > > > + # If Auth is DN, verify existance of Remote ID. > > > + if ( $cgiparams{'REMOTE_ID'} eq '' && ( > > > + $cgiparams{'AUTH'} eq 'auth-dn'|| # > > > while > > > creation > > > + $confighash{$cgiparams{'KEY'}}[2] eq > > > '%auth > > > -dn')){ # while editing > > > + $errormessage = $Lang::tr{'vpn > > > missing remote id'}; > > > + goto VPNCONF_ERROR; > > > } > > > - } > > > > > > - if ($cgiparams{'AUTH'} eq 'psk') { > > > - if (! length($cgiparams{'PSK'}) ) { > > > - $errormessage = $Lang::tr{'pre-shared key is too > > > short'}; > > > - goto VPNCONF_ERROR; > > > - } > > > - if ($cgiparams{'PSK'} =~ /'/) { > > > - $cgiparams{'PSK'} =~ tr/'/ /; > > > - $errormessage = $Lang::tr{'invalid characters > > > found > > > in pre-shared key'}; > > > - goto VPNCONF_ERROR; > > > - } > > > + if ($cgiparams{'TYPE'} eq 'net'){ > > > + $warnmessage=&General::checksubnets('',$ > > > cgip > > > arams{'REMOTE_SUBNET'},'ipsec'); > > > + if ($warnmessage ne ''){ > > > + $warnmessage=$Lang::tr{'remote > > > subnet'}." ($cgiparams{'REMOTE_SUBNET'}) <br>".$warnmessage; > > > + } > > > + } > > > + > > > + if ($cgiparams{'AUTH'} eq 'psk') { > > > + if (! length($cgiparams{'PSK'}) ) { > > > + $errormessage = $Lang::tr{'pre > > > -shared key is too short'}; > > > + goto VPNCONF_ERROR; > > > + } > > > + if ($cgiparams{'PSK'} =~ /'/) { > > > + $cgiparams{'PSK'} =~ tr/'/ /; > > > + $errormessage = > > > $Lang::tr{'invalid > > > characters found in pre-shared key'}; > > > + goto VPNCONF_ERROR; > > > + } > > > } elsif ($cgiparams{'AUTH'} eq 'certreq') { > > > - if ($cgiparams{'KEY'}) { > > > - $errormessage = $Lang::tr{'cant change > > > certificates'}; > > > - goto VPNCONF_ERROR; > > > - } > > > - if (ref ($cgiparams{'FH'}) ne 'Fh') { > > > - $errormessage = $Lang::tr{'there was no file > > > upload'}; > > > - goto VPNCONF_ERROR; > > > - } > > > + if ($cgiparams{'KEY'}) { > > > + $errormessage = $Lang::tr{'cant change > > > certificates'}; > > > + goto VPNCONF_ERROR; > > > + } > > > + if (ref ($cgiparams{'FH'}) ne 'Fh') { > > > + $errormessage = $Lang::tr{'there was no > > > file > > > upload'}; > > > + goto VPNCONF_ERROR; > > > + } > > > > > > - # Move uploaded certificate request to a temporary > > > file > > > - (my $fh, my $filename) = tempfile( ); > > > - if (copy ($cgiparams{'FH'}, $fh) != 1) { > > > - $errormessage = $!; > > > - goto VPNCONF_ERROR; > > > - } > > > + # Move uploaded certificate request to a > > > temporary > > > file > > > + (my $fh, my $filename) = tempfile( ); > > > + if (copy ($cgiparams{'FH'}, $fh) != 1) { > > > + $errormessage = $!; > > > + goto VPNCONF_ERROR; > > > + } > > > > > > - # Sign the certificate request > > > - &General::log("ipsec", "Signing your cert > > > $cgiparams{'NAME'}..."); > > > - my $opt = " ca -md sha256 -days > > > 999999"; > > > + # Sign the certificate request > > > + &General::log("ipsec", "Signing your cert > > > $cgiparams{'NAME'}..."); > > > + my $opt = " ca -md sha256 -days 999999"; > > > $opt .= " -batch -notext"; > > > $opt .= " -in $filename"; > > > $opt .= " -out > > > ${General::swroot}/certs/$cgiparams{'NAME'}cert.pem"; > > > > > > - if ( $errormessage = &callssl ($opt) ) { > > > - unlink ($filename); > > > - unlink > > > ("${General::swroot}/certs/$cgiparams{'NAME'}cert.pem"); > > > - &cleanssldatabase(); > > > - goto VPNCONF_ERROR; > > > - } else { > > > - unlink ($filename); > > > - &cleanssldatabase(); > > > - } > > > - > > > - $cgiparams{'CERT_NAME'} = getCNfromcert > > > ("${General::swroot}/certs/$cgiparams{'NAME'}cert.pem"); > > > - if ($cgiparams{'CERT_NAME'} eq '') { > > > - $errormessage = $Lang::tr{'could not retrieve > > > common > > > name from certificate'}; > > > - goto VPNCONF_ERROR; > > > - } > > > + if ( $errormessage = &callssl ($opt) ) { > > > + unlink ($filename); > > > + unlink > > > ("${General::swroot}/certs/$cgiparams{'NAME'}cert.pem"); > > > + &cleanssldatabase(); > > > + goto VPNCONF_ERROR; > > > + } else { > > > + unlink ($filename); > > > + &cleanssldatabase(); > > > + } > > > + > > > + $cgiparams{'CERT_NAME'} = getCNfromcert > > > ("${General::swroot}/certs/$cgiparams{'NAME'}cert.pem"); > > > + if ($cgiparams{'CERT_NAME'} eq '') { > > > + $errormessage = $Lang::tr{'could not > > > retrieve common name from certificate'}; > > > + goto VPNCONF_ERROR; > > > + } > > > } elsif ($cgiparams{'AUTH'} eq 'pkcs12') { > > > &General::log("ipsec", "Importing from p12..."); > > > > > > if (ref ($cgiparams{'FH'}) ne 'Fh') { > > > - $errormessage = $Lang::tr{'there was no file > > > upload'}; > > > - goto ROOTCERT_ERROR; > > > + $errormessage = $Lang::tr{'there was no > > > file > > > upload'}; > > > + goto ROOTCERT_ERROR; > > > } > > > > > > # Move uploaded certificate request to a > > > temporary > > > file > > > (my $fh, my $filename) = tempfile( ); > > > if (copy ($cgiparams{'FH'}, $fh) != 1) { > > > - $errormessage = $!; > > > - goto ROOTCERT_ERROR; > > > + $errormessage = $!; > > > + goto ROOTCERT_ERROR; > > > } > > > > > > # Extract the CA certificate from the file > > > &General::log("ipsec", "Extracting caroot from > > > p12..."); > > > if (open(STDIN, "-|")) { > > > - my $opt = " pkcs12 -cacerts > > > -nokeys"; > > > + my $opt = " pkcs12 -cacerts -nokeys"; > > > $opt .= " -in $filename"; > > > $opt .= " -out /tmp/newcacert"; > > > - $errormessage = &callssl ($opt); > > > - } else { #child > > > - print "$cgiparams{'P12_PASS'}\n"; > > > - exit (0); > > > - } > > > - > > > - # Extract the Host certificate from the file > > > - if (!$errormessage) { > > > - &General::log("ipsec", "Extracting host cert > > > from p12..."); > > > - if (open(STDIN, "-|")) { > > > - my $opt = " pkcs12 -clcerts > > > -nokeys"; > > > - $opt .= " -in $filename"; > > > - $opt .= " -out /tmp/newhostcert"; > > > $errormessage = &callssl ($opt); > > > - } else { #child > > > + } else { #child > > > print "$cgiparams{'P12_PASS'}\n"; > > > exit (0); > > > - } > > > - } > > > - > > > - if (!$errormessage) { > > > - &General::log("ipsec", "Moving cacert..."); > > > - #If CA have new subject, add it to our list > > > of > > > CA > > > - my $casubject = > > > &Header::cleanhtml(getsubjectfromcert ('/tmp/newcacert')); > > > - my @names; > > > - foreach my $x (keys %cahash) { > > > - $casubject='' if ($cahash{$x}[1] eq > > > $casubject); > > > - unshift (@names,$cahash{$x}[0]); > > > - } > > > - if ($casubject) { # a new one! > > > - my $temp = `/usr/bin/openssl x509 -text > > > -in > > > /tmp/newcacert`; > > > - if ($temp !~ /CA:TRUE/i) { > > > - $errormessage = $Lang::tr{'not a > > > valid > > > ca certificate'}; > > > - } else { > > > - #compute a name for it > > > - my $idx=0; > > > - while (grep(/Imported-$idx/, @names) > > > ) > > > {$idx++}; > > > - $cgiparams{'CA_NAME'}="Imported > > > -$idx"; > > > - > > > $cgiparams{'CERT_NAME'}=&Header::cleanhtml(getCNfromcert > > > ('/tmp/newhostcert')); > > > - move("/tmp/newcacert", > > > "${General::swroot}/ca/$cgiparams{'CA_NAME'}cert.pem"); > > > - $errormessage = > > > "$Lang::tr{'certificate > > > file move failed'}: $!" if ($? ne 0); > > > - if (!$errormessage) { > > > - my $key = > > > &General::findhasharraykey > > > (\%cahash); > > > - $cahash{$key}[0] = > > > $cgiparams{'CA_NAME'}; > > > - $cahash{$key}[1] = $casubject; > > > - &General::writehasharray("${Gene > > > ral: > > > :swroot}/vpn/caconfig", \%cahash); > > > - system('/usr/local/bin/ipsecctrl > > > ', > > > 'R'); > > > - } > > > - } > > > - } > > > + } > > > + > > > + # Extract the Host certificate from the file > > > + if (!$errormessage) { > > > + &General::log("ipsec", "Extracting host > > > cert > > > from p12..."); > > > + if (open(STDIN, "-|")) { > > > + my $opt = " pkcs12 -clcerts > > > -nokeys"; > > > + $opt .= " -in $filename"; > > > + $opt .= " -out > > > /tmp/newhostcert"; > > > + $errormessage = &callssl ($opt); > > > + } else { #child > > > + print > > > "$cgiparams{'P12_PASS'}\n"; > > > + exit (0); > > > + } > > > + } > > > + > > > + if (!$errormessage) { > > > + &General::log("ipsec", "Moving > > > cacert..."); > > > + #If CA have new subject, add it to our > > > list > > > of CA > > > + my $casubject = > > > &Header::cleanhtml(getsubjectfromcert ('/tmp/newcacert')); > > > + my @names; > > > + foreach my $x (keys %cahash) { > > > + $casubject='' if ($cahash{$x}[1] > > > eq > > > $casubject); > > > + unshift (@names,$cahash{$x}[0]); > > > + } > > > + if ($casubject) { # a new one! > > > + my $temp = `/usr/bin/openssl > > > x509 > > > -text -in /tmp/newcacert`; > > > + if ($temp !~ /CA:TRUE/i) { > > > + $errormessage = > > > $Lang::tr{'not a valid ca certificate'}; > > > + } else { > > > + #compute a name for it > > > + my $idx=0; > > > + while (grep(/Imported > > > -$idx/, > > > @names) ) {$idx++}; > > > + $cgiparams{'CA_NAME'}="I > > > mpor > > > ted-$idx"; > > > + $cgiparams{'CERT_NAME'}= > > > &Hea > > > der::cleanhtml(getCNfromcert ('/tmp/newhostcert')); > > > + move("/tmp/newcacert", > > > "${General::swroot}/ca/$cgiparams{'CA_NAME'}cert.pem"); > > > + $errormessage = > > > "$Lang::tr{'certificate file move failed'}: $!" if ($? ne 0); > > > + if (!$errormessage) { > > > + my $key = > > > &General::findhasharraykey (\%cahash); > > > + $cahash{$key}[0] > > > = > > > $cgiparams{'CA_NAME'}; > > > + $cahash{$key}[1] > > > = > > > $casubject; > > > + &General::writeh > > > asha > > > rray("${General::swroot}/vpn/caconfig", \%cahash); > > > + system('/usr/loc > > > al/b > > > in/ipsecctrl', 'R'); > > > + } > > > + } > > > + } > > > } > > > if (!$errormessage) { > > > - &General::log("ipsec", "Moving host > > > cert..."); > > > - move("/tmp/newhostcert", > > > "${General::swroot}/certs/$cgiparams{'NAME'}cert.pem"); > > > - $errormessage = "$Lang::tr{'certificate file > > > move failed'}: $!" if ($? ne 0); > > > - } > > > + &General::log("ipsec", "Moving host > > > cert..."); > > > + move("/tmp/newhostcert", > > > "${General::swroot}/certs/$cgiparams{'NAME'}cert.pem"); > > > + $errormessage = "$Lang::tr{'certificate > > > file > > > move failed'}: $!" if ($? ne 0); > > > + } > > > > > > #cleanup temp files > > > unlink ($filename); > > > unlink ('/tmp/newcacert'); > > > unlink ('/tmp/newhostcert'); > > > if ($errormessage) { > > > - unlink > > > ("${General::swroot}/ca/$cgiparams{'CA_NAME'}cert.pem"); > > > - unlink > > > ("${General::swroot}/certs/$cgiparams{'NAME'}cert.pem"); > > > - goto VPNCONF_ERROR; > > > + unlink > > > ("${General::swroot}/ca/$cgiparams{'CA_NAME'}cert.pem"); > > > + unlink > > > ("${General::swroot}/certs/$cgiparams{'NAME'}cert.pem"); > > > + goto VPNCONF_ERROR; > > > } > > > &General::log("ipsec", "p12 import completed!"); > > > } elsif ($cgiparams{'AUTH'} eq 'certfile') { > > > - if ($cgiparams{'KEY'}) { > > > - $errormessage = $Lang::tr{'cant change > > > certificates'}; > > > - goto VPNCONF_ERROR; > > > - } > > > - if (ref ($cgiparams{'FH'}) ne 'Fh') { > > > - $errormessage = $Lang::tr{'there was no file > > > upload'}; > > > - goto VPNCONF_ERROR; > > > - } > > > - # Move uploaded certificate to a temporary file > > > - (my $fh, my $filename) = tempfile( ); > > > - if (copy ($cgiparams{'FH'}, $fh) != 1) { > > > - $errormessage = $!; > > > - goto VPNCONF_ERROR; > > > - } > > > - > > > - # Verify the certificate has a valid CA and move it > > > - &General::log("ipsec", "Validating imported cert > > > against > > > our known CA..."); > > > - my $validca = 1; #assume ok > > > - my $test = `/usr/bin/openssl verify -CAfile > > > ${General::swroot}/ca/cacert.pem $filename`; > > > - if ($test !~ /: OK/) { > > > - my $validca = 0; > > > - foreach my $key (keys %cahash) { > > > - $test = `/usr/bin/openssl verify -CAfile > > > ${General::swroot}/ca/$cahash{$key}[0]cert.pem $filename`; > > > - if ($test =~ /: OK/) { > > > - $validca = 1; > > > - last; > > > - } > > > - } > > > - } > > > - if (! $validca) { > > > - $errormessage = $Lang::tr{'certificate does not > > > have > > > a valid ca associated with it'}; > > > - unlink ($filename); > > > - goto VPNCONF_ERROR; > > > - } else { > > > - move($filename, > > > "${General::swroot}/certs/$cgiparams{'NAME'}cert.pem"); > > > - if ($? ne 0) { > > > - $errormessage = "$Lang::tr{'certificate file > > > move failed'}: $!"; > > > - unlink ($filename); > > > - goto VPNCONF_ERROR; > > > + if ($cgiparams{'KEY'}) { > > > + $errormessage = $Lang::tr{'cant change > > > certificates'}; > > > + goto VPNCONF_ERROR; > > > + } > > > + if (ref ($cgiparams{'FH'}) ne 'Fh') { > > > + $errormessage = $Lang::tr{'there was no > > > file > > > upload'}; > > > + goto VPNCONF_ERROR; > > > + } > > > + # Move uploaded certificate to a temporary file > > > + (my $fh, my $filename) = tempfile( ); > > > + if (copy ($cgiparams{'FH'}, $fh) != 1) { > > > + $errormessage = $!; > > > + goto VPNCONF_ERROR; > > > } > > > - } > > > > > > - $cgiparams{'CERT_NAME'} = getCNfromcert > > > ("${General::swroot}/certs/$cgiparams{'NAME'}cert.pem"); > > > - if ($cgiparams{'CERT_NAME'} eq '') { > > > - unlink > > > ("${General::swroot}/certs/$cgiparams{'NAME'}cert.pem"); > > > - $errormessage = $Lang::tr{'could not retrieve > > > common > > > name from certificate'}; > > > - goto VPNCONF_ERROR; > > > - } > > > + # Verify the certificate has a valid CA and move > > > it > > > + &General::log("ipsec", "Validating imported cert > > > against our known CA..."); > > > + my $validca = 1; #assume ok > > > + my $test = `/usr/bin/openssl verify -CAfile > > > ${General::swroot}/ca/cacert.pem $filename`; > > > + if ($test !~ /: OK/) { > > > + my $validca = 0; > > > + foreach my $key (keys %cahash) { > > > + $test = `/usr/bin/openssl verify > > > -CAfile ${General::swroot}/ca/$cahash{$key}[0]cert.pem > > > $filename`; > > > + if ($test =~ /: OK/) { > > > + $validca = 1; > > > + last; > > > + } > > > + } > > > + } > > > + if (! $validca) { > > > + $errormessage = $Lang::tr{'certificate > > > does > > > not have a valid ca associated with it'}; > > > + unlink ($filename); > > > + goto VPNCONF_ERROR; > > > + } else { > > > + move($filename, > > > "${General::swroot}/certs/$cgiparams{'NAME'}cert.pem"); > > > + if ($? ne 0) { > > > + $errormessage = > > > "$Lang::tr{'certificate file move failed'}: $!"; > > > + unlink ($filename); > > > + goto VPNCONF_ERROR; > > > + } > > > + } > > > + > > > + $cgiparams{'CERT_NAME'} = getCNfromcert > > > ("${General::swroot}/certs/$cgiparams{'NAME'}cert.pem"); > > > + if ($cgiparams{'CERT_NAME'} eq '') { > > > + unlink > > > ("${General::swroot}/certs/$cgiparams{'NAME'}cert.pem"); > > > + $errormessage = $Lang::tr{'could not > > > retrieve common name from certificate'}; > > > + goto VPNCONF_ERROR; > > > + } > > > } elsif ($cgiparams{'AUTH'} eq 'certgen') { > > > - if ($cgiparams{'KEY'}) { > > > - $errormessage = $Lang::tr{'cant change > > > certificates'}; > > > - goto VPNCONF_ERROR; > > > - } > > > - # Validate input since the form was submitted > > > - if (length($cgiparams{'CERT_NAME'}) >60) { > > > - $errormessage = $Lang::tr{'name too long'}; > > > - goto VPNCONF_ERROR; > > > - } > > > - if ($cgiparams{'CERT_NAME'} !~ /^[a-zA-Z0-9 ,\.