List: ipcop-svn
Subject: [Ipcop-svn] SF.net SVN: ipcop:[7043] ipcop/trunk/html/cgi-bin/ipsec.cgi
From: dotzball () users ! sourceforge ! net
Date: 2013-05-23 5:17:32
Message-ID: E1UfNu8-0002hc-Ej () sfp-svn-4 ! v30 ! ch3 ! sourceforge ! com
Revision: 7043
http://ipcop.svn.sourceforge.net/ipcop/?rev=7043&view=rev
Author: dotzball
Date: 2013-05-23 05:17:32 +0000 (Thu, 23 May 2013)
Log Message:
-----------
Multiple changes:
- Use explicit return values for evaluation.
- Prepare errormessages for display of multiple errors instead of only one error per \
"ACTION".
- Add missing warnmessage box.
- Some formatting.
Modified Paths:
--------------
ipcop/trunk/html/cgi-bin/ipsec.cgi
Modified: ipcop/trunk/html/cgi-bin/ipsec.cgi
===================================================================
--- ipcop/trunk/html/cgi-bin/ipsec.cgi 2013-05-22 19:37:45 UTC (rev 7042)
+++ ipcop/trunk/html/cgi-bin/ipsec.cgi 2013-05-23 05:17:32 UTC (rev 7043)
@@ -31,8 +31,8 @@
use strict;
# enable only the following on debugging purpose
-#use warnings;
-#use CGI::Carp 'fatalsToBrowser';
+use warnings;
+use CGI::Carp 'fatalsToBrowser';
require '/usr/lib/ipcop/general-functions.pl';
require '/usr/lib/ipcop/vpn-functions.pl';
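Review bot: `use CGI::Carp 'fatalsToBrowser';` is now active while the comment directly above it still says these two lines are for debugging only; with it enabled, any uncaught die() in this CGI is rendered to the browser together with script paths and Perl internals. Keeping `use warnings;` is fine (warnings go to the web server's error log), but fatalsToBrowser should be commented back out or gated on a debug setting before this ships: `#use CGI::Carp 'fatalsToBrowser';`. The comment on the line above should then say which of the two lines it refers to.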
@@ -42,7 +42,7 @@
require '/usr/lib/ipcop/firewall-lib.pl';
#workaround to suppress a warning when a variable is used only once
-my @dummy = ( ${Header::sortup} );
+my @dummy = ( ${Header::sortup}, @{General::longMonths} );
undef (@dummy);
# $Lang::tr{'host'} # Dummy string variables included here
@@ -155,22 +155,22 @@
if ($cgiparams{'ACTION'} eq $Lang::tr{'save'} && $cgiparams{'TYPE'} eq '' && \
$cgiparams{'KEY'} eq '') {
 &General::readhash("/var/ipcop/ipsec/settings", \
\%vpnsettings);
unless (&General::validiporfqdn($cgiparams{'VPN_IP'}) || $cgiparams{'VPN_IP'} eq \
'%defaultroute') {
- $errormessage = $Lang::tr{'invalid input for hostname'};
+ $errormessage .= "$Lang::tr{'invalid input for hostname'}<br />";
goto SAVE_ERROR;
}
unless ($cgiparams{'VPN_DELAYED_START'} =~ /^[0-9]{1,3}$/ ) { #allow 0-999 \
seconds !
- $errormessage = $Lang::tr{'invalid time period'};
+ $errormessage .= "$Lang::tr{'invalid time period'}<br />";
goto SAVE_ERROR;
}
unless ($cgiparams{'VPN_OVERRIDE_MTU'} =~ /^(|[0-9]{1,5})$/ ) { #allow 0-99999
- $errormessage = $Lang::tr{'vpn mtu invalid'};
+ $errormessage .= "$Lang::tr{'vpn mtu invalid'}<br />";
goto SAVE_ERROR;
}
unless ($cgiparams{'VPN_WATCH'} =~ /^(|off|on)$/ ) {
- $errormessage = $Lang::tr{'invalid input'};
+ $errormessage .= "$Lang::tr{'invalid input'}<br />";
goto SAVE_ERROR;
}
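Review bot: The four `goto SAVE_ERROR;` lines kept as context in this hunk no longer have a target: the next hunk (L97-L101) deletes the `SAVE_ERROR:` label and replaces it with an `if ($errormessage)` branch, so unless the label is re-declared somewhere outside these hunks, the first failed validation on save will die at runtime with "Can't find label SAVE_ERROR". Since the new `if ($errormessage) { $error_global = 'error'; } else { ... }` already skips the write when anything was appended, and the `.=` / `<br />` change is meant to collect several messages, the intended fix looks like dropping the four `goto SAVE_ERROR;` lines so every check runs and appends. The enclosing `if` block of the save action ends in the next hunk.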
@@ -183,24 +183,27 @@
$vpnsettings{'VPN_DELAYED_START'} = $cgiparams{'VPN_DELAYED_START'};
$vpnsettings{'VPN_OVERRIDE_MTU'} = $cgiparams{'VPN_OVERRIDE_MTU'};
$vpnsettings{'VPN_WATCH'} = $cgiparams{'VPN_WATCH'};
- &General::writehash("/var/ipcop/ipsec/settings", \%vpnsettings);
- &VPN::writeipsecfiles();
- if (&VPN::ipsecenabled(\%vpnsettings)) {
- &General::log("ipsec", "Start ipsecctrl");
- system('/usr/local/bin/ipsecctrl', '--start');
+
+ if($errormessage) {
+ $error_global = 'error';
}
else {
- &General::log("ipsec", "Stop ipsecctrl");
- system('/usr/local/bin/ipsecctrl', '--stop');
+ &General::writehash("/var/ipcop/ipsec/settings", \%vpnsettings);
+ &VPN::writeipsecfiles();
+ if (&VPN::ipsecenabled(\%vpnsettings)) {
+ &General::log("ipsec", "Start ipsecctrl");
+ system('/usr/local/bin/ipsecctrl', '--start');
+ }
+ else {
+ &General::log("ipsec", "Stop ipsecctrl");
+ system('/usr/local/bin/ipsecctrl', '--stop');
+ }
+ sleep $sleepDelay;
}
- sleep $sleepDelay;
- SAVE_ERROR:
- $error_global = 'error' if ($errormessage);
-
+}
###
### Export ca certificate to browser
###
-}
elsif ($cgiparams{'ACTION'} eq $Lang::tr{'download ca certificate'}) {
&General::readhasharray("/var/ipcop/vpn/caconfig", \%cahash);
@@ -212,13 +215,12 @@
exit(0);
}
else {
- $errormessage = $Lang::tr{'invalid key'};
+ $errormessage .= "$Lang::tr{'invalid key'}<br />";
}
-
+}
###
### Export PKCS12 file to browser
###
-}
elsif ($cgiparams{'ACTION'} eq $Lang::tr{'download pkcs12 file'}) {
&General::readhasharray("/var/ipcop/ipsec/config", \%confighash);
print "Content-Type: application/force-download\n";
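Review bot: This handler starts streaming `Content-Type: application/force-download` before anything confirms that `$cgiparams{'KEY'}` names an existing entry; the old line 225 is outside the hunk, but the `download ca certificate` handler just above carries an `invalid key` branch while nothing similar is visible here, and the following hunk builds the .p12 path from `$confighash{$cgiparams{'KEY'}}[1]` and hands it to a shell via backticks. A guard mirroring the sibling handler would be consistent: `if (! $confighash{$cgiparams{'KEY'}}) { $errormessage .= "$Lang::tr{'invalid key'}<br />"; }` with the headers and the cat in the `else` branch. Reading the file with a three-arg `open` and printing its contents would also take the shell out of the path. The elsif body continues in the next hunk.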
@@ -226,11 +228,10 @@
print "Content-Type: application/octet-stream\r\n\r\n";
print `/bin/cat /var/ipcop/certs/$confighash{$cgiparams{'KEY'}}[1].p12`;
exit (0);
-
+}
###
### Display certificate
###
-}
elsif ($cgiparams{'ACTION'} eq $Lang::tr{'show certificate'}) {
&General::readhasharray("/var/ipcop/ipsec/config", \%confighash);
@@ -239,18 +240,19 @@
&Header::openpage($Lang::tr{'ipsec configuration main'}, 1, '');
&Header::openbigbox('100%', 'left', '', '');
&Header::openbox('100%', 'left', "$Lang::tr{'certificate'}:");
+
my $output = `/usr/bin/openssl x509 -text -in \
/var/ipcop/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem`;
 $output = \
&Header::cleanhtml($output,"y");
 print <<END
<table width='100%'><tr>
- <td width='10%'><a href='/cgi-bin/ipsec.cgi'><img src='/images/back.png' \
alt='$Lang::tr{'back'}' title='$Lang::tr{'back'}' /></a></td>
+ <td width='10%'><a \
href='$ENV{'SCRIPT_NAME'}'><img src='/images/back.png' alt='$Lang::tr{'back'}' \
title='$Lang::tr{'back'}' /></a></td>
 <td> </td>
</tr></table>
<hr />
<pre>$output</pre>
<hr />
<table width='100%'><tr>
- <td width='10%'><a href='/cgi-bin/ipsec.cgi'><img src='/images/back.png' \
alt='$Lang::tr{'back'}' title='$Lang::tr{'back'}' /></a></td>
+ <td width='10%'><a \
href='$ENV{'SCRIPT_NAME'}'><img src='/images/back.png' alt='$Lang::tr{'back'}' \
title='$Lang::tr{'back'}' /></a></td>
 <td> </td>
</tr></table>
END
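Review bot: The two back links now interpolate `$ENV{'SCRIPT_NAME'}` straight into a single-quoted `href` inside the heredoc, whereas the certificate text on the same page is passed through `&Header::cleanhtml` first. SCRIPT_NAME is set by the web server rather than taken from the request, so this is a consistency point rather than a live defect, but putting the one environment-derived value on the same footing as the rest is cheap: `my $self = &Header::cleanhtml($ENV{'SCRIPT_NAME'});` before the heredoc and `href='$self'` in both tables, which also makes the duplicated table markup a candidate for a single variable. The heredoc is printed inside the `show certificate` branch whose closing brace is in the next hunk.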
@@ -260,11 +262,10 @@
&Header::closepage();
exit(0);
}
-
+}
###
### Export Certificate to browser
###
-}
elsif ($cgiparams{'ACTION'} eq $Lang::tr{'download certificate'}) {
&General::readhasharray("/var/ipcop/ipsec/config", \%confighash);
@@ -274,11 +275,10 @@
print `/bin/cat /var/ipcop/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem`;
exit (0);
}
-
+}
###
### Enable/Disable connection
###
-}
elsif ($cgiparams{'ACTION'} eq $Lang::tr{'toggle enable disable'}) {
&General::readhash("/var/ipcop/ipsec/settings", \%vpnsettings);
@@ -306,13 +306,12 @@
sleep $sleepDelay;
}
else {
- $errormessage = $Lang::tr{'invalid key'};
+ $errormessage .= "$Lang::tr{'invalid key'}<br />";
}
-
+}
###
### Restart connection
###
-}
elsif ($cgiparams{'ACTION'} eq $Lang::tr{'restart'}) {
&General::readhash("/var/ipcop/ipsec/settings", \%vpnsettings);
&General::readhasharray("/var/ipcop/ipsec/config", \%confighash);
@@ -325,13 +324,13 @@
}
}
else {
- $errormessage = $Lang::tr{'invalid key'};
+ $errormessage .= "$Lang::tr{'invalid key'}<br />";
}
-
+}
###
### Remove connection
###
-} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'remove'}) {
+elsif ($cgiparams{'ACTION'} eq $Lang::tr{'remove'}) {
&General::readhash("/var/ipcop/ipsec/settings", \%vpnsettings);
&General::readhasharray("/var/ipcop/ipsec/config", \%confighash);
@@ -347,13 +346,13 @@
&VPN::writeipsecfiles();
}
else {
- $errormessage = $Lang::tr{'invalid key'};
+ $errormessage .= "$Lang::tr{'invalid key'}<br />";
}
-
+}
###
### Choose between adding a host-net or net-net connection
###
-} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'add'} && $cgiparams{'TYPE'} eq '') {
+elsif ($cgiparams{'ACTION'} eq $Lang::tr{'add'} && $cgiparams{'TYPE'} eq '') {
&Header::showhttpheaders();
&Header::openpage($Lang::tr{'ipsec configuration main'}, 1, '');
&Header::openbigbox('100%', 'left', '', '');
@@ -384,13 +383,13 @@
&Header::closebigbox();
&Header::closepage();
exit (0);
+}
###
### Adding/Editing/Saving a connection
###
-}
-elsif (($cgiparams{'ACTION'} eq $Lang::tr{'add'}) ||
- ($cgiparams{'ACTION'} eq $Lang::tr{'edit'}) ||
- ($cgiparams{'ACTION'} eq $Lang::tr{'save'} && $cgiparams{'ADVANCED'} eq '')) {
+elsif (($cgiparams{'ACTION'} eq $Lang::tr{'add'})
+ || ($cgiparams{'ACTION'} eq $Lang::tr{'edit'})
+ || ($cgiparams{'ACTION'} eq $Lang::tr{'save'} && $cgiparams{'ADVANCED'} eq \
'')) {
&General::readhash("/var/ipcop/ipsec/settings", \%vpnsettings);
&General::readhasharray("/var/ipcop/vpn/caconfig", \%cahash);
@@ -398,7 +397,7 @@
if ($cgiparams{'ACTION'} eq $Lang::tr{'edit'}) {
if (! $confighash{$cgiparams{'KEY'}}[0]) {
- $errormessage = $Lang::tr{'invalid key'};
+ $errormessage .= "$Lang::tr{'invalid key'}<br />";
goto VPNCONF_END;
}
$cgiparams{'ENABLED'} = $confighash{$cgiparams{'KEY'}}[0];
@@ -432,24 +431,24 @@
elsif ($cgiparams{'ACTION'} eq $Lang::tr{'save'}) {
$cgiparams{'REMARK'} = &Header::cleanhtml($cgiparams{'REMARK'});
if ($cgiparams{'TYPE'} !~ /^(host|net)$/) {
- $errormessage = $Lang::tr{'connection type is invalid'};
+ $errormessage .= "$Lang::tr{'connection type is invalid'}<br />";
goto VPNCONF_ERROR;
}
if ($cgiparams{'NAME'} !~ /^[a-zA-Z]+[a-zA-Z0-9]*$/) {
- $errormessage = $Lang::tr{'vpn name is invalid'};
+ $errormessage .= "$Lang::tr{'vpn name is invalid'}<br />";
$error_connection = 'error';
goto VPNCONF_ERROR;
}
if ($cgiparams{'NAME'} =~ /^(host|01|block|private|clear|packetdefault)$/) {
- $errormessage = $Lang::tr{'vpn name is invalid'};
+ $errormessage .= "$Lang::tr{'vpn name is invalid'}<br />";
$error_connection = 'error';
goto VPNCONF_ERROR;
}
if (length($cgiparams{'NAME'}) >60) {
- $errormessage = $Lang::tr{'vpn name is invalid'};
+ $errormessage .= "$Lang::tr{'vpn name is invalid'}<br />";
$error_connection = 'error';
goto VPNCONF_ERROR;
}
@@ -458,7 +457,7 @@
if (! $cgiparams{'KEY'}) { #only for add
foreach my $key (keys %confighash) {
if ($confighash{$key}[1] eq $cgiparams{'NAME'}) {
- $errormessage = $Lang::tr{'a connection with this name already \
exists'};
+ $errormessage .= "$Lang::tr{'a connection with this \
name already exists'}<br />";
 $error_connection = 'error';
goto VPNCONF_ERROR;
}
@@ -466,26 +465,26 @@
}
if (($cgiparams{'TYPE'} eq 'net') && (! $cgiparams{'REMOTE'})) {
- $errormessage = $Lang::tr{'invalid input for remote host/ip'};
+ $errormessage .= "$Lang::tr{'invalid input for remote host/ip'}<br />";
goto VPNCONF_ERROR;
}
if ($cgiparams{'REMOTE'}) {
if (! &General::validip($cgiparams{'REMOTE'})) {
if (! &General::validfqdn ($cgiparams{'REMOTE'})) {
- $errormessage = $Lang::tr{'invalid input for remote host/ip'};
+ $errormessage .= "$Lang::tr{'invalid input for remote \
host/ip'}<br />";
 goto VPNCONF_ERROR;
}
else {
if (&General::validdnshost($cgiparams{'REMOTE'})) {
- $warnmessage = "$Lang::tr{'check vpn lr'} \
$cgiparams{'REMOTE'}. $Lang::tr{'dns check failed'}";
+ \
$warnmessage .= "$Lang::tr{'check vpn lr'} $cgiparams{'REMOTE'}. $Lang::tr{'dns check \
failed'}<br />";
 }
}
}
}
unless (&General::validipandmask($cgiparams{'LOCAL_SUBNET'})) {
- $errormessage = $Lang::tr{'local subnet is invalid'};
+ $errormessage .= "$Lang::tr{'local subnet is invalid'}<br />";
goto VPNCONF_ERROR;
}
@@ -493,22 +492,22 @@
if ($cgiparams{'REMOTE'} eq '' && $cgiparams{'AUTH'} eq 'psk') {
foreach my $key (keys %confighash) {
if ( ($cgiparams{'KEY'} ne $key) && ($confighash{$key}[4] eq 'psk') \
&& ($confighash{$key}[10] eq '') ) {
- $errormessage = $Lang::tr{'you can only define one roadwarrior \
connection when using pre-shared key authentication'};
+ \
$errormessage .= "$Lang::tr{'you can only define one roadwarrior connection when \
using pre-shared key authentication'}<br />";
 goto VPNCONF_ERROR;
}
}
}
if (($cgiparams{'TYPE'} eq 'net') && (! \
&General::validipandmask($cgiparams{'REMOTE_SUBNET'}))) {
- $errormessage = $Lang::tr{'remote subnet is invalid'};
+ $errormessage .= "$Lang::tr{'remote subnet is invalid'}<br />";
goto VPNCONF_ERROR;
}
if ($cgiparams{'ENABLED'} !~ /^(on|off)$/) {
- $errormessage = $Lang::tr{'invalid input'};
+ $errormessage .= "$Lang::tr{'invalid input'}<br />";
goto VPNCONF_ERROR;
}
if ($cgiparams{'EDIT_ADVANCED'} !~ /^(on|off)$/) {
- $errormessage = $Lang::tr{'invalid input'};
+ $errormessage .= "$Lang::tr{'invalid input'}<br />";
goto VPNCONF_ERROR;
}
@@ -517,48 +516,50 @@
if ( ($cgiparams{'LOCAL_ID'} !~ /^(|[\w.-]*@[\w. \
=*\/-]+|\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})$/) ||
($cgiparams{'REMOTE_ID'} !~ /^(|[\w.-]*@[\w. \
=*\/-]+|\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})$/) ||
(($cgiparams{'REMOTE_ID'} eq $cgiparams{'LOCAL_ID'}) && \
($cgiparams{'LOCAL_ID'} ne '')) ) {
- $errormessage = $Lang::tr{'invalid local-remote id'} . '<br />' .
- 'DER_ASN1_DN: @c=FR/ou=Paris/ou=Home/cn=*<br />' .
- 'FQDN: @ipcop.org<br />' .
- 'USER_FQDN: franck@ipcop.org<br />' .
- 'IPV4_ADDR: 123.123.123.123';
+ $errormessage .= "$Lang::tr{'invalid local-remote id'} <br />"
+ . "DER_ASN1_DN: \@c=FR/ou=Paris/ou=Home/cn=*<br \
/>"
+ . "FQDN: \@example.com<br />"
+ . "USER_FQDN: user\@example.com<br />"
+ . "IPV4_ADDR: 123.123.123.123<br />";
goto VPNCONF_ERROR;
}
# If Auth is DN, verify existance of Remote ID.
- if ( $cgiparams{'REMOTE_ID'} eq '' && (
- $cgiparams{'AUTH'} eq 'auth-dn'|| # while creation
- $confighash{$cgiparams{'KEY'}}[2] eq '%auth-dn')){ # while editing
- $errormessage = $Lang::tr{'vpn missing remote id'};
+ if ( $cgiparams{'REMOTE_ID'} eq ''
+ && ($cgiparams{'AUTH'} eq 'auth-dn' # while creation
+ ||$confighash{$cgiparams{'KEY'}}[2] eq '%auth-dn')){ # while \
editing
+ $errormessage .= "$Lang::tr{'vpn missing remote id'}<br />";
goto VPNCONF_ERROR;
}
if ($cgiparams{'AUTH'} eq 'psk') {
if (! length($cgiparams{'PSK'}) ) {
- $errormessage = $Lang::tr{'pre-shared key is too short'};
+ $errormessage .= "$Lang::tr{'pre-shared key is too short'}<br />";
$error_auth = 'error';
goto VPNCONF_ERROR;
}
if ($cgiparams{'PSK'} =~ /'/) {
$cgiparams{'PSK'} =~ tr/'/ /;
- $errormessage = $Lang::tr{'invalid characters found in pre-shared \
key'};
+ $errormessage .= "$Lang::tr{'invalid characters found in \
pre-shared key'}<br />";
 $error_auth = 'error';
goto VPNCONF_ERROR;
}
}
elsif ($cgiparams{'AUTH'} eq 'certreq') {
if ($cgiparams{'KEY'}) {
- $errormessage = $Lang::tr{'cant change certificates'};
+ $errormessage .= "$Lang::tr{'cant change certificates'}<br />";
goto VPNCONF_ERROR;
}
if (ref ($cgiparams{'FH'}) ne 'Fh') {
- $errormessage = $Lang::tr{'there was no file upload'};
+ $errormessage .= "$Lang::tr{'there was no file upload'}<br />";
+ $error_auth = 'error';
goto VPNCONF_ERROR;
}
# Move uploaded certificate request to a temporary file
(my $fh, my $filename) = tempfile( );
- if (copy ($cgiparams{'FH'}, $fh) != 1) {
- $errormessage = $!;
+ if (copy($cgiparams{'FH'}, $fh) != 1) {
+ $errormessage .= "$!<br />";
+ $error_auth = 'error';
goto VPNCONF_ERROR;
}
@@ -569,20 +570,20 @@
$opt .= " -in $filename";
$opt .= " -out /var/ipcop/certs/$cgiparams{'NAME'}cert.pem";
- if ( $errormessage = &VPN::callssl ($opt) ) {
- unlink ($filename);
+ my $return = &VPN::callssl ($opt);
+ unlink ($filename);
+ &VPN::cleanssldatabase();
+ if ($return) {
+ $errormessage .= "$return<br />";
+ $error_auth = 'error';
unlink ("/var/ipcop/certs/$cgiparams{'NAME'}cert.pem");
- &VPN::cleanssldatabase();
goto VPNCONF_ERROR;
}
- else {
- unlink ($filename);
- &VPN::cleanssldatabase();
- }
$cgiparams{'CERT_NAME'} = &VPN::getCNfromcert \
("/var/ipcop/certs/$cgiparams{'NAME'}cert.pem");
 if ($cgiparams{'CERT_NAME'} eq '') \
{
- $errormessage = $Lang::tr{'could not retrieve common name from \
certificate'};
+ $errormessage .= "$Lang::tr{'could not retrieve \
common name from certificate'}<br />";
+ $error_auth = 'error';
goto VPNCONF_ERROR;
}
}
@@ -590,24 +591,30 @@
&General::log("ipsec", "Importing from p12...");
if (ref ($cgiparams{'FH'}) ne 'Fh') {
- $errormessage = $Lang::tr{'there was no file upload'};
+ $errormessage .= "$Lang::tr{'there was no file upload'}<br />";
+ $error_auth = 'error';
goto ROOTCERT_ERROR;
}
# Move uploaded certificate request to a temporary file
(my $fh, my $filename) = tempfile( );
- if (copy ($cgiparams{'FH'}, $fh) != 1) {
- $errormessage = $!;
+ if (copy($cgiparams{'FH'}, $fh) != 1) {
+ $errormessage .= "$!<br />";
+ $error_auth = 'error';
goto ROOTCERT_ERROR;
}
# Extract the CA certificate from the file
- &General::log("ipsec", "Extracting caroot from p12...");
+ &General::log("ipsec", "Extracting ca root from p12...");
if (open(STDIN, "-|")) {
my $opt = " pkcs12 -cacerts -nokeys";
$opt .= " -in $filename";
$opt .= " -out /tmp/newcacert";
- $errormessage = &VPN::callssl ($opt);
+ my $return = &VPN::callssl ($opt);
+ if ($return) {
+ $errormessage .= "$return<br />";
+ $error_auth = 'error';
+ }
}
else { #child
print "$cgiparams{'P12_PASS'}\n";
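Review bot: The PKCS#12 import writes its intermediate output to the fixed, predictable paths `/tmp/newcacert` (`$opt .= " -out /tmp/newcacert";` in this hunk) and `/tmp/newhostcert` (next hunk), then `move()`s them into `/var/ipcop/ca` and `/var/ipcop/certs`; a pre-existing file or symlink of that name in a shared /tmp is followed rather than detected, which is the usual concern with fixed names in a world-writable directory. The same handler already uses `tempfile()` for the uploaded file, so the same can be done here: `(my $cafh, my $cacert) = tempfile();` and interpolate `$cacert` into the `-out` option, the `openssl x509 -text -in` check and the `move()` source, and likewise for the host cert. This is pre-existing rather than introduced by the commit; the affected lines are spread over this hunk and the two that follow.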
@@ -621,7 +628,8 @@
my $opt = " pkcs12 -clcerts -nokeys";
$opt .= " -in $filename";
$opt .= " -out /tmp/newhostcert";
- $errormessage = &VPN::callssl ($opt);
+ my $return = &VPN::callssl ($opt);
+ $errormessage .= "$return<br />" if ($return);
}
else { #child
print "$cgiparams{'P12_PASS'}\n";
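Review bot: The clcerts branch records the openssl failure but does not flag the auth section: `$errormessage .= "$return<br />" if ($return);` sets no `$error_auth`, whereas the cacerts branch in the previous hunk and every other auth failure in this commit also set `$error_auth = 'error'`. The two `move()` failures later in this handler (the `certificate file move failed` appends at the end of the next two hunks) have the same omission. Suggested form here: `if ($return) { $errormessage .= "$return<br />"; $error_auth = 'error'; }`.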
@@ -631,26 +639,29 @@
if (!$errormessage) {
&General::log("ipsec", "Moving cacert...");
- #If CA have new subject, add it to our list of CA
+ # If CA has new subject, add it to our list of CA
my $casubject = &Header::cleanhtml(&VPN::getsubjectfromcert \
('/tmp/newcacert'));
 my @names;
foreach my $x (keys %cahash) {
- $casubject='' if ($cahash{$x}[1] eq $casubject);
+ $casubject = '' if ($cahash{$x}[1] eq $casubject);
unshift (@names,$cahash{$x}[0]);
}
if ($casubject) { # a new one!
my $temp = `/usr/bin/openssl x509 -text -in /tmp/newcacert`;
if ($temp !~ /CA:TRUE/i) {
- $errormessage = $Lang::tr{'not a valid ca certificate'};
+ $errormessage .= "$Lang::tr{'not a valid ca certificate'}<br \
/>";
+ $error_auth = 'error';
}
else {
- #compute a name for it
+ # compute a name for it
my $idx=0;
- while (grep(/Imported-$idx/, @names) ) {$idx++};
- $cgiparams{'CA_NAME'}="Imported-$idx";
- \
$cgiparams{'CERT_NAME'}=&Header::cleanhtml(&VPN::getCNfromcert \
('/tmp/newhostcert'));
- move("/tmp/newcacert", \
"/var/ipcop/ca/$cgiparams{'CA_NAME'}cert.pem");
- $errormessage = "$Lang::tr{'certificate file move failed'}: \
$!" if ($? ne 0);
+ while (grep(/Imported-$idx/, @names) ) {
+ $idx++
+ };
+ $cgiparams{'CA_NAME'} = "Imported-$idx";
+ $cgiparams{'CERT_NAME'} = \
&Header::cleanhtml(&VPN::getCNfromcert ('/tmp/newhostcert'));
+ \
my $return = move("/tmp/newcacert", "/var/ipcop/ca/$cgiparams{'CA_NAME'}cert.pem");
+ \
$errormessage .= "$Lang::tr{'certificate file move failed'}: $!<br />" if ($return ne \
1);
 if (!$errormessage) {
my $key = &General::findhasharraykey (\%cahash);
$cahash{$key}[0] = $cgiparams{'CA_NAME'};
@@ -664,8 +675,8 @@
}
if (!$errormessage) {
&General::log("ipsec", "Moving host cert...");
- move("/tmp/newhostcert", \
"/var/ipcop/certs/$cgiparams{'NAME'}cert.pem");
- $errormessage = "$Lang::tr{'certificate file move failed'}: $!" if \
($? ne 0);
+ my $return = move("/tmp/newhostcert", \
"/var/ipcop/certs/$cgiparams{'NAME'}cert.pem");
+ $errormessage .= \
"$Lang::tr{'certificate file move failed'}: $!<br />" if ($return ne 1);
 }
#cleanup temp files
@@ -681,17 +692,20 @@
}
elsif ($cgiparams{'AUTH'} eq 'certfile') {
if ($cgiparams{'KEY'}) {
- $errormessage = $Lang::tr{'cant change certificates'};
+ $errormessage .= "$Lang::tr{'cant change certificates'}<br />";
+ $error_auth = 'error';
goto VPNCONF_ERROR;
}
if (ref ($cgiparams{'FH'}) ne 'Fh') {
- $errormessage = $Lang::tr{'there was no file upload'};
+ $errormessage .= "$Lang::tr{'there was no file upload'}<br />";
+ $error_auth = 'error';
goto VPNCONF_ERROR;
}
# Move uploaded certificate to a temporary file
(my $fh, my $filename) = tempfile( );
- if (copy ($cgiparams{'FH'}, $fh) != 1) {
- $errormessage = $!;
+ if (copy($cgiparams{'FH'}, $fh) != 1) {
+ $errormessage .= "$!<br />";
+ $error_auth = 'error';
goto VPNCONF_ERROR;
}
@@ -699,6 +713,7 @@
&General::log("ipsec", "Validating imported cert against our known \
CA...");
 my $validca = 1; #assume ok
my $test = `/usr/bin/openssl verify -CAfile /var/ipcop/ca/cacert.pem \
$filename`;
+
if ($test !~ /: OK/) {
my $validca = 0;
foreach my $key (keys %cahash) {
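Review bot: `my $validca = 0;` inside the `if ($test !~ /: OK/)` block declares a new lexical that shadows the `my $validca = 1; #assume ok` above it, so the outer variable is never changed; the `if (! $validca)` test in the next hunk therefore always sees 1 and the `certificate does not have a valid ca associated with it` error cannot fire, i.e. an uploaded certificate that verifies against none of the known CAs is still accepted. Because the inner `my` sits in a nested block, the newly enabled `use warnings` does not report it. The fix is to drop the `my` so the assignment reaches the outer variable: `$validca = 0;`. The `foreach` that follows presumably sets `$validca` back to 1 on a match; its body is outside this hunk.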
@@ -709,15 +724,18 @@
}
}
}
+
if (! $validca) {
- $errormessage = $Lang::tr{'certificate does not have a valid ca \
associated with it'};
+ $errormessage .= "$Lang::tr{'certificate does \
not have a valid ca associated with it'}<br />";
+ $error_auth = \
'error';
 unlink ($filename);
goto VPNCONF_ERROR;
}
else {
my $return = move($filename, \
"/var/ipcop/certs/$cgiparams{'NAME'}cert.pem");
 if ($return ne 1) {
- $errormessage = "$Lang::tr{'certificate file move failed'}: $!";
+ $errormessage .= "$Lang::tr{'certificate file move failed'}: \
$!<br />";
+ $error_auth = 'error';
unlink ($filename);
goto VPNCONF_ERROR;
}
@@ -726,54 +744,65 @@
$cgiparams{'CERT_NAME'} = &VPN::getCNfromcert \
("/var/ipcop/certs/$cgiparams{'NAME'}cert.pem");
 if ($cgiparams{'CERT_NAME'} eq '') \
{
 unlink ("/var/ipcop/certs/$cgiparams{'NAME'}cert.pem");
- $errormessage = $Lang::tr{'could not retrieve common name from \
certificate'};
+ $errormessage .= "$Lang::tr{'could not retrieve \
common name from certificate'}<br />";
+ $error_auth = 'error';
goto VPNCONF_ERROR;
}
}
elsif ($cgiparams{'AUTH'} eq 'certgen') {
if ($cgiparams{'KEY'}) {
- $errormessage = $Lang::tr{'cant change certificates'};
+ $errormessage .= "$Lang::tr{'cant change certificates'}<br />";
+ $error_auth = 'error';
goto VPNCONF_ERROR;
}
# Validate input since the form was submitted
if (length($cgiparams{'CERT_NAME'}) >60) {
- $errormessage = $Lang::tr{'name too long'};
+ $errormessage .= "$Lang::tr{'name too long'}<br />";
+ $error_auth = 'error';
goto VPNCONF_ERROR;
}
if ($cgiparams{'CERT_NAME'} !~ /^[a-zA-Z0-9 ,\.\-_]+$/) {
- $errormessage = $Lang::tr{'invalid input for name'};
+ $errormessage .= "$Lang::tr{'invalid input for name'}<br />";
+ $error_auth = 'error';
goto VPNCONF_ERROR;
}
if ($cgiparams{'CERT_EMAIL'} ne '' && (! \
&General::validemail($cgiparams{'CERT_EMAIL'}))) {
- $errormessage = $Lang::tr{'invalid input for e-mail address'};
+ $errormessage .= "$Lang::tr{'invalid input for e-mail address'}<br \
/>";
+ $error_auth = 'error';
goto VPNCONF_ERROR;
}
if (length($cgiparams{'CERT_EMAIL'}) > 40) {
- $errormessage = $Lang::tr{'e-mail address too long'};
+ $errormessage .= "$Lang::tr{'e-mail address too long'}<br />";
+ $error_auth = 'error';
goto VPNCONF_ERROR;
}
if ($cgiparams{'CERT_OU'} ne '' && $cgiparams{'CERT_OU'} !~ /^[a-zA-Z0-9 \
,\.\-_]*$/) {
- $errormessage = $Lang::tr{'invalid input for department'};
+ $errormessage .= "$Lang::tr{'invalid input for department'}<br />";
+ $error_auth = 'error';
goto VPNCONF_ERROR;
}
if (length($cgiparams{'CERT_ORGANIZATION'}) >60) {
- $errormessage = $Lang::tr{'organization too long'};
+ $errormessage .= $Lang::tr{'organization too long'};
+ $error_auth = 'error';
goto VPNCONF_ERROR;
}
if ($cgiparams{'CERT_ORGANIZATION'} !~ /^[a-zA-Z0-9 ,\.\-_]+$/) {
- $errormessage = $Lang::tr{'invalid input for organization'};
+ $errormessage .= "$Lang::tr{'invalid input for organization'}<br \
/>";
 goto VPNCONF_ERROR;
}
if ($cgiparams{'CERT_CITY'} ne '' && $cgiparams{'CERT_CITY'} !~ \
/^[a-zA-Z0-9 ,\.\-_]*$/) {
- $errormessage = $Lang::tr{'invalid input for city'};
+ $errormessage .= "$Lang::tr{'invalid input for city'}<br />";
+ $error_auth = 'error';
goto VPNCONF_ERROR;
}
if ($cgiparams{'CERT_STATE'} ne '' && $cgiparams{'CERT_STATE'} !~ \
/^[a-zA-Z0-9 ,\.\-_]*$/) {
- $errormessage = $Lang::tr{'invalid input for state or province'};
+ $errormessage .= "$Lang::tr{'invalid input for state or \
province'}<br />";
+ $error_auth = 'error';
goto VPNCONF_ERROR;
}
if ($cgiparams{'CERT_COUNTRY'} !~ /^[A-Z]*$/) {
- $errormessage = $Lang::tr{'invalid input for country'};
+ $errormessage .= "$Lang::tr{'invalid input for country'}<br />";
+ $error_auth = 'error';
goto VPNCONF_ERROR;
}
#the exact syntax is a list comma separated of
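Review bot: Two of the certgen checks in this hunk fall out of step with the rest of the commit: the `organization too long` line appends the bare translation without quotes and without the `<br />` terminator — `$errormessage .= $Lang::tr{'organization too long'};` — so it will run into the next message once several are displayed, and the `invalid input for organization` check appends its message but does not set `$error_auth = 'error';` although every neighbouring check now does. Suggested: `$errormessage .= "$Lang::tr{'organization too long'}<br />";` for the former, and `$error_auth = 'error';` before the `goto VPNCONF_ERROR;` of the latter.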
@@ -782,31 +811,36 @@
# DNS: a DNS domain name
# RID: a registered OBJECT IDENTIFIER
# IP: an IP address
- # example: email:franck@foo.com,IP:10.0.0.10,DNS:franck.foo.com
+ # example: email:user@example.com,IP:10.0.0.10,DNS:user.example.com
if ($cgiparams{'SUBJECTALTNAME'} ne '' && $cgiparams{'SUBJECTALTNAME'} \
!~ /^(email|URI|DNS|RID|IP):[a-zA-Z0-9 :\/,\.\-_@]*$/) {
- $errormessage = $Lang::tr{'vpn altname syntax'};
+ $errormessage .= "$Lang::tr{'vpn altname syntax'}<br />";
+ $error_auth = 'error';
goto VPNCONF_ERROR;
}
if (length($cgiparams{'CERT_PASS1'}) < 5) {
- $errormessage = $Lang::tr{'password too short'};
+ $errormessage .= "$Lang::tr{'password too short'}<br />";
+ $error_auth = 'error';
goto VPNCONF_ERROR;
}
if ($cgiparams{'CERT_PASS1'} ne $cgiparams{'CERT_PASS2'}) {
- $errormessage = $Lang::tr{'passwords do not match'};
+ $errormessage .= "$Lang::tr{'passwords do not match'}<br />";
+ $error_auth = 'error';
goto VPNCONF_ERROR;
}
if (($cgiparams{'YEAR'} < $this_year)
|| (($cgiparams{'YEAR'} == $this_year) && ($cgiparams{'MONTH'} < \
$now[4]))
|| (($cgiparams{'YEAR'} == $this_year) && ($cgiparams{'MONTH'} == \
$now[4]) && ($cgiparams{'DAY'} < $now[3])) ) {
- $errormessage = $Lang::tr{'invalid date entered'};
+ $errormessage .= "$Lang::tr{'invalid date entered'}<br />";
+ $error_auth = 'error';
goto VPNCONF_ERROR;
}
my $certdays = (POSIX::mktime( 0, 0, 1, $cgiparams{'DAY'}, \
$cgiparams{'MONTH'}, $cgiparams{'YEAR'}-1900) - POSIX::mktime( 0, 0, 0, $now[3], \
$now[4], $now[5])) / 86400;
 if ($certdays <= 1) {
- $errormessage = $Lang::tr{'invalid date entered'};
+ $errormessage .= "$Lang::tr{'invalid date entered'}<br />";
+ $error_auth = 'error';
goto VPNCONF_ERROR;
}
@@ -824,7 +858,10 @@
$opt .= " -keyout /var/ipcop/certs/$cgiparams{'NAME'}key.pem";
$opt .= " -out /var/ipcop/certs/$cgiparams{'NAME'}req.pem";
- if ( $errormessage = &VPN::callssl ($opt) ) {
+ my $return = &VPN::callssl ($opt);
+ if ($return) {
+ $errormessage .= "$return<br />";
+ $error_auth = 'error';
unlink ("/var/ipcop/certs/$cgiparams{'NAME'}key.pem");
unlink ("/var/ipcop/certs/$cgiparams{'NAME'}req.pem");
goto VPNCONF_ERROR;
@@ -846,7 +883,7 @@
# Sign the host certificate request
&General::log("ipsec", "Signing the cert $cgiparams{'NAME'}...");
- #No easy way for specifying the contain of subjectAltName without \
writing a config file...
+ # No easy way for specifying the contain of \
subjectAltName without writing a config file...
 my ($fh, $v3extname) = tempfile \
('/tmp/XXXXXXXX');
 print $fh <<END
basicConstraints=CA:FALSE
@@ -863,19 +900,17 @@
$opt .= " -out /var/ipcop/certs/$cgiparams{'NAME'}cert.pem";
$opt .= " -extfile $v3extname";
- if ( $errormessage = &VPN::callssl ($opt) ) {
- unlink ($v3extname);
+ my $return = &VPN::callssl ($opt);
+ unlink ($v3extname);
+ unlink ("/var/ipcop/certs/$cgiparams{'NAME'}req.pem");
+ &VPN::cleanssldatabase();
+ if ($return) {
+ $errormessage .= "$return<br />";
+ $error_auth = 'error';
unlink ("/var/ipcop/certs/$cgiparams{'NAME'}key.pem");
- unlink ("/var/ipcop/certs/$cgiparams{'NAME'}req.pem");
unlink ("/var/ipcop/certs/$cgiparams{'NAME'}cert.pem");
- &VPN::cleanssldatabase();
goto VPNCONF_ERROR;
}
- else {
- unlink ($v3extname);
- unlink ("/var/ipcop/certs/$cgiparams{'NAME'}req.pem");
- &VPN::cleanssldatabase();
- }
# Create the pkcs12 file
&General::log("ipsec", "Packing a pkcs12 file...");
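Review bot: `my $return = &VPN::callssl ($opt);` here re-declares the `$return` already introduced with `my` earlier in the same certgen branch (the req-generation hunk above), and the pkcs12 hunk below then assigns to it without `my`; if the two declarations sit at the same block level — indentation is lost in this listing, so this is inferred — the newly enabled `use warnings` will log a `"my" variable $return masks earlier declaration in same scope` warning on every request. Declaring it once, `my $return;`, before the first callssl and writing `$return = &VPN::callssl ($opt);` at each use keeps the three call sites uniform.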
@@ -888,15 +923,15 @@
$opt .= " -caname \"$vpnsettings{'ROOTCERT_ORGANIZATION'} CA\"";
$opt .= " -out /var/ipcop/certs/$cgiparams{'NAME'}.p12";
- if ( $errormessage = &VPN::callssl ($opt) ) {
- unlink ("/var/ipcop/certs/$cgiparams{'NAME'}key.pem");
+ $return = &VPN::callssl ($opt);
+ unlink ("/var/ipcop/certs/$cgiparams{'NAME'}key.pem");
+ if ($return) {
+ $errormessage .= "$return<br />";
+ $error_auth = 'error';
unlink ("/var/ipcop/certs/$cgiparams{'NAME'}cert.pem");
unlink ("/var/ipcop/certs/$cgiparams{'NAME'}.p12");
goto VPNCONF_ERROR;
}
- else {
- unlink ("/var/ipcop/certs/$cgiparams{'NAME'}key.pem");
- }
}
elsif ($cgiparams{'AUTH'} eq 'cert') {
;# Nothing, just editing
@@ -905,18 +940,19 @@
$cgiparams{'CERT_NAME'} = '%auth-dn'; # a special value saying 'no \
cert file'
 }
else {
- $errormessage = $Lang::tr{'invalid input for authentication method'};
+ $errormessage .= "$Lang::tr{'invalid input for authentication \
method'}<br />";
+ $error_auth = 'error';
goto VPNCONF_ERROR;
}
- # 1)Error message here is not accurate.
- # 2)Test is superfluous, openswan can reference same cert multiple times
- # 3)Present since initial version (1.3.2.11), it isn't a bug correction
+ # 1) Error message here is not accurate.
+ # 2) Test is superfluous, openswan can reference same cert multiple times
+ # 3) Present since initial version (1.3.2.11), it isn't a bug correction
# Check if there is no other entry with this certificate name
#if ((! $cgiparams{'KEY'}) && ($cgiparams{'AUTH'} ne 'psk') && \
($cgiparams{'AUTH'} ne 'auth-dn')) { # foreach my $key (keys %confighash) {
# if ($confighash{$key}[2] eq $cgiparams{'CERT_NAME'}) {
- # $errormessage = $Lang::tr{'a connection with this common name \
already exists'};
+ # $errormessage .= "$Lang::tr{'a connection with \
this common name already exists'}<br />";
 # goto VPNCONF_ERROR;
# }
# }
@@ -953,7 +989,7 @@
$confighash{$key}[27] = $cgiparams{'DPD_ACTION'};
$confighash{$key}[6] = $cgiparams{'TUNNELSTART'};
- #dont forget advanced value
+ # dont forget advanced value
$confighash{$key}[18] = $cgiparams{'IKE_ENCRYPTION'};
$confighash{$key}[19] = $cgiparams{'IKE_INTEGRITY'};
$confighash{$key}[20] = $cgiparams{'IKE_GROUPTYPE'};
@@ -968,7 +1004,7 @@
$confighash{$key}[28] = $cgiparams{'PFS'};
$confighash{$key}[14] = $cgiparams{'VHOST'};
- #free unused fields!
+ # free unused fields!
$confighash{$key}[15] = 'off';
&General::writehasharray("/var/ipcop/ipsec/config", \%confighash);
@@ -1026,51 +1062,51 @@
$cgiparams{'LOCAL_ID'} = '';
$cgiparams{'REMOTE_ID'} = '';
- #use default advanced value
+ # use default advanced value
$cgiparams{'IKE_ENCRYPTION'} = 'aes128|3des'; #[18];
- $cgiparams{'IKE_INTEGRITY'} = 'sha|md5'; #[19];
- $cgiparams{'IKE_GROUPTYPE'} = '1536|1024'; #[20];
- $cgiparams{'IKE_LIFETIME'} = '1'; #[16];
+ $cgiparams{'IKE_INTEGRITY'} = 'sha|md5'; #[19];
+ $cgiparams{'IKE_GROUPTYPE'} = '1536|1024'; #[20];
+ $cgiparams{'IKE_LIFETIME'} = '1'; #[16];
$cgiparams{'ESP_ENCRYPTION'} = 'aes128|3des'; #[21];
- $cgiparams{'ESP_INTEGRITY'} = 'sha1|md5'; #[22];
- $cgiparams{'ESP_GROUPTYPE'} = ''; #[23];
- $cgiparams{'ESP_KEYLIFE'} = '8'; #[17];
- $cgiparams{'AGGRMODE'} = 'off'; #[12];
- $cgiparams{'COMPRESSION'} = 'off'; #[13];
- $cgiparams{'ONLY_PROPOSED'} = 'off'; #[24];
- $cgiparams{'PFS'} = 'on'; #[28];
- $cgiparams{'VHOST'} = 'on'; #[14];
+ $cgiparams{'ESP_INTEGRITY'} = 'sha1|md5'; #[22];
+ $cgiparams{'ESP_GROUPTYPE'} = ''; #[23];
+ $cgiparams{'ESP_KEYLIFE'} = '8'; #[17];
+ $cgiparams{'AGGRMODE'} = 'off'; #[12];
+ $cgiparams{'COMPRESSION'} = 'off'; #[13];
+ $cgiparams{'ONLY_PROPOSED'} = 'off'; #[24];
+ $cgiparams{'PFS'} = 'on'; #[28];
+ $cgiparams{'VHOST'} = 'on'; #[14];
}
VPNCONF_ERROR:
- $checked{'ENABLED'}{'off'} = '';
- $checked{'ENABLED'}{'on'} = '';
+ $checked{'ENABLED'}{'off'} = '';
+ $checked{'ENABLED'}{'on'} = '';
$checked{'ENABLED'}{$cgiparams{'ENABLED'}} = "checked='checked'";
- $checked{'EDIT_ADVANCED'}{'off'} = '';
- $checked{'EDIT_ADVANCED'}{'on'} = '';
+ $checked{'EDIT_ADVANCED'}{'off'} = '';
+ $checked{'EDIT_ADVANCED'}{'on'} = '';
$checked{'EDIT_ADVANCED'}{$cgiparams{'EDIT_ADVANCED'}} = "checked='checked'";
- $checked{'AUTH'}{'psk'} = '';
- $checked{'AUTH'}{'certreq'} = '';
- $checked{'AUTH'}{'certgen'} = '';
- $checked{'AUTH'}{'certfile'} = '';
- $checked{'AUTH'}{'pkcs12'} = '';
- $checked{'AUTH'}{'auth-dn'} = '';
+ $checked{'AUTH'}{'psk'} = '';
+ $checked{'AUTH'}{'certreq'} = '';
+ $checked{'AUTH'}{'certgen'} = '';
+ $checked{'AUTH'}{'certfile'} = '';
+ $checked{'AUTH'}{'pkcs12'} = '';
+ $checked{'AUTH'}{'auth-dn'} = '';
$checked{'AUTH'}{$cgiparams{'AUTH'}} = "checked='checked'";
- $selected{'INTERFACE'}{'RED'} = '';
- $selected{'INTERFACE'}{'BLUE'} = '';
+ $selected{'INTERFACE'}{'RED'} = '';
+ $selected{'INTERFACE'}{'BLUE'} = '';
$selected{'INTERFACE'}{$cgiparams{'INTERFACE'}} = "selected='selected'";
- $selected{'DPD_ACTION'}{'clear'} = '';
- $selected{'DPD_ACTION'}{'hold'} = '';
- $selected{'DPD_ACTION'}{'restart'} = '';
+ $selected{'DPD_ACTION'}{'clear'} = '';
+ $selected{'DPD_ACTION'}{'hold'} = '';
+ $selected{'DPD_ACTION'}{'restart'} = '';
$selected{'DPD_ACTION'}{$cgiparams{'DPD_ACTION'}} = "selected='selected'";
- $selected{'TUNNELSTART'}{'add'} = '';
- $selected{'TUNNELSTART'}{'route'} = '';
- $selected{'TUNNELSTART'}{'start'} = '';
+ $selected{'TUNNELSTART'}{'add'} = '';
+ $selected{'TUNNELSTART'}{'route'} = '';
+ $selected{'TUNNELSTART'}{'start'} = '';
$selected{'TUNNELSTART'}{$cgiparams{'TUNNELSTART'}} = "selected='selected'";
&Header::showhttpheaders();
@@ -1084,7 +1120,7 @@
if ($warnmessage) {
&Header::openbox('100%', 'left', "$Lang::tr{'warning messages'}:", \
'warning');
- print "<font class='base'>$errormessage </font>";
+ print "<font class='base'>$warnmessage </font>";
&Header::closebox();
}
@@ -1123,8 +1159,8 @@
print "<td width='25%'>$Lang::tr{'enabled'}:</td><td><input type='checkbox' \
name='ENABLED' $checked{'ENABLED'}{'on'} /></td>"; print "</tr><tr><td \
colspan='4'><br /></td></tr>";
- my $disabled;
- my $blob;
+ my $disabled = '';
+ my $blob = '';
if ($cgiparams{'TYPE'} eq 'host') {
$disabled = "disabled='disabled'";
$blob = "<img src='/blob.gif' alt='*' />";
@@ -1133,7 +1169,7 @@
print "<tr><td>$Lang::tr{'host ip'}:</td>";
print "<td><select name='INTERFACE'>";
print "<option value='RED' $selected{'INTERFACE'}{'RED'}>RED \
($vpnsettings{'VPN_IP'})</option>";
- print "<option value='BLUE' $selected{'INTERFACE'}{'BLUE'}>BLUE \
($netsettings{'BLUE_1_ADDRESS'})</option>" if ($netsettings{'BLUE_COUNT'} > 0);
+ \
print "<option value='BLUE' $selected{'INTERFACE'}{'BLUE'}>BLUE \
($netsettings{'BLUE_1_ADDRESS'})</option>" if (&FW::haveBlueNet()); print \
"</select></td>"; print <<END
<td class='base'>$Lang::tr{'remote host/ip'}: $blob</td>
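Review bot: The BLUE option on the new side still interpolates `$netsettings{'BLUE_1_ADDRESS'}` while its guard changed from `$netsettings{'BLUE_COUNT'} > 0` to `&FW::haveBlueNet()`; if those two conditions can disagree (haveBlueNet is not visible here), the label interpolates an unset value, which now surfaces as an "uninitialized value" warning. A defined-or fallback such as `($netsettings{'BLUE_1_ADDRESS'} // '')` keeps the markup well-formed either way. As a style point, `FW::haveBlueNet()` without the leading `&` is the idiomatic call form. The enclosing print sequence starts and ends outside the hunk.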
@@ -1365,160 +1401,166 @@
###
### Advanced settings
###
-if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) ||
- ($cgiparams{'ACTION'} eq $Lang::tr{'save'} && $cgiparams{'ADVANCED'} eq \
'yes')) {
+if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'})
+ || ($cgiparams{'ACTION'} eq $Lang::tr{'save'} && $cgiparams{'ADVANCED'} eq \
'yes')) {
+
&General::readhash("/var/ipcop/ipsec/settings", \%vpnsettings);
&General::readhasharray("/var/ipcop/ipsec/config", \%confighash);
+
if (! $confighash{$cgiparams{'KEY'}}) {
- $errormessage = $Lang::tr{'invalid key'};
+ $errormessage .= "$Lang::tr{'invalid key'}<br />";
goto ADVANCED_END;
}
if ($cgiparams{'ACTION'} eq $Lang::tr{'save'}) {
- # I didn't read any incompatibilities here....
- #if ($cgiparams{'VHOST'} eq 'on' && $cgiparams{'COMPRESSION'} eq 'on') {
- # $errormessage = $Lang::tr{'cannot enable both nat traversal and \
compression'};
- # goto ADVANCED_ERROR;
- #}
- my @temp = split('\|', $cgiparams{'IKE_ENCRYPTION'});
- if ($#temp < 0) {
- $errormessage = $Lang::tr{'invalid input'};
- goto ADVANCED_ERROR;
- }
- foreach my $val (@temp) {
- if ($val !~ \
/^(aes256|aes128|3des|twofish256|twofish128|serpent256|serpent128|blowfish256|blowfish128|cast128)$/) \
{
- $errormessage = $Lang::tr{'invalid input'};
- goto ADVANCED_ERROR;
+ # I didn't read any incompatibilities here....
+ #if ($cgiparams{'VHOST'} eq 'on' && $cgiparams{'COMPRESSION'} eq 'on') {
+ # $errormessage .= "$Lang::tr{'cannot enable both nat traversal and \
compression'}<br />";
+ # goto ADVANCED_ERROR;
+ #}
+ my @temp = split('\|', $cgiparams{'IKE_ENCRYPTION'});
+ if ($#temp < 0) {
+ $errormessage .= "$Lang::tr{'invalid input'}<br />";
+ goto ADVANCED_ERROR;
}
- }
- @temp = split('\|', $cgiparams{'IKE_INTEGRITY'});
- if ($#temp < 0) {
- $errormessage = $Lang::tr{'invalid input'};
- goto ADVANCED_ERROR;
- }
- foreach my $val (@temp) {
- if ($val !~ /^(sha2_512|sha2_256|sha|md5)$/) {
- $errormessage = $Lang::tr{'invalid input'};
- goto ADVANCED_ERROR;
+ foreach my $val (@temp) {
+ if ($val !~ \
/^(aes256|aes128|3des|twofish256|twofish128|serpent256|serpent128|blowfish256|blowfish128|cast128)$/) \
{
+ $errormessage .= "$Lang::tr{'invalid input'}<br />";
+ goto ADVANCED_ERROR;
+ }
}
- }
- @temp = split('\|', $cgiparams{'IKE_GROUPTYPE'});
- if ($#temp < 0) {
- $errormessage = $Lang::tr{'invalid input'};
- goto ADVANCED_ERROR;
- }
- foreach my $val (@temp) {
- if ($val !~ /^(768|1024|1536|2048|3072|4096|6144|8192)$/) {
- $errormessage = $Lang::tr{'invalid input'};
- goto ADVANCED_ERROR;
+ @temp = split('\|', $cgiparams{'IKE_INTEGRITY'});
+ if ($#temp < 0) {
+ $errormessage .= "$Lang::tr{'invalid input'}<br />";
+ goto ADVANCED_ERROR;
}
- }
- if ($cgiparams{'IKE_LIFETIME'} !~ /^\d+$/) {
- $errormessage = $Lang::tr{'invalid input for ike lifetime'};
- goto ADVANCED_ERROR;
- }
- if ($cgiparams{'IKE_LIFETIME'} < 1 || $cgiparams{'IKE_LIFETIME'} > 8) {
- $errormessage = $Lang::tr{'ike lifetime should be between 1 and 8 hours'};
- goto ADVANCED_ERROR;
- }
- @temp = split('\|', $cgiparams{'ESP_ENCRYPTION'});
- if ($#temp < 0) {
- $errormessage = $Lang::tr{'invalid input'};
- goto ADVANCED_ERROR;
- }
- foreach my $val (@temp) {
- if ($val !~ \
/^(aes256|aes128|3des|twofish256|twofish128|serpent256|serpent128|blowfish256|blowfish128)$/) \
{
- $errormessage = $Lang::tr{'invalid input'};
- goto ADVANCED_ERROR;
+ foreach my $val (@temp) {
+ if ($val !~ /^(sha2_512|sha2_256|sha|md5)$/) {
+ $errormessage .= "$Lang::tr{'invalid input'}<br />";
+ goto ADVANCED_ERROR;
+ }
}
- }
- @temp = split('\|', $cgiparams{'ESP_INTEGRITY'});
- if ($#temp < 0) {
- $errormessage = $Lang::tr{'invalid input'};
- goto ADVANCED_ERROR;
- }
- foreach my $val (@temp) {
- if ($val !~ /^(sha2_512|sha2_256|sha1|md5)$/) {
- $errormessage = $Lang::tr{'invalid input'};
- goto ADVANCED_ERROR;
+ @temp = split('\|', $cgiparams{'IKE_GROUPTYPE'});
+ if ($#temp < 0) {
+ $errormessage .= "$Lang::tr{'invalid input'}<br />";
+ goto ADVANCED_ERROR;
}
- }
- # pfsgroup removed from openswan 2.6.21
- # if ($cgiparams{'ESP_GROUPTYPE'} ne '' &&
- # $cgiparams{'ESP_GROUPTYPE'} !~ /^modp(768|1024|1536|2048|3072|4096)$/) {
- # $errormessage = $Lang::tr{'invalid input'};
- # goto ADVANCED_ERROR;
- # }
+ foreach my $val (@temp) {
+ if ($val !~ /^(768|1024|1536|2048|3072|4096|6144|8192)$/) {
+ $errormessage .= "$Lang::tr{'invalid input'}<br />";
+ goto ADVANCED_ERROR;
+ }
+ }
+ if ($cgiparams{'IKE_LIFETIME'} !~ /^\d+$/) {
+ $errormessage .= "$Lang::tr{'invalid input for ike lifetime'}<br />";
+ goto ADVANCED_ERROR;
+ }
+ if ($cgiparams{'IKE_LIFETIME'} < 1 || $cgiparams{'IKE_LIFETIME'} > 8) {
+ $errormessage .= "$Lang::tr{'ike lifetime should be between 1 and 8 \
hours'}<br />";
+ goto ADVANCED_ERROR;
+ }
+ @temp = split('\|', $cgiparams{'ESP_ENCRYPTION'});
+ if ($#temp < 0) {
+ $errormessage .= "$Lang::tr{'invalid input'}<br />";
+ goto ADVANCED_ERROR;
+ }
+ foreach my $val (@temp) {
+ if ($val !~ \
/^(aes256|aes128|3des|twofish256|twofish128|serpent256|serpent128|blowfish256|blowfish128)$/) \
{
+ $errormessage .= "$Lang::tr{'invalid input'}<br />";
+ goto ADVANCED_ERROR;
+ }
+ }
+ @temp = split('\|', $cgiparams{'ESP_INTEGRITY'});
+ if ($#temp < 0) {
+ $errormessage .= "$Lang::tr{'invalid input'}<br />";
+ goto ADVANCED_ERROR;
+ }
+ foreach my $val (@temp) {
+ if ($val !~ /^(sha2_512|sha2_256|sha1|md5)$/) {
+ $errormessage .= "$Lang::tr{'invalid input'}<br />";
+ goto ADVANCED_ERROR;
+ }
+ }
+ # pfsgroup removed from openswan 2.6.21
+ # if ($cgiparams{'ESP_GROUPTYPE'} ne '' &&
+ # $cgiparams{'ESP_GROUPTYPE'} !~ \
/^modp(768|1024|1536|2048|3072|4096)$/) {
+ # $errormessage .= \
"$Lang::tr{'invalid input'}<br />";
+ # goto ADVANCED_ERROR;
+ # }
- if ($cgiparams{'ESP_KEYLIFE'} !~ /^\d+$/) {
- $errormessage = $Lang::tr{'invalid input for esp keylife'};
- goto ADVANCED_ERROR;
- }
- if ($cgiparams{'ESP_KEYLIFE'} < 1 || $cgiparams{'ESP_KEYLIFE'} > 24) {
- $errormessage = $Lang::tr{'esp keylife should be between 1 and 24 hours'};
- goto ADVANCED_ERROR;
- }
+ if ($cgiparams{'ESP_KEYLIFE'} !~ /^\d+$/) {
+ $errormessage .= "$Lang::tr{'invalid input for esp keylife'}<br />";
+ goto ADVANCED_ERROR;
+ }
+ if ($cgiparams{'ESP_KEYLIFE'} < 1 || $cgiparams{'ESP_KEYLIFE'} > 24) {
+ $errormessage .= "$Lang::tr{'esp keylife should be between 1 and 24 \
hours'}<br />";
+ goto ADVANCED_ERROR;
+ }
- # Achim Weber: Don't allow empty values, otherwise the configfile can break.
- # If the last entry is empty there would be a comma as last char, if you edit
- # another entry that last comma of the first entry will be forgotten.
- # When a checkbox is not selected, there is no cgiparam send.
- # To avoid this don't allow empty values, and init those parameters (which
- # are used as checkbox value) with 'off' before reading %cgiparams.
- if (
- ($cgiparams{'AGGRMODE'} !~ /^(on|off)$/) ||
- ($cgiparams{'COMPRESSION'} !~ /^(on|off)$/) ||
- ($cgiparams{'ONLY_PROPOSED'} !~ /^(on|off)$/) ||
- ($cgiparams{'PFS'} !~ /^(on|off)$/) ||
- ($cgiparams{'VHOST'} !~ /^(on|off)$/)
- ){
- $errormessage = $Lang::tr{'invalid input'};
- goto ADVANCED_ERROR;
- }
+ # Achim Weber: Don't allow empty values, otherwise the configfile can break.
+ # If the last entry is empty there would be a comma as last char, if you \
edit
+ # another entry that last comma of the first entry will be forgotten.
+ # When a checkbox is not selected, there is no cgiparam send.
+ # To avoid this don't allow empty values, and init those parameters (which
+ # are used as checkbox value) with 'off' before reading %cgiparams.
+ if (
+ ($cgiparams{'AGGRMODE'} !~ /^(on|off)$/) ||
+ ($cgiparams{'COMPRESSION'} !~ /^(on|off)$/) ||
+ ($cgiparams{'ONLY_PROPOSED'} !~ /^(on|off)$/) ||
+ ($cgiparams{'PFS'} !~ /^(on|off)$/) ||
+ ($cgiparams{'VHOST'} !~ /^(on|off)$/)
+ ){
+ $errormessage .= "$Lang::tr{'invalid input'}<br />";
+ goto ADVANCED_ERROR;
+ }
- $confighash{$cgiparams{'KEY'}}[18] = $cgiparams{'IKE_ENCRYPTION'};
- $confighash{$cgiparams{'KEY'}}[19] = $cgiparams{'IKE_INTEGRITY'};
- $confighash{$cgiparams{'KEY'}}[20] = $cgiparams{'IKE_GROUPTYPE'};
- $confighash{$cgiparams{'KEY'}}[16] = $cgiparams{'IKE_LIFETIME'};
- $confighash{$cgiparams{'KEY'}}[21] = $cgiparams{'ESP_ENCRYPTION'};
- $confighash{$cgiparams{'KEY'}}[22] = $cgiparams{'ESP_INTEGRITY'};
- $confighash{$cgiparams{'KEY'}}[23] = $cgiparams{'ESP_GROUPTYPE'};
- $confighash{$cgiparams{'KEY'}}[17] = $cgiparams{'ESP_KEYLIFE'};
- $confighash{$cgiparams{'KEY'}}[12] = $cgiparams{'AGGRMODE'};
- $confighash{$cgiparams{'KEY'}}[13] = $cgiparams{'COMPRESSION'};
- $confighash{$cgiparams{'KEY'}}[24] = $cgiparams{'ONLY_PROPOSED'};
- $confighash{$cgiparams{'KEY'}}[28] = $cgiparams{'PFS'};
- $confighash{$cgiparams{'KEY'}}[14] = $cgiparams{'VHOST'};
- &General::writehasharray("/var/ipcop/ipsec/config", \%confighash);
- &VPN::writeipsecfiles();
- if (&VPN::ipsecenabled(\%vpnsettings)) {
- &General::log("ipsec", "Start connection #$cgiparams{'KEY'}");
- system("/usr/local/bin/ipsecctrl --start=$cgiparams{'KEY'}");
- sleep $sleepDelay;
+ $confighash{$cgiparams{'KEY'}}[18] = $cgiparams{'IKE_ENCRYPTION'};
+ $confighash{$cgiparams{'KEY'}}[19] = $cgiparams{'IKE_INTEGRITY'};
+ $confighash{$cgiparams{'KEY'}}[20] = $cgiparams{'IKE_GROUPTYPE'};
+ $confighash{$cgiparams{'KEY'}}[16] = $cgiparams{'IKE_LIFETIME'};
+ $confighash{$cgiparams{'KEY'}}[21] = $cgiparams{'ESP_ENCRYPTION'};
+ $confighash{$cgiparams{'KEY'}}[22] = $cgiparams{'ESP_INTEGRITY'};
+ $confighash{$cgiparams{'KEY'}}[23] = $cgiparams{'ESP_GROUPTYPE'};
+ $confighash{$cgiparams{'KEY'}}[17] = $cgiparams{'ESP_KEYLIFE'};
+ $confighash{$cgiparams{'KEY'}}[12] = $cgiparams{'AGGRMODE'};
+ $confighash{$cgiparams{'KEY'}}[13] = $cgiparams{'COMPRESSION'};
+ $confighash{$cgiparams{'KEY'}}[24] = $cgiparams{'ONLY_PROPOSED'};
+ $confighash{$cgiparams{'KEY'}}[28] = $cgiparams{'PFS'};
+ $confighash{$cgiparams{'KEY'}}[14] = $cgiparams{'VHOST'};
+
+ &General::writehasharray("/var/ipcop/ipsec/config", \%confighash);
+ &VPN::writeipsecfiles();
+
+ if (&VPN::ipsecenabled(\%vpnsettings)) {
+ &General::log("ipsec", "Start connection #$cgiparams{'KEY'}");
+ system("/usr/local/bin/ipsecctrl --start=$cgiparams{'KEY'}");
+ sleep $sleepDelay;
+ }
+ goto ADVANCED_END;
}
- goto ADVANCED_END;
- } else {
- $cgiparams{'IKE_ENCRYPTION'} = $confighash{$cgiparams{'KEY'}}[18];
- $cgiparams{'IKE_INTEGRITY'} = $confighash{$cgiparams{'KEY'}}[19];
- $cgiparams{'IKE_GROUPTYPE'} = $confighash{$cgiparams{'KEY'}}[20];
- $cgiparams{'IKE_LIFETIME'} = $confighash{$cgiparams{'KEY'}}[16];
- $cgiparams{'ESP_ENCRYPTION'} = $confighash{$cgiparams{'KEY'}}[21];
- $cgiparams{'ESP_INTEGRITY'} = $confighash{$cgiparams{'KEY'}}[22];
- $cgiparams{'ESP_GROUPTYPE'} = $confighash{$cgiparams{'KEY'}}[23];
- $cgiparams{'ESP_KEYLIFE'} = $confighash{$cgiparams{'KEY'}}[17];
- $cgiparams{'AGGRMODE'} = $confighash{$cgiparams{'KEY'}}[12];
- $cgiparams{'COMPRESSION'} = $confighash{$cgiparams{'KEY'}}[13];
- $cgiparams{'ONLY_PROPOSED'} = $confighash{$cgiparams{'KEY'}}[24];
- $cgiparams{'PFS'} = $confighash{$cgiparams{'KEY'}}[28];
- $cgiparams{'VHOST'} = $confighash{$cgiparams{'KEY'}}[14];
+ else {
+ $cgiparams{'IKE_ENCRYPTION'} = $confighash{$cgiparams{'KEY'}}[18];
+ $cgiparams{'IKE_INTEGRITY'} = $confighash{$cgiparams{'KEY'}}[19];
+ $cgiparams{'IKE_GROUPTYPE'} = $confighash{$cgiparams{'KEY'}}[20];
+ $cgiparams{'IKE_LIFETIME'} = $confighash{$cgiparams{'KEY'}}[16];
+ $cgiparams{'ESP_ENCRYPTION'} = $confighash{$cgiparams{'KEY'}}[21];
+ $cgiparams{'ESP_INTEGRITY'} = $confighash{$cgiparams{'KEY'}}[22];
+ $cgiparams{'ESP_GROUPTYPE'} = $confighash{$cgiparams{'KEY'}}[23];
+ $cgiparams{'ESP_KEYLIFE'} = $confighash{$cgiparams{'KEY'}}[17];
+ $cgiparams{'AGGRMODE'} = $confighash{$cgiparams{'KEY'}}[12];
+ $cgiparams{'COMPRESSION'} = $confighash{$cgiparams{'KEY'}}[13];
+ $cgiparams{'ONLY_PROPOSED'} = $confighash{$cgiparams{'KEY'}}[24];
+ $cgiparams{'PFS'} = $confighash{$cgiparams{'KEY'}}[28];
+ $cgiparams{'VHOST'} = $confighash{$cgiparams{'KEY'}}[14];
- if ($confighash{$cgiparams{'KEY'}}[3] eq 'net' || \
$confighash{$cgiparams{'KEY'}}[10]) {
- $cgiparams{'VHOST'} = 'off';
+ if ($confighash{$cgiparams{'KEY'}}[3] eq 'net' || \
$confighash{$cgiparams{'KEY'}}[10]) {
+ $cgiparams{'VHOST'} = 'off';
+ }
}
- }
ADVANCED_ERROR:
$error_advanced = 'error' if ($errormessage);
+
$checked{'IKE_ENCRYPTION'}{'aes256'} = '';
$checked{'IKE_ENCRYPTION'}{'aes128'} = '';
$checked{'IKE_ENCRYPTION'}{'3des'} = '';
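Review bot: `system("/usr/local/bin/ipsecctrl --start=$cgiparams{'KEY'}")` on the new side still passes a request parameter to the shell inside one string, and its return value is not checked; the earlier `if (! $confighash{$cgiparams{'KEY'}})` test does restrict KEY to an existing config key, but that is an indirect guard for a shell invocation. The list form `system('/usr/local/bin/ipsecctrl', "--start=$cgiparams{'KEY'}") == 0 or &General::log("ipsec", "ipsecctrl --start failed: $?");` avoids the shell entirely and records a failed start. A smaller point: the value checks use `/^(...)$/`, where `$` also matches before a trailing newline, so `\A(...)\z` is the tighter anchor for values that are then written to `/var/ipcop/ipsec/config`. The `if` block starts inside the hunk; the `ADVANCED_END` label it jumps to lies outside it.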
@@ -1531,12 +1573,14 @@
$checked{'IKE_ENCRYPTION'}{'cast128'} = '';
my @temp = split('\|', $cgiparams{'IKE_ENCRYPTION'});
foreach my $key (@temp) {$checked{'IKE_ENCRYPTION'}{$key} = \
"selected='selected'"; }
+
$checked{'IKE_INTEGRITY'}{'sha2_512'} = '';
$checked{'IKE_INTEGRITY'}{'sha2_256'} = '';
$checked{'IKE_INTEGRITY'}{'sha'} = '';
$checked{'IKE_INTEGRITY'}{'md5'} = '';
@temp = split('\|', $cgiparams{'IKE_INTEGRITY'});
foreach my $key (@temp) {$checked{'IKE_INTEGRITY'}{$key} = \
"selected='selected'"; }
+
$checked{'IKE_GROUPTYPE'}{'768'} = '';
$checked{'IKE_GROUPTYPE'}{'1024'} = '';
$checked{'IKE_GROUPTYPE'}{'1536'} = '';
@@ -1547,6 +1591,7 @@
$checked{'IKE_GROUPTYPE'}{'8192'} = '';
@temp = split('\|', $cgiparams{'IKE_GROUPTYPE'});
foreach my $key (@temp) {$checked{'IKE_GROUPTYPE'}{$key} = \
"selected='selected'"; }
+
$checked{'ESP_ENCRYPTION'}{'aes256'} = '';
$checked{'ESP_ENCRYPTION'}{'aes128'} = '';
$checked{'ESP_ENCRYPTION'}{'3des'} = '';
@@ -1558,12 +1603,14 @@
$checked{'ESP_ENCRYPTION'}{'blowfish128'} = '';
@temp = split('\|', $cgiparams{'ESP_ENCRYPTION'});
foreach my $key (@temp) {$checked{'ESP_ENCRYPTION'}{$key} = \
"selected='selected'"; }
+
$checked{'ESP_INTEGRITY'}{'sha2_512'} = '';
$checked{'ESP_INTEGRITY'}{'sha2_256'} = '';
$checked{'ESP_INTEGRITY'}{'sha1'} = '';
$checked{'ESP_INTEGRITY'}{'md5'} = '';
@temp = split('\|', $cgiparams{'ESP_INTEGRITY'});
foreach my $key (@temp) {$checked{'ESP_INTEGRITY'}{$key} = \
"selected='selected'"; }
+
$checked{'ESP_GROUPTYPE'}{'modp768'} = '';
$checked{'ESP_GROUPTYPE'}{'modp1024'} = '';
$checked{'ESP_GROUPTYPE'}{'modp1536'} = '';
@@ -1583,15 +1630,15 @@
&Header::openbigbox('100%', 'left', '', $errormessage);
if ($errormessage) {
- &Header::openbox('100%', 'left', "$Lang::tr{'error messages'}:", 'error');
- print "<font class='base'>$errormessage </font>";
- &Header::closebox();
+ &Header::openbox('100%', 'left', "$Lang::tr{'error messages'}:", 'error');
+ print "<font class='base'>$errormessage </font>";
+ &Header::closebox();
}
if ($warnmessage) {
- &Header::openbox('100%', 'left', $Lang::tr{'warning messages'}, 'warning');
- print "<font class='base'>$errormessage </font>";
- &Header::closebox();
+ &Header::openbox('100%', 'left', $Lang::tr{'warning messages'}, 'warning');
+ print "<font class='base'>$warnmessage </font>";
+ &Header::closebox();
}
&Header::openbox('100%', 'left', "$Lang::tr{'advanced'}:", $error_advanced);
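Review bot: The warning box title on the new side, `$Lang::tr{'warning messages'}`, lacks the trailing colon that the error box beside it (`"$Lang::tr{'error messages'}:"`) and the other warning boxes added in this commit use; one form should be used throughout, e.g. `&Header::openbox('100%', 'left', "$Lang::tr{'warning messages'}:", 'warning');`. These lines were only re-indented, so the point is purely cosmetic.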
@@ -1692,14 +1739,16 @@
END
;
if ($confighash{$cgiparams{'KEY'}}[3] eq 'net') {
- print "<tr><td><input type='hidden' name='VHOST' value='off' /></td></tr>";
- } elsif ($confighash{$cgiparams{'KEY'}}[10]) {
- print "<tr><td colspan='5'><input type='checkbox' name='VHOST' $checked{'VHOST'} \
disabled='disabled' />";
- print " $Lang::tr{'vpn vhost'}</td></tr>";
- } else {
- print "<tr><td colspan='5'><input type='checkbox' name='VHOST' $checked{'VHOST'} \
/>";
- print " $Lang::tr{'vpn vhost'}</td></tr>";
+ print "<tr><td><input type='hidden' name='VHOST' value='off' /></td></tr>";
}
+ elsif ($confighash{$cgiparams{'KEY'}}[10]) {
+ print "<tr><td colspan='5'><input type='checkbox' name='VHOST' \
$checked{'VHOST'} disabled='disabled' />";
+ print " $Lang::tr{'vpn \
vhost'}</td></tr>";
+ }
+ else {
+ print "<tr><td colspan='5'><input type='checkbox' name='VHOST' \
$checked{'VHOST'} />";
+ print " $Lang::tr{'vpn vhost'}</td></tr>";
+ }
print <<END
</table>
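Review bot: The reflowed checkbox lines interpolate `$checked{'VHOST'}` as a plain scalar, whereas every other field in this file uses the two-level form `$checked{NAME}{VALUE}` (for example `$checked{'IKE_ENCRYPTION'}{'aes256'}` earlier in the commit); if `%checked` is a hash of hashes, this prints a hash-reference string rather than `checked='checked'`. Worth confirming against where `$checked{'VHOST'}` is assigned, which is outside this hunk; if it is nested, the line should read `... name='VHOST' $checked{'VHOST'}{'on'} />`. The heredoc that this `if` follows begins outside the hunk.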
@@ -1780,6 +1829,12 @@
&Header::closebox();
}
+if ($warnmessage) {
+ &Header::openbox('100%', 'left', "$Lang::tr{'warning messages'}:", 'warning');
+ print "<font class='base'>$warnmessage </font>";
+ &Header::closebox();
+}
+
&Header::openbox('100%', 'left', $Lang::tr{'global settings'}, $error_global);
print <<END
<form method='post' action='$ENV{'SCRIPT_NAME'}'><table width='100%'>
@@ -1872,22 +1927,13 @@
my $id = 0;
my $gif;
-sub SortConfigHashByTunnelName
-{
- if ($confighash{$a}[1] lt $confighash{$b}[1]) {
- return -1;
- }
- elsif ($confighash{$a}[1] gt $confighash{$b}[1]) {
- return 1;
- }
+foreach my $key (sort SortConfigHashByTunnelName (keys(%confighash))) {
+ if ($confighash{$key}[0] eq 'on') {
+ $gif = 'on.gif'; }
else {
- return 0;
+ $gif = 'off.gif';
}
-}
-foreach my $key (sort SortConfigHashByTunnelName (keys(%confighash))) {
- if ($confighash{$key}[0] eq 'on') { $gif = 'on.gif'; } else { $gif = 'off.gif'; \
}
-
my $tid = ($id % 2) + 1;
print "<tr class='table${tid}colour'>";
print "<td align='center' nowrap='nowrap'>$confighash{$key}[1]</td>";
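Review bot: The new `if` branch closes its brace on the statement line, `$gif = 'on.gif'; }`, while the `else` branch is laid out over three lines, which reads as a stray brace at first glance. A single ternary, `my $gif = $confighash{$key}[0] eq 'on' ? 'on.gif' : 'off.gif';`, expresses the same choice and would let the `my $gif;` declaration above move into the loop. The enclosing `foreach` runs past the end of the hunk.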
@@ -1958,6 +2004,7 @@
else {
print "<td width='2%'> </td>";
}
+
if ($confighash{$key}[4] eq 'cert' && -f \
"/var/ipcop/certs/$confighash{$key}[1].p12") { print <<END
<td align='center'>
@@ -1985,6 +2032,7 @@
else {
print "<td width='2%'> </td>";
}
+
print <<END
<td align='center'>
<form method='post' action='$ENV{'SCRIPT_NAME'}'>
@@ -2061,3 +2109,18 @@
&Header::closebigbox();
&Header::closepage();
+
+
+
+sub SortConfigHashByTunnelName
+{
+ if ($confighash{$a}[1] lt $confighash{$b}[1]) {
+ return -1;
+ }
+ elsif ($confighash{$a}[1] gt $confighash{$b}[1]) {
+ return 1;
+ }
+ else {
+ return 0;
+ }
+}
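Review bot: The comparator body is `cmp` spelled out; `return $confighash{$a}[1] cmp $confighash{$b}[1];` gives the same ordering in one line. The sub also reads `%confighash`, presumably a file-scoped lexical declared near the top of the script, and is now defined after the `&Header::closepage()` call; that works for `sort SortConfigHashByTunnelName` because the name is resolved at run time, but a one-line comment above the sub noting that it must stay below the `%confighash` declaration would save the next maintainer a surprise.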