From 03fa5cba13c77b0a4ee8a1e84bf895af113ecb26 Mon Sep 17 00:00:00 2001
From: Ersan Yildirim
Date: Fri, 9 May 2014 15:01:17 +0200
Subject: [PATCH 01/38] Update Turkish translation of the installer and setup.

---
 langs/tr/install/lang_tr.c | 22 +++++++++++-----------
 1 file changed, 11 insertions(+), 11 deletions(-)

diff --git a/langs/tr/install/lang_tr.c b/langs/tr/install/lang_tr.c
index 3131dd14f..814949a84 100644
--- a/langs/tr/install/lang_tr.c
+++ b/langs/tr/install/lang_tr.c
@@ -54,7 +54,7 @@ char *tr_tr[] = {
 /* TR_JOURNAL_EXT3 */
 "Ext3 için günlük oluşturuluyor...",
 /* TR_CHOOSE_NETCARD */
-"Aşağıdaki ara birim için bir ağ kartı seçin - %s.",
+"Aşağıdan şu ara birim için bir ağ kartı seçin - %s",
 /* TR_NETCARDMENU2 */
 "Genişletilmiş Ağ Listesi",
 /* TR_ERROR_INTERFACES */
@@ -132,7 +132,7 @@ char *tr_tr[] = {
 /* TR_DNS_AND_GATEWAY_SETTINGS */
 "DNS ve Ağ Geçidi ayarları",
 /* TR_DNS_AND_GATEWAY_SETTINGS_LONG */
-"DNS ve ağ geçidi bilgilerini girin. Bu ayarlar sadece KIRMIZI arabirim adres ayarlarında Sabit seçenği seçilmişse kullanılır. Eğer KIRMIZI arabirim adres ayarlarında DHCP seçeneğini seçtiyseniz bu alanı boş bırakabilirsiniz.",
+"DNS ve ağ geçidi bilgilerini girin. Bu ayarlar sadece KIRMIZI ara birim adres ayarlarında Statik seçenği seçilmişse kullanılır. Eğer KIRMIZI ara birim adres ayarlarında DHCP seçeneğini seçtiyseniz bu alanı boş bırakabilirsiniz.",
 /* TR_DNS_GATEWAY_WITH_GREEN */
 "Yapılandırmanız KIRMIZI ara birim için ethernet adaptörünü kullanamaz. DNS ve Çevirmeli ağ kullanıcıları için ağ geçidi bilgisi çevirmeli ağda otomatik olarak yapılandırılır.",
 /* TR_DOMAINNAME */
@@ -164,7 +164,7 @@ char *tr_tr[] = {
 /* TR_ENTER_ADDITIONAL_MODULE_PARAMS */
 "Bazı ISDN kartları (özellikle ISA olanlar) IRQ ve GÇ adres bilgilerini ayarlamak için ek modül parametrelerine ihtiyaç duyar.Böyle bir ISDN kartınız varsa burada bu ek parametreleri girin. Örneğin: \"io = 0x280 irq = 9 \". Bunlar kart algılama sırasında kullanılacaktır.",
 /* TR_ENTER_ADMIN_PASSWORD */
-"%s 'admin' kullanıcı parolasını giriniz. Bu, %s web yönetimi sayfalarının kayıtlarına erişebilen kullanıcıdır.",
+"%s 'admin' kullanıcı parolasını girin. Bu, %s web yönetimi sayfalarının kayıtlarına erişebilen kullanıcıdır.",
 /* TR_ENTER_DOMAINNAME */
 "Alan adını girin",
 /* TR_ENTER_HOSTNAME */
@@ -228,7 +228,7 @@ char *tr_tr[] = {
 /* TR_INTERFACE_FAILED_TO_COME_UP */
 "Ara birim yükseltmesi başarısız oldu.",
 /* TR_INVALID_FIELDS */
-"Aşağıdaki alan geçersizdir:\n\n",
+"Aşağıdaki alan geçersiz:\n\n",
 /* TR_INVALID_IO */
 "Girilen GÇ bağlantı noktası detayları geçersiz. ",
 /* TR_INVALID_IRQ */
@@ -354,7 +354,7 @@ char *tr_tr[] = {
 /* TR_PHONENUMBER_CANNOT_BE_EMPTY */
 "Telefon numarası boş olamaz.",
 /* TR_PREPARE_HARDDISK */
-"Sabit disk kurulum programı /dev/sda üzerindeki %s sabit diski hazırlayacak. İlk olarak diskiniz bölümlendirilir ve daha sonra bu bölüme dosya sistemleri oluşturulur.\n\nDİSKTEKİ TÜM VERİLER SİLİNECEKTİR. Kabul ediyor musunuz?",
+"Sabit disk kurulum programı %s üzerindeki sabit diski hazırlayacak. İlk olarak diskiniz bölümlendirilir ve daha sonra bu bölüme dosya sistemleri oluşturulur.\n\nDİSKTEKİ TÜM VERİLER SİLİNECEKTİR. Kabul ediyor musunuz?",
 /* TR_PRESS_OK_TO_REBOOT */
 "Yeniden Başlat",
 /* TR_PRIMARY_DNS */
@@ -428,7 +428,7 @@ char *tr_tr[] = {
 /* TR_SETTING_SETUP_PASSWORD */
 "KALDIRILACAK",
 /* TR_SETUP_FINISHED */
-"Kurulum tamamlandı. Tamam tuşuna basın.",
+"Kurulum tamamlandı. Tamam seçneği ile ilerleyin.",
 /* TR_SETUP_NOT_COMPLETE */
 "Başlangıç kurulumu tamamlanamadı. Şimdi kurulumu tekrar çalıştırarak ayarlarınızın düzgün yapılmış olduğundan emin olun.",
 /* TR_SETUP_PASSWORD */
@@ -444,7 +444,7 @@ char *tr_tr[] = {
 /* TR_START_ADDRESS_CR */
 "Başlangıç adresi\n",
 /* TR_STATIC */
-"Sabit",
+"Statik",
 /* TR_SUGGEST_IO */
 "(öneri %x)",
 /* TR_SUGGEST_IRQ */
@@ -546,7 +546,7 @@ char *tr_tr[] = {
 /* TR_WARNING */
 "UYARI",
 /* TR_WARNING_LONG */
-"Bu IP adresini değiştiriseniz %s makinesi ile uzak oturum bağlantısı kopar ve yeniden IP adresi girmeniz gerekir. Bu riskli bir işlemdir. Bu işlem sırasında bir şeyler ters giderse düzeltmek için makineye fiziksel erişiminiz varsa denemelisiniz.",
+"Bu IP adresini değiştiriseniz %s makinesi ile uzak oturum bağlantısı kopar ve yeniden IP adresi girmeniz gerekir. Bu riskli bir işlemdir. Bu işlem sırasında bir şeyler ters giderse düzeltmek için makineye fiziksel erişiminiz olmalıdır. Makineye fiziksel erişiminiz varsa bu işlemi gerçekleştirin.",
 /* TR_WELCOME */
 "%s kurulum programına hoş geldiniz. Sonraki ekranların herhangi birinde İptal seçeneğini seçtiğinizde bilgisayar yeniden başlatılacaktır.",
 /* TR_YOUR_CONFIGURATION_IS_SINGLE_GREEN_ALREADY_HAS_DRIVER */
@@ -588,9 +588,9 @@ char *tr_tr[] = {
 /* TR_DHCP_FORCE_MTU */
 "DHCP mtu zorla:",
 /* TR_IDENTIFY */
-"Identify",
+"Belirle",
 /* TR_IDENTIFY_SHOULD_BLINK */
-"Selected port should blink now ...",
+"Seçilen bağlantı noktasının şimdi yanıp sönmesi gerekir...",
 /* TR_IDENTIFY_NOT_SUPPORTED */
-"Function is not supported by this port.",
+"İşlev bu bağlantı noktası tarafından desteklenmiyor.",
 };

From 6e8089a94f5cb8b9baafa1afd8dc01d3baa9fd6d Mon Sep 17 00:00:00 2001
From: Michael Tremer
Date: Sat, 10 May 2014 14:25:36 +0200
Subject: [PATCH 02/38] theme: Fix spacing of version string in footer.

---
 html/html/themes/ipfire/include/functions.pl | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/html/html/themes/ipfire/include/functions.pl b/html/html/themes/ipfire/include/functions.pl
index 0c47cd456..63740d42d 100644
--- a/html/html/themes/ipfire/include/functions.pl
+++ b/html/html/themes/ipfire/include/functions.pl
@@ -194,7 +194,7 @@ sub openpagewithoutmenu { sub closepage () { open(FILE, "; - $system_release =~ s/core/Core Update/; + $system_release =~ s/core/Core Update /; close(FILE); print < Date: Sun, 11 May 2014 09:24:04 +0200 Subject: [PATCH 03/38] OpenVPN:Add HMAC, cipher 'n2n' and DH key selection. Fixes and new design. Added HMAC algorithm selection menu for N2N and RW. Added cipher selection menu for N2N connections. Added DH key selection also for existing installations incl. DH key upload possibility. Adjusted the ovpn main WUI design to IPSec WUI. Extend key lenght for CA, cert and control channel with faktor 2. Some code and typo cleanup. Bugfixes for #10317, #10149, #10462, #10463 V.2 New changes: Integrated changes in langs and ovpnmain.cgi until 20.03.2014 2.15-Beta3. ovpn.cnf have now default bits of 2048 instead of 1024. ovpn.cnf default_md works now with sha256 instead of md5. Bugfix: By new installation the auth directive for RWs is faded out #10462 Comment 15. Added error message if the crl should be displayed but no crl is present. v.3 New changes #10462 Comment 20: Updated to core version 77. Deleted manual name award in DH key upload section, name will be given automatically now. Added sha512WithRSAEncryption instead of sha1WithRSAEncryption for "Root Certificate". Added tls-auth support for Roadwarriors. Added crypto engine support for N2N and Roadwarriors. --- config/ovpn/openssl/ovpn.cnf | 92 +-- html/cgi-bin/ovpnmain.cgi | 1235 +++++++++++++++++++++++----------- langs/de/cgi-bin/de.pl | 33 +- langs/en/cgi-bin/en.pl | 33 +- 4 files changed, 943 insertions(+), 450 deletions(-) diff --git a/config/ovpn/openssl/ovpn.cnf b/config/ovpn/openssl/ovpn.cnf index d82c04b90..ab026c109 100644 --- a/config/ovpn/openssl/ovpn.cnf +++ b/config/ovpn/openssl/ovpn.cnf 
@@ -1,46 +1,46 @@ -HOME = . -RANDFILE = /var/ipfire/ovpn/ca/.rnd -oid_section = new_oids +HOME = . +RANDFILE = /var/ipfire/ovpn/ca/.rnd +oid_section = new_oids [ new_oids ] [ ca ] -default_ca = openvpn +default_ca = openvpn [ openvpn ] -dir = /var/ipfire/ovpn -certs = $dir/certs -crl_dir = $dir/crl -database = $dir/certs/index.txt -new_certs_dir = $dir/certs -certificate = $dir/ca/cacert.pem -serial = $dir/certs/serial -crl = $dir/crl.pem -private_key = $dir/ca/cakey.pem -RANDFILE = $dir/ca/.rand -x509_extensions = usr_cert -default_days = 999999 -default_crl_days= 30 -default_md = md5 -preserve = no -policy = policy_match -email_in_dn = no +dir = /var/ipfire/ovpn +certs = $dir/certs +crl_dir = $dir/crl +database = $dir/certs/index.txt +new_certs_dir = $dir/certs +certificate = $dir/ca/cacert.pem +serial = $dir/certs/serial +crl = $dir/crl.pem +private_key = $dir/ca/cakey.pem +RANDFILE = $dir/ca/.rand +x509_extensions = usr_cert +default_days = 999999 +default_crl_days = 30 +default_md = sha256 +preserve = no +policy = policy_match +email_in_dn = no [ policy_match ] -countryName = optional -stateOrProvinceName = optional -organizationName = optional -organizationalUnitName = optional -commonName = supplied -emailAddress = optional +countryName = optional +stateOrProvinceName = optional +organizationName = optional +organizationalUnitName = optional +commonName = supplied +emailAddress = optional [ req ] -default_bits = 1024 -default_keyfile = privkey.pem -distinguished_name = req_distinguished_name -attributes = req_attributes -x509_extensions = v3_ca -string_mask = nombstr +default_bits = 2048 +default_keyfile = privkey.pem +distinguished_name = req_distinguished_name +attributes = req_attributes +x509_extensions = v3_ca +string_mask = nombstr [ req_distinguished_name ] countryName = Country Name (2 letter code) 
@@ -73,31 +73,31 @@ challengePassword_max = 20 unstructuredName = An optional company name [ usr_cert ] -basicConstraints=CA:FALSE +basicConstraints = CA:FALSE nsComment = "OpenSSL Generated Certificate" -subjectKeyIdentifier=hash -authorityKeyIdentifier=keyid,issuer:always +subjectKeyIdentifier = hash +authorityKeyIdentifier = keyid,issuer:always [ server ] # JY ADDED -- Make a cert with nsCertType set to "server" -basicConstraints=CA:FALSE +basicConstraints = CA:FALSE nsCertType = server nsComment = "OpenSSL Generated Server Certificate" -subjectKeyIdentifier=hash -authorityKeyIdentifier=keyid,issuer:always +subjectKeyIdentifier = hash +authorityKeyIdentifier = keyid,issuer:always [ v3_req ] -basicConstraints = CA:FALSE -keyUsage = nonRepudiation, digitalSignature, keyEncipherment +basicConstraints = CA:FALSE +keyUsage = nonRepudiation, digitalSignature, keyEncipherment [ v3_ca ] -subjectKeyIdentifier=hash -authorityKeyIdentifier=keyid:always,issuer:always -basicConstraints = CA:true +subjectKeyIdentifier = hash +authorityKeyIdentifier = keyid:always,issuer:always +basicConstraints = CA:true [ crl_ext ] -authorityKeyIdentifier=keyid:always,issuer:always +authorityKeyIdentifier = keyid:always,issuer:always [ engine ] -default = openssl +default = openssl diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi index 877e09cb1..0c9e73d5b 100644 --- a/html/cgi-bin/ovpnmain.cgi +++ b/html/cgi-bin/ovpnmain.cgi @@ -2,7 +2,7 @@ ############################################################################### # # # IPFire.org - A linux based firewall # -# Copyright (C) 2007-2013 IPFire Team # +# Copyright (C) 2007-2014 IPFire Team # # # # This program is free software: you can redistribute it and/or modify # # it under the terms of the GNU General Public License as published by # 
@@ -19,7 +19,7 @@ # # ############################################################################### ### -# Based on IPFireCore 55 +# Based on IPFireCore 77 ### use CGI; use CGI qw/:standard/; @@ -80,6 +80,8 @@ $cgiparams{'COMPRESSION'} = 'off'; $cgiparams{'ONLY_PROPOSED'} = 'off'; $cgiparams{'ACTION'} = ''; $cgiparams{'CA_NAME'} = ''; +$cgiparams{'DH_NAME'} = 'dh1024.pem'; +$cgiparams{'DHLENGHT'} = ''; $cgiparams{'DHCP_DOMAIN'} = ''; $cgiparams{'DHCP_DNS'} = ''; $cgiparams{'DHCP_WINS'} = ''; @@ -88,6 +90,10 @@ $cgiparams{'DCOMPLZO'} = 'off'; $cgiparams{'MSSFIX'} = ''; $cgiparams{'number'} = ''; $cgiparams{'PMTU_DISCOVERY'} = ''; +$cgiparams{'DCIPHER'} = ''; +$cgiparams{'DAUTH'} = ''; +$cgiparams{'TLSAUTH'} = ''; +$cgiparams{'ENGINES'} = ''; $routes_push_file = "${General::swroot}/ovpn/routes_push"; unless (-e $routes_push_file) { system("touch $routes_push_file"); } unless (-e "${General::swroot}/ovpn/ccd.conf") { system("touch ${General::swroot}/ovpn/ccd.conf"); } @@ -243,10 +249,10 @@ sub writeserverconf { print CONF "ifconfig-pool-persist /var/ipfire/ovpn/ovpn-leases.db 3600\n"; print CONF "client-config-dir /var/ipfire/ovpn/ccd\n"; print CONF "tls-server\n"; - print CONF "ca /var/ipfire/ovpn/ca/cacert.pem\n"; - print CONF "cert /var/ipfire/ovpn/certs/servercert.pem\n"; - print CONF "key /var/ipfire/ovpn/certs/serverkey.pem\n"; - print CONF "dh /var/ipfire/ovpn/ca/dh1024.pem\n"; + print CONF "ca ${General::swroot}/ovpn/ca/cacert.pem\n"; + print CONF "cert ${General::swroot}/ovpn/certs/servercert.pem\n"; + print CONF "key ${General::swroot}/ovpn/certs/serverkey.pem\n"; + print CONF "dh ${General::swroot}/ovpn/ca/$cgiparams{'DH_NAME'}\n"; my @tempovpnsubnet = split("\/",$sovpnsettings{'DOVPN_SUBNET'}); print CONF "server $tempovpnsubnet[0] $tempovpnsubnet[1]\n"; #print CONF "push \"route $netsettings{'GREEN_NETADDRESS'} $netsettings{'GREEN_NETMASK'}\"\n"; 
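Review bot: The new parameter key `DHLENGHT` is misspelled, and because it becomes a form field name and is reused by the DH generation hunks further down, the typo will be awkward to remove once it has shipped in released forms. `$cgiparams{'DHLENGTH'} = '';` costs one rename now across this patch. The same hunk seeds `DH_NAME` with `'dh1024.pem'` although the key length is selectable, so the file name stops describing its content as soon as a different length is chosen.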
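Review bot: `writeserverconf` now takes the dh file name from `$cgiparams{'DH_NAME'}` while every other directive in the function (`DOVPN_SUBNET`, `DCIPHER`, and the new `DAUTH`/`ENGINES`) is read from `%sovpnsettings`, so the path written into the server configuration depends on the current request rather than on the saved settings. A request that does not carry the parameter gets the default assigned at the top of the file, and one that does carry it writes the value into the config unchecked. Persisting the name alongside the other settings and reading `$sovpnsettings{'DH_NAME'}` here, or using a fixed constant since the patch now assigns the name automatically, keeps the function self-contained. The function body continues outside the hunk.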
@@ -313,6 +319,19 @@ sub writeserverconf { print CONF "status-version 1\n"; print CONF "status /var/log/ovpnserver.log 30\n"; print CONF "cipher $sovpnsettings{DCIPHER}\n"; + if ($sovpnsettings{'DAUTH'} eq '') { + print CONF ""; + } else { + print CONF "auth $sovpnsettings{'DAUTH'}\n"; + } + if ($sovpnsettings{'TLSAUTH'} eq 'on') { + print CONF "tls-auth ${General::swroot}/ovpn/ca/ta.key 0\n"; + } + if ($sovpnsettings{ENGINES} eq 'disabled') { + print CONF ""; + } else { + print CONF "engine $sovpnsettings{ENGINES}\n"; + } if ($sovpnsettings{DCOMPLZO} eq 'on') { print CONF "comp-lzo\n"; } @@ -731,6 +750,9 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'save-adv-options'}) { $vpnsettings{'DHCP_WINS'} = $cgiparams{'DHCP_WINS'}; $vpnsettings{'ROUTES_PUSH'} = $cgiparams{'ROUTES_PUSH'}; $vpnsettings{'PMTU_DISCOVERY'} = $cgiparams{'PMTU_DISCOVERY'}; + $vpnsettings{'DAUTH'} = $cgiparams{'DAUTH'}; + $vpnsettings{'TLSAUTH'} = $cgiparams{'TLSAUTH'}; + $vpnsettings{'ENGINES'} = $cgiparams{'ENGINES'}; my @temp=(); if ($cgiparams{'FRAGMENT'} eq '') { @@ -743,12 +765,20 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'save-adv-options'}) { $vpnsettings{'FRAGMENT'} = $cgiparams{'FRAGMENT'}; } } + if ($cgiparams{'MSSFIX'} ne 'on') { delete $vpnsettings{'MSSFIX'}; } else { $vpnsettings{'MSSFIX'} = $cgiparams{'MSSFIX'}; } + # Create ta.key for tls-auth if not presant + if ($cgiparams{'TLSAUTH'} eq 'on') { + if ( ! -e "${General::swroot}/ovpn/ca/ta.key") { + system('/usr/sbin/openvpn', '--genkey', '--secret', "${General::swroot}/ovpn/ca/ta.key") + } + } + if (($cgiparams{'PMTU_DISCOVERY'} eq 'yes') || ($cgiparams{'PMTU_DISCOVERY'} eq 'maybe') || ($cgiparams{'PMTU_DISCOVERY'} eq 'no' )) { 
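Review bot: The `print CONF "";` branches for an empty `DAUTH` and for `ENGINES eq 'disabled'` are no-ops; `if ($sovpnsettings{'DAUTH'} ne '') { print CONF "auth $sovpnsettings{'DAUTH'}\n"; }` says the same without a dead branch, and the same shape recurs in the n2n and client-package hunks (`@@ -925`, `@@ -1014`, `@@ -2051`). Note also that `engine` and `auth` are emitted with whatever string is stored, so anything the save path lets through becomes an OpenVPN directive. `writeserverconf` continues outside the hunk.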
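Review bot: `DAUTH`, `TLSAUTH` and `ENGINES` are copied from `%cgiparams` into `%vpnsettings` without being checked against the values the form offers, and those settings are later printed verbatim into the OpenVPN server and client configurations (`auth $sovpnsettings{'DAUTH'}`, `engine $sovpnsettings{ENGINES}`, `auth $vpnsettings{'DAUTH'}`). A value with an embedded newline or an unexpected algorithm name would therefore become an arbitrary config directive or a server that refuses to start. The fixed lists built for the select boxes in `@@ -2267` (`SHA1`, `SHA256`, `SHA384`, `SHA512`, `whirlpool`; `disabled`, `aesni`, `padlock`, `cryptodev`, `dynamic`; `on`/`off` for `TLSAUTH`) give the allowlist to compare against, rejecting anything else with `$errormessage` and a jump to the `ADV_ERROR` label this file already has, the way the block below constrains `PMTU_DISCOVERY`. The enclosing `if` block continues outside the hunk.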
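Review bot: The `openvpn --genkey --secret` call has no return check, so if it fails `TLSAUTH` is still saved as `on`, the server config written by `writeserverconf` references a `ta.key` that does not exist, and the client-package hunk (`@@ -2051`) `die`s in `$zip->addFile`. Checking the `system` return (or `$?`) and setting `$errormessage` while leaving `TLSAUTH` off keeps the saved state consistent with what is on disk. The key is a shared secret, so confirming the created file is not group- or world-readable is worth a look as well; using the list form of `system` here is the right choice. The comment above it reads `presant`, should be `present`.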
@@ -925,9 +955,21 @@ unless(-d "${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}"){mkdir "${General print SERVERCONF "ca ${General::swroot}/ovpn/ca/cacert.pem\n"; print SERVERCONF "cert ${General::swroot}/ovpn/certs/servercert.pem\n"; print SERVERCONF "key ${General::swroot}/ovpn/certs/serverkey.pem\n"; - print SERVERCONF "dh ${General::swroot}/ovpn/ca/dh1024.pem\n"; + print SERVERCONF "dh ${General::swroot}/ovpn/ca/$cgiparams{'DH_NAME'}\n"; print SERVERCONF "# Cipher\n"; - print SERVERCONF "cipher AES-256-CBC\n"; + print SERVERCONF "cipher $cgiparams{'DCIPHER'}\n"; + if ($cgiparams{'DAUTH'} eq '') { + print SERVERCONF "auth SHA1\n"; + } else { + print SERVERCONF "# HMAC algorithm\n"; + print SERVERCONF "auth $cgiparams{'DAUTH'}\n"; + } + if ($cgiparams{'ENGINES'} eq 'disabled') { + print SERVERCONF ""; + } else { + print SERVERCONF "# Crypto engine\n"; + print SERVERCONF "engine $cgiparams{'ENGINES'}\n"; + } if ($cgiparams{'COMPLZO'} eq 'on') { print SERVERCONF "# Enable Compression\n"; print SERVERCONF "comp-lzo\r\n"; @@ -1014,8 +1056,20 @@ unless(-d "${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}"){mkdir "${General print CLIENTCONF "# Auth. Client\n"; print CLIENTCONF "tls-client\n"; print CLIENTCONF "# Cipher\n"; - print CLIENTCONF "cipher AES-256-CBC\n"; + print CLIENTCONF "cipher $cgiparams{'DCIPHER'}\n"; print CLIENTCONF "pkcs12 ${General::swroot}/ovpn/certs/$cgiparams{'NAME'}.p12\r\n"; + if ($cgiparams{'DAUTH'} eq '') { + print CLIENTCONF "auth SHA1\n"; + } else { + print CLIENTCONF "# HMAC algorithm\n"; + print CLIENTCONF "auth $cgiparams{'DAUTH'}\n"; + } + if ($cgiparams{'ENGINES'} eq 'disabled') { + print CLIENTCONF ""; + } else { + print CLIENTCONF "# Crypto engine\n"; + print CLIENTCONF "engine $cgiparams{'ENGINES'}\n"; + } if ($cgiparams{'COMPLZO'} eq 'on') { print CLIENTCONF "# Enable Compression\n"; print CLIENTCONF "comp-lzo\r\n"; 
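Review bot: `cipher $cgiparams{'DCIPHER'}` is written straight from the request with no default, whereas `auth` directly below it falls back to `SHA1` when the parameter is empty; an empty or unknown `DCIPHER` yields a `cipher` line OpenVPN will reject, and the client side written in `@@ -1014` repeats the same pattern. Validating `DCIPHER` against the ciphers the n2n form offers (or at minimum `ne ''`) before both writes, and sharing one fallback for server and client, keeps the two generated configs consistent. The `print SERVERCONF "";` branch for `ENGINES eq 'disabled'` is a no-op and reads more plainly as `if ($cgiparams{'ENGINES'} ne 'disabled') { ... }`. Both hunks sit inside a larger block whose start and end are outside them.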
@@ -1114,11 +1168,6 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'save'} && $cgiparams{'TYPE'} eq '' && $cg $errormessage = $Lang::tr{'invalid port'}; goto SETTINGS_ERROR; } - - if ($cgiparams{'DDEST_PORT'} <= 1023) { - $errormessage = $Lang::tr{'ovpn port in root range'}; - goto SETTINGS_ERROR; - } $vpnsettings{'ENABLED_BLUE'} = $cgiparams{'ENABLED_BLUE'}; $vpnsettings{'ENABLED_ORANGE'} =$cgiparams{'ENABLED_ORANGE'}; @@ -1144,7 +1193,7 @@ SETTINGS_ERROR: ### ### Reset all step 2 ### -}elsif ($cgiparams{'ACTION'} eq $Lang::tr{'reset'} && $cgiparams{'AREUSURE'} eq 'yes') { +}elsif ($cgiparams{'ACTION'} eq $Lang::tr{'remove x509'} && $cgiparams{'AREUSURE'} eq 'yes') { my $file = ''; &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash); 
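Review bot: Removing the `DDEST_PORT <= 1023` check lets the OpenVPN server be bound to a privileged port, including the ports the firewall's own services listen on; the old error `ovpn port in root range` was the only thing in this path preventing such a collision. If low ports are intentionally allowed now, a replacement check that rejects ports already used by local services, or a comment stating why the restriction was dropped, would make the intent visible to the next reader. The enclosing `if` block begins and ends outside the hunk.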
@@ -1154,37 +1203,67 @@ SETTINGS_ERROR: } } while ($file = glob("${General::swroot}/ovpn/ca/*")) { - unlink $file + unlink $file; } while ($file = glob("${General::swroot}/ovpn/certs/*")) { - unlink $file + unlink $file; } while ($file = glob("${General::swroot}/ovpn/crls/*")) { - unlink $file + unlink $file; } &cleanssldatabase(); if (open(FILE, ">${General::swroot}/ovpn/caconfig")) { print FILE ""; close FILE; } - &General::writehasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash); + if (open(FILE, ">${General::swroot}/ovpn/ccdroute")) { + print FILE ""; + close FILE; + } + if (open(FILE, ">${General::swroot}/ovpn/ccdroute2")) { + print FILE ""; + close FILE; + } + while ($file = glob("${General::swroot}/ovpn/ccd/*")) { + unlink $file + } + if (open(FILE, ">${General::swroot}/ovpn/ovpn-leases.db")) { + print FILE ""; + close FILE; + } + if (open(FILE, ">${General::swroot}/ovpn/ovpnconfig")) { + print FILE ""; + close FILE; + } + while ($file = glob("${General::swroot}/ovpn/n2nconf/*")) { + system ("rm -rf $file"); + } + #&writeserverconf(); ### ### Reset all step 1 ### -}elsif ($cgiparams{'ACTION'} eq $Lang::tr{'reset'}) { +}elsif ($cgiparams{'ACTION'} eq $Lang::tr{'remove x509'}) { &Header::showhttpheaders(); - &Header::openpage($Lang::tr{'vpn configuration main'}, 1, ''); - &Header::openbigbox('100%', 'LEFT', '', ''); - &Header::openbox('100%', 'LEFT', $Lang::tr{'are you sure'}); - print <
- - $Lang::tr{'capswarning'}: - $Lang::tr{'resetting the vpn configuration will remove the root ca, the host certificate and all certificate based connections'} - - -
+ &Header::openpage($Lang::tr{'ovpn'}, 1, ''); + &Header::openbigbox('100%', 'left', '', ''); + &Header::openbox('100%', 'left', $Lang::tr{'are you sure'}); + print < + + + + + + + +
+ + $Lang::tr{'capswarning'}: + $Lang::tr{'resetting the vpn configuration will remove the root ca, the host certificate and all certificate based connections'}
+
+ + END ; &Header::closebox(); @@ -1192,6 +1271,104 @@ END &Header::closepage(); exit (0); +### +### Generate DH key step 2 +### +} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'generate dh key'} && $cgiparams{'AREUSURE'} eq 'yes') { + # Delete if old key exists + if (-f "${General::swroot}/ovpn/ca/$cgiparams{'DH_NAME'}") { + unlink "${General::swroot}/ovpn/ca/$cgiparams{'DH_NAME'}"; + } + # Create Diffie Hellmann Parameter + system('/usr/bin/openssl', 'dhparam', '-rand', '/proc/interrupts:/proc/net/rt_cache', + '-out', "${General::swroot}/ovpn/ca/dh1024.pem", "$cgiparams{'DHLENGHT'}"); + if ($?) { + $errormessage = "$Lang::tr{'openssl produced an error'}: $?"; + unlink ("${General::swroot}/ovpn/ca/dh1024.pem"); + } + +### +### Generate DH key step 1 +### +} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'generate dh key'}) { + &Header::showhttpheaders(); + &Header::openpage($Lang::tr{'ovpn'}, 1, ''); + &Header::openbigbox('100%', 'LEFT', '', ''); + &Header::openbox('100%', 'LEFT', "$Lang::tr{'gen dh'}:"); + print < + + + + + $Lang::tr{'ovpn dh'}: + +
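Review bot: `system ("rm -rf $file");` routes the path through a shell, unlike the `unlink` loops above it; `$file` comes from a glob of the `n2nconf` directory, so the names are whatever earlier code created there, and a name containing shell metacharacters would be interpreted rather than removed. `system('rm', '-rf', $file);` (or `File::Path::rmtree($file)` if that module is already loaded) removes the shell from the picture with no change in behaviour. The commented-out `#&writeserverconf();` should be either restored or deleted rather than left behind. The `elsif` branch this sits in starts before the hunk.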
+ + + + +
+ + + + $Lang::tr{'capswarning'}: $Lang::tr{'dh key warn'} + + + + + + + + + +
$Lang::tr{'dh key warn1'}

+ +END + ; + &Header::closebox(); + print ""; + &Header::closebigbox(); + &Header::closepage(); + exit (0); + +### +### Upload DH key +### +} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'upload dh key'}) { + if (ref ($cgiparams{'FH'}) ne 'Fh') { + $errormessage = $Lang::tr{'there was no file upload'}; + goto UPLOADCA_ERROR; + } + # Move uploaded dh key to a temporary file + (my $fh, my $filename) = tempfile( ); + if (copy ($cgiparams{'FH'}, $fh) != 1) { + $errormessage = $!; + goto UPLOADCA_ERROR; + } + my $temp = `/usr/bin/openssl dhparam -text -in $filename`; + if ($temp !~ /DH Parameters: \((1024|2048|3072|4096) bit\)/) { + $errormessage = $Lang::tr{'not a valid dh key'}; + unlink ($filename); + goto UPLOADCA_ERROR; + } else { + # Delete if old key exists + if (-f "${General::swroot}/ovpn/ca/$cgiparams{'DH_NAME'}") { + unlink "${General::swroot}/ovpn/ca/$cgiparams{'DH_NAME'}"; + } + move($filename, "${General::swroot}/ovpn/ca/$cgiparams{'DH_NAME'}"); + if ($? ne 0) { + $errormessage = "$Lang::tr{'dh key move failed'}: $!"; + unlink ($filename); + goto UPLOADCA_ERROR; + } + } + ### ### Upload CA Certificate ### @@ -1268,7 +1445,7 @@ END if ( -f "${General::swroot}/ovpn/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem") { &Header::showhttpheaders(); - &Header::openpage($Lang::tr{'vpn configuration main'}, 1, ''); + &Header::openpage($Lang::tr{'ovpn'}, 1, ''); &Header::openbigbox('100%', 'LEFT', '', $errormessage); &Header::openbox('100%', 'LEFT', "$Lang::tr{'ca certificate'}:"); my $output = `/usr/bin/openssl x509 -text -in ${General::swroot}/ovpn/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem`; @@ -1345,10 +1522,10 @@ END } if ($assignedcerts) { &Header::showhttpheaders(); - &Header::openpage($Lang::tr{'vpn configuration main'}, 1, ''); + &Header::openpage($Lang::tr{'ovpn'}, 1, ''); &Header::openbigbox('100%', 'LEFT', '', $errormessage); &Header::openbox('100%', 'LEFT', $Lang::tr{'are you sure'}); - print <
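Review bot: In the DH upload branch the `if ($? ne 0)` after `move(...)` tests the exit status of the earlier backtick `openssl dhparam` call, not the outcome of `move`, which reports failure through its return value, so a failed move goes unnoticed and the uploaded key is silently lost; `unless (move($filename, "${General::swroot}/ovpn/ca/$cgiparams{'DH_NAME'}")) { $errormessage = "$Lang::tr{'dh key move failed'}: $!"; unlink ($filename); goto UPLOADCA_ERROR; }` checks the right thing. The target of both `unlink` and `move` is built from `$cgiparams{'DH_NAME'}`; if that hash is populated from the request by the CGI parser (not in view), the name should be pinned to a constant or restricted to a plain file name before it is joined to the `ca/` path. The generate branch deletes `$cgiparams{'DH_NAME'}` but writes `dh1024.pem`, so the two should be the same variable. `DHLENGHT` is handed to `openssl dhparam` unvalidated here and again in `@@ -1729`, while the upload branch already carries the accepted set `(1024|2048|3072|4096)` that both could reuse. Generating a 4096-bit group inside a CGI request can also outlive the web server's timeout, which the page does not mention.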
@@ -1380,7 +1557,7 @@ END $cgiparams{'ACTION'} eq $Lang::tr{'show host certificate'}) { my $output; &Header::showhttpheaders(); - &Header::openpage($Lang::tr{'vpn configuration main'}, 1, ''); + &Header::openpage($Lang::tr{'ovpn'}, 1, ''); &Header::openbigbox('100%', 'LEFT', '', ''); if ($cgiparams{'ACTION'} eq $Lang::tr{'show root certificate'}) { &Header::openbox('100%', 'LEFT', "$Lang::tr{'root certificate'}:"); @@ -1646,7 +1823,7 @@ END } } else { # child unless (exec ('/usr/bin/openssl', 'req', '-x509', '-nodes', '-rand', '/proc/interrupts:/proc/net/rt_cache', - '-days', '999999', '-newkey', 'rsa:2048', + '-days', '999999', '-newkey', 'rsa:4096', '-sha512', '-keyout', "${General::swroot}/ovpn/ca/cakey.pem", '-out', "${General::swroot}/ovpn/ca/cacert.pem", '-config',"${General::swroot}/ovpn/openssl/ovpn.cnf")) { @@ -1677,7 +1854,7 @@ END } } else { # child unless (exec ('/usr/bin/openssl', 'req', '-nodes', '-rand', '/proc/interrupts:/proc/net/rt_cache', - '-newkey', 'rsa:1024', + '-newkey', 'rsa:2048', '-keyout', "${General::swroot}/ovpn/certs/serverkey.pem", '-out', "${General::swroot}/ovpn/certs/serverreq.pem", '-extensions', 'server', @@ -1729,8 +1906,7 @@ END } # Create Diffie Hellmann Parameter system('/usr/bin/openssl', 'dhparam', '-rand', '/proc/interrupts:/proc/net/rt_cache', - '-out', "${General::swroot}/ovpn/ca/dh1024.pem", - '1024' ); + '-out', "${General::swroot}/ovpn/ca/dh1024.pem", "$cgiparams{'DHLENGHT'}"); if ($?) { $errormessage = "$Lang::tr{'openssl produced an error'}: $?"; unlink ("${General::swroot}/ovpn/certs/serverkey.pem"); @@ -1748,7 +1924,7 @@ END ROOTCERT_ERROR: if ($cgiparams{'ACTION'} ne '') { &Header::showhttpheaders(); - &Header::openpage($Lang::tr{'vpn configuration main'}, 1, ''); + &Header::openpage($Lang::tr{'ovpn'}, 1, ''); &Header::openbigbox('100%', 'LEFT', '', ''); if ($errormessage) { &Header::openbox('100%', 'LEFT', $Lang::tr{'error messages'}); 
@@ -1757,7 +1933,7 @@ END &Header::closebox(); } &Header::openbox('100%', 'LEFT', "$Lang::tr{'generate root/host certificates'}:"); - print < @@ -1790,19 +1966,38 @@ END } print ">$country"; } - print < - + + + + - - + +
$Lang::tr{'organization name'}: 
$Lang::tr{'ovpn dh'}: +
    
* $Lang::tr{'this field may be blank'}
- $Lang::tr{'capswarning'}: - $Lang::tr{'generating the root and host certificates may take a long time. it can take up to several minutes on older hardware. please be patient'} -

+ + $Lang::tr{'capswarning'}: $Lang::tr{'ovpn generating the root and host certificates'} + + + + + + + +
$Lang::tr{'dh key warn'}
$Lang::tr{'dh key warn1'}

+ + + @@ -1818,7 +2013,7 @@ END END ; &Header::closebox(); - + print ""; &Header::closebigbox(); &Header::closepage(); exit(0) @@ -1950,13 +2145,20 @@ if ($confighash{$cgiparams{'KEY'}}[3] eq 'net'){ print CLIENTCONF "ns-cert-type server\n"; print CLIENTCONF "# Auth. Client\n"; print CLIENTCONF "tls-client\n"; - print CLIENTCONF "# Cipher\n"; - print CLIENTCONF "cipher AES-256-CBC\n"; + print CLIENTCONF "# Cipher\n"; + print CLIENTCONF "cipher $confighash{$cgiparams{'KEY'}}[40]\n"; if ($confighash{$cgiparams{'KEY'}}[4] eq 'cert' && -f "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12") { print CLIENTCONF "pkcs12 ${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12\r\n"; $zip->addFile( "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12", "$confighash{$cgiparams{'KEY'}}[1].p12") or die "Can't add file $confighash{$cgiparams{'KEY'}}[1].p12\n"; - } - if ($confighash{$cgiparams{'KEY'}}[30] eq 'on') { + } + if ($confighash{$cgiparams{'KEY'}}[39] eq '') { + print CLIENTCONF "# HMAC algorithm\n"; + print CLIENTCONF "auth SHA1\n"; + } else { + print CLIENTCONF "# HMAC algorithm\n"; + print CLIENTCONF "auth $confighash{$cgiparams{'KEY'}}[39]\n"; + } + if ($confighash{$cgiparams{'KEY'}}[30] eq 'on') { print CLIENTCONF "# Enable Compression\n"; print CLIENTCONF "comp-lzo\r\n"; } 
@@ -2051,6 +2253,15 @@ else $zip->addFile( "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem", "$confighash{$cgiparams{'KEY'}}[1]cert.pem") or die "Can't add file $confighash{$cgiparams{'KEY'}}[1]cert.pem\n"; } print CLIENTCONF "cipher $vpnsettings{DCIPHER}\r\n"; + if ($vpnsettings{'DAUTH'} eq '') { + print CLIENTCONF ""; + } else { + print CLIENTCONF "auth $vpnsettings{'DAUTH'}\r\n"; + } + if ($vpnsettings{'TLSAUTH'} eq 'on') { + print CLIENTCONF "tls-auth ta.key 1\r\n"; + $zip->addFile( "${General::swroot}/ovpn/ca/ta.key", "ta.key") or die "Can't add file ta.key\n"; + } if ($vpnsettings{DCOMPLZO} eq 'on') { print CLIENTCONF "comp-lzo\r\n"; } @@ -2180,7 +2391,7 @@ if ($confighash{$cgiparams{'KEY'}}[3] eq 'net') { if ( -f "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem") { &Header::showhttpheaders(); - &Header::openpage($Lang::tr{'vpn configuration main'}, 1, ''); + &Header::openpage($Lang::tr{'ovpn'}, 1, ''); &Header::openbigbox('100%', 'LEFT', '', ''); &Header::openbox('100%', 'LEFT', "$Lang::tr{'certificate'}:"); my $output = `/usr/bin/openssl x509 -text -in ${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem`; @@ -2192,15 +2403,40 @@ if ($confighash{$cgiparams{'KEY'}}[3] eq 'net') { &Header::closepage(); exit(0); } + +### +### Display Diffie-Hellman key +### +} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'show dh'}) { + + if (! -e "${General::swroot}/ovpn/ca/dh1024.pem") { + $errormessage = $Lang::tr{'not present'}; + } else { + &Header::showhttpheaders(); + &Header::openpage($Lang::tr{'ovpn'}, 1, ''); + &Header::openbigbox('100%', 'LEFT', '', ''); + &Header::openbox('100%', 'LEFT', "$Lang::tr{'dh'}:"); + my $output = `/usr/bin/openssl dhparam -text -in ${General::swroot}/ovpn/ca/dh1024.pem`; + $output = &Header::cleanhtml($output,"y"); + print "
$output
\n"; + &Header::closebox(); + print ""; + &Header::closebigbox(); + &Header::closepage(); + exit(0); + } + ### ### Display Certificate Revoke List ### } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'show crl'}) { # &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash); - if ( -f "${General::swroot}/ovpn/crls/cacrl.pem") { + if (! -e "${General::swroot}/ovpn/crls/cacrl.pem") { + $errormessage = $Lang::tr{'not present'}; + } else { &Header::showhttpheaders(); - &Header::openpage($Lang::tr{'vpn configuration main'}, 1, ''); + &Header::openpage($Lang::tr{'ovpn'}, 1, ''); &Header::openbigbox('100%', 'LEFT', '', ''); &Header::openbox('100%', 'LEFT', "$Lang::tr{'crl'}:"); my $output = `/usr/bin/openssl crl -text -noout -in ${General::swroot}/ovpn/crls/cacrl.pem`; @@ -2245,17 +2481,26 @@ ADV_ERROR: if ($cgiparams{'PMTU_DISCOVERY'} eq '') { $cgiparams{'PMTU_DISCOVERY'} = 'off'; } + if ($cgiparams{'DAUTH'} eq '') { + $cgiparams{'DAUTH'} = 'SHA1'; + } + if ($cgiparams{'ENGINES'} eq '') { + $cgiparams{'ENGINES'} = 'disabled'; + } + if ($cgiparams{'TLSAUTH'} eq '') { + $cgiparams{'TLSAUTH'} = 'off'; + } $checked{'CLIENT2CLIENT'}{'off'} = ''; $checked{'CLIENT2CLIENT'}{'on'} = ''; $checked{'CLIENT2CLIENT'}{$cgiparams{'CLIENT2CLIENT'}} = 'CHECKED'; $checked{'REDIRECT_GW_DEF1'}{'off'} = ''; $checked{'REDIRECT_GW_DEF1'}{'on'} = ''; $checked{'REDIRECT_GW_DEF1'}{$cgiparams{'REDIRECT_GW_DEF1'}} = 'CHECKED'; - $selected{'ENGINES'}{$cgiparams{'ENGINES'}} = 'SELECTED'; $checked{'MSSFIX'}{'off'} = ''; $checked{'MSSFIX'}{'on'} = ''; $checked{'MSSFIX'}{$cgiparams{'MSSFIX'}} = 'CHECKED'; $checked{'PMTU_DISCOVERY'}{$cgiparams{'PMTU_DISCOVERY'}} = 'checked=\'checked\''; + $selected{'LOG_VERB'}{'0'} = ''; $selected{'LOG_VERB'}{'1'} = ''; $selected{'LOG_VERB'}{'2'} = ''; $selected{'LOG_VERB'}{'3'} = ''; 
@@ -2267,8 +2512,22 @@ ADV_ERROR: $selected{'LOG_VERB'}{'9'} = ''; $selected{'LOG_VERB'}{'10'} = ''; $selected{'LOG_VERB'}{'11'} = ''; - $selected{'LOG_VERB'}{'0'} = ''; $selected{'LOG_VERB'}{$cgiparams{'LOG_VERB'}} = 'SELECTED'; + $selected{'DAUTH'}{'whirlpool'} = ''; + $selected{'DAUTH'}{'SHA512'} = ''; + $selected{'DAUTH'}{'SHA384'} = ''; + $selected{'DAUTH'}{'SHA256'} = ''; + $selected{'DAUTH'}{'SHA1'} = ''; + $selected{'DAUTH'}{$cgiparams{'DAUTH'}} = 'SELECTED'; + $checked{'TLSAUTH'}{'off'} = ''; + $checked{'TLSAUTH'}{'on'} = ''; + $checked{'TLSAUTH'}{$cgiparams{'TLSAUTH'}} = 'CHECKED'; + $selected{'ENGINES'}{'cryptodev'} = ''; + $selected{'ENGINES'}{'dynamic'} = ''; + $selected{'ENGINES'}{'aesni'} = ''; + $selected{'ENGINES'}{'padlock'} = ''; + $selected{'ENGINES'}{'disabled'} = ''; + $selected{'ENGINES'}{$cgiparams{'ENGINES'}} = 'SELECTED'; &Header::showhttpheaders(); &Header::openpage($Lang::tr{'status ovpn'}, 1, ''); @@ -2280,7 +2539,7 @@ ADV_ERROR: &Header::closebox(); } &Header::openbox('100%', 'LEFT', $Lang::tr{'advanced server'}); - print <

$Lang::tr{'upload p12 file'}:  
@@ -2350,12 +2609,11 @@ print < - - + @@ -2367,53 +2625,84 @@ print <
fragment
$Lang::tr{'openvpn default'}: 1300
mssfix $Lang::tr{'openvpn default'}: on$Lang::tr{'openvpn default'}: off
-
- + + + + + +
$Lang::tr{'log-options'}
VERB
+ +
+ + + + + + - - - -
$Lang::tr{'ovpn crypt options'}
VERB

+ $Lang::tr{'ovpn ha'} + + + Default: SHA1 (160 $Lang::tr{'bit'}) + + + $Lang::tr{'ovpn engines'} + + + Default: $Lang::tr{'disabled'} + + + + + + + + + + + + +
HMAC tls-auth

+ + END if ( -e "/var/run/openvpn.pid"){ print"
$Lang::tr{'attention'}:
$Lang::tr{'server restart'}


"; - print<   @@ -2429,7 +2718,7 @@ END }else{ -print<   @@ -2484,7 +2773,7 @@ if ($cgiparams{'ACTION'} eq "edit"){ &Header::openbox('100%', 'LEFT', $Lang::tr{'ccd modify'}); - print < $Lang::tr{'ccd name'}: @@ -2498,7 +2787,7 @@ END &Header::closebox(); &Header::openbox('100%', 'LEFT',$Lang::tr{'ccd net'} ); - print < $Lang::tr{'ccd name'}$Lang::tr{'network'}$Lang::tr{'ccd used'} @@ -2508,7 +2797,7 @@ END else{ if (! -e "/var/run/openvpn.pid"){ &Header::openbox('100%', 'LEFT', $Lang::tr{'ccd add'}); - print < $Lang::tr{'ccd hint'}

@@ -2582,7 +2871,7 @@ END # # $Lang::tr{'protocol'} # protocol temp removed - print < $Lang::tr{'common name'} @@ -2661,7 +2950,7 @@ END } print ""; - print < @@ -2770,13 +3059,13 @@ END } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'add'} && $cgiparams{'TYPE'} eq '') { &General::readhash("${General::swroot}/ovpn/settings", \%vpnsettings); &Header::showhttpheaders(); - &Header::openpage($Lang::tr{'vpn configuration main'}, 1, ''); + &Header::openpage($Lang::tr{'ovpn'}, 1, ''); &Header::openbigbox('100%', 'LEFT', '', ''); &Header::openbox('100%', 'LEFT', $Lang::tr{'connection type'}); if ( -s "${General::swroot}/ovpn/settings") { - print <$Lang::tr{'connection type'}:

@@ -2797,7 +3086,7 @@ END } else { - print <$Lang::tr{'connection type'}:
@@ -2809,6 +3098,7 @@ END } &Header::closebox(); + print ""; &Header::closebigbox(); &Header::closepage(); exit (0); @@ -2944,7 +3234,8 @@ END my $complzoactive; my $mssfixactive; my $n2nfragment; -my @n2nmtudisc = split(/ /, (grep { /^mtu-disc/ } @firen2nconf)[0]);; +my $authactive; +my @n2nmtudisc = split(/ /, (grep { /^mtu-disc/ } @firen2nconf)[0]); my @n2nproto2 = split(/ /, (grep { /^proto/ } @firen2nconf)[0]); my @n2nproto = split(/-/, $n2nproto2[1]); my @n2nport = split(/ /, (grep { /^port/ } @firen2nconf)[0]); @@ -2961,7 +3252,9 @@ my @n2novpnsub = split(/\./,$n2novpnsuball[1]); my @n2nremsub = split(/ /, (grep { /^route/ } @firen2nconf)[0]); my @n2nmgmt = split(/ /, (grep { /^management/ } @firen2nconf)[0]); my @n2nlocalsub = split(/ /, (grep { /^# remsub/ } @firen2nconf)[0]); - +my @n2ncipher = split(/ /, (grep { /^cipher/ } @firen2nconf)[0]); +my @n2nauth = split(/ /, (grep { /^auth/ } @firen2nconf)[0]); +my @n2nengine = split(/ /, (grep { /^engine/ } @firen2nconf)[0]);; ### # m.a.d delete CR and LF from arrays for this chomp doesnt work @@ -2980,6 +3273,9 @@ $n2nlocalsub[2] =~ s/\n|\r//g; $n2nfragment[1] =~ s/\n|\r//g; $n2nmgmt[2] =~ s/\n|\r//g; $n2nmtudisc[1] =~ s/\n|\r//g; +$n2ncipher[1] =~ s/\n|\r//g; +$n2nauth[1] =~ s/\n|\r//g; +$n2nengine[1] =~ s/\n|\r//g; chomp ($complzoactive); chomp ($mssfixactive); @@ -3016,7 +3312,7 @@ foreach my $dkey (keys %confighash) { } ### -# Check im Dest Port is vaild +# Check if Dest Port is vaild ### foreach my $dkey (keys %confighash) { @@ -3033,7 +3329,7 @@ foreach my $dkey (keys %confighash) { $key = &General::findhasharraykey (\%confighash); - foreach my $i (0 .. 39) { $confighash{$key}[$i] = "";} + foreach my $i (0 .. 42) { $confighash{$key}[$i] = "";} $confighash{$key}[0] = 'off'; $confighash{$key}[1] = $n2nname[0]; 
@@ -3054,7 +3350,10 @@ foreach my $dkey (keys %confighash) { $confighash{$key}[29] = $n2nport[1]; $confighash{$key}[30] = $complzoactive; $confighash{$key}[31] = $n2ntunmtu[1]; - $confighash{$key}[38] = $n2nmtudisc[1]; + $confighash{$key}[38] = $n2nmtudisc[1]; + $confighash{$key}[39] = $n2nauth[1]; + $confighash{$key}[40] = $n2ncipher[1]; + $confighash{$key}[41] = 'disabled'; &General::writehasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash); @@ -3075,7 +3374,7 @@ foreach my $dkey (keys %confighash) { &Header::openbox('100%', 'LEFT', 'import ipfire net2net config'); } if ($errormessage eq ''){ - print <
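Review bot: `$confighash{$key}[41] = 'disabled';` in the import path does not match the field mapping used when a connection is edited in `@@ -3164`, where index 41 is read as `TLSAUTH` (an on/off value according to the `%checked` table in `@@ -2267`) and index 42 as `ENGINES`; `'disabled'` is the ENGINES default, so this looks like it should be `$confighash{$key}[42] = 'disabled';`, which also matches `@@ -3911`, where `ENGINES` is saved to index 42. In the same lines `$n2nauth[1]` and `$n2ncipher[1]` are stored straight from the uploaded file; checking them against the DAUTH/DCIPHER tables before storing would stop an unsupported name from presumably ending up in the generated server config. The enclosing import block starts outside the hunk.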
$Lang::tr{'host to net vpn'}
@@ -3094,6 +3393,8 @@ foreach my $dkey (keys %confighash) { + +
  
$Lang::tr{'MTU'}$confighash{$key}[31]
$Lang::tr{'ovpn mtu-disc'}$confighash{$key}[38]
Management Port $confighash{$key}[22]
$Lang::tr{'ovpn hmac'}:$confighash{$key}[39]
$Lang::tr{'cipher'}$confighash{$key}[40]
  
END @@ -3111,7 +3412,7 @@ END } &Header::closebigbox(); &Header::closepage(); - exit(0); + exit(0); ## 
@@ -3164,33 +3465,37 @@ if ($confighash{$cgiparams{'KEY'}}) { $errormessage = $Lang::tr{'invalid key'}; goto VPNCONF_END; } - $cgiparams{'ENABLED'} = $confighash{$cgiparams{'KEY'}}[0]; - $cgiparams{'NAME'} = $confighash{$cgiparams{'KEY'}}[1]; - $cgiparams{'TYPE'} = $confighash{$cgiparams{'KEY'}}[3]; - $cgiparams{'AUTH'} = $confighash{$cgiparams{'KEY'}}[4]; - $cgiparams{'PSK'} = $confighash{$cgiparams{'KEY'}}[5]; - $cgiparams{'SIDE'} = $confighash{$cgiparams{'KEY'}}[6]; - $cgiparams{'LOCAL_SUBNET'} = $confighash{$cgiparams{'KEY'}}[8]; - $cgiparams{'REMOTE'} = $confighash{$cgiparams{'KEY'}}[10]; + $cgiparams{'ENABLED'} = $confighash{$cgiparams{'KEY'}}[0]; + $cgiparams{'NAME'} = $confighash{$cgiparams{'KEY'}}[1]; + $cgiparams{'TYPE'} = $confighash{$cgiparams{'KEY'}}[3]; + $cgiparams{'AUTH'} = $confighash{$cgiparams{'KEY'}}[4]; + $cgiparams{'PSK'} = $confighash{$cgiparams{'KEY'}}[5]; + $cgiparams{'SIDE'} = $confighash{$cgiparams{'KEY'}}[6]; + $cgiparams{'LOCAL_SUBNET'} = $confighash{$cgiparams{'KEY'}}[8]; + $cgiparams{'REMOTE'} = $confighash{$cgiparams{'KEY'}}[10]; $cgiparams{'REMOTE_SUBNET'} = $confighash{$cgiparams{'KEY'}}[11]; - $cgiparams{'OVPN_MGMT'} = $confighash{$cgiparams{'KEY'}}[22]; - $cgiparams{'MSSFIX'} = $confighash{$cgiparams{'KEY'}}[23]; - $cgiparams{'FRAGMENT'} = $confighash{$cgiparams{'KEY'}}[24]; - $cgiparams{'REMARK'} = $confighash{$cgiparams{'KEY'}}[25]; - $cgiparams{'INTERFACE'} = $confighash{$cgiparams{'KEY'}}[26]; - $cgiparams{'OVPN_SUBNET'} = $confighash{$cgiparams{'KEY'}}[27]; - $cgiparams{'PROTOCOL'} = $confighash{$cgiparams{'KEY'}}[28]; - $cgiparams{'DEST_PORT'} = $confighash{$cgiparams{'KEY'}}[29]; - $cgiparams{'COMPLZO'} = $confighash{$cgiparams{'KEY'}}[30]; - $cgiparams{'MTU'} = $confighash{$cgiparams{'KEY'}}[31]; - $cgiparams{'CHECK1'} = $confighash{$cgiparams{'KEY'}}[32]; + $cgiparams{'OVPN_MGMT'} = $confighash{$cgiparams{'KEY'}}[22]; + $cgiparams{'MSSFIX'} = $confighash{$cgiparams{'KEY'}}[23]; + $cgiparams{'FRAGMENT'} = 
$confighash{$cgiparams{'KEY'}}[24]; + $cgiparams{'REMARK'} = $confighash{$cgiparams{'KEY'}}[25]; + $cgiparams{'INTERFACE'} = $confighash{$cgiparams{'KEY'}}[26]; + $cgiparams{'OVPN_SUBNET'} = $confighash{$cgiparams{'KEY'}}[27]; + $cgiparams{'PROTOCOL'} = $confighash{$cgiparams{'KEY'}}[28]; + $cgiparams{'DEST_PORT'} = $confighash{$cgiparams{'KEY'}}[29]; + $cgiparams{'COMPLZO'} = $confighash{$cgiparams{'KEY'}}[30]; + $cgiparams{'MTU'} = $confighash{$cgiparams{'KEY'}}[31]; + $cgiparams{'CHECK1'} = $confighash{$cgiparams{'KEY'}}[32]; $name=$cgiparams{'CHECK1'} ; - $cgiparams{$name} = $confighash{$cgiparams{'KEY'}}[33]; - $cgiparams{'RG'} = $confighash{$cgiparams{'KEY'}}[34]; - $cgiparams{'CCD_DNS1'} = $confighash{$cgiparams{'KEY'}}[35]; - $cgiparams{'CCD_DNS2'} = $confighash{$cgiparams{'KEY'}}[36]; - $cgiparams{'CCD_WINS'} = $confighash{$cgiparams{'KEY'}}[37]; + $cgiparams{$name} = $confighash{$cgiparams{'KEY'}}[33]; + $cgiparams{'RG'} = $confighash{$cgiparams{'KEY'}}[34]; + $cgiparams{'CCD_DNS1'} = $confighash{$cgiparams{'KEY'}}[35]; + $cgiparams{'CCD_DNS2'} = $confighash{$cgiparams{'KEY'}}[36]; + $cgiparams{'CCD_WINS'} = $confighash{$cgiparams{'KEY'}}[37]; $cgiparams{'PMTU_DISCOVERY'} = $confighash{$cgiparams{'KEY'}}[38]; + $cgiparams{'DAUTH'} = $confighash{$cgiparams{'KEY'}}[39]; + $cgiparams{'DCIPHER'} = $confighash{$cgiparams{'KEY'}}[40]; + $cgiparams{'TLSAUTH'} = $confighash{$cgiparams{'KEY'}}[41]; + $cgiparams{'ENGINES'} = $confighash{$cgiparams{'KEY'}}[42]; } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'save'}) { $cgiparams{'REMARK'} = &Header::cleanhtml($cgiparams{'REMARK'}); 
@@ -3727,6 +4032,8 @@ if ($cgiparams{'TYPE'} eq 'net') { } if ($cgiparams{'CERT_NAME'} !~ /^[a-zA-Z0-9 ,\.\-_]+$/) { $errormessage = $Lang::tr{'invalid input for name'}; + unlink ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}/$cgiparams{'NAME'}.conf") or die "Removing Configfile fail: $!"; + rmdir ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}") || die "Removing Directory fail: $!"; goto VPNCONF_ERROR; } if ($cgiparams{'CERT_EMAIL'} ne '' && (! &General::validemail($cgiparams{'CERT_EMAIL'}))) { @@ -3799,7 +4106,7 @@ if ($cgiparams{'TYPE'} eq 'net') { } } else { # child unless (exec ('/usr/bin/openssl', 'req', '-nodes', '-rand', '/proc/interrupts:/proc/net/rt_cache', - '-newkey', 'rsa:1024', + '-newkey', 'rsa:2048', '-keyout', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}key.pem", '-out', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}req.pem", '-config',"${General::swroot}/ovpn/openssl/ovpn.cnf")) { @@ -3868,7 +4175,7 @@ if ($cgiparams{'TYPE'} eq 'net') { if (! $key) { $key = &General::findhasharraykey (\%confighash); - foreach my $i (0 .. 38) { $confighash{$key}[$i] = "";} + foreach my $i (0 .. 43) { $confighash{$key}[$i] = "";} } $confighash{$key}[0] = $cgiparams{'ENABLED'}; $confighash{$key}[1] = $cgiparams{'NAME'}; @@ -3887,13 +4194,13 @@ if ($cgiparams{'TYPE'} eq 'net') { $confighash{$key}[6] = $cgiparams{'SIDE'}; $confighash{$key}[11] = $cgiparams{'REMOTE_SUBNET'}; } - $confighash{$key}[8] = $cgiparams{'LOCAL_SUBNET'}; + $confighash{$key}[8] = $cgiparams{'LOCAL_SUBNET'}; $confighash{$key}[10] = $cgiparams{'REMOTE'}; - if ($cgiparams{'OVPN_MGMT'} eq '') { + if ($cgiparams{'OVPN_MGMT'} eq '') { $confighash{$key}[22] = $confighash{$key}[29]; - } else { + } else { $confighash{$key}[22] = $cgiparams{'OVPN_MGMT'}; - } + } $confighash{$key}[23] = $cgiparams{'MSSFIX'}; $confighash{$key}[24] = $cgiparams{'FRAGMENT'}; $confighash{$key}[25] = $cgiparams{'REMARK'}; 
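Review bot: The two new cleanup lines end in `or die` / `|| die`, which aborts the CGI with a server error instead of reaching the `goto VPNCONF_ERROR` that would display `$errormessage`; if the file or directory was never created for this request, `unlink` fails and the user sees no error page at all. Since the invalid-name message is already set, append cleanup failures to it rather than dying, e.g. `unlink(...) or $errormessage .= " $!";` and `rmdir(...) or $errormessage .= " $!";`. Both paths are built from `$cgiparams{'NAME'}`; I cannot see in this hunk where NAME is validated before being used as a directory component, so it is worth confirming that check precedes this block. The enclosing `if ($cgiparams{'TYPE'} eq 'net')` block starts outside the hunk.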
@@ -3911,7 +4218,10 @@ if ($cgiparams{'TYPE'} eq 'net') { $confighash{$key}[35] = $cgiparams{'CCD_DNS1'}; $confighash{$key}[36] = $cgiparams{'CCD_DNS2'}; $confighash{$key}[37] = $cgiparams{'CCD_WINS'}; - $confighash{$key}[38] = $cgiparams{'PMTU_DISCOVERY'}; + $confighash{$key}[38] = $cgiparams{'PMTU_DISCOVERY'}; + $confighash{$key}[39] = $cgiparams{'DAUTH'}; + $confighash{$key}[40] = $cgiparams{'DCIPHER'}; + $confighash{$key}[42] = $cgiparams{'ENGINES'}; &General::writehasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash); @@ -4023,6 +4333,8 @@ if ($cgiparams{'TYPE'} eq 'net') { $cgiparams{'MSSFIX'} = 'on'; $cgiparams{'FRAGMENT'} = '1300'; $cgiparams{'PMTU_DISCOVERY'} = 'off'; + $cgiparams{'DAUTH'} = 'SHA1'; + $cgiparams{'ENGINES'} = 'disabled'; ### # m.a.d n2n end ### 
@@ -4087,10 +4399,55 @@ if ($cgiparams{'TYPE'} eq 'net') { } $checked{'PMTU_DISCOVERY'}{$cgiparams{'PMTU_DISCOVERY'}} = 'checked=\'checked\''; + $selected{'DCIPHER'}{'CAMELLIA-256-CBC'} = ''; + $selected{'DCIPHER'}{'CAMELLIA-192-CBC'} = ''; + $selected{'DCIPHER'}{'CAMELLIA-128-CBC'} = ''; + $selected{'DCIPHER'}{'AES-256-CBC'} = ''; + $selected{'DCIPHER'}{'AES-192-CBC'} = ''; + $selected{'DCIPHER'}{'AES-128-CBC'} = ''; + $selected{'DCIPHER'}{'DESX-CBC'} = ''; + $selected{'DCIPHER'}{'SEED-CBC'} = ''; + $selected{'DCIPHER'}{'DES-EDE3-CBC'} = ''; + $selected{'DCIPHER'}{'DES-EDE-CBC'} = ''; + $selected{'DCIPHER'}{'CAST5-CBC'} = ''; + $selected{'DCIPHER'}{'BF-CBC'} = ''; + $selected{'DCIPHER'}{'RC2-CBC'} = ''; + $selected{'DCIPHER'}{'DES-CBC'} = ''; + $selected{'DCIPHER'}{'RC2-64-CBC'} = ''; + $selected{'DCIPHER'}{'RC2-40-CBC'} = ''; + # If no cipher has been chossen yet, select + # the old default (AES-256-CBC) for compatiblity reasons. + if ($cgiparams{'DCIPHER'} eq '') { + $cgiparams{'DCIPHER'} = 'AES-256-CBC'; + } + $selected{'DCIPHER'}{$cgiparams{'DCIPHER'}} = 'SELECTED'; + $selected{'DAUTH'}{'whirlpool'} = ''; + $selected{'DAUTH'}{'SHA512'} = ''; + $selected{'DAUTH'}{'SHA384'} = ''; + $selected{'DAUTH'}{'SHA256'} = ''; + $selected{'DAUTH'}{'SHA1'} = ''; + # If no hash algorythm has been choosen yet, select + # the old default value (SHA1) for compatiblity reasons. + if ($cgiparams{'DAUTH'} eq '') { + $cgiparams{'DAUTH'} = 'SHA1'; + } + $selected{'DAUTH'}{$cgiparams{'DAUTH'}} = 'SELECTED'; + + $selected{'ENGINES'}{'disabled'} = ''; + $selected{'ENGINES'}{'cryptodev'} = ''; + $selected{'ENGINES'}{'dynamic'} = ''; + $selected{'ENGINES'}{'aesni'} = ''; + $selected{'ENGINES'}{'padlock'} = ''; + # If no engine has been choosen yet, select + # a default one (disabled). 
+ if ($cgiparams{'ENGINES'} eq '') { + $cgiparams{'ENGINES'} = 'disabled'; + } + $selected{'ENGINES'}{$cgiparams{'ENGINES'}} = 'SELECTED'; if (1) { &Header::showhttpheaders(); - &Header::openpage($Lang::tr{'vpn configuration main'}, 1, ''); + &Header::openpage($Lang::tr{'ovpn'}, 1, ''); &Header::openbigbox('100%', 'LEFT', '', $errormessage); if ($errormessage) { &Header::openbox('100%', 'LEFT', $Lang::tr{'error messages'}); @@ -4148,48 +4505,103 @@ if ($cgiparams{'TYPE'} eq 'net') { - print <    $Lang::tr{'Act as'} + $Lang::tr{'remote host/ip'}: + $Lang::tr{'local subnet'} + $Lang::tr{'remote subnet'} + $Lang::tr{'ovpn subnet'} - $Lang::tr{'protocol'} - - - - $Lang::tr{'destination port'}: - - $Lang::tr{'comp-lzo'}   - - - mssfix   - - $Lang::tr{'openvpn default'}: on - - fragment   - - $Lang::tr{'openvpn default'}: 1300 - - $Lang::tr{'MTU'}  - - $Lang::tr{'openvpn default'}: udp/tcp 1500/1400 - - Management Port  - - $Lang::tr{'openvpn default'}: $Lang::tr{'destination port'} - - $Lang::tr{'ovpn mtu-disc'} + + $Lang::tr{'protocol'} + + + $Lang::tr{'destination port'}: + + + + $Lang::tr{'cipher'} + + + + $Lang::tr{'ovpn ha'}: + + + + + $Lang::tr{'ovpn engines'}   + + + + +
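Review bot: The empty-value fallbacks in this hunk only cover `''`; if `$cgiparams{'DCIPHER'}`, `DAUTH` or `ENGINES` holds a name that is not in the table (a hand-edited or imported config), no option is marked SELECTED and, presumably, the browser submits the first entry on the next save. Testing membership before the SELECTED assignment covers both cases: `if ($cgiparams{'DCIPHER'} eq '' || !exists $selected{'DCIPHER'}{$cgiparams{'DCIPHER'}}) {`, and likewise for DAUTH and ENGINES. The new comments also carry typos worth fixing in the same pass: "chossen"/"choosen" → "chosen", "algorythm" → "algorithm", "compatiblity" → "compatibility".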
+ + Management Port ($Lang::tr{'openvpn default'}: $Lang::tr{'destination port'}):   + + + + $Lang::tr{'MTU'}  + + $Lang::tr{'openvpn default'}: udp/tcp 1500/1400 + + + fragment   + + $Lang::tr{'openvpn default'}: 1300 + + + mssfix   + + $Lang::tr{'openvpn default'}: on + + + $Lang::tr{'comp-lzo'}   + + + + $Lang::tr{'ovpn mtu-disc'} $Lang::tr{'ovpn mtu-disc yes'} $Lang::tr{'ovpn mtu-disc maybe'} @@ -4260,7 +4672,7 @@ if ($cgiparams{'TYPE'} eq 'host') { if ($cgiparams{'TYPE'} eq 'host') { -print < $Lang::tr{'upload a certificate request'} @@ -4285,7 +4697,7 @@ END } else { -print < $Lang::tr{'generate a certificate'}  @@ -4319,7 +4731,7 @@ END ### if ($cgiparams{'TYPE'} eq 'host') { - print <  $Lang::tr{'valid till'} (days): @@ -4335,7 +4747,7 @@ if ($cgiparams{'TYPE'} eq 'host') { END }else{ - print <         @@ -4463,7 +4875,7 @@ END if (&haveOrangeNet() && $selorange == '1'){ print"";$selorange=0;}elsif(&haveOrangeNet() && $selorange == '0'){print"";} if ($selgreen == '1' || $other == '0'){ print"";$set=0;}else{print"";}; - print<DNS1: DNS2: WINS:

@@ -4519,10 +4931,13 @@ END if ($cgiparams{'DMTU'} eq '') { $cgiparams{'DMTU'} = '1400'; } + if ($cgiparams{'ENGINES'} eq '') { + $cgiparams{'ENGINES'} = 'disabled'; + } if ($cgiparams{'DOVPN_SUBNET'} eq '') { $cgiparams{'DOVPN_SUBNET'} = '10.' . int(rand(256)) . '.' . int(rand(256)) . '.0/255.255.255.0'; } - $checked{'ENABLED'}{'off'} = ''; + $checked{'ENABLED'}{'off'} = ''; $checked{'ENABLED'}{'on'} = ''; $checked{'ENABLED'}{$cgiparams{'ENABLED'}} = 'CHECKED'; $checked{'ENABLED_BLUE'}{'off'} = ''; 
@@ -4539,22 +4954,38 @@ END $selected{'DPROTOCOL'}{'tcp'} = ''; $selected{'DPROTOCOL'}{$cgiparams{'DPROTOCOL'}} = 'SELECTED'; - $selected{'DCIPHER'}{'DES-CBC'} = ''; - $selected{'DCIPHER'}{'DES-EDE-CBC'} = ''; + $selected{'DCIPHER'}{'CAMELLIA-256-CBC'} = ''; + $selected{'DCIPHER'}{'CAMELLIA-192-CBC'} = ''; + $selected{'DCIPHER'}{'CAMELLIA-128-CBC'} = ''; + $selected{'DCIPHER'}{'AES-256-CBC'} = ''; + $selected{'DCIPHER'}{'AES-192-CBC'} = ''; + $selected{'DCIPHER'}{'AES-128-CBC'} = ''; $selected{'DCIPHER'}{'DES-EDE3-CBC'} = ''; $selected{'DCIPHER'}{'DESX-CBC'} = ''; - $selected{'DCIPHER'}{'RC2-CBC'} = ''; - $selected{'DCIPHER'}{'RC2-40-CBC'} = ''; - $selected{'DCIPHER'}{'RC2-64-CBC'} = ''; + $selected{'DCIPHER'}{'SEED-CBC'} = ''; + $selected{'DCIPHER'}{'DES-EDE-CBC'} = ''; + $selected{'DCIPHER'}{'CAST5-CBC'} = ''; $selected{'DCIPHER'}{'BF-CBC'} = ''; - $selected{'DCIPHER'}{'CAST5-CBC'} = ''; - $selected{'DCIPHER'}{'AES-128-CBC'} = ''; - $selected{'DCIPHER'}{'AES-192-CBC'} = ''; - $selected{'DCIPHER'}{'AES-256-CBC'} = ''; - $selected{'DCIPHER'}{'CAMELLIA-128-CBC'} = ''; - $selected{'DCIPHER'}{'CAMELLIA-192-CBC'} = ''; - $selected{'DCIPHER'}{'CAMELLIA-256-CBC'} = ''; + $selected{'DCIPHER'}{'RC2-CBC'} = ''; + $selected{'DCIPHER'}{'DES-CBC'} = ''; + $selected{'DCIPHER'}{'RC2-64-CBC'} = ''; + $selected{'DCIPHER'}{'RC2-40-CBC'} = ''; $selected{'DCIPHER'}{$cgiparams{'DCIPHER'}} = 'SELECTED'; + + $selected{'DAUTH'}{'whirlpool'} = ''; + $selected{'DAUTH'}{'SHA512'} = ''; + $selected{'DAUTH'}{'SHA384'} = ''; + $selected{'DAUTH'}{'SHA256'} = ''; + $selected{'DAUTH'}{'SHA1'} = ''; + $selected{'DAUTH'}{$cgiparams{'DAUTH'}} = 'SELECTED'; + + $selected{'ENGINES'}{'cryptodev'} = ''; + $selected{'ENGINES'}{'dynamic'} = ''; + $selected{'ENGINES'}{'aesni'} = ''; + $selected{'ENGINES'}{'padlock'} = ''; + $selected{'ENGINES'}{'disabled'} = ''; + $selected{'ENGINES'}{$cgiparams{'ENGINES'}} = 'SELECTED'; + $checked{'DCOMPLZO'}{'off'} = ''; $checked{'DCOMPLZO'}{'on'} = ''; 
$checked{'DCOMPLZO'}{$cgiparams{'DCOMPLZO'}} = 'CHECKED'; @@ -4595,7 +5026,7 @@ END $activeonrun = "disabled='disabled'"; } &Header::openbox('100%', 'LEFT', $Lang::tr{'global settings'}); - print <   @@ -4629,26 +5060,31 @@ END $Lang::tr{'MTU'}  + + $Lang::tr{'cipher'} + + $Lang::tr{'comp-lzo'} - $Lang::tr{'cipher'} - + +
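Review bot: Unlike `@@ -4087`, the global-settings path rebuilt here has no fallback for an empty `$cgiparams{'DAUTH'}`; `@@ -4519` adds a default only for `ENGINES`, and I do not see one for DAUTH in the visible hunks, so on an upgraded installation with no DAUTH stored the select has no SELECTED option and the first entry is presumably submitted on the next save. Adding the same guard as the net-to-net path, `if ($cgiparams{'DAUTH'} eq '') { $cgiparams{'DAUTH'} = 'SHA1'; }`, before the SELECTED assignment keeps the current behaviour explicit. The rebuilt DCIPHER table also keeps `RC2-40-CBC`, `DES-CBC`, `RC2-CBC` and `RC2-64-CBC` selectable for the server-wide cipher; consider dropping them or marking them as legacy in the option label so an operator does not pick one by accident.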

END ; @@ -4676,154 +5112,7 @@ END } print ""; &Header::closebox(); - &Header::openbox('100%', 'LEFT', "$Lang::tr{'certificate authorities'}"); - print < - - $Lang::tr{'name'} - $Lang::tr{'subject'} - $Lang::tr{'action'} - -EOF - ; - my $col1="bgcolor='$color{'color22'}'"; - my $col2="bgcolor='$color{'color20'}'"; - if (-f "${General::swroot}/ovpn/ca/cacert.pem") { - my $casubject = `/usr/bin/openssl x509 -text -in ${General::swroot}/ovpn/ca/cacert.pem`; - $casubject =~ /Subject: (.*)[\n]/; - $casubject = $1; - $casubject =~ s+/Email+, E+; - $casubject =~ s/ ST=/ S=/; - print < - $Lang::tr{'root certificate'} - $casubject -
- - -
-
- - -
-   -END - ; - } else { - # display rootcert generation buttons - print < - $Lang::tr{'root certificate'}: - $Lang::tr{'not present'} -   -END - ; - } - if (-f "${General::swroot}/ovpn/certs/servercert.pem") { - my $hostsubject = `/usr/bin/openssl x509 -text -in ${General::swroot}/ovpn/certs/servercert.pem`; - $hostsubject =~ /Subject: (.*)[\n]/; - $hostsubject = $1; - $hostsubject =~ s+/Email+, E+; - $hostsubject =~ s/ ST=/ S=/; - - print < - $Lang::tr{'host certificate'} - $hostsubject -
- - -
-
- - -
-   -END - ; - } else { - # Nothing - print < - $Lang::tr{'host certificate'}: - $Lang::tr{'not present'} -   -END - ; - } - - if (! -f "${General::swroot}/ovpn/ca/cacert.pem") { - print "
"; - print ""; - print "
\n"; - } - - if (keys %cahash > 0) { - foreach my $key (keys %cahash) { - if (($key + 1) % 2) { - print "\n"; - } else { - print "\n"; - } - print "$cahash{$key}[0]\n"; - print "$cahash{$key}[1]\n"; - print < - - - - -
- - - -
-
- - - -
-END - ; - } - } - - print ""; - - # If the file contains entries, print Key to action icons - if ( -f "${General::swroot}/ovpn/ca/cacert.pem") { - print < - -   $Lang::tr{'legend'}: -     $Lang::tr{ - $Lang::tr{'show certificate'} -     $Lang::tr{ - $Lang::tr{'download certificate'} - - -END -; - } - -print < - - - - -
$Lang::tr{'ca name'}:

-END -; - - - &Header::closebox(); - if ( $srunning eq "yes" ) { - print "
\n"; - }else{ - print "
\n"; - } if ( -f "${General::swroot}/ovpn/ca/cacert.pem" ) { ### @@ -4831,8 +5120,8 @@ END #$Lang::tr{'remark'}
L2089 ### - &Header::openbox('100%', 'LEFT', $Lang::tr{'Client status and controlc' }); - print < @@ -4907,7 +5196,7 @@ END #EXITING -- A graceful exit is in progress. #### - if (($tustate[1] eq 'CONNECTED') || ($tustate[1] eq 'WAIT')) { + if ($tustate[1] eq 'CONNECTED') { $col1="bgcolor='${Header::colourgreen}'"; $active = "$Lang::tr{'capsopen'}"; }else { @@ -4938,7 +5227,7 @@ END } - print <$active
@@ -4949,7 +5238,7 @@ END END ; if ($confighash{$key}[4] eq 'cert') { - print < @@ -4960,7 +5249,7 @@ END print " "; } if ($confighash{$key}[4] eq 'cert' && -f "${General::swroot}/ovpn/certs/$confighash{$key}[1].p12") { - print < @@ -4968,7 +5257,7 @@ END END ; } elsif ($confighash{$key}[4] eq 'cert') { - print < @@ -5004,45 +5293,215 @@ END # If the config file contains entries, print Key to action icons if ( $id ) { - print < -   $Lang::tr{'legend'}: -   $Lang::tr{ - $Lang::tr{'click to disable'} -     $Lang::tr{ - $Lang::tr{'show certificate'} -     $Lang::tr{ - $Lang::tr{'edit'} -     $Lang::tr{ - $Lang::tr{'remove'} +   $Lang::tr{'legend'}: +   $Lang::tr{ + $Lang::tr{'click to disable'} +     $Lang::tr{ + $Lang::tr{'show certificate'} +     $Lang::tr{ + $Lang::tr{'edit'} +     $Lang::tr{ + $Lang::tr{'remove'} -   -   ?OFF - $Lang::tr{'click to enable'} - ?FLOPPY - $Lang::tr{'download certificate'} - ?RELOAD - $Lang::tr{'dl client arch'} - +   +   ?OFF + $Lang::tr{'click to enable'} +     ?FLOPPY + $Lang::tr{'download certificate'} +     ?RELOAD + $Lang::tr{'dl client arch'} +
END ; } - print <
- - + + + +
END - ; - &Header::closebox(); -} + ; + &Header::closebox(); + } + &Header::openbox('100%', 'LEFT', "$Lang::tr{'certificate authorities'}"); + print < + + $Lang::tr{'name'} + $Lang::tr{'subject'} + $Lang::tr{'action'} + +END + ; + my $col1="bgcolor='$color{'color22'}'"; + my $col2="bgcolor='$color{'color20'}'"; + if (-f "${General::swroot}/ovpn/ca/cacert.pem") { + my $casubject = `/usr/bin/openssl x509 -text -in ${General::swroot}/ovpn/ca/cacert.pem`; + $casubject =~ /Subject: (.*)[\n]/; + $casubject = $1; + $casubject =~ s+/Email+, E+; + $casubject =~ s/ ST=/ S=/; + print < + $Lang::tr{'root certificate'} + $casubject +
+ + +
+
+ + +
+   +END + ; + } else { + # display rootcert generation buttons + print < + $Lang::tr{'root certificate'}: + $Lang::tr{'not present'} +   +END + ; + } + + if (-f "${General::swroot}/ovpn/certs/servercert.pem") { + my $hostsubject = `/usr/bin/openssl x509 -text -in ${General::swroot}/ovpn/certs/servercert.pem`; + $hostsubject =~ /Subject: (.*)[\n]/; + $hostsubject = $1; + $hostsubject =~ s+/Email+, E+; + $hostsubject =~ s/ ST=/ S=/; + + print < + $Lang::tr{'host certificate'} + $hostsubject +
+ + +
+
+ + +
+   +END + ; + } else { + # Nothing + print < + $Lang::tr{'host certificate'}: + $Lang::tr{'not present'} +   +END + ; + } + + if (! -f "${General::swroot}/ovpn/ca/cacert.pem") { + print "
"; + print ""; + print "
\n"; + } + + if (keys %cahash > 0) { + foreach my $key (keys %cahash) { + if (($key + 1) % 2) { + print "\n"; + } else { + print "\n"; + } + print "$cahash{$key}[0]\n"; + print "$cahash{$key}[1]\n"; + print < + + + + +
+ + + +
+
+ + + +
+END + ; + } + } + + print ""; + + # If the file contains entries, print Key to action icons + if ( -f "${General::swroot}/ovpn/ca/cacert.pem") { + print < + +   $Lang::tr{'legend'}: +     $Lang::tr{ + $Lang::tr{'show certificate'} +     $Lang::tr{ + $Lang::tr{'download certificate'} + + +END + ; + } + + print < +
+ + + + + + + + + + + + + + + + + + + + + +
$Lang::tr{'ca name'}: +
$Lang::tr{'ovpn dh upload'}: +

+END + ; + + if ( $srunning eq "yes" ) { + print "
\n"; + } else { + print "
\n"; + } + &Header::closebox(); +END + ; + &Header::closepage(); - - diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl index 090510fe3..6a1f3f286 100644 --- a/langs/de/cgi-bin/de.pl +++ b/langs/de/cgi-bin/de.pl @@ -7,6 +7,7 @@ 'Add Rule' => 'Regel hinzufügen', 'Add a route' => 'Eine Route hinzufügen', 'Async logging enabled' => 'Aktiviere asynchrones Schreiben des Syslogs', +'bit' => 'Bit', 'Choose Rule' => 'Wählen Sie eine der untenstehenden Regeln aus.', 'Class' => 'Klasse', 'Class was deleted' => 'wurde mit eventuell vorhandenen Unterklassen gelöscht', @@ -39,7 +40,7 @@ 'Local VPN IP' => 'Internes Netzwerk (GREEN)', 'MB read' => 'MB gelesen', 'MB written' => 'MB geschrieben', -'MTU' => 'MTU Size', +'MTU' => 'MTU Size:', 'Number of IPs for the pie chart' => 'Anzahl der angezeigten IPs im Diagramm', 'Number of Ports for the pie chart' => 'Anzahl der angezeigten Ports im Diagramm', 'OVPN' => 'OpenVPN', @@ -526,7 +527,7 @@ 'check for net traffic update' => 'Prüfe auf Net-Traffic-Updates', 'check vpn lr' => 'Überprüfen', 'choose config' => 'Konfiguration auswählen', -'cipher' => 'Verschlüsselung', +'cipher' => 'Verschlüsselung:', 'city' => 'Stadt', 'class in use' => 'Die aktuelle Klasse wird bereits verwendet.', 'clear cache' => 'Zwischenspeicher löschen', @@ -660,6 +661,10 @@ 'details' => 'Mehr', 'device' => 'Gerät', 'devices on blue' => 'Geräte auf Blau', +'dh' => 'Diffie-Hellman Key', +'dh key move failed' => 'Verschieben des Diffie-Hellman keys fehlgeschlagen.', +'dh key warn' => 'Diffie-Hellman Keys mit 1024 und 2048 Bit können mehrere Minuten, 3072 und 4096 Bit bis zu mehreren Stunden dauern. Bitte haben sie Geduld.', +'dh key warn1' => 'Bei schwachen Systemen oder Systeme mit wenig Entropie wird empfohlen lange Diffie-Hellman Keys über die Upload Funktion zu integrieren.', 'dhcp advopt add' => 'DHCP Option hinzufügen', 'dhcp advopt added' => 'DHCP Option hinzugefügt', 'dhcp advopt blank value' => 'Wert für DHCP Option darf nicht leer sein', 
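Review bot: The relocated CA box still prints `$casubject`, `$hostsubject`, `$cahash{$key}[0]` and `$cahash{$key}[1]` straight into the page; these come from `openssl x509 -text` output and from `%cahash`, i.e. from certificates that this page appears to let an operator upload, so a crafted subject would be rendered as markup. Since the block is being moved anyway, passing each through `&Header::cleanhtml(...)` — which this file already applies to `REMARK` in `@@ -3164` — before printing is a cheap fix. The `openssl` backtick invocations use the fixed `${General::swroot}` path, so they are not affected.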
@@ -1120,9 +1125,11 @@
 'fwhost wo subnet' => '(Ohne Subnetz)',
 'gateway' => 'Gateway',
 'gateway ip' => 'Gateway-IP',
+'gen dh' => 'Diffie-Hellman Key erzeugen',
 'gen static key' => 'Statischen Schlüssel erzeugen',
 'generate' => 'Root/Host-Zertifikate generieren',
 'generate a certificate' => 'Erzeuge ein Zertifikat:',
+'generate dh key' => 'Diffie-Hellman Key generieren',
 'generate iso' => 'ISO erstellen',
 'generate root/host certificates' => 'Erzeuge Root/Host-Zertifikate',
 'generate tripwire keys and init' => 'Tripwire Initalisierung',
@@ -1363,7 +1370,7 @@
 'log view' => 'Log Anzeige',
 'log viewer' => 'Protokollansicht',
 'log viewing options' => 'Log Ansichts-Optionen',
-'log-options' => 'Logfile options',
+'log-options' => 'Logfile Optionen',
 'loged in at' => 'Angemeldet seit',
 'logging' => 'Logging',
 'logging server' => 'Protokollierungs-Server',
@@ -1544,6 +1551,7 @@
 'nonetworkname' => 'Kein Netzwerkname wurde eingegeben',
 'noservicename' => 'Kein Dienstname wurde eingegeben',
 'not a valid ca certificate' => 'Kein gültiges CA Zertifikat.',
+'not a valid dh key' => 'Kein gültiger Diffie-Hellman Schlüssel. Bitte nur 1024, 2048, 3072 oder 4096 Bit im PKCS#3 Format verwenden.',
 'not enough disk space' => 'Nicht genügend Plattenplatz vorhanden',
 'not present' => 'Nicht vorhanden',
 'not running' => 'nicht gestartet',
@@ -1633,12 +1641,19 @@
 'outgoing traffic in bytes per second' => 'Abgehender Verkehr',
 'override mtu' => 'Überschreibe Standard MTU',
 'ovpn' => 'OpenVPN',
+'ovpn crypt options' => 'Kryptografieoptionen',
 'ovpn con stat' => 'OpenVPN Verbindungs-Statistik',
 'ovpn config' => 'OVPN-Konfiguration',
 'ovpn device' => 'OpenVPN-Gerät',
+'ovpn dh' => 'Diffie-Hellman Key Länge',
+'ovpn dh upload' => 'Upload Diffie-Hellman Key',
 'ovpn dl' => 'OVPN-Konfiguration downloaden',
+'ovpn engines' => 'Krypto Engine',
 'ovpn errmsg green already pushed' => 'Route für grünes Netzwerk wird immer gesetzt',
 'ovpn errmsg invalid ip or mask' => 'Ungültige Netzwerk-Adresse oder Subnetzmaske',
+'ovpn generating the root and host certificates' => 'Die Erzeugung der Root- und Host-Zertifikate kann lange Zeit dauern.',
+'ovpn hmac' => 'HMAC Optionen',
+'ovpn ha' => 'Hash Algorithmus',
 'ovpn log' => 'OVPN-Log',
 'ovpn mgmt in root range' => 'Ein Port von 1024 oder höher ist erforderlich.',
 'ovpn mtu-disc' => 'Path MTU Discovery',
@@ -1649,14 +1664,14 @@
 'ovpn mtu-disc with mssfix or fragment' => 'Path MTU Discovery kann nicht gemeinsam mit mssfix oder fragment verwendet werden.',
 'ovpn mtu-disc yes' => 'Forciert',
 'ovpn no connections' => 'Keine aktiven OpenVPN Verbindungen',
-'ovpn on blue' => 'OpenVPN auf BLAU',
-'ovpn on orange' => 'OpenVPN auf ORANGE',
-'ovpn on red' => 'OpenVPN auf ROT',
+'ovpn on blue' => 'OpenVPN auf BLAU:',
+'ovpn on orange' => 'OpenVPN auf ORANGE:',
+'ovpn on red' => 'OpenVPN auf ROT:',
 'ovpn port in root range' => 'Ein Port von 1024 oder höher ist erforderlich.',
 'ovpn routes push' => 'Routen (eine pro Zeile) z.b. 192.168.10.0/255.255.255.0 192.168.20.0/24',
 'ovpn routes push options' => 'Route push Optionen',
 'ovpn server status' => 'OpenVPN-Server-Status',
-'ovpn subnet' => 'OpenVPN-Subnetz (z.B. 10.0.10.0/255.255.255.0)',
+'ovpn subnet' => 'OpenVPN-Subnetz:',
 'ovpn subnet is invalid' => 'Das OpenVPN-Subnetz ist ungültig.',
 'ovpn subnet overlap' => 'OpenVPNSubnetz überschneidet sich mit ',
 'ovpn_fastio' => 'Fast-IO',
@@ -1830,7 +1845,7 @@
 'resetglobals' => 'Globale Einstellungen zurücksetzen',
 'resetpolicy' => 'Policy zurücksetzen',
 'resetshares' => 'Shares zurücksetzen?',
-'resetting the vpn configuration will remove the root ca, the host certificate and all certificate based connections' => 'Das Zurücksetzen der VPN-Konfiguration wird die Root-CA, die Host-Zertifikate und alle weiteren Zertifikate und alle zertifikatsbasierten Verbindungen entfernen',
+'resetting the vpn configuration will remove the root ca, the host certificate and all certificate based connections' => 'Das Löschen des X509 wird die Root-CA, die Host-Zertifikate und alle zertifikatsbasierten Verbindungen entfernen.',
 'restart' => 'Neustart',
 'restart ovpn server' => 'OpenVPN-Server neu starten',
 'restore' => 'Wiederherstellen',
@@ -1900,6 +1915,7 @@
 'show ca certificate' => 'CA Zertifikat anzeigen',
 'show certificate' => 'Zertifikat anzeigen',
 'show crl' => 'Certificate Revocation List anzeigen',
+'show dh' => 'Diffie-Hellman Key anzeigen',
 'show host certificate' => 'Host-Zertifikat anzeigen',
 'show last x lines' => 'die letzten x Zeilen anzeigen',
 'show root certificate' => 'Root-Zertifikat anzeigen',
@@ -2234,6 +2250,7 @@
 'upload a certificate' => 'Ein Zertifikat hochladen:',
 'upload a certificate request' => 'Eine Zertifikatsanfrage hochladen:',
 'upload ca certificate' => 'CA-Zertifikat hochladen',
+'upload dh key' => 'Diffie-Hellman Key hochladen',
 'upload file' => 'Datei zum hochladen',
 'upload new ruleset' => 'Neuen Regelsatz hochladen',
 'upload p12 file' => 'PKCS12-Datei hochladen',
diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl
index de29f34ec..99d905e41 100644
--- a/langs/en/cgi-bin/en.pl
+++ b/langs/en/cgi-bin/en.pl
@@ -7,6 +7,7 @@
 'Add Rule' => 'Add rule',
 'Add a route' => 'Add a route',
 'Async logging enabled' => 'Enable asynchronous writing of the syslog file',
+'bit' => 'bit',
 'Choose Rule' => 'Choose one of the following rules.',
 'Class' => 'Class',
 'Class was deleted' => 'with potential subclasses was deleted',
@@ -682,6 +683,7 @@
 'details' => 'Details',
 'device' => 'Device',
 'devices on blue' => 'Devices on BLUE',
+'dh' => 'Diffie-Hellman Key',
 'dhcp advopt add' => 'Add a DHCP option',
 'dhcp advopt added' => 'DHCP option added',
 'dhcp advopt blank value' => 'DHCP Option value cannot be empty.',
@@ -713,6 +715,9 @@
 'dhcp server enabled' => 'DHCP server enabled. Restarting.',
 'dhcp server enabled on blue interface' => 'DHCP server enabled on BLUE interface',
 'dhcp-options' => 'DHCP push options',
+'dh key warn' => 'Diffie-Hellman keys with 1024 and 2048 bit takes up to several minutes, 3072 and 4096 bit might needs several hours. Please be patient.',
+'dh key warn1' => 'For weak systems or systems with little entropy it is recommended to integrate long Diffie-Hellman Keys by usage of the upload function.',
+'dh key move failed' => 'Diffie-Hellman key move failed.',
 'dial' => 'Connect',
 'dial profile' => 'Connect with profile',
 'dial user password' => 'Dial user password:',
@@ -1148,9 +1153,11 @@
 'g.lite' => 'TO BE REMOVED',
 'gateway' => 'Gateway',
 'gateway ip' => 'Gateway IP',
+'gen dh' => 'Generate Diffie-Hellman key',
 'gen static key' => 'Generate a static key',
 'generate' => 'Generate root/host zertifikate',
 'generate a certificate' => 'Generate a certificate:',
+'generate dh key' => 'Generate Diffie-Hellman key',
 'generate iso' => 'Generate ISO',
 'generate root/host certificates' => 'Generate root/host certificates',
 'generate tripwire keys and init' => 'generate tripwire keys and init',
@@ -1375,7 +1382,7 @@
 'local hard disk' => 'Hard disk',
 'local master' => 'Local Master',
 'local ntp server specified but not enabled' => 'Local NTP server specified but not enabled',
-'local subnet' => 'Local Subnet:',
+'local subnet' => 'Local subnet:',
 'local subnet is invalid' => 'Local subnet is invalid.',
 'local vpn hostname/ip' => 'Local VPN Hostname/IP',
 'localkey' => 'Localkey',
@@ -1573,6 +1580,7 @@
 'nonetworkname' => 'No Network Name entered',
 'noservicename' => 'No Service Name entered',
 'not a valid ca certificate' => 'Not a valid CA certificate.',
+'not a valid dh key' => 'Not a valid Diffie-Hellman key. Please use 1024, 2048, 3072 or 4096 bit in PKCS#3 format.',
 'not enough disk space' => 'Not enough disk space',
 'not present' => 'Not present',
 'not running' => 'not running',
@@ -1665,10 +1673,17 @@
 'ovpn' => 'OpenVPN',
 'ovpn con stat' => 'OpenVPN Connection Statistics',
 'ovpn config' => 'OVPN-Config',
+'ovpn crypt options' => 'Cryptographic options',
+'ovpn engines' => 'Crypto engine',
 'ovpn device' => 'OpenVPN device:',
+'ovpn dh' => 'Diffie-Hellman key lenght',
+'ovpn dh upload' => 'Upload Diffie-Hellman Key',
 'ovpn dl' => 'OVPN-Config Download',
 'ovpn errmsg green already pushed' => 'Route for green network is always set',
 'ovpn errmsg invalid ip or mask' => 'Invalid network-address or subnetmask',
+'ovpn generating the root and host certificates' => 'Generating the root and host certifictae can take a long time.',
+'ovpn ha' => 'Hash algorithm',
+'ovpn hmac' => 'HMAC options',
 'ovpn log' => 'OVPN-Log',
 'ovpn mgmt in root range' => 'A port number of 1024 or higher is required.',
 'ovpn mtu-disc' => 'Path MTU Discovery',
@@ -1679,18 +1694,18 @@ 'ovpn mtu-disc with mssfix or fragment' => 'Path MTU Discovery cannot be used with mssfix or fragment.', 'ovpn mtu-disc yes' => 'Forced', 'ovpn no connections' => 'No active OpenVPN connections', -'ovpn on blue' => 'OpenVPN on BLUE', -'ovpn on orange' => 'OpenVPN on ORANGE', -'ovpn on red' => 'OpenVPN on RED', +'ovpn on blue' => 'OpenVPN on BLUE:', +'ovpn on orange' => 'OpenVPN on ORANGE:', +'ovpn on red' => 'OpenVPN on RED:', 'ovpn port in root range' => 'A port number of 1024 or higher is required.', 'ovpn routes push' => 'Routes (one per line) e.g. 192.168.10.0/255.255.255.0 192.168.20.0/24', 'ovpn routes push options' => 'Route push options', 'ovpn server status' => 'Current OpenVPN server status:', -'ovpn subnet' => 'OpenVPN subnet (e.g. 10.0.10.0/255.255.255.0)', +'ovpn subnet' => 'OpenVPN subnet:', 'ovpn subnet is invalid' => 'OpenVPN subnet is invalid.', 'ovpn subnet overlap' => 'OpenVPN Subnet overlaps with : ', 'ovpn_fastio' => 'Fast-IO', -'ovpn_fragment' => 'Fragmentsize', +'teovpn_fragment' => 'Fragmentsize', 'ovpn_mssfix' => 'MSSFIX Size', 'ovpn_mtudisc' => 'MTU-Discovery', 'ovpn_processprio' => 'Process priority', @@ -1787,7 +1802,7 @@ 'profile saved' => 'Profile saved: ', 'profiles' => 'Profiles:', 'proto' => 'Proto', -'protocol' => 'Protocol', +'protocol' => 'Protocol:', 'proxy' => 'Proxy', 'proxy access graphs' => 'Proxy access graphs', 'proxy admin password' => 'Cache administrator password', 
@@ -1862,7 +1877,7 @@ 'resetglobals' => 'Reset global settings', 'resetpolicy' => 'Reset policy to default', 'resetshares' => 'Reset shares?', -'resetting the vpn configuration will remove the root ca, the host certificate and all certificate based connections' => 'Resetting the VPN configuration will remove the root CA, the host certificate and all certificate based connections', +'resetting the vpn configuration will remove the root ca, the host certificate and all certificate based connections' => 'Resetting the X509 remove the root CA, the host certificate and all certificate based connections.', 'restart' => 'Restart', 'restart ovpn server' => 'Restart OpenVPN server', 'restore' => 'Restore', @@ -1934,6 +1949,7 @@ 'show ca certificate' => 'Show CA certificate', 'show certificate' => 'Show certificate', 'show crl' => 'Show certificate revocation list', +'show dh' => 'Show Diffie-Hellman key', 'show host certificate' => 'Show host certificate', 'show last x lines' => 'Show last x lines', 'show lines' => 'Show lines', @@ -2272,6 +2288,7 @@ 'upload a certificate' => 'Upload a certificate:', 'upload a certificate request' => 'Upload a certificate request:', 'upload ca certificate' => 'Upload CA certificate', +'upload dh key' => 'Upload Diffie-Hellman key', 'upload fcdsl.o' => 'TO BE REMOVED', 'upload file' => 'Upload file', 'upload new ruleset' => 'Upload new ruleset', From 6d49c4a6318512f12cd06da7727d7000f2071030 Mon Sep 17 00:00:00 2001 From: Erik Kapfer Date: Sun, 11 May 2014 09:28:53 +0200 Subject: [PATCH 04/38] OpenVPN: Update to version 2.3.4 --- lfs/openvpn | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/lfs/openvpn b/lfs/openvpn index 053d58198..8c7c81a49 100644 --- a/lfs/openvpn +++ b/lfs/openvpn 
@@ -1,7 +1,7 @@ ############################################################################### # # # IPFire.org - A linux based firewall # -# Copyright (C) 2007-2013 IPFire Team # +# Copyright (C) 2007-2014 IPFire Team # # # # This program is free software: you can redistribute it and/or modify # # it under the terms of the GNU General Public License as published by # @@ -24,10 +24,10 @@ include Config -VER = 2.3.2 +VER = 2.3.4 THISAPP = openvpn-$(VER) -DL_FILE = $(THISAPP).tar.gz +DL_FILE = $(THISAPP).tar.xz DL_FROM = $(URL_IPFIRE) DIR_APP = $(DIR_SRC)/$(THISAPP) TARGET = $(DIR_INFO)/$(THISAPP) @@ -40,7 +40,7 @@ objects = $(DL_FILE) $(DL_FILE) = $(DL_FROM)/$(DL_FILE) -$(DL_FILE)_MD5 = 06e5f93dbf13f2c19647ca15ffc23ac1 +$(DL_FILE)_MD5 = 9b70be9fb45e407117c3c9b118e4ba22 install : $(TARGET) @@ -69,7 +69,7 @@ $(subst %,%_MD5,$(objects)) : $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) @$(PREBUILD) - @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar zxf $(DIR_DL)/$(DL_FILE) + @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar Jxf $(DIR_DL)/$(DL_FILE) cd $(DIR_APP) && ./configure \ --prefix=/usr \ --sysconfdir=/var/ipfire/ovpn \ From b2e75449a98f19e47b8aaf7623a6299749b21de6 Mon Sep 17 00:00:00 2001 
From: Michael Tremer Date: Sun, 11 May 2014 18:34:34 +0200 Subject: [PATCH 05/38] Revert "OpenVPN:Add HMAC, cipher 'n2n' and DH key selection. Fixes and new design." This reverts commit c2b5d12b3453c55afce7ef84451a65e130b0d80f. Conflicts: langs/de/cgi-bin/de.pl langs/en/cgi-bin/en.pl --- config/ovpn/openssl/ovpn.cnf | 92 ++++++++++----------- doc/language_issues.de | 18 ++--- doc/language_issues.en | 16 ++-- doc/language_issues.es | 4 - doc/language_issues.fr | 4 - doc/language_issues.nl | 4 - doc/language_issues.pl | 4 - doc/language_issues.ru | 4 - doc/language_issues.tr | 4 - doc/language_missings | 44 +++++----- html/cgi-bin/ovpnmain.cgi | 150 +++++++++++++++++++++-------------- langs/de/cgi-bin/de.pl | 22 ++--- langs/en/cgi-bin/en.pl | 14 ++-- 13 files changed, 195 insertions(+), 185 deletions(-) diff --git a/config/ovpn/openssl/ovpn.cnf b/config/ovpn/openssl/ovpn.cnf index ab026c109..d82c04b90 100644 --- a/config/ovpn/openssl/ovpn.cnf +++ b/config/ovpn/openssl/ovpn.cnf 
@@ -1,46 +1,46 @@ -HOME = . -RANDFILE = /var/ipfire/ovpn/ca/.rnd -oid_section = new_oids +HOME = . +RANDFILE = /var/ipfire/ovpn/ca/.rnd +oid_section = new_oids [ new_oids ] [ ca ] -default_ca = openvpn +default_ca = openvpn [ openvpn ] -dir = /var/ipfire/ovpn -certs = $dir/certs -crl_dir = $dir/crl -database = $dir/certs/index.txt -new_certs_dir = $dir/certs -certificate = $dir/ca/cacert.pem -serial = $dir/certs/serial -crl = $dir/crl.pem -private_key = $dir/ca/cakey.pem -RANDFILE = $dir/ca/.rand -x509_extensions = usr_cert -default_days = 999999 -default_crl_days = 30 -default_md = sha256 -preserve = no -policy = policy_match -email_in_dn = no +dir = /var/ipfire/ovpn +certs = $dir/certs +crl_dir = $dir/crl +database = $dir/certs/index.txt +new_certs_dir = $dir/certs +certificate = $dir/ca/cacert.pem +serial = $dir/certs/serial +crl = $dir/crl.pem +private_key = $dir/ca/cakey.pem +RANDFILE = $dir/ca/.rand +x509_extensions = usr_cert +default_days = 999999 +default_crl_days= 30 +default_md = md5 +preserve = no +policy = policy_match +email_in_dn = no [ policy_match ] -countryName = optional -stateOrProvinceName = optional -organizationName = optional -organizationalUnitName = optional -commonName = supplied -emailAddress = optional +countryName = optional +stateOrProvinceName = optional +organizationName = optional +organizationalUnitName = optional +commonName = supplied +emailAddress = optional [ req ] -default_bits = 2048 -default_keyfile = privkey.pem -distinguished_name = req_distinguished_name -attributes = req_attributes -x509_extensions = v3_ca -string_mask = nombstr +default_bits = 1024 +default_keyfile = privkey.pem +distinguished_name = req_distinguished_name +attributes = req_attributes +x509_extensions = v3_ca +string_mask = nombstr [ req_distinguished_name ] countryName = Country Name (2 letter code) 
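Review bot: Certificates issued by this CA will be signed with MD5 and new keys will default to 1024-bit RSA once `default_md = md5` (in `[ openvpn ]`) and `default_bits = 1024` (in `[ req ]`) land on the new side of this hunk, which is a real cryptographic regression independent of the HMAC/DH feature being backed out: MD5 has practical collision attacks and 1024-bit RSA is below the commonly accepted 2048-bit minimum. Even if the rest of the revert is intended, these two settings look worth keeping from the reverted commit, i.e. `default_md = sha256` and `default_bits = 2048`. Whether the OpenSSL build in this tree or existing clients would reject MD5-signed certificates cannot be told from the hunk, but with `default_days = 999999` present on both sides a weakly signed CA or host certificate would effectively never expire on its own.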
@@ -73,31 +73,31 @@ challengePassword_max = 20 unstructuredName = An optional company name [ usr_cert ] -basicConstraints = CA:FALSE +basicConstraints=CA:FALSE nsComment = "OpenSSL Generated Certificate" -subjectKeyIdentifier = hash -authorityKeyIdentifier = keyid,issuer:always +subjectKeyIdentifier=hash +authorityKeyIdentifier=keyid,issuer:always [ server ] # JY ADDED -- Make a cert with nsCertType set to "server" -basicConstraints = CA:FALSE +basicConstraints=CA:FALSE nsCertType = server nsComment = "OpenSSL Generated Server Certificate" -subjectKeyIdentifier = hash -authorityKeyIdentifier = keyid,issuer:always +subjectKeyIdentifier=hash +authorityKeyIdentifier=keyid,issuer:always [ v3_req ] -basicConstraints = CA:FALSE -keyUsage = nonRepudiation, digitalSignature, keyEncipherment +basicConstraints = CA:FALSE +keyUsage = nonRepudiation, digitalSignature, keyEncipherment [ v3_ca ] -subjectKeyIdentifier = hash -authorityKeyIdentifier = keyid:always,issuer:always -basicConstraints = CA:true +subjectKeyIdentifier=hash +authorityKeyIdentifier=keyid:always,issuer:always +basicConstraints = CA:true [ crl_ext ] -authorityKeyIdentifier = keyid:always,issuer:always +authorityKeyIdentifier=keyid:always,issuer:always [ engine ] -default = openssl +default = openssl diff --git a/doc/language_issues.de b/doc/language_issues.de index 3746d7d9b..650d41552 100644 --- a/doc/language_issues.de +++ b/doc/language_issues.de @@ -1,4 +1,3 @@ -WARNING: translation string unused: Client status and controlc WARNING: translation string unused: ConnSched scheduler WARNING: translation string unused: ConnSched select profile WARNING: translation string unused: HDD temperature 
@@ -364,6 +363,7 @@ WARNING: translation string unused: network time WARNING: translation string unused: network traffic graphs WARNING: translation string unused: network updated WARNING: translation string unused: networks settings +WARNING: translation string unused: never WARNING: translation string unused: new optionsfw must boot WARNING: translation string unused: no alcatelusb firmware WARNING: translation string unused: no cfg upload @@ -410,7 +410,10 @@ WARNING: translation string unused: outgoing firewall warning WARNING: translation string unused: override mtu WARNING: translation string unused: ovpn config WARNING: translation string unused: ovpn dl +WARNING: translation string unused: ovpn engines WARNING: translation string unused: ovpn log +WARNING: translation string unused: ovpn reneg sec +WARNING: translation string unused: ovpn_fastio WARNING: translation string unused: ovpn_fragment WARNING: translation string unused: ovpn_mssfix WARNING: translation string unused: ovpn_mtudisc @@ -456,16 +459,12 @@ WARNING: translation string unused: released WARNING: translation string unused: removable device advice WARNING: translation string unused: reportfile WARNING: translation string unused: requested data -WARNING: translation string unused: reserved dst port -WARNING: translation string unused: reserved src port WARNING: translation string unused: restore hardware settings WARNING: translation string unused: root WARNING: translation string unused: root path WARNING: translation string unused: root user password WARNING: translation string unused: route subnet is invalid WARNING: translation string unused: router ip -WARNING: translation string unused: rsvd dst port overlap -WARNING: translation string unused: rsvd src port overlap WARNING: translation string unused: rules already up to date WARNING: translation string unused: safe removal of umounted device WARNING: translation string unused: save error 
@@ -596,7 +595,6 @@ WARNING: translation string unused: use dov WARNING: translation string unused: use ibod WARNING: translation string unused: view log WARNING: translation string unused: vpn aggrmode -WARNING: translation string unused: vpn configuration main WARNING: translation string unused: vpn incompatible use of defaultroute WARNING: translation string unused: vpn mtu invalid WARNING: translation string unused: vpn on blue @@ -612,19 +610,21 @@ WARNING: translation string unused: xtaccess all error WARNING: translation string unused: xtaccess bad transfert WARNING: translation string unused: year-graph WARNING: translation string unused: yearly firewallhits -WARNING: untranslated string: Number of Countries for the pie chart WARNING: untranslated string: Scan for Songs WARNING: untranslated string: addons WARNING: untranslated string: bytes WARNING: untranslated string: community rules WARNING: untranslated string: dead peer detection +WARNING: untranslated string: dns servers +WARNING: untranslated string: downlink WARNING: untranslated string: emerging rules -WARNING: untranslated string: firewall logs country +WARNING: untranslated string: first WARNING: untranslated string: fwhost err hostip +WARNING: untranslated string: last WARNING: untranslated string: monitor interface WARNING: untranslated string: qos add subclass WARNING: untranslated string: route config changed WARNING: untranslated string: routing config added WARNING: untranslated string: routing config changed WARNING: untranslated string: routing table -WARNING: untranslated string: source ip country +WARNING: untranslated string: uplink diff --git a/doc/language_issues.en b/doc/language_issues.en index a64b82266..c32d0579b 100644 --- a/doc/language_issues.en +++ b/doc/language_issues.en 
@@ -1,4 +1,3 @@ -WARNING: translation string unused: Client status and controlc WARNING: translation string unused: ConnSched scheduler WARNING: translation string unused: ConnSched select profile WARNING: translation string unused: HDD temperature @@ -389,6 +388,7 @@ WARNING: translation string unused: network time WARNING: translation string unused: network traffic graphs WARNING: translation string unused: network updated WARNING: translation string unused: networks settings +WARNING: translation string unused: never WARNING: translation string unused: new optionsfw must boot WARNING: translation string unused: no alcatelusb firmware WARNING: translation string unused: no cfg upload @@ -436,7 +436,9 @@ WARNING: translation string unused: outgoing firewall warning WARNING: translation string unused: override mtu WARNING: translation string unused: ovpn config WARNING: translation string unused: ovpn dl +WARNING: translation string unused: ovpn engines WARNING: translation string unused: ovpn log +WARNING: translation string unused: ovpn reneg sec WARNING: translation string unused: ovpn_fastio WARNING: translation string unused: ovpn_fragment WARNING: translation string unused: ovpn_mssfix 
@@ -484,16 +486,12 @@ WARNING: translation string unused: released WARNING: translation string unused: removable device advice WARNING: translation string unused: reportfile WARNING: translation string unused: requested data -WARNING: translation string unused: reserved dst port -WARNING: translation string unused: reserved src port WARNING: translation string unused: restore hardware settings WARNING: translation string unused: root WARNING: translation string unused: root path WARNING: translation string unused: root user password WARNING: translation string unused: route subnet is invalid WARNING: translation string unused: router ip -WARNING: translation string unused: rsvd dst port overlap -WARNING: translation string unused: rsvd src port overlap WARNING: translation string unused: rules already up to date WARNING: translation string unused: safe removal of umounted device WARNING: translation string unused: save error @@ -631,7 +629,6 @@ WARNING: translation string unused: use dov WARNING: translation string unused: use ibod WARNING: translation string unused: view log WARNING: translation string unused: vpn aggrmode -WARNING: translation string unused: vpn configuration main WARNING: translation string unused: vpn incompatible use of defaultroute WARNING: translation string unused: vpn mtu invalid WARNING: translation string unused: vpn on blue 
@@ -647,13 +644,16 @@ WARNING: translation string unused: xtaccess all error WARNING: translation string unused: xtaccess bad transfert WARNING: translation string unused: year-graph WARNING: translation string unused: yearly firewallhits -WARNING: untranslated string: Number of Countries for the pie chart WARNING: untranslated string: Scan for Songs WARNING: untranslated string: bytes +WARNING: untranslated string: dns servers +WARNING: untranslated string: downlink +WARNING: untranslated string: first WARNING: untranslated string: fwhost err hostip +WARNING: untranslated string: last WARNING: untranslated string: monitor interface WARNING: untranslated string: route config changed WARNING: untranslated string: routing config added WARNING: untranslated string: routing config changed WARNING: untranslated string: routing table -WARNING: untranslated string: source ip country +WARNING: untranslated string: uplink diff --git a/doc/language_issues.es b/doc/language_issues.es index 92622bdaf..b274590af 100644 --- a/doc/language_issues.es +++ b/doc/language_issues.es 
@@ -420,16 +420,12 @@ WARNING: translation string unused: released WARNING: translation string unused: removable device advice WARNING: translation string unused: reportfile WARNING: translation string unused: requested data -WARNING: translation string unused: reserved dst port -WARNING: translation string unused: reserved src port WARNING: translation string unused: restore hardware settings WARNING: translation string unused: root WARNING: translation string unused: root path WARNING: translation string unused: root user password WARNING: translation string unused: route subnet is invalid WARNING: translation string unused: router ip -WARNING: translation string unused: rsvd dst port overlap -WARNING: translation string unused: rsvd src port overlap WARNING: translation string unused: rules already up to date WARNING: translation string unused: safe removal of umounted device WARNING: translation string unused: save error diff --git a/doc/language_issues.fr b/doc/language_issues.fr index 65e036fa8..935d991e6 100644 --- a/doc/language_issues.fr +++ b/doc/language_issues.fr 
@@ -431,16 +431,12 @@ WARNING: translation string unused: released WARNING: translation string unused: removable device advice WARNING: translation string unused: reportfile WARNING: translation string unused: requested data -WARNING: translation string unused: reserved dst port -WARNING: translation string unused: reserved src port WARNING: translation string unused: restore hardware settings WARNING: translation string unused: root WARNING: translation string unused: root path WARNING: translation string unused: root user password WARNING: translation string unused: route subnet is invalid WARNING: translation string unused: router ip -WARNING: translation string unused: rsvd dst port overlap -WARNING: translation string unused: rsvd src port overlap WARNING: translation string unused: rules already up to date WARNING: translation string unused: safe removal of umounted device WARNING: translation string unused: save error diff --git a/doc/language_issues.nl b/doc/language_issues.nl index e06e8a75c..6115f6298 100644 --- a/doc/language_issues.nl +++ b/doc/language_issues.nl 
@@ -485,16 +485,12 @@ WARNING: translation string unused: released WARNING: translation string unused: removable device advice WARNING: translation string unused: reportfile WARNING: translation string unused: requested data -WARNING: translation string unused: reserved dst port -WARNING: translation string unused: reserved src port WARNING: translation string unused: restore hardware settings WARNING: translation string unused: root WARNING: translation string unused: root path WARNING: translation string unused: root user password WARNING: translation string unused: route subnet is invalid WARNING: translation string unused: router ip -WARNING: translation string unused: rsvd dst port overlap -WARNING: translation string unused: rsvd src port overlap WARNING: translation string unused: rules already up to date WARNING: translation string unused: safe removal of umounted device WARNING: translation string unused: save error diff --git a/doc/language_issues.pl b/doc/language_issues.pl index 92622bdaf..b274590af 100644 --- a/doc/language_issues.pl +++ b/doc/language_issues.pl 
@@ -420,16 +420,12 @@ WARNING: translation string unused: released WARNING: translation string unused: removable device advice WARNING: translation string unused: reportfile WARNING: translation string unused: requested data -WARNING: translation string unused: reserved dst port -WARNING: translation string unused: reserved src port WARNING: translation string unused: restore hardware settings WARNING: translation string unused: root WARNING: translation string unused: root path WARNING: translation string unused: root user password WARNING: translation string unused: route subnet is invalid WARNING: translation string unused: router ip -WARNING: translation string unused: rsvd dst port overlap -WARNING: translation string unused: rsvd src port overlap WARNING: translation string unused: rules already up to date WARNING: translation string unused: safe removal of umounted device WARNING: translation string unused: save error diff --git a/doc/language_issues.ru b/doc/language_issues.ru index fbf4d46ef..18d93a7eb 100644 --- a/doc/language_issues.ru +++ b/doc/language_issues.ru 
@@ -425,16 +425,12 @@ WARNING: translation string unused: released WARNING: translation string unused: removable device advice WARNING: translation string unused: reportfile WARNING: translation string unused: requested data -WARNING: translation string unused: reserved dst port -WARNING: translation string unused: reserved src port WARNING: translation string unused: restore hardware settings WARNING: translation string unused: root WARNING: translation string unused: root path WARNING: translation string unused: root user password WARNING: translation string unused: route subnet is invalid WARNING: translation string unused: router ip -WARNING: translation string unused: rsvd dst port overlap -WARNING: translation string unused: rsvd src port overlap WARNING: translation string unused: rules already up to date WARNING: translation string unused: safe removal of umounted device WARNING: translation string unused: save error diff --git a/doc/language_issues.tr b/doc/language_issues.tr index 816967cd3..ad6086cf5 100644 --- a/doc/language_issues.tr +++ b/doc/language_issues.tr 
@@ -484,16 +484,12 @@ WARNING: translation string unused: released WARNING: translation string unused: removable device advice WARNING: translation string unused: reportfile WARNING: translation string unused: requested data -WARNING: translation string unused: reserved dst port -WARNING: translation string unused: reserved src port WARNING: translation string unused: restore hardware settings WARNING: translation string unused: root WARNING: translation string unused: root path WARNING: translation string unused: root user password WARNING: translation string unused: route subnet is invalid WARNING: translation string unused: router ip -WARNING: translation string unused: rsvd dst port overlap -WARNING: translation string unused: rsvd src port overlap WARNING: translation string unused: rules already up to date WARNING: translation string unused: safe removal of umounted device WARNING: translation string unused: save error diff --git a/doc/language_missings b/doc/language_missings index b8fe1b475..939d4b9a5 100644 --- a/doc/language_missings +++ b/doc/language_missings @@ -90,8 +90,6 @@ < dnsforward entries < dnsforward forward_server < dnsforward zone -< dns servers -< downlink < dpd delay < dpd timeout < drop action @@ -119,8 +117,8 @@ < fireinfo why enable < fireinfo why read more < fireinfo your profile id +< firewall logs country < firewall rules -< first < flag < forward firewall < fw default drop @@ -319,7 +317,6 @@ < ipsec < ipsec network < ipsec no connections -< last < least preferred < lifetime < mac filter @@ -342,11 +339,13 @@ < modem sim information < modem status < most preferred +< never < no hardware random number generator < not a valid dh key < notice < ntp common settings < ntp sync +< Number of Countries for the pie chart < openvpn default < openvpn destination port used < openvpn disabled @@ -364,6 +363,7 @@ < ovpn crypt options < ovpn dh < ovpn dh name +< ovpn engines < ovpn generating the root and host certificates < ovpn ha < ovpn hmac 
@@ -377,6 +377,7 @@ < ovpn mtu-disc yes < ovpn no connections < ovpn port in root range +< ovpn reneg sec < p2p block < p2p block save notice < proxy reports @@ -392,6 +393,7 @@ < snat new source ip address < snort working < software version +< source ip country < ssh < static routes < support donation @@ -453,7 +455,6 @@ < tor use exit nodes < updxlrtr sources < updxlrtr standard view -< uplink < upload dh key < upload new ruleset < uptime @@ -600,8 +601,6 @@ < dnsforward entries < dnsforward forward_server < dnsforward zone -< dns servers -< downlink < dpd delay < dpd timeout < drop action @@ -629,8 +628,8 @@ < fireinfo why enable < fireinfo why read more < fireinfo your profile id +< firewall logs country < firewall rules -< first < flag < forward firewall < fw default drop @@ -829,7 +828,6 @@ < ipsec < ipsec network < ipsec no connections -< last < least preferred < lifetime < mac filter @@ -852,9 +850,11 @@ < modem sim information < modem status < most preferred +< never < no hardware random number generator < not a valid dh key < notice +< Number of Countries for the pie chart < openvpn default < openvpn destination port used < openvpn disabled @@ -886,6 +886,7 @@ < ovpn crypt options < ovpn dh < ovpn dh name +< ovpn engines < ovpn errmsg green already pushed < ovpn errmsg invalid ip or mask < ovpn generating the root and host certificates @@ -901,6 +902,7 @@ < ovpn mtu-disc yes < ovpn no connections < ovpn port in root range +< ovpn reneg sec < ovpn routes push < ovpn routes push options < p2p block @@ -918,6 +920,7 @@ < show dh < snat new source ip address < software version +< source ip country < ssh < static routes < support donation @@ -979,7 +982,6 @@ < tor use exit nodes < updxlrtr sources < updxlrtr standard view -< uplink < upload dh key < uptime < uptime load average @@ -1102,8 +1104,6 @@ < dnsforward entries < dnsforward forward_server < dnsforward zone -< dns servers -< downlink < dpd delay < dpd timeout < drop action 
@@ -1123,8 +1123,8 @@ < extrahd unable to read < extrahd unable to write < extrahd you cant mount +< firewall logs country < firewall rules -< first < flag < forward firewall < fw default drop @@ -1323,7 +1323,6 @@ < ipsec < ipsec network < ipsec no connections -< last < least preferred < lifetime < mac filter @@ -1346,9 +1345,11 @@ < modem sim information < modem status < most preferred +< never < no hardware random number generator < not a valid dh key < notice +< Number of Countries for the pie chart < openvpn default < openvpn destination port used < openvpn disabled @@ -1366,6 +1367,7 @@ < ovpn crypt options < ovpn dh < ovpn dh name +< ovpn engines < ovpn errmsg green already pushed < ovpn errmsg invalid ip or mask < ovpn generating the root and host certificates @@ -1381,6 +1383,7 @@ < ovpn mtu-disc yes < ovpn no connections < ovpn port in root range +< ovpn reneg sec < ovpn routes push < ovpn routes push options < p2p block @@ -1397,6 +1400,7 @@ < show dh < snat new source ip address < software version +< source ip country < ssh < static routes < support donation @@ -1457,7 +1461,6 @@ < tor use exit nodes < updxlrtr sources < updxlrtr standard view -< uplink < upload dh key < uptime < uptime load average @@ -1583,8 +1586,6 @@ < dnsforward entries < dnsforward forward_server < dnsforward zone -< dns servers -< downlink < dpd delay < dpd timeout < drop action @@ -1605,8 +1606,8 @@ < extrahd unable to read < extrahd unable to write < extrahd you cant mount +< firewall logs country < firewall rules -< first < flag < forward firewall < frequency @@ -1808,7 +1809,6 @@ < ipsec < ipsec network < ipsec no connections -< last < least preferred < lifetime < mac filter @@ -1832,9 +1832,11 @@ < modem status < month-graph < most preferred +< never < no hardware random number generator < not a valid dh key < notice +< Number of Countries for the pie chart < openvpn default < openvpn destination port used < openvpn disabled 
@@ -1853,6 +1855,7 @@ < ovpn crypt options < ovpn dh < ovpn dh name +< ovpn engines < ovpn generating the root and host certificates < ovpn ha < ovpn hmac @@ -1866,6 +1869,7 @@ < ovpn mtu-disc yes < ovpn no connections < ovpn port in root range +< ovpn reneg sec < p2p block < p2p block save notice < proxy reports @@ -1880,6 +1884,7 @@ < show dh < snat new source ip address < software version +< source ip country < ssh < static routes < support donation @@ -1940,7 +1945,6 @@ < tor use exit nodes < updxlrtr sources < updxlrtr standard view -< uplink < upload dh key < uptime < uptime load average diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi index dec27b722..ceb63d456 100644 --- a/html/cgi-bin/ovpnmain.cgi +++ b/html/cgi-bin/ovpnmain.cgi 
@@ -226,6 +226,50 @@ sub checkportinc } } +# Darren Critchley - certain ports are reserved for IPFire +# TCP 67,68,81,222,444 +# UDP 67,68 +# Params passed in -> port, rangeyn, protocol +sub disallowreserved +{ + # port 67 and 68 same for tcp and udp, don't bother putting in an array + my $msg = ""; + my @tcp_reserved = (81,222,444); + my $prt = $_[0]; # the port or range + my $ryn = $_[1]; # tells us whether or not it is a port range + my $prot = $_[2]; # protocol + my $srcdst = $_[3]; # source or destination + if ($ryn) { # disect port range + if ($srcdst eq "src") { + $msg = "$Lang::tr{'rsvd src port overlap'}"; + } else { + $msg = "$Lang::tr{'rsvd dst port overlap'}"; + } + my @tmprng = split(/\:/,$prt); + unless (67 < $tmprng[0] || 67 > $tmprng[1]) { $errormessage="$msg 67"; return; } + unless (68 < $tmprng[0] || 68 > $tmprng[1]) { $errormessage="$msg 68"; return; } + if ($prot eq "tcp") { + foreach my $prange (@tcp_reserved) { + unless ($prange < $tmprng[0] || $prange > $tmprng[1]) { $errormessage="$msg $prange"; return; } + } + } + } else { + if ($srcdst eq "src") { + $msg = "$Lang::tr{'reserved src port'}"; + } else { + $msg = "$Lang::tr{'reserved dst port'}"; + } + if ($prt == 67) { $errormessage="$msg 67"; return; } + if ($prt == 68) { $errormessage="$msg 68"; return; } + if ($prot eq "tcp") { + foreach my $prange (@tcp_reserved) { + if ($prange == $prt) { $errormessage="$msg $prange"; return; } + } + } + } + return; +} + sub writeserverconf { my %sovpnsettings = (); @@ -318,11 +362,7 @@ sub writeserverconf { print CONF "status-version 1\n"; print CONF "status /var/log/ovpnserver.log 30\n"; print CONF "cipher $sovpnsettings{DCIPHER}\n"; - if ($sovpnsettings{'DAUTH'} eq '') { - print CONF ""; - } else { - print CONF "auth $sovpnsettings{'DAUTH'}\n"; - } + print CONF "auth $sovpnsettings{DAUTH}\n"; if ($sovpnsettings{DCOMPLZO} eq 'on') { print CONF "comp-lzo\n"; } 
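Review bot: In the re-added `disallowreserved`, the range branch splits `$prt` on `:` and compares both halves numerically without checking that the split produced two values, so if `$ryn` is true but `$prt` carries no colon, `$tmprng[1]` is undef, `67 > $tmprng[1]` evaluates true and the reserved-port check is silently skipped; a non-numeric `$prt` in the single-port branch is likewise compared as 0. A guard at the top of the range branch, e.g. `unless (@tmprng == 2 && $tmprng[0] =~ /^\d+$/ && $tmprng[1] =~ /^\d+$/) { $errormessage = $msg; return; }`, would close that, though whether the callers (outside this hunk) already validate port syntax cannot be told from here. The function also reports through the package global `$errormessage` instead of a return value, which every caller must remember to inspect; a comment such as `# Sets the global $errormessage on a conflict and returns nothing; callers must check it` would make that contract visible.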
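Review bot: The new `print CONF "auth $sovpnsettings{DAUTH}\n";` in `writeserverconf` writes a bare `auth` directive whenever `DAUTH` is empty or unset, and OpenVPN rejects a config with `auth` lacking its algorithm argument, so the server would fail to start on any installation whose settings file has no `DAUTH` value. If such settings files can exist (the hunk does not show where `DAUTH` is populated), either keep the empty-value guard, `print CONF "auth $sovpnsettings{DAUTH}\n" if $sovpnsettings{DAUTH} ne '';`, or make sure a default is written into the settings before this line is reached. `writeserverconf` begins and ends outside this hunk.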
@@ -519,7 +559,7 @@ sub getccdadresses my @iprange=(); my %ccdhash=(); &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%ccdhash); - $iprange[0]=$ip1.".".$ip2.".".$ip3.".".($ip4+2); + $iprange[0]=$ip1.".".$ip2.".".$ip3.".".2; for (my $i=1;$i<=$count;$i++) { my $tmpip=$iprange[$i-1]; my $stepper=$i*4; @@ -1330,6 +1370,7 @@ END } } + ### ### Upload CA Certificate ### @@ -2207,11 +2248,7 @@ else $zip->addFile( "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem", "$confighash{$cgiparams{'KEY'}}[1]cert.pem") or die "Can't add file $confighash{$cgiparams{'KEY'}}[1]cert.pem\n"; } print CLIENTCONF "cipher $vpnsettings{DCIPHER}\r\n"; - if ($vpnsettings{'DAUTH'} eq '') { - print CLIENTCONF ""; - } else { - print CLIENTCONF "auth $vpnsettings{'DAUTH'}\r\n"; - } + print CLIENTCONF "auth $vpnsettings{DAUTH}\r\n"; if ($vpnsettings{DCOMPLZO} eq 'on') { print CLIENTCONF "comp-lzo\r\n"; } @@ -2320,8 +2357,7 @@ if ($confighash{$cgiparams{'KEY'}}[3] eq 'net') { } else { $errormessage = $Lang::tr{'invalid key'}; } - - &General::firewall_reload(); + &General::firewall_reload(); ### ### Download PKCS12 file @@ -2383,21 +2419,19 @@ if ($confighash{$cgiparams{'KEY'}}[3] eq 'net') { } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'show crl'}) { # &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash); - if (! -e "${General::swroot}/ovpn/crls/cacrl.pem") { - $errormessage = $Lang::tr{'not present'}; - } else { - &Header::showhttpheaders(); - &Header::openpage($Lang::tr{'ovpn'}, 1, ''); - &Header::openbigbox('100%', 'LEFT', '', ''); - &Header::openbox('100%', 'LEFT', "$Lang::tr{'crl'}:"); - my $output = `/usr/bin/openssl crl -text -noout -in ${General::swroot}/ovpn/crls/cacrl.pem`; - $output = &Header::cleanhtml($output,"y"); - print "
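Review bot: The first pool address is now hard-coded to host `.2` and `$ip4` no longer participates in the expression; if `$ip4` is still derived earlier in `getccdadresses` (the function starts before this hunk) it may now be dead there, and the reason `($ip4+2)` was wrong is not recorded anywhere. A short comment on the changed line, e.g. `# first client address of the ccd net is always x.x.x.2`, would capture the intent — please confirm that is the actual rationale before adding it.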
$output
\n"; - &Header::closebox(); - print ""; - &Header::closebigbox(); - &Header::closepage(); - exit(0); + if ( -f "${General::swroot}/ovpn/crls/cacrl.pem") { + &Header::showhttpheaders(); + &Header::openpage($Lang::tr{'ovpn'}, 1, ''); + &Header::openbigbox('100%', 'LEFT', '', ''); + &Header::openbox('100%', 'LEFT', "$Lang::tr{'crl'}:"); + my $output = `/usr/bin/openssl crl -text -noout -in ${General::swroot}/ovpn/crls/cacrl.pem`; + $output = &Header::cleanhtml($output,"y"); + print "
$output
\n"; + &Header::closebox(); + print ""; + &Header::closebigbox(); + &Header::closepage(); + exit(0); } ### @@ -2478,7 +2512,7 @@ ADV_ERROR: &Header::openbox('100%', 'LEFT', $Lang::tr{'advanced server'}); print < - +
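Review bot: The rewrite drops the `$Lang::tr{'not present'}` feedback: with `if ( -f ...)` a missing `cacrl.pem` now falls through silently instead of setting `$errormessage`, so an operator choosing 'show crl' gets no indication why nothing was displayed. If the intent is only to require a regular file rather than any existing path, keep the message in an else branch: `} else { $errormessage = $Lang::tr{'not present'}; }`. The backtick `openssl crl` call interpolates only `${General::swroot}`, which appears to be a configuration constant rather than request input, so the shell invocation itself is unchanged in risk.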
@@ -2550,7 +2584,6 @@ print < - @@ -2599,12 +2632,12 @@ print < @@ -2688,10 +2721,10 @@ if ($cgiparams{'ACTION'} eq "edit"){ &Header::openbox('100%', 'LEFT', $Lang::tr{'ccd modify'}); print < +
$Lang::tr{'dhcp-options'}
mssfix $Lang::tr{'openvpn default'}: on
$Lang::tr{'ovpn mtu-disc'}
$Lang::tr{'ovpn ha'} Default: SHA1 (160 $Lang::tr{'bit'})
- + @@ -2751,7 +2784,7 @@ END print" + END ; } @@ -2990,7 +3023,7 @@ if ( -s "${General::swroot}/ovpn/settings") { - + @@ -3723,14 +3756,13 @@ if ($cgiparams{'TYPE'} eq 'net') { unlink ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}/$cgiparams{'NAME'}.conf") or die "Removing Configfile fail: $!"; rmdir ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}") || die "Removing Directory fail: $!"; goto VPNCONF_ERROR; - } - #Check if remote subnet is used elsewhere - my ($n2nip,$n2nsub)=split("/",$cgiparams{'REMOTE_SUBNET'}); - $warnmessage=&General::checksubnets('',$n2nip,'ovpn'); - if ($warnmessage){ - $warnmessage=$Lang::tr{'remote subnet'}." ($cgiparams{'REMOTE_SUBNET'})
".$warnmessage; - } - + } + #Check if remote subnet is used elsewhere + my ($n2nip,$n2nsub)=split("/",$cgiparams{'REMOTE_SUBNET'}); + $warnmessage=&General::checksubnets('',$n2nip,'ovpn'); + if ($warnmessage){ + $warnmessage=$Lang::tr{'remote subnet'}." ($cgiparams{'REMOTE_SUBNET'})
".$warnmessage; + } } # if (($cgiparams{'TYPE'} eq 'net') && ($cgiparams{'SIDE'} !~ /^(left|right)$/)) { @@ -4605,7 +4637,7 @@ if ($cgiparams{'TYPE'} eq 'host') { - + @@ -4869,15 +4901,15 @@ END &Header::closebox(); } - if ($warnmessage) { - &Header::openbox('100%', 'LEFT', $Lang::tr{'warning messages'}); - print "$warnmessage
"; - print "$Lang::tr{'fwdfw warn1'}
"; - &Header::closebox(); - print"
"; - &Header::closepage(); - exit 0; - } + if ($warnmessage) { + &Header::openbox('100%', 'LEFT', $Lang::tr{'warning messages'}); + print "$warnmessage
"; + print "$Lang::tr{'fwdfw warn1'}
"; + &Header::closebox(); + print"
"; + &Header::closepage(); + exit 0; + } my $sactive = "
$Lang::tr{'ccd name'}:$Lang::tr{'ccd subnet'}:
$Lang::tr{'ccd subnet'}:

$ccdconf[0]$ccdconf[1]$ccdhosts/".(&ccdmaxclients($ccdconf[1])+1).""; print < - + @@ -2760,7 +2793,7 @@ END -
$Lang::tr{'net to net vpn'} (Upload Client Package)
 
 Import Connection Name
 $Lang::tr{'openvpn default'}: Client Packagename
 Default : Client Packagename

* $Lang::tr{'this field may be blank'}
  $Lang::tr{'pkcs12 file password'}:
 $Lang::tr{'pkcs12 file password'}:
($Lang::tr{'confirmation'})
 $Lang::tr{'pkcs12 file password'}:
($Lang::tr{'confirmation'})
 

$Lang::tr{'stopped'}
"; my $srunning = "no"; @@ -4891,7 +4923,7 @@ END } &Header::openbox('100%', 'LEFT', $Lang::tr{'global settings'}); print < + diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl index 10dd03bdf..ab12e9ead 100644 --- a/langs/de/cgi-bin/de.pl +++ b/langs/de/cgi-bin/de.pl @@ -1,7 +1,7 @@ %tr = ( %tr, -'Act as' => 'Konfiguriert als', +'Act as' => 'Konfiguriert als:', 'Add Level7 rule' => 'Level7-Regel hinzufügen', 'Add Port Rule' => 'Port-Regel hinzufügen', 'Add Rule' => 'Regel hinzufügen', @@ -10,7 +10,6 @@ 'Choose Rule' => 'Wählen Sie eine der untenstehenden Regeln aus.', 'Class' => 'Klasse', 'Class was deleted' => 'wurde mit eventuell vorhandenen Unterklassen gelöscht', -'Client status and controlc' => 'Client-Status und -Kontrolle', 'ConnSched action' => 'Aktion:', 'ConnSched add action' => 'Aktion hinzufügen', 'ConnSched change profile title' => 'Wechsle zu Profil:', @@ -39,7 +38,8 @@ 'Local VPN IP' => 'Internes Netzwerk (GREEN)', 'MB read' => 'MB gelesen', 'MB written' => 'MB geschrieben', -'MTU' => 'MTU Size:', +'MTU' => 'MTU Size', +'Number of Countries for the pie chart' => 'Anzahl der angezeigten Länder im Diagramm', 'Number of IPs for the pie chart' => 'Anzahl der angezeigten IPs im Diagramm', 'Number of Ports for the pie chart' => 'Anzahl der angezeigten Ports im Diagramm', 'OVPN' => 'OpenVPN', @@ -736,8 +736,7 @@ 'dns proxy server' => 'DNS-Proxyserver', 'dns saved' => 'Erfolgreich gespeichert!', 'dns saved txt' => 'Die beiden eingegebenen DNS-Server-Adressen wurde erfolgreich gespeichert.
Um die Änderung wirksam zu machen, müssen Sie neustarten oder wiederverbinden!', -'dns server' => 'DNS-Server', -'dns servers' => 'DNS-Server', +'dns server' => 'DNS Server', 'dns title' => 'Domain Name System', 'dnsforward' => 'DNS-Weiterleitung', 'dnsforward add a new entry' => 'Neuen Eintrag hinzufügen', @@ -761,7 +760,6 @@ 'donation-text' => 'IPFire wird von Freiwilligen in ihrer Freizeit betrieben und auch betreut. Um dieses Projekt am Laufen zu halten, entstehen uns natürlich auch Kosten. Wenn Sie uns unterstützen wollen, würden wir uns über eine kleine Spende sehr freuen.', 'dos charset' => 'DOS Charset', 'down and up speed' => 'Geben Sie bitte hier ihre Download- bzw. Upload-Geschwindigkeit ein
und klicken Sie danach auf Speichern.', -'downlink' => 'Downlink', 'downlink speed' => 'Downlink-Geschwindigkeit (kBit/sek)', 'downlink std class' => 'Downloadstandardklasse', 'download' => 'herunterladen', @@ -907,13 +905,13 @@ 'firewall log' => 'Firewall-Protokoll', 'firewall log viewer' => 'Betrachter der Firewall-Logdateien', 'firewall logs' => 'Firewall-Logdateien', +'firewall logs country' => 'Fw-Logdiagramme (Land)', 'firewall logs ip' => 'Fw-Logdiagramme (IP)', 'firewall logs port' => 'Fw-Logdiagramme (Port)', 'firewall rules' => 'Firewallregeln', 'firewallhits' => 'Firewalltreffer', 'firmware' => 'Firmware', 'firmware upload' => 'Hochladen der Firmware/Treiber', -'first' => 'Erste', 'fixed ip lease added' => 'Feste IP-Zuordnung hinzugefügt', 'fixed ip lease modified' => 'Feste IP-Zuordnung geändert', 'fixed ip lease removed' => 'Feste IP-Zuordnung gelöscht', @@ -1339,7 +1337,6 @@ 'lan' => 'LAN', 'lang' => 'de', 'languagepurpose' => 'Wählen Sie eine Sprache, in der IPFire angezeigt werden soll:', -'last' => 'Letzte', 'last activity' => 'Letzte Aktivität', 'lateprompting' => 'Late prompting', 'lease expires' => 'Zuordnung verfällt', @@ -1544,6 +1541,7 @@ 'network traffic graphs others' => 'Netzwerk (sonstige)', 'network updated' => 'Benutzerdefiniertes Netzwerk aktualisiert', 'networks settings' => 'Firewall - Netzwerkeinstellungen', +'never' => 'Nie', 'new optionsfw later' => 'Einige Einstellungen werden erst nach einem Neustart aktiv', 'new optionsfw must boot' => 'Sie müssen Ihren IPFire neu starten', 'newer' => 'Neuer', 
@@ -1662,6 +1660,7 @@ 'ovpn dh' => 'Diffie-Hellman Key Länge', 'ovpn dh name' => 'Diffie-Hellman Key Name', 'ovpn dl' => 'OVPN-Konfiguration downloaden', +'ovpn engines' => 'Krypto Engine', 'ovpn errmsg green already pushed' => 'Route für grünes Netzwerk wird immer gesetzt', 'ovpn errmsg invalid ip or mask' => 'Ungültige Netzwerk-Adresse oder Subnetzmaske', 'ovpn generating the root and host certificates' => 'Die Erzeugung der Root- und Host-Zertifikate kann lange Zeit dauern.', @@ -1681,12 +1680,14 @@ 'ovpn on orange' => 'OpenVPN auf ORANGE:', 'ovpn on red' => 'OpenVPN auf ROT:', 'ovpn port in root range' => 'Ein Port von 1024 oder höher ist erforderlich.', +'ovpn reneg sec' => 'Session Key Lifetime', 'ovpn routes push' => 'Routen (eine pro Zeile) z.b. 192.168.10.0/255.255.255.0 192.168.20.0/24', 'ovpn routes push options' => 'Route push Optionen', -'ovpn server status' => 'OpenVPN-Server-Status', +'ovpn server status' => 'OpenVPN-Server-Status:', 'ovpn subnet' => 'OpenVPN-Subnetz:', 'ovpn subnet is invalid' => 'Das OpenVPN-Subnetz ist ungültig.', 'ovpn subnet overlap' => 'OpenVPNSubnetz überschneidet sich mit ', +'ovpn_fastio' => 'Fast-IO', 'ovpn_fragment' => 'Fragmentgrösse', 'ovpn_mssfix' => 'MSSFIX-Grösse', 'ovpn_mtudisc' => 'MTU-Discovery', @@ -1965,6 +1966,7 @@ 'source ip' => 'Quell-IP-Adresse', 'source ip and port' => 'Quell-IP:Port', 'source ip bad' => 'Ungültige Quell-IP-Adresse.', +'source ip country' => 'Quell-IP-Adresse Land', 'source ip in use' => 'Benutzte Quell-IP:', 'source ip or net' => 'Quellen-IP oder Netz', 'source net' => 'Quell-Netz', @@ -2256,7 +2258,6 @@ 'updxlrtr weekly' => 'wöchentlich', 'updxlrtr year' => 'einem Jahr', 'upgrade' => 'upgrade', -'uplink' => 'Uplink', 'uplink speed' => 'Uplink-Geschwindigkeit (kBit/sek)', 'uplink std class' => 'Uploadstandardklasse', 'upload' => 'Hochladen', 
@@ -2514,7 +2515,6 @@ 'vpn aggrmode' => 'IKE Aggressive Mode zugelassen. Wenn möglich, vermeiden (preshared Schlüssel wird im Klartext übertragen)!', 'vpn altname syntax' => 'Der Subjekt Alternativ Name ist eine durch Komma getrennte Liste von Email, DNS, URI, RID und IP Objekten.
Email: eine Email Adresse. Syntax Email: \'copy\' benutzt die Email Adresse aus dem Zertifikatfeld.
DNS: ein gültiger Domain Name.
URI: eine gültige URI.
RID: Registriertes Objekt Identifikation.
IP: eine IP Adresse.
Bitte beachten: der Zeichensatz ist eingeschränkt und die Groß-/Kleinschreibung ist entscheidend.
Beispiel:
email:info@ipfire.org,email:copy,DNS:www.ipfire.org,IP:127.0.0.1,URI:http://url/nach/irgendwo', 'vpn auth-dn' => 'Peer wird identifiziert durch entweder ein IPV4_ADDR, FQDN, USER_FQDN oder DER_ASN1_DN string in Remote ID Feld', -'vpn configuration main' => 'VPN-Konfiguration', 'vpn delayed start' => 'Verzögerung bevor VPN gestartet wird (Sekunden)', 'vpn delayed start help' => 'Falls notwendig, kann diese Verzögerung dazu verwendet werden, um Dynamic-DNS-Updates ordnungsgemäß anzuwenden. 60 ist ein gängiger Wert, wenn ROT (RED) eine dynamische IP Adresse ist.', 'vpn incompatible use of defaultroute' => 'Hostname=%defaultroute nicht zulässig', diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl index 64a31a182..a865fea45 100644 --- a/langs/en/cgi-bin/en.pl +++ b/langs/en/cgi-bin/en.pl @@ -10,7 +10,6 @@ 'Choose Rule' => 'Choose one of the following rules.', 'Class' => 'Class', 'Class was deleted' => 'with potential subclasses was deleted', -'Client status and controlc' => 'Client status and control:', 'ConnSched action' => 'Action:', 'ConnSched add action' => 'Add action', 'ConnSched change profile title' => 'Change to profile:', @@ -40,6 +39,7 @@ 'MB read' => 'MB read', 'MB written' => 'MB written', 'MTU' => 'MTU size:', +'Number of Countries for the pie chart' => 'Number of Countries for the pie chart', 'Number of IPs for the pie chart' => 'Number of IPs for the pie chart', 'Number of Ports for the pie chart' => 'Number of ports for the pie chart', 'OVPN' => 'OpenVPN', @@ -424,7 +424,7 @@ 'behind a proxy' => 'Behind a proxy:', 'bewan adsl pci st' => 'TO BE REMOVED', 'bewan adsl usb' => 'TO BE REMOVED', -'bit' => 'Bit', +'bit' => 'bit', 'bitrate' => 'Bitrate', 'bleeding rules' => 'Bleeding Edge Snort Rules', 'blue' => 'BLUE', @@ -761,7 +761,6 @@ 'dns saved' => 'Successfully saved!', 'dns saved txt' => 'The two entered DNS server addresses have been saved successfully.
You have to reboot or reconnect that the changes have effect!', 'dns server' => 'DNS Server', -'dns servers' => 'DNS Servers', 'dns title' => 'Domain Name System', 'dnsforward' => 'DNS Forwarding', 'dnsforward add a new entry' => 'Add a new entry', @@ -786,7 +785,6 @@ 'done' => 'Do it', 'dos charset' => 'DOS Charset', 'down and up speed' => 'Enter your Down- and Uplink-Speed
and then press Save.', -'downlink' => 'Downlink', 'downlink speed' => 'Downlink speed (kbit/sec)', 'downlink std class' => 'downlink standard class', 'download' => 'download', @@ -940,7 +938,6 @@ 'firewallhits' => 'firewallhits', 'firmware' => 'Firmware', 'firmware upload' => 'Upload Firmware/Drivers', -'first' => 'First', 'fixed ip lease added' => 'Fixed IP lease added', 'fixed ip lease modified' => 'Fixed IP lease modified', 'fixed ip lease removed' => 'Fixed IP lease removed', @@ -1369,7 +1366,6 @@ 'lan' => 'LAN', 'lang' => 'en', 'languagepurpose' => 'Select the language you wish IPFire to display in:', -'last' => 'Last', 'last activity' => 'Last Activity', 'lateprompting' => 'Lateprompting', 'lease expires' => 'Lease expires', @@ -1574,6 +1570,7 @@ 'network traffic graphs others' => 'Network (others)', 'network updated' => 'Custom Network updated', 'networks settings' => 'Firewall - Network settings', +'never' => 'Never', 'new optionsfw later' => 'Some options need a reboot to take effect', 'new optionsfw must boot' => 'You must reboot your IPFire', 'newer' => 'Newer', @@ -1693,6 +1690,7 @@ 'ovpn dh' => 'Diffie-Hellman key lenght', 'ovpn dh name' => 'Diffie-Hellman key name', 'ovpn dl' => 'OVPN-Config Download', +'ovpn engines' => 'Crypto engine', 'ovpn errmsg green already pushed' => 'Route for green network is always set', 'ovpn errmsg invalid ip or mask' => 'Invalid network-address or subnetmask', 'ovpn generating the root and host certificates' => 'Generating the root and host certifictae can take a long time.', @@ -1712,6 +1710,7 @@ 'ovpn on orange' => 'OpenVPN on ORANGE:', 'ovpn on red' => 'OpenVPN on RED:', 'ovpn port in root range' => 'A port number of 1024 or higher is required.', +'ovpn reneg sec' => 'Session key lifetime:', 'ovpn routes push' => 'Routes (one per line) e.g. 192.168.10.0/255.255.255.0 192.168.20.0/24', 'ovpn routes push options' => 'Route push options', 'ovpn server status' => 'Current OpenVPN server status:', 
@@ -2002,6 +2001,7 @@ 'source ip' => 'Source IP', 'source ip and port' => 'Source IP: Port', 'source ip bad' => 'Not a valid IP address or a network address.', +'source ip country' => 'Source IP Country', 'source ip in use' => 'Source IP in use:', 'source ip or net' => 'Source IP or Net', 'source net' => 'Source Net', @@ -2296,7 +2296,6 @@ 'updxlrtr weekly' => 'weekly', 'updxlrtr year' => 'one year', 'upgrade' => 'upgrade', -'uplink' => 'Uplink', 'uplink speed' => 'Uplink speed (kbit/sec)', 'uplink std class' => 'uplink standard class', 'upload' => 'Upload', @@ -2555,7 +2554,6 @@ 'vpn aggrmode' => 'IKE aggressive mode allowed. Avoid if possible (preshared key is transmitted in clear text)!', 'vpn altname syntax' => 'SubjectAltName is a comma separated list of e-mail, dns, uri, rid and ip objects.
email:an email address. Syntax email:copy takes the email field from the cert to be used.
DNS:a valid domain name.
URI:any valid uri.
RID:registered object identifier.
IP:an IP address.
Note:charset is limited and case is significant.
Example:
e-mail:ipfire@foo.org,email:copy,DNS:www.ipfire.org,IP:127.0.0.1,URI:http://url/to/something', 'vpn auth-dn' => 'Peer is identified by either IPV4_ADDR, FQDN, USER_FQDN or DER_ASN1_DN string in remote ID field', -'vpn configuration main' => 'VPN Configuration', 'vpn delayed start' => 'Delay before launching VPN (seconds)', 'vpn delayed start help' => 'If required, this delay can be used to allow dynamic DNS updates to propagate properly. 60 is a common value when RED is a dynamic IP.', 'vpn incompatible use of defaultroute' => 'hostname=%defaultroute not allowed', From 1a200cffc994858c8cad91b9b00093d24f00e79a Mon Sep 17 00:00:00 2001 From: Arne Fitzenreiter Date: Sun, 11 May 2014 19:01:45 +0200 Subject: [PATCH 06/38] clamav: update to 0.98.3. --- config/rootfiles/packages/clamav | 8 +++++--- lfs/clamav | 7 ++++--- 2 files changed, 9 insertions(+), 6 deletions(-) diff --git a/config/rootfiles/packages/clamav b/config/rootfiles/packages/clamav index 885af45fc..e27eba6e5 100644 --- a/config/rootfiles/packages/clamav +++ b/config/rootfiles/packages/clamav @@ -4,21 +4,22 @@ usr/bin/clamconf usr/bin/clamdscan usr/bin/clamdtop usr/bin/clamscan +usr/bin/clamsubmit usr/bin/freshclam usr/bin/sigtool #usr/include/clamav.h #usr/lib/libclamav.la usr/lib/libclamav.so usr/lib/libclamav.so.6 -usr/lib/libclamav.so.6.1.20 +usr/lib/libclamav.so.6.1.22 #usr/lib/libclamunrar.la usr/lib/libclamunrar.so usr/lib/libclamunrar.so.6 -usr/lib/libclamunrar.so.6.1.20 +usr/lib/libclamunrar.so.6.1.22 #usr/lib/libclamunrar_iface.la usr/lib/libclamunrar_iface.so usr/lib/libclamunrar_iface.so.6 -usr/lib/libclamunrar_iface.so.6.1.20 +usr/lib/libclamunrar_iface.so.6.1.22 #usr/lib/pkgconfig/libclamav.pc usr/sbin/clamd usr/share/clamav @@ -27,6 +28,7 @@ usr/share/clamav #usr/share/man/man1/clamdscan.1 #usr/share/man/man1/clamdtop.1 #usr/share/man/man1/clamscan.1 +#usr/share/man/man1/clamsubmit.1 #usr/share/man/man1/freshclam.1 #usr/share/man/man1/sigtool.1 #usr/share/man/man5/clamav-milter.conf.5 
diff --git a/lfs/clamav b/lfs/clamav index 4a9a5a2ba..8cb849b5c 100644 --- a/lfs/clamav +++ b/lfs/clamav @@ -24,7 +24,7 @@ include Config -VER = 0.98.1 +VER = 0.98.3 THISAPP = clamav-$(VER) DL_FILE = $(THISAPP).tar.gz @@ -32,7 +32,7 @@ DL_FROM = $(URL_IPFIRE) DIR_APP = $(DIR_SRC)/$(THISAPP) TARGET = $(DIR_INFO)/$(THISAPP) PROG = clamav -PAK_VER = 24 +PAK_VER = 25 DEPS = "" @@ -48,7 +48,7 @@ objects = $(DL_FILE) $(DL_FILE) = $(DL_FROM)/$(DL_FILE) -$(DL_FILE)_MD5 = b1ec7b19dea8385954515ef1d63576d8 +$(DL_FILE)_MD5 = b649d35ee85d4d6075a98173dd255c17 install : $(TARGET) @@ -96,6 +96,7 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) # Disable PaX mprotect for clamd and freshclam paxctl -cm /usr/sbin/clamd + paxctl -cm /usr/bin/clamscan paxctl -cm /usr/bin/freshclam @rm -rf $(DIR_APP) From afe1107dc978dfae14c576cc1d9dc80c9e09107e Mon Sep 17 00:00:00 2001 From: Stefan Schantl Date: Sun, 11 May 2014 19:26:32 +0200 Subject: [PATCH 07/38] snort: Update to 2.9.6.1. --- config/rootfiles/common/snort | 4 +++- lfs/snort | 30 +++++++++++++++++++++--------- 2 files changed, 24 insertions(+), 10 deletions(-) diff --git a/config/rootfiles/common/snort b/config/rootfiles/common/snort index e35838d03..706c5f852 100644 --- a/config/rootfiles/common/snort +++ b/config/rootfiles/common/snort @@ -30,7 +30,6 @@ usr/bin/u2spewfoo #usr/include/snort/dynamic_preproc/bitop.h #usr/include/snort/dynamic_preproc/cpuclock.h #usr/include/snort/dynamic_preproc/file_api.h -#usr/include/snort/dynamic_preproc/file_lib.h #usr/include/snort/dynamic_preproc/idle_processing.h #usr/include/snort/dynamic_preproc/ipv6_port.h #usr/include/snort/dynamic_preproc/mempool.h 
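Review bot: The comment above the new line still reads `# Disable PaX mprotect for clamd and freshclam` although the hunk adds `paxctl -cm /usr/bin/clamscan`; update it to `# Disable PaX mprotect for clamd, clamscan and freshclam`. Since clamscan parses untrusted files, relaxing this exploit mitigation for it deserves a one-line justification in the same comment (which component needs writable-and-executable memory), so the exemption is not extended further by copy-paste later.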
@@ -180,11 +179,14 @@ usr/sbin/snort #usr/share/doc/snort/README.dnp3 #usr/share/doc/snort/README.dns #usr/share/doc/snort/README.event_queue +#usr/share/doc/snort/README.file +#usr/share/doc/snort/README.file_ips #usr/share/doc/snort/README.filters #usr/share/doc/snort/README.flowbits #usr/share/doc/snort/README.frag3 #usr/share/doc/snort/README.ftptelnet #usr/share/doc/snort/README.gre +#usr/share/doc/snort/README.ha #usr/share/doc/snort/README.http_inspect #usr/share/doc/snort/README.imap #usr/share/doc/snort/README.ipip diff --git a/lfs/snort b/lfs/snort index 2d5d04a12..45c17a8ad 100644 --- a/lfs/snort +++ b/lfs/snort @@ -24,7 +24,7 @@ include Config -VER = 2.9.5.3 +VER = 2.9.6.1 THISAPP = snort-$(VER) DL_FILE = $(THISAPP).tar.gz @@ -40,7 +40,7 @@ objects = $(DL_FILE) $(DL_FILE) = $(DL_FROM)/$(DL_FILE) -$(DL_FILE)_MD5 = f99465c0734a6173bfca899dcb72266b +$(DL_FILE)_MD5 = d7c0f1ddb2e70b70acdaa4664abb5fb0 install : $(TARGET) 
@@ -70,14 +70,26 @@ $(subst %,%_MD5,$(objects)) : $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) @$(PREBUILD) @rm -rf $(DIR_APP) $(DIR_SRC)/snort* && cd $(DIR_SRC) && tar zxf $(DIR_DL)/$(DL_FILE) - cd $(DIR_APP) && ./configure --prefix=/usr --disable-nls \ - --sysconfdir=/etc/snort --target=i586 \ - --enable-linux-smp-stats --enable-smb-alerts \ - --enable-gre --enable-mpls --enable-targetbased \ - --enable-decoder-preprocessor-rules --enable-ppm \ + cd $(DIR_APP) && ./configure \ + --prefix=/usr \ + --disable-nls \ + --sysconfdir=/etc/snort \ + --target=i586 \ + --enable-linux-smp-stats \ + --enable-smb-alerts \ + --enable-gre --enable-mpls \ + --enable-targetbased \ + --enable-decoder-preprocessor-rules \ + --enable-ppm \ --enable-non-ether-decoders \ - --enable-perfprofiling --enable-zlib --enable-active-response \ - --enable-normalizer --enable-reload --enable-react --enable-flexresp3 + --enable-perfprofiling \ + --enable-zlib \ + --enable-active-response \ + --enable-normalizer \ + --enable-reload \ + --enable-react \ + --enable-flexresp3 + cd $(DIR_APP) && make cd $(DIR_APP) && make install mv /usr/bin/snort /usr/sbin/ From 02c542d173228b45bde7895d9ecd1e00b7129769 Mon Sep 17 00:00:00 2001 From: Stefan Schantl Date: Wed, 29 Jan 2014 15:31:23 +0100 Subject: [PATCH 08/38] DDNS: Add support for twodns.de. This commit adds support for the dynamic dns service provider twodns.de. Fixes #10418. --- html/cgi-bin/ddns.cgi | 2 ++ src/scripts/setddns.pl | 34 ++++++++++++++++++++++++++++++++++ 2 files changed, 36 insertions(+) diff --git a/html/cgi-bin/ddns.cgi b/html/cgi-bin/ddns.cgi index 4e51ab6fd..ae981a42f 100644 --- a/html/cgi-bin/ddns.cgi +++ b/html/cgi-bin/ddns.cgi 
@@ -254,6 +254,7 @@ $checked{'SERVICE'}{'ovh.com'} = ''; $checked{'SERVICE'}{'regfish.com'} = ''; $checked{'SERVICE'}{'selfhost.de'} = ''; $checked{'SERVICE'}{'strato.com'} = ''; +$checked{'SERVICE'}{'twodns.de'} = ''; $checked{'SERVICE'}{'tzo.com'} = ''; $checked{'SERVICE'}{'zoneedit.com'} = ''; $checked{'SERVICE'}{$settings{'SERVICE'}} = "selected='selected'"; @@ -350,6 +351,7 @@ print <regfish.com + diff --git a/src/scripts/setddns.pl b/src/scripts/setddns.pl index f97e75074..939e9f254 100644 --- a/src/scripts/setddns.pl +++ b/src/scripts/setddns.pl 
@@ -650,6 +650,40 @@ if ($ip ne $ipcache) {
 &General::log("Dynamic DNS ip-update for $settings{'HOSTDOMAIN'} : failure (could not connect to server, check your credentials---$out-$response--)");
 }
 }
+ elsif ($settings{'SERVICE'} eq 'twodns.de') {
+ # use proxy ?
+ my %proxysettings;
+ &General::readhash("${General::swroot}/proxy/settings", \%proxysettings);
+ if ($_=$proxysettings{'UPSTREAM_PROXY'}) {
+ my ($peer, $peerport) = (/^(?:[a-zA-Z ]+\:\/\/)?(?:[A-Za-z0-9\_\.\-]*?(?:\:[A-Za-z0-9\_\.\-]*?)?\@)?([a-zA-Z0-9\.\_\-]*?)(?:\:([0-9]{1,5}))?(?:\/.*?)?$/);
+ Net::SSLeay::set_proxy($peer,$peerport,$proxysettings{'UPSTREAM_USER'},$proxysettings{'UPSTREAM_PASSWORD'} );
+ }
+
+ if ($settings{'HOSTNAME'} eq '') {
+ $settings{'HOSTDOMAIN'} = $settings{'DOMAIN'};
+ } else {
+ $settings{'HOSTDOMAIN'} = "$settings{'HOSTNAME'}.$settings{'DOMAIN'}";
+ }
+
+ my ($out, $response) = Net::SSLeay::get_https( 'update.twodns.de',
+ 443,
+ "/update?hostname=$settings{'HOSTDOMAIN'}&ip=$ip",
+ Net::SSLeay::make_headers('User-Agent' => 'IPFire',
+ 'Authorization' => 'Basic ' . encode_base64("$settings{'LOGIN'}:$settings{'PASSWORD'}")) );
+
+ # Valid response are 'ok' 'nochange'
+ if ($response =~ m%HTTP/1\.. 200 OK%) {
+ if ( $out !~ m/^(good|nochg)/ ) {
+ $out =~ s/\n/ /g;
+ &General::log("Dynamic DNS ip-update for $settings{'HOSTDOMAIN'} : failure ($out)");
+ } else {
+ &General::log("Dynamic DNS ip-update for $settings{'HOSTDOMAIN'} : success");
+ $success++;
+ }
+ } else {
+ &General::log("Dynamic DNS ip-update for $settings{'HOSTDOMAIN'} : failure (could not connect to server, check your credentials---$out-$response--)");
+ }
+ }
 else {
 if ($settings{'WILDCARDS'} eq 'on') {
 $settings{'WILDCARDS'} = '-w';
From b1ab4a4dd0cce83c838b9946f42d601776e9ca8a Mon Sep 17 00:00:00 2001
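Review bot: The comment `# Valid response are 'ok' 'nochange'` contradicts the check right below it, `$out !~ m/^(good|nochg)/`, so either the comment or the pattern is wrong and a successful update could be logged as a failure; please verify the provider's actual reply tokens and align both lines. The query string interpolates `$settings{'HOSTDOMAIN'}` and `$ip` without URL-encoding; if these values are validated on the settings page that is acceptable, otherwise a URL-escaping helper should be applied before they are placed in the path. The surrounding `if ($ip ne $ipcache)` block starts and ends outside this hunk.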
From: Stefan Ernst Date: Sun, 11 May 2014 19:53:00 +0200 Subject: [PATCH 09/38] DDNS: Add support for variomedia.de. This commit adds support for the dynamic dns service provider variomedia.de. Fixes #10485. --- html/cgi-bin/ddns.cgi | 2 ++ src/scripts/setddns.pl | 33 +++++++++++++++++++++++++++++++++ 2 files changed, 35 insertions(+) diff --git a/html/cgi-bin/ddns.cgi b/html/cgi-bin/ddns.cgi index ae981a42f..dc4649b4a 100644 --- a/html/cgi-bin/ddns.cgi +++ b/html/cgi-bin/ddns.cgi @@ -256,6 +256,7 @@ $checked{'SERVICE'}{'selfhost.de'} = ''; $checked{'SERVICE'}{'strato.com'} = ''; $checked{'SERVICE'}{'twodns.de'} = ''; $checked{'SERVICE'}{'tzo.com'} = ''; +$checked{'SERVICE'}{'variomedia.de'} = ''; $checked{'SERVICE'}{'zoneedit.com'} = ''; $checked{'SERVICE'}{$settings{'SERVICE'}} = "selected='selected'"; @@ -353,6 +354,7 @@ print <strato.com + diff --git a/src/scripts/setddns.pl b/src/scripts/setddns.pl index 939e9f254..d5f7e0888 100644 --- a/src/scripts/setddns.pl +++ b/src/scripts/setddns.pl 
@@ -684,6 +684,39 @@ if ($ip ne $ipcache) {
 &General::log("Dynamic DNS ip-update for $settings{'HOSTDOMAIN'} : failure (could not connect to server, check your credentials---$out-$response--)");
 }
 }
+ elsif ($settings{'SERVICE'} eq 'variomedia') {
+ # use proxy ?
+ my %proxysettings;
+ &General::readhash("${General::swroot}/proxy/settings", \%proxysettings);
+ if ($_=$proxysettings{'UPSTREAM_PROXY'}) {
+ my ($peer, $peerport) = (/^(?:[a-zA-Z ]+\:\/\/)?(?:[A-Za-z0-9\_\.\-]*?(?:\:[A-Za-z0-9\_\.\-]*?)?\@)?([a-zA-Z0-9\.\_\-]*?)(?:\:([0-9]{1,5}))?(?:\/.*?)?$/);
+ Net::SSLeay::set_proxy($peer,$peerport,$proxysettings{'UPSTREAM_USER'},$proxysettings{'UPSTREAM_PASSWORD'} );
+ }
+
+ if ($settings{'HOSTNAME'} eq '') {
+ $settings{'HOSTDOMAIN'} = $settings{'DOMAIN'};
+ } else {
+ $settings{'HOSTDOMAIN'} = "$settings{'HOSTNAME'}.$settings{'DOMAIN'}";
+ }
+
+ my ($out, $response) = Net::SSLeay::get_https( 'dyndns.variomedia.de',
+ 443,
+ "/nic/update?hostname=$settings{'HOSTDOMAIN'}&myip=$ip",
+ Net::SSLeay::make_headers('User-Agent' => 'IPFire',
+ 'Authorization' => 'Basic ' . encode_base64("$settings{'LOGIN'}:$settings{'PASSWORD'}")) );
+
+ # Valid response is 'good $ip'
+ if ($response =~ m%HTTP/1\.. 200 OK%) {
+ if ( $out !~ m/^good $ip/ ) {
+ &General::log("Dynamic DNS ip-update for $settings{'HOSTDOMAIN'} ($ip) : failure ($out)");
+ } else {
+ &General::log("Dynamic DNS ip-update for $settings{'HOSTDOMAIN'} ($ip) : success");
+ $success++;
+ }
+ } else {
+ &General::log("Dynamic DNS ip-update for $settings{'HOSTDOMAIN'} : failure (could not connect to server, check your credentials---$out-$response--)");
+ }
+ }
 else {
 if ($settings{'WILDCARDS'} eq 'on') {
 $settings{'WILDCARDS'} = '-w';
From c6d9cb76ab5a1ce0ac152765c929f61b68361d87 Mon Sep 17 00:00:00 2001
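Review bot: The branch tests `$settings{'SERVICE'} eq 'variomedia'` while the ddns.cgi hunk in this same commit registers the service key as `'variomedia.de'` (the option markup itself is not legible in this rendering), so this `elsif` can never match and a variomedia.de configuration falls through to the generic `else` handler that follows. Change the test to `elsif ($settings{'SERVICE'} eq 'variomedia.de') {` to match the key, mirroring how the twodns.de branch uses the full domain. Here the `# Valid response is 'good $ip'` comment and the `m/^good $ip/` check do agree; the enclosing `if ($ip ne $ipcache)` block starts and ends outside this hunk.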
From: Michael Tremer Date: Mon, 12 May 2014 12:54:08 +0200 Subject: [PATCH 10/38] openvpn: Update translation. DH keys are actually called DH parameters. --- langs/de/cgi-bin/de.pl | 26 +++++++++++++------------- langs/en/cgi-bin/en.pl | 22 +++++++++++----------- 2 files changed, 24 insertions(+), 24 deletions(-) diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl index 6cf4dfcec..a2cf71a7a 100644 --- a/langs/de/cgi-bin/de.pl +++ b/langs/de/cgi-bin/de.pl @@ -38,7 +38,7 @@ 'Local VPN IP' => 'Internes Netzwerk (GREEN)', 'MB read' => 'MB gelesen', 'MB written' => 'MB geschrieben', -'MTU' => 'MTU Size:', +'MTU' => 'MTU-Größe:', 'Number of Countries for the pie chart' => 'Anzahl der angezeigten Länder im Diagramm', 'Number of IPs for the pie chart' => 'Anzahl der angezeigten IPs im Diagramm', 'Number of Ports for the pie chart' => 'Anzahl der angezeigten Ports im Diagramm', 
@@ -661,10 +661,10 @@ 'details' => 'Mehr', 'device' => 'Gerät', 'devices on blue' => 'Geräte auf Blau', -'dh' => 'Diffie-Hellman Key', -'dh key move failed' => 'Verschieben des Diffie-Hellman keys fehlgeschlagen.', -'dh key warn' => 'Diffie-Hellman Keys mit 1024 und 2048 Bit können mehrere Minuten, 3072 und 4096 Bit bis zu mehreren Stunden dauern. Bitte haben sie Geduld.', -'dh key warn1' => 'Bei schwachen Systemen oder Systeme mit wenig Entropie wird empfohlen lange Diffie-Hellman Keys über die Upload Funktion zu integrieren.', +'dh' => 'Diffie-Hellman-Parameter', +'dh key move failed' => 'Verschieben der Diffie-Hellman-Parameter fehlgeschlagen.', +'dh key warn' => 'Das Generieren der Diffie-Hellman-Parameter mit 1024 oder 2048 Bit dauert üblicherweise mehrere Minuten. Schlüssellängen von 3072 oder 4096 Bit beanspruchen mehrere Stunden. Bitte haben Sie etwas Geduld.', +'dh key warn1' => 'Bei schwachen Systemen oder Systeme mit wenig Entropie wird empfohlen lange Diffie-Hellman-Parameter über die Upload-Funktion hochzuladen.', 'dhcp advopt add' => 'DHCP Option hinzufügen', 'dhcp advopt added' => 'DHCP Option hinzugefügt', 'dhcp advopt blank value' => 'Wert für DHCP Option darf nicht leer sein', @@ -1123,7 +1123,7 @@ 'fwhost wo subnet' => '(Ohne Subnetz)', 'gateway' => 'Gateway', 'gateway ip' => 'Gateway-IP', -'gen dh' => 'Diffie-Hellman Key erzeugen', +'gen dh' => 'Diffie-Hellman-Parameter erzeugen', 'gen static key' => 'Statischen Schlüssel erzeugen', 'generate' => 'Root/Host-Zertifikate generieren', 'generate a certificate' => 'Erzeuge ein Zertifikat:', 
@@ -1564,7 +1564,7 @@ 'nonetworkname' => 'Kein Netzwerkname wurde eingegeben', 'noservicename' => 'Kein Dienstname wurde eingegeben', 'not a valid ca certificate' => 'Kein gültiges CA Zertifikat.', -'not a valid dh key' => 'Kein gültiger Diffie-Hellman Schlüssel. Bitte nur 1024, 2048, 3072 oder 4096 Bit im PKCS#3 Format verwenden.', +'not a valid dh key' => 'Kein gültiger Diffie-Hellman-Parameter. Es sind nur Parameter mit einer Länge von 1024, 2048, 3072 oder 4096 Bit im PKCS#3-Format erlaubt.', 'not enough disk space' => 'Nicht genügend Plattenplatz vorhanden', 'not present' => 'Nicht vorhanden', 'not running' => 'nicht gestartet', @@ -1658,15 +1658,15 @@ 'ovpn config' => 'OVPN-Konfiguration', 'ovpn crypt options' => 'Kryptografieoptionen', 'ovpn device' => 'OpenVPN-Gerät', -'ovpn dh' => 'Diffie-Hellman Key Länge', -'ovpn dh upload' => 'Upload Diffie-Hellman Key', +'ovpn dh' => 'Diffie-Hellman-Parameter-Länge', +'ovpn dh upload' => 'Diffie-Hellman-Parameter hochladen', 'ovpn dl' => 'OVPN-Konfiguration downloaden', 'ovpn engines' => 'Krypto Engine', 'ovpn errmsg green already pushed' => 'Route für grünes Netzwerk wird immer gesetzt', 'ovpn errmsg invalid ip or mask' => 'Ungültige Netzwerk-Adresse oder Subnetzmaske', 'ovpn generating the root and host certificates' => 'Die Erzeugung der Root- und Host-Zertifikate kann lange Zeit dauern.', -'ovpn ha' => 'Hash Algorithmus', -'ovpn hmac' => 'HMAC Optionen', +'ovpn ha' => 'Hash-Algorithmus', +'ovpn hmac' => 'HMAC-Optionen', 'ovpn log' => 'OVPN-Log', 'ovpn mgmt in root range' => 'Ein Port von 1024 oder höher ist erforderlich.', 'ovpn mtu-disc' => 'Path MTU Discovery', 
@@ -1929,7 +1929,7 @@ 'show ca certificate' => 'CA Zertifikat anzeigen', 'show certificate' => 'Zertifikat anzeigen', 'show crl' => 'Certificate Revocation List anzeigen', -'show dh' => 'Diffie-Hellman Key anzeigen', +'show dh' => 'Diffie-Hellman-Parameter anzeigen', 'show host certificate' => 'Host-Zertifikat anzeigen', 'show last x lines' => 'die letzten x Zeilen anzeigen', 'show root certificate' => 'Root-Zertifikat anzeigen', @@ -2265,7 +2265,7 @@ 'upload a certificate' => 'Ein Zertifikat hochladen:', 'upload a certificate request' => 'Eine Zertifikatsanfrage hochladen:', 'upload ca certificate' => 'CA-Zertifikat hochladen', -'upload dh key' => 'Diffie-Hellman Key hochladen', +'upload dh key' => 'Diffie-Hellman-Parameter hochladen', 'upload file' => 'Datei zum hochladen', 'upload new ruleset' => 'Neuen Regelsatz hochladen', 'upload p12 file' => 'PKCS12-Datei hochladen', diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl index e1186323b..5ccad79ee 100644 --- a/langs/en/cgi-bin/en.pl +++ b/langs/en/cgi-bin/en.pl 
@@ -683,10 +683,10 @@ 'details' => 'Details', 'device' => 'Device', 'devices on blue' => 'Devices on BLUE', -'dh' => 'Diffie-Hellman Key', -'dh key move failed' => 'Diffie-Hellman key move failed.', -'dh key warn' => 'Diffie-Hellman keys with 1024 and 2048 bit takes up to several minutes, 3072 and 4096 bit might needs several hours. Please be patient.', -'dh key warn1' => 'For weak systems or systems with little entropy it is recommended to integrate long Diffie-Hellman Keys by usage of the upload function.', +'dh' => 'Diffie-Hellman parameters', +'dh key move failed' => 'Diffie-Hellman parameters move failed.', +'dh key warn' => 'Creating Diffie-Hellman parameters with lengths of 1024 or 2048 bits takes up to several minutes. Lengths of 3072 or 4096 bits might needs several hours. Please be patient.', +'dh key warn1' => 'For weak systems or systems with little entropy, it is recommended to upload long Diffie-Hellman parameters by usage of the upload function.', 'dh name is invalid' => 'Name is invalid, please use "dh1024.pem".', 'dhcp advopt add' => 'Add a DHCP option', 'dhcp advopt added' => 'DHCP option added', @@ -1152,11 +1152,11 @@ 'g.lite' => 'TO BE REMOVED', 'gateway' => 'Gateway', 'gateway ip' => 'Gateway IP', -'gen dh' => 'Generate Diffie-Hellman key', +'gen dh' => 'Generate Diffie-Hellman parameters', 'gen static key' => 'Generate a static key', 'generate' => 'Generate root/host zertifikate', 'generate a certificate' => 'Generate a certificate:', -'generate dh key' => 'Generate Diffie-Hellman key', +'generate dh key' => 'Generate Diffie-Hellman parameters', 'generate iso' => 'Generate ISO', 'generate root/host certificates' => 'Generate root/host certificates', 'generate tripwire keys and init' => 'generate tripwire keys and init', 
@@ -1594,7 +1594,7 @@ 'nonetworkname' => 'No Network Name entered', 'noservicename' => 'No Service Name entered', 'not a valid ca certificate' => 'Not a valid CA certificate.', -'not a valid dh key' => 'Not a valid Diffie-Hellman key. Please use 1024, 2048, 3072 or 4096 bit in PKCS#3 format.', +'not a valid dh key' => 'Not a valid Diffie-Hellman parameters file. Please use a length of 1024, 2048, 3072 or 4096 bits and the PKCS#3 format.', 'not enough disk space' => 'Not enough disk space', 'not present' => 'Not present', 'not running' => 'not running', @@ -1689,8 +1689,8 @@ 'ovpn config' => 'OVPN-Config', 'ovpn crypt options' => 'Cryptographic options', 'ovpn device' => 'OpenVPN device:', -'ovpn dh' => 'Diffie-Hellman key lenght', -'ovpn dh upload' => 'Upload Diffie-Hellman Key', +'ovpn dh' => 'Diffie-Hellman parameters length', +'ovpn dh upload' => 'Upload Diffie-Hellman parameters', 'ovpn dl' => 'OVPN-Config Download', 'ovpn engines' => 'Crypto engine', 'ovpn errmsg green already pushed' => 'Route for green network is always set', @@ -1963,7 +1963,7 @@ 'show ca certificate' => 'Show CA certificate', 'show certificate' => 'Show certificate', 'show crl' => 'Show certificate revocation list', -'show dh' => 'Show Diffie-Hellman key', +'show dh' => 'Show Diffie-Hellman parameters', 'show host certificate' => 'Show host certificate', 'show last x lines' => 'Show last x lines', 'show lines' => 'Show lines', @@ -2304,7 +2304,7 @@ 'upload a certificate' => 'Upload a certificate:', 'upload a certificate request' => 'Upload a certificate request:', 'upload ca certificate' => 'Upload CA certificate', -'upload dh key' => 'Upload Diffie-Hellman key', +'upload dh key' => 'Upload Diffie-Hellman parameters', 'upload fcdsl.o' => 'TO BE REMOVED', 'upload file' => 'Upload file', 'upload new ruleset' => 'Upload new ruleset', From 27ecea56ce242adc0f3b471ed2868dc3ea246874 Mon Sep 17 00:00:00 2001 
From: Michael Tremer
Date: Fri, 9 May 2014 01:28:56 +0200
Subject: [PATCH 11/38] squid: Update to 3.4.5.
---
 lfs/squid | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/lfs/squid b/lfs/squid
index 00dc12a10..1f1589d01 100644
--- a/lfs/squid
+++ b/lfs/squid
@@ -24,7 +24,7 @@ include Config
-VER = 3.4.4
+VER = 3.4.5
 THISAPP = squid-$(VER)
 DL_FILE = $(THISAPP).tar.xz
@@ -40,7 +40,7 @@ objects = $(DL_FILE)
 $(DL_FILE) = $(DL_FROM)/$(DL_FILE)
-$(DL_FILE)_MD5 = dc2bcb967fc6b15bbbc6b961010c0c00
+$(DL_FILE)_MD5 = a831efb36cfbaa419f8dc7a43cba72c9
 install : $(TARGET)
From 7c1b7d3e226310403ddd40b4cd19d78f7db4d457 Mon Sep 17 00:00:00 2001
From: Bernhard Bitsch
Date: Mon, 12 May 2014 13:16:43 +0200
Subject: [PATCH 12/38] proxy.pac: Only grant direct access for actual subnets. Fixes #10324.
---
 html/cgi-bin/proxy.cgi | 19 ++++++++++++++++---
 1 file changed, 16 insertions(+), 3 deletions(-)
diff --git a/html/cgi-bin/proxy.cgi b/html/cgi-bin/proxy.cgi
index c4cff4789..5ab6f9b5b 100644
--- a/html/cgi-bin/proxy.cgi
+++ b/html/cgi-bin/proxy.cgi
@@ -2974,9 +2974,22 @@ if ( (isPlainHostName(host)) || (dnsDomainIs(host, ".$mainsettings{'DOMAINNAME'}")) || (isInNet(host, "127.0.0.1", "255.0.0.0")) || - (isInNet(host, "10.0.0.0", "255.0.0.0")) || - (isInNet(host, "172.16.0.0", "255.240.0.0")) || - (isInNet(host, "192.168.0.0", "255.255.0.0")) || +END +; + + if ($netsettings{'GREEN_DEV'}) { + print FILE " (isInNet(host, \"$netsettings{'GREEN_NETADDRESS'}\", \"$netsettings{'GREEN_NETMASK'}\")) ||\n"; + } + + if (&Header::blue_used() && $netsettings{'BLUE_DEV'}) { + print FILE " (isInNet(host, \"$netsettings{'BLUE_NETADDRESS'}\", \"$netsettings{'BLUE_NETMASK'}\")) ||\n"; + } + + if (&Header::orange_used() && $netsettings{'ORANGE_DEV'}) { + print FILE " (isInNet(host, \"$netsettings{'ORANGE_NETADDRESS'}\", \"$netsettings{'ORANGE_NETMASK'}\")) ||\n"; + } + + print FILE < Date: Mon, 12 May 2014 13:21:24 +0200 Subject: [PATCH 13/38] proxy.pac: Don't use proxy for direct domain access. --- html/cgi-bin/proxy.cgi | 1 - 1 file changed, 1 deletion(-) diff --git a/html/cgi-bin/proxy.cgi b/html/cgi-bin/proxy.cgi index 5ab6f9b5b..2a9d49394 100644 --- a/html/cgi-bin/proxy.cgi +++ b/html/cgi-bin/proxy.cgi @@ -2972,7 +2972,6 @@ sub writepacfile print FILE < Date: Mon, 12 May 2014 19:50:50 +0200 Subject: [PATCH 14/38] DDNS: Add support for spdns.de. This commit adds support for the dynamic dns service provider spdns.de. Fixes #10533. --- html/cgi-bin/ddns.cgi | 2 ++ src/scripts/setddns.pl | 35 +++++++++++++++++++++++++++++++++++ 2 files changed, 37 insertions(+) diff --git a/html/cgi-bin/ddns.cgi b/html/cgi-bin/ddns.cgi index dc4649b4a..4b4bc63d7 100644 --- a/html/cgi-bin/ddns.cgi +++ b/html/cgi-bin/ddns.cgi 
@@ -253,6 +253,7 @@ $checked{'SERVICE'}{'nsupdate'} = ''; $checked{'SERVICE'}{'ovh.com'} = ''; $checked{'SERVICE'}{'regfish.com'} = ''; $checked{'SERVICE'}{'selfhost.de'} = ''; +$checked{'SERVICE'}{'spdns.org'} = ''; $checked{'SERVICE'}{'strato.com'} = ''; $checked{'SERVICE'}{'twodns.de'} = ''; $checked{'SERVICE'}{'tzo.com'} = ''; @@ -351,6 +352,7 @@ print <ovh.com + diff --git a/src/scripts/setddns.pl b/src/scripts/setddns.pl index d5f7e0888..ef1176856 100644 --- a/src/scripts/setddns.pl +++ b/src/scripts/setddns.pl 
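Review bot: The %checked key added here is `spdns.org`, while the branch added to setddns.pl in this same commit tests `$settings{'SERVICE'} eq 'spdns.de'`; the two identifiers must agree or one side is dead code. If the `<option>` value in the next hunk (its markup is not readable here) is `spdns.de`, this entry never marks the provider as selected when the page is reloaded; if it is `spdns.org`, setddns.pl never reaches its spdns branch and the update silently falls through. Rename one of them, e.g. `$checked{'SERVICE'}{'spdns.de'} = '';`, and keep the option value identical to the string setddns.pl compares against.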
@@ -400,6 +400,41 @@ if ($ip ne $ipcache) {
 &General::log("Dynamic DNS ip-update for $settings{'HOSTNAME'}.$settings{'DOMAIN'} : failure (could not connect to server)");
 }
 }
+ elsif ($settings{'SERVICE'} eq 'spdns.de') {
+ # use proxy ?
+ my %proxysettings;
+ &General::readhash("${General::swroot}/proxy/settings", \%proxysettings);
+ if ($_=$proxysettings{'UPSTREAM_PROXY'}) {
+ my ($peer, $peerport) = (/^(?:[a-zA-Z ]+\:\/\/)?(?:[A-Za-z0-9\_\.\-]*?(?:\:[A-Za-z0-9\_\.\-]*?)?\@)?([a-zA-Z0-9\.\_\-]*?)(?:\:([0-9]{1,5}))?(?:\/.*?)?$/);
+ Net::SSLeay::set_proxy($peer,$peerport,$proxysettings{'UPSTREAM_USER'},$proxysettings{'UPSTREAM_PASSWORD'} );
+ }
+
+ if ($settings{'HOSTNAME'} eq '') {
+ $settings{'HOSTDOMAIN'} = $settings{'DOMAIN'};
+ } else {
+ $settings{'HOSTDOMAIN'} = "$settings{'HOSTNAME'}.$settings{'DOMAIN'}";
+ }
+
+ my ($out, $response) = Net::SSLeay::get_https( 'www.spdns.de', 443,
+ "/nic/update?&hostname=$settings{'HOSTDOMAIN'}&myip=$ip",
+ Net::SSLeay::make_headers('User-Agent' => 'IPFire' ,
+ 'Authorization' => 'Basic ' . encode_base64("$settings{'LOGIN'}:$settings{'PASSWORD'}"))
+ );
+
+ #Valid responses from service are:
+ # good xxx.xxx.xxx.xxx
+ # nochg xxx.xxx.xxx.xxx
+ if ($response =~ m%HTTP/1\.. 200 OK%) {
+ if ($out !~ m/good |nochg /ig) {
+ &General::log("Dynamic DNS ip-update for $settings{'HOSTDOMAIN'} : failure ($out)");
+ } else {
+ &General::log("Dynamic DNS ip-update for $settings{'HOSTDOMAIN'} : success");
+ $success++;
+ }
+ } else {
+ &General::log("Dynamic DNS ip-update for $settings{'HOSTDOMAIN'} : failure (could not connect to server)");
+ }
+ }
 elsif ($settings{'SERVICE'} eq 'strato') {
 # use proxy ?
 my %proxysettings;
From edb7235c38554f9a02a03cd1b58f027cae43cf8c Mon Sep 17 00:00:00 2001
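Review bot: `encode_base64("$settings{'LOGIN'}:$settings{'PASSWORD'}")` is called without the `$eol` argument, so MIME::Base64 appends a "\n" to the value (and inserts one every 76 output characters), and that newline lands inside the Authorization header that make_headers builds; depending on the server's header parser this can end the header block early or, for long login/password pairs, corrupt the credential itself. Pass an empty line ending: `'Authorization' => 'Basic ' . encode_base64("$settings{'LOGIN'}:$settings{'PASSWORD'}", '')`. Unless Net::SSLeay is configured elsewhere in this script to verify the peer certificate (nothing in the hunk does), get_https sends these Basic credentials to whatever answers for the host over an unverified TLS session, so a DNS or on-path attacker on RED can collect them; that caveat deserves a comment next to the call. The `/g` flag on `$out !~ m/good |nochg /ig` has no effect in this scalar-context test and can be dropped.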
From: alpha197
Date: Tue, 13 May 2014 19:00:04 +0200
Subject: [PATCH 15/38] xen-image-maker: Fix wrong menu entry for pygrub Should fix https://bugzilla.ipfire.org/show_bug.cgi?id=10499
---
 config/xen-image/xen-image-maker.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/config/xen-image/xen-image-maker.sh b/config/xen-image/xen-image-maker.sh
index a42ad5bf0..1a2a004b4 100644
--- a/config/xen-image/xen-image-maker.sh
+++ b/config/xen-image/xen-image-maker.sh
@@ -121,7 +121,7 @@ mkdir $MNThdd/boot/grub
 echo "timeout 10" > $MNThdd/boot/grub/grub.conf
 echo "default 0" >> $MNThdd/boot/grub/grub.conf
 echo "title IPFire ($KERN_TYPE-kernel)" >> $MNThdd/boot/grub/grub.conf
-echo " kernel /vmlinuz-$KVER-ipfire-xen root=/dev/xvda3 rootdelay=10 panic=10 console=$CONSOLE ro" \
+echo " kernel /vmlinuz-$KVER-ipfire-$KERN_TYPE root=/dev/xvda3 rootdelay=10 panic=10 console=$CONSOLE ro" \
 >> $MNThdd/boot/grub/grub.conf
 echo " initrd /ipfirerd-$KVER-$KERN_TYPE.img" >> $MNThdd/boot/grub/grub.conf
 echo "# savedefault 0" >> $MNThdd/boot/grub/grub.conf
From 1f99fc9845457b2d58d584adb47866a1eec8a7dc Mon Sep 17 00:00:00 2001
From: Michael Tremer
Date: Tue, 13 May 2014 20:36:58 +0200
Subject: [PATCH 16/38] openvpn: Fix wrong default port number.
---
 config/ovpn/settings | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/config/ovpn/settings b/config/ovpn/settings
index b78fc32d7..8fa37fe07 100644
--- a/config/ovpn/settings
+++ b/config/ovpn/settings
@@ -1,6 +1,6 @@
 ENABLED=off
 ENABLED_BLUE=off
 ENABLED_ORANGE=off
-DDEST_PORT=1149
+DDEST_PORT=1194
 DPROTOCOL=udp
 VPN_IP=
From 2308525f0c53c4665cbe604d6c524441b3442ac5 Mon Sep 17 00:00:00 2001
From: Arne Fitzenreiter Date: Wed, 14 May 2014 18:53:51 +0200 Subject: [PATCH 17/38] start core78. --- config/rootfiles/core/78/exclude | 20 ++ .../core/78/filelists/armv5tel/linux-kirkwood | 1 + .../core/78/filelists/armv5tel/linux-multi | 1 + .../core/78/filelists/armv5tel/linux-rpi | 1 + config/rootfiles/core/78/filelists/files | 2 + config/rootfiles/core/78/filelists/i586/grub | 1 + config/rootfiles/core/78/filelists/i586/linux | 1 + config/rootfiles/core/78/meta | 1 + config/rootfiles/core/78/update.sh | 295 ++++++++++++++++++ make.sh | 2 +- 10 files changed, 324 insertions(+), 1 deletion(-) create mode 100644 config/rootfiles/core/78/exclude create mode 120000 config/rootfiles/core/78/filelists/armv5tel/linux-kirkwood create mode 120000 config/rootfiles/core/78/filelists/armv5tel/linux-multi create mode 120000 config/rootfiles/core/78/filelists/armv5tel/linux-rpi create mode 100644 config/rootfiles/core/78/filelists/files create mode 120000 config/rootfiles/core/78/filelists/i586/grub create mode 120000 config/rootfiles/core/78/filelists/i586/linux create mode 100644 config/rootfiles/core/78/meta create mode 100644 config/rootfiles/core/78/update.sh diff --git a/config/rootfiles/core/78/exclude b/config/rootfiles/core/78/exclude new file mode 100644 index 000000000..18e9b4d24 --- /dev/null +++ b/config/rootfiles/core/78/exclude @@ -0,0 +1,20 @@ +boot/config.txt +etc/collectd.custom +etc/ipsec.conf +etc/ipsec.secrets +etc/ipsec.user.conf +etc/ipsec.user.secrets +etc/localtime +etc/shadow +etc/ssh/ssh_config +etc/ssh/sshd_config +etc/ssl/openssl.cnf +etc/sudoers +etc/sysconfig/firewall.local +etc/sysconfig/rc.local +etc/udev/rules.d/30-persistent-network.rules +srv/web/ipfire/html/proxy.pac +var/ipfire/ovpn +var/log/cache +var/state/dhcp/dhcpd.leases +var/updatecache diff --git a/config/rootfiles/core/78/filelists/armv5tel/linux-kirkwood b/config/rootfiles/core/78/filelists/armv5tel/linux-kirkwood new file mode 120000 index 000000000..72171071e --- /dev/null 
+++ b/config/rootfiles/core/78/filelists/armv5tel/linux-kirkwood @@ -0,0 +1 @@ +../../../../common/armv5tel/linux-kirkwood \ No newline at end of file diff --git a/config/rootfiles/core/78/filelists/armv5tel/linux-multi b/config/rootfiles/core/78/filelists/armv5tel/linux-multi new file mode 120000 index 000000000..204eb4c43 --- /dev/null +++ b/config/rootfiles/core/78/filelists/armv5tel/linux-multi @@ -0,0 +1 @@ +../../../../common/armv5tel/linux-multi \ No newline at end of file diff --git a/config/rootfiles/core/78/filelists/armv5tel/linux-rpi b/config/rootfiles/core/78/filelists/armv5tel/linux-rpi new file mode 120000 index 000000000..a651a498f --- /dev/null +++ b/config/rootfiles/core/78/filelists/armv5tel/linux-rpi @@ -0,0 +1 @@ +../../../../common/armv5tel/linux-rpi \ No newline at end of file diff --git a/config/rootfiles/core/78/filelists/files b/config/rootfiles/core/78/filelists/files new file mode 100644 index 000000000..409e5fe8a --- /dev/null +++ b/config/rootfiles/core/78/filelists/files @@ -0,0 +1,2 @@ +etc/system-release +etc/issue diff --git a/config/rootfiles/core/78/filelists/i586/grub b/config/rootfiles/core/78/filelists/i586/grub new file mode 120000 index 000000000..feb236a22 --- /dev/null +++ b/config/rootfiles/core/78/filelists/i586/grub @@ -0,0 +1 @@ +../../../../common/i586/grub \ No newline at end of file diff --git a/config/rootfiles/core/78/filelists/i586/linux b/config/rootfiles/core/78/filelists/i586/linux new file mode 120000 index 000000000..693ec4bbf --- /dev/null +++ b/config/rootfiles/core/78/filelists/i586/linux @@ -0,0 +1 @@ +../../../../common/i586/linux \ No newline at end of file diff --git a/config/rootfiles/core/78/meta b/config/rootfiles/core/78/meta new file mode 100644 index 000000000..d547fa86f --- /dev/null +++ b/config/rootfiles/core/78/meta @@ -0,0 +1 @@ +DEPS="" diff --git a/config/rootfiles/core/78/update.sh b/config/rootfiles/core/78/update.sh new file mode 100644 index 000000000..0d5976111 --- /dev/null 
+++ b/config/rootfiles/core/78/update.sh 
@@ -0,0 +1,295 @@ +#!/bin/bash +############################################################################ +# # +# This file is part of the IPFire Firewall. # +# # +# IPFire is free software; you can redistribute it and/or modify # +# it under the terms of the GNU General Public License as published by # +# the Free Software Foundation; either version 3 of the License, or # +# (at your option) any later version. # +# # +# IPFire is distributed in the hope that it will be useful, # +# but WITHOUT ANY WARRANTY; without even the implied warranty of # +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # +# GNU General Public License for more details. # +# # +# You should have received a copy of the GNU General Public License # +# along with IPFire; if not, write to the Free Software # +# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA # +# # +# Copyright (C) 2014 IPFire-Team . # +# # +############################################################################ +# +. /opt/pakfire/lib/functions.sh +/usr/local/bin/backupctrl exclude >/dev/null 2>&1 + +function add_to_backup () +{ + # Add path to ROOTFILES but remove old entries to prevent double + # files in the tar + grep -v "^$1" /opt/pakfire/tmp/ROOTFILES > /opt/pakfire/tmp/ROOTFILES.tmp + mv /opt/pakfire/tmp/ROOTFILES.tmp /opt/pakfire/tmp/ROOTFILES + echo $1 >> /opt/pakfire/tmp/ROOTFILES +} + +# +# Remove old core updates from pakfire cache to save space... +core=78 +for (( i=1; i<=${core}; i++ )) +do + rm -f /var/cache/pakfire/core-upgrade-*-$i.ipfire +done + +# +# Do some sanity checks. +case $(uname -r) in + *-ipfire-versatile ) + /usr/bin/logger -p syslog.emerg -t ipfire \ + "core-update-${core}: ERROR cannot update. versatile support is dropped." + # Report no error to pakfire. So it does not try to install it again. 
+ exit 0 + ;; + *-ipfire-xen ) + BOOTSIZE=`df /boot -Pk | sed "s| * | |g" | cut -d" " -f2 | tail -n 1` + if [ $BOOTSIZE -lt 28000 ]; then + /usr/bin/logger -p syslog.emerg -t ipfire \ + "core-update-${core}: ERROR cannot update because not enough space on boot." + exit 2 + fi + ;; + *-ipfire* ) + # Ok. + ;; + * ) + /usr/bin/logger -p syslog.emerg -t ipfire \ + "core-update-${core}: ERROR cannot update. No IPFire Kernel." + exit 1 + ;; +esac + + +# +# +KVER="xxxKVERxxx" +MOUNT=`grep "kernel" /boot/grub/grub.conf 2>/dev/null | tail -n 1 ` +# Nur den letzten Parameter verwenden +echo $MOUNT > /dev/null +MOUNT=$_ +if [ ! $MOUNT == "rw" ]; then + MOUNT="ro" +fi + +# +# check if we the backup file already exist +if [ -e /var/ipfire/backup/core-upgrade${core}_${KVER}.tar.xz ]; then + echo Moving backup to backup-old ... + mv -f /var/ipfire/backup/core-upgrade${core}_${KVER}.tar.xz \ + /var/ipfire/backup/core-upgrade${core}_${KVER}-old.tar.xz +fi +echo First we made a backup of all files that was inside of the +echo update archive. This may take a while ... +# Add some files that are not in the package to backup +add_to_backup lib/modules +add_to_backup boot + +# Backup the files +tar cJvf /var/ipfire/backup/core-upgrade${core}_${KVER}.tar.xz \ + -C / -T /opt/pakfire/tmp/ROOTFILES --exclude='#*' --exclude='/var/cache' > /dev/null 2>&1 + +# Check diskspace on root +ROOTSPACE=`df / -Pk | sed "s| * | |g" | cut -d" " -f4 | tail -n 1` + +if [ $ROOTSPACE -lt 100000 ]; then + /usr/bin/logger -p syslog.emerg -t ipfire \ + "core-update-${core}: ERROR cannot update because not enough free space on root." + exit 2 +fi + + +echo +echo Update Kernel to $KVER ... +# +# Remove old kernel, configs, initrd, modules ... 
+# +rm -rf /boot/System.map-* +rm -rf /boot/config-* +rm -rf /boot/ipfirerd-* +rm -rf /boot/vmlinuz-* +rm -rf /boot/uImage-ipfire-* +rm -rf /boot/uInit-ipfire-* +rm -rf /lib/modules + +case $(uname -m) in + i?86 ) + # + # Backup grub.conf + # + cp -vf /boot/grub/grub.conf /boot/grub/grub.conf.org + ;; +esac +# +#Stop services +/etc/init.d/snort stop +/etc/init.d/squid stop +/etc/init.d/ipsec stop +/etc/init.d/apache stop + +# Remove the old default theme +rm -rf /srv/web/ipfire/html/themes/ipfire + +# rename /etc/modprobe.d files +for i in $(find /etc/modprobe.d/* | grep -v ".conf"); do + mv $i $i.conf +done + +# +#Extract files +tar xavf /opt/pakfire/tmp/files* --no-overwrite-dir -p --numeric-owner -C / + +# Check diskspace on boot +BOOTSPACE=`df /boot -Pk | sed "s| * | |g" | cut -d" " -f4 | tail -n 1` + +if [ $BOOTSPACE -lt 1000 ]; then + case $(uname -r) in + *-ipfire-kirkwood ) + # Special handling for old kirkwood images. + # (install only kirkwood kernel) + rm -rf /boot/* + tar xavf /opt/pakfire/tmp/files* --no-overwrite-dir -p \ + --numeric-owner -C / --wildcards 'boot/*-kirkwood*' + ;; + * ) + /usr/bin/logger -p syslog.emerg -t ipfire \ + "core-update-${core}: FATAL-ERROR space run out on boot. System is not bootable..." + /etc/init.d/apache start + exit 4 + ;; + esac +fi + + +# Update Language cache +perl -e "require '/var/ipfire/lang.pl'; &Lang::BuildCacheLang" + +# +# Start services +# +/etc/init.d/apache start +/etc/init.d/squid start +/etc/init.d/snort start +if [ `grep "ENABLED=on" /var/ipfire/vpn/settings` ]; then + /etc/init.d/ipsec start +fi + +case $(uname -m) in + i?86 ) + # + # Modify grub.conf + # + echo + echo Update grub configuration ... + ROOT=`mount | grep " / " | cut -d" " -f1` + + if [ ! -z $ROOT ]; then + ROOTUUID=`blkid -c /dev/null -sUUID $ROOT | cut -d'"' -f2` + fi + + if [ ! 
-z $ROOTUUID ]; then + sed -i "s|ROOT|UUID=$ROOTUUID|g" /boot/grub/grub.conf + else + sed -i "s|ROOT|$ROOT|g" /boot/grub/grub.conf + fi + sed -i "s|KVER|$KVER|g" /boot/grub/grub.conf + sed -i "s|MOUNT|$MOUNT|g" /boot/grub/grub.conf + + if [ "$(grep "^serial" /boot/grub/grub.conf.org)" == "" ]; then + echo "grub use default console ..." + else + echo "grub use serial console ..." + sed -i -e "s|splashimage|#splashimage|g" /boot/grub/grub.conf + sed -i -e "s|#serial|serial|g" /boot/grub/grub.conf + sed -i -e "s|#terminal|terminal|g" /boot/grub/grub.conf + sed -i -e "s| panic=10 | console=ttyS0,115200n8 panic=10 |g" /boot/grub/grub.conf + fi + + # + # ReInstall grub + # + echo "(hd0) ${ROOT::`expr length $ROOT`-1}" > /boot/grub/device.map + grub-install --no-floppy ${ROOT::`expr length $ROOT`-1} + ;; +esac + + +# Force (re)install pae kernel if pae is supported +rm -rf /opt/pakfire/db/*/meta-linux-pae +if [ ! "$(grep "^flags.* pae " /proc/cpuinfo)" == "" ]; then + ROOTSPACE=`df / -Pk | sed "s| * | |g" | cut -d" " -f4 | tail -n 1` + BOOTSPACE=`df /boot -Pk | sed "s| * | |g" | cut -d" " -f4 | tail -n 1` + if [ $BOOTSPACE -lt 12000 -o $ROOTSPACE -lt 90000 ]; then + /usr/bin/logger -p syslog.emerg -t ipfire \ + "core-update-${core}: WARNING not enough space for pae kernel." 
+ else + echo "Name: linux-pae" > /opt/pakfire/db/installed/meta-linux-pae + echo "ProgVersion: 0" >> /opt/pakfire/db/installed/meta-linux-pae + echo "Release: 0" >> /opt/pakfire/db/installed/meta-linux-pae + echo "Name: linux-pae" > /opt/pakfire/db/meta/meta-linux-pae + echo "ProgVersion: 0" >> /opt/pakfire/db/meta/meta-linux-pae + echo "Release: 0" >> /opt/pakfire/db/meta/meta-linux-pae + fi +fi + +# Force reinstall xen kernel if it was installed +if [ -e "/opt/pakfire/db/installed/meta-linux-xen" ]; then + echo "Name: linux-xen" > /opt/pakfire/db/installed/meta-linux-xen + echo "ProgVersion: 0" >> /opt/pakfire/db/installed/meta-linux-xen + echo "Release: 0" >> /opt/pakfire/db/installed/meta-linux-xen + echo "Name: linux-xen" > /opt/pakfire/db/meta/meta-linux-xen + echo "ProgVersion: 0" >> /opt/pakfire/db/meta/meta-linux-xen + echo "Release: 0" >> /opt/pakfire/db/meta/meta-linux-xen + # Add xvc0 to /etc/securetty + echo "xvc0" >> /etc/securetty +fi + +# +# After pakfire has ended run it again and update the lists and do upgrade +# +echo '#!/bin/bash' > /tmp/pak_update +echo 'while [ "$(ps -A | grep " update.sh")" != "" ]; do' >> /tmp/pak_update +echo ' sleep 1' >> /tmp/pak_update +echo 'done' >> /tmp/pak_update +echo 'while [ "$(ps -A | grep " pakfire")" != "" ]; do' >> /tmp/pak_update +echo ' sleep 1' >> /tmp/pak_update +echo 'done' >> /tmp/pak_update +echo '/opt/pakfire/pakfire update -y --force' >> /tmp/pak_update +echo '/opt/pakfire/pakfire upgrade -y' >> /tmp/pak_update +echo '/opt/pakfire/pakfire upgrade -y' >> /tmp/pak_update +echo '/opt/pakfire/pakfire upgrade -y' >> /tmp/pak_update +echo '/usr/bin/logger -p syslog.emerg -t ipfire "Core-upgrade finished. If you use a customized grub.cfg"' >> /tmp/pak_update +echo '/usr/bin/logger -p syslog.emerg -t ipfire "Check it before reboot !!!"' >> /tmp/pak_update +echo '/usr/bin/logger -p syslog.emerg -t ipfire " *** Please reboot... 
*** "' >> /tmp/pak_update +echo 'touch /var/run/need_reboot ' >> /tmp/pak_update +# +killall -KILL pak_update +chmod +x /tmp/pak_update +/tmp/pak_update & + +sync + +# +#Finish +( + /etc/init.d/fireinfo start + sendprofile +) >/dev/null 2>&1 & + +# Update Package list for addon installation +/opt/pakfire/pakfire update -y --force + +echo +echo Please wait until pakfire has ended... +echo +#Don't report the exitcode last command +exit 0 + diff --git a/make.sh b/make.sh index 5bff402a4..0056ee59e 100755 --- a/make.sh +++ b/make.sh @@ -25,7 +25,7 @@ NAME="IPFire" # Software name SNAME="ipfire" # Short name VERSION="2.15" # Version number -CORE="77" # Core Level (Filename) +CORE="78" # Core Level (Filename) PAKFIRE_CORE="77" # Core Level (PAKFIRE) GIT_BRANCH=`git rev-parse --abbrev-ref HEAD` # Git Branch SLOGAN="www.ipfire.org" # Software slogan From aab13a8d9d873c2ad83bb2454ca03d90bfecfd53 Mon Sep 17 00:00:00 2001 From: Arne Fitzenreiter Date: Wed, 14 May 2014 18:59:22 +0200 Subject: [PATCH 18/38] backupiso: change to hybrid image. --- config/rootfiles/common/i586/syslinux | 2 +- config/rootfiles/core/78/filelists/i586/syslinux | 1 + src/scripts/backupiso | 1 + 3 files changed, 3 insertions(+), 1 deletion(-) create mode 120000 config/rootfiles/core/78/filelists/i586/syslinux diff --git a/config/rootfiles/common/i586/syslinux b/config/rootfiles/common/i586/syslinux index 0c43b88be..89cf5c844 100644 --- a/config/rootfiles/common/i586/syslinux +++ b/config/rootfiles/common/i586/syslinux @@ -1,6 +1,6 @@ #sbin/extlinux #usr/bin/gethostip -#usr/bin/isohybrid +usr/bin/isohybrid #usr/bin/isohybrid.pl #usr/bin/keytab-lilo #usr/bin/lss16toppm diff --git a/config/rootfiles/core/78/filelists/i586/syslinux b/config/rootfiles/core/78/filelists/i586/syslinux new file mode 120000 index 000000000..74a776d94 --- /dev/null +++ b/config/rootfiles/core/78/filelists/i586/syslinux @@ -0,0 +1 @@ +../../../../common/i586/syslinux \ No newline at end of file 
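Review bot: The follow-up script is written to the fixed, world-writable path `/tmp/pak_update` and then executed as root (`chmod +x /tmp/pak_update`, `/tmp/pak_update &`), so any local process that can pre-create or symlink that name before the updater runs gets its content executed with root privileges or can redirect the writes. The script already treats /opt/pakfire/tmp as its private working directory (ROOTFILES, files*), so writing the helper there, e.g. `PAK_UPDATE=/opt/pakfire/tmp/pak_update` and using `$PAK_UPDATE` in the echo, chmod and exec lines, removes the predictable /tmp name; the `killall -KILL pak_update` line should then match the new basename. Separately, the only free-space check on /boot runs after `rm -rf /boot/vmlinuz-*` and the new archive have already been applied, so on a full /boot the non-kirkwood branch logs "System is not bootable" and exits 4 instead of refusing to start; a `df /boot` free-space check next to the existing ROOTSPACE check would fail early while the old kernel is still in place. The xen branch at the top only checks the partition's total size, not its free space, so it does not cover this case either.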
diff --git a/src/scripts/backupiso b/src/scripts/backupiso
index dab1d6dc9..a340d6f14 100644
--- a/src/scripts/backupiso
+++ b/src/scripts/backupiso
@@ -60,6 +60,7 @@ echo "Running mkisofs"
 mkisofs -J -r -V "ipfire backup ${TS}" \
 -b boot/isolinux/isolinux.bin -no-emul-boot -boot-load-size 4 -boot-info-table \
 -c boot/isolinux/boot.catalog backupiso.${TS} > $(basename ${ISO} .iso)-${TS}.iso
+isohybrid $(basename ${ISO} .iso)-${TS}.iso
 echo "Cleaning up"
 rm -rf backupiso.${TS}
From f353972f3f84da9873f0512dc8810a20408fde2c Mon Sep 17 00:00:00 2001
From: Stefan Schantl
Date: Wed, 14 May 2014 19:52:06 +0200
Subject: [PATCH 19/38] Change update url for spDNS.de.
---
 src/scripts/setddns.pl | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/scripts/setddns.pl b/src/scripts/setddns.pl
index ef1176856..c1a6f5d06 100644
--- a/src/scripts/setddns.pl
+++ b/src/scripts/setddns.pl
@@ -415,7 +415,7 @@ if ($ip ne $ipcache) {
 $settings{'HOSTDOMAIN'} = "$settings{'HOSTNAME'}.$settings{'DOMAIN'}";
 }
- my ($out, $response) = Net::SSLeay::get_https( 'www.spdns.de', 443,
+ my ($out, $response) = Net::SSLeay::get_https( 'update.spdns.de', 443,
 "/nic/update?&hostname=$settings{'HOSTDOMAIN'}&myip=$ip",
 Net::SSLeay::make_headers('User-Agent' => 'IPFire' ,
 'Authorization' => 'Basic ' . encode_base64("$settings{'LOGIN'}:$settings{'PASSWORD'}"))
From 0a511b76938a036a46446ca5cf35a47482c39382 Mon Sep 17 00:00:00 2001
From: Michael Tremer
Date: Wed, 14 May 2014 20:02:55 +0200
Subject: [PATCH 20/38] ppp: Try longer to connect via PPPoE (60 seconds).
---
 lfs/ppp | 1 +
 .../ppp-2.4.6-increase-max-padi-attempts.patch | 13 +++++++++++++
 2 files changed, 14 insertions(+)
 create mode 100644 src/patches/ppp-2.4.6-increase-max-padi-attempts.patch
diff --git a/lfs/ppp b/lfs/ppp
index ba72f4c83..2e47fef4c 100644
--- a/lfs/ppp
+++ b/lfs/ppp
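Review bot: The new `isohybrid` line does not check its exit status, so if the tool fails or is missing the script carries on to "Cleaning up" and hands back a non-hybrid image as if the step had succeeded; unless the script runs under `set -e` (its header is outside this hunk), guard the call: `isohybrid "$(basename "${ISO}" .iso)-${TS}.iso" || exit 1`. The added quoting also keeps the command intact should `${ISO}` ever contain whitespace, which the surrounding mkisofs line does not defend against either.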
@@ -73,6 +73,7 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) @$(PREBUILD) @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar zxf $(DIR_DL)/$(DL_FILE) cd $(DIR_APP) && rm -f include/pcap-int.h include/linux/if_pppol2tp.h + cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/ppp-2.4.6-increase-max-padi-attempts.patch cd $(DIR_APP) && sed -i -e "s+/etc/ppp/connect-errors+/var/log/connect-errors+" pppd/pathnames.h cd $(DIR_APP) && ./configure --prefix=/usr --disable-nls cd $(DIR_APP) && make $(MAKETUNING) CC="gcc $(CFLAGS)" diff --git a/src/patches/ppp-2.4.6-increase-max-padi-attempts.patch b/src/patches/ppp-2.4.6-increase-max-padi-attempts.patch new file mode 100644 index 000000000..b09a9b52d --- /dev/null +++ b/src/patches/ppp-2.4.6-increase-max-padi-attempts.patch @@ -0,0 +1,13 @@ +diff --git a/pppd/plugins/rp-pppoe/pppoe.h b/pppd/plugins/rp-pppoe/pppoe.h +index 9ab2eee..86762bd 100644 +--- a/pppd/plugins/rp-pppoe/pppoe.h ++++ b/pppd/plugins/rp-pppoe/pppoe.h +@@ -148,7 +148,7 @@ extern UINT16_t Eth_PPPOE_Session; + #define STATE_TERMINATED 4 + + /* How many PADI/PADS attempts? */ +-#define MAX_PADI_ATTEMPTS 3 ++#define MAX_PADI_ATTEMPTS 12 + + /* Initial timeout for PADO/PADS */ + #define PADI_TIMEOUT 5 From 172c1f72c4034419063589ab83fa95df5e48ef70 Mon Sep 17 00:00:00 2001 
From: Michael Tremer Date: Wed, 14 May 2014 20:20:36 +0200 Subject: [PATCH 21/38] ppp: Import some more patches from Fedora. --- lfs/ppp | 8 +- ...e-compiler-flags-handed-to-us-by-rpm.patch | 121 +++++++++ ...-don-t-want-to-accidentally-leak-fds.patch | 143 +++++++++++ .../0013-everywhere-O_CLOEXEC-harder.patch | 241 ++++++++++++++++++ ...se-SOCK_CLOEXEC-when-creating-socket.patch | 174 +++++++++++++ ...ppp-2.4.6-increase-max-padi-attempts.patch | 0 6 files changed, 685 insertions(+), 2 deletions(-) create mode 100644 src/patches/ppp/0003-build-sys-utilize-compiler-flags-handed-to-us-by-rpm.patch create mode 100644 src/patches/ppp/0012-pppd-we-don-t-want-to-accidentally-leak-fds.patch create mode 100644 src/patches/ppp/0013-everywhere-O_CLOEXEC-harder.patch create mode 100644 src/patches/ppp/0014-everywhere-use-SOCK_CLOEXEC-when-creating-socket.patch rename src/patches/{ => ppp}/ppp-2.4.6-increase-max-padi-attempts.patch (100%) diff --git a/lfs/ppp b/lfs/ppp index 2e47fef4c..3c60938dc 100644 --- a/lfs/ppp +++ b/lfs/ppp 
@@ -73,10 +73,14 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
 @$(PREBUILD)
 @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar zxf $(DIR_DL)/$(DL_FILE)
 cd $(DIR_APP) && rm -f include/pcap-int.h include/linux/if_pppol2tp.h
- cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/ppp-2.4.6-increase-max-padi-attempts.patch
+ cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/ppp/0003-build-sys-utilize-compiler-flags-handed-to-us-by-rpm.patch
+ cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/ppp/0012-pppd-we-don-t-want-to-accidentally-leak-fds.patch
+ cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/ppp/0013-everywhere-O_CLOEXEC-harder.patch
+ cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/ppp/0014-everywhere-use-SOCK_CLOEXEC-when-creating-socket.patch
+ cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/ppp/ppp-2.4.6-increase-max-padi-attempts.patch
 cd $(DIR_APP) && sed -i -e "s+/etc/ppp/connect-errors+/var/log/connect-errors+" pppd/pathnames.h
 cd $(DIR_APP) && ./configure --prefix=/usr --disable-nls
- cd $(DIR_APP) && make $(MAKETUNING) CC="gcc $(CFLAGS)"
+ cd $(DIR_APP) && make $(MAKETUNING) CC="gcc" RPM_OPT_FLAGS="$(CFLAGS)"
 cd $(DIR_APP) && make install
 cd $(DIR_APP) && make install-etcppp
 touch /var/log/connect-errors
diff --git a/src/patches/ppp/0003-build-sys-utilize-compiler-flags-handed-to-us-by-rpm.patch b/src/patches/ppp/0003-build-sys-utilize-compiler-flags-handed-to-us-by-rpm.patch
new file mode 100644
index 000000000..4a43d444a
--- /dev/null
+++ b/src/patches/ppp/0003-build-sys-utilize-compiler-flags-handed-to-us-by-rpm.patch
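Review bot: Passing `RPM_OPT_FLAGS="$(CFLAGS)"` on the make line only reproduces the old build if the imported 0003 patch preserves every flag the upstream Makefiles set, and it does not: further down in this series the radius plugin hunk replaces `-O2 -fPIC` with `$(RPM_OPT_FLAGS)`, so radius.so, radattr.so and radrealms.so are now compiled without `-fPIC` unless IPFire's `$(CFLAGS)` already carries it (Config is not in view). On i586 that produces shared objects with text relocations; on armv5tel the link can fail outright. Either restore `-fPIC` for that plugin inside the patch or pass it explicitly here, e.g. `RPM_OPT_FLAGS="$(CFLAGS) -fPIC"`, at a small code-generation cost for the pppd binary itself. The same patch also drops `-O2 -g -pipe` from the other Makefiles, so an empty `$(CFLAGS)` would silently yield an unoptimized pppd; worth confirming the variable is always set.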
@@ -0,0 +1,121 @@
+From d729b06f0ac7a5ebd3648ef60bef0499b59bf82d Mon Sep 17 00:00:00 2001
+From: Michal Sekletar
+Date: Fri, 4 Apr 2014 11:29:39 +0200
+Subject: [PATCH 03/25] build-sys: utilize compiler flags handed to us by
+ rpmbuild
+
+---
+ chat/Makefile.linux | 2 +-
+ pppd/Makefile.linux | 3 +--
+ pppd/plugins/Makefile.linux | 2 +-
+ pppd/plugins/pppoatm/Makefile.linux | 2 +-
+ pppd/plugins/radius/Makefile.linux | 2 +-
+ pppd/plugins/rp-pppoe/Makefile.linux | 2 +-
+ pppdump/Makefile.linux | 2 +-
+ pppstats/Makefile.linux | 2 +-
+ 8 files changed, 8 insertions(+), 9 deletions(-)
+
+diff --git a/chat/Makefile.linux b/chat/Makefile.linux
+index 1065ac5..848cd8d 100644
+--- a/chat/Makefile.linux
++++ b/chat/Makefile.linux
+@@ -10,7 +10,7 @@ CDEF3= -UNO_SLEEP # Use the usleep function
+ CDEF4= -DFNDELAY=O_NDELAY # Old name value
+ CDEFS= $(CDEF1) $(CDEF2) $(CDEF3) $(CDEF4)
+
+-COPTS= -O2 -g -pipe
++COPTS= $(RPM_OPT_FLAGS)
+ CFLAGS= $(COPTS) $(CDEFS)
+
+ INSTALL= install
+diff --git a/pppd/Makefile.linux b/pppd/Makefile.linux
+index 5a44d30..63872eb 100644
+--- a/pppd/Makefile.linux
++++ b/pppd/Makefile.linux
+@@ -32,8 +32,7 @@ endif
+
+ CC = gcc
+ #
+-COPTS = -O2 -pipe -Wall -g
+-LIBS =
++COPTS = -Wall $(RPM_OPT_FLAGS)
+
+ # Uncomment the next 2 lines to include support for Microsoft's
+ # MS-CHAP authentication protocol. Also, edit plugins/radius/Makefile.linux.
+diff --git a/pppd/plugins/Makefile.linux b/pppd/plugins/Makefile.linux
+index 0a7ec7b..e09a369 100644
+--- a/pppd/plugins/Makefile.linux
++++ b/pppd/plugins/Makefile.linux
+@@ -1,5 +1,5 @@
+ #CC = gcc
+-COPTS = -O2 -g
++COPTS = $(RPM_OPT_FLAGS)
+ CFLAGS = $(COPTS) -I.. -I../../include -fPIC
+ LDFLAGS = -shared
+ INSTALL = install
+diff --git a/pppd/plugins/pppoatm/Makefile.linux b/pppd/plugins/pppoatm/Makefile.linux
+index 20f62e6..5a81447 100644
+--- a/pppd/plugins/pppoatm/Makefile.linux
++++ b/pppd/plugins/pppoatm/Makefile.linux
+@@ -1,5 +1,5 @@
+ #CC = gcc
+-COPTS = -O2 -g
++COPTS = $(RPM_OPT_FLAGS)
+ CFLAGS = $(COPTS) -I../.. -I../../../include -fPIC
+ LDFLAGS = -shared
+ INSTALL = install
+diff --git a/pppd/plugins/radius/Makefile.linux b/pppd/plugins/radius/Makefile.linux
+index 24ed3e5..45b3b8d 100644
+--- a/pppd/plugins/radius/Makefile.linux
++++ b/pppd/plugins/radius/Makefile.linux
+@@ -12,7 +12,7 @@ VERSION = $(shell awk -F '"' '/VERSION/ { print $$2; }' ../../patchlevel.h)
+ INSTALL = install
+
+ PLUGIN=radius.so radattr.so radrealms.so
+-CFLAGS=-I. -I../.. -I../../../include -O2 -fPIC -DRC_LOG_FACILITY=LOG_DAEMON
++CFLAGS=-I. -I../.. -I../../../include $(RPM_OPT_FLAGS) -DRC_LOG_FACILITY=LOG_DAEMON
+
+ # Uncomment the next line to include support for Microsoft's
+ # MS-CHAP authentication protocol.
+diff --git a/pppd/plugins/rp-pppoe/Makefile.linux b/pppd/plugins/rp-pppoe/Makefile.linux
+index 5d7a271..352991a 100644
+--- a/pppd/plugins/rp-pppoe/Makefile.linux
++++ b/pppd/plugins/rp-pppoe/Makefile.linux
+@@ -25,7 +25,7 @@ INSTALL = install
+ # Version is set ONLY IN THE MAKEFILE! Don't delete this!
+ RP_VERSION=3.8p
+
+-COPTS=-O2 -g
++COPTS=$(RPM_OPT_FLAGS)
+ CFLAGS=$(COPTS) -I../../../include '-DRP_VERSION="$(RP_VERSION)"'
+ all: rp-pppoe.so pppoe-discovery
+
+diff --git a/pppdump/Makefile.linux b/pppdump/Makefile.linux
+index ac028f6..d0a5032 100644
+--- a/pppdump/Makefile.linux
++++ b/pppdump/Makefile.linux
+@@ -2,7 +2,7 @@ DESTDIR = $(INSTROOT)@DESTDIR@
+ BINDIR = $(DESTDIR)/sbin
+ MANDIR = $(DESTDIR)/share/man/man8
+
+-CFLAGS= -O -I../include/net
++CFLAGS= $(RPM_OPT_FLAGS) -I../include/net
+ OBJS = pppdump.o bsd-comp.o deflate.o zlib.o
+
+ INSTALL= install
+diff --git a/pppstats/Makefile.linux b/pppstats/Makefile.linux
+index cca6f0f..42aba73 100644
+--- a/pppstats/Makefile.linux
++++ b/pppstats/Makefile.linux
+@@ -10,7 +10,7 @@ PPPSTATSRCS = pppstats.c
+ PPPSTATOBJS = pppstats.o
+
+ #CC = gcc
+-COPTS = -O
++COPTS = $(RPM_OPT_FLAGS)
+ COMPILE_FLAGS = -I../include
+ LIBS =
+
+--
+1.8.3.1
+
diff --git a/src/patches/ppp/0012-pppd-we-don-t-want-to-accidentally-leak-fds.patch b/src/patches/ppp/0012-pppd-we-don-t-want-to-accidentally-leak-fds.patch
new file mode 100644
index 000000000..90bb2d161
--- /dev/null
+++ b/src/patches/ppp/0012-pppd-we-don-t-want-to-accidentally-leak-fds.patch
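Review bot: The pppd/Makefile.linux hunk in this imported patch also drops the `-LIBS =` reset, which is unrelated to the compiler-flag change the patch subject describes. Without that line, a `LIBS` value present in the environment of the `make` call in `lfs/ppp` would be inherited into pppd's link step instead of being cleared, assuming the rest of that Makefile only appends to `LIBS` with `+=` (not visible here). Keeping `LIBS =` directly under the new `COPTS = -Wall $(RPM_OPT_FLAGS)` line costs nothing and keeps the committed patch limited to what its subject says; the same applies wherever this patch is refreshed from Fedora later.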
@@ -0,0 +1,143 @@ +From 82cd789df0f022eb6f3d28646e7a61d1d0715805 Mon Sep 17 00:00:00 2001 +From: Michal Sekletar +Date: Mon, 7 Apr 2014 12:23:36 +0200 +Subject: [PATCH 12/25] pppd: we don't want to accidentally leak fds + +--- + pppd/auth.c | 20 ++++++++++---------- + pppd/options.c | 2 +- + pppd/sys-linux.c | 4 ++-- + 3 files changed, 13 insertions(+), 13 deletions(-) + +diff --git a/pppd/auth.c b/pppd/auth.c +index 4271af6..9e957fa 100644 +--- a/pppd/auth.c ++++ b/pppd/auth.c +@@ -428,7 +428,7 @@ setupapfile(argv) + option_error("unable to reset uid before opening %s: %m", fname); + return 0; + } +- ufile = fopen(fname, "r"); ++ ufile = fopen(fname, "re"); + if (seteuid(euid) == -1) + fatal("unable to regain privileges: %m"); + if (ufile == NULL) { +@@ -1413,7 +1413,7 @@ check_passwd(unit, auser, userlen, apasswd, passwdlen, msg) + filename = _PATH_UPAPFILE; + addrs = opts = NULL; + ret = UPAP_AUTHNAK; +- f = fopen(filename, "r"); ++ f = fopen(filename, "re"); + if (f == NULL) { + error("Can't open PAP password file %s: %m", filename); + +@@ -1512,7 +1512,7 @@ null_login(unit) + if (ret <= 0) { + filename = _PATH_UPAPFILE; + addrs = NULL; +- f = fopen(filename, "r"); ++ f = fopen(filename, "re"); + if (f == NULL) + return 0; + check_access(f, filename); +@@ -1559,7 +1559,7 @@ get_pap_passwd(passwd) + } + + filename = _PATH_UPAPFILE; +- f = fopen(filename, "r"); ++ f = fopen(filename, "re"); + if (f == NULL) + return 0; + check_access(f, filename); +@@ -1597,7 +1597,7 @@ have_pap_secret(lacks_ipp) + } + + filename = _PATH_UPAPFILE; +- f = fopen(filename, "r"); ++ f = fopen(filename, "re"); + if (f == NULL) + return 0; + +@@ -1642,7 +1642,7 @@ have_chap_secret(client, server, need_ip, lacks_ipp) + } + + filename = _PATH_CHAPFILE; +- f = fopen(filename, "r"); ++ f = fopen(filename, "re"); + if (f == NULL) + return 0; + +@@ -1684,7 +1684,7 @@ have_srp_secret(client, server, need_ip, lacks_ipp) + struct wordlist *addrs; + + filename = _PATH_SRPFILE; +- f = 
fopen(filename, "r"); ++ f = fopen(filename, "re"); + if (f == NULL) + return 0; + +@@ -1740,7 +1740,7 @@ get_secret(unit, client, server, secret, secret_len, am_server) + addrs = NULL; + secbuf[0] = 0; + +- f = fopen(filename, "r"); ++ f = fopen(filename, "re"); + if (f == NULL) { + error("Can't open chap secret file %s: %m", filename); + return 0; +@@ -1797,7 +1797,7 @@ get_srp_secret(unit, client, server, secret, am_server) + filename = _PATH_SRPFILE; + addrs = NULL; + +- fp = fopen(filename, "r"); ++ fp = fopen(filename, "re"); + if (fp == NULL) { + error("Can't open srp secret file %s: %m", filename); + return 0; +@@ -2203,7 +2203,7 @@ scan_authfile(f, client, server, secret, addrs, opts, filename, flags) + */ + if (word[0] == '@' && word[1] == '/') { + strlcpy(atfile, word+1, sizeof(atfile)); +- if ((sf = fopen(atfile, "r")) == NULL) { ++ if ((sf = fopen(atfile, "re")) == NULL) { + warn("can't open indirect secret file %s", atfile); + continue; + } +diff --git a/pppd/options.c b/pppd/options.c +index 45fa742..1d754ae 100644 +--- a/pppd/options.c ++++ b/pppd/options.c +@@ -427,7 +427,7 @@ options_from_file(filename, must_exist, check_prot, priv) + option_error("unable to drop privileges to open %s: %m", filename); + return 0; + } +- f = fopen(filename, "r"); ++ f = fopen(filename, "re"); + err = errno; + if (check_prot && seteuid(euid) == -1) + fatal("unable to regain privileges"); +diff --git a/pppd/sys-linux.c b/pppd/sys-linux.c +index 72a7727..8a12fa0 100644 +--- a/pppd/sys-linux.c ++++ b/pppd/sys-linux.c +@@ -1412,7 +1412,7 @@ static char *path_to_procfs(const char *tail) + /* Default the mount location of /proc */ + strlcpy (proc_path, "/proc", sizeof(proc_path)); + proc_path_len = 5; +- fp = fopen(MOUNTED, "r"); ++ fp = fopen(MOUNTED, "re"); + if (fp != NULL) { + while ((mntent = getmntent(fp)) != NULL) { + if (strcmp(mntent->mnt_type, MNTTYPE_IGNORE) == 0) +@@ -1472,7 +1472,7 @@ static int open_route_table (void) + close_route_table(); + + path = 
path_to_procfs("/net/route"); +- route_fd = fopen (path, "r"); ++ route_fd = fopen (path, "re"); + if (route_fd == NULL) { + error("can't open routing table %s: %m", path); + return 0; +-- +1.8.3.1 + diff --git a/src/patches/ppp/0013-everywhere-O_CLOEXEC-harder.patch b/src/patches/ppp/0013-everywhere-O_CLOEXEC-harder.patch new file mode 100644 index 000000000..e3608a0d6 --- /dev/null +++ b/src/patches/ppp/0013-everywhere-O_CLOEXEC-harder.patch 
@@ -0,0 +1,241 @@ +From 302c1b736cb656c7885a0cba270fd953a672d8a8 Mon Sep 17 00:00:00 2001 +From: Michal Sekletar +Date: Mon, 7 Apr 2014 13:56:34 +0200 +Subject: [PATCH 13/25] everywhere: O_CLOEXEC harder + +--- + pppd/eap.c | 2 +- + pppd/main.c | 4 ++-- + pppd/options.c | 4 ++-- + pppd/sys-linux.c | 22 +++++++++++----------- + pppd/tdb.c | 4 ++-- + pppd/tty.c | 4 ++-- + pppd/utils.c | 6 +++--- + 7 files changed, 23 insertions(+), 23 deletions(-) + +diff --git a/pppd/eap.c b/pppd/eap.c +index 6ea6c1f..faced53 100644 +--- a/pppd/eap.c ++++ b/pppd/eap.c +@@ -1226,7 +1226,7 @@ mode_t modebits; + + if ((path = name_of_pn_file()) == NULL) + return (-1); +- fd = open(path, modebits, S_IRUSR | S_IWUSR); ++ fd = open(path, modebits, S_IRUSR | S_IWUSR | O_CLOEXEC); + err = errno; + free(path); + errno = err; +diff --git a/pppd/main.c b/pppd/main.c +index 6d50d1b..4880377 100644 +--- a/pppd/main.c ++++ b/pppd/main.c +@@ -420,7 +420,7 @@ main(argc, argv) + die(0); + + /* Make sure fds 0, 1, 2 are open to somewhere. 
*/ +- fd_devnull = open(_PATH_DEVNULL, O_RDWR); ++ fd_devnull = open(_PATH_DEVNULL, O_RDWR | O_CLOEXEC); + if (fd_devnull < 0) + fatal("Couldn't open %s: %m", _PATH_DEVNULL); + while (fd_devnull <= 2) { +@@ -1679,7 +1679,7 @@ device_script(program, in, out, dont_wait) + if (log_to_fd >= 0) + errfd = log_to_fd; + else +- errfd = open(_PATH_CONNERRS, O_WRONLY | O_APPEND | O_CREAT, 0600); ++ errfd = open(_PATH_CONNERRS, O_WRONLY | O_APPEND | O_CREAT | O_CLOEXEC, 0600); + + ++conn_running; + pid = safe_fork(in, out, errfd); +diff --git a/pppd/options.c b/pppd/options.c +index 1d754ae..8e62635 100644 +--- a/pppd/options.c ++++ b/pppd/options.c +@@ -1544,9 +1544,9 @@ setlogfile(argv) + option_error("unable to drop permissions to open %s: %m", *argv); + return 0; + } +- fd = open(*argv, O_WRONLY | O_APPEND | O_CREAT | O_EXCL, 0644); ++ fd = open(*argv, O_WRONLY | O_APPEND | O_CREAT | O_EXCL | O_CLOEXEC, 0644); + if (fd < 0 && errno == EEXIST) +- fd = open(*argv, O_WRONLY | O_APPEND); ++ fd = open(*argv, O_WRONLY | O_APPEND | O_CLOEXEC); + err = errno; + if (!privileged_option && seteuid(euid) == -1) + fatal("unable to regain privileges: %m"); +diff --git a/pppd/sys-linux.c b/pppd/sys-linux.c +index 8a12fa0..00a2cf5 100644 +--- a/pppd/sys-linux.c ++++ b/pppd/sys-linux.c +@@ -459,7 +459,7 @@ int generic_establish_ppp (int fd) + goto err; + } + dbglog("using channel %d", chindex); +- fd = open("/dev/ppp", O_RDWR); ++ fd = open("/dev/ppp", O_RDWR | O_CLOEXEC); + if (fd < 0) { + error("Couldn't reopen /dev/ppp: %m"); + goto err; +@@ -619,7 +619,7 @@ static int make_ppp_unit() + dbglog("in make_ppp_unit, already had /dev/ppp open?"); + close(ppp_dev_fd); + } +- ppp_dev_fd = open("/dev/ppp", O_RDWR); ++ ppp_dev_fd = open("/dev/ppp", O_RDWR | O_CLOEXEC); + if (ppp_dev_fd < 0) + fatal("Couldn't open /dev/ppp: %m"); + flags = fcntl(ppp_dev_fd, F_GETFL); +@@ -693,7 +693,7 @@ int bundle_attach(int ifnum) + if (!new_style_driver) + return -1; + +- master_fd = open("/dev/ppp", O_RDWR); 
++ master_fd = open("/dev/ppp", O_RDWR | O_CLOEXEC); + if (master_fd < 0) + fatal("Couldn't open /dev/ppp: %m"); + if (ioctl(master_fd, PPPIOCATTACH, &ifnum) < 0) { +@@ -1715,7 +1715,7 @@ int sifproxyarp (int unit, u_int32_t his_adr) + if (tune_kernel) { + forw_path = path_to_procfs("/sys/net/ipv4/ip_forward"); + if (forw_path != 0) { +- int fd = open(forw_path, O_WRONLY); ++ int fd = open(forw_path, O_WRONLY | O_CLOEXEC); + if (fd >= 0) { + if (write(fd, "1", 1) != 1) + error("Couldn't enable IP forwarding: %m"); +@@ -2030,7 +2030,7 @@ int ppp_available(void) + sscanf(utsname.release, "%d.%d.%d", &osmaj, &osmin, &ospatch); + kernel_version = KVERSION(osmaj, osmin, ospatch); + +- fd = open("/dev/ppp", O_RDWR); ++ fd = open("/dev/ppp", O_RDWR | O_CLOEXEC); + if (fd >= 0) { + new_style_driver = 1; + +@@ -2208,7 +2208,7 @@ void logwtmp (const char *line, const char *name, const char *host) + #if __GLIBC__ >= 2 + updwtmp(_PATH_WTMP, &ut); + #else +- wtmp = open(_PATH_WTMP, O_APPEND|O_WRONLY); ++ wtmp = open(_PATH_WTMP, O_APPEND|O_WRONLY|O_CLOEXEC); + if (wtmp >= 0) { + flock(wtmp, LOCK_EX); + +@@ -2394,7 +2394,7 @@ int sifaddr (int unit, u_int32_t our_adr, u_int32_t his_adr, + int fd; + + path = path_to_procfs("/sys/net/ipv4/ip_dynaddr"); +- if (path != 0 && (fd = open(path, O_WRONLY)) >= 0) { ++ if (path != 0 && (fd = open(path, O_WRONLY | O_CLOEXEC)) >= 0) { + if (write(fd, "1", 1) != 1) + error("Couldn't enable dynamic IP addressing: %m"); + close(fd); +@@ -2570,7 +2570,7 @@ get_pty(master_fdp, slave_fdp, slave_name, uid) + /* + * Try the unix98 way first. 
+ */ +- mfd = open("/dev/ptmx", O_RDWR); ++ mfd = open("/dev/ptmx", O_RDWR | O_CLOEXEC); + if (mfd >= 0) { + int ptn; + if (ioctl(mfd, TIOCGPTN, &ptn) >= 0) { +@@ -2581,7 +2581,7 @@ get_pty(master_fdp, slave_fdp, slave_name, uid) + if (ioctl(mfd, TIOCSPTLCK, &ptn) < 0) + warn("Couldn't unlock pty slave %s: %m", pty_name); + #endif +- if ((sfd = open(pty_name, O_RDWR | O_NOCTTY)) < 0) ++ if ((sfd = open(pty_name, O_RDWR | O_NOCTTY | O_CLOEXEC)) < 0) + warn("Couldn't open pty slave %s: %m", pty_name); + } + } +@@ -2592,10 +2592,10 @@ get_pty(master_fdp, slave_fdp, slave_name, uid) + for (i = 0; i < 64; ++i) { + slprintf(pty_name, sizeof(pty_name), "/dev/pty%c%x", + 'p' + i / 16, i % 16); +- mfd = open(pty_name, O_RDWR, 0); ++ mfd = open(pty_name, O_RDWR | O_CLOEXEC, 0); + if (mfd >= 0) { + pty_name[5] = 't'; +- sfd = open(pty_name, O_RDWR | O_NOCTTY, 0); ++ sfd = open(pty_name, O_RDWR | O_NOCTTY | O_CLOEXEC, 0); + if (sfd >= 0) { + fchown(sfd, uid, -1); + fchmod(sfd, S_IRUSR | S_IWUSR); +diff --git a/pppd/tdb.c b/pppd/tdb.c +index bdc5828..c7ab71c 100644 +--- a/pppd/tdb.c ++++ b/pppd/tdb.c +@@ -1724,7 +1724,7 @@ TDB_CONTEXT *tdb_open_ex(const char *name, int hash_size, int tdb_flags, + goto internal; + } + +- if ((tdb->fd = open(name, open_flags, mode)) == -1) { ++ if ((tdb->fd = open(name, open_flags | O_CLOEXEC, mode)) == -1) { + TDB_LOG((tdb, 5, "tdb_open_ex: could not open file %s: %s\n", + name, strerror(errno))); + goto fail; /* errno set by open(2) */ +@@ -1967,7 +1967,7 @@ int tdb_reopen(TDB_CONTEXT *tdb) + } + if (close(tdb->fd) != 0) + TDB_LOG((tdb, 0, "tdb_reopen: WARNING closing tdb->fd failed!\n")); +- tdb->fd = open(tdb->name, tdb->open_flags & ~(O_CREAT|O_TRUNC), 0); ++ tdb->fd = open(tdb->name, (tdb->open_flags & ~(O_CREAT|O_TRUNC)) | O_CLOEXEC, 0); + if (tdb->fd == -1) { + TDB_LOG((tdb, 0, "tdb_reopen: open failed (%s)\n", strerror(errno))); + goto fail; +diff --git a/pppd/tty.c b/pppd/tty.c +index d571b11..bc96695 100644 +--- a/pppd/tty.c ++++ 
b/pppd/tty.c +@@ -569,7 +569,7 @@ int connect_tty() + status = EXIT_OPEN_FAILED; + goto errret; + } +- real_ttyfd = open(devnam, O_NONBLOCK | O_RDWR, 0); ++ real_ttyfd = open(devnam, O_NONBLOCK | O_RDWR | O_CLOEXEC, 0); + err = errno; + if (prio < OPRIO_ROOT && seteuid(0) == -1) + fatal("Unable to regain privileges"); +@@ -723,7 +723,7 @@ int connect_tty() + if (connector == NULL && modem && devnam[0] != 0) { + int i; + for (;;) { +- if ((i = open(devnam, O_RDWR)) >= 0) ++ if ((i = open(devnam, O_RDWR | O_CLOEXEC)) >= 0) + break; + if (errno != EINTR) { + error("Failed to reopen %s: %m", devnam); +diff --git a/pppd/utils.c b/pppd/utils.c +index 29bf970..6051b9a 100644 +--- a/pppd/utils.c ++++ b/pppd/utils.c +@@ -918,14 +918,14 @@ lock(dev) + slprintf(lock_file, sizeof(lock_file), "%s/LCK..%s", LOCK_DIR, dev); + #endif + +- while ((fd = open(lock_file, O_EXCL | O_CREAT | O_RDWR, 0644)) < 0) { ++ while ((fd = open(lock_file, O_EXCL | O_CREAT | O_RDWR | O_CLOEXEC, 0644)) < 0) { + if (errno != EEXIST) { + error("Can't create lock file %s: %m", lock_file); + break; + } + + /* Read the lock file to find out who has the device locked. */ +- fd = open(lock_file, O_RDONLY, 0); ++ fd = open(lock_file, O_RDONLY | O_CLOEXEC, 0); + if (fd < 0) { + if (errno == ENOENT) /* This is just a timing problem. */ + continue; +@@ -1004,7 +1004,7 @@ relock(pid) + + if (lock_file[0] == 0) + return -1; +- fd = open(lock_file, O_WRONLY, 0); ++ fd = open(lock_file, O_WRONLY | O_CLOEXEC, 0); + if (fd < 0) { + error("Couldn't reopen lock file %s: %m", lock_file); + lock_file[0] = 0; +-- +1.8.3.1 + diff --git a/src/patches/ppp/0014-everywhere-use-SOCK_CLOEXEC-when-creating-socket.patch b/src/patches/ppp/0014-everywhere-use-SOCK_CLOEXEC-when-creating-socket.patch new file mode 100644 index 000000000..3475f09a8 --- /dev/null +++ b/src/patches/ppp/0014-everywhere-use-SOCK_CLOEXEC-when-creating-socket.patch 
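Review bot: In the eap.c hunk at the top of this patch, `O_CLOEXEC` is OR'd into the third argument of `open()` (the creation mode) rather than into the flags, so that descriptor stays inheritable across exec and the purpose of the patch is missed for this call; the mode argument is only consulted together with `O_CREAT` and `O_CLOEXEC` is not a permission bit, so as far as I can tell nothing flags the mistake at build or run time. The second argument, `modebits`, is what reaches the kernel as the open flags, so the line should read `fd = open(path, modebits | O_CLOEXEC, S_IRUSR | S_IWUSR);`. Every other hunk in this patch puts `O_CLOEXEC` on the flags argument, so this looks like a slip in the imported Fedora patch; since `lfs/ppp` applies this file as-is, it should be corrected in the copy committed here (and fed back upstream). The enclosing function in eap.c is not visible in the hunk.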
@@ -0,0 +1,174 @@ +From 2a97ab28ee00586e5f06b3ef3a0e43ea0c7c6499 Mon Sep 17 00:00:00 2001 +From: Michal Sekletar +Date: Mon, 7 Apr 2014 14:21:41 +0200 +Subject: [PATCH 14/25] everywhere: use SOCK_CLOEXEC when creating socket + +--- + pppd/plugins/pppoatm/pppoatm.c | 2 +- + pppd/plugins/pppol2tp/openl2tp.c | 2 +- + pppd/plugins/pppol2tp/pppol2tp.c | 2 +- + pppd/plugins/rp-pppoe/if.c | 2 +- + pppd/plugins/rp-pppoe/plugin.c | 6 +++--- + pppd/plugins/rp-pppoe/pppoe-discovery.c | 2 +- + pppd/sys-linux.c | 10 +++++----- + pppd/tty.c | 2 +- + 8 files changed, 14 insertions(+), 14 deletions(-) + +diff --git a/pppd/plugins/pppoatm/pppoatm.c b/pppd/plugins/pppoatm/pppoatm.c +index d693350..c31bb34 100644 +--- a/pppd/plugins/pppoatm/pppoatm.c ++++ b/pppd/plugins/pppoatm/pppoatm.c +@@ -135,7 +135,7 @@ static int connect_pppoatm(void) + + if (!device_got_set) + no_device_given_pppoatm(); +- fd = socket(AF_ATMPVC, SOCK_DGRAM, 0); ++ fd = socket(AF_ATMPVC, SOCK_DGRAM | SOCK_CLOEXEC, 0); + if (fd < 0) + fatal("failed to create socket: %m"); + memset(&qos, 0, sizeof qos); +diff --git a/pppd/plugins/pppol2tp/openl2tp.c b/pppd/plugins/pppol2tp/openl2tp.c +index 9643b96..1099575 100644 +--- a/pppd/plugins/pppol2tp/openl2tp.c ++++ b/pppd/plugins/pppol2tp/openl2tp.c +@@ -83,7 +83,7 @@ static int openl2tp_client_create(void) + int result; + + if (openl2tp_fd < 0) { +- openl2tp_fd = socket(PF_UNIX, SOCK_DGRAM, 0); ++ openl2tp_fd = socket(PF_UNIX, SOCK_DGRAM | SOCK_CLOEXEC, 0); + if (openl2tp_fd < 0) { + error("openl2tp connection create: %m"); + return -ENOTCONN; +diff --git a/pppd/plugins/pppol2tp/pppol2tp.c b/pppd/plugins/pppol2tp/pppol2tp.c +index a7e3400..e64a778 100644 +--- a/pppd/plugins/pppol2tp/pppol2tp.c ++++ b/pppd/plugins/pppol2tp/pppol2tp.c +@@ -208,7 +208,7 @@ static void send_config_pppol2tp(int mtu, + struct ifreq ifr; + int fd; + +- fd = socket(AF_INET, SOCK_DGRAM, 0); ++ fd = socket(AF_INET, SOCK_DGRAM | SOCK_CLOEXEC, 0); + if (fd >= 0) { + memset (&ifr, '\0', sizeof 
(ifr)); + strlcpy(ifr.ifr_name, ifname, sizeof(ifr.ifr_name)); +diff --git a/pppd/plugins/rp-pppoe/if.c b/pppd/plugins/rp-pppoe/if.c +index 91e9a57..72aba41 100644 +--- a/pppd/plugins/rp-pppoe/if.c ++++ b/pppd/plugins/rp-pppoe/if.c +@@ -116,7 +116,7 @@ openInterface(char const *ifname, UINT16_t type, unsigned char *hwaddr) + stype = SOCK_PACKET; + #endif + +- if ((fd = socket(domain, stype, htons(type))) < 0) { ++ if ((fd = socket(domain, stype | SOCK_CLOEXEC, htons(type))) < 0) { + /* Give a more helpful message for the common error case */ + if (errno == EPERM) { + fatal("Cannot create raw socket -- pppoe must be run as root."); +diff --git a/pppd/plugins/rp-pppoe/plugin.c b/pppd/plugins/rp-pppoe/plugin.c +index a8c2bb4..24bdf8f 100644 +--- a/pppd/plugins/rp-pppoe/plugin.c ++++ b/pppd/plugins/rp-pppoe/plugin.c +@@ -137,7 +137,7 @@ PPPOEConnectDevice(void) + /* server equipment). */ + /* Opening this socket just before waitForPADS in the discovery() */ + /* function would be more appropriate, but it would mess-up the code */ +- conn->sessionSocket = socket(AF_PPPOX, SOCK_STREAM, PX_PROTO_OE); ++ conn->sessionSocket = socket(AF_PPPOX, SOCK_STREAM | SOCK_CLOEXEC, PX_PROTO_OE); + if (conn->sessionSocket < 0) { + error("Failed to create PPPoE socket: %m"); + return -1; +@@ -148,7 +148,7 @@ PPPOEConnectDevice(void) + lcp_wantoptions[0].mru = conn->mru; + + /* Update maximum MRU */ +- s = socket(AF_INET, SOCK_DGRAM, 0); ++ s = socket(AF_INET, SOCK_DGRAM | SOCK_CLOEXEC, 0); + if (s < 0) { + error("Can't get MTU for %s: %m", conn->ifName); + goto errout; +@@ -320,7 +320,7 @@ PPPoEDevnameHook(char *cmd, char **argv, int doit) + } + + /* Open a socket */ +- if ((fd = socket(PF_PACKET, SOCK_RAW, 0)) < 0) { ++ if ((fd = socket(PF_PACKET, SOCK_RAW | SOCK_CLOEXEC, 0)) < 0) { + r = 0; + } + +diff --git a/pppd/plugins/rp-pppoe/pppoe-discovery.c b/pppd/plugins/rp-pppoe/pppoe-discovery.c +index 3d3bf4e..c0d927d 100644 +--- a/pppd/plugins/rp-pppoe/pppoe-discovery.c ++++ 
b/pppd/plugins/rp-pppoe/pppoe-discovery.c +@@ -121,7 +121,7 @@ openInterface(char const *ifname, UINT16_t type, unsigned char *hwaddr) + stype = SOCK_PACKET; + #endif + +- if ((fd = socket(domain, stype, htons(type))) < 0) { ++ if ((fd = socket(domain, stype | SOCK_CLOEXEC, htons(type))) < 0) { + /* Give a more helpful message for the common error case */ + if (errno == EPERM) { + rp_fatal("Cannot create raw socket -- pppoe must be run as root."); +diff --git a/pppd/sys-linux.c b/pppd/sys-linux.c +index 00a2cf5..0690019 100644 +--- a/pppd/sys-linux.c ++++ b/pppd/sys-linux.c +@@ -308,12 +308,12 @@ static int modify_flags(int fd, int clear_bits, int set_bits) + void sys_init(void) + { + /* Get an internet socket for doing socket ioctls. */ +- sock_fd = socket(AF_INET, SOCK_DGRAM, 0); ++ sock_fd = socket(AF_INET, SOCK_DGRAM | SOCK_CLOEXEC, 0); + if (sock_fd < 0) + fatal("Couldn't create IP socket: %m(%d)", errno); + + #ifdef INET6 +- sock6_fd = socket(AF_INET6, SOCK_DGRAM, 0); ++ sock6_fd = socket(AF_INET6, SOCK_DGRAM | SOCK_CLOEXEC, 0); + if (sock6_fd < 0) + sock6_fd = -errno; /* save errno for later */ + #endif +@@ -1857,7 +1857,7 @@ get_if_hwaddr(u_char *addr, char *name) + struct ifreq ifreq; + int ret, sock_fd; + +- sock_fd = socket(AF_INET, SOCK_DGRAM, 0); ++ sock_fd = socket(AF_INET, SOCK_DGRAM | SOCK_CLOEXEC, 0); + if (sock_fd < 0) + return 0; + memset(&ifreq.ifr_hwaddr, 0, sizeof(struct sockaddr)); +@@ -2067,7 +2067,7 @@ int ppp_available(void) + /* + * Open a socket for doing the ioctl operations. 
+ */ +- s = socket(AF_INET, SOCK_DGRAM, 0); ++ s = socket(AF_INET, SOCK_DGRAM | SOCK_CLOEXEC, 0); + if (s < 0) + return 0; + +@@ -2860,7 +2860,7 @@ ether_to_eui64(eui64_t *p_eui64) + int skfd; + const unsigned char *ptr; + +- skfd = socket(PF_INET6, SOCK_DGRAM, 0); ++ skfd = socket(PF_INET6, SOCK_DGRAM | SOCK_CLOEXEC, 0); + if(skfd == -1) + { + warn("could not open IPv6 socket"); +diff --git a/pppd/tty.c b/pppd/tty.c +index bc96695..8e76a5d 100644 +--- a/pppd/tty.c ++++ b/pppd/tty.c +@@ -896,7 +896,7 @@ open_socket(dest) + *sep = ':'; + + /* get a socket and connect it to the other end */ +- sock = socket(PF_INET, SOCK_STREAM, 0); ++ sock = socket(PF_INET, SOCK_STREAM | SOCK_CLOEXEC, 0); + if (sock < 0) { + error("Can't create socket: %m"); + return -1; +-- +1.8.3.1 + diff --git a/src/patches/ppp-2.4.6-increase-max-padi-attempts.patch b/src/patches/ppp/ppp-2.4.6-increase-max-padi-attempts.patch similarity index 100% rename from src/patches/ppp-2.4.6-increase-max-padi-attempts.patch rename to src/patches/ppp/ppp-2.4.6-increase-max-padi-attempts.patch From 28f44b83c32f72074bc75817698a2958119020bd Mon Sep 17 00:00:00 2001 From: Michael Tremer Date: Wed, 14 May 2014 20:31:12 +0200 Subject: [PATCH 22/38] core78: Don't remove the ipfire theme. --- config/rootfiles/core/78/update.sh | 3 --- 1 file changed, 3 deletions(-) diff --git a/config/rootfiles/core/78/update.sh b/config/rootfiles/core/78/update.sh index 0d5976111..cb9af9f24 100644 --- a/config/rootfiles/core/78/update.sh +++ b/config/rootfiles/core/78/update.sh @@ -135,9 +135,6 @@ esac /etc/init.d/ipsec stop /etc/init.d/apache stop -# Remove the old default theme -rm -rf /srv/web/ipfire/html/themes/ipfire - # rename /etc/modprobe.d files for i in $(find /etc/modprobe.d/* | grep -v ".conf"); do mv $i $i.conf From d3782f77ba9f3d4ead14cf22ac4ffe608e3114d7 Mon Sep 17 00:00:00 2001 
From: Michael Tremer Date: Wed, 14 May 2014 20:33:33 +0200 Subject: [PATCH 23/38] core78: Add all recently changes files and packages. --- config/rootfiles/core/78/filelists/files | 7 +++++++ config/rootfiles/core/78/filelists/openvpn | 1 + config/rootfiles/core/78/filelists/ppp | 1 + config/rootfiles/core/78/filelists/snort | 1 + config/rootfiles/core/78/filelists/squid | 1 + config/rootfiles/core/78/filelists/vnstat | 1 + 6 files changed, 12 insertions(+) create mode 120000 config/rootfiles/core/78/filelists/openvpn create mode 120000 config/rootfiles/core/78/filelists/ppp create mode 120000 config/rootfiles/core/78/filelists/snort create mode 120000 config/rootfiles/core/78/filelists/squid create mode 120000 config/rootfiles/core/78/filelists/vnstat diff --git a/config/rootfiles/core/78/filelists/files b/config/rootfiles/core/78/filelists/files index 409e5fe8a..335d57be6 100644 --- a/config/rootfiles/core/78/filelists/files +++ b/config/rootfiles/core/78/filelists/files @@ -1,2 +1,9 @@ etc/system-release etc/issue +srv/web/ipfire/cgi-bin/logs.cgi/firewalllogcountry.dat +srv/web/ipfire/cgi-bin/logs.cgi/showrequestfromcountry.dat +srv/web/ipfire/cgi-bin/modem-status.cgi +srv/web/ipfire/cgi-bin/proxy.cgi +var/ipfire/langs +var/ipfire/menu.d/20-status.menu +var/ipfire/menu.d/70-log.menu diff --git a/config/rootfiles/core/78/filelists/openvpn b/config/rootfiles/core/78/filelists/openvpn new file mode 120000 index 000000000..493f3f7a4 --- /dev/null +++ b/config/rootfiles/core/78/filelists/openvpn @@ -0,0 +1 @@ +../../../common/openvpn \ No newline at end of file diff --git a/config/rootfiles/core/78/filelists/ppp b/config/rootfiles/core/78/filelists/ppp new file mode 120000 index 000000000..4844a9b58 --- /dev/null +++ b/config/rootfiles/core/78/filelists/ppp @@ -0,0 +1 @@ +../../../common/ppp \ No newline at end of file diff --git a/config/rootfiles/core/78/filelists/snort b/config/rootfiles/core/78/filelists/snort new file mode 120000 index 000000000..9406ce01c 
--- /dev/null +++ b/config/rootfiles/core/78/filelists/snort @@ -0,0 +1 @@ +../../../common/snort \ No newline at end of file diff --git a/config/rootfiles/core/78/filelists/squid b/config/rootfiles/core/78/filelists/squid new file mode 120000 index 000000000..2dc8372a0 --- /dev/null +++ b/config/rootfiles/core/78/filelists/squid @@ -0,0 +1 @@ +../../../common/squid \ No newline at end of file diff --git a/config/rootfiles/core/78/filelists/vnstat b/config/rootfiles/core/78/filelists/vnstat new file mode 120000 index 000000000..2e2e6100b --- /dev/null +++ b/config/rootfiles/core/78/filelists/vnstat @@ -0,0 +1 @@ +../../../common/vnstat \ No newline at end of file From cf910b536ade7b4bc03267d0d04cb4ddda815d5f Mon Sep 17 00:00:00 2001 From: Michael Tremer Date: Wed, 14 May 2014 20:39:36 +0200 Subject: [PATCH 24/38] daq: Update to version 2.0.2. --- config/rootfiles/common/daq | 2 +- config/rootfiles/core/78/filelists/daq | 1 + lfs/daq | 4 ++-- 3 files changed, 4 insertions(+), 3 deletions(-) create mode 120000 config/rootfiles/core/78/filelists/daq diff --git a/config/rootfiles/common/daq b/config/rootfiles/common/daq index 4467545ae..b8a9fd4ac 100644 --- a/config/rootfiles/common/daq +++ b/config/rootfiles/common/daq @@ -21,7 +21,7 @@ usr/lib/daq #usr/lib/libdaq.la #usr/lib/libdaq.so usr/lib/libdaq.so.2 -usr/lib/libdaq.so.2.0.1 +usr/lib/libdaq.so.2.0.2 #usr/lib/libdaq_static.a #usr/lib/libdaq_static.la #usr/lib/libdaq_static_modules.a diff --git a/config/rootfiles/core/78/filelists/daq b/config/rootfiles/core/78/filelists/daq new file mode 120000 index 000000000..d0e0956f2 --- /dev/null +++ b/config/rootfiles/core/78/filelists/daq @@ -0,0 +1 @@ +../../../common/daq \ No newline at end of file diff --git a/lfs/daq b/lfs/daq index e6fd8fbdf..fa8f2a89c 100644 --- a/lfs/daq +++ b/lfs/daq @@ -24,7 +24,7 @@ include Config -VER = 2.0.1 +VER = 2.0.2 THISAPP = daq-$(VER) DL_FILE = $(THISAPP).tar.gz 
@@ -40,7 +40,7 @@ objects = $(DL_FILE) $(DL_FILE) = $(DL_FROM)/$(DL_FILE) -$(DL_FILE)_MD5 = 044aa3663d44580d005293eeb8ccf175 +$(DL_FILE)_MD5 = 865bf9b750a2a2ca632591a3c70b0ea0 install : $(TARGET) From b7ca4506502a50776ddfb65b446ac73c85797cc3 Mon Sep 17 00:00:00 2001 From: Michael Tremer Date: Wed, 14 May 2014 20:42:41 +0200 Subject: [PATCH 25/38] core78: Add OpenVPN changes. --- config/rootfiles/core/78/filelists/files | 2 ++ 1 file changed, 2 insertions(+) diff --git a/config/rootfiles/core/78/filelists/files b/config/rootfiles/core/78/filelists/files index 335d57be6..3fbe8b191 100644 --- a/config/rootfiles/core/78/filelists/files +++ b/config/rootfiles/core/78/filelists/files @@ -3,7 +3,9 @@ etc/issue srv/web/ipfire/cgi-bin/logs.cgi/firewalllogcountry.dat srv/web/ipfire/cgi-bin/logs.cgi/showrequestfromcountry.dat srv/web/ipfire/cgi-bin/modem-status.cgi +srv/web/ipfire/cgi-bin/ovpnmain.cgi srv/web/ipfire/cgi-bin/proxy.cgi var/ipfire/langs var/ipfire/menu.d/20-status.menu var/ipfire/menu.d/70-log.menu +var/ipfire/ovpn/openssl/ovpn.cnf From f527e53f54c8d908340e2102d983297392db1938 Mon Sep 17 00:00:00 2001 From: Erik Kapfer Date: Wed, 14 May 2014 19:37:15 +0200 Subject: [PATCH 26/38] ovpn_fixes: Fixed some typos and strcture. Fixes #10462#c21. Conflicts: html/cgi-bin/ovpnmain.cgi langs/de/cgi-bin/de.pl langs/en/cgi-bin/en.pl --- doc/language_issues.de | 1 + doc/language_issues.en | 1 + doc/language_issues.es | 4 +- doc/language_issues.fr | 4 +- doc/language_issues.nl | 4 +- doc/language_issues.pl | 4 +- doc/language_issues.ru | 4 +- doc/language_issues.tr | 4 +- doc/language_missings | 12 ++ html/cgi-bin/ovpnmain.cgi | 269 ++++++++++++++++---------------------- langs/de/cgi-bin/de.pl | 7 +- langs/en/cgi-bin/en.pl | 7 +- 12 files changed, 154 insertions(+), 167 deletions(-) diff --git a/doc/language_issues.de b/doc/language_issues.de index a00e97a05..650d41552 100644 --- a/doc/language_issues.de +++ b/doc/language_issues.de 
@@ -410,6 +410,7 @@ WARNING: translation string unused: outgoing firewall warning WARNING: translation string unused: override mtu WARNING: translation string unused: ovpn config WARNING: translation string unused: ovpn dl +WARNING: translation string unused: ovpn engines WARNING: translation string unused: ovpn log WARNING: translation string unused: ovpn reneg sec WARNING: translation string unused: ovpn_fastio diff --git a/doc/language_issues.en b/doc/language_issues.en index ba7f0307d..732e2aa57 100644 --- a/doc/language_issues.en +++ b/doc/language_issues.en @@ -437,6 +437,7 @@ WARNING: translation string unused: outgoing firewall warning WARNING: translation string unused: override mtu WARNING: translation string unused: ovpn config WARNING: translation string unused: ovpn dl +WARNING: translation string unused: ovpn engines WARNING: translation string unused: ovpn log WARNING: translation string unused: ovpn reneg sec WARNING: translation string unused: ovpn_fastio diff --git a/doc/language_issues.es b/doc/language_issues.es index 54cb32e98..e13636b9f 100644 --- a/doc/language_issues.es +++ b/doc/language_issues.es @@ -575,6 +575,7 @@ WARNING: untranslated string: ConnSched reboot WARNING: untranslated string: ConnSched shutdown WARNING: untranslated string: MB read WARNING: untranslated string: MB written +WARNING: untranslated string: MTU settings WARNING: untranslated string: Number of Countries for the pie chart WARNING: untranslated string: Scan for Songs WARNING: untranslated string: Set time on boot 
@@ -874,8 +875,9 @@ WARNING: untranslated string: outgoing firewall p2p allow WARNING: untranslated string: outgoing firewall p2p deny WARNING: untranslated string: ovpn crypt options WARNING: untranslated string: ovpn dh +WARNING: untranslated string: ovpn dh new key +WARNING: untranslated string: ovpn dh parameters WARNING: untranslated string: ovpn dh upload -WARNING: untranslated string: ovpn engines WARNING: untranslated string: ovpn errmsg green already pushed WARNING: untranslated string: ovpn errmsg invalid ip or mask WARNING: untranslated string: ovpn generating the root and host certificates diff --git a/doc/language_issues.fr b/doc/language_issues.fr index 0386f243c..759c18d58 100644 --- a/doc/language_issues.fr +++ b/doc/language_issues.fr @@ -586,6 +586,7 @@ WARNING: untranslated string: ConnSched reboot WARNING: untranslated string: ConnSched shutdown WARNING: untranslated string: MB read WARNING: untranslated string: MB written +WARNING: untranslated string: MTU settings WARNING: untranslated string: Number of Countries for the pie chart WARNING: untranslated string: Scan for Songs WARNING: untranslated string: addons @@ -885,8 +886,9 @@ WARNING: untranslated string: other WARNING: untranslated string: outgoing firewall access WARNING: untranslated string: ovpn crypt options WARNING: untranslated string: ovpn dh +WARNING: untranslated string: ovpn dh new key +WARNING: untranslated string: ovpn dh parameters WARNING: untranslated string: ovpn dh upload -WARNING: untranslated string: ovpn engines WARNING: untranslated string: ovpn generating the root and host certificates WARNING: untranslated string: ovpn ha WARNING: untranslated string: ovpn hmac diff --git a/doc/language_issues.nl b/doc/language_issues.nl index 7c6f729dd..c1173f781 100644 --- a/doc/language_issues.nl +++ b/doc/language_issues.nl 
@@ -644,6 +644,7 @@ WARNING: translation string unused: xtaccess all error
 WARNING: translation string unused: xtaccess bad transfert
 WARNING: translation string unused: year-graph
 WARNING: translation string unused: yearly firewallhits
+WARNING: untranslated string: MTU settings
 WARNING: untranslated string: Number of Countries for the pie chart
 WARNING: untranslated string: Scan for Songs
 WARNING: untranslated string: atm device
@@ -678,8 +679,9 @@ WARNING: untranslated string: monitor interface
 WARNING: untranslated string: not a valid dh key
 WARNING: untranslated string: ovpn crypt options
 WARNING: untranslated string: ovpn dh
+WARNING: untranslated string: ovpn dh new key
+WARNING: untranslated string: ovpn dh parameters
 WARNING: untranslated string: ovpn dh upload
-WARNING: untranslated string: ovpn engines
 WARNING: untranslated string: ovpn generating the root and host certificates
 WARNING: untranslated string: ovpn ha
 WARNING: untranslated string: ovpn hmac
diff --git a/doc/language_issues.pl b/doc/language_issues.pl
index 54cb32e98..e13636b9f 100644
--- a/doc/language_issues.pl
+++ b/doc/language_issues.pl
@@ -575,6 +575,7 @@ WARNING: untranslated string: ConnSched reboot
 WARNING: untranslated string: ConnSched shutdown
 WARNING: untranslated string: MB read
 WARNING: untranslated string: MB written
+WARNING: untranslated string: MTU settings
 WARNING: untranslated string: Number of Countries for the pie chart
 WARNING: untranslated string: Scan for Songs
 WARNING: untranslated string: Set time on boot
@@ -874,8 +875,9 @@ WARNING: untranslated string: outgoing firewall p2p allow
 WARNING: untranslated string: outgoing firewall p2p deny
 WARNING: untranslated string: ovpn crypt options
 WARNING: untranslated string: ovpn dh
+WARNING: untranslated string: ovpn dh new key
+WARNING: untranslated string: ovpn dh parameters
 WARNING: untranslated string: ovpn dh upload
-WARNING: untranslated string: ovpn engines
 WARNING: untranslated string: ovpn errmsg green already pushed
 WARNING: untranslated string: ovpn errmsg invalid ip or mask
 WARNING: untranslated string: ovpn generating the root and host certificates
diff --git a/doc/language_issues.ru b/doc/language_issues.ru
index c7c39ec98..0589067d0 100644
--- a/doc/language_issues.ru
+++ b/doc/language_issues.ru
@@ -579,6 +579,7 @@ WARNING: untranslated string: ConnSched shutdown
 WARNING: untranslated string: Edit an existing route
 WARNING: untranslated string: MB read
 WARNING: untranslated string: MB written
+WARNING: untranslated string: MTU settings
 WARNING: untranslated string: Number of Countries for the pie chart
 WARNING: untranslated string: Scan for Songs
 WARNING: untranslated string: addons
@@ -869,8 +870,9 @@ WARNING: untranslated string: outgoing firewall access
 WARNING: untranslated string: outgoing traffic in bytes per second
 WARNING: untranslated string: ovpn crypt options
 WARNING: untranslated string: ovpn dh
+WARNING: untranslated string: ovpn dh new key
+WARNING: untranslated string: ovpn dh parameters
 WARNING: untranslated string: ovpn dh upload
-WARNING: untranslated string: ovpn engines
 WARNING: untranslated string: ovpn generating the root and host certificates
 WARNING: untranslated string: ovpn ha
 WARNING: untranslated string: ovpn hmac
diff --git a/doc/language_issues.tr b/doc/language_issues.tr
index 06cacf10f..2d9ebf7ce 100644
--- a/doc/language_issues.tr
+++ b/doc/language_issues.tr
@@ -643,6 +643,7 @@ WARNING: translation string unused: xtaccess all error
 WARNING: translation string unused: xtaccess bad transfert
 WARNING: translation string unused: year-graph
 WARNING: translation string unused: yearly firewallhits
+WARNING: untranslated string: MTU settings
 WARNING: untranslated string: Number of Countries for the pie chart
 WARNING: untranslated string: Scan for Songs
 WARNING: untranslated string: bytes
@@ -674,8 +675,9 @@ WARNING: untranslated string: monitor interface
 WARNING: untranslated string: not a valid dh key
 WARNING: untranslated string: ovpn crypt options
 WARNING: untranslated string: ovpn dh
+WARNING: untranslated string: ovpn dh new key
+WARNING: untranslated string: ovpn dh parameters
 WARNING: untranslated string: ovpn dh upload
-WARNING: untranslated string: ovpn engines
 WARNING: untranslated string: ovpn generating the root and host certificates
 WARNING: untranslated string: ovpn ha
 WARNING: untranslated string: ovpn hmac
diff --git a/doc/language_missings b/doc/language_missings
index d25ea40f8..7a5546008 100644
--- a/doc/language_missings
+++ b/doc/language_missings
@@ -341,6 +341,7 @@
 < modem sim information
 < modem status
 < most preferred
+< MTU settings
 < never
 < no hardware random number generator
 < not a valid dh key
@@ -364,6 +365,8 @@
 < outgoing firewall access
 < ovpn crypt options
 < ovpn dh
+< ovpn dh new key
+< ovpn dh parameters
 < ovpn dh upload
 < ovpn engines
 < ovpn generating the root and host certificates
@@ -853,6 +856,7 @@
 < modem sim information
 < modem status
 < most preferred
+< MTU settings
 < never
 < no hardware random number generator
 < not a valid dh key
@@ -888,6 +892,8 @@
 < outgoing firewall view group
 < ovpn crypt options
 < ovpn dh
+< ovpn dh new key
+< ovpn dh parameters
 < ovpn dh upload
 < ovpn engines
 < ovpn errmsg green already pushed
@@ -1349,6 +1355,7 @@
 < modem sim information
 < modem status
 < most preferred
+< MTU settings
 < never
 < no hardware random number generator
 < not a valid dh key
@@ -1370,6 +1377,8 @@ < outgoing firewall access < ovpn crypt options < ovpn dh +< ovpn dh new key +< ovpn dh parameters < ovpn dh upload < ovpn engines < ovpn errmsg green already pushed @@ -1837,6 +1846,7 @@ < modem status < month-graph < most preferred +< MTU settings < never < no hardware random number generator < not a valid dh key @@ -1859,6 +1869,8 @@ < outgoing traffic in bytes per second < ovpn crypt options < ovpn dh +< ovpn dh new key +< ovpn dh parameters < ovpn dh upload < ovpn engines < ovpn generating the root and host certificates diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi index df5f9ece2..5b2c74054 100644 --- a/html/cgi-bin/ovpnmain.cgi +++ b/html/cgi-bin/ovpnmain.cgi @@ -19,6 +19,7 @@ # # ############################################################################### ### +# Based on IPFireCore 77 ### use CGI; use CGI qw/:standard/; @@ -92,7 +93,6 @@ $cgiparams{'PMTU_DISCOVERY'} = ''; $cgiparams{'DCIPHER'} = ''; $cgiparams{'DAUTH'} = ''; $cgiparams{'TLSAUTH'} = ''; -$cgiparams{'ENGINES'} = ''; $routes_push_file = "${General::swroot}/ovpn/routes_push"; unless (-e $routes_push_file) { system("touch $routes_push_file"); } unless (-e "${General::swroot}/ovpn/ccd.conf") { system("touch ${General::swroot}/ovpn/ccd.conf"); } @@ -371,11 +371,6 @@ sub writeserverconf { if ($sovpnsettings{'TLSAUTH'} eq 'on') { print CONF "tls-auth ${General::swroot}/ovpn/ca/ta.key 0\n"; } - if ($sovpnsettings{ENGINES} eq 'disabled') { - print CONF ""; - } else { - print CONF "engine $sovpnsettings{ENGINES}\n"; - } if ($sovpnsettings{DCOMPLZO} eq 'on') { print CONF "comp-lzo\n"; } @@ -796,7 +791,6 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'save-adv-options'}) { $vpnsettings{'PMTU_DISCOVERY'} = $cgiparams{'PMTU_DISCOVERY'}; $vpnsettings{'DAUTH'} = $cgiparams{'DAUTH'}; $vpnsettings{'TLSAUTH'} = $cgiparams{'TLSAUTH'}; - $vpnsettings{'ENGINES'} = $cgiparams{'ENGINES'}; my @temp=(); if ($cgiparams{'FRAGMENT'} eq '') { 
@@ -1008,12 +1002,6 @@ unless(-d "${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}"){mkdir "${General print SERVERCONF "# HMAC algorithm\n"; print SERVERCONF "auth $cgiparams{'DAUTH'}\n"; } - if ($cgiparams{'ENGINES'} eq 'disabled') { - print SERVERCONF ""; - } else { - print SERVERCONF "# Crypto engine\n"; - print SERVERCONF "engine $cgiparams{'ENGINES'}\n"; - } if ($cgiparams{'COMPLZO'} eq 'on') { print SERVERCONF "# Enable Compression\n"; print SERVERCONF "comp-lzo\r\n"; @@ -1109,12 +1097,6 @@ unless(-d "${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}"){mkdir "${General print CLIENTCONF "# HMAC algorithm\n"; print CLIENTCONF "auth $cgiparams{'DAUTH'}\n"; } - if ($cgiparams{'ENGINES'} eq 'disabled') { - print CLIENTCONF ""; - } else { - print CLIENTCONF "# Crypto engine\n"; - print CLIENTCONF "engine $cgiparams{'ENGINES'}\n"; - } if ($cgiparams{'COMPLZO'} eq 'on') { print CLIENTCONF "# Enable Compression\n"; print CLIENTCONF "comp-lzo\r\n"; @@ -1299,7 +1281,6 @@ SETTINGS_ERROR: @@ -1343,7 +1324,7 @@ END print < - + @@ -2539,6 +2520,12 @@ ADV_ERROR: if ($cgiparams{'TLSAUTH'} eq '') { $cgiparams{'TLSAUTH'} = 'off'; } + if ($cgiparams{'DAUTH'} eq '') { + $cgiparams{'DAUTH'} = 'SHA1'; + } + if ($cgiparams{'TLSAUTH'} eq '') { + $cgiparams{'TLSAUTH'} = 'off'; + } $checked{'CLIENT2CLIENT'}{'off'} = ''; $checked{'CLIENT2CLIENT'}{'on'} = ''; $checked{'CLIENT2CLIENT'}{$cgiparams{'CLIENT2CLIENT'}} = 'CHECKED'; @@ -2571,13 +2558,7 @@ ADV_ERROR: $checked{'TLSAUTH'}{'off'} = ''; $checked{'TLSAUTH'}{'on'} = ''; $checked{'TLSAUTH'}{$cgiparams{'TLSAUTH'}} = 'CHECKED'; - $selected{'ENGINES'}{'cryptodev'} = ''; - $selected{'ENGINES'}{'dynamic'} = ''; - $selected{'ENGINES'}{'aesni'} = ''; - $selected{'ENGINES'}{'padlock'} = ''; - $selected{'ENGINES'}{'disabled'} = ''; - $selected{'ENGINES'}{$cgiparams{'ENGINES'}} = 'SELECTED'; - + &Header::showhttpheaders(); &Header::openpage($Lang::tr{'status ovpn'}, 1, ''); &Header::openbigbox('100%', 'LEFT', '', $errormessage); 
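Review bot: The defaulting block added in the @@ -2539 hunk repeats the `TLSAUTH` check that is already the hunk's leading context, so the second `if ($cgiparams{'TLSAUTH'} eq '') { $cgiparams{'TLSAUTH'} = 'off'; }` is dead duplication and only the `DAUTH` default is actually new; drop the repeated TLSAUTH block. The `'SHA1'` default literal is now spelled out here and again in the @@ -4380 hunk of the same file, so a single file-level default would keep the two paths from drifting when the HMAC default is eventually raised. The enclosing block under the `ADV_ERROR:` label starts outside the hunk.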
@@ -2719,18 +2700,6 @@ print < - - - - -
   $Lang::tr{'hostname'}: *
- $Lang::tr{'capswarning'}: $Lang::tr{'capswarning'}: $Lang::tr{'resetting the vpn configuration will remove the root ca, the host certificate and all certificate based connections'}
$Lang::tr{'ovpn dh'}:Default: SHA1 (160 $Lang::tr{'bit'})
$Lang::tr{'ovpn engines'} - Default: $Lang::tr{'disabled'}
@@ -3301,8 +3270,7 @@ my @n2nremsub = split(/ /, (grep { /^route/ } @firen2nconf)[0]); my @n2nmgmt = split(/ /, (grep { /^management/ } @firen2nconf)[0]); my @n2nlocalsub = split(/ /, (grep { /^# remsub/ } @firen2nconf)[0]); my @n2ncipher = split(/ /, (grep { /^cipher/ } @firen2nconf)[0]); -my @n2nauth = split(/ /, (grep { /^auth/ } @firen2nconf)[0]); -my @n2nengine = split(/ /, (grep { /^engine/ } @firen2nconf)[0]);; +my @n2nauth = split(/ /, (grep { /^auth/ } @firen2nconf)[0]);; ### # m.a.d delete CR and LF from arrays for this chomp doesnt work @@ -3323,7 +3291,6 @@ $n2nmgmt[2] =~ s/\n|\r//g; $n2nmtudisc[1] =~ s/\n|\r//g; $n2ncipher[1] =~ s/\n|\r//g; $n2nauth[1] =~ s/\n|\r//g; -$n2nengine[1] =~ s/\n|\r//g; chomp ($complzoactive); chomp ($mssfixactive); @@ -3542,7 +3509,6 @@ if ($confighash{$cgiparams{'KEY'}}) { $cgiparams{'DAUTH'} = $confighash{$cgiparams{'KEY'}}[39]; $cgiparams{'DCIPHER'} = $confighash{$cgiparams{'KEY'}}[40]; $cgiparams{'TLSAUTH'} = $confighash{$cgiparams{'KEY'}}[41]; - $cgiparams{'ENGINES'} = $confighash{$cgiparams{'KEY'}}[42]; } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'save'}) { $cgiparams{'REMARK'} = &Header::cleanhtml($cgiparams{'REMARK'}); @@ -4268,7 +4234,6 @@ if ($cgiparams{'TYPE'} eq 'net') { $confighash{$key}[38] = $cgiparams{'PMTU_DISCOVERY'}; $confighash{$key}[39] = $cgiparams{'DAUTH'}; $confighash{$key}[40] = $cgiparams{'DCIPHER'}; - $confighash{$key}[42] = $cgiparams{'ENGINES'}; &General::writehasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash); @@ -4380,7 +4345,6 @@ if ($cgiparams{'TYPE'} eq 'net') { $cgiparams{'FRAGMENT'} = '1300'; $cgiparams{'PMTU_DISCOVERY'} = 'off'; $cgiparams{'DAUTH'} = 'SHA1'; - $cgiparams{'ENGINES'} = 'disabled'; ### # m.a.d n2n end ### 
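Review bot: The rewritten `@n2nauth` line in the @@ -3301 hunk ends in a doubled semicolon, `my @n2nauth = split(/ /, (grep { /^auth/ } @firen2nconf)[0]);;`, inherited from the removed `@n2nengine` line; it is harmless to Perl but reads as an editing leftover and should end in a single `);`. In the @@ -4268 hunk slot `$confighash{$key}[42]` is no longer written, but as far as the hunk shows nothing clears it in rows saved by older versions, so a comment on the indices around it marking 42 as retired would stop the slot being reused for a different field while stale engine names may still sit there.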
@@ -4479,18 +4443,6 @@ if ($cgiparams{'TYPE'} eq 'net') { } $selected{'DAUTH'}{$cgiparams{'DAUTH'}} = 'SELECTED'; - $selected{'ENGINES'}{'disabled'} = ''; - $selected{'ENGINES'}{'cryptodev'} = ''; - $selected{'ENGINES'}{'dynamic'} = ''; - $selected{'ENGINES'}{'aesni'} = ''; - $selected{'ENGINES'}{'padlock'} = ''; - # If no engine has been choosen yet, select - # a default one (disabled). - if ($cgiparams{'ENGINES'} eq '') { - $cgiparams{'ENGINES'} = 'disabled'; - } - $selected{'ENGINES'}{$cgiparams{'ENGINES'}} = 'SELECTED'; - if (1) { &Header::showhttpheaders(); &Header::openpage($Lang::tr{'ovpn'}, 1, ''); @@ -4547,100 +4499,66 @@ if ($cgiparams{'TYPE'} eq 'net') { } print <  - + + + - - + + + - - + + - - + + + - - + + - - + + + + + + + - - - + + + - - - + + + + + - - + + + + - - - + + + + - - + + + + - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + END ; } @@ -5025,13 +4979,6 @@ END $selected{'DAUTH'}{'SHA1'} = ''; $selected{'DAUTH'}{$cgiparams{'DAUTH'}} = 'SELECTED'; - $selected{'ENGINES'}{'cryptodev'} = ''; - $selected{'ENGINES'}{'dynamic'} = ''; - $selected{'ENGINES'}{'aesni'} = ''; - $selected{'ENGINES'}{'padlock'} = ''; - $selected{'ENGINES'}{'disabled'} = ''; - $selected{'ENGINES'}{$cgiparams{'ENGINES'}} = 'SELECTED'; - $checked{'DCOMPLZO'}{'off'} = ''; $checked{'DCOMPLZO'}{'on'} = ''; $checked{'DCOMPLZO'}{$cgiparams{'DCOMPLZO'}} = 'CHECKED'; @@ -5107,10 +5054,11 @@ END + @@ -5519,22 +5464,32 @@ END + + + + + + + + + - + + + + - - - -
 
 
$Lang::tr{'Act as'} +
$Lang::tr{'Act as'}$Lang::tr{'remote host/ip'}:
$Lang::tr{'remote host/ip'}:
$Lang::tr{'local subnet'}
$Lang::tr{'local subnet'}$Lang::tr{'remote subnet'}
$Lang::tr{'remote subnet'}
$Lang::tr{'ovpn subnet'}
$Lang::tr{'ovpn subnet'}
$Lang::tr{'protocol'}
$Lang::tr{'destination port'}:
$Lang::tr{'protocol'}Management Port ($Lang::tr{'openvpn default'}: $Lang::tr{'destination port'}):  
$Lang::tr{'destination port'}:

$Lang::tr{'MTU settings'}
$Lang::tr{'cipher'} -
$Lang::tr{'MTU'} $Lang::tr{'openvpn default'}: udp/tcp 1500/1400
$Lang::tr{'ovpn ha'}: -
fragment  $Lang::tr{'openvpn default'}: 1300
$Lang::tr{'ovpn engines'}   - -
mssfix  $Lang::tr{'openvpn default'}: on

Management Port ($Lang::tr{'openvpn default'}: $Lang::tr{'destination port'}):  
$Lang::tr{'MTU'}  $Lang::tr{'openvpn default'}: udp/tcp 1500/1400
fragment  $Lang::tr{'openvpn default'}: 1300
mssfix  $Lang::tr{'openvpn default'}: on
$Lang::tr{'comp-lzo'}   -
$Lang::tr{'comp-lzo'}   +
$Lang::tr{'ovpn mtu-disc'} @@ -4650,6 +4568,42 @@ if ($cgiparams{'TYPE'} eq 'net') { $Lang::tr{'ovpn mtu-disc off'}

$Lang::tr{'ovpn crypt options'}:
$Lang::tr{'cipher'} + $Lang::tr{'ovpn ha'}: +

$Lang::tr{'MTU'}  $Lang::tr{'cipher'}
$Lang::tr{'comp-lzo'}

$Lang::tr{'ovpn dh parameters'}:
$Lang::tr{'ovpn dh upload'}:

$Lang::tr{'ovpn dh new key'}:
+ +
END ; diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl index a2cf71a7a..aee46df87 100644 --- a/langs/de/cgi-bin/de.pl +++ b/langs/de/cgi-bin/de.pl @@ -39,6 +39,7 @@ 'MB read' => 'MB gelesen', 'MB written' => 'MB geschrieben', 'MTU' => 'MTU-Größe:', +'MTU settings' => 'MTU-Einstellungen:', 'Number of Countries for the pie chart' => 'Anzahl der angezeigten Länder im Diagramm', 'Number of IPs for the pie chart' => 'Anzahl der angezeigten IPs im Diagramm', 'Number of Ports for the pie chart' => 'Anzahl der angezeigten Ports im Diagramm', @@ -1123,7 +1124,7 @@ 'fwhost wo subnet' => '(Ohne Subnetz)', 'gateway' => 'Gateway', 'gateway ip' => 'Gateway-IP', -'gen dh' => 'Diffie-Hellman-Parameter erzeugen', +'gen dh' => 'Neuen Diffie-Hellman-Parameter erzeugen', 'gen static key' => 'Statischen Schlüssel erzeugen', 'generate' => 'Root/Host-Zertifikate generieren', 'generate a certificate' => 'Erzeuge ein Zertifikat:', @@ -1659,7 +1660,9 @@ 'ovpn crypt options' => 'Kryptografieoptionen', 'ovpn device' => 'OpenVPN-Gerät', 'ovpn dh' => 'Diffie-Hellman-Parameter-Länge', -'ovpn dh upload' => 'Diffie-Hellman-Parameter hochladen', +'ovpn dh new key' => 'Neuen Diffie-Hellman Parameter erstellen', +'ovpn dh parameters' => 'Diffie-Hellman-Parameter-Optionen', +'ovpn dh upload' => 'Neuen Diffie-Hellman-Parameter hochladen', 'ovpn dl' => 'OVPN-Konfiguration downloaden', 'ovpn engines' => 'Krypto Engine', 'ovpn errmsg green already pushed' => 'Route für grünes Netzwerk wird immer gesetzt', diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl index 5ccad79ee..20e9db379 100644 --- a/langs/en/cgi-bin/en.pl +++ b/langs/en/cgi-bin/en.pl 
@@ -39,6 +39,7 @@ 'MB read' => 'MB read', 'MB written' => 'MB written', 'MTU' => 'MTU size:', +'MTU settings' => 'MTU settings:', 'Number of Countries for the pie chart' => 'Number of Countries for the pie chart', 'Number of IPs for the pie chart' => 'Number of IPs for the pie chart', 'Number of Ports for the pie chart' => 'Number of ports for the pie chart', @@ -1152,7 +1153,7 @@ 'g.lite' => 'TO BE REMOVED', 'gateway' => 'Gateway', 'gateway ip' => 'Gateway IP', -'gen dh' => 'Generate Diffie-Hellman parameters', +'gen dh' => 'Generate new Diffie-Hellman parameters', 'gen static key' => 'Generate a static key', 'generate' => 'Generate root/host zertifikate', 'generate a certificate' => 'Generate a certificate:', @@ -1690,7 +1691,9 @@ 'ovpn crypt options' => 'Cryptographic options', 'ovpn device' => 'OpenVPN device:', 'ovpn dh' => 'Diffie-Hellman parameters length', -'ovpn dh upload' => 'Upload Diffie-Hellman parameters', +'ovpn dh new key' => 'Generate new Diffie-Hellman parameters', +'ovpn dh parameters' => 'Diffie-Hellman parameters options', +'ovpn dh upload' => 'Upload new Diffie-Hellman parameters', 'ovpn dl' => 'OVPN-Config Download', 'ovpn engines' => 'Crypto engine', 'ovpn errmsg green already pushed' => 'Route for green network is always set', From a50dadc229a4ad34be60e9fa24cf20c33e9d96c2 Mon Sep 17 00:00:00 2001 From: Michael Tremer Date: Wed, 14 May 2014 21:28:45 +0200 Subject: [PATCH 27/38] openvpn: Remove RC2 as a cipher option. --- html/cgi-bin/ovpnmain.cgi | 8 -------- 1 file changed, 8 deletions(-) diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi index 5b2c74054..a051b5d83 100644 --- a/html/cgi-bin/ovpnmain.cgi +++ b/html/cgi-bin/ovpnmain.cgi 
@@ -4421,10 +4421,7 @@ if ($cgiparams{'TYPE'} eq 'net') { $selected{'DCIPHER'}{'DES-EDE-CBC'} = ''; $selected{'DCIPHER'}{'CAST5-CBC'} = ''; $selected{'DCIPHER'}{'BF-CBC'} = ''; - $selected{'DCIPHER'}{'RC2-CBC'} = ''; $selected{'DCIPHER'}{'DES-CBC'} = ''; - $selected{'DCIPHER'}{'RC2-64-CBC'} = ''; - $selected{'DCIPHER'}{'RC2-40-CBC'} = ''; # If no cipher has been chossen yet, select # the old default (AES-256-CBC) for compatiblity reasons. if ($cgiparams{'DCIPHER'} eq '') { @@ -4588,7 +4585,6 @@ if ($cgiparams{'TYPE'} eq 'net') { - @@ -4966,10 +4962,7 @@ END $selected{'DCIPHER'}{'DES-EDE-CBC'} = ''; $selected{'DCIPHER'}{'CAST5-CBC'} = ''; $selected{'DCIPHER'}{'BF-CBC'} = ''; - $selected{'DCIPHER'}{'RC2-CBC'} = ''; $selected{'DCIPHER'}{'DES-CBC'} = ''; - $selected{'DCIPHER'}{'RC2-64-CBC'} = ''; - $selected{'DCIPHER'}{'RC2-40-CBC'} = ''; $selected{'DCIPHER'}{$cgiparams{'DCIPHER'}} = 'SELECTED'; $selected{'DAUTH'}{'whirlpool'} = ''; @@ -5069,7 +5062,6 @@ END - $Lang::tr{'comp-lzo'} From 7e8d00649625a1f8f77e086d402e02b2ab2dce79 Mon Sep 17 00:00:00 2001 From: Michael Tremer Date: Wed, 14 May 2014 21:32:04 +0200 Subject: [PATCH 28/38] core78: Add updated theme functions.pl. --- config/rootfiles/core/78/filelists/files | 1 + 1 file changed, 1 insertion(+) diff --git a/config/rootfiles/core/78/filelists/files b/config/rootfiles/core/78/filelists/files index 3fbe8b191..91b624ef9 100644 --- a/config/rootfiles/core/78/filelists/files +++ b/config/rootfiles/core/78/filelists/files @@ -5,6 +5,7 @@ srv/web/ipfire/cgi-bin/logs.cgi/showrequestfromcountry.dat srv/web/ipfire/cgi-bin/modem-status.cgi srv/web/ipfire/cgi-bin/ovpnmain.cgi srv/web/ipfire/cgi-bin/proxy.cgi +srv/web/ipfire/html/themes/ipfire/include/functions.pl var/ipfire/langs var/ipfire/menu.d/20-status.menu var/ipfire/menu.d/70-log.menu From ed4b4c19b9e47229ead960bd43bcc9cd6a01413a Mon Sep 17 00:00:00 2001 
From: Michael Tremer Date: Sun, 12 Jan 2014 15:40:50 +0100 Subject: [PATCH 29/38] Re-apply: OpenVPN: Fix daemon stuck in WAIT state. When the client is in the WAIT state, it is usally connected to the server. Conflicts: html/cgi-bin/index.cgi html/cgi-bin/ovpnmain.cgi --- html/cgi-bin/ovpnmain.cgi | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi index a051b5d83..8390be058 100644 --- a/html/cgi-bin/ovpnmain.cgi +++ b/html/cgi-bin/ovpnmain.cgi @@ -5177,7 +5177,7 @@ END #EXITING -- A graceful exit is in progress. #### - if ($tustate[1] eq 'CONNECTED') { + if (($tustate[1] eq 'CONNECTED') || ($tustate[1] eq 'WAIT')) { $col1="bgcolor='${Header::colourgreen}'"; $active = "$Lang::tr{'capsopen'}"; }else { From d9fe569366e9dca7f833b53a212ea2ef4311d45f Mon Sep 17 00:00:00 2001 From: Alexander Marx Date: Fri, 31 Jan 2014 21:23:21 +0100 Subject: [PATCH 30/38] openvpn: Wrong subnet calculation bug fix. Fixes #10466. --- html/cgi-bin/ovpnmain.cgi | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi index 8390be058..1694f2d18 100644 --- a/html/cgi-bin/ovpnmain.cgi +++ b/html/cgi-bin/ovpnmain.cgi @@ -567,7 +567,7 @@ sub getccdadresses my @iprange=(); my %ccdhash=(); &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%ccdhash); - $iprange[0]=$ip1.".".$ip2.".".$ip3.".".2; + $iprange[0]=$ip1.".".$ip2.".".$ip3.".".($ip4+2); for (my $i=1;$i<=$count;$i++) { my $tmpip=$iprange[$i-1]; my $stepper=$i*4; From bc2b3e9483f37ec497b3460faf0208cfb87cdfc5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alf=20H=C3=B8gemark?= Date: Wed, 14 May 2014 21:51:50 +0200 Subject: [PATCH 31/38] vpnmain.cgi: htmlcleanup, change html tags from uppercase to lowercase --- html/cgi-bin/ovpnmain.cgi | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi index 1694f2d18..d50cc31a2 100644 
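Review bot: Treating `WAIT` the same as `CONNECTED` in the @@ -5177 hunk colours the status green for a client that, per the management-interface state list the surrounding comment block documents, is still waiting for the server's initial reply, so a tunnel that never completes its handshake is displayed as up; the commit message itself only says the client is "usually" connected in that state. Keeping the green `$col1` for WAIT but giving `$active` a distinct label (for example a constructed `$Lang::tr{'capsopen'}` variant noting "waiting") would clear the stuck appearance the commit fixes without making monitoring treat an unfinished handshake as established. The enclosing block starts outside the hunk.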
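Review bot: The corrected line in the @@ -567 hunk derives the first pool address by arithmetic on the last octet alone, `($ip4+2)`, with no check that the result stays below 256 or inside the configured subnet, and the `$stepper=$i*4` additions in the loop that follows have the same property. `getccdadresses` begins before the hunk, so the origin of `$ip4` is not visible here; if it is already validated as an aligned network address this is fine, otherwise a guard (or an integer-to-address helper that handles octet carry) would make the bound explicit.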
--- a/html/cgi-bin/ovpnmain.cgi +++ b/html/cgi-bin/ovpnmain.cgi @@ -4729,7 +4729,7 @@ if ($cgiparams{'TYPE'} eq 'host') {   $Lang::tr{'pkcs12 file password'}: -  $Lang::tr{'pkcs12 file password'}:
($Lang::tr{'confirmation'}) +  $Lang::tr{'pkcs12 file password'}:
($Lang::tr{'confirmation'})  
@@ -5046,7 +5046,7 @@ END $Lang::tr{'destination port'}: $Lang::tr{'MTU'}  - + $Lang::tr{'cipher'} - Default: SHA1 (160 $Lang::tr{'bit'}) + $Lang::tr{'openvpn default'}: SHA1 (160 $Lang::tr{'bit'}) @@ -3092,7 +3092,7 @@ if ( -s "${General::swroot}/ovpn/settings") { $Lang::tr{'net to net vpn'} (Upload Client Package)    Import Connection Name -  Default : Client Packagename +  $Lang::tr{'openvpn default'}: Client Packagename
* $Lang::tr{'this field may be blank'} From a9fb14d0513d71accacfded36f46e471cb3a88d6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alf=20H=C3=B8gemark?= Date: Tue, 18 Feb 2014 17:48:57 +0000 Subject: [PATCH 33/38] cgi-bin: Use readonly="readonly" attribute on html input elements The proper way to mark readonly is to use readonly="readonly", not readonly="true", like it was done some places. --- html/cgi-bin/ovpnmain.cgi | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi index 21bd5cea6..ce899e731 100644 --- a/html/cgi-bin/ovpnmain.cgi +++ b/html/cgi-bin/ovpnmain.cgi @@ -2793,7 +2793,7 @@ if ($cgiparams{'ACTION'} eq "edit"){ - + From 1638682beb691a4bf40f4db155c109d9a34536a4 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alf=20H=C3=B8gemark?= Date: Wed, 14 May 2014 21:56:42 +0200 Subject: [PATCH 34/38] cgi-bin: Add title attribute to input type image where missing Almost all of $ccdconf[0] + END ; } From 5a9f40613eea53a15e3cf6dc6348114329871ac3 Mon Sep 17 00:00:00 2001 From: Stefan Schantl Date: Thu, 15 May 2014 18:47:13 +0200 Subject: [PATCH 35/38] setddns.pl: Switch off debuging output. Switch off accidently enabled debugging output from commit dc98645fd42873dfeda01188243565e2f977f4a9 --- src/scripts/setddns.pl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/scripts/setddns.pl b/src/scripts/setddns.pl index c1a6f5d06..e26c524bc 100644 --- a/src/scripts/setddns.pl +++ b/src/scripts/setddns.pl @@ -51,7 +51,7 @@ if ($ip eq "unavailable") { exit(0); } -&General::log("Dynamic DNS public router IP is: $ip"); +#&General::log("Dynamic DNS public router IP is: $ip"); if ($ARGV[0] eq '-f') { unlink ($cachefile); # next regular calls will try again if this force update fails. From 0f7ee3ea4e63a646ae5d02207530493016240f43 Mon Sep 17 00:00:00 2001 
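Review bot: The `&General::log("Dynamic DNS public router IP is: $ip");` call in the @@ -51 hunk of setddns.pl is silenced by commenting it out rather than removing it, which leaves dead code in the script for the next reader to wonder about. Since the commit message describes it as accidentally enabled debugging, either delete the line or keep it behind an explicit switch (constructed example: `&General::log("Dynamic DNS public router IP is: $ip") if $debug;`) so it cannot be re-enabled by accident again.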
From: Michael Tremer Date: Fri, 16 May 2014 17:12:43 +0200 Subject: [PATCH 36/38] sslscan: New package. --- config/rootfiles/packages/sslscan | 2 + lfs/sslscan | 83 +++++++++++++++++++++++++++++++ make.sh | 1 + 3 files changed, 86 insertions(+) create mode 100644 config/rootfiles/packages/sslscan create mode 100644 lfs/sslscan diff --git a/config/rootfiles/packages/sslscan b/config/rootfiles/packages/sslscan new file mode 100644 index 000000000..603c36ee5 --- /dev/null +++ b/config/rootfiles/packages/sslscan @@ -0,0 +1,2 @@ +usr/bin/sslscan +#usr/share/man/man1/sslscan.1 diff --git a/lfs/sslscan b/lfs/sslscan new file mode 100644 index 000000000..a384db1e4 --- /dev/null +++ b/lfs/sslscan 
@@ -0,0 +1,83 @@ +############################################################################### +# # +# IPFire.org - A linux based firewall # +# Copyright (C) 2014 Michael Tremer & Christian Schmidt # +# # +# This program is free software: you can redistribute it and/or modify # +# it under the terms of the GNU General Public License as published by # +# the Free Software Foundation, either version 3 of the License, or # +# (at your option) any later version. # +# # +# This program is distributed in the hope that it will be useful, # +# but WITHOUT ANY WARRANTY; without even the implied warranty of # +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # +# GNU General Public License for more details. # +# # +# You should have received a copy of the GNU General Public License # +# along with this program. If not, see . # +# # +############################################################################### + +############################################################################### +# Definitions +############################################################################### + +include Config + +VER = 1.10.2 + +THISAPP = sslscan-$(VER) +DL_FILE = $(THISAPP).tar.gz +DL_FROM = $(URL_IPFIRE) +DIR_APP = $(DIR_SRC)/$(THISAPP) +TARGET = $(DIR_INFO)/$(THISAPP) +PROG = sslscan +PAK_VER = 1 + +DEPS = "" + +############################################################################### +# Top-level Rules +############################################################################### + +objects = $(DL_FILE) + +$(DL_FILE) = $(DL_FROM)/$(DL_FILE) + +$(DL_FILE)_MD5 = 41ecff92303cecfd00bf3c7de509af14 + +install : $(TARGET) + +check : $(patsubst %,$(DIR_CHK)/%,$(objects)) + +download :$(patsubst %,$(DIR_DL)/%,$(objects)) + +md5 : $(subst %,%_MD5,$(objects)) + +dist: + @$(PAK) + +############################################################################### +# Downloading, checking, md5sum 
+############################################################################### + +$(patsubst %,$(DIR_CHK)/%,$(objects)) : + @$(CHECK) + +$(patsubst %,$(DIR_DL)/%,$(objects)) : + @$(LOAD) + +$(subst %,%_MD5,$(objects)) : + @$(MD5) + +############################################################################### +# Installation Details +############################################################################### + +$(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) + @$(PREBUILD) + @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar axf $(DIR_DL)/$(DL_FILE) + cd $(DIR_APP) && make $(MAKETUNING) CFLAGS="$(CFLAGS)" + cd $(DIR_APP) && make install PREFIX=/usr + @rm -rf $(DIR_APP) + @$(POSTBUILD) diff --git a/make.sh b/make.sh index 0056ee59e..041f69656 100755 --- a/make.sh +++ b/make.sh @@ -797,6 +797,7 @@ buildipfire() { ipfiremake iptraf-ng ipfiremake iotop ipfiremake stunnel + ipfiremake sslscan } buildinstaller() { From ace810a3f85f58a59c4ca430b61d052817e7362c Mon Sep 17 00:00:00 2001 From: Stefan Schantl Date: Fri, 16 May 2014 22:07:14 +0200 Subject: [PATCH 37/38] snort: Update url's for rule download. --- html/cgi-bin/ids.cgi | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/html/cgi-bin/ids.cgi b/html/cgi-bin/ids.cgi index 55e264506..5a28daaed 100644 --- a/html/cgi-bin/ids.cgi +++ b/html/cgi-bin/ids.cgi 
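Review bot: The new lfs/sslscan pins the tarball only with `$(DL_FILE)_MD5 = 41ecff92303cecfd00bf3c7de509af14`, following the framework's `md5` target, and fetches it from `$(URL_IPFIRE)` rather than the upstream release, so nothing in the file records what that hash was checked against. A comment above the `_MD5` line naming the upstream URL or release checksum it was verified from would let a later reviewer re-validate the mirror copy, which matters because MD5 alone is not collision-resistant for supply-chain pinning. `DEPS = ""` and `PAK_VER = 1` are fine for a first packaging.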
@@ -263,9 +263,9 @@ if (-e "/etc/snort/snort.conf") { ####################### End added for snort rules control ################################# if ($snortsettings{'RULES'} eq 'subscripted') { - $url=" http://www.snort.org/sub-rules/snortrules-snapshot-2953.tar.gz/$snortsettings{'OINKCODE'}"; + $url=" http://www.snort.org/sub-rules/snortrules-snapshot-2961.tar.gz/$snortsettings{'OINKCODE'}"; } elsif ($snortsettings{'RULES'} eq 'registered') { - $url=" http://www.snort.org/reg-rules/snortrules-snapshot-2950.tar.gz/$snortsettings{'OINKCODE'}"; + $url=" http://www.snort.org/reg-rules/snortrules-snapshot-2960.tar.gz/$snortsettings{'OINKCODE'}"; } elsif ($snortsettings{'RULES'} eq 'community') { $url=" http://s3.amazonaws.com/snort-org/www/rules/community/community-rules.tar.gz"; } else { From e3b5a052ecd0eb5c53f669c5218f360b016fe128 Mon Sep 17 00:00:00 2001 From: Michael Tremer Date: Sat, 17 May 2014 15:32:56 +0200 Subject: [PATCH 38/38] core78: Update filelist. --- config/rootfiles/core/78/filelists/files | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/config/rootfiles/core/78/filelists/files b/config/rootfiles/core/78/filelists/files index 91b624ef9..15c629b74 100644 --- a/config/rootfiles/core/78/filelists/files +++ b/config/rootfiles/core/78/filelists/files @@ -1,12 +1,16 @@ etc/system-release etc/issue +srv/web/ipfire/cgi-bin/ddns.cgi +srv/web/ipfire/cgi-bin/ids.cgi srv/web/ipfire/cgi-bin/logs.cgi/firewalllogcountry.dat srv/web/ipfire/cgi-bin/logs.cgi/showrequestfromcountry.dat srv/web/ipfire/cgi-bin/modem-status.cgi srv/web/ipfire/cgi-bin/ovpnmain.cgi srv/web/ipfire/cgi-bin/proxy.cgi srv/web/ipfire/html/themes/ipfire/include/functions.pl +usr/local/bin/setddns.pl var/ipfire/langs var/ipfire/menu.d/20-status.menu var/ipfire/menu.d/70-log.menu +var/ipfire/modem-lib.pl var/ipfire/ovpn/openssl/ovpn.cnf
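Review bot: The updated rule URLs in the @@ -263 hunk still fetch over plain `http://` with the subscriber's `$snortsettings{'OINKCODE'}` embedded in the URL path, so the oinkcode — effectively an access credential — travels in the clear and the rule archive has no transport integrity protection; if snort.org serves the same paths over `https://`, switching the scheme is a one-character change on each of the two new lines. The two new snapshot numbers differ (`2961` for sub-rules, `2960` for reg-rules); if that asymmetry is intentional a short comment saying so would stop the next updater from "fixing" it. Both strings also keep a leading space before `http://`, inherited from the old lines, which is worth dropping while they are being edited.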
$Lang::tr{'ccd name'}:$Lang::tr{'ccd subnet'}:
$Lang::tr{'ccd subnet'}:

$ccdconf[1]$ccdhosts/".(&ccdmaxclients($ccdconf[1])+1).""; print < - + @@ -2862,7 +2862,7 @@ END -