\ > > > -_]+$/) > > > { > > > - $errormessage = $Lang::tr{'invalid input for > > > name'}; > > > - goto VPNCONF_ERROR; > > > - } > > > - if ($cgiparams{'CERT_EMAIL'} ne '' && (! > > > &General::validemail($cgiparams{'CERT_EMAIL'}))) { > > > - $errormessage = $Lang::tr{'invalid input for e > > > -mail > > > address'}; > > > - goto VPNCONF_ERROR; > > > - } > > > - if (length($cgiparams{'CERT_EMAIL'}) > 40) { > > > - $errormessage = $Lang::tr{'e-mail address too > > > long'}; > > > - goto VPNCONF_ERROR; > > > - } > > > - if ($cgiparams{'CERT_OU'} ne '' && > > > $cgiparams{'CERT_OU'} > > > !~ /^[a-zA-Z0-9 ,\.\-_]*$/) { > > > - $errormessage = $Lang::tr{'invalid input for > > > department'}; > > > - goto VPNCONF_ERROR; > > > - } > > > - if (length($cgiparams{'CERT_ORGANIZATION'}) >60) { > > > - $errormessage = $Lang::tr{'organization too > > > long'}; > > > - goto VPNCONF_ERROR; > > > - } > > > - if ($cgiparams{'CERT_ORGANIZATION'} !~ /^[a-zA-Z0-9 > > > ,\.\ > > > -_]+$/) { > > > - $errormessage = $Lang::tr{'invalid input for > > > organization'}; > > > - goto VPNCONF_ERROR; > > > - } > > > - if ($cgiparams{'CERT_CITY'} ne '' && > > > $cgiparams{'CERT_CITY'} !~ /^[a-zA-Z0-9 ,\.\-_]*$/) { > > > - $errormessage = $Lang::tr{'invalid input for > > > city'}; > > > - goto VPNCONF_ERROR; > > > - } > > > - if ($cgiparams{'CERT_STATE'} ne '' && > > > $cgiparams{'CERT_STATE'} !~ /^[a-zA-Z0-9 ,\.\-_]*$/) { > > > - $errormessage = $Lang::tr{'invalid input for > > > state > > > or province'}; > > > - goto VPNCONF_ERROR; > > > - } > > > - if ($cgiparams{'CERT_COUNTRY'} !~ /^[A-Z]*$/) { > > > - $errormessage = $Lang::tr{'invalid input for > > > country'}; > > > - goto VPNCONF_ERROR; > > > - } > > > - #the exact syntax is a list comma separated of > > > - # email:any-validemail > > > - # URI: a uniform resource indicator > > > - # DNS: a DNS domain name > > > - # RID: a registered OBJECT IDENTIFIER > > > - # IP: an IP address > > > - # example: email:franck(a)foo.com,IP:10.0.0.10,DNS:fra > > > nck. > > > foo.com > > > - > > > - if ($cgiparams{'SUBJECTALTNAME'} ne '' && > > > $cgiparams{'SUBJECTALTNAME'} !~ /^(email|URI|DNS|RID|IP):[a-zA-Z0 > > > -9 > > > :\/,\.\-_@]*$/) { > > > - $errormessage = $Lang::tr{'vpn altname syntax'}; > > > - goto VPNCONF_ERROR; > > > - } > > > + if ($cgiparams{'KEY'}) { > > > + $errormessage = $Lang::tr{'cant change > > > certificates'}; > > > + goto VPNCONF_ERROR; > > > + } > > > + # Validate input since the form was submitted > > > + if (length($cgiparams{'CERT_NAME'}) >60) { > > > + $errormessage = $Lang::tr{'name too > > > long'}; > > > + goto VPNCONF_ERROR; > > > + } > > > + if ($cgiparams{'CERT_NAME'} !~ /^[a-zA-Z0-9 ,\.\ > > > -_]+$/) { > > > + $errormessage = $Lang::tr{'invalid input > > > for > > > name'}; > > > + goto VPNCONF_ERROR; > > > + } > > > + if ($cgiparams{'CERT_EMAIL'} ne '' && (! > > > &General::validemail($cgiparams{'CERT_EMAIL'}))) { > > > + $errormessage = $Lang::tr{'invalid input > > > for > > > e-mail address'}; > > > + goto VPNCONF_ERROR; > > > + } > > > + if (length($cgiparams{'CERT_EMAIL'}) > 40) { > > > + $errormessage = $Lang::tr{'e-mail > > > address > > > too long'}; > > > + goto VPNCONF_ERROR; > > > + } > > > + if ($cgiparams{'CERT_OU'} ne '' && > > > $cgiparams{'CERT_OU'} !~ /^[a-zA-Z0-9 ,\.\-_]*$/) { > > > + $errormessage = $Lang::tr{'invalid input > > > for > > > department'}; > > > + goto VPNCONF_ERROR; > > > + } > > > + if (length($cgiparams{'CERT_ORGANIZATION'}) >60) > > > { > > > + $errormessage = $Lang::tr{'organization > > > too > > > long'}; > > > + goto VPNCONF_ERROR; > > > + } > > > + if ($cgiparams{'CERT_ORGANIZATION'} !~ /^[a-zA > > > -Z0-9 > > > ,\.\-_]+$/) { > > > + $errormessage = $Lang::tr{'invalid input > > > for > > > organization'}; > > > + goto VPNCONF_ERROR; > > > + } > > > + if ($cgiparams{'CERT_CITY'} ne '' && > > > $cgiparams{'CERT_CITY'} !~ /^[a-zA-Z0-9 ,\.\-_]*$/) { > > > + $errormessage = $Lang::tr{'invalid input > > > for > > > city'}; > > > + goto VPNCONF_ERROR; > > > + } > > > + if ($cgiparams{'CERT_STATE'} ne '' && > > > $cgiparams{'CERT_STATE'} !~ /^[a-zA-Z0-9 ,\.\-_]*$/) { > > > + $errormessage = $Lang::tr{'invalid input > > > for > > > state or province'}; > > > + goto VPNCONF_ERROR; > > > + } > > > + if ($cgiparams{'CERT_COUNTRY'} !~ /^[A-Z]*$/) { > > > + $errormessage = $Lang::tr{'invalid input > > > for > > > country'}; > > > + goto VPNCONF_ERROR; > > > + } > > > + #the exact syntax is a list comma separated of > > > + # email:any-validemail > > > + # URI: a uniform resource indicator > > > + # DNS: a DNS domain name > > > + # RID: a registered OBJECT IDENTIFIER > > > + # IP: an IP address > > > + # example: email:franck(a)foo.com,IP:10.0.0.10,DNS > > > :fra > > > nck.foo.com > > > + > > > + if ($cgiparams{'SUBJECTALTNAME'} ne '' && > > > $cgiparams{'SUBJECTALTNAME'} !~ /^(email|URI|DNS|RID|IP):[a-zA-Z0 > > > -9 > > > :\/,\.\-_@]*$/) { > > > + $errormessage = $Lang::tr{'vpn altname > > > syntax'}; > > > + goto VPNCONF_ERROR; > > > + } > > > > > > - if (length($cgiparams{'CERT_PASS1'}) < 5) { > > > - $errormessage = $Lang::tr{'password too short'}; > > > - goto VPNCONF_ERROR; > > > - } > > > - if ($cgiparams{'CERT_PASS1'} ne > > > $cgiparams{'CERT_PASS2'}) { > > > - $errormessage = $Lang::tr{'passwords do not > > > match'}; > > > - goto VPNCONF_ERROR; > > > - } > > > + if (length($cgiparams{'CERT_PASS1'}) < 5) { > > > + $errormessage = $Lang::tr{'password too > > > short'}; > > > + goto VPNCONF_ERROR; > > > + } > > > + if ($cgiparams{'CERT_PASS1'} ne > > > $cgiparams{'CERT_PASS2'}) { > > > + $errormessage = $Lang::tr{'passwords do > > > not > > > match'}; > > > + goto VPNCONF_ERROR; > > > + } > > > > > > - # Replace empty strings with a . > > > - (my $ou = $cgiparams{'CERT_OU'}) =~ s/^\s*$/\./; > > > - (my $city = $cgiparams{'CERT_CITY'}) =~ s/^\s*$/\./; > > > - (my $state = $cgiparams{'CERT_STATE'}) =~ > > > s/^\s*$/\./; > > > + # Replace empty strings with a . > > > + (my $ou = $cgiparams{'CERT_OU'}) =~ s/^\s*$/\./; > > > + (my $city = $cgiparams{'CERT_CITY'}) =~ > > > s/^\s*$/\./; > > > + (my $state = $cgiparams{'CERT_STATE'}) =~ > > > s/^\s*$/\./; > > > > > > - # Create the Client certificate request > > > - &General::log("ipsec", "Creating a cert..."); > > > + # Create the Client certificate request > > > + &General::log("ipsec", "Creating a cert..."); > > > > > > - if (open(STDIN, "-|")) { > > > - my $opt = " req -nodes -rand > > > /proc/interrupts:/proc/net/rt_cache"; > > > - $opt .= " -newkey rsa:2048"; > > > - $opt .= " -keyout > > > ${General::swroot}/certs/$cgiparams{'NAME'}key.pem"; > > > - $opt .= " -out > > > ${General::swroot}/certs/$cgiparams{'NAME'}req.pem"; > > > + if (open(STDIN, "-|")) { > > > + my $opt = " req -nodes -rand > > > /proc/interrupts:/proc/net/rt_cache"; > > > + $opt .= " -newkey rsa:2048"; > > > + $opt .= " -keyout > > > ${General::swroot}/certs/$cgiparams{'NAME'}key.pem"; > > > + $opt .= " -out > > > ${General::swroot}/certs/$cgiparams{'NAME'}req.pem"; > > > + > > > + if ( $errormessage = &callssl ($opt) ) { > > > + unlink > > > ("${General::swroot}/certs/$cgiparams{'NAME'}key.pem"); > > > + unlink > > > ("${General::swroot}/certs/$cgiparams{'NAME'}req.pem"); > > > + goto VPNCONF_ERROR; > > > + } > > > + } else { #child > > > + print "$cgiparams{'CERT_COUNTRY'}\n"; > > > + print "$state\n"; > > > + print "$city\n"; > > > + print > > > "$cgiparams{'CERT_ORGANIZATION'}\n"; > > > + print "$ou\n"; > > > + print "$cgiparams{'CERT_NAME'}\n"; > > > + print "$cgiparams{'CERT_EMAIL'}\n"; > > > + print ".\n"; > > > + print ".\n"; > > > + exit (0); > > > + } > > > > > > - if ( $errormessage = &callssl ($opt) ) { > > > - unlink > > > ("${General::swroot}/certs/$cgiparams{'NAME'}key.pem"); > > > - unlink > > > ("${General::swroot}/certs/$cgiparams{'NAME'}req.pem"); > > > - goto VPNCONF_ERROR; > > > - } > > > - } else { #child > > > - print "$cgiparams{'CERT_COUNTRY'}\n"; > > > - print "$state\n"; > > > - print "$city\n"; > > > - print "$cgiparams{'CERT_ORGANIZATION'}\n"; > > > - print "$ou\n"; > > > - print "$cgiparams{'CERT_NAME'}\n"; > > > - print "$cgiparams{'CERT_EMAIL'}\n"; > > > - print ".\n"; > > > - print ".\n"; > > > - exit (0); > > > - } > > > - > > > - # Sign the client certificate request > > > - &General::log("ipsec", "Signing the cert > > > $cgiparams{'NAME'}..."); > > > - > > > - #No easy way for specifying the contain of > > > subjectAltName without writing a config file... > > > - my ($fh, $v3extname) = tempfile ('/tmp/XXXXXXXX'); > > > - print $fh <<END > > > - basicConstraints=CA:FALSE > > > - nsComment="OpenSSL Generated Certificate" > > > - subjectKeyIdentifier=hash > > > - extendedKeyUsage=clientAuth > > > - authorityKeyIdentifier=keyid,issuer:always > > > + # Sign the client certificate request > > > + &General::log("ipsec", "Signing the cert > > > $cgiparams{'NAME'}..."); > > > + > > > + #No easy way for specifying the contain of > > > subjectAltName without writing a config file... > > > + my ($fh, $v3extname) = tempfile > > > ('/tmp/XXXXXXXX'); > > > + print $fh <<END > > > + basicConstraints=CA:FALSE > > > + nsComment="OpenSSL Generated Certificate" > > > + subjectKeyIdentifier=hash > > > + extendedKeyUsage=clientAuth > > > + authorityKeyIdentifier=keyid,issuer:always > > > END > > > ; > > > - print $fh > > > "subjectAltName=$cgiparams{'SUBJECTALTNAME'}" > > > if ($cgiparams{'SUBJECTALTNAME'}); > > > - close ($fh); > > > - > > > - my $opt = " ca -md sha256 -days 999999 -batch > > > -notext"; > > > - $opt .= " -in > > > ${General::swroot}/certs/$cgiparams{'NAME'}req.pem"; > > > - $opt .= " -out > > > ${General::swroot}/certs/$cgiparams{'NAME'}cert.pem"; > > > - $opt .= " -extfile $v3extname"; > > > - > > > - if ( $errormessage = &callssl ($opt) ) { > > > - unlink ($v3extname); > > > - unlink > > > ("${General::swroot}/certs/$cgiparams{'NAME'}key.pem"); > > > - unlink > > > ("${General::swroot}/certs/$cgiparams{'NAME'}req.pem"); > > > - unlink > > > ("${General::swroot}/certs/$cgiparams{'NAME'}cert.pem"); > > > - &cleanssldatabase(); > > > - goto VPNCONF_ERROR; > > > - } else { > > > - unlink ($v3extname); > > > - unlink > > > ("${General::swroot}/certs/$cgiparams{'NAME'}req.pem"); > > > - &cleanssldatabase(); > > > - } > > > - > > > - # Create the pkcs12 file > > > - &General::log("ipsec", "Packing a pkcs12 file..."); > > > - $opt = " pkcs12 -export"; > > > - $opt .= " -inkey > > > ${General::swroot}/certs/$cgiparams{'NAME'}key.pem"; > > > - $opt .= " -in > > > ${General::swroot}/certs/$cgiparams{'NAME'}cert.pem"; > > > - $opt .= " -name \"$cgiparams{'NAME'}\""; > > > - $opt .= " -passout > > > pass:$cgiparams{'CERT_PASS1'}"; > > > - $opt .= " -certfile > > > ${General::swroot}/ca/cacert.pem"; > > > - $opt .= " -caname > > > \"$vpnsettings{'ROOTCERT_ORGANIZATION'} CA\""; > > > - $opt .= " -out > > > ${General::swroot}/certs/$cgiparams{'NAME'}.p12"; > > > - > > > - if ( $errormessage = &callssl ($opt) ) { > > > - unlink > > > ("${General::swroot}/certs/$cgiparams{'NAME'}key.pem"); > > > - unlink > > > ("${General::swroot}/certs/$cgiparams{'NAME'}cert.pem"); > > > - unlink > > > ("${General::swroot}/certs/$cgiparams{'NAME'}.p12"); > > > - goto VPNCONF_ERROR; > > > - } else { > > > - unlink > > > ("${General::swroot}/certs/$cgiparams{'NAME'}key.pem"); > > > - } > > > + print $fh > > > "subjectAltName=$cgiparams{'SUBJECTALTNAME'}" if > > > ($cgiparams{'SUBJECTALTNAME'}); > > > + close ($fh); > > > + > > > + my $opt = " ca -md sha256 -days 999999 -batch > > > -notext"; > > > + $opt .= " -in > > > ${General::swroot}/certs/$cgiparams{'NAME'}req.pem"; > > > + $opt .= " -out > > > ${General::swroot}/certs/$cgiparams{'NAME'}cert.pem"; > > > + $opt .= " -extfile $v3extname"; > > > + > > > + if ( $errormessage = &callssl ($opt) ) { > > > + unlink ($v3extname); > > > + unlink > > > ("${General::swroot}/certs/$cgiparams{'NAME'}key.pem"); > > > + unlink > > > ("${General::swroot}/certs/$cgiparams{'NAME'}req.pem"); > > > + unlink > > > ("${General::swroot}/certs/$cgiparams{'NAME'}cert.pem"); > > > + &cleanssldatabase(); > > > + goto VPNCONF_ERROR; > > > + } else { > > > + unlink ($v3extname); > > > + unlink > > > ("${General::swroot}/certs/$cgiparams{'NAME'}req.pem"); > > > + &cleanssldatabase(); > > > + } > > > + > > > + # Create the pkcs12 file > > > + &General::log("ipsec", "Packing a pkcs12 > > > file..."); > > > + $opt = " pkcs12 -export"; > > > + $opt .= " -inkey > > > ${General::swroot}/certs/$cgiparams{'NAME'}key.pem"; > > > + $opt .= " -in > > > ${General::swroot}/certs/$cgiparams{'NAME'}cert.pem"; > > > + $opt .= " -name \"$cgiparams{'NAME'}\""; > > > + $opt .= " -passout > > > pass:$cgiparams{'CERT_PASS1'}"; > > > + $opt .= " -certfile > > > ${General::swroot}/ca/cacert.pem"; > > > + $opt .= " -caname > > > \"$vpnsettings{'ROOTCERT_ORGANIZATION'} CA\""; > > > + $opt .= " -out > > > ${General::swroot}/certs/$cgiparams{'NAME'}.p12"; > > > + > > > + if ( $errormessage = &callssl ($opt) ) { > > > + unlink > > > ("${General::swroot}/certs/$cgiparams{'NAME'}key.pem"); > > > + unlink > > > ("${General::swroot}/certs/$cgiparams{'NAME'}cert.pem"); > > > + unlink > > > ("${General::swroot}/certs/$cgiparams{'NAME'}.p12"); > > > + goto VPNCONF_ERROR; > > > + } else { > > > + unlink > > > ("${General::swroot}/certs/$cgiparams{'NAME'}key.pem"); > > > + } > > > } elsif ($cgiparams{'AUTH'} eq 'cert') { > > > - ;# Nothing, just editing > > > + ;# Nothing, just editing > > > } elsif ($cgiparams{'AUTH'} eq 'auth-dn') { > > > - $cgiparams{'CERT_NAME'} = '%auth-dn'; # a > > > special > > > value saying 'no cert file' > > > + $cgiparams{'CERT_NAME'} = '%auth-dn'; # a > > > special > > > value saying 'no cert file' > > > } else { > > > - $errormessage = $Lang::tr{'invalid input for > > > authentication method'}; > > > - goto VPNCONF_ERROR; > > > + $errormessage = $Lang::tr{'invalid input for > > > authentication method'}; > > > + goto VPNCONF_ERROR; > > > } > > > > > > # 1)Error message here is not accurate. > > > @@ -1759,34 +1757,34 @@ END > > > # 3)Present since initial version (1.3.2.11), it isn't a > > > bug > > > correction > > > # Check if there is no other entry with this certificate > > > name > > > #if ((! $cgiparams{'KEY'}) && ($cgiparams{'AUTH'} ne > > > 'psk') > > > && ($cgiparams{'AUTH'} ne 'auth-dn')) { > > > - # foreach my $key (keys %confighash) { > > > + # foreach my $key (keys %confighash) { > > > # if ($confighash{$key}[2] eq > > > $cgiparams{'CERT_NAME'}) { > > > - # $errormessage = $Lang::tr{'a connection > > > with > > > this common name already exists'}; > > > - # goto VPNCONF_ERROR; > > > + # $errormessage = $Lang::tr{'a connection > > > with this common name already exists'}; > > > + # goto VPNCONF_ERROR; > > > + # } > > > # } > > > - # } > > > #} > > > - # Save the config > > > + # Save the config > > > > > > my $key = $cgiparams{'KEY'}; > > > if (! $key) { > > > - $key = &General::findhasharraykey (\%confighash); > > > - foreach my $i (0 .. 32) { $confighash{$key}[$i] = > > > "";} > > > + $key = &General::findhasharraykey > > > (\%confighash); > > > + foreach my $i (0 .. 32) { $confighash{$key}[$i] > > > = > > > "";} > > > } > > > $confighash{$key}[0] = $cgiparams{'ENABLED'}; > > > $confighash{$key}[1] = $cgiparams{'NAME'}; > > > if ((! $cgiparams{'KEY'}) && $cgiparams{'AUTH'} ne > > > 'psk') { > > > - $confighash{$key}[2] = $cgiparams{'CERT_NAME'}; > > > + $confighash{$key}[2] = $cgiparams{'CERT_NAME'}; > > > } > > > $confighash{$key}[3] = $cgiparams{'TYPE'}; > > > if ($cgiparams{'AUTH'} eq 'psk') { > > > - $confighash{$key}[4] = 'psk'; > > > - $confighash{$key}[5] = $cgiparams{'PSK'}; > > > + $confighash{$key}[4] = 'psk'; > > > + $confighash{$key}[5] = $cgiparams{'PSK'}; > > > } else { > > > - $confighash{$key}[4] = 'cert'; > > > + $confighash{$key}[4] = 'cert'; > > > } > > > if ($cgiparams{'TYPE'} eq 'net') { > > > - $confighash{$key}[11] = $cgiparams{'REMOTE_SUBNET'}; > > > + $confighash{$key}[11] = > > > $cgiparams{'REMOTE_SUBNET'}; > > > } > > > $confighash{$key}[7] = $cgiparams{'LOCAL_ID'}; > > > $confighash{$key}[8] = $cgiparams{'LOCAL_SUBNET'}; > > > @@ -1797,7 +1795,7 @@ END > > > $confighash{$key}[27] = $cgiparams{'DPD_ACTION'}; > > > $confighash{$key}[29] = $cgiparams{'IKE_VERSION'}; > > > > > > - #dont forget advanced value > > > + # don't forget advanced value > > > $confighash{$key}[18] = $cgiparams{'IKE_ENCRYPTION'}; > > > $confighash{$key}[19] = $cgiparams{'IKE_INTEGRITY'}; > > > $confighash{$key}[20] = $cgiparams{'IKE_GROUPTYPE'}; > > > @@ -1814,39 +1812,39 @@ END > > > $confighash{$key}[31] = $cgiparams{'DPD_DELAY'}; > > > $confighash{$key}[32] = $cgiparams{'FORCE_MOBIKE'}; > > > > > > - #free unused fields! > > > + # free unused fields! > > > $confighash{$key}[6] = 'off'; > > > $confighash{$key}[15] = 'off'; > > > > > > &General::writehasharray("${General::swroot}/vpn/config" > > > , > > > \%confighash); > > > &writeipsecfiles(); > > > if (&vpnenabled) { > > > - system('/usr/local/bin/ipsecctrl', 'S', $key); > > > - sleep $sleepDelay; > > > + system('/usr/local/bin/ipsecctrl', 'S', $key); > > > + sleep $sleepDelay; > > > } > > > if ($cgiparams{'EDIT_ADVANCED'} eq 'on') { > > > - $cgiparams{'KEY'} = $key; > > > - $cgiparams{'ACTION'} = $Lang::tr{'advanced'}; > > > + $cgiparams{'KEY'} = $key; > > > + $cgiparams{'ACTION'} = $Lang::tr{'advanced'}; > > > } > > > goto VPNCONF_END; > > > - } else { # add new connection > > > - $cgiparams{'ENABLED'} = 'on'; > > > +} else { # add new connection > > > + $cgiparams{'ENABLED'} = 'on'; > > > if ( ! -f "${General::swroot}/private/cakey.pem" ) { > > > - $cgiparams{'AUTH'} = 'psk'; > > > + $cgiparams{'AUTH'} = 'psk'; > > > } elsif ( ! -f "${General::swroot}/ca/cacert.pem") { > > > - $cgiparams{'AUTH'} = 'certfile'; > > > + $cgiparams{'AUTH'} = 'certfile'; > > > } else { > > > - $cgiparams{'AUTH'} = 'certgen'; > > > + $cgiparams{'AUTH'} = 'certgen'; > > > } > > > - $cgiparams{'LOCAL_SUBNET'} > > > ="$netsettings{'GREEN_NETADDRESS'}/$netsettings{'GREEN_NETMASK'} > > > "; > > > - $cgiparams{'CERT_EMAIL'} = > > > $vpnsettings{'ROOTCERT_EMAIL'}; > > > - $cgiparams{'CERT_OU'} = > > > $vpnsettings{'ROOTCERT_OU'}; > > > - $cgiparams{'CERT_ORGANIZATION'} = > > > $vpnsettings{'ROOTCERT_ORGANIZATION'}; > > > - $cgiparams{'CERT_CITY'} = > > > $vpnsettings{'ROOTCERT_CITY'}; > > > - $cgiparams{'CERT_STATE'} = > > > $vpnsettings{'ROOTCERT_STATE'}; > > > - $cgiparams{'CERT_COUNTRY'} = > > > $vpnsettings{'ROOTCERT_COUNTRY'}; > > > + $cgiparams{'LOCAL_SUBNET'} = > > > "$netsettings{'GREEN_NETADDRESS'}/$netsettings{'GREEN_NETMASK'}"; > > > + $cgiparams{'CERT_EMAIL'} = > > > $vpnsettings{'ROOTCERT_EMAIL'}; > > > + $cgiparams{'CERT_OU'} = > > > $vpnsettings{'ROOTCERT_OU'}; > > > + $cgiparams{'CERT_ORGANIZATION'} = > > > $vpnsettings{'ROOTCERT_ORGANIZATION'}; > > > + $cgiparams{'CERT_CITY'} = > > > $vpnsettings{'ROOTCERT_CITY'}; > > > + $cgiparams{'CERT_STATE'} = > > > $vpnsettings{'ROOTCERT_STATE'}; > > > + $cgiparams{'CERT_COUNTRY'} = > > > $vpnsettings{'ROOTCERT_COUNTRY'}; > > > > > > - # choose appropriate dpd action > > > + # choose appropriate dpd action > > > if ($cgiparams{'TYPE'} eq 'host') { > > > $cgiparams{'DPD_ACTION'} = 'clear'; > > > } else { > > > @@ -1867,63 +1865,63 @@ END > > > > > > # Default IKE Version to v2 > > > if (!$cgiparams{'IKE_VERSION'}) { > > > - $cgiparams{'IKE_VERSION'} = 'ikev2'; > > > + $cgiparams{'IKE_VERSION'} = 'ikev2'; > > > } > > > > > > # ID are empty > > > - $cgiparams{'LOCAL_ID'} = ''; > > > + $cgiparams{'LOCAL_ID'} = ''; > > > $cgiparams{'REMOTE_ID'} = ''; > > > > > > #use default advanced value > > > - $cgiparams{'IKE_ENCRYPTION'} = > > > 'aes256gcm128|aes256gcm96|aes256gcm64|aes256|aes192gcm128|aes192g > > > cm96 > > > > aes192gcm64|aes192|aes128gcm128|aes128gcm96|aes128gcm64|aes128' > > > > ; > > > #[18]; > > > - $cgiparams{'IKE_INTEGRITY'} = 'sha2_512|sha2_256|sha'; > > > #[19]; > > > - $cgiparams{'IKE_GROUPTYPE'} = > > > '4096|3072|2048|1536|1024'; > > > #[20]; > > > - $cgiparams{'IKE_LIFETIME'} = '3'; #[16] > > > ; > > > - $cgiparams{'ESP_ENCRYPTION'} = > > > 'aes256gcm128|aes256gcm96|aes256gcm64|aes256|aes192gcm128|aes192g > > > cm96 > > > > aes192gcm64|aes192|aes128gcm128|aes128gcm96|aes128gcm64|aes128' > > > > ; > > > #[21]; > > > - $cgiparams{'ESP_INTEGRITY'} = 'sha2_512|sha2_256|sha1'; > > > #[22]; > > > - $cgiparams{'ESP_GROUPTYPE'} = > > > '4096|3072|2048|1536|1024'; > > > #[23]; > > > - $cgiparams{'ESP_KEYLIFE'} = '1'; #[17] > > > ; > > > - $cgiparams{'COMPRESSION'} = 'on'; #[13 > > > ]; > > > - $cgiparams{'ONLY_PROPOSED'} = 'off'; #[2 > > > 4]; > > > - $cgiparams{'PFS'} = 'on'; #[2 > > > 8]; > > > - } > > > - > > > - VPNCONF_ERROR: > > > - $checked{'ENABLED'}{'off'} = ''; > > > - $checked{'ENABLED'}{'on'} = ''; > > > - $checked{'ENABLED'}{$cgiparams{'ENABLED'}} = > > > "checked='checked'"; > > > - > > > - $checked{'EDIT_ADVANCED'}{'off'} = ''; > > > - $checked{'EDIT_ADVANCED'}{'on'} = ''; > > > - $checked{'EDIT_ADVANCED'}{$cgiparams{'EDIT_ADVANCED'}} = > > > "checked='checked'"; > > > - > > > - $checked{'AUTH'}{'psk'} = ''; > > > - $checked{'AUTH'}{'certreq'} = ''; > > > - $checked{'AUTH'}{'certgen'} = ''; > > > - $checked{'AUTH'}{'certfile'} = ''; > > > - $checked{'AUTH'}{'pkcs12'} = ''; > > > - $checked{'AUTH'}{'auth-dn'} = ''; > > > - $checked{'AUTH'}{$cgiparams{'AUTH'}} = "checked='checked'"; > > > - > > > - &Header::showhttpheaders(); > > > - &Header::openpage($Lang::tr{'ipsec'}, 1, ''); > > > - &Header::openbigbox('100%', 'left', '', $errormessage); > > > - if ($errormessage) { > > > - &Header::openbox('100%', 'left', $Lang::tr{'error > > > messages'}); > > > - print "<class name='base'>$errormessage"; > > > - print " </class>"; > > > - &Header::closebox(); > > > - } > > > + $cgiparams{'IKE_ENCRYPTION'} = > > > 'aes256gcm128|aes256gcm96|aes256gcm64|aes256|aes192gcm128|aes192g > > > cm96 > > > > aes192gcm64|aes192|aes128gcm128|aes128gcm96|aes128gcm64|aes128' > > > > ; > > > #[18]; > > > + $cgiparams{'IKE_INTEGRITY'} = > > > 'sha2_512|sha2_256|sha'; #[19]; > > > + $cgiparams{'IKE_GROUPTYPE'} = > > > '4096|3072|2048|1536|1024'; #[20]; > > > + $cgiparams{'IKE_LIFETIME'} = '3'; #[16]; > > > + $cgiparams{'ESP_ENCRYPTION'} = > > > 'aes256gcm128|aes256gcm96|aes256gcm64|aes256|aes192gcm128|aes192g > > > cm96 > > > > aes192gcm64|aes192|aes128gcm128|aes128gcm96|aes128gcm64|aes128' > > > > ; > > > #[21]; > > > + $cgiparams{'ESP_INTEGRITY'} = > > > 'sha2_512|sha2_256|sha1'; #[22]; > > > + $cgiparams{'ESP_GROUPTYPE'} = > > > '4096|3072|2048|1536|1024'; #[23]; > > > + $cgiparams{'ESP_KEYLIFE'} = '1'; #[17]; > > > + $cgiparams{'COMPRESSION'} = 'on'; #[13]; > > > + $cgiparams{'ONLY_PROPOSED'} = 'off'; > > > #[24]; > > > + $cgiparams{'PFS'} = 'on'; > > > #[28]; > > > +} > > > > > > - if ($warnmessage) { > > > - &Header::openbox('100%', 'left', "$Lang::tr{'warning > > > messages'}:"); > > > - print "<class name='base'>$warnmessage"; > > > - print " </class>"; > > > - &Header::closebox(); > > > - } > > > +VPNCONF_ERROR: > > > + $checked{'ENABLED'}{'off'} = ''; > > > + $checked{'ENABLED'}{'on'} = ''; > > > + $checked{'ENABLED'}{$cgiparams{'ENABLED'}} = > > > "checked='checked'"; > > > + > > > + $checked{'EDIT_ADVANCED'}{'off'} = ''; > > > + $checked{'EDIT_ADVANCED'}{'on'} = ''; > > > + $checked{'EDIT_ADVANCED'}{$cgiparams{'EDIT_ADVANCED'}} = > > > "checked='checked'"; > > > + > > > + $checked{'AUTH'}{'psk'} = ''; > > > + $checked{'AUTH'}{'certreq'} = ''; > > > + $checked{'AUTH'}{'certgen'} = ''; > > > + $checked{'AUTH'}{'certfile'} = ''; > > > + $checked{'AUTH'}{'pkcs12'} = ''; > > > + $checked{'AUTH'}{'auth-dn'} = ''; > > > + $checked{'AUTH'}{$cgiparams{'AUTH'}} = > > > "checked='checked'"; > > > + > > > + &Header::showhttpheaders(); > > > + &Header::openpage($Lang::tr{'ipsec'}, 1, ''); > > > + &Header::openbigbox('100%', 'left', '', $errormessage); > > > + if ($errormessage) { > > > + &Header::openbox('100%', 'left', > > > $Lang::tr{'error > > > messages'}); > > > + print "<class name='base'>$errormessage"; > > > + print " </class>"; > > > + &Header::closebox(); > > > + } > > > + > > > + if ($warnmessage) { > > > + &Header::openbox('100%', 'left', > > > "$Lang::tr{'warning > > > messages'}:"); > > > + print "<class name='base'>$warnmessage"; > > > + print " </class>"; > > > + &Header::closebox(); > > > + } > > > > > > - print "<form method='post' enctype='multipart/form-data' > > > action='$ENV{'SCRIPT_NAME'}'>"; > > > - print<<END > > > + print "<form method='post' enctype='multipart/form-data' > > > action='$ENV{'SCRIPT_NAME'}'>"; > > > + print<<END > > > <input type='hidden' name='TYPE' > > > value='$cgiparams{'TYPE'}' > > > /> > > > <input type='hidden' name='IKE_VERSION' > > > value='$cgiparams{'IKE_VERSION'}' /> > > > <input type='hidden' name='IKE_ENCRYPTION' > > > value='$cgiparams{'IKE_ENCRYPTION'}' /> > > > @@ -1942,172 +1940,172 @@ END > > > <input type='hidden' name='DPD_TIMEOUT' > > > value='$cgiparams{'DPD_TIMEOUT'}' /> > > > <input type='hidden' name='FORCE_MOBIKE' > > > value='$cgiparams{'FORCE_MOBIKE'}' /> > > > END > > > - ; > > > - if ($cgiparams{'KEY'}) { > > > - print "<input type='hidden' name='KEY' > > > value='$cgiparams{'KEY'}' />"; > > > - print "<input type='hidden' name='NAME' > > > value='$cgiparams{'NAME'}' />"; > > > - print "<input type='hidden' name='AUTH' > > > value='$cgiparams{'AUTH'}' />"; > > > - } > > > - > > > - &Header::openbox('100%', 'left', "$Lang::tr{'connection'}: > > > $cgiparams{'NAME'}"); > > > - print "<table width='100%'>"; > > > - if (!$cgiparams{'KEY'}) { > > > - print <<EOF; > > > - <tr> > > > - <td > > > width='20%'>$Lang::tr{'name'}: <img src='/blob.gif' alt='*' > > > /></td> > > > - <td width='30%'> > > > - <input type='text' > > > name='NAME' > > > value='$cgiparams{'NAME'}' size='25' /> > > > - </td> > > > - <td colspan="2"></td> > > > - </tr> > > > +; > > > + if ($cgiparams{'KEY'}) { > > > + print "<input type='hidden' name='KEY' > > > value='$cgiparams{'KEY'}' />"; > > > + print "<input type='hidden' name='NAME' > > > value='$cgiparams{'NAME'}' />"; > > > + print "<input type='hidden' name='AUTH' > > > value='$cgiparams{'AUTH'}' />"; > > > + } > > > + > > > + &Header::openbox('100%', 'left', > > > "$Lang::tr{'connection'}: > > > $cgiparams{'NAME'}"); > > > + print "<table width='100%'>"; > > > + if (!$cgiparams{'KEY'}) { > > > + print <<EOF; > > > + <tr> > > > + <td > > > width='20%'>$Lang::tr{'name'}: <img src='/blob.gif' alt='*' > > > /></td> > > > + <td width='30%'> > > > + <input type='text' > > > name='NAME' value='$cgiparams{'NAME'}' size='25' /> > > > + </td> > > > + <td colspan="2"></td> > > > + </tr> > > > EOF > > > - } > > > + } > > > > > > - my $disabled; > > > - my $blob; > > > - if ($cgiparams{'TYPE'} eq 'host') { > > > + my $disabled; > > > + my $blob; > > > + if ($cgiparams{'TYPE'} eq 'host') { > > > $disabled = "disabled='disabled'"; > > > - } elsif ($cgiparams{'TYPE'} eq 'net') { > > > + } elsif ($cgiparams{'TYPE'} eq 'net') { > > > $blob = "<img src='/blob.gif' alt='*' />"; > > > - }; > > > + }; > > > > > > - print <<END > > > + print <<END > > > <tr> > > > <td width='20%'>$Lang::tr{'enabled'}</td> > > > <td width='30%'> > > > <input type='checkbox' name='ENABLED' > > > $checked{'ENABLED'}{'on'} /> > > > </td> > > > - <td class='boldbase' nowrap='nowrap' > > > width='20%'>$Lang::tr{'local subnet'} <img src='/blob.gif' > > > alt='*' /></td> > > > - <td width='30%'> > > > - <input type='text' name='LOCAL_SUBNET' > > > value='$cgiparams{'LOCAL_SUBNET'}' size="25" /> > > > - </td> > > > + <td class='boldbase' nowrap='nowrap' > > > width='20%'>$Lang::tr{'local subnet'} <img src='/blob.gif' > > > alt='*' /></td> > > > + <td width='30%'> > > > + <input type='text' name='LOCAL_SUBNET' > > > value='$cgiparams{'LOCAL_SUBNET'}' size="25" /> > > > + </td> > > > </tr> > > > <tr> > > > - <td class='boldbase' width='20%'>$Lang::tr{'remote > > > host/ip'}: $blob</td> > > > - <td width='30%'> > > > - <input type='text' name='REMOTE' > > > value='$cgiparams{'REMOTE'}' size="25" /> > > > - </td> > > > - <td class='boldbase' nowrap='nowrap' > > > width='20%'>$Lang::tr{'remote subnet'} $blob</td> > > > - <td width='30%'> > > > - <input $disabled type='text' > > > name='REMOTE_SUBNET' > > > value='$cgiparams{'REMOTE_SUBNET'}' size="25" /> > > > - </td> > > > + <td class='boldbase' > > > width='20%'>$Lang::tr{'remote > > > host/ip'}: $blob</td> > > > + <td width='30%'> > > > + <input type='text' name='REMOTE' > > > value='$cgiparams{'REMOTE'}' size="25" /> > > > + </td> > > > + <td class='boldbase' nowrap='nowrap' > > > width='20%'>$Lang::tr{'remote subnet'} $blob</td> > > > + <td width='30%'> > > > + <input $disabled type='text' > > > name='REMOTE_SUBNET' value='$cgiparams{'REMOTE_SUBNET'}' > > > size="25" /> > > > + </td> > > > </tr> > > > <tr> > > > - <td class='boldbase' width='20%'>$Lang::tr{'vpn > > > local > > > id'}:</td> > > > - <td width='30%'> > > > - <input type='text' name='LOCAL_ID' > > > value='$cgiparams{'LOCAL_ID'}' size="25" /> > > > - </td> > > > - <td class='boldbase' width='20%'>$Lang::tr{'vpn > > > remote > > > id'}:</td> > > > - <td width='30%'> > > > - <input type='text' name='REMOTE_ID' > > > value='$cgiparams{'REMOTE_ID'}' size="25" /> > > > - </td> > > > + <td class='boldbase' width='20%'>$Lang::tr{'vpn > > > local id'}:</td> > > > + <td width='30%'> > > > + <input type='text' name='LOCAL_ID' > > > value='$cgiparams{'LOCAL_ID'}' size="25" /> > > > + </td> > > > + <td class='boldbase' width='20%'>$Lang::tr{'vpn > > > remote id'}:</td> > > > + <td width='30%'> > > > + <input type='text' name='REMOTE_ID' > > > value='$cgiparams{'REMOTE_ID'}' size="25" /> > > > + </td> > > > </tr> > > > <tr><td colspan="4"><br /></td></tr> > > > <tr> > > > - <td class='boldbase' width='20%'>$Lang::tr{'remark > > > title'}</td> > > > - <td colspan='3'> > > > - <input type='text' name='REMARK' > > > value='$cgiparams{'REMARK'}' maxlength='50' size="73" /> > > > - </td> > > > - </tr> > > > -END > > > - ; > > > - if (!$cgiparams{'KEY'}) { > > > - print "<tr><td colspan='3'><input type='checkbox' > > > name='EDIT_ADVANCED' $checked{'EDIT_ADVANCED'}{'on'} /> > > > $Lang::tr{'edit advanced settings when done'}</td></tr>"; > > > - } > > > - print "</table>"; > > > - &Header::closebox(); > > > - > > > - if ($cgiparams{'KEY'} && $cgiparams{'AUTH'} eq 'psk') { > > > - &Header::openbox('100%', 'left', > > > $Lang::tr{'authentication'}); > > > - print <<END > > > - <table width='100%' cellpadding='0' cellspacing='5' > > > border='0'> > > > - <tr><td class='base' width='50%'>$Lang::tr{'use a pre > > > -shared > > > key'}</td> > > > - <td class='base' width='50%'><input type='password' > > > name='PSK' size='30' value='$cgiparams{'PSK'}' /></td> > > > + <td class='boldbase' > > > width='20%'>$Lang::tr{'remark > > > title'}</td> > > > + <td colspan='3'> > > > + <input type='text' name='REMARK' > > > value='$cgiparams{'REMARK'}' maxlength='50' size="73" /> > > > + </td> > > > </tr> > > > - </table> > > > END > > > - ; > > > +; > > > + if (!$cgiparams{'KEY'}) { > > > + print "<tr><td colspan='3'><input > > > type='checkbox' > > > name='EDIT_ADVANCED' $checked{'EDIT_ADVANCED'}{'on'} /> > > > $Lang::tr{'edit advanced settings when done'}</td></tr>"; > > > + } > > > + print "</table>"; > > > &Header::closebox(); > > > - } elsif (! $cgiparams{'KEY'}) { > > > - my $cakeydisabled = ( ! -f > > > "${General::swroot}/private/cakey.pem" ) ? "disabled='disabled'" > > > : > > > ''; > > > - $cgiparams{'CERT_NAME'} = $Lang::tr{'vpn no full pki'} > > > if > > > ($cakeydisabled); > > > - my $cacrtdisabled = ( ! -f > > > "${General::swroot}/ca/cacert.pem" ) ? "disabled='disabled'" : > > > ''; > > > > > > - &Header::openbox('100%', 'left', > > > $Lang::tr{'authentication'}); > > > - print <<END > > > - <table width='100%' cellpadding='0' cellspacing='5' > > > border='0'> > > > - <tr><td width='5%'><input type='radio' name='AUTH' > > > value='psk' $checked{'AUTH'}{'psk'} /></td> > > > - <td class='base' width='55%'>$Lang::tr{'use a pre > > > -shared > > > key'}</td> > > > - <td class='base' width='40%'><input type='password' > > > name='PSK' size='30' value='$cgiparams{'PSK'}' /></td></tr> > > > - <tr><td colspan='3' bgcolor='#000000'></td></tr> > > > - <tr><td><input type='radio' name='AUTH' value='certreq' > > > $checked{'AUTH'}{'certreq'} $cakeydisabled /></td> > > > - <td class='base'><hr />$Lang::tr{'upload a > > > certificate > > > request'}</td> > > > - <td class='base' rowspan='3' valign='middle'><input > > > type='file' name='FH' size='30' $cacrtdisabled /></td></tr> > > > - <tr><td><input type='radio' name='AUTH' value='certfile' > > > $checked{'AUTH'}{'certfile'} $cacrtdisabled /></td> > > > - <td class='base'>$Lang::tr{'upload a > > > certificate'}</td></tr> > > > - <tr><td><input type='radio' name='AUTH' value='pkcs12' > > > $cacrtdisabled /></td> > > > - <td class='base'>$Lang::tr{'upload p12 file'} > > > $Lang::tr{'pkcs12 file password'}:<input type='password' > > > name='P12_PASS'/></td></tr> > > > - <tr><td><input type='radio' name='AUTH' value='auth-dn' > > > $checked{'AUTH'}{'auth-dn'} $cacrtdisabled /></td> > > > - <td class='base'><hr />$Lang::tr{'vpn auth > > > -dn'}</td></tr> > > > - <tr><td colspan='3' bgcolor='#000000'></td></tr> > > > - <tr><td><input type='radio' name='AUTH' value='certgen' > > > $checked{'AUTH'}{'certgen'} $cakeydisabled /></td> > > > - <td class='base'><hr />$Lang::tr{'generate a > > > certificate'}</td><td> </td></tr> > > > - <tr><td> </td> > > > - <td class='base'>$Lang::tr{'users fullname or system > > > hostname'}: <img src='/blob.gif' alt='*' /></td> > > > - <td class='base' nowrap='nowrap'><input type='text' > > > name='CERT_NAME' value='$cgiparams{'CERT_NAME'}' size='32' > > > $cakeydisabled /></td></tr> > > > - <tr><td> </td> > > > - <td class='base'>$Lang::tr{'users email'}:</td> > > > - <td class='base' nowrap='nowrap'><input type='text' > > > name='CERT_EMAIL' value='$cgiparams{'CERT_EMAIL'}' size='32' > > > $cakeydisabled /></td></tr> > > > - <tr><td> </td> > > > - <td class='base'>$Lang::tr{'users department'}:</td> > > > - <td class='base' nowrap='nowrap'><input type='text' > > > name='CERT_OU' value='$cgiparams{'CERT_OU'}' size='32' > > > $cakeydisabled > > > /></td></tr> > > > - <tr><td> </td> > > > - <td class='base'>$Lang::tr{'organization > > > name'}:</td> > > > - <td class='base' nowrap='nowrap'><input type='text' > > > name='CERT_ORGANIZATION' value='$cgiparams{'CERT_ORGANIZATION'}' > > > size='32' $cakeydisabled /></td></tr> > > > - <tr><td> </td> > > > - <td class='base'>$Lang::tr{'city'}:</td> > > > - <td class='base' nowrap='nowrap'><input type='text' > > > name='CERT_CITY' value='$cgiparams{'CERT_CITY'}' size='32' > > > $cakeydisabled /></td></tr> > > > - <tr><td> </td> > > > - <td class='base'>$Lang::tr{'state or > > > province'}:</td> > > > - <td class='base' nowrap='nowrap'><input type='text' > > > name='CERT_STATE' value='$cgiparams{'CERT_STATE'}' size='32' > > > $cakeydisabled /></td></tr> > > > - <tr><td> </td> > > > - <td class='base'>$Lang::tr{'country'}:</td> > > > - <td class='base'><select name='CERT_COUNTRY' > > > $cakeydisabled> > > > + if ($cgiparams{'KEY'} && $cgiparams{'AUTH'} eq 'psk') { > > > + &Header::openbox('100%', 'left', > > > $Lang::tr{'authentication'}); > > > + print <<END > > > + <table width='100%' cellpadding='0' > > > cellspacing='5' > > > border='0'> > > > + <tr><td class='base' width='50%'>$Lang::tr{'use > > > a > > > pre-shared key'}</td> > > > + <td class='base' width='50%'><input > > > type='password' name='PSK' size='30' value='$cgiparams{'PSK'}' > > > /></td> > > > + </tr> > > > + </table> > > > END > > > - ; > > > - foreach my $country (sort keys %{Countries::countries}) > > > { > > > - print "\t\t\t<option > > > value='$Countries::countries{$country}'"; > > > - if ( $Countries::countries{$country} eq > > > $cgiparams{'CERT_COUNTRY'} ) { > > > - print " selected='selected'"; > > > - } > > > - print ">$country</option>\n"; > > > +; > > > + &Header::closebox(); > > > + } elsif (! $cgiparams{'KEY'}) { > > > + my $cakeydisabled = ( ! -f > > > "${General::swroot}/private/cakey.pem" ) ? "disabled='disabled'" > > > : > > > ''; > > > + $cgiparams{'CERT_NAME'} = $Lang::tr{'vpn no full > > > pki'} if ($cakeydisabled); > > > + my $cacrtdisabled = ( ! -f > > > "${General::swroot}/ca/cacert.pem" ) ? "disabled='disabled'" : > > > ''; > > > + > > > + &Header::openbox('100%', 'left', > > > $Lang::tr{'authentication'}); > > > + print <<END > > > + <table width='100%' cellpadding='0' > > > cellspacing='5' > > > border='0'> > > > + <tr><td width='5%'><input type='radio' > > > name='AUTH' > > > value='psk' $checked{'AUTH'}{'psk'} /></td> > > > + <td class='base' > > > width='55%'>$Lang::tr{'use > > > a pre-shared key'}</td> > > > + <td class='base' width='40%'><input > > > type='password' name='PSK' size='30' value='$cgiparams{'PSK'}' > > > /></td></tr> > > > + <tr><td colspan='3' bgcolor='#000000'></td></tr> > > > + <tr><td><input type='radio' name='AUTH' > > > value='certreq' $checked{'AUTH'}{'certreq'} $cakeydisabled > > > /></td> > > > + <td class='base'><hr />$Lang::tr{'upload > > > a > > > certificate request'}</td> > > > + <td class='base' rowspan='3' > > > valign='middle'><input type='file' name='FH' size='30' > > > $cacrtdisabled > > > /></td></tr> > > > + <tr><td><input type='radio' name='AUTH' > > > value='certfile' $checked{'AUTH'}{'certfile'} $cacrtdisabled > > > /></td> > > > + <td class='base'>$Lang::tr{'upload a > > > certificate'}</td></tr> > > > + <tr><td><input type='radio' name='AUTH' > > > value='pkcs12' $cacrtdisabled /></td> > > > + <td class='base'>$Lang::tr{'upload p12 > > > file'} $Lang::tr{'pkcs12 file password'}:<input type='password' > > > name='P12_PASS'/></td></tr> > > > + <tr><td><input type='radio' name='AUTH' > > > value='auth > > > -dn' $checked{'AUTH'}{'auth-dn'} $cacrtdisabled /></td> > > > + <td class='base'><hr />$Lang::tr{'vpn > > > auth > > > -dn'}</td></tr> > > > + <tr><td colspan='3' bgcolor='#000000'></td></tr> > > > + <tr><td><input type='radio' name='AUTH' > > > value='certgen' $checked{'AUTH'}{'certgen'} $cakeydisabled > > > /></td> > > > + <td class='base'><hr > > > />$Lang::tr{'generate a > > > certificate'}</td><td> </td></tr> > > > + <tr><td> </td> > > > + <td class='base'>$Lang::tr{'users > > > fullname > > > or system hostname'}: <img src='/blob.gif' alt='*' /></td> > > > + <td class='base' nowrap='nowrap'><input > > > type='text' name='CERT_NAME' value='$cgiparams{'CERT_NAME'}' > > > size='32' $cakeydisabled /></td></tr> > > > + <tr><td> </td> > > > + <td class='base'>$Lang::tr{'users > > > email'}:</td> > > > + <td class='base' nowrap='nowrap'><input > > > type='text' name='CERT_EMAIL' value='$cgiparams{'CERT_EMAIL'}' > > > size='32' $cakeydisabled /></td></tr> > > > + <tr><td> </td> > > > + <td class='base'>$Lang::tr{'users > > > department'}:</td> > > > + <td class='base' nowrap='nowrap'><input > > > type='text' name='CERT_OU' value='$cgiparams{'CERT_OU'}' > > > size='32' > > > $cakeydisabled /></td></tr> > > > + <tr><td> </td> > > > + <td class='base'>$Lang::tr{'organization > > > name'}:</td> > > > + <td class='base' nowrap='nowrap'><input > > > type='text' name='CERT_ORGANIZATION' > > > value='$cgiparams{'CERT_ORGANIZATION'}' size='32' $cakeydisabled > > > /></td></tr> > > > + <tr><td> </td> > > > + <td class='base'>$Lang::tr{'city'}:</td> > > > + <td class='base' nowrap='nowrap'><input > > > type='text' name='CERT_CITY' value='$cgiparams{'CERT_CITY'}' > > > size='32' $cakeydisabled /></td></tr> > > > + <tr><td> </td> > > > + <td class='base'>$Lang::tr{'state or > > > province'}:</td> > > > + <td class='base' nowrap='nowrap'><input > > > type='text' name='CERT_STATE' value='$cgiparams{'CERT_STATE'}' > > > size='32' $cakeydisabled /></td></tr> > > > + <tr><td> </td> > > > + <td > > > class='base'>$Lang::tr{'country'}:</td> > > > + <td class='base'><select > > > name='CERT_COUNTRY' > > > $cakeydisabled> > > > +END > > > +; > > > + foreach my $country (sort keys > > > %{Countries::countries}) { > > > + print "\t\t\t<option > > > value='$Countries::countries{$country}'"; > > > + if ( $Countries::countries{$country} eq > > > $cgiparams{'CERT_COUNTRY'} ) { > > > + print " selected='selected'"; > > > + } > > > + print ">$country</option>\n"; > > > + } > > > + print <<END > > > + </select></td></tr> > > > + > > > + <tr><td> </td><td > > > class='base'>$Lang::tr{'vpn > > > subjectaltname'} (subjectAltName=email:*,URI:*,DNS:*,RID:*)</td> > > > + <td class='base' nowrap='nowrap'><input > > > type='text' name='SUBJECTALTNAME' > > > value='$cgiparams{'SUBJECTALTNAME'}' size='32' $cakeydisabled > > > /></td></tr> > > > + <tr><td> </td> > > > + <td class='base'>$Lang::tr{'pkcs12 file > > > password'}: <img src='/blob.gif' alt='*' /></td> > > > + <td class='base' nowrap='nowrap'><input > > > type='password' name='CERT_PASS1' > > > value='$cgiparams{'CERT_PASS1'}' > > > size='32' $cakeydisabled /></td></tr> > > > + <tr><td> </td><td > > > class='base'>$Lang::tr{'pkcs12 file > > > password'} ($Lang::tr{'confirmation'}): <img > > > src='/blob.gif' alt='*' /></td> > > > + <td class='base' nowrap='nowrap'><input > > > type='password' name='CERT_PASS2' > > > value='$cgiparams{'CERT_PASS2'}' > > > size='32' $cakeydisabled /></td></tr> > > > + </table> > > > +END > > > +; > > > + &Header::closebox(); > > > } > > > - print <<END > > > - </select></td></tr> > > > > > > - <tr><td> </td><td class='base'>$Lang::tr{'vpn > > > subjectaltname'} (subjectAltName=email:*,URI:*,DNS:*,RID:*)</td> > > > - <td class='base' nowrap='nowrap'><input type='text' > > > name='SUBJECTALTNAME' value='$cgiparams{'SUBJECTALTNAME'}' > > > size='32' > > > $cakeydisabled /></td></tr> > > > - <tr><td> </td> > > > - <td class='base'>$Lang::tr{'pkcs12 file > > > password'}: <img src='/blob.gif' alt='*' /></td> > > > - <td class='base' nowrap='nowrap'><input > > > type='password' > > > name='CERT_PASS1' value='$cgiparams{'CERT_PASS1'}' size='32' > > > $cakeydisabled /></td></tr> > > > - <tr><td> </td><td class='base'>$Lang::tr{'pkcs12 > > > file > > > password'} ($Lang::tr{'confirmation'}): <img > > > src='/blob.gif' alt='*' /></td> > > > - <td class='base' nowrap='nowrap'><input > > > type='password' > > > name='CERT_PASS2' value='$cgiparams{'CERT_PASS2'}' size='32' > > > $cakeydisabled /></td></tr> > > > - </table> > > > -END > > > - ; > > > - &Header::closebox(); > > > - } > > > - > > > - print "<div align='center'><input type='submit' > > > name='ACTION' > > > value='$Lang::tr{'save'}' />"; > > > - if ($cgiparams{'KEY'}) { > > > - print "<input type='submit' name='ACTION' > > > value='$Lang::tr{'advanced'}' />"; > > > - } > > > - print "<input type='submit' name='ACTION' > > > value='$Lang::tr{'cancel'}' /></div></form>"; > > > - &Header::closebigbox(); > > > - &Header::closepage(); > > > - exit (0); > > > - > > > - VPNCONF_END: > > > + print "<div align='center'><input type='submit' > > > name='ACTION' value='$Lang::tr{'save'}' />"; > > > + if ($cgiparams{'KEY'}) { > > > + print "<input type='submit' name='ACTION' > > > value='$Lang::tr{'advanced'}' />"; > > > + } > > > + print "<input type='submit' name='ACTION' > > > value='$Lang::tr{'cancel'}' /></div></form>"; > > > + &Header::closebigbox(); > > > + &Header::closepage(); > > > + exit (0); > > > + > > > + VPNCONF_END: > > > } > > > > > > ### > > > @@ -2115,291 +2113,288 @@ END > > > ### > > > if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) || > > > ($cgiparams{'ACTION'} eq $Lang::tr{'save'} && > > > $cgiparams{'ADVANCED'} eq 'yes')) { > > > - &General::readhash("${General::swroot}/vpn/settings", > > > \%vpnsettings); > > > - &General::readhasharray("${General::swroot}/vpn/config", > > > \%confighash); > > > - if (! $confighash{$cgiparams{'KEY'}}) { > > > - $errormessage = $Lang::tr{'invalid key'}; > > > - goto ADVANCED_END; > > > - } > > > - > > > - if ($cgiparams{'ACTION'} eq $Lang::tr{'save'}) { > > > - my @temp = split('\|', $cgiparams{'IKE_ENCRYPTION'}); > > > - if ($#temp < 0) { > > > - $errormessage = $Lang::tr{'invalid input'}; > > > - goto ADVANCED_ERROR; > > > - } > > > - foreach my $val (@temp) { > > > - if ($val !~ > > > /^(aes(256|192|128)(gcm(128|96|64))?|3des|camellia(256|192|128))$ > > > /) { > > > - $errormessage = $Lang::tr{'invalid input'}; > > > - goto ADVANCED_ERROR; > > > - } > > > + &General::readhash("${General::swroot}/vpn/settings", > > > \%vpnsettings); > > > + &General::readhasharray("${General::swroot}/vpn/config", > > > \%confighash); > > > + if (! $confighash{$cgiparams{'KEY'}}) { > > > + $errormessage = $Lang::tr{'invalid key'}; > > > + goto ADVANCED_END; > > > + } > > > + > > > + if ($cgiparams{'ACTION'} eq $Lang::tr{'save'}) { > > > + my @temp = split('\|', > > > $cgiparams{'IKE_ENCRYPTION'}); > > > + if ($#temp < 0) { > > > + $errormessage = $Lang::tr{'invalid > > > input'}; > > > + goto ADVANCED_ERROR; > > > + } > > > + foreach my $val (@temp) { > > > + if ($val !~ > > > /^(aes(256|192|128)(gcm(128|96|64))?|3des|camellia(256|192|128))$ > > > /) { > > > + $errormessage = > > > $Lang::tr{'invalid > > > input'}; > > > + goto ADVANCED_ERROR; > > > + } > > > + } > > > + @temp = split('\|', > > > $cgiparams{'IKE_INTEGRITY'}); > > > + if ($#temp < 0) { > > > + $errormessage = $Lang::tr{'invalid > > > input'}; > > > + goto ADVANCED_ERROR; > > > + } > > > + foreach my $val (@temp) { > > > + if ($val !~ > > > /^(sha2_(512|384|256)|sha|md5|aesxcbc)$/) { > > > + $errormessage = > > > $Lang::tr{'invalid > > > input'}; > > > + goto ADVANCED_ERROR; > > > + } > > > + } > > > + @temp = split('\|', > > > $cgiparams{'IKE_GROUPTYPE'}); > > > + if ($#temp < 0) { > > > + $errormessage = $Lang::tr{'invalid > > > input'}; > > > + goto ADVANCED_ERROR; > > > + } > > > + foreach my $val (@temp) { > > > + if ($val !~ > > > /^(e521|e384|e256|e224|e192|e512bp|e384bp|e256bp|e224bp|1024|1536 > > > |204 > > > 8|2048s256|2048s224|2048s160|3072|4096|6144|8192)$/) { > > > + $errormessage = > > > $Lang::tr{'invalid > > > input'}; > > > + goto ADVANCED_ERROR; > > > + } > > > + } > > > + if ($cgiparams{'IKE_LIFETIME'} !~ /^\d+$/) { > > > + $errormessage = $Lang::tr{'invalid input > > > for > > > ike lifetime'}; > > > + goto ADVANCED_ERROR; > > > + } > > > + if ($cgiparams{'IKE_LIFETIME'} < 1 || > > > $cgiparams{'IKE_LIFETIME'} > 8) { > > > + $errormessage = $Lang::tr{'ike lifetime > > > should be between 1 and 8 hours'}; > > > + goto ADVANCED_ERROR; > > > + } > > > + @temp = split('\|', > > > $cgiparams{'ESP_ENCRYPTION'}); > > > + if ($#temp < 0) { > > > + $errormessage = $Lang::tr{'invalid > > > input'}; > > > + goto ADVANCED_ERROR; > > > + } > > > + foreach my $val (@temp) { > > > + if ($val !~ > > > /^(aes(256|192|128)(gcm(128|96|64))?|3des|camellia(256|192|128))$ > > > /) { > > > + $errormessage = > > > $Lang::tr{'invalid > > > input'}; > > > + goto ADVANCED_ERROR; > > > + } > > > + } > > > + @temp = split('\|', > > > $cgiparams{'ESP_INTEGRITY'}); > > > + if ($#temp < 0) { > > > + $errormessage = $Lang::tr{'invalid > > > input'}; > > > + goto ADVANCED_ERROR; > > > + } > > > + foreach my $val (@temp) { > > > + if ($val !~ > > > /^(sha2_(512|384|256)|sha1|md5|aesxcbc)$/) { > > > + $errormessage = > > > $Lang::tr{'invalid > > > input'}; > > > + goto ADVANCED_ERROR; > > > + } > > > + } > > > + @temp = split('\|', > > > $cgiparams{'ESP_GROUPTYPE'}); > > > + if ($#temp < 0) { > > > + $errormessage = $Lang::tr{'invalid > > > input'}; > > > + goto ADVANCED_ERROR; > > > + } > > > + foreach my $val (@temp) { > > > + if ($val !~ > > > /^(e521|e384|e256|e224|e192|e512bp|e384bp|e256bp|e224bp|1024|1536 > > > |204 > > > 8|2048s256|2048s224|2048s160|3072|4096|6144|8192|none)$/) { > > > + $errormessage = > > > $Lang::tr{'invalid > > > input'}; > > > + goto ADVANCED_ERROR; > > > + } > > > + } > > > + if ($cgiparams{'ESP_KEYLIFE'} !~ /^\d+$/) { > > > + $errormessage = $Lang::tr{'invalid input > > > for > > > esp keylife'}; > > > + goto ADVANCED_ERROR; > > > + } > > > + if ($cgiparams{'ESP_KEYLIFE'} < 1 || > > > $cgiparams{'ESP_KEYLIFE'} > 24) { > > > + $errormessage = $Lang::tr{'esp keylife > > > should be between 1 and 24 hours'}; > > > + goto ADVANCED_ERROR; > > > + } > > > + > > > + if (($cgiparams{'COMPRESSION'} !~ /^(|on|off)$/) > > > || > > > + ($cgiparams{'FORCE_MOBIKE'} !~ > > > /^(|on|off)$/) || > > > + ($cgiparams{'ONLY_PROPOSED'} !~ > > > /^(|on|off)$/) || > > > + ($cgiparams{'PFS'} !~ /^(|on|off)$/)) { > > > + $errormessage = $Lang::tr{'invalid > > > input'}; > > > + goto ADVANCED_ERROR; > > > + } > > > + > > > + if ($cgiparams{'DPD_DELAY'} !~ /^\d+$/) { > > > + $errormessage = $Lang::tr{'invalid input > > > for > > > dpd delay'}; > > > + goto ADVANCED_ERROR; > > > + } > > > + > > > + if ($cgiparams{'DPD_TIMEOUT'} !~ /^\d+$/) { > > > + $errormessage = $Lang::tr{'invalid input > > > for > > > dpd timeout'}; > > > + goto ADVANCED_ERROR; > > > + } > > > + > > > + $confighash{$cgiparams{'KEY'}}[29] = > > > $cgiparams{'IKE_VERSION'}; > > > + $confighash{$cgiparams{'KEY'}}[18] = > > > $cgiparams{'IKE_ENCRYPTION'}; > > > + $confighash{$cgiparams{'KEY'}}[19] = > > > $cgiparams{'IKE_INTEGRITY'}; > > > + $confighash{$cgiparams{'KEY'}}[20] = > > > $cgiparams{'IKE_GROUPTYPE'}; > > > + $confighash{$cgiparams{'KEY'}}[16] = > > > $cgiparams{'IKE_LIFETIME'}; > > > + $confighash{$cgiparams{'KEY'}}[21] = > > > $cgiparams{'ESP_ENCRYPTION'}; > > > + $confighash{$cgiparams{'KEY'}}[22] = > > > $cgiparams{'ESP_INTEGRITY'}; > > > + $confighash{$cgiparams{'KEY'}}[23] = > > > $cgiparams{'ESP_GROUPTYPE'}; > > > + $confighash{$cgiparams{'KEY'}}[17] = > > > $cgiparams{'ESP_KEYLIFE'}; > > > + $confighash{$cgiparams{'KEY'}}[12] = 'off'; > > > #$cgiparams{'AGGRMODE'}; > > > + $confighash{$cgiparams{'KEY'}}[13] = > > > $cgiparams{'COMPRESSION'}; > > > + $confighash{$cgiparams{'KEY'}}[24] = > > > $cgiparams{'ONLY_PROPOSED'}; > > > + $confighash{$cgiparams{'KEY'}}[28] = > > > $cgiparams{'PFS'}; > > > + $confighash{$cgiparams{'KEY'}}[27] = > > > $cgiparams{'DPD_ACTION'}; > > > + $confighash{$cgiparams{'KEY'}}[30] = > > > $cgiparams{'DPD_TIMEOUT'}; > > > + $confighash{$cgiparams{'KEY'}}[31] = > > > $cgiparams{'DPD_DELAY'}; > > > + $confighash{$cgiparams{'KEY'}}[32] = > > > $cgiparams{'FORCE_MOBIKE'}; > > > + &General::writehasharray("${General::swroot}/vpn > > > /con > > > fig", \%confighash); > > > + &writeipsecfiles(); > > > + if (&vpnenabled) { > > > + system('/usr/local/bin/ipsecctrl', 'S', > > > $cgiparams{'KEY'}); > > > + sleep $sleepDelay; > > > + } > > > + goto ADVANCED_END; > > > + } else { > > > + $cgiparams{'IKE_VERSION'} = > > > $confighash{$cgiparams{'KEY'}}[29]; > > > + $cgiparams{'IKE_ENCRYPTION'} = > > > $confighash{$cgiparams{'KEY'}}[18]; > > > + $cgiparams{'IKE_INTEGRITY'} = > > > $confighash{$cgiparams{'KEY'}}[19]; > > > + $cgiparams{'IKE_GROUPTYPE'} = > > > $confighash{$cgiparams{'KEY'}}[20]; > > > + $cgiparams{'IKE_LIFETIME'} = > > > $confighash{$cgiparams{'KEY'}}[16]; > > > + $cgiparams{'ESP_ENCRYPTION'} = > > > $confighash{$cgiparams{'KEY'}}[21]; > > > + $cgiparams{'ESP_INTEGRITY'} = > > > $confighash{$cgiparams{'KEY'}}[22]; > > > + $cgiparams{'ESP_GROUPTYPE'} = > > > $confighash{$cgiparams{'KEY'}}[23]; > > > + if ($cgiparams{'ESP_GROUPTYPE'} eq "") { > > > + $cgiparams{'ESP_GROUPTYPE'} = > > > $cgiparams{'IKE_GROUPTYPE'}; > > > + } > > > + $cgiparams{'ESP_KEYLIFE'} = > > > $confighash{$cgiparams{'KEY'}}[17]; > > > + $cgiparams{'COMPRESSION'} = > > > $confighash{$cgiparams{'KEY'}}[13]; > > > + $cgiparams{'ONLY_PROPOSED'} = > > > $confighash{$cgiparams{'KEY'}}[24]; > > > + $cgiparams{'PFS'} > > > = > > > $confighash{$cgiparams{'KEY'}}[28]; > > > + $cgiparams{'DPD_ACTION'} = > > > $confighash{$cgiparams{'KEY'}}[27]; > > > + $cgiparams{'DPD_TIMEOUT'} = > > > $confighash{$cgiparams{'KEY'}}[30]; > > > + $cgiparams{'DPD_DELAY'} = > > > $confighash{$cgiparams{'KEY'}}[31]; > > > + $cgiparams{'FORCE_MOBIKE'} = > > > $confighash{$cgiparams{'KEY'}}[32]; > > > + > > > + if (!$cgiparams{'DPD_DELAY'}) { > > > + $cgiparams{'DPD_DELAY'} = 30; > > > + } > > > + > > > + if (!$cgiparams{'DPD_TIMEOUT'}) { > > > + $cgiparams{'DPD_TIMEOUT'} = 120; > > > + } > > > } > > > + > > > + ADVANCED_ERROR: > > > + $checked{'IKE_ENCRYPTION'}{'aes256'} = ''; > > > + $checked{'IKE_ENCRYPTION'}{'aes192'} = ''; > > > + $checked{'IKE_ENCRYPTION'}{'aes128'} = ''; > > > + $checked{'IKE_ENCRYPTION'}{'aes256gcm128'} = ''; > > > + $checked{'IKE_ENCRYPTION'}{'aes192gcm128'} = ''; > > > + $checked{'IKE_ENCRYPTION'}{'aes128gcm128'} = ''; > > > + $checked{'IKE_ENCRYPTION'}{'aes256gcm96'} = ''; > > > + $checked{'IKE_ENCRYPTION'}{'aes192gcm96'} = ''; > > > + $checked{'IKE_ENCRYPTION'}{'aes128gcm96'} = ''; > > > + $checked{'IKE_ENCRYPTION'}{'aes256gcm64'} = ''; > > > + $checked{'IKE_ENCRYPTION'}{'aes192gcm64'} = ''; > > > + $checked{'IKE_ENCRYPTION'}{'aes128gcm64'} = ''; > > > + $checked{'IKE_ENCRYPTION'}{'3des'} = ''; > > > + $checked{'IKE_ENCRYPTION'}{'camellia256'} = ''; > > > + $checked{'IKE_ENCRYPTION'}{'camellia192'} = ''; > > > + $checked{'IKE_ENCRYPTION'}{'camellia128'} = ''; > > > + my @temp = split('\|', $cgiparams{'IKE_ENCRYPTION'}); > > > + foreach my $key (@temp) > > > {$checked{'IKE_ENCRYPTION'}{$key} = > > > "selected='selected'"; } > > > + $checked{'IKE_INTEGRITY'}{'sha2_512'} = ''; > > > + $checked{'IKE_INTEGRITY'}{'sha2_384'} = ''; > > > + $checked{'IKE_INTEGRITY'}{'sha2_256'} = ''; > > > + $checked{'IKE_INTEGRITY'}{'sha'} = ''; > > > + $checked{'IKE_INTEGRITY'}{'md5'} = ''; > > > + $checked{'IKE_INTEGRITY'}{'aesxcbc'} = ''; > > > @temp = split('\|', $cgiparams{'IKE_INTEGRITY'}); > > > - if ($#temp < 0) { > > > - $errormessage = $Lang::tr{'invalid input'}; > > > - goto ADVANCED_ERROR; > > > - } > > > - foreach my $val (@temp) { > > > - if ($val !~ > > > /^(sha2_(512|384|256)|sha|md5|aesxcbc)$/) { > > > - $errormessage = $Lang::tr{'invalid input'}; > > > - goto ADVANCED_ERROR; > > > - } > > > - } > > > + foreach my $key (@temp) {$checked{'IKE_INTEGRITY'}{$key} > > > = > > > "selected='selected'"; } > > > + $checked{'IKE_GROUPTYPE'}{'768'} = ''; > > > + $checked{'IKE_GROUPTYPE'}{'1024'} = ''; > > > + $checked{'IKE_GROUPTYPE'}{'1536'} = ''; > > > + $checked{'IKE_GROUPTYPE'}{'2048'} = ''; > > > + $checked{'IKE_GROUPTYPE'}{'3072'} = ''; > > > + $checked{'IKE_GROUPTYPE'}{'4096'} = ''; > > > + $checked{'IKE_GROUPTYPE'}{'6144'} = ''; > > > + $checked{'IKE_GROUPTYPE'}{'8192'} = ''; > > > @temp = split('\|', $cgiparams{'IKE_GROUPTYPE'}); > > > - if ($#temp < 0) { > > > - $errormessage = $Lang::tr{'invalid input'}; > > > - goto ADVANCED_ERROR; > > > - } > > > - foreach my $val (@temp) { > > > - if ($val !~ > > > /^(e521|e384|e256|e224|e192|e512bp|e384bp|e256bp|e224bp|1024|1536 > > > |204 > > > 8|2048s256|2048s224|2048s160|3072|4096|6144|8192)$/) { > > > - $errormessage = $Lang::tr{'invalid input'}; > > > - goto ADVANCED_ERROR; > > > - } > > > - } > > > - if ($cgiparams{'IKE_LIFETIME'} !~ /^\d+$/) { > > > - $errormessage = $Lang::tr{'invalid input for ike > > > lifetime'}; > > > - goto ADVANCED_ERROR; > > > - } > > > - if ($cgiparams{'IKE_LIFETIME'} < 1 || > > > $cgiparams{'IKE_LIFETIME'} > 8) { > > > - $errormessage = $Lang::tr{'ike lifetime should be > > > between 1 and 8 hours'}; > > > - goto ADVANCED_ERROR; > > > - } > > > + foreach my $key (@temp) {$checked{'IKE_GROUPTYPE'}{$key} > > > = > > > "selected='selected'"; } > > > + > > > + # 768 is not supported by strongswan > > > + $checked{'IKE_GROUPTYPE'}{'768'} = ''; > > > + > > > + $checked{'ESP_ENCRYPTION'}{'aes256'} = ''; > > > + $checked{'ESP_ENCRYPTION'}{'aes192'} = ''; > > > + $checked{'ESP_ENCRYPTION'}{'aes128'} = ''; > > > + $checked{'ESP_ENCRYPTION'}{'aes256gcm128'} = ''; > > > + $checked{'ESP_ENCRYPTION'}{'aes192gcm128'} = ''; > > > + $checked{'ESP_ENCRYPTION'}{'aes128gcm128'} = ''; > > > + $checked{'ESP_ENCRYPTION'}{'aes256gcm96'} = ''; > > > + $checked{'ESP_ENCRYPTION'}{'aes192gcm96'} = ''; > > > + $checked{'ESP_ENCRYPTION'}{'aes128gcm96'} = ''; > > > + $checked{'ESP_ENCRYPTION'}{'aes256gcm64'} = ''; > > > + $checked{'ESP_ENCRYPTION'}{'aes192gcm64'} = ''; > > > + $checked{'ESP_ENCRYPTION'}{'aes128gcm64'} = ''; > > > + $checked{'ESP_ENCRYPTION'}{'3des'} = ''; > > > + $checked{'ESP_ENCRYPTION'}{'camellia256'} = ''; > > > + $checked{'ESP_ENCRYPTION'}{'camellia192'} = ''; > > > + $checked{'ESP_ENCRYPTION'}{'camellia128'} = ''; > > > @temp = split('\|', $cgiparams{'ESP_ENCRYPTION'}); > > > - if ($#temp < 0) { > > > - $errormessage = $Lang::tr{'invalid input'}; > > > - goto ADVANCED_ERROR; > > > - } > > > - foreach my $val (@temp) { > > > - if ($val !~ > > > /^(aes(256|192|128)(gcm(128|96|64))?|3des|camellia(256|192|128))$ > > > /) { > > > - $errormessage = $Lang::tr{'invalid input'}; > > > - goto ADVANCED_ERROR; > > > - } > > > - } > > > + foreach my $key (@temp) > > > {$checked{'ESP_ENCRYPTION'}{$key} = > > > "selected='selected'"; } > > > + $checked{'ESP_INTEGRITY'}{'sha2_512'} = ''; > > > + $checked{'ESP_INTEGRITY'}{'sha2_384'} = ''; > > > + $checked{'ESP_INTEGRITY'}{'sha2_256'} = ''; > > > + $checked{'ESP_INTEGRITY'}{'sha1'} = ''; > > > + $checked{'ESP_INTEGRITY'}{'md5'} = ''; > > > + $checked{'ESP_INTEGRITY'}{'aesxcbc'} = ''; > > > @temp = split('\|', $cgiparams{'ESP_INTEGRITY'}); > > > - if ($#temp < 0) { > > > - $errormessage = $Lang::tr{'invalid input'}; > > > - goto ADVANCED_ERROR; > > > - } > > > - foreach my $val (@temp) { > > > - if ($val !~ > > > /^(sha2_(512|384|256)|sha1|md5|aesxcbc)$/) { > > > - $errormessage = $Lang::tr{'invalid input'}; > > > - goto ADVANCED_ERROR; > > > - } > > > - } > > > + foreach my $key (@temp) {$checked{'ESP_INTEGRITY'}{$key} > > > = > > > "selected='selected'"; } > > > + $checked{'ESP_GROUPTYPE'}{'768'} = ''; > > > + $checked{'ESP_GROUPTYPE'}{'1024'} = ''; > > > + $checked{'ESP_GROUPTYPE'}{'1536'} = ''; > > > + $checked{'ESP_GROUPTYPE'}{'2048'} = ''; > > > + $checked{'ESP_GROUPTYPE'}{'3072'} = ''; > > > + $checked{'ESP_GROUPTYPE'}{'4096'} = ''; > > > + $checked{'ESP_GROUPTYPE'}{'6144'} = ''; > > > + $checked{'ESP_GROUPTYPE'}{'8192'} = ''; > > > + $checked{'ESP_GROUPTYPE'}{'none'} = ''; > > > @temp = split('\|', $cgiparams{'ESP_GROUPTYPE'}); > > > - if ($#temp < 0) { > > > - $errormessage = $Lang::tr{'invalid input'}; > > > - goto ADVANCED_ERROR; > > > - } > > > - foreach my $val (@temp) { > > > - if ($val !~ > > > /^(e521|e384|e256|e224|e192|e512bp|e384bp|e256bp|e224bp|1024|1536 > > > |204 > > > 8|2048s256|2048s224|2048s160|3072|4096|6144|8192|none)$/) { > > > - $errormessage = $Lang::tr{'invalid input'}; > > > - goto ADVANCED_ERROR; > > > - } > > > - } > > > - if ($cgiparams{'ESP_KEYLIFE'} !~ /^\d+$/) { > > > - $errormessage = $Lang::tr{'invalid input for esp > > > keylife'}; > > > - goto ADVANCED_ERROR; > > > - } > > > - if ($cgiparams{'ESP_KEYLIFE'} < 1 || > > > $cgiparams{'ESP_KEYLIFE'} > 24) { > > > - $errormessage = $Lang::tr{'esp keylife should be > > > between > > > 1 and 24 hours'}; > > > - goto ADVANCED_ERROR; > > > - } > > > - > > > - if ( > > > - ($cgiparams{'COMPRESSION'} !~ /^(|on|off)$/) || > > > - ($cgiparams{'FORCE_MOBIKE'} !~ /^(|on|off)$/) || > > > - ($cgiparams{'ONLY_PROPOSED'} !~ /^(|on|off)$/) || > > > - ($cgiparams{'PFS'} !~ /^(|on|off)$/) > > > - ){ > > > - $errormessage = $Lang::tr{'invalid input'}; > > > - goto ADVANCED_ERROR; > > > - } > > > - > > > - if ($cgiparams{'DPD_DELAY'} !~ /^\d+$/) { > > > - $errormessage = $Lang::tr{'invalid input for dpd > > > delay'}; > > > - goto ADVANCED_ERROR; > > > - } > > > - > > > - if ($cgiparams{'DPD_TIMEOUT'} !~ /^\d+$/) { > > > - $errormessage = $Lang::tr{'invalid input for dpd > > > timeout'}; > > > - goto ADVANCED_ERROR; > > > - } > > > - > > > - $confighash{$cgiparams{'KEY'}}[29] = > > > $cgiparams{'IKE_VERSION'}; > > > - $confighash{$cgiparams{'KEY'}}[18] = > > > $cgiparams{'IKE_ENCRYPTION'}; > > > - $confighash{$cgiparams{'KEY'}}[19] = > > > $cgiparams{'IKE_INTEGRITY'}; > > > - $confighash{$cgiparams{'KEY'}}[20] = > > > $cgiparams{'IKE_GROUPTYPE'}; > > > - $confighash{$cgiparams{'KEY'}}[16] = > > > $cgiparams{'IKE_LIFETIME'}; > > > - $confighash{$cgiparams{'KEY'}}[21] = > > > $cgiparams{'ESP_ENCRYPTION'}; > > > - $confighash{$cgiparams{'KEY'}}[22] = > > > $cgiparams{'ESP_INTEGRITY'}; > > > - $confighash{$cgiparams{'KEY'}}[23] = > > > $cgiparams{'ESP_GROUPTYPE'}; > > > - $confighash{$cgiparams{'KEY'}}[17] = > > > $cgiparams{'ESP_KEYLIFE'}; > > > - $confighash{$cgiparams{'KEY'}}[12] = 'off'; > > > #$cgiparams{'AGGRMODE'}; > > > - $confighash{$cgiparams{'KEY'}}[13] = > > > $cgiparams{'COMPRESSION'}; > > > - $confighash{$cgiparams{'KEY'}}[24] = > > > $cgiparams{'ONLY_PROPOSED'}; > > > - $confighash{$cgiparams{'KEY'}}[28] = $cgiparams{'PFS'}; > > > - $confighash{$cgiparams{'KEY'}}[27] = > > > $cgiparams{'DPD_ACTION'}; > > > - $confighash{$cgiparams{'KEY'}}[30] = > > > $cgiparams{'DPD_TIMEOUT'}; > > > - $confighash{$cgiparams{'KEY'}}[31] = > > > $cgiparams{'DPD_DELAY'}; > > > - $confighash{$cgiparams{'KEY'}}[32] = > > > $cgiparams{'FORCE_MOBIKE'}; > > > - &General::writehasharray("${General::swroot}/vpn/config" > > > , > > > \%confighash); > > > - &writeipsecfiles(); > > > - if (&vpnenabled) { > > > - system('/usr/local/bin/ipsecctrl', 'S', > > > $cgiparams{'KEY'}); > > > - sleep $sleepDelay; > > > - } > > > - goto ADVANCED_END; > > > - } else { > > > - $cgiparams{'IKE_VERSION'} = > > > $confighash{$cgiparams{'KEY'}}[29]; > > > - $cgiparams{'IKE_ENCRYPTION'} = > > > $confighash{$cgiparams{'KEY'}}[18]; > > > - $cgiparams{'IKE_INTEGRITY'} = > > > $confighash{$cgiparams{'KEY'}}[19]; > > > - $cgiparams{'IKE_GROUPTYPE'} = > > > $confighash{$cgiparams{'KEY'}}[20]; > > > - $cgiparams{'IKE_LIFETIME'} = > > > $confighash{$cgiparams{'KEY'}}[16]; > > > - $cgiparams{'ESP_ENCRYPTION'} = > > > $confighash{$cgiparams{'KEY'}}[21]; > > > - $cgiparams{'ESP_INTEGRITY'} = > > > $confighash{$cgiparams{'KEY'}}[22]; > > > - $cgiparams{'ESP_GROUPTYPE'} = > > > $confighash{$cgiparams{'KEY'}}[23]; > > > - if ($cgiparams{'ESP_GROUPTYPE'} eq "") { > > > - $cgiparams{'ESP_GROUPTYPE'} = > > > $cgiparams{'IKE_GROUPTYPE'}; > > > - } > > > - $cgiparams{'ESP_KEYLIFE'} = > > > $confighash{$cgiparams{'KEY'}}[17]; > > > - $cgiparams{'COMPRESSION'} = > > > $confighash{$cgiparams{'KEY'}}[13]; > > > - $cgiparams{'ONLY_PROPOSED'} = > > > $confighash{$cgiparams{'KEY'}}[24]; > > > - $cgiparams{'PFS'} = > > > $confighash{$cgiparams{'KEY'}}[28]; > > > - $cgiparams{'DPD_ACTION'} = > > > $confighash{$cgiparams{'KEY'}}[27]; > > > - $cgiparams{'DPD_TIMEOUT'} = > > > $confighash{$cgiparams{'KEY'}}[30]; > > > - $cgiparams{'DPD_DELAY'} = > > > $confighash{$cgiparams{'KEY'}}[31]; > > > - $cgiparams{'FORCE_MOBIKE'} = > > > $confighash{$cgiparams{'KEY'}}[32]; > > > + foreach my $key (@temp) {$checked{'ESP_GROUPTYPE'}{$key} > > > = > > > "selected='selected'"; } > > > > > > - if (!$cgiparams{'DPD_DELAY'}) { > > > - $cgiparams{'DPD_DELAY'} = 30; > > > - } > > > + $checked{'COMPRESSION'} = $cgiparams{'COMPRESSION'} eq > > > 'on' > > > ? "checked='checked'" : '' ; > > > + $checked{'FORCE_MOBIKE'} = $cgiparams{'FORCE_MOBIKE'} eq > > > 'on' ? "checked='checked'" : '' ; > > > + $checked{'ONLY_PROPOSED'} = $cgiparams{'ONLY_PROPOSED'} > > > eq > > > 'on' ? "checked='checked'" : '' ; > > > + $checked{'PFS'} = $cgiparams{'PFS'} eq 'on' ? > > > "checked='checked'" : '' ; > > > > > > - if (!$cgiparams{'DPD_TIMEOUT'}) { > > > - $cgiparams{'DPD_TIMEOUT'} = 120; > > > - } > > > + $selected{'IKE_VERSION'}{'ikev1'} = ''; > > > + $selected{'IKE_VERSION'}{'ikev2'} = ''; > > > + $selected{'IKE_VERSION'}{$cgiparams{'IKE_VERSION'}} = > > > "selected='selected'"; > > > > > > - } > > > - > > > - ADVANCED_ERROR: > > > - $checked{'IKE_ENCRYPTION'}{'aes256'} = ''; > > > - $checked{'IKE_ENCRYPTION'}{'aes192'} = ''; > > > - $checked{'IKE_ENCRYPTION'}{'aes128'} = ''; > > > - $checked{'IKE_ENCRYPTION'}{'aes256gcm128'} = ''; > > > - $checked{'IKE_ENCRYPTION'}{'aes192gcm128'} = ''; > > > - $checked{'IKE_ENCRYPTION'}{'aes128gcm128'} = ''; > > > - $checked{'IKE_ENCRYPTION'}{'aes256gcm96'} = ''; > > > - $checked{'IKE_ENCRYPTION'}{'aes192gcm96'} = ''; > > > - $checked{'IKE_ENCRYPTION'}{'aes128gcm96'} = ''; > > > - $checked{'IKE_ENCRYPTION'}{'aes256gcm64'} = ''; > > > - $checked{'IKE_ENCRYPTION'}{'aes192gcm64'} = ''; > > > - $checked{'IKE_ENCRYPTION'}{'aes128gcm64'} = ''; > > > - $checked{'IKE_ENCRYPTION'}{'3des'} = ''; > > > - $checked{'IKE_ENCRYPTION'}{'camellia256'} = ''; > > > - $checked{'IKE_ENCRYPTION'}{'camellia192'} = ''; > > > - $checked{'IKE_ENCRYPTION'}{'camellia128'} = ''; > > > - my @temp = split('\|', $cgiparams{'IKE_ENCRYPTION'}); > > > - foreach my $key (@temp) {$checked{'IKE_ENCRYPTION'}{$key} = > > > "selected='selected'"; } > > > - $checked{'IKE_INTEGRITY'}{'sha2_512'} = ''; > > > - $checked{'IKE_INTEGRITY'}{'sha2_384'} = ''; > > > - $checked{'IKE_INTEGRITY'}{'sha2_256'} = ''; > > > - $checked{'IKE_INTEGRITY'}{'sha'} = ''; > > > - $checked{'IKE_INTEGRITY'}{'md5'} = ''; > > > - $checked{'IKE_INTEGRITY'}{'aesxcbc'} = ''; > > > - @temp = split('\|', $cgiparams{'IKE_INTEGRITY'}); > > > - foreach my $key (@temp) {$checked{'IKE_INTEGRITY'}{$key} = > > > "selected='selected'"; } > > > - $checked{'IKE_GROUPTYPE'}{'768'} = ''; > > > - $checked{'IKE_GROUPTYPE'}{'1024'} = ''; > > > - $checked{'IKE_GROUPTYPE'}{'1536'} = ''; > > > - $checked{'IKE_GROUPTYPE'}{'2048'} = ''; > > > - $checked{'IKE_GROUPTYPE'}{'3072'} = ''; > > > - $checked{'IKE_GROUPTYPE'}{'4096'} = ''; > > > - $checked{'IKE_GROUPTYPE'}{'6144'} = ''; > > > - $checked{'IKE_GROUPTYPE'}{'8192'} = ''; > > > - @temp = split('\|', $cgiparams{'IKE_GROUPTYPE'}); > > > - foreach my $key (@temp) {$checked{'IKE_GROUPTYPE'}{$key} = > > > "selected='selected'"; } > > > - > > > - # 768 is not supported by strongswan > > > - $checked{'IKE_GROUPTYPE'}{'768'} = ''; > > > - > > > - $checked{'ESP_ENCRYPTION'}{'aes256'} = ''; > > > - $checked{'ESP_ENCRYPTION'}{'aes192'} = ''; > > > - $checked{'ESP_ENCRYPTION'}{'aes128'} = ''; > > > - $checked{'ESP_ENCRYPTION'}{'aes256gcm128'} = ''; > > > - $checked{'ESP_ENCRYPTION'}{'aes192gcm128'} = ''; > > > - $checked{'ESP_ENCRYPTION'}{'aes128gcm128'} = ''; > > > - $checked{'ESP_ENCRYPTION'}{'aes256gcm96'} = ''; > > > - $checked{'ESP_ENCRYPTION'}{'aes192gcm96'} = ''; > > > - $checked{'ESP_ENCRYPTION'}{'aes128gcm96'} = ''; > > > - $checked{'ESP_ENCRYPTION'}{'aes256gcm64'} = ''; > > > - $checked{'ESP_ENCRYPTION'}{'aes192gcm64'} = ''; > > > - $checked{'ESP_ENCRYPTION'}{'aes128gcm64'} = ''; > > > - $checked{'ESP_ENCRYPTION'}{'3des'} = ''; > > > - $checked{'ESP_ENCRYPTION'}{'camellia256'} = ''; > > > - $checked{'ESP_ENCRYPTION'}{'camellia192'} = ''; > > > - $checked{'ESP_ENCRYPTION'}{'camellia128'} = ''; > > > - @temp = split('\|', $cgiparams{'ESP_ENCRYPTION'}); > > > - foreach my $key (@temp) {$checked{'ESP_ENCRYPTION'}{$key} = > > > "selected='selected'"; } > > > - $checked{'ESP_INTEGRITY'}{'sha2_512'} = ''; > > > - $checked{'ESP_INTEGRITY'}{'sha2_384'} = ''; > > > - $checked{'ESP_INTEGRITY'}{'sha2_256'} = ''; > > > - $checked{'ESP_INTEGRITY'}{'sha1'} = ''; > > > - $checked{'ESP_INTEGRITY'}{'md5'} = ''; > > > - $checked{'ESP_INTEGRITY'}{'aesxcbc'} = ''; > > > - @temp = split('\|', $cgiparams{'ESP_INTEGRITY'}); > > > - foreach my $key (@temp) {$checked{'ESP_INTEGRITY'}{$key} = > > > "selected='selected'"; } > > > - $checked{'ESP_GROUPTYPE'}{'768'} = ''; > > > - $checked{'ESP_GROUPTYPE'}{'1024'} = ''; > > > - $checked{'ESP_GROUPTYPE'}{'1536'} = ''; > > > - $checked{'ESP_GROUPTYPE'}{'2048'} = ''; > > > - $checked{'ESP_GROUPTYPE'}{'3072'} = ''; > > > - $checked{'ESP_GROUPTYPE'}{'4096'} = ''; > > > - $checked{'ESP_GROUPTYPE'}{'6144'} = ''; > > > - $checked{'ESP_GROUPTYPE'}{'8192'} = ''; > > > - $checked{'ESP_GROUPTYPE'}{'none'} = ''; > > > - @temp = split('\|', $cgiparams{'ESP_GROUPTYPE'}); > > > - foreach my $key (@temp) {$checked{'ESP_GROUPTYPE'}{$key} = > > > "selected='selected'"; } > > > - > > > - $checked{'COMPRESSION'} = $cgiparams{'COMPRESSION'} eq 'on' > > > ? > > > "checked='checked'" : '' ; > > > - $checked{'FORCE_MOBIKE'} = $cgiparams{'FORCE_MOBIKE'} eq > > > 'on' ? > > > "checked='checked'" : '' ; > > > - $checked{'ONLY_PROPOSED'} = $cgiparams{'ONLY_PROPOSED'} eq > > > 'on' > > > ? "checked='checked'" : '' ; > > > - $checked{'PFS'} = $cgiparams{'PFS'} eq 'on' ? > > > "checked='checked'" : '' ; > > > - > > > - $selected{'IKE_VERSION'}{'ikev1'} = ''; > > > - $selected{'IKE_VERSION'}{'ikev2'} = ''; > > > - $selected{'IKE_VERSION'}{$cgiparams{'IKE_VERSION'}} = > > > "selected='selected'"; > > > - > > > - $selected{'DPD_ACTION'}{'clear'} = ''; > > > - $selected{'DPD_ACTION'}{'hold'} = ''; > > > - $selected{'DPD_ACTION'}{'restart'} = ''; > > > - $selected{'DPD_ACTION'}{'none'} = ''; > > > - $selected{'DPD_ACTION'}{$cgiparams{'DPD_ACTION'}} = > > > "selected='selected'"; > > > - > > > - &Header::showhttpheaders(); > > > - &Header::openpage($Lang::tr{'ipsec'}, 1, ''); > > > - &Header::openbigbox('100%', 'left', '', $errormessage); > > > - > > > - if ($errormessage) { > > > - &Header::openbox('100%', 'left', $Lang::tr{'error > > > messages'}); > > > - print "<class name='base'>$errormessage"; > > > - print " </class>"; > > > - &Header::closebox(); > > > - } > > > + $selected{'DPD_ACTION'}{'clear'} = ''; > > > + $selected{'DPD_ACTION'}{'hold'} = ''; > > > + $selected{'DPD_ACTION'}{'restart'} = ''; > > > + $selected{'DPD_ACTION'}{'none'} = ''; > > > + $selected{'DPD_ACTION'}{$cgiparams{'DPD_ACTION'}} = > > > "selected='selected'"; > > > > > > - if ($warnmessage) { > > > - &Header::openbox('100%', 'left', $Lang::tr{'warning > > > messages'}); > > > - print "<class name='base'>$warnmessage"; > > > - print " </class>"; > > > - &Header::closebox(); > > > - } > > > + &Header::showhttpheaders(); > > > + &Header::openpage($Lang::tr{'ipsec'}, 1, ''); > > > + &Header::openbigbox('100%', 'left', '', $errormessage); > > > + > > > + if ($errormessage) { > > > + &Header::openbox('100%', 'left', > > > $Lang::tr{'error > > > messages'}); > > > + print "<class name='base'>$errormessage"; > > > + print " </class>"; > > > + &Header::closebox(); > > > + } > > > + > > > + if ($warnmessage) { > > > + &Header::openbox('100%', 'left', > > > $Lang::tr{'warning > > > messages'}); > > > + print "<class name='base'>$warnmessage"; > > > + print " </class>"; > > > + &Header::closebox(); > > > + } > > > > > > - &Header::openbox('100%', 'left', "$Lang::tr{'advanced'}:"); > > > - print <<EOF > > > - <form method='post' enctype='multipart/form-data' > > > action='$ENV{'SCRIPT_NAME'}'> > > > - <input type='hidden' name='ADVANCED' value='yes' /> > > > - <input type='hidden' name='KEY' value='$cgiparams{'KEY'}' /> > > > + &Header::openbox('100%', 'left', > > > "$Lang::tr{'advanced'}:"); > > > + print <<EOF > > > + <form method='post' enctype='multipart/form-data' > > > action='$ENV{'SCRIPT_NAME'}'> > > > + <input type='hidden' name='ADVANCED' value='yes' /> > > > + <input type='hidden' name='KEY' > > > value='$cgiparams{'KEY'}' /> > > > > > > - <table width='100%'> > > > + <table width='100%'> > > > <thead> > > > <tr> > > > <th width="15%"></th> > > > @@ -2545,14 +2540,14 @@ if(($cgiparams{'ACTION'} eq > > > $Lang::tr{'advanced'}) || > > > </td> > > > </tr> > > > </tbody> > > > - </table> > > > + </table> > > > > > > <br><br> > > > > > > <h2>$Lang::tr{'dead peer detection'}</h2> > > > > > > - <table width="100%"> > > > - <tr> > > > + <table width="100%"> > > > + <tr> > > > <td width="15%">$Lang::tr{'dpd action'}:</td> > > > <td> > > > <select name='DPD_ACTION'> > > > @@ -2575,11 +2570,11 @@ if(($cgiparams{'ACTION'} eq > > > $Lang::tr{'advanced'}) || > > > <input type='text' name='DPD_DELAY' > > > size='5' > > > value='$cgiparams{'DPD_DELAY'}' /> > > > </td> > > > </tr> > > > - </table> > > > + </table> > > > > > > - <hr> > > > + <hr> > > > > > > - <table width="100%"> > > > + <table width="100%"> > > > <tr> > > > <td> > > > <label> > > > @@ -2613,9 +2608,9 @@ if(($cgiparams{'ACTION'} eq > > > $Lang::tr{'advanced'}) || > > > </td> > > > </tr> > > > EOF > > > - ; > > > +; > > > > > > - print <<EOF; > > > + print <<EOF; > > > <tr> > > > <td align='left' colspan='1'><img > > > src='/blob.gif' > > > align='top' alt='*' /> $Lang::tr{'required field'}</td> > > > <td align='right' colspan='2'> > > > @@ -2623,58 +2618,58 @@ EOF > > > <input type='submit' name='ACTION' > > > value='$Lang::tr{'cancel'}' /> > > > </td> > > > </tr> > > > - </table></form> > > > + </table></form> > > > EOF > > > > > > - &Header::closebox(); > > > - &Header::closebigbox(); > > > - &Header::closepage(); > > > - exit(0); > > > + &Header::closebox(); > > > + &Header::closebigbox(); > > > + &Header::closepage(); > > > + exit(0); > > > > > > - ADVANCED_END: > > > + ADVANCED_END: > > > } > > > > > > ### > > > ### Default status page > > > ### > > > - %cgiparams = (); > > > - %cahash = (); > > > - %confighash = (); > > > - &General::readhash("${General::swroot}/vpn/settings", > > > \%cgiparams); > > > - &General::readhasharray("${General::swroot}/vpn/caconfig", > > > \%cahash); > > > - &General::readhasharray("${General::swroot}/vpn/config", > > > \%confighash); > > > - $cgiparams{'CA_NAME'} = ''; > > > - > > > - my @status = `/usr/local/bin/ipsecctrl I 2>/dev/null`; > > > - > > > - # suggest a default name for this side > > > - if ($cgiparams{'VPN_IP'} eq '' && -e > > > "${General::swroot}/red/active") { > > > - if (open(IPADDR, "${General::swroot}/red/local > > > -ipaddress")) > > > { > > > - my $ipaddr = <IPADDR>; > > > - close IPADDR; > > > - chomp ($ipaddr); > > > - $cgiparams{'VPN_IP'} = (gethostbyaddr(pack("C4", > > > split(/\./, $ipaddr)), 2))[0]; > > > - if ($cgiparams{'VPN_IP'} eq '') { > > > - $cgiparams{'VPN_IP'} = $ipaddr; > > > - } > > > - } > > > - } > > > - # no IP found, use %defaultroute > > > - $cgiparams{'VPN_IP'} ='%defaultroute' if > > > ($cgiparams{'VPN_IP'} > > > eq ''); > > > - > > > - $cgiparams{'VPN_DELAYED_START'} = 0 if (! defined > > > ($cgiparams{'VPN_DELAYED_START'})); > > > - $checked{'ENABLED'} = $cgiparams{'ENABLED'} eq 'on' ? > > > "checked='checked'" : ''; > > > - > > > - &Header::showhttpheaders(); > > > - &Header::openpage($Lang::tr{'ipsec'}, 1, ''); > > > - &Header::openbigbox('100%', 'left', '', $errormessage); > > > - > > > - if ($errormessage) { > > > - &Header::openbox('100%', 'left', $Lang::tr{'error > > > messages'}); > > > - print "<class name='base'>$errormessage\n"; > > > - print " </class>\n"; > > > - &Header::closebox(); > > > - } > > > + %cgiparams = (); > > > + %cahash = (); > > > + %confighash = (); > > > + &General::readhash("${General::swroot}/vpn/settings", > > > \%cgiparams); > > > + &General::readhasharray("${General::swroot}/vpn/caconfig > > > ", > > > \%cahash); > > > + &General::readhasharray("${General::swroot}/vpn/config", > > > \%confighash); > > > + $cgiparams{'CA_NAME'} = ''; > > > + > > > + my @status = `/usr/local/bin/ipsecctrl I 2>/dev/null`; > > > + > > > + # suggest a default name for this side > > > + if ($cgiparams{'VPN_IP'} eq '' && -e > > > "${General::swroot}/red/active") { > > > + if (open(IPADDR, "${General::swroot}/red/local > > > -ipaddress")) { > > > + my $ipaddr = <IPADDR>; > > > + close IPADDR; > > > + chomp ($ipaddr); > > > + $cgiparams{'VPN_IP'} = > > > (gethostbyaddr(pack("C4", split(/\./, $ipaddr)), 2))[0]; > > > + if ($cgiparams{'VPN_IP'} eq '') { > > > + $cgiparams{'VPN_IP'} = $ipaddr; > > > + } > > > + } > > > + } > > > + # no IP found, use %defaultroute > > > + $cgiparams{'VPN_IP'} ='%defaultroute' if > > > ($cgiparams{'VPN_IP'} eq ''); > > > + > > > + $cgiparams{'VPN_DELAYED_START'} = 0 if (! defined > > > ($cgiparams{'VPN_DELAYED_START'})); > > > + $checked{'ENABLED'} = $cgiparams{'ENABLED'} eq 'on' ? > > > "checked='checked'" : ''; > > > + > > > + &Header::showhttpheaders(); > > > + &Header::openpage($Lang::tr{'ipsec'}, 1, ''); > > > + &Header::openbigbox('100%', 'left', '', $errormessage); > > > + > > > + if ($errormessage) { > > > + &Header::openbox('100%', 'left', > > > $Lang::tr{'error > > > messages'}); > > > + print "<class name='base'>$errormessage\n"; > > > + print " </class>\n"; > > > + &Header::closebox(); > > > + } > > > > > > if ($warnmessage) { > > > &Header::openbox('100%', 'left', > > > $Lang::tr{'warning > > > messages'}); > > > @@ -2686,61 +2681,61 @@ EOF > > > exit 0; > > > } > > > > > > - &Header::openbox('100%', 'left', $Lang::tr{'global > > > settings'}); > > > - print <<END > > > - <form method='post' action='$ENV{'SCRIPT_NAME'}'> > > > - <table width='100%'> > > > - <tr> > > > + &Header::openbox('100%', 'left', $Lang::tr{'global > > > settings'}); > > > + print <<END > > > + <form method='post' action='$ENV{'SCRIPT_NAME'}'> > > > + <table width='100%'> > > > + <tr> > > > <td width='20%' class='base' > > > nowrap='nowrap'>$Lang::tr{'vpn > > > red name'}: <img src='/blob.gif' alt='*' /></td> > > > <td width='20%'><input type='text' name='VPN_IP' > > > value='$cgiparams{'VPN_IP'}' /></td> > > > <td width='20%' class='base'>$Lang::tr{'enabled'}<input > > > type='checkbox' name='ENABLED' $checked{'ENABLED'} /></td> > > > - </tr> > > > + </tr> > > > END > > > - ; > > > +; > > > print <<END > > > - <tr> > > > - <td class='base' nowrap='nowrap'>$Lang::tr{'vpn delayed > > > start'}: <img src='/blob.gif' alt='*' /><img src='/blob.gif' > > > alt='*' /></td> > > > + <tr> > > > + <td class='base' nowrap='nowrap'>$Lang::tr{'vpn delayed > > > start'}: <img src='/blob.gif' alt='*' /><img src='/blob.gif' > > > alt='*' /></td> > > > <td ><input type='text' name='VPN_DELAYED_START' > > > value='$cgiparams{'VPN_DELAYED_START'}' /></td> > > > - </tr> > > > - <tr> > > > - <td class='base' nowrap='nowrap'>$Lang::tr{'host to net > > > vpn'}:</td> > > > + </tr> > > > + <tr> > > > + <td class='base' nowrap='nowrap'>$Lang::tr{'host to net > > > vpn'}:</td> > > > <td ><input type='text' name='RW_NET' > > > value='$cgiparams{'RW_NET'}' /></td> > > > - </tr> > > > + </tr> > > > </table> > > > <br> > > > <hr /> > > > <table width='100%'> > > > <tr> > > > - <td class='base' valign='top'><img src='/blob.gif' alt='*' > > > /></td> > > > - <td width='70%' class='base' > > > valign='top'>$Lang::tr{'required > > > field'}</td><td width='30%' align='right' class='base'><input > > > type='submit' name='ACTION' value='$Lang::tr{'save'}' /></td> > > > + <td class='base' valign='top'><img src='/blob.gif' > > > alt='*' > > > /></td> > > > + <td width='70%' class='base' > > > valign='top'>$Lang::tr{'required field'}</td><td width='30%' > > > align='right' class='base'><input type='submit' name='ACTION' > > > value='$Lang::tr{'save'}' /></td> > > > </tr> > > > <tr> > > > - <td class='base' valign='top' nowrap='nowrap'><img > > > src='/blob.gif' alt='*' /><img src='/blob.gif' alt='*' > > > /> </td> > > > - <td class='base'> <font class='base'>$Lang::tr{'vpn > > > delayed start help'}</font></td> > > > - <td></td> > > > + <td class='base' valign='top' nowrap='nowrap'><img > > > src='/blob.gif' alt='*' /><img src='/blob.gif' alt='*' > > > /> </td> > > > + <td class='base'> <font > > > class='base'>$Lang::tr{'vpn > > > delayed start help'}</font></td> > > > + <td></td> > > > </tr> > > > </table> > > > END > > > -; > > > - print "</form>"; > > > - &Header::closebox(); > > > - > > > - &Header::openbox('100%', 'left', $Lang::tr{'connection > > > status > > > and controlc'}); > > > - print <<END > > > - <table width='100%' cellspacing='1' cellpadding='0' > > > class='tbl'> > > > - <tr> > > > +; > > > + print "</form>"; > > > + &Header::closebox(); > > > + > > > + &Header::openbox('100%', 'left', $Lang::tr{'connection > > > status and controlc'}); > > > + print <<END > > > + <table width='100%' cellspacing='1' cellpadding='0' > > > class='tbl'> > > > + <tr> > > > <th width='10%' class='boldbase' > > > align='center'><b>$Lang::tr{'name'}</b></th> > > > <th width='22%' class='boldbase' > > > align='center'><b>$Lang::tr{'type'}</b></th> > > > <th width='23%' class='boldbase' > > > align='center'><b>$Lang::tr{'common name'}</b></th> > > > <th width='30%' class='boldbase' > > > align='center'><b>$Lang::tr{'remark'}</b></th> > > > <th width='10%' class='boldbase' > > > align='center'><b>$Lang::tr{'status'}</b></th> > > > <th class='boldbase' align='center' > > > colspan='6'><b>$Lang::tr{'action'}</b></th> > > > - </tr> > > > + </tr> > > > END > > > - ; > > > - my $id = 0; > > > - my $gif; > > > - foreach my $key (sort { ncmp > > > ($confighash{$a}[1],$confighash{$b}[1]) } keys %confighash) { > > > +; > > > + my $id = 0; > > > + my $gif; > > > + foreach my $key (sort { ncmp > > > ($confighash{$a}[1],$confighash{$b}[1]) } keys %confighash) { > > > if ($confighash{$key}[0] eq 'on') { $gif = 'on.gif'; } > > > else > > > { $gif = 'off.gif'; } > > > > > > if ($id % 2) { > > > @@ -2753,302 +2748,304 @@ END > > > print "<td align='center' nowrap='nowrap' > > > $col>$confighash{$key}[1]</td>"; > > > print "<td align='center' nowrap='nowrap' $col>" . > > > $Lang::tr{"$confighash{$key}[3]"} . " (" . > > > $Lang::tr{"$confighash{$key}[4]"} . ") > > > $confighash{$key}[29]</td>"; > > > if ($confighash{$key}[2] eq '%auth-dn') { > > > - print "<td align='left' nowrap='nowrap' > > > $col>$confighash{$key}[9]</td>"; > > > + print "<td align='left' nowrap='nowrap' > > > $col>$confighash{$key}[9]</td>"; > > > } elsif ($confighash{$key}[4] eq 'cert') { > > > - print "<td align='left' nowrap='nowrap' > > > $col>$confighash{$key}[2]</td>"; > > > + print "<td align='left' nowrap='nowrap' > > > $col>$confighash{$key}[2]</td>"; > > > } else { > > > - print "<td align='left' $col> </td>"; > > > + print "<td align='left' $col> </td>"; > > > } > > > print "<td align='center' > > > $col>$confighash{$key}[25]</td>"; > > > my $col1="bgcolor='${Header::colourred}'"; > > > # get real state > > > my $active = "<b><font > > > color='#FFFFFF'>$Lang::tr{'capsclosed'}</font></b>"; > > > foreach my $line (@status) { > > > - if (($line =~ /\"$confighash{$key}[1]\".*IPsec SA > > > established/) || > > > - ($line =~ /$confighash{$key}[1]\{.*INSTALLED/)) > > > - { > > > - $col1="bgcolor='${Header::colourgreen}'"; > > > - $active = "<b><font > > > color='#FFFFFF'>$Lang::tr{'capsopen'}</font></b>"; > > > - } > > > - } > > > - # move to blueif really down > > > + if (($line =~ /\"$confighash{$key}[1]\".*IPsec > > > SA > > > established/) || > > > + ($line =~ /$confighash{$key}[1]\{.*INSTALLED/)) > > > { > > > + $col1="bgcolor='${Header::colourgreen}'" > > > ; > > > + $active = "<b><font > > > color='#FFFFFF'>$Lang::tr{'capsopen'}</font></b>"; > > > + } > > > + } > > > + # move to blue if really down > > > if ($confighash{$key}[0] eq 'off' && $col1 =~ > > > /${Header::colourred}/ ) { > > > $col1="bgcolor='${Header::colourblue}'"; > > > - $active = "<b><font > > > color='#FFFFFF'>$Lang::tr{'capsclosed'}</font></b>"; > > > + $active = "<b><font > > > color='#FFFFFF'>$Lang::tr{'capsclosed'}</font></b>"; > > > } > > > print <<END > > > <td align='center' $col1>$active</td> > > > <td align='center' $col> > > > - <form method='post' action='$ENV{'SCRIPT_NAME'}'> > > > - <input type='image' name='$Lang::tr{'restart'}' > > > src='/images/reload.gif' alt='$Lang::tr{'restart'}' > > > title='$Lang::tr{'restart'}' /> > > > - <input type='hidden' name='ACTION' > > > value='$Lang::tr{'restart'}' /> > > > - <input type='hidden' name='KEY' value='$key' /> > > > - </form> > > > + <form method='post' > > > action='$ENV{'SCRIPT_NAME'}'> > > > + <input type='image' name='$Lang::tr{'restart'}' > > > src='/images/reload.gif' alt='$Lang::tr{'restart'}' > > > title='$Lang::tr{'restart'}' /> > > > + <input type='hidden' name='ACTION' > > > value='$Lang::tr{'restart'}' /> > > > + <input type='hidden' name='KEY' value='$key' /> > > > + </form> > > > </td> > > > END > > > - ; > > > +; > > > if (($confighash{$key}[4] eq 'cert') && > > > ($confighash{$key}[2] ne '%auth-dn')) { > > > - print <<END > > > - <td align='center' $col> > > > - <form method='post' action='$ENV{'SCRIPT_NAME'}'> > > > + print <<END > > > + <td align='center' $col> > > > + <form method='post' > > > action='$ENV{'SCRIPT_NAME'}'> > > > <input type='image' name='$Lang::tr{'show > > > certificate'}' src='/images/info.gif' alt='$Lang::tr{'show > > > certificate'}' title='$Lang::tr{'show certificate'}' /> > > > <input type='hidden' name='ACTION' > > > value='$Lang::tr{'show certificate'}' /> > > > <input type='hidden' name='KEY' value='$key' /> > > > - </form> > > > - </td> > > > + </form> > > > + </td> > > > END > > > - ; } else { > > > - print "<td width='2%' $col> </td>"; > > > +; > > > + } else { > > > + print "<td width='2%' $col> </td>"; > > > } > > > - if ($confighash{$key}[4] eq 'cert' && -f > > > "${General::swroot}/certs/$confighash{$key}[1].p12") { > > > - print <<END > > > - <td align='center' $col> > > > - <form method='post' action='$ENV{'SCRIPT_NAME'}'> > > > + if ($confighash{$key}[4] eq 'cert' && -f > > > "${General::swroot}/certs/$confighash{$key}[1].p12") { > > > + print <<END > > > + <td align='center' $col> > > > + <form method='post' > > > action='$ENV{'SCRIPT_NAME'}'> > > > <input type='image' name='$Lang::tr{'download > > > pkcs12 > > > file'}' src='/images/floppy.gif' alt='$Lang::tr{'download pkcs12 > > > file'}' title='$Lang::tr{'download pkcs12 file'}' /> > > > <input type='hidden' name='ACTION' > > > value='$Lang::tr{'download pkcs12 file'}' /> > > > <input type='hidden' name='KEY' value='$key' /> > > > - </form> > > > + </form> > > > </td> > > > END > > > - ; } elsif (($confighash{$key}[4] eq 'cert') && > > > ($confighash{$key}[2] ne '%auth-dn')) { > > > - print <<END > > > - <td align='center' $col> > > > - <form method='post' action='$ENV{'SCRIPT_NAME'}'> > > > +; > > > + } elsif (($confighash{$key}[4] eq 'cert') && > > > ($confighash{$key}[2] ne '%auth-dn')) { > > > + print <<END > > > + <td align='center' $col> > > > + <form method='post' > > > action='$ENV{'SCRIPT_NAME'}'> > > > <input type='image' name='$Lang::tr{'download > > > certificate'}' src='/images/floppy.gif' alt='$Lang::tr{'download > > > certificate'}' title='$Lang::tr{'download certificate'}' /> > > > <input type='hidden' name='ACTION' > > > value='$Lang::tr{'download certificate'}' /> > > > <input type='hidden' name='KEY' value='$key' /> > > > - </form> > > > + </form> > > > </td> > > > END > > > - ; } else { > > > - print "<td width='2%' $col> </td>"; > > > +; > > > + } else { > > > + print "<td width='2%' $col> </td>"; > > > } > > > print <<END > > > <td align='center' $col> > > > - <form method='post' action='$ENV{'SCRIPT_NAME'}'> > > > - <input type='image' name='$Lang::tr{'toggle enable > > > disable'}' src='/images/$gif' alt='$Lang::tr{'toggle enable > > > disable'}' title='$Lang::tr{'toggle enable disable'}' /> > > > - <input type='hidden' name='ACTION' > > > value='$Lang::tr{'toggle enable disable'}' /> > > > - <input type='hidden' name='KEY' value='$key' /> > > > - </form> > > > + <form method='post' > > > action='$ENV{'SCRIPT_NAME'}'> > > > + <input type='image' name='$Lang::tr{'toggle > > > enable > > > disable'}' src='/images/$gif' alt='$Lang::tr{'toggle enable > > > disable'}' title='$Lang::tr{'toggle enable disable'}' /> > > > + <input type='hidden' name='ACTION' > > > value='$Lang::tr{'toggle enable disable'}' /> > > > + <input type='hidden' name='KEY' value='$key' /> > > > + </form> > > > </td> > > > > > > <td align='center' $col> > > > - <form method='post' action='$ENV{'SCRIPT_NAME'}'> > > > - <input type='hidden' name='ACTION' > > > value='$Lang::tr{'edit'}' /> > > > - <input type='image' name='$Lang::tr{'edit'}' > > > src='/images/edit.gif' alt='$Lang::tr{'edit'}' > > > title='$Lang::tr{'edit'}' /> > > > - <input type='hidden' name='KEY' value='$key' /> > > > - </form> > > > + <form method='post' > > > action='$ENV{'SCRIPT_NAME'}'> > > > + <input type='hidden' name='ACTION' > > > value='$Lang::tr{'edit'}' /> > > > + <input type='image' name='$Lang::tr{'edit'}' > > > src='/images/edit.gif' alt='$Lang::tr{'edit'}' > > > title='$Lang::tr{'edit'}' /> > > > + <input type='hidden' name='KEY' value='$key' /> > > > + </form> > > > </td> > > > <td align='center' $col> > > > - <form method='post' action='$ENV{'SCRIPT_NAME'}'> > > > - <input type='hidden' name='ACTION' > > > value='$Lang::tr{'remove'}' /> > > > - <input type='image' name='$Lang::tr{'remove'}' > > > src='/images/delete.gif' alt='$Lang::tr{'remove'}' > > > title='$Lang::tr{'remove'}' /> > > > - <input type='hidden' name='KEY' value='$key' /> > > > - </form> > > > + <form method='post' > > > action='$ENV{'SCRIPT_NAME'}'> > > > + <input type='hidden' name='ACTION' > > > value='$Lang::tr{'remove'}' /> > > > + <input type='image' name='$Lang::tr{'remove'}' > > > src='/images/delete.gif' alt='$Lang::tr{'remove'}' > > > title='$Lang::tr{'remove'}' /> > > > + <input type='hidden' name='KEY' value='$key' /> > > > + </form> > > > </td> > > > </tr> > > > END > > > - ; > > > +; > > > $id++; > > > - } > > > - print "</table>"; > > > - > > > - # If the config file contains entries, print Key to action > > > icons > > > - if ( $id ) { > > > - print <<END > > > - <table> > > > - <tr> > > > - <td class='boldbase'> > > > <b>$Lang::tr{'legend'}:</b></td> > > > - <td> <img src='/images/on.gif' > > > alt='$Lang::tr{'click > > > to disable'}' /></td> > > > - <td class='base'>$Lang::tr{'click to disable'}</td> > > > - <td> <img src='/images/info.gif' > > > alt='$Lang::tr{'show certificate'}' /></td> > > > - <td class='base'>$Lang::tr{'show certificate'}</td> > > > - <td> <img src='/images/edit.gif' > > > alt='$Lang::tr{'edit'}' /></td> > > > - <td class='base'>$Lang::tr{'edit'}</td> > > > - <td> <img src='/images/delete.gif' > > > alt='$Lang::tr{'remove'}' /></td> > > > - <td class='base'>$Lang::tr{'remove'}</td> > > > - </tr> > > > - <tr> > > > - <td> </td> > > > - <td> <img src='/images/off.gif' alt='?OFF' /></td> > > > - <td class='base'>$Lang::tr{'click to enable'}</td> > > > - <td> <img src='/images/floppy.gif' > > > alt='?FLOPPY' /></td> > > > - <td class='base'>$Lang::tr{'download certificate'}</td> > > > - <td> <img src='/images/reload.gif' > > > alt='?RELOAD'/></td> > > > - <td class='base'>$Lang::tr{'restart'}</td> > > > - </tr> > > > - </table> > > > + } > > > + print "</table>"; > > > + > > > + # If the config file contains entries, print Key to > > > action > > > icons > > > + if ( $id ) { > > > + print <<END > > > + <table> > > > + <tr> > > > + <td class='boldbase'> > > > <b>$Lang::tr{'legend'}:</b></td> > > > + <td> <img src='/images/on.gif' > > > alt='$Lang::tr{'click to disable'}' /></td> > > > + <td class='base'>$Lang::tr{'click to > > > disable'}</td> > > > + <td> <img src='/images/info.gif' > > > alt='$Lang::tr{'show certificate'}' /></td> > > > + <td class='base'>$Lang::tr{'show > > > certificate'}</td> > > > + <td> <img src='/images/edit.gif' > > > alt='$Lang::tr{'edit'}' /></td> > > > + <td class='base'>$Lang::tr{'edit'}</td> > > > + <td> <img src='/images/delete.gif' > > > alt='$Lang::tr{'remove'}' /></td> > > > + <td class='base'>$Lang::tr{'remove'}</td> > > > + </tr> > > > + <tr> > > > + <td> </td> > > > + <td> <img src='/images/off.gif' alt='?OFF' > > > /></td> > > > + <td class='base'>$Lang::tr{'click to > > > enable'}</td> > > > + <td> <img src='/images/floppy.gif' > > > alt='?FLOPPY' /></td> > > > + <td class='base'>$Lang::tr{'download > > > certificate'}</td> > > > + <td> <img src='/images/reload.gif' > > > alt='?RELOAD'/></td> > > > + <td class='base'>$Lang::tr{'restart'}</td> > > > + </tr> > > > + </table> > > > END > > > - ; > > > - } > > > +; > > > + } > > > > > > - print <<END > > > - <table width='100%'> > > > - <tr><td align='right' colspan='9'> > > > + print <<END > > > + <table width='100%'> > > > + <tr><td align='right' colspan='9'> > > > <form method='post' action='$ENV{'SCRIPT_NAME'}'> > > > <input type='submit' name='ACTION' > > > value='$Lang::tr{'add'}' > > > /> > > > </form> > > > - </td></tr> > > > - </table> > > > + </td></tr> > > > + </table> > > > END > > > - ; > > > - &Header::closebox(); > > > +; > > > + &Header::closebox(); > > > > > > - &Header::openbox('100%', 'left', "$Lang::tr{'certificate > > > authorities'}"); > > > - print <<EOF > > > - <table width='100%' cellspacing='1' cellpadding='0' > > > class='tbl'> > > > - <tr> > > > + &Header::openbox('100%', 'left', "$Lang::tr{'certificate > > > authorities'}"); > > > + print <<EOF > > > + <table width='100%' cellspacing='1' cellpadding='0' > > > class='tbl'> > > > + <tr> > > > <th width='25%' class='boldbase' > > > align='center'><b>$Lang::tr{'name'}</b></th> > > > <th width='65%' class='boldbase' > > > align='center'><b>$Lang::tr{'subject'}</b></th> > > > <th width='10%' class='boldbase' colspan='3' > > > align='center'><b>$Lang::tr{'action'}</b></th> > > > - </tr> > > > + </tr> > > > EOF > > > - ; > > > - my $col1="bgcolor='$color{'color22'}'"; > > > +; > > > + my $col1="bgcolor='$color{'color22'}'"; > > > my $col2="bgcolor='$color{'color20'}'"; > > > - if (-f "${General::swroot}/ca/cacert.pem") { > > > - my $casubject = &Header::cleanhtml(getsubjectfromcert > > > ("${General::swroot}/ca/cacert.pem")); > > > - print <<END > > > - <tr> > > > - <td class='base' $col1>$Lang::tr{'root > > > certificate'}</td> > > > - <td class='base' $col1>$casubject</td> > > > - <td width='3%' align='center' $col1> > > > - <form method='post' action='$ENV{'SCRIPT_NAME'}'> > > > - <input type='hidden' name='ACTION' > > > value='$Lang::tr{'show root certificate'}' /> > > > - <input type='image' name='$Lang::tr{'edit'}' > > > src='/images/info.gif' alt='$Lang::tr{'show root certificate'}' > > > title='$Lang::tr{'show root certificate'}' /> > > > - </form> > > > - </td> > > > - <td width='3%' align='center' $col1> > > > - <form method='post' action='$ENV{'SCRIPT_NAME'}'> > > > - <input type='image' name='$Lang::tr{'download root > > > certificate'}' src='/images/floppy.gif' alt='$Lang::tr{'download > > > root > > > certificate'}' title='$Lang::tr{'download root certificate'}' /> > > > - <input type='hidden' name='ACTION' > > > value='$Lang::tr{'download root certificate'}' /> > > > - </form> > > > - </td> > > > - <td width='4%' $col1> </td></tr> > > > + if (-f "${General::swroot}/ca/cacert.pem") { > > > + my $casubject = > > > &Header::cleanhtml(getsubjectfromcert > > > ("${General::swroot}/ca/cacert.pem")); > > > + print <<END > > > + <tr> > > > + <td class='base' $col1>$Lang::tr{'root > > > certificate'}</td> > > > + <td class='base' $col1>$casubject</td> > > > + <td width='3%' align='center' $col1> > > > + <form method='post' > > > action='$ENV{'SCRIPT_NAME'}'> > > > + <input type='hidden' name='ACTION' > > > value='$Lang::tr{'show root certificate'}' /> > > > + <input type='image' > > > name='$Lang::tr{'edit'}' > > > src='/images/info.gif' alt='$Lang::tr{'show root certificate'}' > > > title='$Lang::tr{'show root certificate'}' /> > > > + </form> > > > + </td> > > > + <td width='3%' align='center' $col1> > > > + <form method='post' > > > action='$ENV{'SCRIPT_NAME'}'> > > > + <input type='image' > > > name='$Lang::tr{'download root certificate'}' > > > src='/images/floppy.gif' alt='$Lang::tr{'download root > > > certificate'}' > > > title='$Lang::tr{'download root certificate'}' /> > > > + <input type='hidden' name='ACTION' > > > value='$Lang::tr{'download root certificate'}' /> > > > + </form> > > > + </td> > > > + <td width='4%' $col1> </td></tr> > > > END > > > - ; > > > - } else { > > > - # display rootcert generation buttons > > > - print <<END > > > - <tr> > > > - <td class='base' $col1>$Lang::tr{'root > > > certificate'}:</td> > > > - <td class='base' $col1>$Lang::tr{'not present'}</td> > > > - <td colspan='3' $col1> </td></tr> > > > +; > > > + } else { > > > + # display rootcert generation buttons > > > + print <<END > > > + <tr> > > > + <td class='base' $col1>$Lang::tr{'root > > > certificate'}:</td> > > > + <td class='base' $col1>$Lang::tr{'not > > > present'}</td> > > > + <td colspan='3' $col1> </td></tr> > > > END > > > - ; > > > - } > > > +; > > > + } > > > > > > - if (-f "${General::swroot}/certs/hostcert.pem") { > > > - my $hostsubject = &Header::cleanhtml(getsubjectfromcert > > > ("${General::swroot}/certs/hostcert.pem")); > > > + if (-f "${General::swroot}/certs/hostcert.pem") { > > > + my $hostsubject = > > > &Header::cleanhtml(getsubjectfromcert > > > ("${General::swroot}/certs/hostcert.pem")); > > > > > > - print <<END > > > - <tr> > > > - <td class='base' $col2>$Lang::tr{'host > > > certificate'}</td> > > > - <td class='base' $col2>$hostsubject</td> > > > - <td width='3%' align='center' $col2> > > > - <form method='post' action='$ENV{'SCRIPT_NAME'}'> > > > - <input type='hidden' name='ACTION' > > > value='$Lang::tr{'show host certificate'}' /> > > > - <input type='image' name='$Lang::tr{'show host > > > certificate'}' src='/images/info.gif' alt='$Lang::tr{'show host > > > certificate'}' title='$Lang::tr{'show host certificate'}' /> > > > - </form> > > > - </td> > > > - <td width='3%' align='center' $col2> > > > - <form method='post' action='$ENV{'SCRIPT_NAME'}'> > > > - <input type='image' name="$Lang::tr{'download host > > > certificate'}" src='/images/floppy.gif' alt="$Lang::tr{'download > > > host > > > certificate'}" title="$Lang::tr{'download host certificate'}" /> > > > - <input type='hidden' name='ACTION' > > > value="$Lang::tr{'download host certificate'}" /> > > > - </form> > > > - </td> > > > - <td width='4%' $col2> </td></tr> > > > + print <<END > > > + <tr> > > > + <td class='base' $col2>$Lang::tr{'host > > > certificate'}</td> > > > + <td class='base' $col2>$hostsubject</td> > > > + <td width='3%' align='center' $col2> > > > + <form method='post' > > > action='$ENV{'SCRIPT_NAME'}'> > > > + <input type='hidden' name='ACTION' > > > value='$Lang::tr{'show host certificate'}' /> > > > + <input type='image' > > > name='$Lang::tr{'show > > > host certificate'}' src='/images/info.gif' alt='$Lang::tr{'show > > > host > > > certificate'}' title='$Lang::tr{'show host certificate'}' /> > > > + </form> > > > + </td> > > > + <td width='3%' align='center' $col2> > > > + <form method='post' > > > action='$ENV{'SCRIPT_NAME'}'> > > > + <input type='image' > > > name="$Lang::tr{'download host certificate'}" > > > src='/images/floppy.gif' alt="$Lang::tr{'download host > > > certificate'}" > > > title="$Lang::tr{'download host certificate'}" /> > > > + <input type='hidden' name='ACTION' > > > value="$Lang::tr{'download host certificate'}" /> > > > + </form> > > > + </td> > > > + <td width='4%' $col2> </td></tr> > > > END > > > - ; > > > - } else { > > > - # Nothing > > > - print <<END > > > - <tr> > > > - <td width='25%' class='base' $col2>$Lang::tr{'host > > > certificate'}:</td> > > > - <td class='base' $col2>$Lang::tr{'not present'}</td> > > > - <td colspan='3' $col2> </td></tr> > > > +; > > > + } else { > > > + # Nothing > > > + print <<END > > > + <tr> > > > + <td width='25%' class='base' > > > $col2>$Lang::tr{'host > > > certificate'}:</td> > > > + <td class='base' $col2>$Lang::tr{'not > > > present'}</td> > > > + <td colspan='3' $col2> </td></tr> > > > END > > > - ; > > > - } > > > - > > > +; > > > + } > > > + > > > my $rowcolor = 0; > > > if (keys %cahash > 0) { > > > foreach my $key (keys %cahash) { > > > - if ($rowcolor++ % 2) { > > > - print "<tr>"; > > > - $col="bgcolor='$color{'color20'} > > > '"; > > > - } else { > > > - print "<tr>"; > > > - $col="bgcolor='$color{'color22'} > > > '"; > > > - } > > > - print "<td class='base' > > > $col>$cahash{$key}[0]</td>\n"; > > > - print "<td class='base' > > > $col>$cahash{$key}[1]</td>\n"; > > > - print <<END > > > - <td align='center' $col> > > > - <form method='post' name='cafrm${key}a' > > > action='$ENV{'SCRIPT_NAME'}'> > > > - <input type='image' name='$Lang::tr{'show ca > > > certificate'}' src='/images/info.gif' alt='$Lang::tr{'show ca > > > certificate'}' title='$Lang::tr{'show ca certificate'}' /> > > > - <input type='hidden' name='ACTION' > > > value='$Lang::tr{'show ca certificate'}' /> > > > - <input type='hidden' name='KEY' value='$key' /> > > > - </form> > > > - </td> > > > - <td align='center' $col> > > > - <form method='post' name='cafrm${key}b' > > > action='$ENV{'SCRIPT_NAME'}'> > > > - <input type='image' name='$Lang::tr{'download ca > > > certificate'}' src='/images/floppy.gif' alt='$Lang::tr{'download > > > ca > > > certificate'}' title='$Lang::tr{'download ca certificate'}' /> > > > - <input type='hidden' name='ACTION' > > > value='$Lang::tr{'download ca certificate'}' /> > > > - <input type='hidden' name='KEY' value='$key' /> > > > - </form> > > > - </td> > > > - <td align='center' $col> > > > - <form method='post' name='cafrm${key}c' > > > action='$ENV{'SCRIPT_NAME'}'> > > > - <input type='hidden' name='ACTION' > > > value='$Lang::tr{'remove ca certificate'}' /> > > > - <input type='image' name='$Lang::tr{'remove ca > > > certificate'}' src='/images/delete.gif' alt='$Lang::tr{'remove ca > > > certificate'}' title='$Lang::tr{'remove ca certificate'}' /> > > > - <input type='hidden' name='KEY' value='$key' /> > > > - </form> > > > - </td> > > > - </tr> > > > + if ($rowcolor++ % 2) { > > > + print "<tr>"; > > > + $col="bgcolor='$color{'c > > > olor > > > 20'}'"; > > > + } else { > > > + print "<tr>"; > > > + $col="bgcolor='$color{'c > > > olor > > > 22'}'"; > > > + } > > > + print "<td class='base' > > > $col>$cahash{$key}[0]</td>\n"; > > > + print "<td class='base' > > > $col>$cahash{$key}[1]</td>\n"; > > > + print <<END > > > + <td align='center' $col> > > > + <form method='post' name='cafrm${key}a' > > > action='$ENV{'SCRIPT_NAME'}'> > > > + <input type='image' > > > name='$Lang::tr{'show ca > > > certificate'}' src='/images/info.gif' alt='$Lang::tr{'show ca > > > certificate'}' title='$Lang::tr{'show ca certificate'}' /> > > > + <input type='hidden' name='ACTION' > > > value='$Lang::tr{'show ca certificate'}' /> > > > + <input type='hidden' name='KEY' > > > value='$key' > > > /> > > > + </form> > > > + </td> > > > + <td align='center' $col> > > > + <form method='post' name='cafrm${key}b' > > > action='$ENV{'SCRIPT_NAME'}'> > > > + <input type='image' > > > name='$Lang::tr{'download ca certificate'}' > > > src='/images/floppy.gif' > > > alt='$Lang::tr{'download ca certificate'}' > > > title='$Lang::tr{'download > > > ca certificate'}' /> > > > + <input type='hidden' name='ACTION' > > > value='$Lang::tr{'download ca certificate'}' /> > > > + <input type='hidden' name='KEY' > > > value='$key' > > > /> > > > + </form> > > > + </td> > > > + <td align='center' $col> > > > + <form method='post' name='cafrm${key}c' > > > action='$ENV{'SCRIPT_NAME'}'> > > > + <input type='hidden' name='ACTION' > > > value='$Lang::tr{'remove ca certificate'}' /> > > > + <input type='image' > > > name='$Lang::tr{'remove > > > ca certificate'}' src='/images/delete.gif' alt='$Lang::tr{'remove > > > ca > > > certificate'}' title='$Lang::tr{'remove ca certificate'}' /> > > > + <input type='hidden' name='KEY' > > > value='$key' > > > /> > > > + </form> > > > + </td> > > > + </tr> > > > +END > > > +; > > > + } > > > + } > > > + print "</table>"; > > > + > > > + # If the file contains entries, print Key to action > > > icons > > > + if ( -f "${General::swroot}/ca/cacert.pem") { > > > + print <<END > > > + <table><tr> > > > + <td class='boldbase'> > > > <b>$Lang::tr{'legend'}:</b></td> > > > + <td> <img src='/images/info.gif' > > > alt='$Lang::tr{'show certificate'}' /></td> > > > + <td class='base'>$Lang::tr{'show > > > certificate'}</td> > > > + <td> <img src='/images/floppy.gif' > > > alt='$Lang::tr{'download certificate'}' /></td> > > > + <td class='base'>$Lang::tr{'download > > > certificate'}</td> > > > + </tr></table> > > > END > > > - ; > > > +; > > > } > > > - } > > > - print "</table>"; > > > - > > > - # If the file contains entries, print Key to action icons > > > - if ( -f "${General::swroot}/ca/cacert.pem") { > > > + my $createCA = -f "${General::swroot}/ca/cacert.pem" ? > > > '' : > > > "<tr><td colspan='3'></td><td><input type='submit' name='ACTION' > > > value='$Lang::tr{'generate root/host certificates'}' > > > /></td></tr>"; > > > print <<END > > > - <table><tr> > > > - <td class='boldbase'> > > > <b>$Lang::tr{'legend'}:</b></td> > > > - <td> <img src='/images/info.gif' > > > alt='$Lang::tr{'show certificate'}' /></td> > > > - <td class='base'>$Lang::tr{'show certificate'}</td> > > > - <td> <img src='/images/floppy.gif' > > > alt='$Lang::tr{'download certificate'}' /></td> > > > - <td class='base'>$Lang::tr{'download certificate'}</td> > > > - </tr></table> > > > -END > > > - ; > > > - } > > > - my $createCA = -f "${General::swroot}/ca/cacert.pem" ? '' : > > > "<tr><td colspan='3'></td><td><input type='submit' name='ACTION' > > > value='$Lang::tr{'generate root/host certificates'}' > > > /></td></tr>"; > > > - print <<END > > > - <br> > > > - <hr /> > > > - <form method='post' enctype='multipart/form-data' > > > action='$ENV{'SCRIPT_NAME'}'> > > > - <table width='100%' border='0' cellspacing='1' > > > cellpadding='0'> > > > - $createCA > > > - <tr> > > > + <br> > > > + <hr /> > > > + <form method='post' enctype='multipart/form-data' > > > action='$ENV{'SCRIPT_NAME'}'> > > > + <table width='100%' border='0' cellspacing='1' > > > cellpadding='0'> > > > + $createCA > > > + <tr> > > > <td class='base' nowrap='nowrap'>$Lang::tr{'ca > > > name'}: <img src='/blob.gif' alt='*' /></td> > > > <td nowrap='nowrap'><input type='text' name='CA_NAME' > > > value='$cgiparams{'CA_NAME'}' size='15' /> </td> > > > <td nowrap='nowrap'><input type='file' name='FH' > > > size='30' > > > /></td> > > > <td nowrap='nowrap'><input type='submit' name='ACTION' > > > value='$Lang::tr{'upload ca certificate'}' /></td> > > > - </tr> > > > - <tr> > > > + </tr> > > > + <tr> > > > <td colspan='3'>$Lang::tr{'resetting the vpn > > > configuration > > > will remove the root ca, the host certificate and all certificate > > > based connections'}:</td> > > > <td align='right'><input type='submit' name='ACTION' > > > value='$Lang::tr{'remove x509'}' /></td> > > > - </tr> > > > - </table> > > > - </form> > > > + </tr> > > > + </table> > > > + </form> > > > END > > > - ; > > > - &Header::closebox(); > > > - &Header::closebigbox(); > > > - &Header::closepage(); > > > +; > > > + &Header::closebox(); > > > + &Header::closebigbox(); > > > + &Header::closepage(); > > > > > > sub array_unique($) { > > > my $array = shift; [-- Attachment #2: signature.asc --] [-- Type: application/pgp-signature, Size: 819 bytes --] ^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2015-09-28 14:33 UTC | newest] Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed) -- links below jump to the message on this page -- 2015-09-25 21:01 [PATCH] vpnmain.cgi - Replace spaces with tab characters and fix indentation Lars Schuhmacher 2015-09-25 22:11 ` Michael Tremer 2015-09-26 6:04 ` Larsen 2015-09-28 14:33 ` Michael Tremer
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox